CAPEC-702 Metadata
Likelihood of Attack
Low
Typical Severity
Medium
Overview
Summary
An adversary exploits incorrect chaining or granularity of hardware debug components in order to gain unauthorized access to debug functionality on a chip. The weakness arises when authorization is checked once for a whole chain or group of debug components rather than for each component individually, so that access granted to one component (for example, the entry-point TAP a debugger first unlocks) is silently inherited by every other component chained behind it.
Prerequisites
Hardware device has an exposed debug interface
Execution Flow
Step | Phase | Description
---|---|---
1 | Explore | [Find and scan debug interface] The adversary first locates and scans a debug interface (typically a JTAG header or test points) to determine what they are authorized to use and which devices are chained to that interface. On a JTAG chain this is done by resetting the TAPs and shifting out the IDCODE of every device on the chain.
2 | Experiment | [Connect to debug interface] The adversary then connects a debug adapter to the JTAG interface using the properties found in the Explore phase (chain length, instruction register lengths, signalling) so that they can send commands, and issues a few test commands to confirm the connection works.
3 | Exploit | [Move along debug chain] Once connected to the main TAP (Test Access Port) on the JTAG interface, the adversary walks the TAP chain, placing the other devices in BYPASS and addressing each TAP in turn, to see which further debug components on the chain become accessible without any additional authorization check.
Potential Solutions / Mitigations
Implement: Ensure that debug components are properly chained and that their granularity is maintained at distinct authorization levels, so that unlocking one component on a chain does not imply access to the others.
Perform post-silicon validation tests at each authorization level to confirm that every debug component is accessible only to the users authorized for that specific component.
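As an added illustration of the execution flow above and of the per-component granularity the mitigation calls for (this is example code, not CAPEC's material or any vendor's tool), the following Python parses a constructed IDCODE shift-out to enumerate the TAPs on a scan chain (Explore), then compares a chain-level authorization check with a per-TAP one (Exploit versus the mitigated design). The IDCODE field layout and the rule that each TAP shifts out IDCODE or a single BYPASS bit after Test-Logic-Reset follow IEEE 1149.1; the chain contents, part numbers, privilege levels and the two policy functions are assumptions made for the example.

```python
"""Enumerate a JTAG scan chain and compare chain-level with per-TAP debug
authorization.

Added illustrative example, not CAPEC's material or any vendor's tooling.
Real: the IEEE 1149.1 IDCODE field layout and the rule that, after
Test-Logic-Reset, each TAP shifts out IDCODE (bit 0 = 1) or a BYPASS bit (0).
Constructed: the chain contents, part numbers, privilege levels and the two
policy functions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Tap:
    """One device on the chain; position 0 is the device nearest TDO."""
    position: int
    idcode: Optional[int]  # None for a device that answered with BYPASS

    @property
    def manufacturer(self) -> Optional[int]:
        return None if self.idcode is None else (self.idcode >> 1) & 0x7FF

    @property
    def part_number(self) -> Optional[int]:
        return None if self.idcode is None else (self.idcode >> 12) & 0xFFFF


def enumerate_chain(tdo_bits: List[int], max_devices: int = 64) -> List[Tap]:
    """Parse bits captured from TDO after Test-Logic-Reset, first captured first.

    IDCODE shifts LSB first and its bit 0 is always 1; BYPASS shifts a lone 0.
    So each device contributes either '1' + 31 more bits or a single '0'.
    A 32-bit word of all ones is not a valid IDCODE and marks the end of the
    chain (TDO reads back the 1s driven on TDI once the chain is empty).
    """
    taps: List[Tap] = []
    i = 0
    while i < len(tdo_bits) and len(taps) < max_devices:
        if tdo_bits[i] == 0:                       # BYPASS register: one bit
            taps.append(Tap(len(taps), None))
            i += 1
            continue
        word = tdo_bits[i:i + 32]
        if len(word) < 32 or all(word):            # truncated capture or end of chain
            break
        idcode = sum(bit << k for k, bit in enumerate(word))
        taps.append(Tap(len(taps), idcode))
        i += 32
    return taps


def make_idcode(version: int, part: int, manufacturer: int) -> int:
    """Pack an IDCODE: version[31:28] part[27:12] manufacturer[11:1] 1[0]."""
    return (version << 28) | (part << 12) | (manufacturer << 1) | 1


def lsb_first(value: int, width: int) -> List[int]:
    return [(value >> k) & 1 for k in range(width)]


# Constructed SoC chain, listed in the order it shifts out (nearest TDO first):
# main TAP (the debugger's entry point), CPU debug TAP, a BYPASS-only part,
# and a secure-element TAP. Manufacturer code 0x049 is arbitrary here.
MAIN_TAP = make_idcode(0x1, 0x0A10, 0x049)
CPU_TAP = make_idcode(0x2, 0x0BA0, 0x049)
SEC_TAP = make_idcode(0x1, 0x0C00, 0x049)
CAPTURE = (lsb_first(MAIN_TAP, 32) + lsb_first(CPU_TAP, 32) + [0]
           + lsb_first(SEC_TAP, 32) + [1] * 32)

# Constructed policy: the privilege a debugger must prove (e.g. by a
# challenge-response unlock) before a component honours private instructions.
REQUIRED_LEVEL = {0x0A10: 1, 0x0BA0: 2, 0x0C00: 3}   # 1 basic, 2 OEM, 3 manufacturer


def required_level(tap: Tap) -> int:
    return REQUIRED_LEVEL.get(tap.part_number, 0)  # BYPASS parts expose nothing


def reachable_chain_level(chain: List[Tap], level: int) -> List[int]:
    """Vulnerable shape (CWE-1296): one check against the entry TAP, then the
    grant is assumed for every component chained behind it."""
    if not chain or level < required_level(chain[0]):
        return []
    return [t.part_number for t in chain if t.idcode is not None]


def reachable_per_tap(chain: List[Tap], level: int) -> List[int]:
    """Corrected: every component enforces its own requirement."""
    return [t.part_number for t in chain
            if t.idcode is not None and level >= required_level(t)]


if __name__ == "__main__":
    chain = enumerate_chain(CAPTURE)
    for tap in chain:
        code = "BYPASS" if tap.idcode is None else hex(tap.idcode)
        print(f"TAP {tap.position}: idcode={code} part={tap.part_number}"
              f" requires level {required_level(tap)}")
    for level in range(4):
        print(f"level {level}: chain-level {[hex(p) for p in reachable_chain_level(chain, level)]}"
              f" per-TAP {[hex(p) for p in reachable_per_tap(chain, level)]}")
```

With the chain-level policy a debugger holding only the basic unlock (level 1) for the main TAP reaches the secure-element TAP as well; with per-TAP enforcement it reaches the main TAP only, which is the property the post-silicon tests at each authorization level should confirm.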
Related Weaknesses (CWE)
CWE ID | Description |
---|---|
CWE-1296 | Incorrect Chaining or Granularity of Debug Components |
Related CAPECs
CAPEC ID | Description |
---|---|
CAPEC-180 | An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against, thereby obtaining unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However, configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack. |