CWE-1239: Improper Zeroization of Hardware Register
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The hardware product does not properly clear sensitive information from built-in registers when the user of the hardware block changes.
扩展描述
Hardware logic operates on data stored in registers local to the hardware block. Most hardware IPs, including cryptographic accelerators, rely on registers to buffer I/O, store intermediate values, and interface with software. The result of this is that sensitive information, such as passwords or encryption keys, can exist in locations not transparent to the user of the hardware logic. When a different entity obtains access to the IP due to a change in operating mode or conditions, the new entity can extract information belonging to the previous user if no mechanisms are in place to clear register contents. It is important to clear information stored in the hardware if a physical attack on the product is detected, or if the user of the hardware block changes. The process of clearing register contents in a hardware IP is referred to as zeroization in standards for cryptographic hardware modules such as FIPS-140-2 [REF-267].
常见后果
影响范围: Confidentiality
技术影响: Varies by Context
说明: The consequences will depend on the information disclosed due to the vulnerability.
潜在缓解措施
阶段: Architecture and Design
描述: Every register potentially containing sensitive information must have a policy specifying how and when information is cleared, in addition to clarifying if it is the responsibility of the hardware logic or IP user to initiate the zeroization procedure at the appropriate time.
引入模式
| 阶段 | 说明 |
|---|---|
| Architecture and Design | Lack of hardware mechanisms to zeroize or clear registers in the design or specification. |
| Implementation | Mechanisms to zeroize and clear registers are in the design but implemented incorrectly. |
| Operation | Hardware-provided zeroization mechanisms are not used appropriately by the IP user (ex. firmware), or data remanence issues are not taken into account. |
适用平台
编程语言
操作系统
技术
关键信息
CWE ID: CWE-1239
抽象级别: Variant
结构: Simple
状态: Draft