CAPEC-702: Exploiting Incorrect Chaining or Granularity of Hardware Debug Components
CAPEC Version: 3.9
Last Updated: 2023-01-24
Attack Pattern Description
Execution Flow
Step 1: Explore
[Find and scan debug interface] The adversary first locates an exposed debug interface and scans it to work out how to drive it and which devices are chained behind it.
- Use a JTAGulator on a JTAG interface to determine the pin assignment (TCK, TMS, TDI, TDO and, if present, TRST), a working TCK clock rate, and the number of devices in the chain. JTAG itself has no baud rate; that setting applies to UART pins, which a JTAGulator can also identify.
Step 2: Experiment
[Connect to debug interface] The adversary next connects a debug adapter to the JTAG interface using the pinout and chain length found in the Explore phase so that they can send commands, and sends a few test commands (for example, reading the IDCODE of each device) to confirm the connection is working.
- Connect a device such as a BusPirate or UM232H to the JTAG interface using the pin layout found with the JTAGulator
Step 3: Exploit
[Move along debug chain] Once the adversary has connected to the JTAG interface (the primary TAP), they walk the TAP chain to see which other debug interfaces are reachable on that chain, including ones that were never meant to be exposed at their current level of access.
- Run a command such as "scan_chain" (for example, in OpenOCD) to list the TAPs present in the chain.
Prerequisites
- Hardware device has an exposed debug interface
Skills Required
Resources Required
- A device to scan a TAP or JTAG interface, such as a JTAGulator
- A device to communicate on a TAP or JTAG interface, such as a BusPirate
Consequences
Scope: Confidentiality
Technical Impact: Read Data
Scope: Integrity
Technical Impact: Modify Data
Scope: Access Control, Authorization
Technical Impact: Gain Privileges
Mitigations
Implement: Ensure that debug components are chained so that each one is exposed only at the authorization level it requires; unlocking or reaching one TAP must not implicitly place higher-privilege TAPs in the reachable chain.
Perform post-silicon validation tests at each authorization level to confirm that every debug component is accessible only to users authorized for it.
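The execution flow above (enumerating which TAPs become visible on the chain) and the mitigation (exposing each TAP only at its own authorization level) can be modelled together. The following Python is an added example written for this page; it is not MITRE/CAPEC material and not any vendor's implementation. It simulates the IDCODE bitstream a probe captures on TDO after a TAP reset, parses it the way a scan_chain-style enumeration does, and contrasts a flat chain (every TAP linked in as soon as the port is reachable) with a gated chain where TAPs above the session's authorization level are held in BYPASS. The TAP names, IDCODE values, authorization levels and the BYPASS-based gating model are constructed assumptions; a real design may instead unlink a locked TAP from the chain entirely.

```python
"""Simulated JTAG chain enumeration with and without per-TAP authorization gating.

Added example for CAPEC-702, not MITRE's code. Values marked as constructed
are made up for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

IDCODE_BITS = 32
END_OF_CHAIN = 0xFFFFFFFF  # reserved by IEEE 1149.1; seen when the 1s shifted into TDI return


@dataclass(frozen=True)
class Tap:
    name: str
    idcode: int   # IEEE 1149.1 IDCODE (bit 0 is always 1)
    level: int    # authorization level needed to expose this TAP (assumed model)


def make_idcode(version: int, part: int, manufacturer: int) -> int:
    """Pack an IDCODE: [31:28] version, [27:12] part number, [11:1] JEP106 id, [0] = 1."""
    return ((version & 0xF) << 28) | ((part & 0xFFFF) << 12) | ((manufacturer & 0x7FF) << 1) | 1


def decode_idcode(code: int) -> Dict[str, int]:
    """Split an IDCODE into its version, part number and JEP106 manufacturer fields."""
    return {
        "version": (code >> 28) & 0xF,
        "part": (code >> 12) & 0xFFFF,
        "manufacturer": (code >> 1) & 0x7FF,
    }


def encode_tdo_stream(idcodes: List[Optional[int]], pad_ones: int = 64) -> List[int]:
    """Bits a probe reads on TDO during Shift-DR right after Test-Logic-Reset.

    Each TAP loads IDCODE (32 bits, LSB first) or, if it has none or sits in
    BYPASS, a single 0 bit. `idcodes` is ordered nearest-to-TDO first because
    that device's bits come out first. Once the chain is drained, the 1s the
    probe shifts into TDI come back round; `pad_ones` models that.
    """
    bits: List[int] = []
    for code in idcodes:
        if code is None:
            bits.append(0)
        else:
            bits.extend((code >> k) & 1 for k in range(IDCODE_BITS))
    bits.extend([1] * pad_ones)
    return bits


def parse_idcode_chain(bits: List[int], max_devices: int = 32) -> List[Optional[int]]:
    """Recover the devices on the chain from a TDO capture (what scan_chain reports).

    A leading 0 bit is a BYPASS device (None); a leading 1 starts a 32-bit
    IDCODE. Parsing stops at the reserved all-ones word. `max_devices` bounds
    a TDO stuck low, which would otherwise look like endless BYPASS devices;
    a TDO stuck high yields an empty chain.
    """
    devices: List[Optional[int]] = []
    i = 0
    while i < len(bits):
        if bits[i] == 0:
            devices.append(None)
            i += 1
        else:
            word = bits[i:i + IDCODE_BITS]
            if len(word) < IDCODE_BITS:
                raise ValueError("capture ended inside an IDCODE")
            code = sum(b << k for k, b in enumerate(word))
            if code == END_OF_CHAIN:
                break
            devices.append(code)
            i += IDCODE_BITS
        if len(devices) > max_devices:
            raise ValueError("more than max_devices seen; TDO may be stuck low")
    return devices


# Constructed chain, nearest-to-TDO first. IDCODEs and levels are made up.
TAPS: List[Tap] = [
    Tap("boundary_scan", make_idcode(1, 0x1234, 0x04A), level=0),
    Tap("cpu_debug", make_idcode(2, 0x0ABC, 0x04A), level=1),
    Tap("secure_enclave_debug", make_idcode(1, 0x0DEF, 0x04A), level=2),
]


def observed_chain(taps: List[Tap], session_level: int, gated: bool) -> List[int]:
    """TDO bits an adversary captures at a given authorization level.

    gated=False: flat chain, every TAP is linked in once the port is reachable
    (the weakness CAPEC-702 exploits).
    gated=True: TAPs above session_level are held in BYPASS, exposing neither
    an IDCODE nor an instruction register (assumed model of proper granularity).
    """
    ids: List[Optional[int]] = [
        None if (gated and tap.level > session_level) else tap.idcode for tap in taps
    ]
    return encode_tdo_stream(ids)


def enumerate_chain(taps: List[Tap], session_level: int, gated: bool) -> List[str]:
    """Human-readable enumeration result at session_level, one line per device."""
    report = []
    for n, dev in enumerate(parse_idcode_chain(observed_chain(taps, session_level, gated))):
        if dev is None:
            report.append(f"tap{n}: BYPASS (no IDCODE exposed)")
        else:
            f = decode_idcode(dev)
            report.append(f"tap{n}: IDCODE 0x{dev:08X} mfr=0x{f['manufacturer']:03X} part=0x{f['part']:04X}")
    return report


if __name__ == "__main__":
    for gated in (False, True):
        print(f"\n--- session level 0, gated={gated} ---")
        print("\n".join(enumerate_chain(TAPS, session_level=0, gated=gated)))
```

Running the block at session level 0 shows the flat chain handing over all three IDCODEs, including the secure-enclave debug TAP, while the gated chain reveals only the boundary-scan TAP and reports the other two as BYPASS. The same parser is also the check to apply during post-silicon validation: run the enumeration at each authorization level and confirm that the set of non-BYPASS devices matches what that level is allowed to see.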