CAPEC-680 Detail

Exploitation of Improperly Controlled Registers

Abstraction: Detailed. Domain: Hardware. Likelihood of Attack: Medium. Typical Severity: High.

Parents: 1, 180

Threats: T277 T286 T336 T340 T383 T390 T396 T405

Description

An adversary exploits missing or incorrectly configured access control within registers to read/write data that is not meant to be obtained or modified by a user.

Extended Description

Hardware systems often utilize trusted lock bits to prevent a set of registers from being written to or to restrict a register to only being written to once. Registers are also frequently used to store sensitive data leveraged in additional security operations, such as secure booting, authenticating code, device attestation, and more. However, the access control mechanisms meant to protect these registers may be fully missing or ineffective due to misconfiguration. If an adversary is able to discover improper access controls surrounding registers, it could result in the adversary obtaining sensitive data and/or modifying data that is meant to be immutable. This can ultimately result in processes like secure boot being circumvented or in protected configurations being modified.

References

External ID   Source                 Link                                                                                      Description
CAPEC-680     capec                  https://capec.mitre.org/data/definitions/680.html
CWE-1224      cwe                    http://cwe.mitre.org/data/definitions/1224.html
CWE-1231      cwe                    http://cwe.mitre.org/data/definitions/1231.html
CWE-1233      cwe                    http://cwe.mitre.org/data/definitions/1233.html
CWE-1262      cwe                    http://cwe.mitre.org/data/definitions/1262.html
CWE-1283      cwe                    http://cwe.mitre.org/data/definitions/1283.html
REF-693       reference_from_CAPEC   https://hothardware.com/news/intel-cpu-bug-kernel-memory-isolation-linux-windows-macos    Brandon Hill, "Huge Intel CPU Bug Allegedly Causes Kernel Memory Vulnerability With Up To 30% Performance Hit In Windows And Linux", 2018-01-02, David Altavilla and Hot Hardware, Inc.

Prerequisites

  1. Awareness of the hardware being leveraged.
  2. Access to the hardware being leveraged.

Skills Required

High: Intricate knowledge of registers.

Consequences

Scope: Integrity, Confidentiality
Impact: Modify Data, Read Data

Example Instances

  1. During a System-on-Chip's (SoC) secure boot process, the code to be authenticated is measured to determine the code's validity. This entails the one-way hash of the code binary being calculated and extended to the previous hash. The value obtained after completion of the boot flow is then stored in a register with the intent of later verifying this value to determine if the boot flow has been tampered with. However, the register being used does not prevent an adversary from modifying the register's contents, which can result in the adversary spoofing the measurement data used in the attestation process.
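The example above is the register-level defect in a form that can be checked: a measurement register that accepts raw writes and a lock bit that is not sticky, beside the hardened behaviour (extend-only measurement, set-once lock). This is a constructed software model added here, not code from the CAPEC entry or from any real SoC; the stage hashes, the toy hash-extend function and the register names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed model of a boot measurement register plus its lock bit; not real SoC code. */
typedef enum { REG_MEAS = 0, REG_LOCK = 1 } reg_id_t;
typedef struct { uint32_t measurement; uint32_t lock; } meas_reg_t;
typedef int (*write_fn)(meas_reg_t *, reg_id_t, uint32_t);

/* Toy stand-in for the one-way hash-extend step (assumption: not a real hash). */
static uint32_t toy_extend(uint32_t prev, uint32_t value) {
    uint32_t h = (prev ^ 0x9E3779B9u) ^ value;
    h *= 0x85EBCA6Bu;
    return h ^ (h >> 13);
}

/* Weak register: plain read/write, lock bit not sticky. This is the defect CAPEC-680 describes. */
static int weak_write(meas_reg_t *r, reg_id_t id, uint32_t v) {
    if (id == REG_MEAS) r->measurement = v; else r->lock = v & 1u;
    return 0;
}

/* Hardened register: measurement is extend-only, lock is set-once until reset.
   Returns 0 if the write was applied, -1 if access control rejected it. */
static int hardened_write(meas_reg_t *r, reg_id_t id, uint32_t v) {
    if (id == REG_LOCK) {
        if (r->lock) return -1;         /* sticky: software cannot clear it */
        r->lock = v & 1u;
        return 0;
    }
    if (r->lock) return -1;             /* measurement frozen once locked */
    r->measurement = toy_extend(r->measurement, v);   /* never a raw overwrite */
    return 0;
}

/* Conformance check: run a boot flow (extend three constructed stage hashes, then lock), then
   issue post-lock writes. Returns 1 if measurement and lock bit survived unchanged, else 0. */
int registers_held_after_lock(write_fn wr) {
    static const uint32_t stages[] = { 0x1001u, 0x2002u, 0x3003u };
    meas_reg_t r = { 0, 0 };
    for (size_t i = 0; i < sizeof stages / sizeof stages[0]; i++) wr(&r, REG_MEAS, stages[i]);
    wr(&r, REG_LOCK, 1);
    uint32_t expected = r.measurement;
    wr(&r, REG_MEAS, 0xBADu);   /* post-lock overwrite attempt, as a conformance test issues */
    wr(&r, REG_LOCK, 0);        /* post-lock unlock attempt */
    return (r.measurement == expected && r.lock == 1) ? 1 : 0;
}

int main(void) {
    printf("weak held=%d, hardened held=%d\n", registers_held_after_lock(weak_write), registers_held_after_lock(hardened_write));
    return 0;
}
```

The weak model reports 0 (the measurement was replaced and the lock cleared); the hardened model reports 1, which is the property a register-lock test bench should assert before relying on the register for attestation.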