CWE-1244
Internal Asset Exposed to Unsafe Debug Access Level or State
AI Translation Available
The product uses physical debug or test
interfaces with support for multiple access levels, but it
assigns the wrong debug access level to an internal asset,
providing unintended access to the asset from untrusted debug
agents.
Status
stable
Abstraction
base
Affected Platforms
System on Chip
Extended Description
AI Translation
Debug authorization can have multiple levels of access, defined such that different system internal assets are accessible based on the current authorized debug level. Other than debugger authentication (e.g., using passwords or challenges), the authorization can also be based on the system state or boot stage. For example, full system debug access might only be allowed early in boot after a system reset to ensure that previous session data is not accessible to the authenticated debugger.
Technical Details
AI Translation
Common Consequences
confidentiality
integrity
authorization
access control
Impacts
read memory
modify memory
gain privileges or assume identity
bypass protection mechanism
Detection Methods
manual analysis
Potential Mitigations
Phases:
architecture and design
implementation
Descriptions:
•
Apply blinding [REF-1219] or masking techniques in strategic areas.
•
For security-sensitive assets accessible over debug/test interfaces, only allow trusted agents.
•
Add shielding or tamper-resistant protections to the device, which increases the difficulty and cost for accessing debug/test interfaces.