logo

Improper Isolation of Shared Resources on System-on-a-Chip (SoC)

Stable Base
Structure: Simple
Description

The System-On-a-Chip (SoC) does not properly isolate shared resources between trusted and untrusted agents.

Extended Description

A System-On-a-Chip (SoC) has a lot of functionality, but it may have a limited number of pins or pads. A pin can only perform one function at a time. However, it can be configured to perform multiple different functions. This technique is called pin multiplexing. Similarly, several resources on the chip may be shared to multiplex and support different features or functions. When such resources are shared between trusted and untrusted agents, untrusted agents may be able to access the assets intended to be accessed only by the trusted agents.

Common Consequences 2
Scope: Access Control

Impact: Bypass Protection Mechanism

If resources being used by a trusted user are shared with an untrusted user, the untrusted user may be able to modify the functionality of the shared resource of the trusted user.

Scope: Integrity

Impact: Quality Degradation

The functionality of the shared resource may be intentionally degraded.
Detection Methods 1
Automated Dynamic AnalysisHigh
Pre-silicon / post-silicon: Test access to shared systems resources (memory ranges, control registers, etc.) from untrusted software to verify that the assets are not incorrectly exposed to untrusted agents. Note that access to shared resources can be dynamically allowed or revoked based on system flows. Security testing should cover such dynamic shared resource allocation and access control modification flows.
Potential Mitigations 1
Phase: Architecture and Design

Strategy: Separation of Privilege

When sharing resources, avoid mixing agents of varying trust levels. Untrusted agents should not share resources with trusted agents.
Demonstrative Examples 1
Consider the following SoC design. The Hardware Root of Trust (HRoT) local SRAM is memory mapped in the core{0-N} address space. The HRoT allows or disallows access to private memory ranges, thus allowing the sram to function as a mailbox for communication between untrusted and trusted HRoT partitions.
We assume that the threat is from malicious software in the untrusted domain. We assume this software has access to the core{0-N} memory map and can be running at any privilege level on the untrusted cores. The capability of this threat in this example is communication to and from the mailbox region of SRAM modulated by the hrot_iface. To address this threat, information must not enter or exit the shared region of SRAM through hrot_iface when in secure or privileged mode.
Observed Examples 2
CVE-2020-8698Processor has improper isolation of shared resources allowing for information disclosure.
CVE-2019-6260Baseboard Management Controller (BMC) device implements Advanced High-performance Bus (AHB) bridges that do not require authentication for arbitrary read and write access to the BMC's physical address space from the host, and possibly the network [REF-1138].
References 2
Ghost in the PLC Designing an Undetectable Programmable Logic Controller Rootkit via Pin Control Attack
Ali Abbasi and Majid Hashemi
2016
https://www.blackhat.com/docs/eu-16/materials/eu-16-Abbasi-Ghost-In-The-PLC-Designing-An-Undetectable-Programmable-Logic-Controller-Rootkit-wp.pdf
ID: REF-1036
CVE-2019-6260: Gaining control of BMC from the host processor
Stewart Smith
2019
https://www.flamingspork.com/blog/2019/01/23/cve-2019-6260:-gaining-control-of-bmc-from-the-host-processor/(2025-07-29)
ID: REF-1138
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Technologies:
System on Chip : Undetermined
Modes of Introduction
Architecture and Design
Implementation
Related Attack Patterns
Related Weaknesses
ChildOf: Improper Isolation or Compartmentalization (CWE-653)
ChildOf: Exposure of Resource to Wrong Sphere (CWE-668)
PeerOf: Improper Isolation of Shared Resources in Network On Chip (NoC) (CWE-1331)