CWE-1431: Driving Intermediate Cryptographic State/Results to Hardware Module Outputs


Description

The product uses a hardware module implementing a cryptographic algorithm that writes sensitive information about the intermediate state or results of its cryptographic operations via one of its output wires (typically the output port containing the final result).

Extended Description

N/A


ThreatScore

Threat Mapped score: 3.0

Industry: Financial

Threat priority: P2 - Serious (High)


Observed Examples (CVEs)

Related Attack Patterns (CAPEC)

N/A


Attack TTPs

N/A

Modes of Introduction

Phase: Implementation
Note: This can occur when intermediate cryptographic states are directly assigned to output wires or ports.

Common Consequences

Potential Mitigations

Applicable Platforms


Demonstrative Examples

Intro: The following SystemVerilog code is a crypto module that takes input data and encrypts it by processing the data through multiple encryption rounds. Note: this example is derived from [REF-1469].

01 | module crypto_core_with_leakage
02 | (
03 |     input  clk,
04 |     input  rst,
05 |     input  [127:0] data_i,
06 |     output [127:0] data_o,
07 |     output valid
08 | );
09 |
10 | localparam int total_rounds = 10;
11 | logic [3:0]   round_id_q;
12 | logic [127:0] data_state_q, data_state_d;
13 | logic [127:0] key_state_q, key_state_d;
14 |
15 | crypto_algo_round u_algo_round (
16 |     .clk     (clk),
17 |     .rst     (rst),
18 |     .round_i (round_id_q  ),
19 |     .key_i   (key_state_q ),
20 |     .data_i  (data_state_q),
21 |     .key_o   (key_state_d ),
22 |     .data_o  (data_state_d)
23 | );
24 |
25 | always @(posedge clk) begin
26 |     if (rst) begin
27 |         data_state_q <= 0;
28 |         key_state_q  <= 0;
29 |         round_id_q   <= 0;
30 |     end
31 |     else begin
32 |         case (round_id_q)
33 |             total_rounds: begin
34 |                 data_state_q <= 0;
35 |                 key_state_q  <= 0;
36 |                 round_id_q   <= 0;
37 |             end
38 |
39 |             default: begin
40 |                 data_state_q <= data_state_d;
41 |                 key_state_q  <= key_state_d;
42 |                 round_id_q   <= round_id_q + 1;
43 |             end
44 |         endcase
45 |     end
46 | end
47 |
48 | assign valid  = (round_id_q == total_rounds) ? 1'b1 : 1'b0;
49 |
50 | assign data_o = data_state_q;
51 |
52 | endmodule

Body: In line 50 above, data_state_q is assigned to data_o. Since data_state_q contains intermediate state/results, this allows an attacker to obtain these results through data_o.
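An added example, not part of the original entry or of [REF-1469]: a gated output stage that could stand in for the line 50 assignment, together with a bound SystemVerilog assertion that flags any cycle in which data_o is non-zero while valid is low. The module names crypto_output_gate and crypto_output_leak_checker are hypothetical, and the all-zeros idle value is an assumption about the intended interface.

```systemverilog
// Added example: hypothetical modules, not from the page or from [REF-1469].

// Output stage that would replace "assign data_o = data_state_q;" (line 50).
// It drives a constant until the final round has completed.
module crypto_output_gate (
    input  logic         valid_i,  // valid in the page's module
    input  logic [127:0] state_i,  // data_state_q in the page's module
    output logic [127:0] data_o
);
    assign data_o = valid_i ? state_i : '0;
endmodule

// Checker that can be bound to the crypto core in simulation or formal runs.
// Assumption: the interface contract is "data_o is all zeros unless valid".
module crypto_output_leak_checker (
    input logic         clk,
    input logic         rst,
    input logic         valid,
    input logic [127:0] data_o
);
    // While valid is low, nothing derived from the round state may be
    // observable on the result port.
    property p_no_intermediate_on_output;
        @(posedge clk) disable iff (rst)
            !valid |-> (data_o == '0);
    endproperty

    a_no_leak: assert property (p_no_intermediate_on_output)
        else $error("data_o is non-zero while valid is low");
endmodule

// Attach the checker to every instance of the module shown on this page.
bind crypto_core_with_leakage crypto_output_leak_checker u_leak_chk (
    .clk    (clk),
    .rst    (rst),
    .valid  (valid),
    .data_o (data_o)
);
```

On the module as listed, the assertion fires as soon as a non-zero intermediate state reaches data_o; it holds once data_o is driven through the gate.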

Notes
