CAPEC-702: Exploiting Incorrect Chaining or Granularity of Hardware Debug Components
Attack Pattern ID: 702
Abstraction: Detailed
Description
An adversary exploits incorrect chaining or granularity of hardware debug components in order to gain unauthorized access to debug functionality on a chip. This happens when authorization is not checked on a per function basis and is assumed for a chain or group of debug functionality.
Extended Description
Chip designers often include design elements in a chip for debugging and troubleshooting such as:
Various Test Access Ports (TAPs) which allow boundary scan commands to be executed.
Scan cells that allow the chip to be used as a "stimulus and response" mechanism for scanning the internal components of a chip.
Custom methods to observe the internal components of their chips by placing various tracing hubs within their chip and creating hierarchical or interconnected structures among those hubs.
Because devices commonly have multiple chips and debug components, designers will connect debug components and expose them through a single external interface, which is referred to as “chaining”. Logic errors during design or synthesis could misconfigure the chaining of the debug components, which could allow unintended access. TAPs are also commonly referred to as JTAG interfaces.
Likelihood Of Attack
Low
Typical Severity
Medium
Relationships
This table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
Nature: ChildOf
Type: Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.
Execution Flow
Explore
Find and scan debug interface: The adversary must first find and scan a debug interface to determine what they are authorized to use and what devices are chained to that interface.
Techniques
Use a JTAGulator on a JTAG interface to determine the correct pin configuration, baud rate, and number of devices in the chain
Experiment
Connect to debug interface: The adversary next connects a device to the JTAG interface using the properties found in the explore phase so that they can send commands. The adversary sends some test commands to make sure the connection is working.
Techniques
Connect a device such as a BusPirate or UM232H to the JTAG interface and connect using pin layout found from the JTAGulator
Exploit
Move along debug chain: Once the adversary has connected to the main TAP, or JTAG interface, they will move along the TAP chain to see what debug interfaces might be available on that chain.
Techniques
Run a command such as “scan_chain” to see what TAPs are available in the chain.
Prerequisites
Hardware device has an exposed debug interface
Skills Required
[Level: Medium]
Ability to identify physical debug interfaces on a device
[Level: Medium]
Ability to operate devices to scan and connect to an exposed debug interface
Resources Required
A device to scan a TAP or JTAG interface, such as a JTAGulator
A device to communicate on a TAP or JTAG interface, such as a BusPirate
Consequences
This table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
Scope: Confidentiality; Impact: Read Data
Scope: Integrity; Impact: Modify Data
Scope: Access Control, Authorization; Impact: Gain Privileges
Mitigations
Implement: Ensure that debug components are properly chained, and their granularity is maintained at different authorization levels
Perform post-silicon validation tests at various authorization levels to ensure that debug components are only accessible to authorized users
Example Instances
A System-on-Chip (SoC) might give regular users access to the SoC-level TAP, but does not want to give access to all of the internal TAPs (e.g., Core). If any of the internal TAPs were incorrectly chained to the SoC-level TAP, this would grant regular users access to the internal TAPs and allow them to execute commands there.
Suppose there is a hierarchy of TAPs (TAP_A is connected to TAP_B and TAP_C, then TAP_B is connected to TAP_D and TAP_E, then TAP_C is connected to TAP_F and TAP_G, etc.). Architecture mandates that the user have one set of credentials for just accessing TAP_A, another set of credentials for accessing TAP_B and TAP_C, etc. However, if, during implementation, the designer mistakenly implements a daisy-chained TAP where all the TAPs are connected in a single TAP chain without the hierarchical structure, the correct granularity of debug components is not implemented, and the attacker can gain unauthorized access.
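The following is an added example, not part of the CAPEC entry, that models the TAP hierarchy above and the post-silicon validation test named under Mitigations. The credential levels, the per-TAP authorization check in the intended design, and the single-check behaviour of the mistaken daisy chain are constructed assumptions for illustration.

```python
from collections import deque

# Intended TAP hierarchy from the example above; the credential level each TAP
# requires is a constructed value (1 = SoC-level user, 3 = most privileged).
HIERARCHY = {
    "TAP_A": (1, ["TAP_B", "TAP_C"]),
    "TAP_B": (2, ["TAP_D", "TAP_E"]),
    "TAP_C": (2, ["TAP_F", "TAP_G"]),
    "TAP_D": (3, []), "TAP_E": (3, []),
    "TAP_F": (3, []), "TAP_G": (3, []),
}

def policy_reachable(tree, cred_level, root="TAP_A"):
    """Intended design: authorization is checked per TAP while descending the
    hierarchy, so a credential is stopped at the first TAP it is not cleared for."""
    seen, queue = set(), deque([root])
    while queue:
        tap = queue.popleft()
        level, children = tree[tap]
        if tap in seen or level > cred_level:
            continue
        seen.add(tap)
        queue.extend(children)
    return seen

def flat_chain_reachable(tree, cred_level, entry="TAP_A"):
    """Mis-implementation: every TAP sits on one daisy chain and authorization
    is checked only once, at the entry TAP; scan_chain then lists all of them."""
    return set(tree) if tree[entry][0] <= cred_level else set()

def validate_granularity(tree, implementation, max_level):
    """Post-silicon style check: query the implementation at each credential
    level and report TAPs exposed beyond the policy. Empty result means pass."""
    findings = {}
    for level in range(1, max_level + 1):
        extra = implementation(tree, level) - policy_reachable(tree, level)
        if extra:
            findings[level] = sorted(extra)
    return findings

if __name__ == "__main__":
    # The flat chain exposes the internal TAPs to level-1 and level-2 users.
    print(validate_granularity(HIERARCHY, flat_chain_reachable, 3))
    # The hierarchical implementation matches the policy at every level.
    print(validate_granularity(HIERARCHY, policy_reachable, 3))
```

In a real validation campaign the `implementation` callable would drive the device under test at each credential level and return the TAPs its scan chain reports, with the policy derived from the architecture specification.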
Related Weaknesses
A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful. If multiple weaknesses are associated with the attack pattern, then any of the weaknesses (but not necessarily all) may be present for the attack to be successful. Each related weakness is identified by a CWE identifier.
Incorrect Chaining or Granularity of Debug Components
Taxonomy Mappings
CAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping (see parent)