Dettaglio CAPEC-624

CAPEC-624

Hardware Fault Injection
Basso
Alto
Stable
2015-11-09
00h00 +00:00
2022-09-29
00h00 +00:00
CAPEC Mitre.org
Avviso per un CAPEC specifico
Rimani informato su qualsiasi modifica relativa a un CAPEC specifico.
Gestione notifiche

Descrizioni CAPEC

The adversary uses disruptive signals or events, or alters the physical environment a device operates in, to cause faulty behavior in electronic devices. This can include electromagnetic pulses, laser pulses, clock glitches, ambient temperature extremes, and more. When performed in a controlled manner on devices performing cryptographic operations, this faulty behavior can be exploited to derive secret key information.

Informazioni CAPEC

Prerequisiti

Physical access to the system
The adversary must be cognizant of where fault injection vulnerabilities exist in the system in order to leverage them for exploitation.

Competenze richieste

Adversaries require non-trivial technical skills to create and implement fault injection attacks. Although this style of attack has become easier (commercial equipment and training classes are available to perform these attacks), they usual require significant setup and experimentation time during which physical access to the device is required.

Risorse richieste

Mitigazioni

Implement robust physical security countermeasures and monitoring.

Vulnerabilità correlate

CWE-ID Nome della vulnerabilità

CWE-1247

 Improper Protection Against Voltage and Clock Glitches
The device does not contain or contains incorrectly implemented circuitry or sensors to detect and mitigate voltage and clock glitches and protect sensitive information or software contained on the device.

CWE-1248

 Semiconductor Defects in Hardware Logic with Security-Sensitive Implications
The security-sensitive hardware module contains semiconductor defects.

CWE-1256

 Improper Restriction of Software Interfaces to Hardware Features
The product provides software-controllable device functionality for capabilities such as power and clock management, but it does not properly limit functionality that can lead to modification of hardware memory or register bits, or the ability to observe physical side channels.

CWE-1319

 Improper Protection against Electromagnetic Fault Injection (EM-FI)
The device is susceptible to electromagnetic fault injection attacks, causing device internal information to be compromised or security mechanisms to be bypassed.

CWE-1332

 Improper Handling of Faults that Lead to Instruction Skips
The device is missing or incorrectly implements circuitry or sensors that detect and mitigate the skipping of security-critical CPU instructions when they occur.

CWE-1334

 Unauthorized Error Injection Can Degrade Hardware Redundancy
An unauthorized agent can inject errors into a redundant block to deprive the system of redundancy or put the system in a degraded operating mode.

CWE-1338

 Improper Protections Against Hardware Overheating
A hardware device is missing or has inadequate protection features to prevent overheating.

CWE-1351

 Improper Handling of Hardware Behavior in Exceptionally Cold Environments
A hardware device, or the firmware running on it, is missing or has incorrect protection features to maintain goals of security primitives when the device is cooled below standard operating temperatures.

Invio

Nome Organizzazione Data Data di rilascio
CAPEC Content Team The MITRE Corporation 2015-11-09 +00:00

Modifiche

Nome Organizzazione Data Commento
CAPEC Content Team The MITRE Corporation 2017-05-01 +00:00 Updated Alternate_Terms, Attack_Motivation-Consequences, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Other_Notes, Resources_Required, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
CAPEC Content Team The MITRE Corporation 2017-08-04 +00:00 Updated Attack_Prerequisites
CAPEC Content Team The MITRE Corporation 2020-07-30 +00:00 Updated @Name, Consequences, Related_Weaknesses
CAPEC Content Team The MITRE Corporation 2020-12-17 +00:00 Updated Related_Weaknesses
CAPEC Content Team The MITRE Corporation 2022-09-29 +00:00 Updated Description, Related_Weaknesses
Le informazioni presentate su CVE Find provengono da diverse fonti di riferimento attentamente selezionate. I dati CVE sono forniti da MITRE Corporation e dal National Vulnerability Database (NVD). Il catalogo delle vulnerabilità sfruttate conosciute (KEV) proviene dalla Cybersecurity and Infrastructure Security Agency (CISA), mentre i punteggi EPSS provengono da FIRST.org. Inoltre, i dati relativi alle vulnerabilità software (CWE) e ai pattern di attacco comuni (CAPEC) sono mantenuti da MITRE Corporation, e le informazioni sulle configurazioni hardware e software (CPE) sono fornite da NVD.