Category: Power, Clock, Thermal, and Reset Concerns
Draft
Summary
Weaknesses in this category are related to system power, voltage, current, temperature, clocks, system state saving/restoring, and resets at the platform and SoC level.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1232 | Improper Lock Behavior After Power State Transition | Register lock bit protection disables changes to system configuration once the bit is set. Some of the protected registers or lock bits become programmable after power state transitions (e.g., Entry and wake from low power sleep modes) causing the system configuration to be changeable. |
| CWE-1247 | Improper Protection Against Voltage and Clock Glitches | The device does not contain or contains incorrectly implemented circuitry or sensors to detect and mitigate voltage and clock glitches and protect sensitive information or software contained on the device. |
| CWE-1248 | Semiconductor Defects in Hardware Logic with Security-Sensitive Implications | The security-sensitive hardware module contains semiconductor defects. |
| CWE-1255 | Comparison Logic is Vulnerable to Power Side-Channel Attacks | A device's real time power consumption may be monitored during security token evaluation and the information gleaned may be used to determine the value of the reference token. |
| CWE-1256 | Improper Restriction of Software Interfaces to Hardware Features | The product provides software-controllable device functionality for capabilities such as power and clock management, but it does not properly limit functionality that can lead to modification of hardware memory or register bits, or the ability to observe physical side channels. |
| CWE-1271 | Uninitialized Value on Reset for Registers Holding Security Settings | Security-critical logic is not set to a known value on reset. |
| CWE-1304 | Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation | The product performs a power save/restore operation, but it does not ensure that the integrity of the configuration state is maintained and/or verified between the beginning and ending of the operation. |
| CWE-1314 | Missing Write Protection for Parametric Data Values | The device does not write-protect the parametric data values for sensors that scale the sensor value, allowing untrusted software to manipulate the apparent result and potentially damage hardware or cause operational failure. |
| CWE-1320 | Improper Protection for Outbound Error Messages and Alert Signals | Untrusted agents can disable alerts about signal conditions exceeding limits or the response mechanism that handles such alerts. |
| CWE-1332 | Improper Handling of Faults that Lead to Instruction Skips | The device is missing or incorrectly implements circuitry or sensors that detect and mitigate the skipping of security-critical CPU instructions when they occur. |
| CWE-1338 | Improper Protections Against Hardware Overheating | A hardware device is missing or has inadequate protection features to prevent overheating. |
| CWE-1194 | Hardware Design | This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.