

# Hardware CWE™ Special Interest Group (SIG)

Gananand Kini, Bob Heinemann, Luke Malinowski,  
Gage Hackford, Chris Lathrop, Steve Christey Coley,  
Alec Summers

MITRE

June 9, 2023

# Agenda

REMINDER: This meeting is being recorded.

- Housekeeping and Announcements
- Working Items for this meeting:

|   |                                          |         |        |
|---|------------------------------------------|---------|--------|
| 1 | D3FEND and Hardware Coverage             | Peter K | 20 min |
| 2 | CVE QWG Hardware and Software Tagging    | Jason F | 20 min |
| 3 | HW CWE DEMOX's from Student Competitions |         |        |
| 4 | Becoming a CNA (if time permits)         | Alec S  | 10 min |

# Housekeeping

---

- **Schedule:**
  - **Next Meeting:**
    - **Scheduled for July 14**
    - **12:30 – 1:30 PM EST (16:30 – 17:30 UTC)**
    - Microsoft Teams
- **Contact: [cwe@mitre.org](mailto:cwe@mitre.org)**
- **Mailing List: [hw-cwe-special-interest-group-sig-list@mitre.org](mailto:hw-cwe-special-interest-group-sig-list@mitre.org)**
- **Minutes from previous meetings available on our GitHub site:**
  - [\*\*https://github.com/CWE-CAPEC/hw-cwe-sig\*\*](https://github.com/CWE-CAPEC/hw-cwe-sig)

# Announcements

- **Top 25 Release June 13**
- **CWE/CAPEC Board Meeting Occurred on June 2**
- **Tentative: CISA strategy around Secure By Design/Secure By Default for July SIG**

# D3FEND and Hardware Coverage

## Peter K



CWE and CAPEC are sponsored by [U.S. Department of Homeland Security](#) (DHS) [Cybersecurity and Infrastructure Security Agency](#) (CISA). Copyright © 1999–2023, [The MITRE Corporation](#). CWE, CAPEC, the CWE logo, and the CAPEC logo are trademarks of The MITRE Corporation.

# D3FEND

*A knowledge graph of cybersecurity countermeasures*

**Peter Kaloroumakis**

Principal, D3FEND Lead

[pk@mitre.org](mailto:pk@mitre.org)



DEFEND™



MITRE

Network & Infrastructure Security



Web Security



point Security



Application Security



MSSP



Risk & Compliance



Identity & Access Management



Data Security



## Mobile Security



Digital Risk Management



ain



**Security Consulting & Services**



Fraud & Transaction Security



## Cloud Security





## **Build and Operate a Trusted DoDIM**

| ORGANIZE                                     |                                                                   |                                           |                                                          |                         |                                |                                                                    |                                 |                                  |
|----------------------------------------------|-------------------------------------------------------------------|-------------------------------------------|----------------------------------------------------------|-------------------------|--------------------------------|--------------------------------------------------------------------|---------------------------------|----------------------------------|
| Lead and Govern                              |                                                                   |                                           |                                                          |                         |                                |                                                                    |                                 |                                  |
| Interim National Security Strategic Guidance | United States Intelligence Community Information Sharing Strategy | 2019 National Intelligence Strategy       | U.S. Int'l Strategy for Cyberspace                       | National Cyber Strategy | National Strategy to Secure 5G | NIST Framework for Improving Critical Infrastructure Cybersecurity | National Defense Strategy (NDS) | National Military Strategy (NMS) |
| 2018 DoD Cyber Strategy                      | DoD Digital Modernization Strategy                                | DoD Cybersecurity Risk Reduction Strategy | Summary of the 2018 DoD Artificial Intelligence Strategy | DoD Cloud Strategy      | DoD Data Strategy              | DoD Identity, Credential, and Access Management (ICAM) Strategy    | DoD 5G Strategy                 | DoD Information Sharing Strategy |

**Cybersecurity-Related Policies and Issuances**  
Developed by the DoD  
**Deputy CIO for Cybersecurity**  
Last Updated: November 29, 2021  
Send questions/suggestions to  
[contact@csiac.org](mailto:contact@csiac.org)



# D3FEND Publicly Released

- MITRE & NSA launch D3FEND
- <https://d3fend.mitre.org>
- Picked up by numerous media outlets
- 50K+ unique visitors to website in first week
- *Strong positive response to ontological modeling approach*

Links:

- [nsa.gov article](https://www.nsa.gov/article/7000/1137/nsa-funds-development-release-of-d3fend)
- [mitre.org article](https://d3fend.mitre.org)

The screenshot shows a news article from DARKReading titled "Mitre D3FEND explained: A new knowledge graph for cybersecurity defenders". The article discusses the D3FEND matrix and its purpose. It includes social sharing icons and a byline for David Strom.

This screenshot shows a news article from CSO News Center titled "D3FEND Knowledge Graph Guides Security Architects to Design Better Cyber Defenses". It features a large image of a network diagram and discusses the framework's impact on vendor communities.

The screenshot of the NSA/CSS website displays the D3FEND knowledge graph. The graph is a complex network of nodes and edges representing various cybersecurity concepts like Harden, Detect, and Decide. Below the graph, a banner reads "NSA Funds Development, Release of D3FEND".

This part of the NSA/CSS site shows recent news items. Headlines include "The Hungarian Code Writers", "Science of Security Enhances Research Publishing", "NSA Releases Guidance on Securing Unified Communications and Voice and Video over IP Systems", "Linda Burger, NSA Director of the Office of Research and Technology Applications (ORTA) elected Federal Laboratory Consortium (FLC) Executive Board Chair", and "Water Shortage".

# Impact

- NSA using D3FEND in public reporting to prescribe defenses against China's cyber attacks
- NSA TBCS transition improved capability analysis efficiency
- Advanced modeling applications for USAF; 50% improvement in threat coverage
- DOE CyOTE project recommends countermeasures
- Critical infrastructure commercial companies identified gaps in their security capabilities
- Vendors beginning to map to D3FEND
- D3FEND Paper Cited by over 13 academic papers in less than one year
- > 100 Job postings want D3FEND familiarity & knowledge

**Chinese State-Sponsored Cyber Operations: Observed TTPs**

**Summary**

The National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) assess that People's Republic of China state-sponsored malicious cyber activity is a major threat to U.S. and Allied cyberspace assets. Chinese state-sponsored cyber actors aggressively target U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations to steal sensitive data, critical and emerging key technologies, intellectual property, and personally identifiable information (PII). Some target sectors include managed service providers, semiconductor companies, the Defense Industrial Base (DIB), universities, and medical institutions. These cyber operations support China's long-term economic and military development objectives.

INTEZER

What MITRE D3FEND™ Techniques Does Intezer Analyze Implement?

Written by Intezer - 17 August 2021

Intelligence

D3FEND:  
- Countermeasures

**T881: SERVICE STOP**

**PURPOSE**

This Recipe, based upon use of the CyOTE methodology<sup>1</sup> (Figure 1), provides asset owners and operators (AOO) with general guidance for confirming suspicion of the Service Stop attack technique for the Inhibit Response Function tactic as defined by the MITRE ATT&CK® for Industrial Control Systems (ICS) framework<sup>2,3</sup> allowing them to be able to make informed business decisions based on collaborative analysis of the nature and context of the attack. This document also includes supplemental material with suggestions and recommendations for securing assets and improving detection capabilities. Additional information on this technique can be found in the Service Stop (T881) Technique Detection Capability Sheet for the Inhibit Response Function tactic.<sup>4</sup>

Figure 1: CyOTE Methodology Diagram

3:17

d3fend

Worldwide

Jobs Date Posted Experience L

112 results

**Penetration Testing Lead (Global)**  
TikTok  
Washington DC-Baltimore Area (Hybrid)  
1 connection  
16 days ago · 12 applicants

**Sr. Detection Engineer, Global Security Operations (US Remote Available)**  
Splunk  
McLean, VA (Remote)  
2 company alumni  
10 hours ago



**DEFEND™**



| Harden                               |                                  |                                  | Detect                              |                                   |                                     |                                         |                                          |                                   | Isolate                             |                                      |                                  | Deceive                                 |                                       | Evict                             |                     |                     |  |  |  |
|--------------------------------------|----------------------------------|----------------------------------|-------------------------------------|-----------------------------------|-------------------------------------|-----------------------------------------|------------------------------------------|-----------------------------------|-------------------------------------|--------------------------------------|----------------------------------|-----------------------------------------|---------------------------------------|-----------------------------------|---------------------|---------------------|--|--|--|
| Application Hardening                | Credential Hardening             | Message Hardening                | Platform Hardening                  | File Analysis                     | Identifier Analysis                 | Message Analysis                        | Network Traffic Analysis                 | Platform Monitoring               | Process Analysis                    | User Behavior Analysis               | Execution Isolation              | Network Isolation                       | Decoy Environment                     | Decoy Object                      | Credential Eviction | Process Eviction    |  |  |  |
| Exception Handler Pointer Validation | Certificate Pinning              | Message Authentication           | Disk Encryption                     | Dynamic Analysis                  | Homoglyph Detection                 | Sender MTA Reputation Analysis          | Administrative Network Activity Analysis | Firmware Verification             | Database Query String Analysis      | Authentication Event Thresholding    | Hardware-based Process Isolation | Broadcast Domain Isolation              | Connected Honeynet                    | Decoy File                        | Account Locking     | Process Termination |  |  |  |
|                                      | Multi-factor Authentication      | Message Encryption               | Driver Load Integrity Checking      | Emulated File Analysis            | Peripheral Firmware Verification    |                                         |                                          | File Access Pattern Analysis      | Authorization Event Thresholding    | Encrypted Tunnels                    |                                  | Integrated Honeynet                     | Decoy Network Resource                | Authentication Cache Invalidation |                     |                     |  |  |  |
|                                      | One-time Password                | Transfer Agent Authentication    | RF Shielding                        | File Content Rules                | URL Analysis                        | Sender Reputation Analysis              | Certificate Analysis                     | System Firmware Verification      | Indirect Branch Call Analysis       | Credential Compromise Scope Analysis | Mandatory Access Control         | Standalone Honeynet                     | Decoy Persona                         |                                   |                     |                     |  |  |  |
|                                      |                                  |                                  | TPM Boot Integrity                  | File Hashing                      |                                     |                                         | Active Certificate Analysis              | Operating System Monitoring       | Process Code Segment Verification   | Job Function Access Pattern Analysis | System Call Filtering            | Inbound Traffic Filtering               | Outbound Traffic Filtering            | Decoy Public Release              |                     |                     |  |  |  |
| Segment Address Offset Randomization | Strong Password Policy           | Bootloader Authentication        | Software Update                     | File Encryption                   | Local File Permissions              | Client-server Payload Profiling         | Endpoint Health Beacon                   | Input Device Analysis             | Process Self-Modification Detection | Local Account Monitoring             | Executable Denylisting           | DNS Allowlisting                        | Decoy Session Token                   |                                   |                     |                     |  |  |  |
| Dead Code Elimination                | Domain Trust Policy              |                                  |                                     |                                   |                                     |                                         | DNS Traffic Analysis                     | Memory Boundary Tracking          | Process Spawn Analysis              | Resource Access Pattern Analysis     | IO Port Restriction              | DNS Denylisting                         | Forward Resolution Domain Denylisting | Decoy User Credential             |                     |                     |  |  |  |
| Pointer Authentication               | User Account Permissions         | Biometric Authentication         | File Carving                        | IPC Traffic Analysis              | Network Traffic Community Deviation | Per Host Download-Upcast Ratio Analysis | Scheduled Job Analysis                   | Process Lineage Analysis          | User Data Transfer Analysis         |                                      | Script Execution Analysis        | User Geolocation Logon Pattern Analysis | Hierarchical Domain Denylisting       | Homoglyph Denylisting             |                     |                     |  |  |  |
| Application Configuration Hardening  | Certificate-based Authentication |                                  |                                     |                                   |                                     |                                         | System Daemon Monitoring                 | Shadow Stack Comparisons          | Web Session Activity Analysis       |                                      | System Call Analysis             | Session Duration Analysis               | Forward Resolution IP Denylisting     | Reverse Resolution IP Denylisting |                     |                     |  |  |  |
| Stack Frame Canary Validation        | Credential Transmission Scoping  | System Configuration Permissions | Protocol Metadata Anomaly Detection | Remote Terminal Session Detection | RPC Traffic Analysis                | User Session Init Config Analysis       | Service Binary Verification              | File Creation Analysis            | Session Duration Analysis           |                                      | Domain Account Monitoring        |                                         |                                       |                                   |                     |                     |  |  |  |
|                                      |                                  |                                  |                                     |                                   |                                     |                                         | Connection Attempt Analysis              | Firmware Behavior Analysis        |                                     |                                      |                                  |                                         |                                       |                                   |                     |                     |  |  |  |
|                                      |                                  |                                  |                                     |                                   |                                     |                                         | Inbound Session Volume Analysis          | Firmware Embedded Monitoring Code |                                     |                                      |                                  |                                         |                                       |                                   |                     |                     |  |  |  |
|                                      |                                  |                                  |                                     |                                   |                                     |                                         | Byte Sequence Emulation                  |                                   |                                     |                                      |                                  |                                         |                                       |                                   |                     |                     |  |  |  |
|                                      |                                  |                                  |                                     |                                   |                                     |                                         | Relay Pattern Analysis                   |                                   |                                     |                                      |                                  |                                         |                                       |                                   |                     |                     |  |  |  |









*Offensive Model*  
(ATT&CK\*)

*Defensive Model*  
(D3FEND)



## DEFEND Subroutine Taxonomy

tree  matrix

This is a taxonomy of **Subroutine** types. Navigate this tree by expanding the arrows on the nodes with children. You may also select multiple properties to display their values alongside the tree nodes.

**name**  
Subroutine  
**abbreviated IRI**  
d3f:Subroutine  
**definition**  
In different programming languages, a subroutine may be called a procedure, a function, a routine, a method, or a subprogram. The generic term callable unit is

**see also** <http://dbpedia.org/resource/Subroutine>

- ▼ Subroutine (22)
  - ▼ Input Function (1)
    - User Input Function
  - Deserialization Function
  - Eval Function
  - External Content Inclusion Function
  - File Path Open Function
  - Import Library Function
  - Log Message Function
  - Mathematical Function
  - Memory Allocation Function
  - Memory Free Function
  - Pointer Dereferencing Function
  - Console Output Function
  - Copy Memory Function
  - Raw Memory Access Function
  - Serialization Function
  - Shared Resource Access Function
  - String Format Function
  - Thread Start Function
  - Process Start Function
  - Exception Handler
  - Stored Procedure
  - Authentication Function



# Hardware Ontology



**D3FEND Hardware Ontology GitHub Discussion:**

<https://github.com/d3fend/d3fend-ontology/discussions/181>

# How to get involved

- Ask vendors what D3FEND techniques they support
- Think in terms of “Digital Artifacts” and “Defensive Verbs”
- Browse the knowledge base at <https://d3fend.mitre.org>
- If you are interested in the ontology, download [Protégé](#) to view the model
- Send ideas, and comments to [d3fend@mitre.org](mailto:d3fend@mitre.org)
- Join our slack channel (link on D3FEND Resources page)
- Extend or contribute to D3FEND at <https://github.com/d3fend/>

# CVE QWG Hardware and Software Tagging

## Jason F



CWE and CAPEC are sponsored by [U.S. Department of Homeland Security](#) (DHS) [Cybersecurity and Infrastructure Security Agency](#) (CISA). Copyright © 1999–2023, [The MITRE Corporation](#). CWE, CAPEC, the CWE logo, and the CAPEC logo are trademarks of The MITRE Corporation.

# HW CWE CONTENT ENHANCEMENT PROPOSALS

Jason M. Fung

June 9, 2023

# CVE Root Cause Tagging Proposal

# CVE Root Cause Tagging Proposal

## Motivation

- Many CVEs filed every year; but current CVE schema does not offer a way to query those with hardware root causes
- Best if CVEs are tagged based on SW or HW root causes
- Potential Use Cases
  - **Correctness:** Monitor new CVEs with HW root causes and ensure correct CWEs are assigned
  - **Awareness:** Offer a data-driven approach to curate the next Most Important Hardware Weakness list
  - ...

# CVE Root Cause Tagging Proposal

## Proposal Submitted to CVE Quality WG in March'21

- Proposal to add a tag to CVE schema for identifying the root cause
  - In collaboration with Chris Turner and Jason Oberg

We previously discussed including support for CVE level tags (which can be applied to the CNA or ADP containers) that assist in identification of root cause.

| Tag                 | Definition                                                                                                                                                                                                                                                                                                                                                                                                                                           |
|---------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Hardware Root Cause | Tag this to a CVE if the primary root cause of the security vulnerability is originated from the hardware component of the affected product(s). The intent is to facilitate Hardware Designers to learn how to prevent similar weakness. Even when a hardware vulnerability can be addressed by a SW workaround, the "Hardware Root Cause" tag should still be applied, since the focus is on how the issue is introduced, not how it is remediated. |
| Software Root Cause | Tag this to a CVE if the primary root cause of the security vulnerability is originated from the software component of the affected product(s). The intent is to facilitate Software Developers to learn how to prevent similar weakness.                                                                                                                                                                                                            |

# CVE Root Cause Tagging Proposal

## Proposal Reviewed by CVE Quality WG in May'23

- CVE QWG agreed with the direction, but members initially had a difference in opinions on the implementation options
  - Should the tag be per **CVE Record** or per **CWE**?
    - Each CVE can support more than 1 “Problem Types” or CWE mappings
  - How to draw the line between **HW** vs. **SW**?
    - See next slide
- CVE QWG agreed to create a **record-level experimental tag for root cause**, and later promote to an official tag based on usage and feedback

# CVE Root Cause Tagging Proposal

## DISCUSSION: HOW TO DRAW THE LINE BETWEEN HW VS. SW?

- By position in the compute stack?
  - IP – SoC – Motherboard – BIOS – VM – OS – Driver – Apps
- By storage (anything in hard disk is SW)?
- By patchability?
  - HW = Circuit + Logic + BootROM
  - SW = Embedded FW and above
- By a fixed mapping/classification?
- By how it is implemented (C vs. RTL)?
- By security implications?
  - SW = FW with buffer overflow error
  - HW = FW misconfigures access control policy in HW
- ...

# Demonstrative Example Enhancement Proposal

Reusing Corpus from HACK@EVENT Hardware CTF Competitions

# Demonstrative Example Enhancement Proposal

## OVERVIEW

- CWEs with demonstrative examples help readers better appreciate how design and implementation issues manifest in RTL
  - However, not many HW CWEs have code examples today
- HACK@EVENT is a series of Pre-Si HW capture-the-flag competitions created by Intel (Arun Kanuparthi, Hareesh Khattri), Texas A&M and TU Darmstadt in the past 6 years
  - We take a complex open source SoC, insert industry-like security features, and inject security vulnerabilities that mimic mistakes made by hardware designers to form a buggy SoC for the competition.
  - Participants have 48 hours to examine the buggy SoC to find as many vulnerabilities as they can. Through the process, participants get to realize how hardware vulnerabilities captured in HW CWE are being manifested in real hardware, and limitations of today's EDA tools to support robust product security assurance.
  - Through gamification, we inspire talents to contribute towards hardware security.
- Idea: Buggy code from past competitions can be reused to serve as Demonstrative Examples for HW CWE

# Demonstrative Example Enhancement Proposal

## CWE-1281: SEQUENCE OF PROCESSOR INSTRUCTIONS LEADS TO UNEXPECTED BEHAVIOR

HW CWE: [CWE-1281](#)

Example Language: SystemVerilog

CWE Issue Description (from Website):

Specific combinations of processor instructions lead to undesirable behavior such as locking the processor until a hard reset performed.

If the instruction set architecture (ISA) and processor logic are not designed carefully and tested thoroughly, certain combinations of instructions may lead to locking the processor or other unexpected and undesirable behavior. Upon encountering unimplemented instruction opcodes or illegal instruction operands, the processor should throw an exception and carry on without negatively impacting security. However, specific combinations of legal and illegal instructions may cause unexpected behavior with security implications such as allowing unprivileged programs to completely lock the CPU.

### Example Description:

The example code is taken from the commit stage inside the processor core of the HACK@DAC'19 buggy CVA6 SoC. To ensure the correct execution of atomic instructions, the CPU must guarantee atomicity: no other device overwrites the memory location between the atomic read starts and the atomic write finishes. Another device may overwrite the memory location only before the read operation or after the write operation, but never between them, and finally, the content will still be consistent.

Atomicity is especially critical when the variable to be modified is a mutex, counting semaphore, or similar piece of data that controls access to shared resources. Failure to ensure atomicity may result in two processors accessing a shared resource simultaneously, permanent lock-up, or similar disastrous behavior.

The following vulnerable code check for CSR interrupts and give them precedence over any other exception. However, the interrupts should not occur when the processor runs a series of atomic instructions. In the following vulnerable code, the required check must be included to ensure the processor is not in the middle of a series of atomic instructions. For more info, please check the Fixed code example.

### Vulnerable Code:

Example Language: SystemVerilog

bad code

```
if (csr_exception_i.valid && csr_exception_i.cause[63] && commit_instr_i[0].fu != CSR) begin  
    exception_o = csr_exception_i;  
    exception_o.tval = commit_instr_i[0].ex.tval;  
end
```

### Vulnerable Code Source:

[https://github.com/PouyaMahmoody/hackdac\\_2019/blob/main/src/commit\\_stage.sv](https://github.com/PouyaMahmoody/hackdac_2019/blob/main/src/commit_stage.sv)

line 287-290

### Mitigation Description:

Refrain from interrupting if we are committing an atomic instruction that should not be interrupted. We can do that by adding a condition to check whether the current committing instruction is atomic.

### Fixed code:

Example Language: SystemVerilog

good code

```
if (csr_exception_i.valid && csr_exception_i.cause[63] && !amo_valid_commit_o  
&& commit_instr_i[0].fu != CSR) begin  
    exception_o = csr_exception_i;  
    exception_o.tval = commit_instr_i[0].ex.tval;  
end
```

### Fixed code Source:

[https://github.com/openhwgroup/cva6/blob/7951802a0147aedb21e8f2f6dc1e1e9c4ee857a2/src/commit\\_stage.sv#L296:L301](https://github.com/openhwgroup/cva6/blob/7951802a0147aedb21e8f2f6dc1e1e9c4ee857a2/src/commit_stage.sv#L296:L301)

line 296-301

# Demonstrative Example Enhancement Proposal

## CWE-1260: IMPROPER HANDLING OF OVERLAP BETWEEN PROTECTED MEMORY RANGES

HW CWE: [CWE-1260](#)

Example Language: SystemVerilog

CWE Issue Description (from Website):

The product allows address regions to overlap, which can result in the bypassing of intended memory protection.

Isolated memory regions and access control (read/write) policies are used by hardware to protect privileged software. Software components are often allowed to change or remap memory region definitions in order to enable flexible and dynamically changeable memory management by system software.

If a software component running at lower privilege can program a memory address region to overlap with other memory regions used by software running at higher privilege, privilege escalation may be available to attackers. The memory protection unit (MPU) logic can incorrectly handle such an address overlap and allow the lower-privilege software to read or write into the protected memory region, resulting in a privilege escalation attack. An address overlap weakness can also be used to launch a denial of service attack on the higher-privilege software memory regions.

Example Description:

The example code below is taken from the IOMMU controller module of the HACK@DAC'19 buggy CVA6 SoC. The static memory map is composed of a set of Memory-Mapped Input/Output (MMIO) regions covering different IP agents within the SoC. Each region is defined by two 64-bit variables representing the base address and size of the memory region (XXXBase and XXXLength). In this example (see the vulnerable code source), we have 12 IP agents, and only 4 of them are called out for illustration purposes in the code snippets. Access to the AES IP MMIO region is considered privileged as it provides access to AES secret key, internal states, or decrypted data. The vulnerable code allows the overlap between the protected MMIO region of the AES peripheral and the unprotected UART MMIO region. As a result, unprivileged users can access the protected region of the AES IP.

In the given vulnerable example UART MMIO region starts at address 64'h1000\_0000 and ends at address 64'h1011\_1000 (UART7Base is 64'h1000\_0000, and the size of the region is provided by the UARTLength of 64'h0011\_1000). On the other hand, the AES MMIO region starts at address 64'h1010\_0000 and ends at address 64'h1010\_1000, which implies an overlap between the two peripherals' memory regions. Thus, any user with access to the UART can read or write the AES MMIO region, e.g., the AES secret key.

Vulnerable Code:

Example Language: SystemVerilog

bad code

```
...  
localparam logic[63:0] PLICLength = 64'h03FF_FFFF;  
localparam logic[63:0] UARTLength = 64'h0011_1000;  
localparam logic[63:0] AESLength = 64'h0000_1000;  
localparam logic[63:0] SPILength = 64'h0080_0000;  
...  
typedef enum logic [63:0] {  
    ...  
    PLICBase = 64'h0C00_0000,  
    UARTBase = 64'h1000_0000,  
    AESBase = 64'h1010_0000,  
    SPIBase = 64'h2000_0000,  
    ...  
}
```

Vulnerable Code Source:

[https://github.com/PouyaMahmoodi/hackdac\\_2019/blob/main/tb/ariane\\_soc\\_pkg.sv](https://github.com/PouyaMahmoodi/hackdac_2019/blob/main/tb/ariane_soc_pkg.sv)

line 44-45, 61-62

Mitigation Description:

Remove the overlapping address regions by decreasing the size of the UART memory region (as shown in the good code example) or adjusting memory bases for all the remaining peripherals.

Fixed code:

Example Language: SystemVerilog

good code

```
...  
localparam logic[63:0] PLICLength = 64'h03FF_FFFF;  
localparam logic[63:0] UARTLength = 64'h0000_1000;  
localparam logic[63:0] AESLength = 64'h0000_1000;  
localparam logic[63:0] SPILength = 64'h0080_0000;  
...  
typedef enum logic [63:0] {  
    ...  
    PLICBase = 64'h0C00_0000,  
    AESBase = 64'h1010_0000,  
    SPIBase = 64'h2000_0000,  
    ...  
}
```

Fixed code Source:

[https://github.com/openhwgroup/cva6/blob/v4.2.0/tb/ariane\\_soc\\_pkg.sv](https://github.com/openhwgroup/cva6/blob/v4.2.0/tb/ariane_soc_pkg.sv)

Line 45

# Demonstrative Example Enhancement Proposal

## HACK@DAC'19 OFFERS 21 EXAMPLES COVERING 13 UNIQUE HW CWES

| Location                 | CWE-Description                                                           | # of Existing Prescriptive Examples | # of Existing Code Examples |
|--------------------------|---------------------------------------------------------------------------|-------------------------------------|-----------------------------|
| ACC CTRL                 | CWE-1317: Improper Access Control in Fabric Bridge                        | 1                                   | 0                           |
| AES                      | CWE-1262: Improper Access Control for Register Interface                  | 1                                   | 0                           |
| ACC CTRL                 | CWE-1260: Improper Handling of Overlap Between Protected Memory Ranges    | 1                                   | 0                           |
| BOOTROM                  | CWE-1326: Missing Immutable Root of Trust in Hardware                     | 1                                   | 0                           |
| JTAG                     | CWE-276: Incorrect Default Permissions                                    | 0                                   | 0                           |
| ACC CTRL                 | CWE-1262: Improper Access Control for Register Interface                  | 1                                   | 0                           |
| CPU-Interrupt Controller | CWE-1220: Insufficient Granularity of Access Control                      | 2                                   | 0                           |
| AES                      | CWE-1262: Improper Access Control for Register Interface                  | 1                                   | 0                           |
| ACC CTRL                 | CWE-276: Incorrect Default Permissions                                    | 0                                   | 0                           |
| JTAG                     | CWE-1244: Internal Asset Exposed to Unsafe Debug Access Level or State    | 1                                   | 0                           |
| AES                      | CWE-1262: Improper Access Control for Register Interface                  | 1                                   | 0                           |
| JTAG                     | CWE-1221: Incorrect Register Defaults or Module Parameters                | 0                                   | 1                           |
| AES                      | CWE-1241: Use of Predictable Algorithm in Random Number Generator         | 1                                   | 0                           |
| CPU-Interrupt Controller | CWE-1281: Sequence of Processor Instructions Leads to Unexpected Behavior | 1                                   | 0                           |
| CPU-Commit Stage         | CWE-1281: Sequence of Processor Instructions Leads to Unexpected Behavior | 1                                   | 0                           |
| CPU-Com                  |                                                                           |                                     |                             |
| CPU-Addr                 |                                                                           |                                     |                             |
| CPU-Address Translation  | CWE-1262: Improper Access Control for Register Interface                  | 1                                   | 0                           |
| CPU-Address Translation  | CWE-226: Sensitive Information in Resource Not Removed Before Reuse       | 2 (not HW)                          | 0                           |
| JTAG                     | CWE-1191: On-Chip Debug and Test Interface With Improper Access Control   | 1                                   | 0                           |
| JTAG                     | CWE-1243: Sensitive Non-Volatile Information Not Protected During Debug   | 1                                   | 0                           |

HACK@DAC'19 and HACK@DAC'21 cover 38 unique HW CWEs

# Becoming a CNA

## Alec S



CWE and CAPEC are sponsored by [U.S. Department of Homeland Security](#) (DHS) [Cybersecurity and Infrastructure Security Agency](#) (CISA). Copyright © 1999–2023, [The MITRE Corporation](#). CWE, CAPEC, the CWE logo, and the CAPEC logo are trademarks of The MITRE Corporation.

# CVE Numbering Authority (CNA) Information and Requirements

---

June 9, 2023



# What is a CVE Numbering Authority (CNA)?

---

- **CVE Numbering Authority (CNA):** Organizations from around the world who are authorized by the CVE Program to assign CVE IDs and publish CVE Records for vulnerabilities within their distinct, agreed-upon scope.
  - Types of organizations include vendors, researchers, open source, CERTs, hosted services, bug bounty providers, and consortiums, but others are also welcome.

# Strategy of Federation in Action

As of June 1, 2023:  
295 Partners in 36 countries



Federation Through Partnership:  
Impact by the Numbers

| Federated Growth Strategy Implemented    | Year | Records Published | Number of CNAs |
|------------------------------------------|------|-------------------|----------------|
|                                          | 2016 | 6,457             | 24 (1 Int.)    |
|                                          | 2017 | 14,644            | 78             |
|                                          | 2018 | 16,510            | 90             |
|                                          | 2019 | 17,308            | 106            |
|                                          | 2020 | 18,364            | 144            |
|                                          | 2021 | 20,161            | 209 (100 Int.) |
| *Note: 57 CNAs Added, to-date in FY 2023 |      | 25,059            | 263 (123 Int.) |
|                                          | 2022 |                   |                |
|                                          | 2023 |                   |                |
|                                          |      |                   | 295 (136 Int.) |

| Year     | 1999-2016 | 2017 | 2018 | 2019 | 2020 | 2021 | 2022 | 2023 | Total |
|----------|-----------|------|------|------|------|------|------|------|-------|
| All CNAs | 0%        | 50%  | 53%  | 53%  | 58%  | 65%  | 68%  | 77%  | 295   |
| CNA-LRs  | 100%      | 50%  | 47%  | 47%  | 42%  | 35%  | 32%  | 23%  |       |

\*Note: CISA ICS became a Top-Level Root and CNA-LR in calendar year 2020

# Benefits of Becoming a CNA

---

- Demonstrate mature vulnerability management practices and commitment to cybersecurity
- Communicate value-added vulnerability information
  - You are the subject matter experts and can provide the most accurate vulnerability description
- Control the CVE publication release process for vulnerabilities within scope
- Assign CVE IDs without having to share embargoed information with another CNA
- Streamline vulnerability disclosure processes

# Cost of Being a CNA

---

- **There is no monetary fee; however, CVE Records are not free to produce (i.e., time and resource allocation)**
  - Estimated minimum Level of Effort: 8 hours per month (up to 10 CVE Records)
- **CNAs volunteer their own time for their own benefit**
- **No contract to sign**

# Requirements for becoming a CNA

---

- Have a public vulnerability disclosure policy\* (e.g., [Microsoft](#))
- Have a public advisory location (e.g., [Apple](#))
- Agree to the [CVE Program Terms of Use](#)

Please visit [The logo for CWE and CAPEC. It features the letters "CWE" in blue and "CAPEC" in gold, with a trademark symbol \(TM\) next to CAPEC. The two words are stacked vertically.](https://www.cve.org/PartnerInformation>ListofPartners</a> for examples of other disclosure policies and advisory locations.</p></div><div data-bbox=)

CWE and CAPEC are sponsored by [U.S. Department of Homeland Security](#) (DHS) [Cybersecurity and Infrastructure Security Agency](#) (CISA). Copyright © 1999–2023, [The MITRE Corporation](#). CWE, CAPEC, the CWE logo, and the CAPEC logo are trademarks of The MITRE Corporation.

# Process for Becoming a CNA (1 of 2)

---

- **Request information on how to become a CNA via the CVE Program webform [here](#)**
  - Select “Request information on the CVE Numbering Authority (CNA) Program” from the dropdown menu
- **Your request will be assigned to someone on the Program Coordination team, who will provide a link to the registration form and supplemental material**
  - CNA Rules
  - Onboarding videos
- **Once registration form is received, a one-hour onboarding session will be scheduled**
  - Public vulnerability disclosure policy is required (e.g., [Microsoft](#))
  - Public source for vulnerability disclosures is required (e.g., [Apple](#))
  - Choose Root (or Top-Level Root) based on scope
  - Define scope\*

\*Please visit [The logo consists of two parts: "CWE" in blue and "CAPEC" in gold, both in a stylized font. A small trademark symbol \(TM\) is located next to the CAPEC text.](https://www.cve.org/PartnerInformation>ListofPartners</a> for examples of scopes.</p></div><div data-bbox=)

CWE and CAPEC are sponsored by [U.S. Department of Homeland Security](#) (DHS) [Cybersecurity and Infrastructure Security Agency](#) (CISA). Copyright © 1999–2023, [The MITRE Corporation](#). CWE, CAPEC, the CWE logo, and the CAPEC logo are trademarks of The MITRE Corporation.

# Process for Becoming a CNA (2 of 2)

---

- After onboarding session, you will be asked to complete and submit homework
- Once homework is submitted and approved, the CVE Program will work with you to select a date for announcement into the program
- After official announcement, CNA requests credentials to access CVE Services
  - Request CVE IDs
  - Publish and update CVE Records

# CVE Program Expectations of CNAs

---

- Follow the [CNA Rules](#) and [the CVE Program Professional Code of Conduct](#)
- Adhere to the CVE Program policies
  - [Record Dispute Policy](#)
  - [EOL Policy](#)
- Publish CVE Records in a timely manner once disclosure is made public
  - Once the vulnerability (and associated CVE ID) is made **public** (via an advisory, Tweet, blog, etc.), CVE Records must be published to the CVE List within 5 business days
- Respond to requests from Root (or Top-Level Root) in a timely manner
- Communicate any changes to CNA organization (POCs, mergers, change in scope) to Root or Top-Level Root

---

# Backup Slides

---

# A Picture of CVE Program Organization



# How CVE Works



- **Discover:** A person or organization discovers a new vulnerability (or a CNA finds a vulnerability in its own product)
- **Report:** Discoverer reports the vulnerability to a [CVE Program participant](#) (CNA)
  - CNA works with the discoverer and its internal security teams to validate and remediate the vulnerability
- **Request:** CNA requests a CVE Identifier (ID)
- **Reserve:** The ID is reserved (initial state of a CVE Record; not yet public)
- **Submit:** CNA submits the details
  - Details include, but are not limited to, affected product(s); affected or fixed product versions; vulnerability type, root cause, or impact; and at least one public reference
- **Publish:** Once the minimum required data elements are included in the CVE Record, and the vulnerability is publicly disclosed, it is published to the CVE List by the responsible CNA. The CVE Record is now available for download and viewing by the public.

# Next Meeting (**July 14**)

---

**CWE@MITRE.ORG**

- **Mailing List:** *[hw-cwe-special-interest-group-sig-list@mitre.org](mailto:hw-cwe-special-interest-group-sig-list@mitre.org)*
  - *NOTE: All mailing list items are archived publicly at:*
    - <https://www.mail-archive.com/hw-cwe-special-interest-group-sig-list@mitre.org/>
- **What would members of this body like to see for the next HW SIG agenda?**
- **Questions, Requests to present? Please let us know.**

# Backup

---



CWE and CAPEC are sponsored by [U.S. Department of Homeland Security](#) (DHS) [Cybersecurity and Infrastructure Security Agency](#) (CISA). Copyright © 1999–2023, [The MITRE Corporation](#). CWE, CAPEC, the CWE logo, and the CAPEC logo are trademarks of The MITRE Corporation.

# CWE-514: Covert Channel

---

## Description

- A covert channel is a path that can be used to transfer information in a way not intended by the system's designers.

## Extended Description

- Typically the system has not given authorization for the transmission and has no knowledge of its occurrence.

# Covert Channels and Side Channels

---

- This is a discussion item on the GitHub
- Accidental transmission vs intentional transmission
- "A side channel is where information **leaks accidentally** via some medium that was not designed or intended for communication; a covert channel is where the **leak is deliberate.**" – *Ross Anderson*
- Hardware view should have coverage in the hardware view –*Jason Oberg*
- CWE-514 is a class weakness for Covert Channels
- Covert Channels should be in the HW categories Security Flow Issues, General Circuit and Logic Design Concerns, or Debug and Test Problems.  
–*Paul Wortman*
- Should we place CWE-514 in the HW View? Or create a base of CWE-514 and put that into the HW view?