Several security-sensitive values are programmed into fuses to be used during early-boot flows or later at runtime. Examples of these security-sensitive values include root keys, encryption keys, manufacturing-specific information, chip-manufacturer-specific information, and original-equipment-manufacturer (OEM) data. After the chip is powered on, these values are sensed from fuses and stored in temporary locations such as registers and local memories. These locations are typically access-control protected from untrusted agents capable of accessing them. Even to trusted agents, only read-access is provided. However, these locations are not blocked during debug operations, allowing a user to access this sensitive information.
Scope | Impact | Likelihood |
---|---|---|
Confidentiality Access Control | Modify Memory, Bypass Protection Mechanism |
Disable access to security-sensitive information stored in fuses directly and also reflected from temporary storage locations when in debug mode.
CAPEC-ID | Attack Pattern Name |
---|---|
CAPEC-116 | Excavation An adversary actively probes the target in a manner that is designed to solicit information that could be leveraged for malicious purposes. |
CAPEC-545 | Pull Data from System Resources An adversary who is authorized or has the ability to search known system resources, does so with the intention of gathering useful information. System resources include files, memory, and other aspects of the target system. In this pattern of attack, the adversary does not necessarily know what they are going to find when they start pulling data. This is different than CAPEC-150 where the adversary knows what they are looking for due to the common location. |
Name | Organization | Date | Date Release | Version |
---|---|---|---|---|
Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi | Intel Corporation | 4.0 |
Name | Organization | Date | Comment |
---|---|---|---|
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Applicable_Platforms, Demonstrative_Examples, Description, Name, Potential_Mitigations, Related_Attack_Patterns | |
CWE Content Team | MITRE | updated Description | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Mapping_Notes | |
CWE Content Team | MITRE | updated Demonstrative_Examples, References |