New to CAPEC? Start Here
Home > CAPEC List > CAPEC-680: Exploitation of Improperly Controlled Registers (Version 3.6)  

CAPEC-680: Exploitation of Improperly Controlled Registers

Attack Pattern ID: 680
Abstraction: Detailed
Status: Draft
Presentation Filter:
+ Description

An adversary exploits missing or incorrectly configured access control within registers to read/write data that is not meant to be obtained or modified by a user.

+ Extended Description

Hardware systems often utilize trusted lock bits to prevent a set of registers from being written to or to restrict a register to only being written to once. Registers are also frequently used to store sensitive data leveraged in additional security operations, such as secure booting, authenticating code, device attestation, and more. However, the access control mechanisms meant to protect these registers may be fully missing or ineffective due to misconfiguration. If an adversary is able to discover improper access controls surrounding registers, it could result in the adversary obtaining sensitive data and/or modifying data that is meant to be immutable. This can ultimately result in processes like secure boot being circumvented or in protected configurations being modified.

+ Likelihood Of Attack

Medium

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.1Accessing Functionality Not Properly Constrained by ACLs
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.180Exploiting Incorrectly Configured Access Control Security Levels
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
Awareness of the hardware being leveraged.
Access to the hardware being leveraged.
+ Skills Required
[Level: High]
Intricate knowledge of registers.
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Integrity
Modify Data
Confidentiality
Read Data
+ Mitigations
Design proper access control policies for hardware register access from software and ensure these policies are implemented in accordance with the specified design.
Ensure security lock bit protections are reviewed for design inconsistencies and common weaknesses.
Test security lock programming flow in both pre-silicon and post-silicon environments.
Leverage automated tools to test that values are not reprogrammable and that write-once fields lock on writing zeros.
Ensure that measurement data is stored in registers that are read-only or otherwise have access controls that prevent modification by an untrusted agent.
+ Example Instances

During a System-on-Chip's (SoC) secure boot process, the code to be authenticated is measured to determine the code's validity. This entails the one-way hash of the code binary being calculated and extended to the previous hash. The value obtained after completion of the boot flow is then stored in a register with the intent of later verifying this value to determine if the boot flow has been tampered with. However, the register being used does not prevent an adversary from modifying the register's contents, which can result in the adversary spoofing the measurement data used in the attestation process.

+ References
[REF-693] Brandon Hill. "Huge Intel CPU Bug Allegedly Causes Kernel Memory Vulnerability With Up To 30% Performance Hit In Windows And Linux". David Altavilla and Hot Hardware, Inc. 2018-01-02. <https://hothardware.com/news/intel-cpu-bug-kernel-memory-isolation-linux-windows-macos>. URL validated: 2021-10-21.
+ Content History
Submissions
Submission DateSubmitterOrganization
2021-10-21CAPEC Content TeamThe MITRE Corporation
More information is available — Please select a different filter.
Page Last Updated or Reviewed: October 21, 2021