CAPEC-702

Exploiting Incorrect Chaining or Granularity of Hardware Debug Components
Likelihood of Attack: LOW
Typical Severity: MEDIUM
Status: Draft
Date: 2023-01-24 00:00 +00:00


Description

An adversary exploits incorrect chaining or granularity of hardware debug components in order to gain unauthorized access to debug functionality on a chip. This happens when authorization is not checked on a per function basis and is assumed for a chain or group of debug functionality.

Information

Execution Flow

1) Explore

[Find and scan debug interface] The adversary must first find and scan a debug interface to determine what they are authorized to use and what devices are chained to that interface.

Technique
  • Use a JTAGulator on a JTAG interface to determine the correct pin configuration, baud rate, and number of devices in the chain

2) Experiment

[Connect to debug interface] The adversary next connects a device to the JTAG interface using the properties found in the explore phase so that they can send commands. The adversary sends some test commands to make sure the connection is working.

Technique
  • Connect a device such as a BusPirate or UM232H to the JTAG interface and connect using pin layout found from the JTAGulator

3) Exploit

[Move along debug chain] Once the adversary has connected to the main TAP, or JTAG interface, they will move along the TAP chain to see what debug interfaces might be available on that chain.

Technique
  • Run a command such as “scan_chain” to see what TAPs are available in the chain.

Prerequisites

Hardware device has an exposed debug interface

Skills Required

Ability to identify physical debug interfaces on a device
Ability to operate devices to scan and connect to an exposed debug interface

Resources Required

A device to scan a TAP or JTAG interface, such as a JTAGulator
A device to communicate on a TAP or JTAG interface, such as a BusPirate

Mitigations

Implement: Ensure that debug components are properly chained and that their granularity is maintained at different authorization levels, so that access to each debug function is checked individually rather than assumed for the whole chain.
Perform post-silicon validation tests at various authorization levels to ensure that debug components are only accessible to authorized users.
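The following is an added example, not CAPEC or MITRE code, that models the two mitigations above in a small Python simulation of a JTAG scan chain. `ChainLevelController` is the weak design described in the CAPEC entry: authorization is checked once at the chain entry and then assumed for every TAP reached by walking the chain. `PerTapController` is the corrected design, where each TAP compares the caller's authorization level against its own requirement. `validate_granularity` plays the role of the post-silicon validation test, walking every authorization level against every TAP and reporting any TAP reachable at a level below its requirement. The TAP names, authorization levels and the `SAMPLE_CHAIN` are constructed for the example and correspond to no real chip.

```python
"""Model of chain-level vs per-TAP debug authorization (added example).

Added here to illustrate CWE-1296 style mitigation; not part of CAPEC.
All TAP names, levels and the chain layout are constructed for the model.
"""
from dataclasses import dataclass
from enum import IntEnum


class AuthLevel(IntEnum):
    """Hypothetical debug authorization levels, lowest to highest."""
    NONE = 0            # unauthenticated probe on the pins
    MANUFACTURING = 1   # production-line test
    OEM = 2             # OEM field debug
    SILICON_VENDOR = 3  # full vendor-level debug


@dataclass(frozen=True)
class Tap:
    name: str
    required: AuthLevel   # minimum level that may select this TAP


# Constructed sample chain: three TAPs with increasing sensitivity.
SAMPLE_CHAIN = (
    Tap("boundary_scan", AuthLevel.MANUFACTURING),
    Tap("cpu_core_debug", AuthLevel.OEM),
    Tap("secure_element_debug", AuthLevel.SILICON_VENDOR),
)


class ChainLevelController:
    """Weak design: one gate at the chain entry, then every TAP is reachable.

    Once the caller clears gate_level, shifting through the chain (e.g. via
    BYPASS registers) reaches any TAP regardless of that TAP's sensitivity.
    """

    def __init__(self, chain, gate_level=AuthLevel.MANUFACTURING):
        self.chain = chain
        self.gate_level = gate_level

    def select(self, tap_name, caller_level):
        if caller_level < self.gate_level:
            return False
        # Authorization is assumed for the whole chain after the gate.
        return any(t.name == tap_name for t in self.chain)


class PerTapController:
    """Corrected design: each TAP enforces its own required level."""

    def __init__(self, chain):
        self.taps = {t.name: t for t in chain}

    def select(self, tap_name, caller_level):
        tap = self.taps.get(tap_name)
        if tap is None:
            return False
        return caller_level >= tap.required


def validate_granularity(controller, chain):
    """Post-silicon style check across all authorization levels.

    For every (level, TAP) pair the TAP must be selectable exactly when
    level >= TAP.required. Returns a list of (tap, level_name, selectable)
    tuples for every deviation; an empty list means the chain is correct.
    """
    violations = []
    for level in AuthLevel:
        for tap in chain:
            expected = level >= tap.required
            actual = controller.select(tap.name, level)
            if actual != expected:
                violations.append((tap.name, level.name, actual))
    return violations


if __name__ == "__main__":
    for label, ctrl in (("chain-level", ChainLevelController(SAMPLE_CHAIN)),
                        ("per-TAP", PerTapController(SAMPLE_CHAIN))):
        print(label, "violations:", validate_granularity(ctrl, SAMPLE_CHAIN))
```

Running the module reports three violations for the chain-level controller (the CPU and secure-element TAPs reachable at MANUFACTURING level, and the secure-element TAP reachable at OEM level) and none for the per-TAP controller; the same loop structure, driven against real silicon through a debug probe, is what the second mitigation asks for.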

Related Weaknesses

CWE-1296: Incorrect Chaining or Granularity of Debug Components
The product's debug components contain incorrect chaining or granularity of debug components.

References

REF-748: Overview of the Test Access Port. Hewlett-Packard Journal. https://www.hpl.hp.com/hpjournal/94dec/dec94a7a.pdf

REF-749: Finding Faults with the Test Access Port (TAP). https://flynn.com/2017/06/12/finding-faults-with-the-test-access-port-tap/

REF-750: Technical Guide to JTAG. https://www.xjtag.com/about-jtag/jtag-a-technical-overview/

Submission

Name: CAPEC Content Team
Organization: The MITRE Corporation
Date: 2023-01-24 +00:00