Skip to content

HW CWE Categories Work Stream

Jump to bottom
BobH-MITRE edited this page May 18, 2022 · 19 revisions

Physical and Environment Category Working Notes

SIG Questions to Consider

I want to bring to your attention an existing CWE entry whose extended description reads very similar to the category text we just developed. Thanks to Steve Christey for the pointer. With this new information I have a few asks of the group:

  1. Do you agree that the descriptions of CWE-1384 and the new category are similar? I think they are but want to hear your opinions.
  2. If similar, what is the purpose of creating a new category? It is possible to organize related CWEs to be children of CWE-1384.
  3. I’ve listed all the CWE entries below that we have identified that would be organized under this new category. Does it make sense to make them all children of CWE-1384?
  4. Is there a use case for CWE where having these organized under a category vs a child/parent relationship is preferable? What say you?

Reference Material

CWE-1384: Improper Handling of Extreme Physical Environment Conditions

Description

The product does not properly detect and handle extreme conditions in the product's physical environment, such as temperature, radiation, humidity, power, or other physical phenomena.

Extended Description

Hardware products are typically only guaranteed to behave correctly within certain environmental limits, such as running between minimum and maximum temperatures. Such products cannot necessarily control the external conditions that they are subjected to. However, the inability to detect and handle such conditions can cause the product to produce security-critical errors, e.g., flipping a bit that is used for an authentication decision. In addition, these physical conditions could be intentionally manipulated by an adversary to directly trigger such errors, although it might be technically difficult to do so.

Description for New Proposed HW Category

Proposed Category Name

Physical and Environmental Hazards

Category Description

This category's weaknesses are associated with hazards related to the physical environment in which a system operates. These hazards can undermine a component's reliability, security, or resilience when subjected to extreme conditions. Hazards include severe temperatures, component aging, under-voltages, overvoltages, clock transients, materials manipulation, electromagnetic interference, exposure to light (such as UV, X-rays, or lasers), or exposure to ionizing radiation.

Physical and Environmental Related CWEs

  • CWE-1319: Improper Protection against Electromagnetic Fault Injection (EM-FI)
  • CWE-1300: Improper Protection of Physical Side Channels
  • CWE-1278: Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
  • *CWE-1332: Improper Handling of Faults that Lead to Instruction Skips
  • *CWE-1247: Improper Protection Against Voltage and Clock Glitches
  • CWE-1255: Comparison Logic is Vulnerable to Power Side-Channel Attacks
  • *CWE-1351: Improper Handling of Hardware Behavior in Exceptionally Cold Environments
  • CWE-1263: Improper Physical Access Control
  • CWE-1338: Improper Protections Against Hardware Overheating under
  • CWE-1334: Unauthorized Error Injection Can Degrade Hardware Redundancy
  • CWE-1319: Improper Protection against Electromagnetic Fault Injection

*: Indicates that this CWE is currently organized as a child of CWE-1384.

Clone this wiki locally