Skip to content

HW CWE Categories Work Stream

Jump to bottom
BobH-MITRE edited this page May 18, 2022 · 19 revisions

Physical and Environment Category

Reference Material

CWE-1384: Improper Handling of Extreme Physical Environment Conditions

Description

The product does not properly detect and handle extreme conditions in the product's physical environment, such as temperature, radiation, humidity, power, or other physical phenomena.

Extended Description

Hardware products are typically only guaranteed to behave correctly within certain environmental limits, such as running between minimum and maximum temperatures. Such products cannot necessarily control the external conditions that they are subjected to. However, the inability to detect and handle such conditions can cause the product to produce security-critical errors, e.g., flipping a bit that is used for an authentication decision. In addition, these physical conditions could be intentionally manipulated by an adversary to directly trigger such errors, although it might be technically difficult to do so.

Description for New Proposed HW Category

Proposed Category Name

Physical and Environmental Hazards

Category Description

This category's weaknesses are associated with hazards related to the physical environment in which a system operates. These hazards can undermine a component's reliability, security, or resilience when subjected to extreme conditions. Hazards include severe temperatures, component aging, under-voltages, overvoltages, clock transients, materials manipulation, electromagnetic interference, exposure to light (such as UV, X-rays, or lasers), or exposure to ionizing radiation.

Physical and Environmental Related CWEs

  • CWE-1319: Improper Protection against Electromagnetic Fault Injection (EM-FI)
  • CWE-1300: Improper Protection of Physical Side Channels
  • CWE-1278: Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
  • *CWE-1332: Improper Handling of Faults that Lead to Instruction Skips
  • *CWE-1247: Improper Protection Against Voltage and Clock Glitches
  • CWE-1255: Comparison Logic is Vulnerable to Power Side-Channel Attacks
  • *CWE-1351: Improper Handling of Hardware Behavior in Exceptionally Cold Environments
  • CWE-1263: Improper Physical Access Control
  • CWE-1338: Improper Protections Against Hardware Overheating under
  • CWE-1334: Unauthorized Error Injection Can Degrade Hardware Redundancy
  • CWE-1319: Improper Protection against Electromagnetic Fault Injection

*: Indicates that this CWE is currently organized as a child of CWE-1384.

Clone this wiki locally