CWE-1331: Improper Isolation of Shared Resources in Network On Chip (NoC)
The Network On Chip (NoC) does not isolate or incorrectly isolates its on-chip-fabric and internal resources such that they are shared between trusted and untrusted agents, creating timing channels.
Last updated
Overview
Typically, network on chips (NoC) have many internal resources that are shared between packets from different trust domains. These resources include internal buffers, crossbars and switches, individual ports, and channels. The sharing of resources causes contention and introduces interference between differently trusted domains, which poses a security threat via a timing channel, allowing attackers to infer data that belongs to a trusted agent. This may also result in introducing network interference, resulting in degraded throughput and latency.
Background
"Network-on-chip" (NoC) is a commonly-used term used for hardware interconnect fabrics used by multicore Systems-on-Chip (SoC). Communication between modules on the chip uses packet-based methods, with improved efficiency and scalability compared to bus architectures [REF-1241].
Common consequences
What can happen when CWE-1331 is exploited.
DoS: Resource Consumption (Other), Varies by Context, Other
Affects: Confidentiality, Availability
Attackers may infer data that belongs to a trusted agent. The methods used to perform this attack may result in noticeably increased resource consumption.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to prevent it
Practical mitigations for CWE-1331, grouped by where in the lifecycle they apply.
Implement priority-based arbitration inside the NoC and have dedicated buffers or virtual channels for routing secret data from trusted agents.
How to detect it
Manual Analysis
Providing marker flags to send through the interfaces coupled with examination of which users are able to read or manipulate the flags will help verify that the proper isolation has been achieved and is effective.
Effectiveness: Moderate
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
Consider a NoC that implements a one-dimensional mesh network with four nodes. This supports two flows: Flow A from node 0 to node 3 (via node 1 and node 2) and Flow B from node 1 to node 2. Flows A and B share a common link between Node 1 and Node 2. Only one flow can use the link in each cycle.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2021-33096 — Improper isolation of shared resource in a network-on-chip leads to denial of service
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-1331.
- What is CWE-1331?
- The Network On Chip (NoC) does not isolate or incorrectly isolates its on-chip-fabric and internal resources such that they are shared between trusted and untrusted agents, creating timing channels.
- How do you prevent CWE-1331?
- Implement priority-based arbitration inside the NoC and have dedicated buffers or virtual channels for routing secret data from trusted agents.
- How is CWE-1331 detected?
- Manual Analysis: Providing marker flags to send through the interfaces coupled with examination of which users are able to read or manipulate the flags will help verify that the proper isolation has been achieved and is effective.
- What are the consequences of CWE-1331?
- Exploiting CWE-1331 can lead to: DoS: Resource Consumption (Other), Varies by Context, Other.
References
- MITRE CWE definition (CWE-1331) (opens in a new tab)
- CWE-1331 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-1331
Get alerted the moment a new CWE-1331 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.