CWE-1256: Improper Restriction of Software Interfaces to Hardware Features
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product provides software-controllable device functionality for capabilities such as power and clock management, but it does not properly limit functionality that can lead to modification of hardware memory or register bits, or the ability to observe physical side channels.
常见后果
影响范围: Integrity
技术影响: Modify Memory Modify Application Data Bypass Protection Mechanism
潜在缓解措施
阶段: Architecture and Design Implementation
检测方法
方法: Manual Analysis
Perform a security evaluation of system-level architecture and design with software-aided physical attacks in scope.
方法: Automated Dynamic Analysis
有效性: Moderate
观察示例
参考: CVE-2019-11157
Plundervolt: Improper conditions check in voltage settings for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege and/or information disclosure via local access [REF-1081].
参考: CVE-2020-8694
PLATYPUS Attack: Insufficient access control in the Linux kernel driver for some Intel processors allows information disclosure.
参考: CVE-2020-8695
Observable discrepancy in the RAPL interface for some Intel processors allows information disclosure.
参考: CVE-2020-12912
AMD extension to a Linux service does not require privileged access to the RAPL interface, allowing side-channel attacks.
参考: CVE-2015-0565
NaCl in 2015 allowed the CLFLUSH instruction, making Rowhammer attacks possible.
引入模式
| 阶段 | 说明 |
|---|---|
| Architecture and Design | An architect may initiate introduction of this weakness via exacting requirements for software accessible power/clock management requirements |
| Implementation | An implementer may introduce this weakness by assuming there are no consequences to unbounded power and clock management for secure components from untrusted ones. |