CWE-1302: Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)

BaseIncomplete

The product implements a security identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. A transaction is sent without a security identifier.

View on MITRE
Back to CWE Lookup

Extended Description

In a System-On-Chip (SoC), various integrated circuits and hardware engines generate transactions such as to access (reads/writes) assets or perform certain actions (e.g., reset, fetch, compute). A typical transaction is comprised of source identity (to identify the originator of the transaction) and a destination identity (to route the transaction to the respective entity) in addition to much more information in the message. Sometimes the transactions are qualified with a Security Identifier. This Security Identifier helps the destination agent decide on the set of allowed or disallowed actions. A weakness that can exist in such transaction schemes is that the source agent does not consistently include the necessary Security Identifier with the transaction. If the Security Identifier is missing, the destination agent might drop the message (resulting in an inadvertent Denial-of-Service (DoS)) or take inappropriate action by default in its attempt to execute the transaction, resulting in privilege escalation or provision of unintended access.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms
Not OS-Specific

Frequently Asked Questions

What is CWE-1302: Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)?+

CWE-1302: Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC) is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product implements a security identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. A transaction is sent without a security identifier. In a System-On-Chip (SoC), various integrated circuits and hardware engines generate transactions such as to access (reads/writes) assets or perform certain actions (e.g., reset, fetch, compute). A typical transaction is comprised of source identity (to identify the originator of the transaction) and a destination identity (to route the transaction to the respective entity) in addition to much more information in the message. Sometimes the transactions are qualified with a Security Identifier. This Security Identifier helps the destination agent decide on the set of allowed or disallowed actions. A weakness that can exist in such transaction schemes is that the source agent does not consistently include the necessary Security Identifier with the transaction. If the Security Identifier is missing, the destination agent might drop the message (resulting in an inadvertent Denial-of-Service (DoS)) or take inappropriate action by default in its attempt to execute the transaction, resulting in privilege escalation or provision of unintended access.

What are the security consequences of Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)?+

If exploited, CWE-1302 (Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)) it can compromise Confidentiality, Integrity, Availability and Access Control, leading to outcomes such as Modify Memory, Read Memory, DoS: Crash, Exit, or Restart, Bypass Protection Mechanism and Execute Unauthorized Code or Commands.

How do you prevent or mitigate Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)?+

Recommended mitigations for CWE-1302 include: Transaction details must be reviewed for design inconsistency and common weaknesses. Security identifier definition and programming flow must be tested in pre-silicon and post-silicon testing.

Which programming languages are affected by Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)?+

CWE-1302 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-1302 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More