MITRE publishes list of hardware security flaws

MITRE ATT&CK

This weakness can be found in the programming, design and architecture of the hardware, leading to exploitable vulnerabilities and exposing the system to attack.

This was created by MITRE, a non-profit organization, in collaboration with the Hardware CWE Special Interest Group (SIG), which includes representatives from “the hardware design, manufacturing, research, and security communities, as well as universities and government agencies.

Because of the lack of relevant data to conduct a systematic study, this list was created using a modified Delphi method that leverages the subjective opinions of content knowledgeable experts.

The main goal of MITRE’s “2021 CWE Most Important Hardware Weaknesses” is to raise awareness of common hardware weaknesses through Common Weakness Enumeration (CWE).

https://cwe.mitre.org/documents/ HW_CWE_SIG.pdf

We can also prevent hardware security problems from happening in the first place by teaching programmers and designers how to eliminate critical mistakes early in the product development lifecycle.

In addition, test engineers and security analysts can use this list to prepare their security testing and evaluation plans.

The following list shows the 10 most problematic security weaknesses for the 96 pieces of hardware in CWE.

  • CWE-1189 Improper Isolation of Shared Resources in System-on-Chip (SoC)
  • CWE-1191 Improper Access Control for On-Chip Debug and Test Interfaces
  • CWE-1231 Improper Lock Bit Change Security Sensitive Hardware Controls Lacking Lock Bit Protection
  • CWE-1233 Security Sensitive Hardware Controls Lacking Lock Bit Protection
  • CWE-1240 Use of Cryptographic Primitives in Risky Implementations
  • CWE-1244 Insecure Debug Access Levels or States Inadequate handling of overlap between protected memory ranges
  • CWE-1260 Inadequate handling of overlap between protected memory ranges
  • CWE-1272 Unclear handling of sensitive information prior to transition
  • CWE-1274 Inappropriate access control to volatile memory containing boot code
  • CWE-1277 Inability to update firmware
  • CWE-1300 Inappropriate protection of physical side channels

MITRE notes that “hardware users can use this list to ask their suppliers for more secure hardware products, and managers and CIOs can use it as a measure of their progress in addressing hardware security and where to invest resources to develop security tools and automated processes that mitigate a wide range of vulnerabilities by eliminating root causes. This list can be used by managers and CIOs as a measure of progress in their hardware security efforts, and to identify where to invest resources to develop security tools and automated processes that mitigate a wide range of vulnerabilities by eliminating root causes.

https://cwe.mitre.org/ scoring/lists/2021_CWE_MIHW.html

MITRE also published in July a list of the top 25 most common and dangerous vulnerabilities that have occurred in software over the past two years.

Last May, CISA and the FBI also released the top 10 most exploited security flaws from 2016-2019.

Leave a Reply

Your email address will not be published.