# Withdrawn Draft

# Warning Notice

The attached draft document has been withdrawn and is provided solely for historical purposes. It has been superseded by the document identified below.

Withdrawal Date: November 13, 2024

Original Release Date: June 13, 2024

The attached draft document is followed by:

Status: Final

Series/Number: NIST IR 8517

Title: Hardware Security Failure Scenarios: Potential Weaknesses in Hardware Design

**Publication Date**: November 2024

**DOI**: <a href="https://doi.org/10.6028/NIST.IR.8517">https://doi.org/10.6028/NIST.IR.8517</a>

CSRC URL: https://csrc.nist.gov/pubs/ir/8517/final


# NIST Internal Report NIST IR 8517 ipd

# **Hardware Security Failure Scenarios**

Potential Weaknesses in Hardware Design

**Initial Public Draft** 

Peter Mell, Computer Security Division, Information Technology Laboratory

Irena Bojanova, Software and Systems Division, Information Technology Laboratory

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8517.ipd

June 2024



U.S. Department of Commerce, Gina M. Raimondo, Secretary

Certain equipment, instruments, software, or materials, commercial or non-commercial, are identified in this paper in order to specify the experimental procedure adequately. Such identification does not imply recommendation or endorsement of any product or service by NIST, nor does it imply that the materials or equipment identified are necessarily the best available for the purpose.

There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST.

Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at <a href="https://csrc.nist.gov/publications">https://csrc.nist.gov/publications</a>.

#### **NIST Technical Series Policies**

- Copyright, Use, and Licensing Statements
- NIST Technical Series Publication Identifier Syntax

#### **Publication History**

Approved by the NIST Editorial Review Board on YYYY-MM-DD [will be added in final publication]

#### **How to Cite this NIST Technical Series Publication**

Mell P, Bojanova I (2024) Hardware Security Failure Scenarios: Potential Weaknesses in Hardware Design. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) NIST IR 8517 ipd. https://doi.org/10.6028/NIST.IR.8517.ipd

#### **Author ORCID iDs**

Peter Mell: 0000-0003-2938-897X

Irena Bojanova: 0000-0002-3198-7026

#### **Contact Information**

nistir8517@nist.gov

National Institute of Standards and Technology, Attn: Computer Security Division, Information Technology Laboratory, 100 Bureau Drive (Mail Stop 8930), Gaithersburg, MD 20899-8930

#### **Public Comment Period**

June 13, 2024 - July 31, 2024

#### **Submit Comments**

nistir8517@nist.gov

National Institute of Standards and Technology, Attn: Computer Security Division, Information Technology Laboratory, 100 Bureau Drive (Mail Stop 8930), Gaithersburg, MD 20899-8930

#### **Additional Information**

Additional information about this publication is available at <a href="https://csrc.nist.gov/pubs/ir/8517/ipd">https://csrc.nist.gov/pubs/ir/8517/ipd</a>, including related content, potential updates, and document history.

All comments are subject to release under the Freedom of Information Act (FOIA).

#### Abstract

Historically, hardware has been assumed to be inherently secure. However, chips are both created with and contain complex software, and software is known to have bugs. Some of these bugs will compromise security. This publication evaluates the types of vulnerabilities that can occur, leveraging existing work on hardware weaknesses. For each type, a security failure scenario is provided that describes **how** the weakness could be exploited, **where** the weakness typically occurs, and **what** kind of damage could be done by an attacker. The 98 failure scenarios provided demonstrate the extensive and broadly distributed possibilities for hardware-related security failures.

#### Keywords

chips; design; failures; hardware; scenarios; security; vulnerability; weakness.

#### Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems.

#### Audience

This report is intended for a broad audience who wants to understand the many ways in which hardware can fail from a security perspective. This includes policymakers interested in information technology (IT) security, IT security officers, operational security staff who must secure deployed hardware, and developers of hardware. It is written for a technically oriented audience, but it does not require specific knowledge of hardware security.

#### **Call for Patent Claims**

This public review includes a call for information on essential patent claims (claims whose use would be required for compliance with the guidance or requirements in this Information Technology Laboratory (ITL) draft publication). Such guidance and/or requirements may be directly stated in this ITL Publication or by reference to another publication. This call also includes disclosure, where known, of the existence of pending U.S. or foreign patent applications relating to this ITL draft publication and of any relevant unexpired U.S. or foreign patents.

ITL may require from the patent holder, or a party authorized to make assurances on its behalf, in written or electronic form, either:

- a) assurance in the form of a general disclaimer to the effect that such party does not hold and does not currently intend holding any essential patent claim(s); or
- b) assurance that a license to such essential patent claim(s) will be made available to applicants desiring to utilize the license for the purpose of complying with the guidance or requirements in this ITL draft publication either:
  - i. under reasonable terms and conditions that are demonstrably free of any unfair discrimination; or
  - ii. without compensation and under reasonable terms and conditions that are demonstrably free of any unfair discrimination.

Such assurance shall indicate that the patent holder (or third party authorized to make assurances on its behalf) will include in any documents transferring ownership of patents subject to the assurance, provisions sufficient to ensure that the commitments in the assurance are binding on the transferee, and that the transferee will similarly include appropriate provisions in the event of future transfers with the goal of binding each successor-in-interest. The assurance shall also indicate that it is intended to be binding on successors-in-interest regardless of whether such provisions are included in the relevant transfer documents.

Such statements should be addressed to: nistir8517@nist.gov.

# **Table of Contents**

- 1. Introduction
- 2. Background
  - 2.1. Weaknesses vs. Vulnerabilities
  - 2.2. Weakness Data Fields
  - 2.3. Weakness Abstractions
  - 2.4. Weakness Views
    - 2.4.1. Hardware Design View
    - 2.4.2. Research Concepts View
    - 2.4.3. Simplified Mapping of Published Vulnerabilities View
- 3. Technical Approach
  - 3.1. Concept of Hardware Security Failure Scenarios
    - 3.1.1. Determining How Weaknesses Occur
    - 3.1.2. Determining Where Weaknesses Occur
    - 3.1.3. Determining What Damage Weaknesses Allow
  - 3.2. Creating Hardware Weakness Subgraphs
- 4. Hardware Security Failure Scenarios
  - 4.1. Improper Access Control
  - 4.2. Improper Adherence to Coding Standards
  - 4.3. Improper Check or Handling of Exceptional Conditions
  - 4.4. Improper Control of a Resource Through its Lifetime
  - 4.5. Incorrect Comparison
  - 4.6. Insufficient Control Flow Management
  - 4.7. Protection Mechanism Failure
- 5. Categories of Hardware Design Weaknesses
  - 5.1. Core and Compute Issues
  - 5.2. Cross-Cutting Problems
  - 5.3. Debug and Test Problems
  - 5.4. General Circuit and Logic Design Concerns
  - 5.5. Integration Issues
  - 5.6. Manufacturing and Life Cycle Management Concerns
  - 5.7. Memory and Storage Issues
  - 5.8. Peripherals, On-chip Fabric, and Interface/IO Problems
  - 5.9. Physical Access Issues and Concerns
  - 5.10. Power, Clock, Thermal, and Reset Concerns
  - 5.11. Privilege Separation and Access Control Issues
  - 5.12. Security Flow Issues
  - 5.13. Security Primitives and Cryptography Issues
- 6. Comparison With Software Weaknesses
- 7. Software Assurance Trends Categories
- 8. Conclusion
- References
- Appendix A. List of Symbols, Abbreviations, and Acronyms
- Appendix B. Analysis of the Complete Hardware Weakness Graph
  - B.1. Hardware Design Category Overlay
  - B.2. Comparison of View-1000 and View-1194 Relationships
- Appendix C. Weakness Hierarchy: Improper Access Control
- Appendix D. Weakness Hierarchy: Improper Adherence to Coding Standards
- Appendix E. Weakness Hierarchy: Improper Check or Handling of Exceptional Conditions
- Appendix F. Weakness Hierarchy: Improper Control of a Resource Through its Lifetime
- Appendix G. Weakness Hierarchy: Incorrect Comparison
- Appendix H. Weakness Hierarchy: Insufficient Control Flow Management
- Appendix I. Weakness Hierarchy: Protection Mechanism Failure

# **List of Figures**

- Fig. 1. Complete HW CWE graph created using View 1000 and View 1194
- Fig. 2. HW CWE subgraph for pillar Improper Access Control (CWE-284)
- Fig. 3. HW CWE subgraph for pillar Improper Adherence to Coding Standards (CWE-710)
- Fig. 4. HW CWE subgraph for pillar Improper Check or Handling of Exceptional Conditions (CWE-703)
- Fig. 5. HW CWE subgraph for pillar Improper Control of a Resource Through its Lifetime (CWE-664)
- Fig. 6. HW CWE subgraph for pillar Incorrect Comparison (CWE-697)
- Fig. 7. HW CWE subgraph for pillar Insufficient Control Flow Management (CWE-691)
- Fig. 8. HW CWE subgraph for pillar Protection Mechanism Failure (CWE-693)
- Fig. 9. HW CWEs under the category Core and Compute Issues (CWE-1201)
- Fig. 10. HW CWEs under the category Cross-Cutting Problems (CWE-1208)
- Fig. 11. HW CWEs under the category Debug and Test Problems (CWE-1207)
- Fig. 12. HW CWEs under the category General Circuit and Logic Design Concerns (CWE-1199)
- Fig. 13. HW CWEs under the category Integration Issues (CWE-1197)
- Fig. 14. HW CWEs under the category Manufacturing and Life Cycle Management Concerns (CWE-1195)
- Fig. 15. HW CWEs under the category Memory and Storage Issues (CWE-1202)
- Fig. 16. HW CWEs under the category Peripherals, On-chip Fabric, and Interface/IO Problems (CWE-1203)
- Fig. 17. HW CWEs under the category Physical Access Issues and Concerns (CWE-1388)
- Fig. 18. HW CWEs under the category Power, Clock, Thermal, and Reset Concerns (CWE-1206)
- Fig. 19. HW CWEs under the category Privilege Separation and Access Control Issues (CWE-1198)
- Fig. 20. HW CWEs under the category Security Flow Issues (CWE-1196)
- Fig. 21. HW CWEs under the category Security Primitives and Cryptography Issues (CWE-1205)
- Fig. 22. HW CWE complete graph with View-1003 pillar and class CWEs that are not in View-1194 highlighted
- Fig. 23. HW CWE complete graph with View-1003 base CWEs that overlap with View-1194 highlighted
- Fig. 24. HW CWE complete graph with memory-related weaknesses highlighted
- Fig. 25. View-699 CWEs that overlap with View-1194 highlighted
- Fig. 26. The 12 CWEs in both View-1194 and View-699
- Fig. 27. HW CWE Category Graph: Improper Access Control

## 1. Introduction

Historically, hardware has been viewed as "an immutable root-of-trust" with no security issues [1]. It has been assumed to be inherently secure. However, chips are created with and contain complex software, and software is known to have bugs. It is not unusual to have 1-25 bugs per 1000 lines of code for delivered software [2], and some of these bugs will have security implications. Further complicating matters, many of these bugs are hard-coded onto silicon, which can make mitigation challenging.

This work describes and categorizes ways in which computer hardware (HW) (i.e., chips) can fail from a security perspective. It does this by enumerating 98 scenarios that represent potential weaknesses in the programming and physical aspects of HW design. The purpose is to highlight the dangers of vulnerabilities potentially being introduced into the HW design process.

The Common Weakness Enumeration (CWE) [8][9] is a list of weaknesses. In this context, a weakness is defined as "a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities" [4]. CWE designators of the form CWE-XXXX are given to each of the 934 listed weaknesses (as of January 26, 2024). Each weakness entry contains complex, multi-page data elements with detailed security information. Since the inception of the CWE, the primary focus has been software weaknesses, while coverage of hardware-specific weaknesses is more recent. All CWEs can be viewed by using the 'ID Lookup' search box on the CWE webpage [9].

As of April 29, 2024, the HW CWE Special Interest Group (HW CWE SIG) [5] has curated a list of 108 HW CWEs focused on HW design issues. The list includes a few CWEs that were created for software weaknesses but that are also relevant to HW weaknesses. These 'software' CWEs have been expanded to include HW-specific details and examples. However, the majority of the CWEs on the list are HW-specific and do not apply to the software domain. This indicates that HW security is fundamentally different from software security, despite the fact that both are created with and contain code. This publication demonstrates the uniqueness of HW security and the very different challenges it presents compared to software security. At the same time, HW can contain weaknesses commonly found in software, and an HW weakness may be linked in a chain of weaknesses that includes software weaknesses.

The HW security failure scenarios in this publication are based on the HW CWEs. For the purposes of this publication, an HW security failure scenario briefly describes how an attacker can cause a particular type of damage and where the exploit typically occurs. Focusing on weaknesses enables one to look at the set of potential dangers, inclusive of and beyond the set of publicly published vulnerabilities. While reasonably comprehensive, the failure scenarios are not intended to provide exhaustive coverage. Their purpose is to highlight the significant danger presented by each HW weakness.

## 2. Background

This section provides the background for understanding the technical approach and categorization system used in creating and organizing the HW security failure scenarios. Readers interested in simply perusing the failure scenarios without understanding how they were derived or organized should go directly to Sec. 4.

#### 2.1. Weaknesses vs. Vulnerabilities

A weakness can also be defined as a bug or fault type that can be exploited through an operation that results in a security-relevant error [3]. The word 'type' is critical as it conveys that a weakness is a concept that can be instantiated in software or hardware; a weakness is not specific to a particular program or chip. A vulnerability, however, is tied to a specific piece of code or a specific chip. A vulnerability is an instantiation of a weakness. Complicating matters, some vulnerabilities arise only in the context of a chain of weaknesses [3].

Vulnerabilities are enumerated in the Common Vulnerabilities and Exposures (CVE) list [6]. The National Vulnerability Database contains details on each CVE [7]. There are over 25,000 CVEs published annually, with the rate usually growing each year. As of February 22, 2024, only 131 of all published CVEs are HW CVEs.

#### 2.2. Weakness Data Fields

Every weakness in the CWE is described by a set of elements. The following are the CWE data fields leveraged in the creation of the HW failure scenarios:

1. **Description/Extended Description**: Detailed explanation of the fault type
2. **Relationships/Memberships**: Taxonomic information to organize weaknesses into hierarchies and categories
3. **Modes of Introduction**: Descriptions of the life cycle phase where the CWE can be introduced
4. **Applicable Platforms**: Involved languages and technologies
5. **Common Consequences**: Affected security attributes along with likelihoods (e.g., confidentiality, integrity, availability, access control, authentication, and authorization)
6. **Demonstrative Examples**: Hypothetical examples of the weakness
7. **Observed Examples**: Actual observed examples of the weakness, usually with CVE references
8. **Potential Mitigations**: Protection methods

#### **2.3. Weakness Abstractions**

The CWE weakness model is composed of four layers of abstraction: pillar (P), class (C), base (B), and variant (V)<sup>1</sup>. The abstraction reflects the extent to which issues are being described in terms of five dimensions: behavior, property, technology, language, and resource. Variant weaknesses are at the most specific level of abstraction and describe at least three dimensions. Base weaknesses are more abstract than variants and more specific than classes; they describe two to three dimensions. Class weaknesses are very abstract and not typically specific about any language or technology; they describe one to two dimensions. Pillar weaknesses are at the highest level of abstraction. In this work, pillars and classes are used to organize the HW security failure scenarios.

#### 2.4. Weakness Views

CWE designators of the form CWE-XXXX are given to weaknesses, views, and categories. A view provides a hierarchical organization of CWEs from a particular perspective (e.g., software development, research, and hardware design). A category is a simpler construct that groups a set of CWEs that have some similarity. Views may contain categories within their hierarchy.

As of February 9, 2024, the CWE contains 49 views and 374 categories. There are three views pertinent to this work: the Hardware Design view (CWE-1194), the Research Concepts view (CWE-1000), and the Weaknesses for Simplified Mapping of Published Vulnerabilities view (CWE-1003).

#### **2.4.1. Hardware Design View**

The Hardware Design view (CWE-1194) organizes the 108 HW weakness CWEs using 13 categories. This view is a three-level hierarchy with CWE-1194 as its root, the 13 categories<sup>2</sup> as children of the root, and a tree of HW weakness CWEs under each category. HW weaknesses may occur under multiple categories, although most do not.

The 13 categories of HW design weaknesses are:

1. Core and Compute Issues (CWE-1201)
2. Cross-Cutting Problems (CWE-1208)
3. Debug and Test Problems (CWE-1207)
4. General Circuit and Logic Design Concerns (CWE-1199)
5. Integration Issues (CWE-1197)
6. Manufacturing and Life Cycle Management Concerns (CWE-1195)
7. Memory and Storage Issues (CWE-1202)
8. Peripherals, On-chip Fabric, and Interface/IO Problems (CWE-1203)
9. Physical Access Issues and Concerns (CWE-1388)
10. Power, Clock, Thermal, and Reset Concerns (CWE-1206)
11. Privilege Separation and Access Control Issues (CWE-1198)
12. Security Flow Issues (CWE-1196)
13. Security Primitives and Cryptography Issues (CWE-1205)

<sup>1</sup> A compound element (linking together weaknesses) associates two or more interacting or co-occurring CWEs. None of the HW CWEs are of the compound abstraction.

<sup>2</sup> Section 5 provides details on the 13 categories.

#### **2.4.2. Research Concepts View**

The Research Concepts view (CWE-1000) organizes all weakness CWEs by the method through which an exploitation can occur. It is a directed acyclic graph with a single source node, CWE-1000. In this hierarchy, some CWEs have multiple parents, and all of them have CWE-1000 as their oldest ancestor. These properties allow a CWE (even one with only one parent) to be reachable through multiple paths from the root, because one of its ancestors may itself have multiple parents.

The children of CWE-1000 are 10 pillars that organize the weakness CWEs. The pillars marked with \* contain HW CWEs. However, none of these pillars is hardware-specific; each also covers many software security weaknesses.

1. Improper Access Control (CWE-284) \*
2. Improper Adherence to Coding Standards (CWE-710) \*
3. Improper Check or Handling of Exceptional Conditions (CWE-703) \*
4. Improper Control of a Resource Through its Lifetime (CWE-664) \*
5. Improper Interaction Between Multiple Correctly-Behaving Entities (CWE-435)
6. Improper Neutralization (CWE-707)
7. Incorrect Calculation (CWE-682)
8. Incorrect Comparison (CWE-697) \*
9. Insufficient Control Flow Management (CWE-691) \*
10. Protection Mechanism Failure (CWE-693) \*

#### **2.4.3. Simplified Mapping of Published Vulnerabilities View**

The Weaknesses for Simplified Mapping of Published Vulnerabilities view (CWE-1003) organizes the weaknesses that are most commonly seen in software CVEs to assist organizations that deal with such data (e.g., vulnerability databases and security tool vendors).

It is a three-level tree with CWE-1003 as its root (i.e., there is only one path to each CWE, and all CWEs have exactly one parent). It has no categories and organizes the CWEs by pillars and classes. The children of the root are 35 classes and two pillars. It contains a total of 130 weaknesses, and only three of these weaknesses are also HW CWEs (CWE-203, CWE-276, and CWE-319).

## **3. Technical Approach**

This section describes the concept of a hardware security failure scenario and the approach to creating weakness graphs to organize them.

#### 3.1. Concept of Hardware Security Failure Scenarios

For the purposes of this work, a hardware security failure scenario describes a malicious entity (e.g., a human attacker or automated malware) leveraging a weakness to violate security policy. Each failure scenario has three aspects: how the weakness could be exploited, where the weakness typically occurs, and what kind of damage could be done.

While reasonably comprehensive, the failure scenarios are not intended to provide exhaustive coverage. Their purpose is to highlight the dangers presented by each HW weakness.

#### 3.1.1. Determining How Weaknesses Occur

The 'Extended Description' and 'Modes of Introduction' sections of each CWE entry provide information on how an HW CWE can occur. The CWE Research Concepts view (CWE-1000) organizes HW CWEs by abstractions of behavior. The path of nodes from the Research Concepts view root to the HW CWE under analysis describes how a weakness can occur with increasing granularity as the path is traversed. Some HW CWEs have multiple paths; these typically describe simultaneously occurring behaviors and provide a more complete picture of how those CWEs occur.

#### 3.1.2. Determining Where Weaknesses Occur

The Hardware Design view (CWE-1194) organizes the HW CWEs into 13 categories. They generally describe where an HW CWE can occur, potentially from different points of view (e.g., physically on the chip, in security operations, and in the life cycle). Section 5 describes each of these categories and the CWE classes associated with them. The 'Extended Description' of each CWE is usually helpful in determining the "where."

#### 3.1.3. Determining What Damage Weaknesses Allow

The CWE entry 'Common Consequences' section provides a high-level list of the security areas affected (e.g., access control, confidentiality, integrity, and availability) and the technical impacts (e.g., read data, modify data, bypass access control). The 'Observed Examples' section provides more granular and concrete damage explanations that are often useful for creating failure scenarios. The 'Extended Description' section often discusses potential damage.

#### 3.2. Creating Hardware Weakness Subgraphs

The failure scenarios are organized by their associated HW CWEs. The HW CWEs are primarily organized by the Research Concepts view (CWE-1000) and then secondarily by the Hardware Design view (CWE-1194). This approach provides directed graphs that hierarchically show **how** HW CWEs occur at increasing levels of granularity as the graph is traversed, with additional information added about **where** the weaknesses can occur.

Figure 1 shows the complete HW CWE graph, all of the HW CWEs, and the non-HW CWEs necessary to connect them together.



Fig. 1. Complete HW CWE graph created using View 1000 and View 1194

The HW CWE graph contains a root node for each of the seven Research Concepts view (CWE-1000) pillars that contain HW CWEs. It shows the Hardware Design view (CWE-1194) categories to which each CWE belongs and the view from which each relationship was defined. It also shows the abstraction of each CWE: pillar, class, base, or variant.

Section 4 shows the subgraphs of the CWEs reachable from each respective HW-associated pillar. Appendix B provides an analysis and statistics for Fig. 1 and describes the algorithm used for the construction of the graphs. Appendix C through Appendix I provide an alternative textual view of the pillar subtrees using a strict hierarchical tree layout. This latter approach is convenient for a quick perusal of the HW CWEs but cannot capture the complex relationships that only become apparent from the complete graph view.

The HW CWE graphs in this publication primarily use arrows to show the relationships between the CWEs and colors to quickly provide additional information about each CWE (e.g., the HW category it belongs to and the abstraction). For readers with difficulties discerning the colors, this same information is available for each CWE on the associated CWE web page, which can be accessed using the format https://cwe.mitre.org/data/definitions/XXX.html, where XXX is replaced with the CWE number.
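The following Python is an added worked example, not code from the report or from the CWE project. It builds the two structures that Sec. 3.1.1 and Sec. 3.2 describe from a small catalog fragment: View-1000 ChildOf edges form the "how" hierarchy, View-1194 Has_Member rows mark which CWEs are HW CWEs and give their "where" category, `pillar_subgraph()` keeps exactly the HW CWEs plus the non-HW CWEs needed to connect them to the pillar (the Fig. 1 construction, with a sibling that has no HW descendants pruned away), and `root_paths()` enumerates every root-to-CWE path, which is how a multi-parent CWE yields more than one "how" narrative. The element and attribute names are an assumption about the shape of the official CWE XML export; the fragment itself is constructed for this example, and the relationship marked "constructed" is not a transcription of the CWE corpus.

```python
"""Per-pillar HW CWE subgraphs and root-to-CWE paths (Sec. 3.1.1 and 3.2).

Assumptions, not from the report: element and attribute names follow the shape
of the CWE XML export (Weakness/Related_Weakness with View_ID, Category/Has_Member).
The fragment below is constructed for this example; the edge marked "constructed"
is not a transcription of the CWE corpus.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_XML = """<Weakness_Catalog xmlns="http://cwe.mitre.org/cwe-7"><Weaknesses>
<Weakness ID="284" Name="Improper Access Control" Abstraction="Pillar"/>
<Weakness ID="285" Name="Improper Authorization" Abstraction="Class"><Related_Weaknesses>
<Related_Weakness Nature="ChildOf" CWE_ID="284" View_ID="1000"/></Related_Weaknesses></Weakness>
<Weakness ID="287" Name="Improper Authentication" Abstraction="Class"><Related_Weaknesses>
<Related_Weakness Nature="ChildOf" CWE_ID="284" View_ID="1000"/></Related_Weaknesses></Weakness>
<Weakness ID="732" Name="Incorrect Permission Assignment for Critical Resource" Abstraction="Class"><Related_Weaknesses>
<Related_Weakness Nature="ChildOf" CWE_ID="285" View_ID="1000"/></Related_Weaknesses></Weakness>
<Weakness ID="276" Name="Incorrect Default Permissions" Abstraction="Base"><Related_Weaknesses>
<Related_Weakness Nature="ChildOf" CWE_ID="732" View_ID="1000"/></Related_Weaknesses></Weakness>
<Weakness ID="1191" Name="On-Chip Debug and Test Interface With Improper Access Control" Abstraction="Base"><Related_Weaknesses>
<Related_Weakness Nature="ChildOf" CWE_ID="284" View_ID="1000"/></Related_Weaknesses></Weakness>
<Weakness ID="1220" Name="Insufficient Granularity of Access Control" Abstraction="Base"><Related_Weaknesses>
<Related_Weakness Nature="ChildOf" CWE_ID="284" View_ID="1000"/>
<!-- constructed second parent: gives CWE-1220 two root-to-node paths -->
<Related_Weakness Nature="ChildOf" CWE_ID="732" View_ID="1000"/></Related_Weaknesses></Weakness>
</Weaknesses><Categories>
<Category ID="1207" Name="Debug and Test Problems"><Relationships>
<Has_Member CWE_ID="1191" View_ID="1194"/></Relationships></Category>
<Category ID="1198" Name="Privilege Separation and Access Control Issues"><Relationships>
<Has_Member CWE_ID="1220" View_ID="1194"/><Has_Member CWE_ID="276" View_ID="1194"/>
</Relationships></Category></Categories></Weakness_Catalog>"""


def _local(tag):
    """Drop the XML namespace so the parser works with or without the xmlns."""
    return tag.rsplit("}", 1)[-1]


def parse_catalog(xml_text):
    """Return (info, parents, children, hw_category).
    parents/children: View-1000 ChildOf edges only (the 'how' hierarchy).
    hw_category: CWE -> set of View-1194 categories (the 'where'); its keys are the HW CWEs."""
    root = ET.fromstring(xml_text)
    info, parents, hw_category = {}, defaultdict(set), defaultdict(set)
    for el in root.iter():
        if _local(el.tag) == "Weakness":
            wid = int(el.get("ID"))
            info[wid] = (el.get("Name"), el.get("Abstraction"))
            for rel in el.iter():
                if (_local(rel.tag) == "Related_Weakness" and rel.get("Nature") == "ChildOf"
                        and rel.get("View_ID") == "1000"):
                    parents[wid].add(int(rel.get("CWE_ID")))
        elif _local(el.tag) == "Category":
            for mem in el.iter():
                if _local(mem.tag) == "Has_Member" and mem.get("View_ID") == "1194":
                    hw_category[int(mem.get("CWE_ID"))].add(int(el.get("ID")))
    children = defaultdict(set)
    for child, ps in parents.items():
        for p in ps:
            children[p].add(child)
    return info, dict(parents), dict(children), dict(hw_category)


def pillar_subgraph(pillar, children, hw_cwes):
    """Nodes lying on some path from `pillar` to an HW CWE (the HW CWEs plus the
    non-HW CWEs needed to connect them, as in Fig. 1) and the View-1000 edges among
    them. A branch with no HW descendant is dropped. Relies on View-1000 being acyclic."""
    leads_to_hw = {}

    def visit(node):
        if node not in leads_to_hw:
            hit = node in hw_cwes
            for child in children.get(node, ()):
                hit = visit(child) or hit      # visit every child; no short-circuit
            leads_to_hw[node] = hit
        return leads_to_hw[node]

    visit(pillar)
    nodes = {n for n, ok in leads_to_hw.items() if ok}
    edges = {(p, c) for p in nodes for c in children.get(p, ()) if c in nodes}
    return nodes, edges


def root_paths(target, pillar, parents):
    """Every path pillar -> ... -> target. Each path reads as one 'how' narrative at
    increasing granularity, so a CWE with several parents yields several narratives."""
    if target == pillar:
        return [[pillar]]
    return [path + [target] for parent in sorted(parents.get(target, ()))
            for path in root_paths(parent, pillar, parents)]


if __name__ == "__main__":
    info, parents, children, hw_category = parse_catalog(SAMPLE_XML)
    nodes, edges = pillar_subgraph(284, children, set(hw_category))
    print(f"pillar CWE-284 subgraph: {len(nodes)} nodes, {len(edges)} edges")
    for cwe in sorted(hw_category):
        for path in root_paths(cwe, 284, parents):
            print(" -> ".join(f"CWE-{n} [{info[n][1]}]" for n in path), "in", sorted(hw_category[cwe]))
```

To run this against the real data, read the CWE XML download into `xml_text` in place of `SAMPLE_XML`; a CWE whose parents sit under two pillars will then appear in both pillar subgraphs, which is the overlap Sec. 4 resolves by placing each scenario under the pillar with the strongest linkage.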

## 4. Hardware Security Failure Scenarios

The HW security failure scenarios were created by reviewing the full CWE entries, extracting the three failure scenario aspects (the 'how', 'when', and 'what' from Sec. 3.1), and then writing a short summary of those aspects.

This section contains an enumeration of 98 HW security failure scenarios distributed among the CWE pillars as follows:

1. Improper Access Control (CWE-284, 43 scenarios)
2. Improper Adherence to Coding Standards (<u>CWE-710</u>, 14 scenarios)
3. Improper Check or Handling of Exceptional Conditions (<u>CWE-703</u>, five scenarios)
4. Improper Control of a Resource Through its Lifetime (CWE-664, 40 scenarios)
5. Incorrect Comparison (CWE-697, one scenario)
6. Insufficient Control Flow Management (<u>CWE-691</u>, 11 scenarios)
7. Protection Mechanism Failure (<u>CWE-693</u>, 15 scenarios)

The presence of a failure scenario in a product indicates the presence of the associated weakness and an issue with one of the above pillars.

A small number of HW CWEs fall under multiple pillars. For these CWEs, the associated security failure scenario is located in the section for the pillar that qualitatively has the strongest linkage to the CWE. The full CWE Research Concepts view graph in Appendix B shows which HW CWEs are shared under which pillars.

The HW CWEs are grouped by the classes underlying the pillar. The CWE Research Concepts view often provides finer grained delineations (e.g., organizing bases and variants under other bases or providing subclasses under classes). For clarity of reading, this additional information is provided in the associated figures for each subsection with directed subgraphs of the HW CWEs under each pillar.

### 4.1. Improper Access Control

The CWE Improper Access Control (CWE-284) applies when a "product does not restrict or incorrectly restricts access to a resource from an unauthorized actor." Access control involves the use of protection mechanisms, such as:

- Authentication (i.e., proving the identity of an actor)
- Authorization (i.e., ensuring that a given actor can access a resource)
- Accountability (i.e., tracking activities that were performed)

The HW CWEs under this pillar occur within the following pillar/class hierarchy. The CWEs marked with \* are HW CWEs.

CWE-284 P Improper Access Control
- CWE-1263 C Improper Physical Access Control \*
- CWE-1294 C Insecure Security Identifier Mechanism \*
- <u>CWE-285</u> C Improper Authorization

Figure 2 shows the directed graph of HW CWEs under this pillar with their parent-child relationships.



Fig. 2. HW CWE subgraph for pillar Improper Access Control (CWE-284)

The HW class Improper Physical Access Control (<u>CWE-1263</u>) has one HW CWE child (<u>CWE-1243</u>). The security failure scenario is:

- 1. A malicious human can leverage physical access to obtain restricted information because the physical security features are insufficient [CWE-1263].
  - a. During debug operations, an untrusted agent can read security-sensitive device information (e.g., encryption keys and manufacturing data) that is permanently stored in fuses but loaded into protected registers due to code that does not take the debug mode into account [CWE-1243].

The HW class Insecure Security Identifier Mechanism (<u>CWE-1294</u>) has five HW CWE children. The security failure scenarios are:

- 1. A malicious agent can initiate an unauthorized transaction (e.g., read, write, program, reset, fetch, compute) by taking advantage of incorrectly implemented security identifiers that define the privilege level of the agent in a system-on-a-chip (SoC) [CWE-1294].
  - a. A malicious agent on an SoC may assign itself inappropriate security tokens to give itself additional privileges (e.g., read, write, fetch, program, compute, reset) because the security tokens are improperly protected [CWE-1259].
  - b. A malicious agent can gain inappropriate privileges over assets due to an incorrect assignment of security tokens to agents. A single token may be assigned to multiple agents, or multiple tokens may be assigned to a single agent [CWE-1270].
  - c. A malicious agent can gain unauthorized access to an asset by taking advantage of the incorrect decoding of security identifier information in bus-transaction signals [CWE-1290].
  - d. An agent can gain unauthorized access to an asset by taking advantage of a bridge incorrectly performing a protocol conversion between agents that use different bus protocols [CWE-1292].
  - e. A security identifier is not included with an agent-to-agent transaction. This can result in a denial of service (DoS) for the agent's requests or the ability of a malicious agent to enact unauthorized actions due to inappropriate handling of the missing identifier by the destination agent [CWE-1302].

The non-HW class Improper Authorization (CWE-285) has five security failure scenarios:

- 1. Malicious software can take advantage of software-controllable device functionality (e.g., power control, clock management, and memory access) to modify registers/memory or to perform side-channel attacks without the need for physical access to the chip [CWE-1256].
- 2. A malicious actor at an outsourced semiconductor assembly and test (OSAT) facility can take advantage of logic errors in debug interconnections to obtain improper access to sensitive information for chips in the more vulnerable pre-production stage [CWE-1297].
- 3. An attacker can modify the hardware-stored firmware version number used in the secure or verified boot process. The attacker can then execute older vulnerable versions of firmware with plans to exploit known vulnerabilities and possibly prevent upgrades [CWE-1328].
- 4. Malicious software can change non-write-protected parametric data values, thus changing the unit conversion/scaling for sensor reporting (e.g., thermal, power, voltage, current, and frequency). This can cause hardware to operate outside of design limits even though the limit values themselves have not been modified [CWE-1314].
- 5. A human can use a physical debug or test interface to obtain sensitive information from an asset due to an incorrect debug access level assignment [CWE-1244].
There are 27 non-class HW CWEs that are direct children of pillar Improper Access Control (CWE-284). The security failure scenarios are:

- 1. An attacker with physical access to a chip can leverage a lack of or faults in debug/test interface access control to read and set registers (e.g., via a scan chain using a Joint Test Action Group [JTAG] interface) and bypass normal on-chip protections [CWE-1191].
- 2. Malicious code on a device may leverage a lack of granularity in hardware access control to read or modify assets (e.g., device configuration and keys) by taking advantage of unintended privileges [CWE-1220].
- 3. New functionality may not be implementable because a programmable lock bit set during the boot process prevents an unnecessarily large address region from being written [CWE-1222].
- 4. Malicious code can take advantage of an improper implementation of write-once register bits to reprogram system settings (e.g., boot time configuration) [CWE-1224].
- 5. Attackers may unlock a secured system by leveraging design or code errors to modify trusted lock bits that should have their values immutable after the initial set, thereby enabling writes to protected registers or address regions [CWE-1231].
- 6. Attackers can gain full read-write access to a device by accessing undocumented features (typically put there to allow for easy developer testing) that circumvent security controls. These are often implemented as "chicken bits," undocumented bits that disable security features [CWE-1242].
- 7. Attackers can write malicious code to memory and then execute it because the central processing unit (CPU) does not support a bit that defines read-only and write-only regions of memory. This can also happen if the CPU relies on an improperly configured memory protection unit (MPU) and memory management unit (MMU) for read and write exclusivity [CWE-1252].
- 8. Attackers can access protected memory regions and perform both reads and writes by using memory alias addresses (i.e., redundant addresses that point to the same memory region) or mirrored memory regions that do not have the same protections. An attacker could possibly create memory address aliases to perform such an attack [CWE-1257].
- 9. Lower privilege software can write to memory regions for higher privileged software due to overlapping memory regions, thus enabling malicious software to perform privilege escalation or a DoS attack [CWE-1260].
- 10. Malicious software can access registers that provide hardware functionality interfaces due to an access control fault, allowing confidentiality and integrity violations [<u>CWE-1262</u>].
- 11. A malicious agent on an SoC may gain inappropriate or even full access to another agent when sending a bus transaction because the policy encoder mapping bus transactions to security tokens uses an obsolete encoding [CWE-1267].
- 12. A malicious agent can take advantage of improperly granted hardware control policy privileges to grant themselves read or write privileges over a protected resource (e.g., register-stored encryption keys) [CWE-1268].
- 13. An attacker can change or replace boot loader code by leveraging inadequate access control for the volatile memory (VM) in which the code is copied. This code is copied from non-volatile memory (NVM) to VM and then authenticated by the SoC read-only memory (ROM) code, but it is vulnerable to change after this occurs [CWE-1274].
- 14. Hardware intellectual property (IP), an independently developed component, may be improperly connected to its parent and result in security risks due to incorrectly connected signaling. Functionality may be maintained but security weakened, enabling unauthorized access by external agents [CWE-1276].
- 15. Malicious code can modify the registers containing the attestation data that measures the boot code (i.e., secure hashes of the boot code), thereby enabling altered boot code to be executed without being detected [CWE-1283].
- 16. A human can obtain unauthorized access permissions through a test access port (TAP) or similar design element by leveraging logic errors that misconfigure the interconnections of debug components [CWE-1296].
- 17. When a product is powering down, an attacker can modify the configuration state being saved to persistent storage to alter the security or safety configuration upon restart (e.g., modify privileges, disable protections, or damage hardware) [CWE-1304].
- 18. Malicious software can bypass access controls by leveraging a bridge between IP blocks that use different fabric protocols (i.e., interconnecting components) that is incorrectly translating security attributes from one protocol to another [CWE-1311].
- 19. An attacker can bypass a firewall in an on-chip fabric by writing to an unprotected mirrored memory region that then propagates the changes to the original data [CWE-1312].
- 20. An attacker can leverage a hardware feature that allows for the activation of test or debug logic at runtime, thus enabling unauthorized reads and modifications to system data and bus messages [CWE-1313].
- 21. A malicious IP responder in a fabric may initiate control transactions to other devices through an incorrectly set register bit that allows an IP block to access other peripherals [CWE-1315].
- 22. Protected and unprotected memory regions for an on-chip fabric may have overlapping mappings (either accidentally or intentionally and maliciously) that enable an attacker to send a transaction that modifies protected memory [CWE-1316].
- 23. An attacker can gain unauthorized access to an IP block by leveraging a lack of access control checks by a fabric bridge that is translating transactions between two different protocols [CWE-1317].
- 24. A malicious agent can cause hardware to operate outside of its design limits (potentially causing physical damage) by disabling sensor alerts or can initiate a DoS attack by generating alerts. The attacker may also disrupt the response mechanism that receives the alerts [CWE-1320].
- 25. An attacker can read security-sensitive traces (i.e., log data of IP blocks) from trace aggregation IP blocks that either store this data in unprotected memory or allow transport to unprivileged users (e.g., via a debug-trace port). These traces can include instructions executed from a CPU, transaction types and destinations from a fabric, and cryptographic keys from cryptographic coprocessors [CWE-1323].
- 26. An attacker can make unauthorized use of hardware error injection capabilities (normally used for testing) to disrupt redundant IP blocks, thereby degrading redundancy or forcing the IP component into a degraded operational mode [CWE-1334].
- 27. An attacker can bypass access control-protected assets by using unprotected alternate paths (e.g., shadow registers and external interfaces) [CWE-1299].

### 4.2. Improper Adherence to Coding Standards

The CWE Improper Adherence to Coding Standards (CWE-710) applies when a "product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities."

The HW CWEs under this pillar occur within the following pillar/class hierarchy. The CWEs marked with \* are HW CWEs.

CWE-710 P Improper Adherence to Coding Standards
- <u>CWE-573</u> C Improper Following of Specification by Caller
- <u>CWE-684</u> C Incorrect Provision of Specified Functionality
- CWE-1059 C Insufficient Technical Documentation \*
- CWE-1357 C Reliance on Insufficiently Trustworthy Component \*
- <u>CWE-657</u> C Violation of Secure Design Principles

Figure 3 shows the directed graph of HW CWEs under this pillar with their parent-child relationships.

Fig. 3. HW CWE subgraph for pillar Improper Adherence to Coding Standards (CWE-710)

Under the non-HW class Improper Following of Specification by Caller (<u>CWE-573</u>), there is one security failure scenario:

1. An attacker can decipher cryptographic output because the cryptographic algorithm used by the IP block does not implement a required step [CWE-325].

Under the non-HW class Incorrect Provision of Specified Functionality (<u>CWE-684</u>), there are two security failure scenarios:

- 1. An attacker can compromise security due to an IP block that fails to perform according to its specification [CWE-440].
- 2. Attackers can cause a DoS or possibly gain privileges by providing input to a finite state machine (FSM) that drives it in an undefined state (the FSM code does not cover all possible state transitions) [CWE-1245].

No security failure scenarios were written for HW class Insufficient Technical Documentation (CWE-1059) because it is too general to do so.

The HW class Reliance on Insufficiently Trustworthy Component (<u>CWE-1357</u>) has two security failure scenarios:

- 1. Attackers can compromise an SoC because it relies on the composition of IP blocks, one of which is untrustworthy [CWE-1357].
- 2. Attackers can compromise an SoC because it contains a vulnerable component that cannot be updated (e.g., firmware or ROM used in secure booting) [CWE-1329] [CWE-1277] [CWE-1310].

Under the non-HW class Violation of Secure Design Principles (<u>CWE-657</u>), there are three security failure scenarios:

- 1. An attacker can gain unauthorized access to IP blocks if the secure operation of an SoC is not achieved because the IP blocks are not securely and uniquely identified (e.g., missing, ignored, or insufficient identifiers) [CWE-1192].
- 2. A malicious agent can access sensitive assets because multiplexed resources (e.g., pins that are used by both trusted and untrusted agents but not at the same time) do not properly isolate accessible assets (e.g., between trusted and untrusted agents) [CWE-1189].
- 3. An attacker can use timing channels to infer sensitive data when a network-on-chip (NoC) does not provide proper isolation on the fabric and other resources between trusted and untrusted agents [CWE-1331].

One non-class HW CWE is a direct child of pillar Improper Adherence to Coding Standards (CWE-710). It has one security failure scenario:

- 1. An attacker can compromise a hardware state by writing to reserved bits (i.e., unused bits reserved for future functionality) that were covertly activated by developers for debugging or undocumented capabilities [CWE-1209].

### 4.3. Improper Check or Handling of Exceptional Conditions

The CWE Improper Check or Handling of Exceptional Conditions (<u>CWE-703</u>) applies when a "product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product."

The HW CWEs under this pillar occur within the following pillar/class hierarchy. The CWEs marked with \* are HW CWEs.

CWE-703 P Improper Check or Handling of Exceptional Conditions
- CWE-1384 C Improper Handling of Physical or Environmental Conditions \*

Figure 4 shows the digraph of hardware CWEs under this pillar with their parent-child relationships.




Fig. 4. HW CWE subgraph for pillar Improper Check or Handling of Exceptional Conditions (CWE-703)

The HW class Improper Handling of Physical or Environmental Conditions (<u>CWE-1384</u>) has five security failure scenarios:

- 1. An attacker can leverage natural or maliciously created design-limit-exceeding physical or environmental conditions (e.g., atmospheric, electromagnetic interference, lasers, power variance, overclocking, component aging, cosmic radiation) to compromise the secure operations of a chip [CWE-1384].
  - a. An attacker can compromise security functionality (e.g., secure boot) by introducing voltage and clock glitches (this can also happen naturally) [<u>CWE-1247</u>].
  - b. An attacker can leverage the degradation of secure operations on a chip or a DoS due to single-event upsets (SEUs) (i.e., random bit flip errors) [CWE-1261].
  - c. An attacker can bypass security-critical code by using fault injection techniques to skip security-critical instructions [CWE-1332].
  - d. An attacker can cool hardware below the minimum design operating temperature to vary hardware behavior to compromise deployed security (e.g., power cycling not clearing volatile memory) [CWE-1351].

### 4.4. Improper Control of a Resource Through its Lifetime

The CWE Improper Control of a Resource Through its Lifetime (CWE-664) applies when a "product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release."

The HW CWEs under this pillar occur within the following pillar/class hierarchy. No child class of the pillar is itself an HW CWE.

CWE-664 P Improper Control of a Resource Through its Lifetime
- <u>CWE-400</u> C Uncontrolled Resource Consumption
- <u>CWE-404</u> C Improper Resource Shutdown or Release
- <u>CWE-610</u> C Externally Controlled Reference to a Resource in Another Sphere
- <u>CWE-662</u> C Improper Synchronization
- <u>CWE-665</u> C Improper Initialization
- <u>CWE-668</u> C Exposure of Resource to Wrong Sphere
- <u>CWE-669</u> C Incorrect Resource Transfer Between Spheres

Figure 5 shows the digraph of hardware CWEs under this pillar with their parent-child relationships.



Fig. 5. HW CWE subgraph for pillar Improper Control of a Resource Through its Lifetime (CWE-664)

Under the non-HW class Uncontrolled Resource Consumption (<u>CWE-400</u>), there is one security failure scenario:

1. An attacker can cause a premature failure of NVM by taking advantage of non-implemented or incorrectly implemented wear leveling operations (e.g., by repeated writing) [CWE-1246].

Under the non-HW class Improper Resource Shutdown or Release (<u>CWE-404</u>), there is one security failure scenario:

1. An attacker can retrieve sensitive information from decommissioned hardware that was not scrubbed of sensitive information [CWE-1266].

Under the non-HW class Externally Controlled Reference to a Resource in Another Sphere (CWE-610), there is one security failure scenario:

1. An attacker can violate access control by sending a message to a hardware component via an intermediary, whereby the message is interpreted by the recipient as having the privileges of the intermediary (not the original unprivileged sender) [CWE-441].

Under the non-HW class Improper Synchronization (<u>CWE-662</u>), there are four security failure scenarios:

1. An attacker can change system configuration information stored in lock-protected registers after a power state transition that causes improper lock behavior (e.g., making the lock programmable, clearing the lock, or resetting protected registers) [CWE-1232].
2. An attacker can violate access controls by directly changing system configurations protected by a register lock bit since the one-way lock that was properly set after system startup does not prevent the changes [CWE-1233].
3. An attacker can modify security-sensitive configuration information by using a debug mode to remove lock bit protections [CWE-1234].
4. An attacker can obtain access to sensitive data that is transmitted before security approval by taking advantage of errors in the separate control and data channels in hardware bus protocols [CWE-1264].

Under the non-HW class Improper Initialization (<u>CWE-665</u>), there are three security failure scenarios:

1. An attacker can read cryptographic output by taking advantage of weakened or broken cryptography that resulted from encrypting before the cryptographic support units (e.g., an external random number generator) were ready [CWE-1279].
2. An attacker can compromise system security if register or IP parameter defaults (initialized at hardware reset) are incorrectly hard-coded with insecure values in the hardware description language code [CWE-1221].
3. An attacker can violate system security by taking advantage of an uninitialized security-critical register (e.g., before register initialization during system startup) [CWE-1271].

Under the non-HW class Exposure of Resource to Wrong Sphere (<u>CWE-668</u>), there are seven security failure scenarios:

1. An attacker can violate system security by changing security-sensitive and assumed-immutable data (e.g., golden digests) that are insecurely stored in writable memory instead of immutable memory (e.g., ROM, fuses, or one-time programmable memory [OTP]) [CWE-1282].
2. An attacker can unlock hardware (e.g., to enter debug mode) using leaked or stolen credentials that were often necessarily shared among multiple entities (e.g., for hardware products not created by a single company, via vertical integration) [CWE-1273].
3. An attacker can obtain sensitive information from debug messages that unnecessarily reveal security details, often reducing security by obscurity (e.g., location of password hashes) [CWE-1295].
4. An attacker can obtain security-relevant state information by observing different behaviors that are indicative of the hardware state (e.g., in timing, responses, and control flow) [CWE-203].
5. An attacker can obtain security-sensitive information by leveraging physical access to the hardware to measure phenomena (e.g., physical side channels, such as real-time power consumption) [CWE-1300] [CWE-1255].
6. An attacker can obtain sensitive data by evaluating and probing shared microarchitectural resources in contexts that should be isolated (e.g., caches and branch prediction logic) [CWE-1303].
7. Malicious software can take advantage of incorrectly assigned default permissions to obtain unauthorized access [CWE-276].

Under both the non-HW classes Exposure of Resource to Wrong Sphere (<u>CWE-668</u>) and Incorrect Resource Transfer Between Spheres (<u>CWE-669</u>), there is one HW CWE with one security failure scenario:

1. Attackers can obtain security-sensitive values from registers that are not cleared prior to entering debug mode [CWE-1258].

Under the non-HW class Incorrect Resource Transfer Between Spheres (<u>CWE-669</u>), there is one security failure scenario:

1. An attacker can infer sensitive data by observing discrepancies left behind by transient executions (i.e., speculative processing that was not needed and rolled back), detecting the transiency, and gaining evidence of the sensitive data values being processed [CWE-1420] [CWE-1421] [CWE-1422] [CWE-1423].

Under both the non-HW classes Improper Resource Shutdown or Release (<u>CWE-404</u>) and Incorrect Resource Transfer Between Spheres (<u>CWE-669</u>), there are four security failure scenarios:

1. Malicious software can read sensitive information from resources (e.g., registers) that were not cleared after use and that are made available due to a state change in the device (e.g., entering sleep or debug mode) or an execution change between privilege levels [CWE-226] [CWE-1272].
2. A malicious user of a hardware IP block can extract sensitive information stored in registers that were not zeroed after IP block use from a previous user (e.g., input/output registers) [CWE-1239].
3. An attacker can read sensitive data that was incompletely deleted or for which residual evidence or data remanence remains (e.g., performance optimizations that do not fully delete, physical properties that make data resistant to full deletion) [CWE-1301] [CWE-
4. An attacker can take advantage of a process performing a transient execution (i.e., speculatively executed code) that leaves sensitive data in the microarchitectural state by provoking exceptions that allow the data to be read [CWE-1342].

There are HW CWEs that do not have an intervening class between them and pillar (<u>CWE-664</u>). They have one security failure scenario:

1. An attacker can violate system security by taking advantage of the need for multiple hardware components to keep local copies of a shared state (e.g., caches and MMUs) when they are unable to maintain full consistency [CWE-1250] [CWE-1251].
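The lock-bit scenarios in Sec. 4.1 (CWE-1231, a lock that can be cleared after it is set) and in this section (CWE-1232, a lock lost across a power state transition) share one mechanism, so a single added example serves both. It is not material from this draft: it is a hypothetical C model of a lock-protected register bank, with the weak lock beside its sticky form and a faulty wake-up sequence beside its corrected form, and a check function for each scenario that reports whether a protected register is left writable.

```c
/* Added illustration, not code from NIST IR 8517: a C model of a
 * lock-protected configuration register bank. The register layout, the
 * function names and the power-state handling are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define NUM_CFG_REGS 4

/* Configuration registers guarded by one lock bit that is meant to be
 * write-once until the next hardware reset. */
struct reg_bank {
    uint32_t cfg[NUM_CFG_REGS];
    bool     locked;
};

/* Hardware reset: the only legitimate way for the lock to be cleared. */
void bank_reset(struct reg_bank *b)
{
    memset(b->cfg, 0, sizeof b->cfg);
    b->locked = false;
}

/* Write to a protected register: true if accepted, false if rejected. */
bool cfg_write(struct reg_bank *b, unsigned idx, uint32_t value)
{
    if (idx >= NUM_CFG_REGS || b->locked)
        return false;
    b->cfg[idx] = value;
    return true;
}

/* CWE-1231 pattern: the lock is an ordinary read/write bit, so a later
 * write of 0 clears it and reopens every protected register. */
void lock_write_clearable(struct reg_bank *b, bool value)
{
    b->locked = value;
}

/* Hardened form: the lock is sticky; writes of 0 are ignored and only
 * bank_reset() clears it. */
void lock_write_sticky(struct reg_bank *b, bool value)
{
    if (value)
        b->locked = true;
}

/* CWE-1232 pattern: on wake-up from a low-power state the sequencer
 * restores the saved configuration but leaves the lock at its reset
 * value, so the old settings come back writable. */
void power_up_buggy(struct reg_bank *b, const struct reg_bank *saved)
{
    bank_reset(b);
    memcpy(b->cfg, saved->cfg, sizeof b->cfg);
    /* saved->locked is never restored */
}

/* Hardened form: the lock state is restored together with the data it
 * guards, so a bank that was locked wakes up locked. */
void power_up_fixed(struct reg_bank *b, const struct reg_bank *saved)
{
    bank_reset(b);
    memcpy(b->cfg, saved->cfg, sizeof b->cfg);
    b->locked = saved->locked;
}

/* Check for CWE-1231: trusted firmware configures and locks the bank, then
 * untrusted code writes 0 to the lock bit. Returns true if a subsequent
 * write to a protected register is wrongly accepted. */
bool writable_after_unlock_write(void (*lock_write)(struct reg_bank *, bool))
{
    struct reg_bank b;
    bank_reset(&b);
    cfg_write(&b, 0, 0xC0FFEEu);   /* constructed trusted configuration */
    lock_write(&b, true);
    lock_write(&b, false);          /* untrusted attempt to clear the lock */
    return cfg_write(&b, 0, 0xBADu);
}

/* Check for CWE-1232: lock the bank, go through a low-power cycle using the
 * given wake-up routine, then attempt a write. Returns true if the write is
 * wrongly accepted. */
bool writable_after_wakeup(void (*power_up)(struct reg_bank *, const struct reg_bank *))
{
    struct reg_bank b, saved;
    bank_reset(&b);
    cfg_write(&b, 0, 0xC0FFEEu);
    lock_write_sticky(&b, true);
    saved = b;                      /* retention copy taken at power-down */
    power_up(&b, &saved);
    return cfg_write(&b, 0, 0xBADu);
}
```

A design review or simulation testbench can apply the same two checks to the real register model: a locked bank must reject writes both after a write of 0 to the lock and after every supported power transition.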

### 4.5. Incorrect Comparison

The CWE Incorrect Comparison (<u>CWE-697</u>) applies when a "product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses." For example, the comparison:

- Checks one factor incorrectly
- Should consider multiple factors but does not check at least one of those factors at all
- Checks the wrong factor

The HW CWEs under this pillar occur within the following pillar/class hierarchy.

CWE-697 P Incorrect Comparison

Figure 6 shows the digraph of hardware CWEs under this pillar with their parent-child relationships.



Fig. 6. HW CWE subgraph for pillar Incorrect Comparison (CWE-697)

The HW security failure scenario pertaining to this pillar is:

1. An attacker can make informed guesses of security credentials when evaluation of those credentials is performed iteratively as opposed to all at once (i.e., atomically) [CWE-1254].
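As an added example that is not part of this draft, the C code below contrasts the iterative, early-exit credential check that CWE-1254 describes with an all-at-once form, and reports the work each performs on two wrong guesses; the comparator names and the sample credential are constructed.

```c
/* Added illustration, not code from NIST IR 8517: two ways to compare a
 * supplied credential against the expected value. Rather than timing the
 * code, each comparator reports how many bytes it examined, which is the
 * work an observer of timing or power would see vary. Names and the sample
 * credential are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

struct cmp_result {
    bool   match;
    size_t bytes_examined;
};

typedef struct cmp_result (*comparator_fn)(const uint8_t *expected,
                                           const uint8_t *given, size_t len);

/* CWE-1254 pattern: iterative comparison that stops at the first mismatch.
 * The work done grows with the length of the matching prefix, so each byte
 * can be confirmed independently of the rest. */
struct cmp_result compare_early_exit(const uint8_t *expected,
                                     const uint8_t *given, size_t len)
{
    struct cmp_result r = { true, 0 };
    for (size_t i = 0; i < len; i++) {
        r.bytes_examined++;
        if (expected[i] != given[i]) {
            r.match = false;
            break;
        }
    }
    return r;
}

/* Hardened form: the software analogue of evaluating the credential all at
 * once. Every byte is always examined, the differences are accumulated
 * with OR, and no branch depends on the credential data. */
struct cmp_result compare_all_at_once(const uint8_t *expected,
                                      const uint8_t *given, size_t len)
{
    struct cmp_result r = { false, 0 };
    uint8_t diff = 0;
    for (size_t i = 0; i < len; i++) {
        r.bytes_examined++;
        diff |= (uint8_t)(expected[i] ^ given[i]);
    }
    r.match = (diff == 0);
    return r;
}

/* Constructed check: does the amount of work reveal where a wrong guess
 * first diverges from the expected value? Two wrong guesses are tried that
 * differ only in the position of their first mismatching byte. */
bool work_reveals_prefix(comparator_fn cmp)
{
    static const uint8_t expected[8]   = {0x5A,0x3C,0x7E,0x11,0x90,0xAB,0xCD,0xEF};
    static const uint8_t wrong_at_0[8] = {0x00,0x3C,0x7E,0x11,0x90,0xAB,0xCD,0xEF};
    static const uint8_t wrong_at_5[8] = {0x5A,0x3C,0x7E,0x11,0x90,0x00,0xCD,0xEF};
    struct cmp_result a = cmp(expected, wrong_at_0, sizeof expected);
    struct cmp_result b = cmp(expected, wrong_at_5, sizeof expected);
    return a.bytes_examined != b.bytes_examined;
}
```

In a hardware comparator the same property holds when all bits are compared in one cycle and a single match signal is produced; any design that sequences the comparison over bytes or words should be reviewed for data-dependent duration.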

### 4.6. Insufficient Control Flow Management

The CWE Insufficient Control Flow Management (CWE-691) applies when "the code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways."

The HW CWEs under this pillar occur within the following pillar/class hierarchy. No child class of the pillar is itself an HW CWE.

CWE-691 P Insufficient Control Flow Management
- <u>CWE-362</u> C Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
- <u>CWE-662</u> C Improper Synchronization
  - CWE-667 C Improper Locking
  - CWE-696 C Incorrect Behavior Order

Figure 7 shows the digraph of hardware CWEs under this pillar with their parent-child relationships.



Fig. 7. HW CWE subgraph for pillar Insufficient Control Flow Management (CWE-691)

Under the non-HW class Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (CWE-362), there are two security failure scenarios:

- 1. Malicious software can violate the system security model by writing to write-once registers that typically hold system configuration data prior to trusted code writing to them [CWE-1223].
- 2. An attacker can circumvent security protections by taking advantage of a race condition in hardware logic [CWE-1298].

The non-HW class Improper Synchronization (<u>CWE-662</u>) has four security failure scenarios that were previously provided in Sec. 4.4. This is because <u>CWE-662</u> also falls under pillar Improper Control of a Resource Through its Lifetime (<u>CWE-664</u>). The full graph in Fig. 1 shows the relationships.

Under the non-HW class Incorrect Behavior Order (<u>CWE-696</u>), there are three security failure scenarios:

1. An attacker can leverage an early boot IP with direct memory access (DMA) prior to security configuration settings being established in order to access security-sensitive data and potentially gain privileges by bypassing the operating system (OS) and bootloader [CWE-1190].
2. An attacker can leverage an untrusted IP or peripheral microcontroller after system reset to access memory and fabric (e.g., to obtain privileges or read sensitive data) prior to trusted firmware asserting security controls during the boot sequence [CWE-1193].
3. A malicious agent can gain access to a protected asset if the hardware-based access control check does not complete prior to the asset being accessed [CWE-1280].

The HW child of pillar CWE-691 has one security failure scenario:

1. Malicious code can cause undesirable processor behavior (e.g., lock a processor) by executing a special sequence of instructions [CWE-1281].
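As an added illustration of scenario 3 under Incorrect Behavior Order (CWE-1280), not code from this report or from the CWE entry, the following Verilog-2001 read port for a protected key register is shown first with the check completing after the asset is accessed and then hardened so the check gates the access. Module and signal names, the four-bit security identifier, the `TRUSTED_ID` value, and the constructed key value are all assumptions for the example.

```verilog
// Added example (hypothetical design, not from NIST IR 8517): read port
// for a protected key register. Names, widths and values are assumptions.

// Weak (CWE-1280): the requester's security-identifier check is registered
// and lands one cycle after the request, but the key is driven onto rd_data
// on the request cycle itself. The asset is on the bus before the check
// result exists, and rd_valid is gated by the *previous* request's result.
module key_read_port_weak #(parameter [3:0] TRUSTED_ID = 4'h1) (
  input  wire        clk,
  input  wire        rst_n,
  input  wire        rd_req,     // read request strobe
  input  wire [3:0]  src_id,     // security identifier of the requester
  input  wire [31:0] key,        // protected asset
  output reg  [31:0] rd_data,
  output reg         rd_valid
);
  reg allowed;                   // check result, one cycle late
  always @(posedge clk or negedge rst_n) begin
    if (!rst_n) begin
      allowed  <= 1'b0;
      rd_data  <= 32'd0;
      rd_valid <= 1'b0;
    end else begin
      allowed  <= (src_id == TRUSTED_ID);
      rd_data  <= rd_req ? key : 32'd0;   // asset accessed before the check
      rd_valid <= rd_req & allowed;       // stale grant from the last cycle
    end
  end
endmodule

// Hardened: the grant is computed from the same request and identifier in
// the same cycle, and both the data path and the valid strobe are gated by
// it, so the key never leaves the register unless the check already passed.
module key_read_port_safe #(parameter [3:0] TRUSTED_ID = 4'h1) (
  input  wire        clk,
  input  wire        rst_n,
  input  wire        rd_req,
  input  wire [3:0]  src_id,
  input  wire [31:0] key,
  output reg  [31:0] rd_data,
  output reg         rd_valid
);
  wire grant = rd_req & (src_id == TRUSTED_ID);  // check precedes access
  always @(posedge clk or negedge rst_n) begin
    if (!rst_n) begin
      rd_data  <= 32'd0;
      rd_valid <= 1'b0;
    end else begin
      rd_data  <= grant ? key : 32'd0;
      rd_valid <= grant;
    end
  end
endmodule

// Testbench: a trusted read followed on the next cycle by an untrusted read.
// The weak port hands the untrusted requester the key (and asserts rd_valid,
// because `allowed` still holds the trusted requester's result); the hardened
// port returns zeros with rd_valid low for the untrusted request.
module tb;
  reg clk = 1'b0, rst_n = 1'b0, rd_req = 1'b0;
  reg [3:0] src_id = 4'h0;
  wire [31:0] d_weak, d_safe;
  wire v_weak, v_safe;

  key_read_port_weak u_weak (.clk(clk), .rst_n(rst_n), .rd_req(rd_req),
    .src_id(src_id), .key(32'hCAFEF00D), .rd_data(d_weak), .rd_valid(v_weak));
  key_read_port_safe u_safe (.clk(clk), .rst_n(rst_n), .rd_req(rd_req),
    .src_id(src_id), .key(32'hCAFEF00D), .rd_data(d_safe), .rd_valid(v_safe));

  always #5 clk = ~clk;

  initial begin
    #12 rst_n = 1'b1;
    @(negedge clk); rd_req = 1'b1; src_id = 4'h1;  // trusted read
    @(negedge clk); rd_req = 1'b1; src_id = 4'h7;  // untrusted read
    @(negedge clk); rd_req = 1'b0;                 // outputs now reflect it
    $display("untrusted read -> weak: data=%h valid=%b | safe: data=%h valid=%b",
             d_weak, v_weak, d_safe, v_safe);
    $finish;
  end
endmodule
```

Simulating `tb` (for instance with Icarus Verilog) shows the weak port exposing the key to the untrusted identifier; a static check that every path from a protected register to a bus output is dominated by the access-control grant catches the same defect at design time.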

### 4.7. Protection Mechanism Failure

The CWE Protection Mechanism Failure (<u>CWE-693</u>) applies when:

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. This weakness covers three distinct situations. A 'missing' protection mechanism occurs when the application does not define any mechanism against a certain class of attack. An 'insufficient' protection mechanism might provide some defenses - for example, against the most common attacks - but it does not protect against everything that is intended. Finally, an 'ignored' mechanism occurs when a mechanism is available and in active use within the product, but the developer has not applied it in some code path.

There are 15 HW CWEs under this pillar. They occur within the following pillar/class hierarchy. No child class of the pillar is itself an HW CWE.

- CWE-693 P Protection Mechanism Failure
  - CWE-311 C Missing Encryption of Sensitive Data
  - CWE-327 C Use of a Broken or Risky Cryptographic Algorithm
  - <u>CWE-330</u> C Use of Insufficiently Random Values

Figure 8 shows the digraph of hardware CWEs under this pillar with their parent-child relationships.


Fig. 8. HW CWE subgraph for pillar Protection Mechanism Failure (CWE-693)

Under the non-HW class Missing Encryption of Sensitive Data (<u>CWE-311</u>), there is one security failure scenario:

1. An attacker may gain access to sensitive information if it is transmitted unencrypted through on-chip component interconnects or external debug channels (e.g., JTAG debug port) [CWE-319].

Under the non-HW class Use of a Broken or Risky Cryptographic Algorithm (<u>CWE-327</u>), there is one security failure scenario:

1. An attacker can read encrypted information since HW-implemented cryptographic primitives may not be easily patchable or upgradeable, resulting in a weakening of cryptographic services over time as the computational power of attackers increases and vulnerabilities are discovered that weaken implemented algorithms [CWE-1240].

Under the non-HW class Use of Insufficiently Random Values (<u>CWE-330</u>), there is one security failure scenario:

1. An attacker may break encryption by leveraging the ability to predict generated 'random' numbers that come from pseudorandom number generators (RNGs) as opposed to hardware-based true random number generators (TRNGs) [<u>CWE-1241</u>].

The non-class children of pillar <u>CWE-693</u> have the following nine security failure scenarios:

1. An attacker can leverage a security-sensitive hardware module that may fail due to semiconductor defects that already existed in a new chip or that occurred over time (e.g., due to thermal/electrical stress). Such failures can freeze signals to either 0 or 1 [CWE-1248].
2. An attacker can blow a fuse to put a chip into an insecure state with one-directional fuses on chips used to permanently set a configuration (e.g., 'Manufacturing Complete') when such fuses incorrectly implement a reverse security logic [CWE-1253].
3. An attacker can gain unauthorized capabilities (e.g., bypass cryptographic checks, read and change an internal state, and adjust system configurations) when a chip is not set to a production configuration, thereby allowing debug capabilities [CWE-1269].
4. An attacker can read confidential information from a chip (e.g., secret keys, device identifiers, proprietary code, and circuit designs) with imaging technology (e.g., x-ray microscopy and scanning electron microscopes) after the removal of chip packaging and individual integrated circuit layers [CWE-1278].
5. An attacker can run leaked debug firmware on a chip and gain greater insight into the inner workings and state of the chip if both the debug and production firmware are signed with the same public key [CWE-1291].
6. An attacker can bypass security by leveraging peripherals and chip components that require the transfer of information for security features (e.g., privileges and immutable identity) but that are connected to on-chip fabrics or buses that do not support those features [CWE-1318].
7. An attacker can generate magnetic pulses to induce temporary faults on a chip (known as electromagnetic fault injection), thereby circumventing or changing security functionality (e.g., bypassing security features, reading confidential information, changing program flow, or perturbing RNGs) [CWE-1319].
8. An attacker can compromise secure boot capabilities and execute their choice of code by modifying memory or fuses that should have been made immutable [CWE-1326].
9. Malicious software can execute code to trigger overheating on chips that contain inadequate thermal protection (e.g., heat sensors and cooling capabilities), resulting in temporary DoS, permanent failure ("bricking"), reliability issues, and physical safety hazards [CWE-1338].


## 5. Categories of Hardware Design Weaknesses

The HW CWE SIG groups HW weaknesses into 13 categories that describe where a security problem may exist in an HW design. This section presents these categories and the associated HW CWEs.

### 5.1. Core and Compute Issues

Weaknesses in the category Core and Compute Issues (<u>CWE-1201</u>) are "typically associated with CPUs, Graphics, Vision, AI, FPGA, and microcontrollers." There are three HW CWEs in this category, none of which are classes.



Fig. 9. HW CWEs under the category Core and Compute Issues (CWE-1201)

### 5.2. Cross-Cutting Problems

Weaknesses in the category Cross-Cutting Problems (<u>CWE-1208</u>) can "arise in multiple areas of hardware design or apply to a wide cross-section of components." There are nine HW CWEs in this category. Three are classes: Insufficient Technical Documentation (<u>CWE-1059</u>), Improper Physical Access Control (<u>CWE-1263</u>), and Reliance on Insufficiently Trustworthy Component (<u>CWE-1357</u>).



Fig. 10. HW CWEs under the category Cross-Cutting Problems (CWE-1208)

### 5.3. Debug and Test Problems


Weaknesses in the category Debug and Test Problems (<u>CWE-1207</u>) are "related to hardware debug and test interfaces such as JTAG and scan chain." There are 12 HW CWEs in this category, none of which are classes.



Fig. 11. HW CWEs under the category Debug and Test Problems (CWE-1207)

### 5.4. General Circuit and Logic Design Concerns

Weaknesses in the category General Circuit and Logic Design Concerns (<u>CWE-1199</u>) are "related to hardware-circuit design and logic (e.g., CMOS transistors, finite state machines, and registers) as well as issues related to hardware description languages such as System Verilog and VHDL." There are 14 HW CWEs in this category, none of which are classes.



Fig. 12. HW CWEs under the category General Circuit and Logic Design Concerns (CWE-1199)

### 5.5. Integration Issues


Weaknesses in the category Integration Issues (<u>CWE-1197</u>) arise from the integration of multiple hardware IP cores, SoC subsystem interactions, or hardware platform subsystem interactions. There is only one HW CWE in this category.



Fig. 13. HW CWEs under the category Integration Issues (CWE-1197)

### 5.6. Manufacturing and Life Cycle Management Concerns

Weaknesses in the category Manufacturing and Life Cycle Management Concerns (<u>CWE-1195</u>) are "root-caused to defects that arise in the semiconductor-manufacturing process or during the life cycle and supply chain." There are six HW CWEs in this category, one of which is class Insufficient Technical Documentation (CWE-1059).



Fig. 14. HW CWEs under the category Manufacturing and Life Cycle Management Concerns (CWE-1195)

### 5.7. Memory and Storage Issues


Weaknesses in the category Memory and Storage Issues (<u>CWE-1202</u>) are "typically associated with memory (e.g., DRAM, SRAM) and storage technologies (e.g., NAND Flash, OTP, EEPROM, and eMMC)." There are seven HW CWEs in this category, none of which are classes.



Fig. 15. HW CWEs under the category Memory and Storage Issues (CWE-1202)

### 5.8. Peripherals, On-chip Fabric, and Interface/IO Problems

Weaknesses in the category Peripherals, On-chip Fabric, and Interface/IO Problems (<u>CWE-1203</u>) are "related to hardware security problems that apply to peripheral devices, IO interfaces, on-chip interconnects, NoC, and buses. For example, this category includes issues related to design of hardware interconnect and/or protocols, such as PCIe, USB, SMBUS, general-purpose IO pins, and user-input peripherals such as mouse and keyboard." There are six HW CWEs in this category, none of which are classes.



Fig. 16. HW CWEs under the category Peripherals, On-chip Fabric, and Interface/IO Problems (CWE-1203)


### 5.9. Physical Access Issues and Concerns

Weaknesses in the category Physical Access Issues and Concerns (<u>CWE-1388</u>) are related to physical access concerns. There are 10 HW CWEs in this category, one of which is class Improper Handling of Physical or Environmental Conditions (<u>CWE-1384</u>).



Fig. 17. HW CWEs under the category Physical Access Issues and Concerns (CWE-1388)

### 5.10. Power, Clock, Thermal, and Reset Concerns

Weaknesses in the category Power, Clock, Thermal, and Reset Concerns (<u>CWE-1206</u>) are "related to system power, voltage, current, temperature, clocks, system state saving/restoring, and resets at the platform and SoC level." There are 11 HW CWEs in this category, none of which are classes.



Fig. 18. HW CWEs under the category Power, Clock, Thermal, and Reset Concerns (CWE-1206)

### 5.11. Privilege Separation and Access Control Issues

Weaknesses in the category Privilege Separation and Access Control Issues (<u>CWE-1198</u>) are "related to features and mechanisms providing hardware-based isolation and access control (e.g., identity, policy, locking control) of sensitive shared hardware resources, such as registers and fuses." There are 23 HW CWEs in this category, two of which are classes: Unintended Proxy or Intermediary ('Confused Deputy') (<u>CWE-441</u>) and Insecure Security Identifier Mechanism (<u>CWE-1294</u>).



Fig. 19. HW CWEs under the category Privilege Separation and Access Control Issues (CWE-1198)

### 5.12. Security Flow Issues

Weaknesses in the category Security Flow Issues (<u>CWE-1196</u>) are "related to improper design of full-system security flows, including but not limited to secure boot, secure update, and hardware-device attestation." There are eight HW CWEs in this category, none of which are classes.



Fig. 20. HW CWEs under the category Security Flow Issues (CWE-1196)

### 5.13. Security Primitives and Cryptography Issues

Weaknesses in the category Security Primitives and Cryptography Issues (<u>CWE-1205</u>) are "related to hardware implementations of cryptographic protocols and other hardware-security primitives, such as physical unclonable functions (PUFs) and random number generators (RNGs)." There are seven HW CWEs in this category, none of which are classes.



Fig. 21. HW CWEs under the category Security Primitives and Cryptography Issues (CWE-1205)

## 6. Comparison With Software Weaknesses

As presented in Sec. 2.4.3, the Weaknesses for Simplified Mapping of Published Vulnerabilities view (CWE-1003) includes the CWEs that cover the majority of CVEs. As presented in Sec. 2.4.1, the Hardware Design view (CWE-1194) contains the HW CWEs. There are only three CWEs that overlap in View-1003 and View-1194: CWE-203, CWE-276, and CWE-319. They have the following View-1194 categories:

1. Observable Discrepancy (<u>CWE-203</u>) is in View-1194 category Security Primitives and Cryptography Issues (<u>CWE-1205</u>).
2. Incorrect Default Permissions (<u>CWE-276</u>) is in View-1194 category Privilege Separation and Access Control Issues (<u>CWE-1198</u>).
3. Cleartext Transmission of Sensitive Information (<u>CWE-319</u>) is in View-1194 category Debug and Test Problems (<u>CWE-1207</u>).

Figure 22 shows the complete HW CWE graph created using View-1000 and View-1194 (from Fig. 1) with the View-1003 software CWEs added and highlighted in dark purple. Twenty of these CWEs occur within the HW CWE graph even though 17 of them are not HW CWEs. These 17 are intermediary CWEs that connect an HW CWE with its respective pillars.



Fig. 22. HW CWE complete graph with View-1003 pillar and class CWEs that are not in View-1194 highlighted

Figure 23 shows the complete HW CWE graph created using View-1000 and View-1194 (from Fig. 1) with the three CWEs that occur both in View-1003 and View-1194 highlighted in purple.



Fig. 23. HW CWE complete graph with View-1003 base CWEs that overlap with View-1194 highlighted


Figure 24 shows the complete HW CWE graph with memory-related weaknesses darkly shaded in purple. These may be candidates to be analyzed for addition as HW CWEs if firmware (including microcode) weaknesses are considered HW weaknesses.



Fig. 24. HW CWE complete graph with memory-related weaknesses highlighted


## 7. Software Assurance Trends Categories

In addition to the views previously presented, there is a Software Development view (<u>CWE-699</u>). Figure 25 shows the View-699 CWEs that overlap with the complete HW CWEs graph (from Fig. 1).



Fig. 25. View-699 CWEs that overlap with View-1194 highlighted

Only 12 CWEs are both in View-1194 and View-699. Organized by the View-699 categories, they are:

- CWE View-699 > CWE Category: Permission Issues (<u>CWE-275</u>)
  - CWE-276: Incorrect Default Permissions
- CWE View-699 > CWE Category: Cryptographic Issues (CWE-310)
  - CWE-325: Missing Cryptographic Step
- CWE View-699 > CWE Category: Behavioral Problems (CWE-438)
  - CWE-440: Expected Behavior Violation
- CWE View-699 > CWE Category: Documentation Issues (<u>CWE-1125</u>)
  - CWE-1053: Missing Documentation for Design
  - CWE-1110: Incomplete Design Documentation
  - CWE-1111: Incomplete I/O Documentation
  - CWE-1112: Incomplete Documentation of Program Execution
  - CWE-1118: Insufficient Documentation of Error Handling Techniques
- CWE View-699 > CWE Category: Authorization Errors (CWE-1212)
  - CWE-1220: Insufficient Granularity of Access Control
- CWE View-699 > CWE Category: Information Management Errors (CWE-199)
  - CWE-319: Cleartext Transmission of Sensitive Information
  - CWE-1240: Use of a Cryptographic Primitive with a Risky Implementation
  - CWE-1241: Use of Predictable Algorithm in Random Number Generator

Figure 26 provides a separate view of these 12 CWEs.





Fig. 26. The 12 CWEs in both View-1194 and View-699

## 8. Conclusion

Historically held notions that hardware is invulnerable have been shown to be incorrect. This work has presented 98 hardware security failure scenarios that demonstrate **what** an attacker can do, **where** they can do it, and **how** they can do it. Each scenario describes a type of vulnerability that can be instantiated in many different ways on distinct hardware platforms. Almost all of these scenarios represent significant security concerns.

However, there are few known HW vulnerabilities. As of February 22, 2024, there were only 131 HW CVEs. This can be partially explained by HW developers finding and removing HW vulnerabilities during the design process, meaning that they are never added to the CVE. At the same time, the number of HW CVEs may be artificially low because HW developers are reticent to acknowledge vulnerabilities in shipped products due to the inability to resolve or mitigate them. It is also possible that the restricted programming languages used for HW design limit the possibility of introducing vulnerabilities relative to more general software programming languages. Another factor could be that HW security has only recently received significantly heightened attention from the security community.

Hardware is a new focal point in the unending conflict between computer security hackers and defenders. Vulnerabilities can have serious consequences because of the large deployed base of chips and the inability to fix vulnerabilities on those chips. There are many ways in which HW can fail from a security perspective, and there is ample justification for securing HW infrastructure. HW is the foundation of computing and must be trustworthy.

## References

The references are organized into general references and CWE references.

### General References

[1] Bellay, Forte, Taylor (2021) Hardware Vulnerability Description, Sharing and Reporting: Challenges and Opportunities. Available at https://dforte.ece.ufl.edu/wp-content/uploads/sites/65/2021/05/GOMACTech_conf.pdf

[2] McConnell (2004) Code Complete: A Practical Handbook of Software Construction, Second Edition. Available at https://people.engr.tamu.edu/slupoli/notes/ProgrammingStudio/supplements/Code%20Complete%202nd.pdf

[3] Bojanova, Irena, et al. 'Bug, fault, error, or weakness: Demystifying software security vulnerabilities.' IT Professional 25.01 (2023): 7-12. Available at https://ieeexplore.ieee.org/document/10077830

[4] MITRE (2024) CWE/CAPEC Board. Available at https://cwe.mitre.org/community/board.html

[5] HW CWE SIG (2024) Hardware CWE Special Interest Group – Mission and Initial Guidance. Available at https://cwe.mitre.org/documents/HW CWE SIG.pdf

[6] MITRE (2024) CVE. Available at http://cve.mitre.org

[7] NIST (2024) National Vulnerability Database. Available at https://nvd.nist.gov

[8] MITRE (2024) New to CWE. Available at https://cwe.mitre.org/about/new_to_cwe.html

[9] MITRE (2024) CWE Common Weakness Enumeration. Available at https://cwe.mitre.org/index.html

### CWE References

[CWE-203] Preliminary List Of Vulnerability Examples for Researchers (PLOVER) Project Team (2006) CWE-203: Observable Discrepancy. (The MITRE Corporation). Submission date 2006-07-19. Available at https://cwe.mitre.org/data/definitions/203.html

[CWE-226] PLOVER Project Team (2006) CWE-226: Sensitive Information in Resource Not Removed Before Reuse. (The MITRE Corporation). Submission date 2006-07-19. Available at https://cwe.mitre.org/data/definitions/226.html

[CWE-276] PLOVER Project Team (2006) CWE-276: Incorrect Default Permissions. (The MITRE Corporation). Submission date 2006-07-19. Available at https://cwe.mitre.org/data/definitions/276.html

[CWE-319] PLOVER Project Team (2006) CWE-319: Cleartext Transmission of Sensitive Information. (The MITRE Corporation). Submission date 2006-07-19. Available at https://cwe.mitre.org/data/definitions/319.html

[CWE-325] PLOVER Project Team (2006) CWE-325: Missing Cryptographic Step. (The MITRE Corporation). Submission date 2006-07-19. Available at https://cwe.mitre.org/data/definitions/325.html

[CWE-440] PLOVER Project Team (2006) CWE-440: Expected Behavior Violation. (The MITRE Corporation). Submission date 2006-07-19. Available at https://cwe.mitre.org/data/definitions/440.html

[CWE-441] PLOVER Project Team (2006) CWE-441: Unintended Proxy or Intermediary ('Confused Deputy'). (The MITRE Corporation). Submission date 2006-07-19. Available at https://cwe.mitre.org/data/definitions/441.html

[CWE-1053] CWE Content Team (2019) CWE-1053: Missing Documentation for Design. (The MITRE Corporation). Submission date 2019-01-03. Available at https://cwe.mitre.org/data/definitions/1053.html

[CWE-1059] CWE Content Team (2019) CWE-1059: Insufficient Technical Documentation. (The MITRE Corporation). Submission date 2019-01-03. Available at https://cwe.mitre.org/data/definitions/1059.html

[CWE-1189] Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1189: Improper Isolation of Shared Resources on System-on-a-Chip (SoC). (The MITRE Corporation). Submission date 2020-02-24. Available at https://cwe.mitre.org/data/definitions/1189.html

[CWE-1190] Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1190: DMA Device Enabled Too Early in Boot Phase. (The MITRE Corporation). Submission date 2020-02-24. Available at https://cwe.mitre.org/data/definitions/1190.html

[CWE-1191] Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1191: On-Chip Debug and Test Interface With Improper Access Control. (The MITRE Corporation). Submission date 2020-02-24. Available at https://cwe.mitre.org/data/definitions/1191.html

[CWE-1192] Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1192: Improper Identifier for IP Block used in System-On-Chip (SOC). (The MITRE Corporation). Submission date 2020-02-24. Available at https://cwe.mitre.org/data/definitions/1192.html

[CWE-1193] Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1193: Power-On of Untrusted Execution Core Before Enabling Fabric Access Control. (The MITRE Corporation). Submission date 2020-02-24. Available at https://cwe.mitre.org/data/definitions/1193.html

[CWE-1209] Sherman B (2020) CWE-1209: Failure to Disable Reserved Bits. (The MITRE Corporation). Submission date 2020-02-24. Available at https://cwe.mitre.org/data/definitions/1209.html

[CWE-1220] Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1220: Insufficient Granularity of Access Control. (The MITRE Corporation). Submission date 2020-02-24. Available at https://cwe.mitre.org/data/definitions/1220.html

| 1086<br>1087<br>1088         | [CWE-1221] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1221: Incorrect Register Defaults or Module Parameters. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1221.html">https://cwe.mitre.org/data/definitions/1221.html</a>                        |
|------------------------------|------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1089<br>1090<br>1091<br>1092 | [CWE-1222] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1222: Insufficient Granularity of Address Regions Protected by Register Locks. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1222.html">https://cwe.mitre.org/data/definitions/1222.html</a> |
| 1093<br>1094<br>1095         | [CWE-1223] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1223: Race Condition for Write-Once Attributes. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1223.html">https://cwe.mitre.org/data/definitions/1223.html</a>                                |
| 1096<br>1097<br>1098         | [CWE-1224] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1224: Improper Restriction of Write-Once Bit Fields. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1224.html">https://cwe.mitre.org/data/definitions/1224.html</a>                           |
| 1099<br>1100<br>1101         | [CWE-1231] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1231: Improper Prevention of Lock Bit Modification. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1231.html">https://cwe.mitre.org/data/definitions/1231.html</a>                            |
| 1102<br>1103<br>1104<br>1105 | [CWE-1232] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1232: Improper Lock Behavior After Power State Transition. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1232.html">https://cwe.mitre.org/data/definitions/1232.html</a>                     |
| 1106<br>1107<br>1108<br>1109 | [CWE-1233] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1233: Security-Sensitive Hardware Controls with Missing Lock Bit Protection. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1233.html">https://cwe.mitre.org/data/definitions/1233.html</a>   |
| 1110<br>1111<br>1112<br>1113 | [CWE-1234] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1234: Hardware Internal or Debug Modes Allow Override of Locks. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1234.html">https://cwe.mitre.org/data/definitions/1234.html</a>                |
| 1114<br>1115<br>1116         | [CWE-1239] | Fern N (2020) CWE-1239: Improper Zeroization of Hardware Register. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1239.html">https://cwe.mitre.org/data/definitions/1239.html</a>                                                                         |
| 1117<br>1118<br>1119<br>1120 | [CWE-1240] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1240: Use of a Cryptographic Primitive with a Risky Implementation. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1240.html">https://cwe.mitre.org/data/definitions/1240.html</a>            |
| 1121<br>1122<br>1123<br>1124 | [CWE-1241] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1241: Use of Predictable Algorithm in Random Number Generator. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1241.html">https://cwe.mitre.org/data/definitions/1241.html</a>                 |

| 1125<br>1126<br>1127<br>1128 | [CWE-1242] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1242: Inclusion of Undocumented Features or Chicken Bits. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1242.html">https://cwe.mitre.org/data/definitions/1242.html</a>                                 |
|------------------------------|------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1129<br>1130<br>1131<br>1132 | [CWE-1243] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1243: Sensitive Non-Volatile Information Not Protected During Debug. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1243.html">https://cwe.mitre.org/data/definitions/1243.html</a>                      |
| 1133<br>1134<br>1135<br>1136 | [CWE-1244] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1244: Internal Asset Exposed to Unsafe Debug Access Level or State. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1244.html">https://cwe.mitre.org/data/definitions/1244.html</a>                       |
| 1137<br>1138<br>1139<br>1140 | [CWE-1245] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1245: Improper Finite State Machines (FSMs) in Hardware Logic. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1245.html">https://cwe.mitre.org/data/definitions/1245.html</a>                            |
| 1141<br>1142<br>1143<br>1144 | [CWE-1246] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1246: Improper Write Handling in Limited-write Non-Volatile Memories. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1246.html">https://cwe.mitre.org/data/definitions/1246.html</a>                     |
| 1145<br>1146<br>1147<br>1148 | [CWE-1247] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1247: Improper Protection Against Voltage and Clock Glitches. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1247.html">https://cwe.mitre.org/data/definitions/1247.html</a>                             |
| 1149<br>1150<br>1151<br>1152 | [CWE-1248] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1248: Semiconductor Defects in Hardware Logic with Security-Sensitive Implications. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1248.html">https://cwe.mitre.org/data/definitions/1248.html</a>       |
| 1153<br>1154<br>1155<br>1156 | [CWE-1250] | CWE Content Team (2020) CWE-1250: Improper Preservation of Consistency Between Independent Representations of Shared State. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1250.html">https://cwe.mitre.org/data/definitions/1250.html</a>                           |
| 1157<br>1158<br>1159         | [CWE-1251] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1251: Mirrored Regions with Different Values. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1251.html">https://cwe.mitre.org/data/definitions/1251.html</a>                                             |
| 1160<br>1161<br>1162<br>1163 | [CWE-1252] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1252: CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1252.html">https://cwe.mitre.org/data/definitions/1252.html</a> |

| 1164<br>1165<br>1166         | [CWE-1253] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1253: Incorrect Selection of Fuse Values. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1253.html">https://cwe.mitre.org/data/definitions/1253.html</a>                                          |
|------------------------------|------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1167<br>1168<br>1169         | [CWE-1254] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1254: Incorrect Comparison Logic Granularity. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1254.html">https://cwe.mitre.org/data/definitions/1254.html</a>                                      |
| 1170<br>1171<br>1172         | [CWE-1255] | CWE Content Team (2020) CWE-1255: Comparison Logic is Vulnerable to Power Side-Channel Attacks. (The MITRE Corporation). Submission date 2020-08-20. Available at <a href="https://cwe.mitre.org/data/definitions/1255.html">https://cwe.mitre.org/data/definitions/1255.html</a>                                                |
| 1173<br>1174<br>1175         | [CWE-1256] | Fern N (2020) CWE-1256: Improper Restriction of Software Interfaces to Hardware Features. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1256.html">https://cwe.mitre.org/data/definitions/1256.html</a>                                                      |
| 1176<br>1177<br>1178<br>1179 | [CWE-1257] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1257: Improper Access Control Applied to Mirrored or Aliased Memory Regions. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1257.html">https://cwe.mitre.org/data/definitions/1257.html</a>       |
| 1180<br>1181<br>1182<br>1183 | [CWE-1258] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1258: Exposure of Sensitive System Information Due to Uncleared Debug Information. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1258.html">https://cwe.mitre.org/data/definitions/1258.html</a> |
| 1184<br>1185<br>1186         | [CWE-1259] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1259: Improper Restriction of Security Token Assignment. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1259.html">https://cwe.mitre.org/data/definitions/1259.html</a>                           |
| 1187<br>1188<br>1189<br>1190 | [CWE-1260] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1260: Improper Handling of Overlap Between Protected Memory Ranges. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1260.html">https://cwe.mitre.org/data/definitions/1260.html</a>                |
| 1191<br>1192<br>1193         | [CWE-1261] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1261: Improper Handling of Single Event Upsets. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1261.html">https://cwe.mitre.org/data/definitions/1261.html</a>                                    |
| 1194<br>1195<br>1196         | [CWE-1262] | Fern N (2020) CWE-1262: Improper Access Control for Register Interface. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1262.html">https://cwe.mitre.org/data/definitions/1262.html</a>                                                                        |
| 1197<br>1198<br>1199         | [CWE-1263] | CWE Content Team (2020) CWE-1263: Improper Physical Access Control. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1263.html">https://cwe.mitre.org/data/definitions/1263.html</a>                                                                            |
| 1200<br>1201<br>1202         | [CWE-1264] | Fern N (2020) CWE-1264: Hardware Logic with Insecure De-Synchronization between Control and Data Channels. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1264.html">https://cwe.mitre.org/data/definitions/1264.html</a>                                     |

| 1203<br>1204<br>1205                                                                         | [CWE-1266] | Wortman PA (2020) CWE-1266: Improper Scrubbing of Sensitive Data from Decommissioned Device. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1266.html">https://cwe.mitre.org/data/definitions/1266.html</a>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
|----------------------------------------------------------------------------------------------|------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1206<br>1207<br>1208                                                                         | [CWE-1267] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1267: Policy Uses Obsolete Encoding. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1267.html">https://cwe.mitre.org/data/definitions/1267.html</a>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| 1209<br>1210<br>1211<br>1212                                                                 | [CWE-1268] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1268: Policy Privileges are not Assigned Consistently Between Control and Data Agents. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1268.html">https://cwe.mitre.org/data/definitions/1268.html</a>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| 1213<br>1214<br>1215                                                                         | [CWE-1269] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1269: Product Released in Non-Release Configuration. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1269.html">https://cwe.mitre.org/data/definitions/1269.html</a>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| 1216<br>1217<br>1218                                                                         | [CWE-1270] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1270: Generation of Incorrect Security Tokens. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1270.html">https://cwe.mitre.org/data/definitions/1270.html</a>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| 1219<br>1220<br>1221                                                                         | [CWE-1271] | Fern N (2020) CWE-1271: Uninitialized Value on Reset for Registers Holding Security Settings. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1271.html">https://cwe.mitre.org/data/definitions/1271.html</a>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
|                                                                                              |            |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| 1222<br>1223<br>1224<br>1225                                                                 | [CWE-1272] | Manna PK, Khattri H, Kanuparthi A (2020) CWE-1272: Sensitive Information Uncleared Before Debug/Power State Transition. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1272.html">https://cwe.mitre.org/data/definitions/1272.html</a>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| 1223<br>1224                                                                                 | [CWE-1272] | Uncleared Before Debug/Power State Transition. (The MITRE Corporation). Submission date 2020-02-24. Available at                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| 1223<br>1224<br>1225<br>1226<br>1227                                                         |            | Uncleared Before Debug/Power State Transition. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1272.html">https://cwe.mitre.org/data/definitions/1272.html</a> Manna PK, Khattri H, Kanuparthi A (2020) CWE-1273: Device Unlock Credential Sharing. (The MITRE Corporation). Submission date 2020-02-24. Available at                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| 1223<br>1224<br>1225<br>1226<br>1227<br>1228<br>1229<br>1230<br>1231                         | [CWE-1273] | Uncleared Before Debug/Power State Transition. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1272.html">https://cwe.mitre.org/data/definitions/1272.html</a> Manna PK, Khattri H, Kanuparthi A (2020) CWE-1273: Device Unlock Credential Sharing. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1273.html">https://cwe.mitre.org/data/definitions/1273.html</a> Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1274: Improper Access Control for Volatile Memory Containing Boot Code. (The MITRE Corporation). Submission date 2020-02-24. Available at                                                                                                                                                                                                                                                                        |
| 1223<br>1224<br>1225<br>1226<br>1227<br>1228<br>1229<br>1230<br>1231<br>1232<br>1233<br>1234 | [CWE-1273] | Uncleared Before Debug/Power State Transition. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1272.html">https://cwe.mitre.org/data/definitions/1272.html</a> Manna PK, Khattri H, Kanuparthi A (2020) CWE-1273: Device Unlock Credential Sharing. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1273.html">https://cwe.mitre.org/data/definitions/1273.html</a> Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1274: Improper Access Control for Volatile Memory Containing Boot Code. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1274.html">https://cwe.mitre.org/data/definitions/1274.html</a> Fern N (2020) CWE-1276: Hardware Child Block Incorrectly Connected to Parent System. (The MITRE Corporation). Submission date 2020-02-24. Available at |

| 1241<br>1242                 |            | Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1278.html">https://cwe.mitre.org/data/definitions/1278.html</a>                                                                                                                                                  |
|------------------------------|------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1243<br>1244<br>1245<br>1246 | [CWE-1279] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1279: Cryptographic Operations are run Before Supporting Units are Ready. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1279.html">https://cwe.mitre.org/data/definitions/1279.html</a> |
| 1247<br>1248<br>1249<br>1250 | [CWE-1280] | Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1280: Access Control Check Implemented After Asset is Accessed. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1280.html">https://cwe.mitre.org/data/definitions/1280.html</a>           |

[CWE-1281] Fern N (2020) CWE-1281: Sequence of Processor Instructions Leads to Unexpected Behavior. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1281.html">https://cwe.mitre.org/data/definitions/1281.html</a>

[CWE-1282] Fern N (2020) CWE-1282: Assumed-Immutable Data is Stored in Writable Memory. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1282.html">https://cwe.mitre.org/data/definitions/1282.html</a>

[CWE-1283] Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1283: Mutable Attestation or Measurement Reporting Data. (The MITRE Corporation). Submission date 2020-02-24. Available at <a href="https://cwe.mitre.org/data/definitions/1283.html">https://cwe.mitre.org/data/definitions/1283.html</a>

[CWE-1290] Kanuparthi A, Khattri H, Manna PK (2020) CWE-1290: Incorrect Decoding of Security Identifiers. (The MITRE Corporation). Submission date 2020-08-20. Available at <a href="https://cwe.mitre.org/data/definitions/1290.html">https://cwe.mitre.org/data/definitions/1290.html</a>

[CWE-1291] Manna PK, Khattri H, Kanuparthi A (2020) CWE-1291: Public Key Re-Use for Signing both Debug and Production Code. (The MITRE Corporation). Submission date 2020-08-20. Available at <a href="https://cwe.mitre.org/data/definitions/1291.html">https://cwe.mitre.org/data/definitions/1291.html</a>

[CWE-1292] Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1292: Incorrect Conversion of Security Identifiers. (The MITRE Corporation). Submission date 2020-08-20. Available at <a href="https://cwe.mitre.org/data/definitions/1292.html">https://cwe.mitre.org/data/definitions/1292.html</a>

[CWE-1294] CWE Content Team (2020) CWE-1294: Insecure Security Identifier Mechanism. (The MITRE Corporation). Submission date 2020-08-20. Available at <a href="https://cwe.mitre.org/data/definitions/1294.html">https://cwe.mitre.org/data/definitions/1294.html</a>

[CWE-1295] Manna PK, Khattri H, Kanuparthi A (2020) CWE-1295: Debug Messages Revealing Unnecessary Information. (The MITRE Corporation). Submission date 2020-08-20. Available at <a href="https://cwe.mitre.org/data/definitions/1295.html">https://cwe.mitre.org/data/definitions/1295.html</a>

[CWE-1296] Kanuparthi A, Khattri H, Manna PK (2020) CWE-1296: Incorrect Chaining or Granularity of Debug Components. (The MITRE Corporation). Submission date 2020-08-20. Available at <a href="https://cwe.mitre.org/data/definitions/1296.html">https://cwe.mitre.org/data/definitions/1296.html</a>

[CWE-1297] Kanuparthi A, Khattri H, Manna PK (2020) CWE-1297: Unprotected Confidential Information on Device is Accessible by OSAT Vendors. (The MITRE Corporation). Submission date 2020-08-20. Available at <a href="https://cwe.mitre.org/data/definitions/1297.html">https://cwe.mitre.org/data/definitions/1297.html</a>

[CWE-1298] Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1298: Hardware Logic Contains Race Conditions. (The MITRE Corporation). Submission date 2020-08-20. Available at <a href="https://cwe.mitre.org/data/definitions/1298.html">https://cwe.mitre.org/data/definitions/1298.html</a>

[CWE-1299] Kanuparthi A, Khattri H, Manna PK, Mangipudi NKV (2020) CWE-1299: Missing Protection Mechanism for Alternate Hardware Interface. (The MITRE Corporation). Submission date 2020-08-20. Available at <a href="https://cwe.mitre.org/data/definitions/1299.html">https://cwe.mitre.org/data/definitions/1299.html</a>

[CWE-1300] Fern N (2020) CWE-1300: Improper Protection of Physical Side Channels. (The MITRE Corporation). Submission date 2020-08-20. Available at <a href="https://cwe.mitre.org/data/definitions/1300.html">https://cwe.mitre.org/data/definitions/1300.html</a>

[CWE-1301] Fern N (2020) CWE-1301: Insufficient or Incomplete Data Removal within Hardware Component. (The MITRE Corporation). Submission date 2020-08-20. Available at <a href="https://cwe.mitre.org/data/definitions/1301.html">https://cwe.mitre.org/data/definitions/1301.html</a>

[CWE-1302] Kanuparthi A, Khattri H, Manna PK (2020) CWE-1302: Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC). (The MITRE Corporation). Submission date 2020-08-20. Available at <a href="https://cwe.mitre.org/data/definitions/1302.html">https://cwe.mitre.org/data/definitions/1302.html</a>

[CWE-1303] Fern N (2020) CWE-1303: Non-Transparent Sharing of Microarchitectural Resources. (The MITRE Corporation). Submission date 2020-08-20. Available at <a href="https://cwe.mitre.org/data/definitions/1303.html">https://cwe.mitre.org/data/definitions/1303.html</a>

[CWE-1304] Accellera Systems Initiative (2020) CWE-1304: Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation. (The MITRE Corporation). Submission date 2020-08-20. Available at <a href="https://cwe.mitre.org/data/definitions/1304.html">https://cwe.mitre.org/data/definitions/1304.html</a>

[CWE-1310] Mangipudi NKV (2020) CWE-1310: Missing Ability to Patch ROM Code. (The MITRE Corporation). Submission date 2020-12-10. Available at <a href="https://cwe.mitre.org/data/definitions/1310.html">https://cwe.mitre.org/data/definitions/1310.html</a>

[CWE-1311] Kanuparthi A, Khattri H, Manna PK (2020) CWE-1311: Improper Translation of Security Attributes by Fabric Bridge. (The MITRE Corporation). Submission date 2020-12-10. Available at <a href="https://cwe.mitre.org/data/definitions/1311.html">https://cwe.mitre.org/data/definitions/1311.html</a>

[CWE-1312] Kanuparthi A, Khattri H, Manna PK (2020) CWE-1312: Missing Protection for Mirrored Regions in On-Chip Fabric Firewall. (The MITRE Corporation). Submission date 2020-12-10. Available at <a href="https://cwe.mitre.org/data/definitions/1312.html">https://cwe.mitre.org/data/definitions/1312.html</a>

[CWE-1313] Sherman B (2020) CWE-1313: Hardware Allows Activation of Test or Debug Logic at Runtime. (The MITRE Corporation). Submission date 2020-12-10. Available at <a href="https://cwe.mitre.org/data/definitions/1313.html">https://cwe.mitre.org/data/definitions/1313.html</a>

[CWE-1314] Khattri H, Manna PK, Kanuparthi A (2020) CWE-1314: Missing Write Protection for Parametric Data Values. (The MITRE Corporation). Submission date 2020-12-10. Available at <a href="https://cwe.mitre.org/data/definitions/1314.html">https://cwe.mitre.org/data/definitions/1314.html</a>

[CWE-1315] Kanuparthi A, Khattri H, Manna PK (2020) CWE-1315: Improper Setting of Bus Controlling Capability in Fabric End-point. (The MITRE Corporation). Submission date 2020-12-10. Available at <a href="https://cwe.mitre.org/data/definitions/1315.html">https://cwe.mitre.org/data/definitions/1315.html</a>

[CWE-1316] Kanuparthi A, Khattri H, Manna PK (2020) CWE-1316: Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges. (The MITRE Corporation). Submission date 2020-12-10. Available at <a href="https://cwe.mitre.org/data/definitions/1316.html">https://cwe.mitre.org/data/definitions/1316.html</a>

[CWE-1317] Kanuparthi A, Khattri H, Manna PK (2020) CWE-1317: Improper Access Control in Fabric Bridge. (The MITRE Corporation). Submission date 2020-12-10. Available at <a href="https://cwe.mitre.org/data/definitions/1317.html">https://cwe.mitre.org/data/definitions/1317.html</a>

[CWE-1318] Kanuparthi A, Khattri H, Manna PK (2020) CWE-1318: Missing Support for Security Features in On-chip Fabrics or Buses. (The MITRE Corporation). Submission date 2020-12-10. Available at <a href="https://cwe.mitre.org/data/definitions/1318.html">https://cwe.mitre.org/data/definitions/1318.html</a>

[CWE-1319] Leger S, Narasipur R (2020) CWE-1319: Improper Protection against Electromagnetic Fault Injection (EM-FI). (The MITRE Corporation). Submission date 2020-12-10. Available at <a href="https://cwe.mitre.org/data/definitions/1319.html">https://cwe.mitre.org/data/definitions/1319.html</a>

[CWE-1320] Khattri H, Kanuparthi A, Manna PK (2020) CWE-1320: Improper Protection for Outbound Error Messages and Alert Signals. (The MITRE Corporation). Submission date 2020-12-10. Available at <a href="https://cwe.mitre.org/data/definitions/1320.html">https://cwe.mitre.org/data/definitions/1320.html</a>

[CWE-1323] Khattri H, Manna PK, Kanuparthi A (2020) CWE-1323: Improper Management of Sensitive Trace Data. (The MITRE Corporation). Submission date 2020-12-10. Available at <a href="https://cwe.mitre.org/data/definitions/1323.html">https://cwe.mitre.org/data/definitions/1323.html</a>

[CWE-1326] Kanuparthi A, Khattri H, Manna PK (2020) CWE-1326: Missing Immutable Root of Trust in Hardware. (The MITRE Corporation). Submission date 2020-12-10. Available at <a href="https://cwe.mitre.org/data/definitions/1326.html">https://cwe.mitre.org/data/definitions/1326.html</a>

[CWE-1328] Kanuparthi A, Khattri H, Manna PK (2020) CWE-1328: Security Version Number Mutable to Older Versions. (The MITRE Corporation). Submission date 2020-12-10. Available at <a href="https://cwe.mitre.org/data/definitions/1328.html">https://cwe.mitre.org/data/definitions/1328.html</a>

[CWE-1329] CWE Content Team (2020) CWE-1329: Reliance on Component That is Not Updateable. (The MITRE Corporation). Submission date 2020-12-10. Available at <a href="https://cwe.mitre.org/data/definitions/1329.html">https://cwe.mitre.org/data/definitions/1329.html</a>

[CWE-1330] Khattri H, Kanuparthi A, Manna PK (2020) CWE-1330: Remanent Data Readable after Memory Erase. (The MITRE Corporation). Submission date 2020-12-10. Available at <a href="https://cwe.mitre.org/data/definitions/1330.html">https://cwe.mitre.org/data/definitions/1330.html</a>

[CWE-1331] Kanuparthi A, Khattri H, Manna PK (2020) CWE-1331: Improper Isolation of Shared Resources in Network On Chip (NoC). (The MITRE Corporation). Submission date 2020-12-10. Available at <a href="https://cwe.mitre.org/data/definitions/1331.html">https://cwe.mitre.org/data/definitions/1331.html</a>

[CWE-1332] Woudenberg J (2020) CWE-1332: Improper Handling of Faults that Lead to Instruction Skips. (The MITRE Corporation). Submission date 2020-12-10. Available at <a href="https://cwe.mitre.org/data/definitions/1332.html">https://cwe.mitre.org/data/definitions/1332.html</a>

[CWE-1334] Pangburn J (2020) CWE-1334: Unauthorized Error Injection Can Degrade Hardware Redundancy. (The MITRE Corporation). Submission date 2020-12-10. Available at <a href="https://cwe.mitre.org/data/definitions/1334.html">https://cwe.mitre.org/data/definitions/1334.html</a>

[CWE-1338] Kanuparthi A, Khattri H, Manna PK (2020) CWE-1338: Improper Protections Against Hardware Overheating. (The MITRE Corporation). Submission date 2020-12-10. Available at <a href="https://cwe.mitre.org/data/definitions/1338.html">https://cwe.mitre.org/data/definitions/1338.html</a>

[CWE-1342] Nordstrom A, Althoff A (2021) CWE-1342: Information Exposure through Microarchitectural State after Transient Execution. (The MITRE Corporation). Submission date 2021-10-28. Available at <a href="https://cwe.mitre.org/data/definitions/1342.html">https://cwe.mitre.org/data/definitions/1342.html</a>

[CWE-1351] Wortman PA (2021) CWE-1351: Improper Handling of Hardware Behavior in Exceptionally Cold Environments. (The MITRE Corporation). Submission date 2021-07-20. Available at <a href="https://cwe.mitre.org/data/definitions/1351.html">https://cwe.mitre.org/data/definitions/1351.html</a>

[CWE-1357] CWE Content Team (2022) CWE-1357: Reliance on Insufficiently Trustworthy Component. (The MITRE Corporation). Submission date 2022-04-28. Available at <a href="https://cwe.mitre.org/data/definitions/1357.html">https://cwe.mitre.org/data/definitions/1357.html</a>

[CWE-1384] CWE Content Team (2022) CWE-1384: Improper Handling of Physical or Environmental Conditions. (The MITRE Corporation). Submission date 2022-04-28. Available at <a href="https://cwe.mitre.org/data/definitions/1384.html">https://cwe.mitre.org/data/definitions/1384.html</a>

[CWE-1420] Constable SD (2024) CWE-1420: Exposure of Sensitive Information during Transient Execution. (The MITRE Corporation). Submission date 2024-02-29. Available at <a href="https://cwe.mitre.org/data/definitions/1420.html">https://cwe.mitre.org/data/definitions/1420.html</a>

[CWE-1421] Constable SD (2024) CWE-1421: Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution. (The MITRE Corporation). Submission date 2024-02-29. Available at <a href="https://cwe.mitre.org/data/definitions/1421.html">https://cwe.mitre.org/data/definitions/1421.html</a>

[CWE-1422] Constable SD (2024) CWE-1422: Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution. (The MITRE Corporation). Submission date 2024-02-29. Available at <a href="https://cwe.mitre.org/data/definitions/1422.html">https://cwe.mitre.org/data/definitions/1422.html</a>

[CWE-1423] Constable SD (2024) CWE-1423: Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution. (The MITRE Corporation). Submission date 2024-02-29. Available at <a href="https://cwe.mitre.org/data/definitions/1423.html">https://cwe.mitre.org/data/definitions/1423.html</a>

#### Appendix A. List of Symbols, Abbreviations, and Acronyms

- **CPU** Central Processing Unit
- **DoS** Denial of Service
- **FSM** Finite-State Machine
- **IP** Intellectual Property
- **JTAG** Joint Test Action Group
- **MMU** Memory Management Unit
- **MPU** Memory Protection Unit
- **NoC** Network-on-Chip
- **NVM** Non-Volatile Memory
- **OS** Operating System
- **OTP** One-Time Programmable Memory
- **ROM** Read-Only Memory
- **SEU** Single-Event Upset
- **SoC** System-on-a-Chip
- **TAP** Test Access Port
- **VM** Volatile Memory

#### Appendix B. Analysis of the Complete Hardware Weakness Graph

Figure 1 in Sec. 3.2 shows the complete HW CWE graph. The root nodes are the seven HW applicable pillars under the Research Concepts view. Table 1 provides statistics on the types of CWEs in the graph.

Table 1. Statistics on the complete HW CWE graph

|          | Non-HW CWEs | HW CWEs | All CWEs |
|----------|-------------|---------|----------|
| All      | 50          | 108     | 158      |
| Pillar   | 7           | 0       | 7        |
| Class    | 25          | 6       | 31       |
| Base     | 13          | 98      | 111      |
| Variant  | 5           | 4       | 9        |
| Compound | 0           | 0       | 0        |


To construct an HW CWE graph, create a directed graph for all CWEs using the relationships provided by the Research Concepts view (<u>CWE-1000</u>). Remove all nodes that are unreachable from any of the seven HW applicable pillars as well as all nodes without at least one HW CWE as a descendant, unless they themselves are HW CWEs. Add in any edges from the Hardware Design view (<u>CWE-1194</u>) that are not already in the graph.
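The construction above is mechanical enough to script. The following is an added illustration written for this page, not NIST's or MITRE's own tooling: it applies the three steps (reachability from the HW-applicable pillars, pruning of nodes with no HW CWE below them, overlay of View-1194 edges) to a small constructed excerpt of the two views, and then flattens the result into the strict tree used in Appendices C and D, duplicating a node under each of its parents. Two assumptions are made explicit in the code: only View-1194 edges whose endpoints both survived pruning are added (the View-1194 category nodes are an overlay on Fig. 1, not graph nodes), and the sample treats only CWE-284 as an HW-applicable pillar so that a software-only branch under CWE-707 exercises the unreachability rule.

```python
"""Construct the pruned hardware (HW) CWE graph described in Appendix B and
list it as a strict tree in the style of Appendix C.

Added illustration, not NIST's or MITRE's tooling. Edges are (parent, child)
pairs. The relationship lists below are a small constructed excerpt of the
CWE views; the sample treats only CWE-284 as an HW-applicable pillar (the
report uses seven), so the CWE-707 branch must be pruned as unreachable.
"""
from collections import defaultdict


def build_hw_graph(view1000_edges, view1194_edges, hw_pillars, hw_cwes):
    """Return (nodes, edges, overlay) of the HW CWE graph.

    1. Start from the View-1000 (Research Concepts) parent->child digraph.
    2. Keep only nodes reachable from an HW-applicable pillar.
    3. Of those, keep nodes that are HW CWEs or have an HW CWE descendant.
    4. Add View-1194 (Hardware Design) edges not already present; `overlay`
       is the set of edges this step contributed. Assumption: only edges
       whose endpoints both survived steps 2-3 are added.
    """
    children = defaultdict(set)
    for parent, child in view1000_edges:
        children[parent].add(child)

    reachable = set()                      # step 2: iterative DFS
    stack = list(hw_pillars)
    while stack:
        node = stack.pop()
        if node not in reachable:
            reachable.add(node)
            stack.extend(children[node])

    memo = {}                              # step 3: memoised descendant check

    def has_hw_descendant(node):
        if node not in memo:
            memo[node] = False             # placeholder breaks cycles in bad data
            memo[node] = any(c in hw_cwes or has_hw_descendant(c)
                             for c in children[node])
        return memo[node]

    nodes = {n for n in reachable if n in hw_cwes or has_hw_descendant(n)}
    edges = {(p, c) for p, c in view1000_edges if p in nodes and c in nodes}
    overlay = {(p, c) for p, c in view1194_edges            # step 4
               if p in nodes and c in nodes and (p, c) not in edges}
    return nodes, edges | overlay, overlay


def render_tree(root, edges, hw_cwes, abstraction):
    """Flatten the graph into the strict tree used in Appendices C and D.

    A node with several parents is listed once under each of them, which is
    why some CWEs are duplicated there; HW CWEs are starred.
    """
    children = defaultdict(set)
    for parent, child in edges:
        children[parent].add(child)
    lines = []

    def walk(node, depth):
        star = " *" if node in hw_cwes else ""
        lines.append(f"{'  ' * depth}- {node} {abstraction[node]}{star}")
        for child in sorted(children[node]):
            walk(child, depth + 1)

    walk(root, 0)
    return lines


# Constructed excerpt of View-1000 relationships. The CWE-284 subtree follows
# Appendix C; CWE-639 and the CWE-707 branch are software-only nodes included
# to exercise the two pruning rules.
VIEW_1000 = [
    ("CWE-284", "CWE-285"), ("CWE-285", "CWE-1297"),
    ("CWE-285", "CWE-732"), ("CWE-732", "CWE-276"),
    ("CWE-285", "CWE-863"), ("CWE-863", "CWE-1244"), ("CWE-863", "CWE-639"),
    ("CWE-284", "CWE-287"), ("CWE-287", "CWE-306"), ("CWE-306", "CWE-288"),
    ("CWE-288", "CWE-1299"),
    ("CWE-284", "CWE-923"), ("CWE-923", "CWE-420"), ("CWE-420", "CWE-1299"),
    ("CWE-284", "CWE-1294"), ("CWE-284", "CWE-1259"), ("CWE-284", "CWE-1290"),
    ("CWE-707", "CWE-74"), ("CWE-74", "CWE-79"),
]
# Constructed excerpt of View-1194; the last edge already exists in View-1000.
VIEW_1194 = [("CWE-1294", "CWE-1259"), ("CWE-1294", "CWE-1290"),
             ("CWE-284", "CWE-1294")]
HW_CWES = {"CWE-1297", "CWE-276", "CWE-1244", "CWE-1299",
           "CWE-1294", "CWE-1259", "CWE-1290"}
ABSTRACTION = {"CWE-284": "P", "CWE-285": "C", "CWE-1297": "B", "CWE-732": "C",
               "CWE-276": "B", "CWE-863": "C", "CWE-1244": "B", "CWE-639": "B",
               "CWE-287": "C", "CWE-306": "B", "CWE-288": "B", "CWE-1299": "B",
               "CWE-923": "C", "CWE-420": "B", "CWE-1294": "C", "CWE-1259": "B",
               "CWE-1290": "B", "CWE-707": "P", "CWE-74": "C", "CWE-79": "B"}


def sample_analysis():
    nodes, edges, overlay = build_hw_graph(VIEW_1000, VIEW_1194,
                                           {"CWE-284"}, HW_CWES)
    # The tree listing follows View-1000 parentage only, as Appendix C does.
    tree = render_tree("CWE-284", edges - overlay, HW_CWES, ABSTRACTION)
    return nodes, edges, overlay, tree


if __name__ == "__main__":
    nodes, edges, overlay, tree = sample_analysis()
    print(f"{len(nodes)} nodes, {len(edges)} edges, {len(overlay)} from View-1194")
    print("\n".join(tree))
```

On the sample, CWE-639 is dropped because nothing below it is an HW CWE, the whole CWE-707 branch is dropped as unreachable from the chosen pillar, the two View-1194-only edges under CWE-1294 are added, and CWE-1299 is printed twice in the tree, once under CWE-288 and once under CWE-420, exactly as it appears in Appendix C.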

### B.1. Hardware Design Category Overlay

In Fig. 1, nodes with more than one outline belong to more than one HW design category. There are four CWEs that belong to three categories: CWE-1248 to CWE-1195, CWE-1206, and CWE-1388; and CWEs-1421, 1422, and 1423 to CWE-1198, CWE-1201, and CWE-1202. There are 12 CWEs that belong to two categories: CWE-1247, CWE-1255, and CWE-1332 to CWE-1206 and CWE-1388; CWE-1300 and CWE-1351 to CWE-1205 and CWE-1388; CWE-1059 to CWE-1195 and CWE-1208; CWE-1232 to CWE-1199 and CWE-1206; CWE-1234 to CWE-1199 and CWE-1207; CWE-1261 to CWE-1199 and CWE-1388; CWE-1314 to CWE-1198 and CWE-1206; and CWE-1342 and CWE-1420 to CWE-1201 and CWE-1202.

Table 2. Mapping of HW CWEs to HW Categories

| CWE\Category | CWE-1195 | CWE-1198 | CWE-1199 | CWE-1201 | CWE-1202 | CWE-1205 | CWE-1206 | CWE-1207 | CWE-1208 | CWE-1388 |
|--------------|----------|----------|----------|----------|----------|----------|----------|----------|----------|----------|
| CWE-1248     | ✓        |          |          |          |          |          | ✓        |          |          | ✓        |
| CWE-1247     |          |          |          |          |          |          | ✓        |          |          | ✓        |
| CWE-1255     |          |          |          |          |          |          | ✓        |          |          | ✓        |
| CWE-1332     |          |          |          |          |          |          | ✓        |          |          | ✓        |
| CWE-1300     |          |          |          |          |          | ✓        |          |          |          | ✓        |
| CWE-1351     |          |          |          |          |          | ✓        |          |          |          | ✓        |
| CWE-1059     | ✓        |          |          |          |          |          |          |          | ✓        |          |
| CWE-1232     |          |          | ✓        |          |          |          | ✓        |          |          |          |
| CWE-1234     |          |          | ✓        |          |          |          |          | ✓        |          |          |
| CWE-1261     |          |          | ✓        |          |          |          |          |          |          | ✓        |
| CWE-1314     |          | ✓        |          |          |          |          | ✓        |          |          |          |
| CWE-1342     |          |          |          | ✓        | ✓        |          |          |          |          |          |
| CWE-1420     |          |          |          | ✓        | ✓        |          |          |          |          |          |
| CWE-1421     |          | ✓        |          | ✓        | ✓        |          |          |          |          |          |
| CWE-1422     |          | ✓        |          | ✓        | ✓        |          |          |          |          |          |
| CWE-1423     |          | ✓        |          | ✓        | ✓        |          |          |          |          |          |

### B.2. Comparison of View-1000 and View-1194 Relationships

There are seven relationships that belong to both View-1000 and View-1194, depicted on the digraph with gradient black-to-red edges (arrows): CWE-226→CWE-1342, CWE-226→CWE-1239, CWE-1301→CWE-1330, CWE-203→CWE-1300, CWE-1420→CWE-1421, CWE-1420→CWE-1422, and CWE-1420→CWE-1423. Four other relationships belong only to View-1194 and are depicted with red edges (arrows): CWE-1294→CWE-1259, CWE-1294→CWE-1270, CWE-1294→CWE-1290, and CWE-1294→CWE-1292. The rest of the relations belong only to View-1000 and are depicted in black.

The following parent-child relations are only present in View-1000, but both of their nodes pertain to View-1194 as well: CWE-1220→CWE-1222; CWE-1263→CWE-1243; CWE-1294→CWE-1302; CWE-1384→CWEs-1247, 1261, 1332, and 1351; CWE-226→CWEs-1272 and 1301; CWE-203→CWE-1303; CWE-1300→CWE-1255; CWE-1357→CWE-1329; CWE-1329→CWEs-1277 and 1310; and CWE-1059→CWEs-1053, 1110, 1111, 1112, and 1118.

CWE-208 is only used in View-1194 as an intermediary, but both its parent and child pertain to View-1194: CWE-20→CWE-208→CWE-1254.

#### Appendix C. Weakness Hierarchy — Improper Access Control

The CWEs for this pillar are listed in a strict hierarchical tree structure to allow for easy perusal of all relevant CWEs. Some CWEs are duplicated because they appear under multiple classes within the same pillar. The full graph view in Fig. 1 shows the complex relationships between many of the HW CWEs.

Each CWE is labelled with its abstraction type — Pillar: P, Class: C, Base: B, or Variant: V. Those marked with \* are HW CWEs.

CWE-284 P Improper Access Control

Figure 27 shows the relationship of CWEs to each other and various attributes of the CWEs (e.g., hardware category and CWE abstraction).


Fig. 27. HW CWE Category Graph: Improper Access Control

- CWE-1191 B On-Chip Debug and Test Interface With Improper Access Control \*
- CWE-1220 B Insufficient Granularity of Access Control \*
  - CWE-1222 V Insufficient Granularity of Address Regions Protected by Register Locks \*
- CWE-1224 B Improper Restriction of Write-Once Bit Fields \*
- CWE-1231 B Improper Prevention of Lock Bit Modification \*
- CWE-1233 B Security-Sensitive Hardware Controls with Missing Lock Bit Protection \*
- CWE-1242 B Inclusion of Undocumented Features or Chicken Bits \*

- CWE-1252 B CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations \*
- CWE-1257 B Improper Access Control Applied to Mirrored or Aliased Memory Regions \*
- CWE-1259 B Improper Restriction of Security Token Assignment \*
- CWE-1260 B Improper Handling of Overlap Between Protected Memory Ranges \*
- CWE-1262 B Improper Access Control for Register Interface \*
- CWE-1263 C Improper Physical Access Control \*
  - CWE-1243 B Sensitive Non-Volatile Information Not Protected During Debug \*
- CWE-1267 B Policy Uses Obsolete Encoding \*
- CWE-1268 B Policy Privileges are not Assigned Consistently Between Control and Data Agents \*
- CWE-1270 B Generation of Incorrect Security Tokens \*
- CWE-1274 B Improper Access Control for Volatile Memory Containing Boot Code \*
- CWE-1276 B Hardware Child Block Incorrectly Connected to Parent System \*
- CWE-1280 B Access Control Check Implemented After Asset is Accessed \*
- CWE-1283 B Mutable Attestation or Measurement Reporting Data \*
- CWE-1290 B Incorrect Decoding of Security Identifiers \*
- CWE-1292 B Incorrect Conversion of Security Identifiers \*
- CWE-1294 C Insecure Security Identifier Mechanism \*
  - CWE-1302 B Missing Security Identifier \*
- CWE-1296 B Incorrect Chaining or Granularity of Debug Components \*
- CWE-1304 B Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation \*
- CWE-1311 B Improper Translation of Security Attributes by Fabric Bridge \*
- CWE-1312 B Missing Protection for Mirrored Regions in On-Chip Fabric Firewall \*
- CWE-1313 B Hardware Allows Activation of Test or Debug Logic at Runtime \*
- CWE-1315 B Improper Setting of Bus Controlling Capability in Fabric End-point \*
- CWE-1316 B Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges \*
- CWE-1317 B Improper Access Control in Fabric Bridge \*
- CWE-1320 B Improper Protection for Outbound Error Messages and Alert Signals \*
- CWE-1323 B Improper Management of Sensitive Trace Data \*
- CWE-1334 B Unauthorized Error Injection Can Degrade Hardware Redundancy \*
- CWE-285 C Improper Authorization
  - CWE-1256 B Improper Restriction of Software Interfaces to Hardware Features
  - CWE-1297 B Unprotected Confidential Information on Device is Accessible by OSAT Vendors \*
  - CWE-1328 B Security Version Number Mutable to Older Versions \*
  - CWE-732 C Incorrect Permission Assignment for Critical Resource
    - CWE-276 B Incorrect Default Permissions \*
  - CWE-862 C Missing Authorization
    - CWE-1314 B Missing Write Protection for Parametric Data Values \*
  - CWE-863 C Incorrect Authorization
    - CWE-1244 B Internal Asset Exposed to Unsafe Debug Access Level or State \*
- CWE-287 C Improper Authentication
  - CWE-306 B Missing Authentication for Critical Function
    - CWE-288 B Authentication Bypass Using an Alternate Path or Channel
      - CWE-1299 B Missing Protection Mechanism for Alternate Hardware Interface \*
- CWE-923 C Improper Restriction of Communication Channel to Intended Endpoints
  - CWE-420 B Unprotected Alternate Channel
    - CWE-1299 B Missing Protection Mechanism for Alternate Hardware Interface \*

# Appendix D. Weakness Hierarchy — Improper Adherence to Coding Standards

The CWEs for this pillar are listed in a strict hierarchical tree structure to allow for easy perusal of all relevant CWEs. Some CWEs are duplicated because they appear under multiple classes within the same pillar. The full graph view in Fig. 1 shows the complex relationships between many of the HW CWEs.

Each CWE is labelled with its abstraction type — Pillar: P, Class: C, Base: B, or Variant: V. Those marked with * are HW CWEs.

CWE-710 P Improper Adherence to Coding Standards

- CWE-1059 C Insufficient Technical Documentation *
  - CWE-1053 B Missing Documentation for Design *
- CWE-1209 B Failure to Disable Reserved Bits *
- CWE-1357 C Reliance on Insufficiently Trustworthy Component *
  - CWE-1329 B Reliance on Component That is Not Updateable *
    - CWE-1277 B Firmware Not Updateable *
    - CWE-1310 B Missing Ability to Patch ROM Code *
- CWE-573 C Improper Following of Specification by Caller
  - CWE-325 B Missing Cryptographic Step *
- CWE-657 C Violation of Secure Design Principles
  - CWE-1192 B System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers *
  - CWE-653 B Improper Isolation or Compartmentalization
    - CWE-1189 B Improper Isolation of Shared Resources on System-on-a-Chip (SoC) *
      - CWE-1303 B Non-Transparent Sharing of Microarchitectural Resources *
    - CWE-1331 B Improper Isolation of Shared Resources in Network On Chip (NoC) *
- CWE-684 C Incorrect Provision of Specified Functionality
  - CWE-1245 B Improper Finite State Machines (FSMs) in Hardware Logic *
  - CWE-440 B Expected Behavior Violation *

# Appendix E. Weakness Hierarchy — Improper Check or Handling of Exceptional Conditions

The CWEs for this pillar are listed in a strict hierarchical tree structure to allow for easy perusal of all relevant CWEs. Some CWEs are duplicated because they appear under multiple classes within the same pillar. The full graph view in Fig. 1 shows the complex relationships between many of the HW CWEs.

Each CWE is labelled with its abstraction type — Pillar: P, Class: C, Base: B, or Variant: V. Those marked with * are HW CWEs.

CWE-703 P Improper Check or Handling of Exceptional Conditions

- CWE-1384 C Improper Handling of Physical or Environmental Conditions *
  - CWE-1247 B Improper Protection Against Voltage and Clock Glitches *
  - CWE-1261 B Improper Handling of Single Event Upsets *
  - CWE-1332 B Improper Handling of Faults that Lead to Instruction Skips *
  - CWE-1351 B Improper Handling of Hardware Behavior in Exceptionally Cold Environments *

# Appendix F. Weakness Hierarchy — Improper Control of a Resource Through its Lifetime

The CWEs for this pillar are listed in a strict hierarchical tree structure to allow for easy perusal of all relevant CWEs. Some CWEs are duplicated because they appear under multiple classes within the same pillar. The full graph view in Fig. 1 shows the complex relationships between many of the HW CWEs.

Each CWE is labelled with its abstraction type — Pillar: P, Class: C, Base: B, or Variant: V. Those marked with * are HW CWEs.

CWE-664 P Improper Control of a Resource Through its Lifetime

- CWE-1250 B Improper Preservation of Consistency Between Independent Representations of Shared State *
  - CWE-1251 B Mirrored Regions with Different Values *
- CWE-1329 B Reliance on Component That is Not Updateable *
  - CWE-1277 B Firmware Not Updateable *
  - CWE-1310 B Missing Ability to Patch ROM Code *
- CWE-400 C Uncontrolled Resource Consumption
  - CWE-1246 B Improper Write Handling in Limited-write Non-Volatile Memories *
- CWE-404 C Improper Resource Shutdown or Release
  - CWE-1266 B Improper Scrubbing of Sensitive Data from Decommissioned Device *
  - CWE-459 B Incomplete Cleanup
    - CWE-226 B Sensitive Information in Resource Not Removed Before Reuse
      - CWE-1239 V Improper Zeroization of Hardware Register *
      - CWE-1272 B Sensitive Information Uncleared Before Debug/Power State Transition *
      - CWE-1301 B Insufficient or Incomplete Data Removal within Hardware Component *
        - CWE-1330 V Remanent Data Readable after Memory Erase
      - CWE-1342 B Information Exposure through Microarchitectural State after Transient Execution *
- CWE-610 C Externally Controlled Reference to a Resource in Another Sphere
  - CWE-441 C Unintended Proxy or Intermediary ('Confused Deputy') *
- CWE-662 C Improper Synchronization
  - CWE-667 C Improper Locking
    - CWE-1232 B Improper Lock Behavior After Power State Transition *
    - CWE-1233 B Security-Sensitive Hardware Controls with Missing Lock Bit Protection *
    - CWE-1234 B Hardware Internal or Debug Modes Allow Override of Locks
  - CWE-821 B Incorrect Synchronization
    - CWE-1264 B Hardware Logic with Insecure De-Synchronization between Control and Data Channels *
- CWE-665 C Improper Initialization
  - CWE-1279 B Cryptographic Operations are run Before Supporting Units are Ready *
  - CWE-1419 C Incorrect Initialization of Resource
    - CWE-1221 B Incorrect Register Defaults or Module Parameters *
  - CWE-909 C Missing Initialization of Resource
    - CWE-1271 B Uninitialized Value on Reset for Registers Holding Security Settings *
- CWE-668 C Exposure of Resource to Wrong Sphere
  - CWE-1189 B Improper Isolation of Shared Resources on System-on-a-Chip (SoC) *
    - CWE-1303 B Non-Transparent Sharing of Microarchitectural Resources *
  - CWE-1282 B Assumed-Immutable Data is Stored in Writable Memory *
  - CWE-1331 B Improper Isolation of Shared Resources in Network On Chip (NoC) *
  - CWE-200 C Exposure of Sensitive Information to an Unauthorized Actor
    - CWE-1258 B Exposure of Sensitive System Information Due to Uncleared Debug Information *
    - CWE-1273 B Device Unlock Credential Sharing *
    - CWE-1295 B Debug Messages Revealing Unnecessary Information *
    - CWE-203 B Observable Discrepancy *
      - CWE-1300 B Improper Protection of Physical Side Channels *
        - CWE-1255 V Comparison Logic is Vulnerable to Power Side-Channel Attacks *
      - CWE-1303 B Non-Transparent Sharing of Microarchitectural Resources *
      - CWE-208 B Observable Timing Discrepancy
        - CWE-1254 B Incorrect Comparison Logic Granularity *
  - CWE-732 C Incorrect Permission Assignment for Critical Resource
    - CWE-276 B Incorrect Default Permissions *
- CWE-669 C Incorrect Resource Transfer Between Spheres
  - CWE-212 B Improper Removal of Sensitive Information Before Storage or Transfer
    - CWE-1258 B Exposure of Sensitive System Information Due to Uncleared Debug Information *
  - CWE-226 B Sensitive Information in Resource Not Removed Before Reuse
    - CWE-1239 V Improper Zeroization of Hardware Register *
    - CWE-1272 B Sensitive Information Uncleared Before Debug/Power State Transition *
    - CWE-1301 B Insufficient or Incomplete Data Removal within Hardware Component *
      - CWE-1330 V Remanent Data Readable after Memory Erase
    - CWE-1342 B Information Exposure through Microarchitectural State after Transient Execution *

# Appendix G. Weakness Hierarchy — Incorrect Comparison

The CWEs for this pillar are listed in a strict hierarchical tree structure to allow for easy perusal of all relevant CWEs. Some CWEs are duplicated because they appear under multiple classes within the same pillar. The full graph view in Fig. 1 shows the complex relationships between many of the HW CWEs.

Each CWE is labelled with its abstraction type — Pillar: P, Class: C, Base: B, or Variant: V. Those marked with * are HW CWEs.

CWE-697 P Incorrect Comparison

- CWE-1254 B Incorrect Comparison Logic Granularity *

# Appendix H. Weakness Hierarchy — Insufficient Control Flow Management

The CWEs for this pillar are listed in a strict hierarchical tree structure to allow for easy perusal of all relevant CWEs. Some CWEs are duplicated because they appear under multiple classes within the same pillar. The full graph view in Fig. 1 shows the complex relationships between many of the HW CWEs.

Each CWE is labelled with its abstraction type — Pillar: P, Class: C, Base: B, or Variant: V. Those marked with * are HW CWEs.

CWE-691 P Insufficient Control Flow Management

- CWE-1279 B Cryptographic Operations are run Before Supporting Units are Ready *
- CWE-1281 B Sequence of Processor Instructions Leads to Unexpected Behavior *
- CWE-362 C Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
  - CWE-1223 B Race Condition for Write-Once Attributes *
  - CWE-1298 B Hardware Logic Contains Race Conditions *
- CWE-662 C Improper Synchronization
  - CWE-667 C Improper Locking
| 1702                         | <ul> <li>CWE-1232 B Improper Lock Behavior After Power State Transition *</li> </ul>                                                                                                                                                                                                                               |
| 1703<br>1704                 | <ul> <li>CWE-1233 B Security-Sensitive Hardware Controls with Missing Lock Bit<br/>Protection *</li> </ul>                                                                                                                                                                                                         |
| 1705<br>1706                 | <ul> <li>CWE-1234 B Hardware Internal or Debug Modes Allow Override of Locks</li> <li>*</li> </ul>                                                                                                                                                                                                                 |
| 1707                         | <ul> <li>CWE-821 B Incorrect Synchronization</li> </ul>                                                                                                                                                                                                                                                            |
| 1708<br>1709                 | <ul> <li>CWE-1264 B Hardware Logic with Insecure De-Synchronization between<br/>Control and Data Channels *</li> </ul>                                                                                                                                                                                             |
| 1710                         | CWE-696 C Incorrect Behavior Order                                                                                                                                                                                                                                                                                 |
| 1711                         | <ul> <li>CWE-1190 B DMA Device Enabled Too Early in Boot Phase *</li> </ul>                                                                                                                                                                                                                                        |
| 1712<br>1713                 | <ul> <li>CWE-1193 B Power-On of Untrusted Execution Core Before Enabling Fabric<br/>Access Control *</li> </ul>                                                                                                                                                                                                    |
| 1714                         | <ul> <li>CWE-1280 B Access Control Check Implemented After Asset is Accessed *</li> </ul>                                                                                                                                                                                                                          |
| 1715                         |                                                                                                                                                                                                                                                                                                                    |


# Appendix I. Weakness Hierarchy — Protection Mechanism Failure

The CWEs for this pillar are listed in a strict hierarchical tree structure to allow for easy perusal of all relevant CWEs. Some CWEs are duplicated because they appear under multiple classes within the same pillar. The full graph view in Fig. 1 shows the complex relationships between many of the HW CWEs.

Each CWE is labelled with its abstraction type — Pillar: P, Class: C, Base: B, or Variant: V. Those marked with * are HW CWEs.

- CWE-693 P Protection Mechanism Failure
  - CWE-1248 B Semiconductor Defects in Hardware Logic with Security-Sensitive Implications *
  - CWE-1253 B Incorrect Selection of Fuse Values *
  - CWE-1269 B Product Released in Non-Release Configuration *
  - CWE-1278 B Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques *
  - CWE-1291 B Public Key Re-Use for Signing both Debug and Production Code *
  - CWE-1318 B Missing Support for Security Features in On-chip Fabrics or Buses *
  - CWE-1319 B Improper Protection against Electromagnetic Fault Injection (EM-FI) *
  - CWE-1326 B Missing Immutable Root of Trust in Hardware *
  - CWE-1338 B Improper Protections Against Hardware Overheating *
  - CWE-311 C Missing Encryption of Sensitive Data
    - CWE-319 B Cleartext Transmission of Sensitive Information *
  - CWE-327 C Use of a Broken or Risky Cryptographic Algorithm
    - CWE-1240 B Use of a Cryptographic Primitive with a Risky Implementation *
  - CWE-330 C Use of Insufficiently Random Values
    - CWE-1241 B Use of Predictable Algorithm in Random Number Generator *
  - CWE-653 B Improper Isolation or Compartmentalization
    - CWE-1189 B Improper Isolation of Shared Resources on System-on-a-Chip (SoC) *
    - CWE-1303 B Non-Transparent Sharing of Microarchitectural Resources *
    - CWE-1331 B Improper Isolation of Shared Resources in Network On Chip (NoC) *