Detalle CWE-1247

The device does not contain or contains incorrectly implemented circuitry or sensors to detect and mitigate voltage and clock glitches and protect sensitive information or software contained on the device.

Modos de introducción

Operation

Plataformas aplicables

Lenguaje

Class: Not Language-Specific (Undetermined)

Sistemas operativos

Class: Not OS-Specific (Undetermined)

Arquitecturas

Class: Not Architecture-Specific (Undetermined)

Tecnologías

Class: ICS/OT (Undetermined)
Class: System on Chip (Undetermined)
Name: Power Management Hardware (Undetermined)
Name: Clock/Counter Hardware (Undetermined)
Name: Sensor Hardware (Undetermined)

Consecuencias comunes

Ejemplos observados

Mitigaciones potenciales

Phases : Architecture and Design // Implementation

Métodos de detección

Manual Analysis

Efectividad : Moderate

Dynamic Analysis with Manual Results Interpretation

During the implementation phase where actual hardware is available, specialized hardware tools and apparatus such as ChipWhisperer may be used to check if the platform is indeed susceptible to voltage and clock glitching attacks.

Architecture or Design Review

Review if the protections against glitching merely transfer the attack target. For example, suppose a critical authentication routine that an attacker would want to bypass is given the protection of modifying certain artifacts from within that specific routine (so that if the routine is bypassed, one can examine the artifacts and figure out that an attack must have happened). However, if the attacker has the ability to bypass the critical authentication routine, they might also have the ability to bypass the other protection routine that checks the artifacts. Basically, depending on these kind of protections is akin to resorting to "Security by Obscurity".

Architecture or Design Review

Many SoCs come equipped with a built-in Dynamic Voltage and Frequency Scaling (DVFS) that can control the voltage and clocks via software alone. However, there have been demonstrated attacks (like Plundervolt and CLKSCREW) that target this DVFS [REF-1081] [REF-1082]. During the design and implementation phases, one needs to check if the interface to this power management feature is available from unprivileged SW (CWE-1256), which would make the attack very easy.

Notas de mapeo de vulnerabilidades

Justificación : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comentario : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Patrones de ataque relacionados

Referencias

REF-1061

Circuit Techniques for Dynamic Variation Tolerance
Keith Bowman, James Tschanz, Chris Wilkerson, Shih-Lien Lu, Tanay Karnik, Vivek De, Shekhar Borkar.
https://dl.acm.org/doi/10.1145/1629911.1629915

REF-1062

Razor: A Low-Power Pipeline Based on Circuit-Level Timing Speculation
Dan Ernst, Nam Sung Kim, Shidhartha Das, Sanjay Pant, Rajeev Rao, Toan Pham, Conrad Ziesler, David Blaauw, Todd Austin, Krisztian Flautner, Trevor Mudge.
https://web.eecs.umich.edu/~taustin/papers/MICRO36-Razor.pdf

REF-1063

Tunable Replica Circuits and Adaptive Voltage-Frequency Techniques for Dynamic Voltage, Temperature, and Aging Variation Tolerance
James Tschanz, Keith Bowman, Steve Walstra, Marty Agostinelli, Tanay Karnik, Vivek De.
https://ieeexplore.ieee.org/document/5205410

REF-1064

FAME: Fault-attack Aware Microprocessor Extensions for Hardware Fault Detection and Software Fault Response
Bilgiday Yuce, Nahid F. Ghalaty, Chinmay Deshpande, Conor Patrick, Leyla Nazhandali, Patrick Schaumont.
https://dl.acm.org/doi/10.1145/2948618.2948626

REF-1065

A 45 nm Resilient Microprocessor Core for Dynamic Variation Tolerance
Keith A. Bowman, James W. Tschanz, Shih-Lien L. Lu, Paolo A. Aseron, Muhammad M. Khellah, Arijit Raychowdhury, Bibiche M. Geuskens, Carlos Tokunaga, Chris B. Wilkerson, Tanay Karnik, Vivek De.
https://ieeexplore.ieee.org/document/5654663

REF-1066

Bypassing Secure Boot Using Fault Injection
Niek Timmers, Albert Spruyt.
https://www.blackhat.com/docs/eu-16/materials/eu-16-Timmers-Bypassing-Secure-Boot-Using-Fault-Injection.pdf

REF-1217

Security Engineering
Ross Anderson.
https://www.cl.cam.ac.uk/~rja14/musicfiles/manuscripts/SEv1.pdf

REF-1217

Security Engineering
Ross Anderson.
https://www.cl.cam.ac.uk/~rja14/musicfiles/manuscripts/SEv1.pdf

REF-1081

Plundervolt
Kit Murdock, David Oswald, Flavio D Garcia, Jo Van Bulck, Frank Piessens, Daniel Gruss.
https://plundervolt.com/

REF-1082

CLKSCREW: Exposing the Perils of Security-Oblivious Energy Management
Adrian Tang, Simha Sethumadhavan, Salvatore Stolfo.
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-tang.pdf

REF-1285

Physical Security Attacks Against Silicon Devices
Texas Instruments.
https://www.ti.com/lit/an/swra739/swra739.pdf?ts=1644234570420

REF-1286

On The Susceptibility of Texas Instruments SimpleLink Platform Microcontrollers to Non-Invasive Physical Attacks
Lennert Wouters, Benedikt Gierlichs, Bart Preneel.
https://eprint.iacr.org/2022/328.pdf

Envío

Modificaciones