CWE-1239: Improper Zeroization of Hardware Register
The hardware product does not properly clear sensitive information from built-in registers when the user of the hardware block changes.
Last updated
Overview
Hardware logic operates on data stored in registers local to the hardware block. Most hardware IPs, including cryptographic accelerators, rely on registers to buffer I/O, store intermediate values, and interface with software. The result of this is that sensitive information, such as passwords or encryption keys, can exist in locations not transparent to the user of the hardware logic. When a different entity obtains access to the IP due to a change in operating mode or conditions, the new entity can extract information belonging to the previous user if no mechanisms are in place to clear register contents. It is important to clear information stored in the hardware if a physical attack on the product is detected, or if the user of the hardware block changes. The process of clearing register contents in a hardware IP is referred to as zeroization in standards for cryptographic hardware modules such as FIPS-140-2 [REF-267].
Common consequences
What can happen when CWE-1239 is exploited.
Varies by Context
Affects: Confidentiality
The consequences will depend on the information disclosed due to the vulnerability.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to prevent it
Practical mitigations for CWE-1239, grouped by where in the lifecycle they apply.
Every register potentially containing sensitive information must have a policy specifying how and when information is cleared, in addition to clarifying if it is the responsibility of the hardware logic or IP user to initiate the zeroization procedure at the appropriate time.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
Suppose a hardware IP for implementing an encryption routine works as expected, but it leaves the intermediate results in some registers that can be accessed. Exactly why this access happens is immaterial - it might be unintentional or intentional, where the designer wanted a "quick fix" for something.
The example code below [REF-1379] is taken from the SHA256 Interface/wrapper controller module of the HACK@DAC'21 buggy OpenPiton SoC. Within the wrapper module there are a set of 16 memory-mapped registers referenced data[0] to data[15]. These registers are 32 bits in size and are used to store the data received on the AXI Lite interface for hashing. Once both the message to be hashed and a request to start the hash computation are received, the values of these registers will be forwarded to the underlying SHA256 module for processing. Once forwarded, the values in these registers no longer need to be retained. In fact, if not cleared or overwritten, these sensitive values can be read over the AXI Lite interface, potentially compromising any previously confidential data stored therein.
Vulnerable example
// Implement SHA256 I/O memory map interfaceSafe example
// Implement SHA256 I/O memory map interfaceAttack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-1239.
- What is CWE-1239?
- The hardware product does not properly clear sensitive information from built-in registers when the user of the hardware block changes.
- How do you prevent CWE-1239?
- Every register potentially containing sensitive information must have a policy specifying how and when information is cleared, in addition to clarifying if it is the responsibility of the hardware logic or IP user to initiate the zeroization procedure at the appropriate time.
- What are the consequences of CWE-1239?
- Exploiting CWE-1239 can lead to: Varies by Context.
References
- MITRE CWE definition (CWE-1239) (opens in a new tab)
- CWE-1239 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-1239
Get alerted the moment a new CWE-1239 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.