I can't seem to find a suitable CWE for classifying hardware-specific security weaknesses. Particularly, I'm looking for a CWE that applies to power glitching or clock glitching against a microcontroller or microprocessor.

Are there any CWEs suitable for this case? I'm aware of the hardware entries in CAPEC, but I specifically need a CWE in this case.

Polynomial

3 Answers

Yes. There is now the Hardware Design CWE View. It lists CWEs such as:

  • CWE-1247: Missing or Improperly Implemented Protection Against Voltage and Clock Glitches
  • CWE-1248: Semiconductor Defects in Hardware Logic with Security-Sensitive Implications
  • CWE-1232: Improper Lock Behavior After Power State Transition
  • CWE-1245: Improper Finite State Machines (FSMs) in Hardware Logic

Have a look at the view - specifically this page for the issue you mentioned. I believe it is still a "draft" at this point, but may be useful for you.

the_endian

I think the CWE is just not the right place.

Quote from the FAQ:

A1. What is CWE? What is a "software weakness"?

Targeted at both the development community and the community of security practitioners, Common Weakness Enumeration (CWE™) is a formal list or dictionary of common software weaknesses that can occur in software's architecture, design, code or implementation that can lead to exploitable security vulnerabilities. CWE was created to serve as a common language for describing software security weaknesses; serve as a standard measuring stick for software security tools targeting these weaknesses; and to provide a common baseline standard for weakness identification, mitigation, and prevention efforts.

There are no hardware-specific weaknesses in CWE, because there are only software weaknesses listed. You will have to consult other databases.

Tom K.

Without knowing the specific use case you have in mind, it sounds like both of these would fall under weaknesses related to time and state:

https://cwe.mitre.org/data/definitions/361.html

"Description Summary

Weaknesses in this category are related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads.

Extended Description

Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."

As a side note, DARPA is interested in hardware specific vulnerabilities as well and has created a new program (SSITH) with the goal of addressing them:

http://www.darpa.mil/news-events/2017-04-10

In the announcement, they call out several categories of the CWE that are applicable to hardware:

"In cyberjargon, these classes are: permissions and privileges, buffer errors, resource management, information leakage, numeric errors, crypto errors, and code injection"

which seems like an odd set of selections, although they all could arguably be hardware-impacting at some level.

This:

http://forristal.com/material/Forristal_Hardware_Involved_Software_Attacks.pdf

may make for some interesting reading on classifying hardware-related issues as well.

Jason