CWE-1274: Improper Access Control for Volatile Memory Containing Boot Code
The product conducts a secure-boot process that transfers bootloader code from Non-Volatile Memory (NVM) into Volatile Memory (VM), but it does not have sufficient access control or other protections for the Volatile Memory.
Extended Description
Adversaries could bypass the secure-boot process and execute their own untrusted, malicious boot code. As a part of a secure-boot process, the read-only-memory (ROM) code for a System-on-Chip (SoC) or other system fetches bootloader code from Non-Volatile Memory (NVM) and stores the code in Volatile Memory (VM), such as dynamic, random-access memory (DRAM) or static, random-access memory (SRAM). The NVM is usually external to the SoC, while the VM is internal to the SoC. As the code is transferred from NVM to VM, it is authenticated by the SoC's ROM code. If the volatile-memory-region protections or access controls are insufficient to prevent modifications from an adversary or untrusted agent, the secure boot may be bypassed or replaced with the execution of an adversary's code.
Technical Details
- Structure: Simple
Applicable To
Security Consequences
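Scope: Access Control, Integrity
Impact: Modify Memory; Execute Unauthorized Code or Commands; Gain Privileges or Assume Identity
Likelihood: High
Mitigation Strategies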
Phase
Description
Ensure that the design of volatile-memory protections is enough to prevent modification from an adversary or untrusted code.
Phase
Description
Test the volatile-memory protections to ensure they are safe from modification or untrusted code.
Detection Methods
Method: Manual Analysis
Description
Ensure the volatile memory is lockable or has locks. Ensure the volatile memory is locked for writes from untrusted agents or adversaries. Try modifying the volatile memory from an untrusted agent, and ensure these writes are dropped.
Effectiveness: High
Method: Manual Analysis
Description
Analyze the device using the following steps:
1. Identify all fabric master agents that are active during the system boot flow, when initial code is loaded from non-volatile storage to volatile memory.
2. Identify the volatile memory regions that are used for storing the loaded system executable program.
3. During system boot, test programming the memory regions identified in step 2 from all the masters identified in step 1.
Only trusted masters should be allowed to write to the memory regions. For example, pluggable device peripherals should not have write access to program load memory regions.
Effectiveness: Moderate
Code Examples & CVEs
Demonstrative Examples
A typical SoC secure boot's flow includes fetching the next piece of code (i.e., the boot loader) from NVM (e.g., serial, peripheral interface (SPI) flash), and transferring it to DRAM/SRAM volatile, internal memory, which is more efficient.
The memory from where the boot loader executes can be modified by an adversary.
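The manual-analysis steps from the Detection Methods section, applied to this flow, as an added example that is not part of the original entry: a small C model of a fabric write firewall with a weak policy beside a corrected one. The master IDs, the SRAM window and the policy names are assumptions made for illustration, not values from any real SoC.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical fabric master IDs (assumed for this example). */
enum { M_BOOT_ROM, M_APP_CPU, M_DMA, M_USB_DEV, M_COUNT };

/* One firewall entry: address window plus bitmask of masters allowed to write. */
typedef struct {
    uint32_t base, size;
    uint32_t write_mask;               /* bit i set => master i may write */
} region_t;

/* Constructed SRAM window that holds the authenticated boot loader. */
#define BOOT_BASE 0x20000000u
#define BOOT_SIZE 0x00010000u

/* Weak: every master keeps write access. Locked: only the boot ROM may write. */
static const region_t weak_policy   = { BOOT_BASE, BOOT_SIZE, (1u << M_COUNT) - 1 };
static const region_t locked_policy = { BOOT_BASE, BOOT_SIZE, 1u << M_BOOT_ROM };

/* Model of the fabric's decision: 1 if the write is accepted, 0 if dropped. */
int fabric_write_allowed(const region_t *r, int master, uint32_t addr)
{
    if (addr < r->base || addr - r->base >= r->size)
        return 1;                      /* outside the protected window */
    return (r->write_mask >> master) & 1u;
}

/* Steps 1-3: attempt a write from every master at both ends of the region;
 * return a bitmask of untrusted masters whose write was accepted. */
uint32_t audit_boot_region(const region_t *r, uint32_t trusted_mask)
{
    uint32_t offenders = 0;
    for (int m = 0; m < M_COUNT; m++) {
        int ok = fabric_write_allowed(r, m, r->base) ||
                 fabric_write_allowed(r, m, r->base + r->size - 1);
        if (ok && !((trusted_mask >> m) & 1u))
            offenders |= 1u << m;
    }
    return offenders;
}

int main(void)
{
    uint32_t trusted = 1u << M_BOOT_ROM;
    printf("weak:   0x%x\n", (unsigned)audit_boot_region(&weak_policy, trusted));
    printf("locked: 0x%x\n", (unsigned)audit_boot_region(&locked_policy, trusted));
    return 0;
}
```

A non-zero result names the masters that fail the check; on real hardware the same loop would issue writes from each master and read back the region instead of consulting a table.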
Observed CVE Examples (1)
Locked memory regions may be modified through other interfaces in a secure-boot-loader image due to improper access control.
CWE Relationships
No relationship information available for this CWE.
Frequently Asked Questions
What is CWE-1274: Improper Access Control for Volatile Memory Containing Boot Code?
CWE-1274: Improper Access Control for Volatile Memory Containing Boot Code is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product conducts a secure-boot process that transfers bootloader code from Non-Volatile Memory (NVM) into Volatile Memory (VM), but it does not have sufficient access control or other protections for the Volatile Memory. Adversaries could bypass the secure-boot process and execute their own untrusted, malicious boot code. As a part of a secure-boot process, the read-only-memory (ROM) code for a System-on-Chip (SoC) or other system fetches bootloader code from Non-Volatile Memory (NVM) and stores the code in Volatile Memory (VM), such as dynamic, random-access memory (DRAM) or static, random-access memory (SRAM). The NVM is usually external to the SoC, while the VM is internal to the SoC. As the code is transferred from NVM to VM, it is authenticated by the SoC's ROM code. If the volatile-memory-region protections or access controls are insufficient to prevent modifications from an adversary or untrusted agent, the secure boot may be bypassed or replaced with the execution of an adversary's code.
What are the security consequences of Improper Access Control for Volatile Memory Containing Boot Code?
If exploited, CWE-1274 (Improper Access Control for Volatile Memory Containing Boot Code) can compromise Access Control and Integrity, leading to outcomes such as Modify Memory, Execute Unauthorized Code or Commands, and Gain Privileges or Assume Identity.
How do you prevent or mitigate Improper Access Control for Volatile Memory Containing Boot Code?
Recommended mitigations for CWE-1274 include: Ensure that the design of volatile-memory protections is enough to prevent modification from an adversary or untrusted code. Test the volatile-memory protections to ensure they are safe from modification or untrusted code.
How is Improper Access Control for Volatile Memory Containing Boot Code detected?
CWE-1274 can be detected using Manual Analysis. Combining automated tooling with manual review typically yields the best coverage.
Which programming languages are affected by Improper Access Control for Volatile Memory Containing Boot Code?
CWE-1274 is not language-specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What are real-world examples of Improper Access Control for Volatile Memory Containing Boot Code?
MITRE documents real CVEs mapped to CWE-1274, including CVE-2019-2267. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
What is the difference between a CWE and a CVE?
A CWE (Common Weakness Enumeration) like CWE-1274 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.