CWE-1298: Hardware Logic Contains Race Conditions

BaseDraft

A race condition in the hardware logic results in undermining security guarantees of the system.

View on MITRE
Back to CWE Lookup

Extended Description

A race condition in logic circuits typically occurs when a logic gate gets inputs from signals that have traversed different paths while originating from the same source. Such inputs to the gate can change at slightly different times in response to a change in the source signal. This results in a timing error or a glitch (temporary or permanent) that causes the output to change to an unwanted state before settling back to the desired state. If such timing errors occur in access control logic or finite state machines that are implemented in security sensitive flows, an attacker might exploit them to circumvent existing protections.

Technical Details

Structure
Simple

Applicable To

Languages
VerilogVHDL
Platforms

Frequently Asked Questions

What is CWE-1298: Hardware Logic Contains Race Conditions?+

CWE-1298: Hardware Logic Contains Race Conditions is a Common Weakness Enumeration (CWE) entry maintained by MITRE. A race condition in the hardware logic results in undermining security guarantees of the system. A race condition in logic circuits typically occurs when a logic gate gets inputs from signals that have traversed different paths while originating from the same source. Such inputs to the gate can change at slightly different times in response to a change in the source signal. This results in a timing error or a glitch (temporary or permanent) that causes the output to change to an unwanted state before settling back to the desired state. If such timing errors occur in access control logic or finite state machines that are implemented in security sensitive flows, an attacker might exploit them to circumvent existing protections.

What are the security consequences of Hardware Logic Contains Race Conditions?+

If exploited, CWE-1298 (Hardware Logic Contains Race Conditions) it can compromise Access Control, leading to outcomes such as Bypass Protection Mechanism, Gain Privileges or Assume Identity and Alter Execution Logic.

How do you prevent or mitigate Hardware Logic Contains Race Conditions?+

Recommended mitigations for CWE-1298 include: Adopting design practices that encourage designers to recognize and eliminate race conditions, such as Karnaugh maps, could result in the decrease in occurrences of race conditions. Logic redundancy can be implemented along security critical paths to prevent race conditions. To avoid metastability, it is a good practice in general to default to a secure state in which access is not given to untrusted agents.

Which programming languages are affected by Hardware Logic Contains Race Conditions?+

CWE-1298 commonly affects Verilog and VHDL. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-1298 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More