CWE-1221: Incorrect Register Defaults or Module Parameters

BaseIncomplete

Hardware description language code incorrectly defines register defaults or hardware Intellectual Property (IP) parameters to insecure values.

View on MITRE
Back to CWE Lookup

Extended Description

Integrated circuits and hardware IP software programmable controls and settings are commonly stored in register circuits. These register contents have to be initialized at hardware reset to defined default values that are hard coded in the hardware description language (HDL) code of the hardware unit. Hardware descriptive languages also support definition of parameter variables, which can be defined in code during instantiation of the hardware IP module. Such parameters are generally used to configure a specific instance of a hardware IP in the design. The system security settings of a hardware design can be affected by incorrectly defined default values or IP parameters. The hardware IP would be in an insecure state at power reset, and this can be exposed or exploited by untrusted software running on the system. Both register defaults and parameters are hardcoded values, which cannot be changed using software or firmware patches but must be changed in hardware silicon. Thus, such security issues are considerably more difficult to address later in the lifecycle. Hardware designs can have a large number of such parameters and register defaults settings, and it is important to have design tool support to check these settings in an automated way and be able to identify which settings are security sensitive.

Technical Details

Structure
Simple

Applicable To

Languages
VerilogVHDL
Platforms

Frequently Asked Questions

What is CWE-1221: Incorrect Register Defaults or Module Parameters?+

CWE-1221: Incorrect Register Defaults or Module Parameters is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Hardware description language code incorrectly defines register defaults or hardware Intellectual Property (IP) parameters to insecure values. Integrated circuits and hardware IP software programmable controls and settings are commonly stored in register circuits. These register contents have to be initialized at hardware reset to defined default values that are hard coded in the hardware description language (HDL) code of the hardware unit. Hardware descriptive languages also support definition of parameter variables, which can be defined in code during instantiation of the hardware IP module. Such parameters are generally used to configure a specific instance of a hardware IP in the design. The system security settings of a hardware design can be affected by incorrectly defined default values or IP parameters. The hardware IP would be in an insecure state at power reset, and this can be exposed or exploited by untrusted software running on the system. Both register defaults and parameters are hardcoded values, which cannot be changed using software or firmware patches but must be changed in hardware silicon. Thus, such security issues are considerably more difficult to address later in the lifecycle. Hardware designs can have a large number of such parameters and register defaults settings, and it is important to have design tool support to check these settings in an automated way and be able to identify which settings are security sensitive.

What are the security consequences of Incorrect Register Defaults or Module Parameters?+

If exploited, CWE-1221 (Incorrect Register Defaults or Module Parameters) it can compromise Confidentiality, Integrity, Availability and Access Control, leading to outcomes such as Varies by Context.

How do you prevent or mitigate Incorrect Register Defaults or Module Parameters?+

Recommended mitigations for CWE-1221 include: During hardware design, all the system parameters and register defaults must be reviewed to identify security sensitive settings. The default values of these security sensitive settings need to be defined as part of the design review phase. Testing phase should use automated tools to test that values are configured per design specifications.

Which programming languages are affected by Incorrect Register Defaults or Module Parameters?+

CWE-1221 commonly affects Verilog and VHDL. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-1221 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More