Capec-702 Detail
Exploiting Incorrect Chaining or Granularity of Hardware Debug Components
Abstraction: Detailed
Domains of Attack: Software, Hardware
Likelihood of Attack: Low
Typical Severity: Medium
Parents: 180
An adversary exploits incorrect chaining or granularity of hardware debug components in order to gain unauthorized access to debug functionality on a chip. This happens when authorization is not checked on a per function basis and is assumed for a chain or group of debug functionality.
Chip designers often include design elements in a chip for debugging and troubleshooting, such as:
- Various Test Access Ports (TAPs), which allow boundary scan commands to be executed.
- Scan cells that allow the chip to be used as a "stimulus and response" mechanism for scanning the internal components of a chip.
- Custom methods to observe the internal components of their chips by placing various tracing hubs within their chip and creating hierarchical or interconnected structures among those hubs.
Because devices commonly have multiple chips and debug components, designers will connect debug components and expose them through a single external interface, which is referred to as "chaining". Logic errors during design or synthesis could misconfigure the chaining of the debug components, which could allow unintended access. TAPs are also commonly referred to as JTAG interfaces.
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-702 | capec | https://capec.mitre.org/data/definitions/702.html | |
| CWE-1296 | cwe | http://cwe.mitre.org/data/definitions/1296.html | |
| REF-748 | reference_from_CAPEC | https://www.hpl.hp.com/hpjournal/94dec/dec94a7a.pdf | Hewlett-Packard Journal, Overview of the Test Access Port, 1994-12 |
| REF-749 | reference_from_CAPEC | https://flynn.com/2017/06/12/finding-faults-with-the-test-access-port-tap/ | Finding Faults with the Test Access Port (TAP), 2017-06-12 |
| REF-750 | reference_from_CAPEC | https://www.xjtag.com/about-jtag/jtag-a-technical-overview/ | Technical Guide to JTAG |
Explore
- Find and scan debug interface: The adversary must first find and scan a debug interface to determine what they are authorized to use and what devices are chained to that interface.
| Techniques |
|---|
| Use a JTAGulator on a JTAG interface to determine the correct pin configuration, baud rate, and number of devices in the chain |
Experiment
- Connect to debug interface: The adversary next connects a device to the JTAG interface using the properties found in the explore phase so that they can send commands. The adversary sends some test commands to make sure the connection is working.
| Techniques |
|---|
| Connect a device such as a BusPirate or UM232H to the JTAG interface and connect using pin layout found from the JTAGulator |
Exploit
- Move along debug chain: Once the adversary has connected to the main TAP, or JTAG interface, they will move along the TAP chain to see what debug interfaces might be available on that chain.
| Techniques |
|---|
| Run a command such as "scan_chain" to see what TAPs are available in the chain. |
Prerequisites
- Hardware device has an exposed debug interface
- A device to scan a TAP or JTAG interface, such as a JTAGulator
- A device to communicate on a TAP or JTAG interface, such as a BusPirate
Skills Required
| Skill Level | Description |
|---|---|
| Medium | Ability to operate devices to scan and connect to an exposed debug interface |
Consequences
| Scope | Impact |
|---|---|
| Integrity | Modify Data |
| Authorization | Gain Privileges |
| Access Control | Gain Privileges |
| Confidentiality | Read Data |
Example Instances
- A System-on-Chip (SoC) might give regular users access to the SoC-level TAP, but does not want to give access to all of the internal TAPs (e.g., Core). If any of the internal TAPs were incorrectly chained to the SoC-level TAP, this would grant regular users access to the internal TAPs and allow them to execute commands there.
- Suppose there is a hierarchy of TAPs (TAP_A is connected to TAP_B and TAP_C, then TAP_B is connected to TAP_D and TAP_E, then TAP_C is connected to TAP_F and TAP_G, etc.). Architecture mandates that the user have one set of credentials for just accessing TAP_A, another set of credentials for accessing TAP_B and TAP_C, etc. However, if, during implementation, the designer mistakenly implements a daisy-chained TAP where all the TAPs are connected in a single TAP chain without the hierarchical structure, the correct granularity of debug components is not implemented, and the attacker can gain unauthorized access.
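The two example instances above differ in where authorization is checked: once for a whole chain, or once per TAP along the mandated hierarchy. The following added model (not part of CAPEC or any real SoC; the TAP names follow the example, the credential names and topology dictionaries are hypothetical) contrasts the flawed chain-level check with a per-TAP check, and adds a design-verification function that compares an implemented chain against the mandated hierarchy to flag incorrectly chained TAPs.

```python
# Constructed model of the hierarchy in the example above: TAP_A is the
# SoC-level TAP, TAP_B/TAP_C sit below it, TAP_D..TAP_G below those.
# Names of credentials are hypothetical.
MANDATED_PARENT = {
    "TAP_A": None,
    "TAP_B": "TAP_A", "TAP_C": "TAP_A",
    "TAP_D": "TAP_B", "TAP_E": "TAP_B",
    "TAP_F": "TAP_C", "TAP_G": "TAP_C",
}
# Credential required at each level, one set per tier as the example mandates.
REQUIRED_CRED = {
    "TAP_A": "cred_soc",
    "TAP_B": "cred_core", "TAP_C": "cred_core",
    "TAP_D": "cred_internal", "TAP_E": "cred_internal",
    "TAP_F": "cred_internal", "TAP_G": "cred_internal",
}

def chain_level_authorized(creds, target):
    """Flawed model: every TAP daisy-chained behind the SoC-level TAP and
    authorization checked once for the chain. `target` is ignored, so a
    holder of the SoC credential reaches every internal TAP."""
    return REQUIRED_CRED["TAP_A"] in creds

def per_tap_authorized(creds, target, parent=MANDATED_PARENT):
    """Correct model: walk from the target TAP up to the root and require
    the credential of every TAP on that path (per-function authorization)."""
    node = target
    while node is not None:
        if REQUIRED_CRED[node] not in creds:
            return False
        node = parent[node]
    return True

def reachable(creds, check):
    """TAPs a holder of `creds` may issue commands to under policy `check`."""
    return sorted(t for t in REQUIRED_CRED if check(creds, t))

def chaining_violations(implemented_parent, mandated_parent=MANDATED_PARENT):
    """Design-verification check: report every TAP whose parent in the
    implemented (synthesised) chain differs from the mandated hierarchy."""
    return sorted(t for t, p in mandated_parent.items()
                  if implemented_parent.get(t) != p)

if __name__ == "__main__":
    soc_user = {"cred_soc"}  # a regular user holding only the SoC credential
    print("chain-level check reaches:", reachable(soc_user, chain_level_authorized))
    print("per-TAP check reaches    :", reachable(soc_user, per_tap_authorized))
    # A mistakenly implemented single daisy chain A-B-C-D-E-F-G.
    daisy = {"TAP_A": None, "TAP_B": "TAP_A", "TAP_C": "TAP_B", "TAP_D": "TAP_C",
             "TAP_E": "TAP_D", "TAP_F": "TAP_E", "TAP_G": "TAP_F"}
    print("incorrectly chained TAPs :", chaining_violations(daisy))
```

Running `chaining_violations` against the netlist-derived chain order is the kind of check a design review can automate before tape-out, while `per_tap_authorized` is the access model the debug controller should enforce at runtime.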