HW CWE Categories Work Stream

Physical and Environment Category Working Notes

SIG Questions to Consider

I want to bring to your attention an existing CWE entry whose extended description reads very similar to the category text we just developed. Thanks to Steve Christey for the pointer. With this new information I have a few asks of the group:

1. Do you agree that the descriptions of CWE-1384 and the new category are similar? I think they are but want to hear your opinions.
2. If similar, what is the purpose of creating a new category? It is possible to organize related CWEs to be children of CWE-1384.
3. I’ve listed all the CWE entries below that we have identified that would be organized under this new category. Does it make sense to make them all children of CWE-1384?
4. Is there a use case for CWE where having these organized under a category vs a child/parent relationship is preferable?

What say you?

Reference Material

CWE-1384: Improper Handling of Extreme Physical Environment Conditions

Description

The product does not properly detect and handle extreme conditions in the product's physical environment, such as temperature, radiation, humidity, power, or other physical phenomena.

Extended Description

Hardware products are typically only guaranteed to behave correctly within certain environmental limits, such as running between minimum and maximum temperatures. Such products cannot necessarily control the external conditions that they are subjected to. However, the inability to detect and handle such conditions can cause the product to produce security-critical errors, e.g., flipping a bit that is used for an authentication decision. In addition, these physical conditions could be intentionally manipulated by an adversary to directly trigger such errors, although it might be technically difficult to do so.

Description for New Proposed HW Category

Proposed Category Name

Physical and Environmental Hazards

Category Description

This category's weaknesses are associated with hazards related to the physical environment in which a system operates. These hazards can undermine a component's reliability, security, or resilience when subjected to extreme conditions. Hazards include severe temperatures, component aging, under-voltages, overvoltages, clock transients, materials manipulation, electromagnetic interference, exposure to light (such as UV, X-rays, or lasers), or exposure to ionizing radiation.

Physical and Environmental Related CWEs

• CWE-1319: Improper Protection against Electromagnetic Fault Injection (EM-FI)
• CWE-1300: Improper Protection of Physical Side Channels
• CWE-1278: Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
• *CWE-1332: Improper Handling of Faults that Lead to Instruction Skips
• *CWE-1247: Improper Protection Against Voltage and Clock Glitches
• CWE-1255: Comparison Logic is Vulnerable to Power Side-Channel Attacks
• *CWE-1351: Improper Handling of Hardware Behavior in Exceptionally Cold Environments
• CWE-1263: Improper Physical Access Control
• CWE-1338: Improper Protections Against Hardware Overheating under
• CWE-1334: Unauthorized Error Injection Can Degrade Hardware Redundancy
• CWE-1319: Improper Protection against Electromagnetic Fault Injection

*: Indicates that this CWE is currently organized as a child of CWE-1384.

CWE-1384 Draft Update

Compare to https://cwe.mitre.org/data/definitions/1384.html Title CWE-1384: Improper Handling of Extreme Physical Conditions or Harsh Environments Description The product does not properly detect and handle extreme physical conditions or harsh environments that are naturally occurring or artificially induced. Extended Description Hardware products are typically only guaranteed to behave correctly within certain physical limits or environmental conditions. Such products cannot necessarily control the physical or external conditions that they are subjected to. However, the inability to detect and handle such conditions can undermine a component's reliability, security, or resilience. Extreme and harsh conditions can occur naturally or induced artificially. [ADD EXAMPLE]

Conditions and characteristics of concern are:

• Atmospheric characteristics: extreme temperature ranges, excessive dust, high humidity, etc.
• Industrial environments: high vibrations, shocks, smoke, dust, explosive gases, etc.
• Interference: electromagnetic interference (EMI), radio frequency interference (RFI), etc.
• Assorted light sources: white light, ultra-violet light (UV), lasers, infrared (IR), etc.
• Power variances: spikes, sags, surges, swells, brownouts, blackouts, under-voltages, over-voltages, under-current, over-current, etc.
• Clock variances: glitching, overclocking, clock stretching, etc.
• Component aging and degradation
• Materials manipulation: focused ion beams (FIB), etc.
• Exposure to radiation: x-rays, cosmic radiation, etc.