CWE-1302Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)

PUBLISHEDweakness record
released 2020-08-20 · last modified 2025-12-11

Metadata

CWE ID:
CWE-1302
摘要:
Base
结构:
Simple
状态:
Incomplete
发布日期:
2020-08-20
更新日期:
2025-12-11

名称

Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)

描述

The product implements a security identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. A transaction is sent without a security identifier.

In a System-On-Chip (SoC), various integrated circuits and hardware engines generate transactions such as to access (reads/writes) assets or perform certain actions (e.g., reset, fetch, compute). A typical transaction is comprised of source identity (to identify the originator of the transaction) and a destination identity (to route the transaction to the respective entity) in addition to much more information in the message. Sometimes the transactions are qualified with a Security Identifier. This Security Identifier helps the destination agent decide on the set of allowed or disallowed actions. A weakness that can exist in such transaction schemes is that the source agent does not consistently include the necessary Security Identifier with the transaction. If the Security Identifier is missing, the destination agent might drop the message (resulting in an inadvertent Denial-of-Service (DoS)) or take inappropriate action by default in its attempt to execute the transaction, resulting in privilege escalation or provision of unintended access.

常见后果

范围:
Confidentiality, Integrity, Availability, Access Control
影响:
Modify Memory, Read Memory, DoS: Crash, Exit, or Restart, Bypass Protection Mechanism, Execute Unauthorized Code or Commands

相关 CWE