CWE-1312: Missing Protection for Mirrored Regions in… | Glexia
CWE-1312 (Missing Protection for Mirrored Regions in On-Chip Fabric Firewall) weakness overview with consequences, detection methods, mitigations, related CVEs and…
Glexia's Take · Automated analysis
CWE-1312: Missing Protection for Mirrored Regions in On-Chip Fabric Firewall
Missing Protection for Mirrored Regions in On-Chip Fabric Firewall represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Executive Impact
- Confidentiality,Integrity,Access Control: Modify Memory,Read Memory,Bypass Protection Mechanism
Developer Pattern
CWE-1312 is the kind of defect developers can usually prevent with explicit validation, safer framework defaults, and tests that exercise hostile input or unsafe state transitions.
Automation confidence
high confidence from CWE-1312, 4.20.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Official CWE Definition
CWE-1312: Missing Protection for Mirrored Regions in On-Chip Fabric Firewall
The firewall in an on-chip fabric protects the main addressed region, but it does not protect any mirrored memory or memory-mapped-IO (MMIO) regions.
Developer And Remediation Guidance
How teams prevent and detect this weakness
Causes
- A memory-controller IP block is connected to the on-chip fabric in a System on Chip (SoC). The memory controller is configured to divide the memory into four parts: one original and three mirrored regions inside the memory. The upper two bits of the address indicate which region is being addressed. 00 indicates the original region and 01, 10, and 11 are used to address the mirrored regions. All four regions operate in a lock-step manner and are always synchronized. The firewall in the on-chip fabric is programmed to protect the assets in the memory. The firewall only protects the original range but not the mirrored regions.,The attacker (as an unprivileged user) sends a write transaction to the mirrored region. The mirrored region has an address with the upper two bits set to "10" and the remaining bits of the address pointing to an asset. The firewall does not block this write transaction. Once the write is successful, contents in the protected-memory region are also updated. Thus, the attacker can bypass existing, memory protections.,Firewall should protect mirrored regions.
Remediation
- Architecture and Design: The fabric firewall should apply the same protections as the original region to the mirrored regions.
- Implementation: The fabric firewall should apply the same protections as the original region to the mirrored regions.
Detection
- Manual Dynamic Analysis: Using an external debugger, send write transactions to mirrored regions to test if original, write-protected regions are modified. Similarly, send read transactions to mirrored regions to test if the original, read-protected signals can be read.
Mappings
Related CVEs, CWEs, and ATT&CK context
ATT&CK Relevance
ATT&CK relevance is shown only when reviewed or responsibly inferred.
