Name |
Exploiting Incorrect Chaining or Granularity of Hardware Debug Components |
|
Likelihood of attack | Typical severity |
Low | Medium |
|
Summary |
An adversary exploits incorrect chaining or granularity of hardware debug components in order to gain unauthorized access to debug functionality on a chip. This happens when authorization is not checked on a per-function basis and is instead assumed for a whole chain or group of debug functionality. |
Prerequisites |
Hardware device has an exposed debug interface |
Execution Flow |
Step | Phase | Description | Techniques |
1 | Explore | [Find and scan debug interface] The adversary must first find and scan a debug interface to determine what they are authorized to use and what devices are chained to that interface. |
- Use a JTAGulator on a JTAG interface to determine the correct pin configuration, baud rate, and number of devices in the chain
|
2 | Experiment | [Connect to debug interface] The adversary next connects a device to the JTAG interface using the properties found in the explore phase so that they can send commands. The adversary sends some test commands to make sure the connection is working. |
- Connect a device such as a BusPirate or UM232H to the JTAG interface and connect using pin layout found from the JTAGulator
|
3 | Exploit | [Move along debug chain] Once the adversary has connected to the main TAP, or JTAG interface, they will move along the TAP chain to see what debug interfaces might be available on that chain. |
- Run a command such as “scan_chain” to see what TAPs are available in the chain.
|
Solutions |
Implement: Ensure that debug components are properly chained, and their granularity is maintained at different authorization levels. |
Perform post-silicon validation tests at various authorization levels to ensure that debug components are only accessible to authorized users. |
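The validation step named under Solutions can be expressed as an access-matrix check: exercise every debug component at every authorization level and compare the result with policy. The following is an added example, not part of the original entry; the level names, component names and the two access models are hypothetical stand-ins for measurements taken on real silicon.

```python
from dataclasses import dataclass

# Authorization levels, lowest to highest. Names are hypothetical.
LEVELS = ["unauthenticated", "field_service", "manufacturer"]

def rank(level):
    return LEVELS.index(level)

@dataclass(frozen=True)
class DebugComponent:
    name: str
    required_level: str  # policy: minimum level allowed to use this component

# Constructed sample chain, in scan order; not taken from any real device.
CHAIN = [
    DebugComponent("boundary_scan_tap", "unauthenticated"),
    DebugComponent("cpu_debug_tap", "field_service"),
    DebugComponent("key_fuse_tap", "manufacturer"),
]

def chain_gated(chain, level):
    """Flawed model: one check at the head of the chain unlocks every component."""
    if rank(level) >= rank(chain[0].required_level):
        return {c.name for c in chain}
    return set()

def per_component(chain, level):
    """Intended model: each component checks authorization for itself."""
    return {c.name for c in chain if rank(level) >= rank(c.required_level)}

def find_violations(chain, access_model):
    """Run the access model at every level and compare the result with policy.

    Returns (level, component, kind) tuples: "over-exposed" when a component
    answers below its required level, "blocked" when an authorized level is refused.
    """
    violations = []
    for level in LEVELS:
        reachable = access_model(chain, level)
        for comp in chain:
            allowed = rank(level) >= rank(comp.required_level)
            if comp.name in reachable and not allowed:
                violations.append((level, comp.name, "over-exposed"))
            elif comp.name not in reachable and allowed:
                violations.append((level, comp.name, "blocked"))
    return violations

if __name__ == "__main__":
    for model in (chain_gated, per_component):
        print(model.__name__, find_violations(CHAIN, model))
```

In a lab setup, `access_model` would be replaced by a function that records which components actually respond at each level, so the same comparison runs against the device rather than a model.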
Related Weaknesses |
CWE ID | Description |
CWE-1296 | Incorrect Chaining or Granularity of Debug Components |
|
Related CAPECs |
CAPEC ID | Description |
CAPEC-180 | An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However, configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack. |
|