Incorrect Initialization of Resource

The product attempts to initialize a resource but does not correctly do so, which might leave the resource in an unexpected, incorrect, or insecure state when it is accessed.

  • Source

    CWE Catalog - 4.14

  • Identifier

    CWE-1419

  • Status

    Incomplete

Contents

Description

This can have security implications when the associated resource is expected to have certain properties or values. Examples include a variable that determines whether a user has been authenticated or not, or a register or fuse value that determines the security state of the product.

For software, this weakness can frequently occur when implicit initialization is used, meaning the resource is not explicitly set to a specific value. For example, in C, memory is not necessarily cleared when it is allocated on the stack, and many scripting languages use a default empty, null value, or zero value when a variable is not explicitly initialized.

For hardware, this weakness frequently appears with reset values and fuses. After a product reset, hardware may initialize registers incorrectly. During different phases of a product lifecycle, fuses may be set to incorrect values. Even if fuses are set to correct values, the lines to the fuse could be broken or there might be hardware on the fuse line that alters the fuse value to be incorrect.

Demonstrations

The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk.

Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls.

Example One

Consider example design module system verilog code shown below. The register_example module is an example parameterized module that defines two parameters, REGISTER_WIDTH and REGISTER_DEFAULT. Register_example module defines a Secure_mode setting, which when set makes the register content read-only and not modifiable by software writes. register_top module instantiates two registers, Insecure_Device_ID_1 and Insecure_Device_ID_2. Generally, registers containing device identifier values are required to be read only to prevent any possibility of software modifying these values. 

// Parameterized Register module example
// Secure_mode : REGISTER_DEFAULT[0] : When set to 1 register is read only and not writable//
module register_example
#(
parameter REGISTER_WIDTH = 8, // Parameter defines width of register, default 8 bits
parameter [REGISTER_WIDTH-1:0] REGISTER_DEFAULT = 2**REGISTER_WIDTH -2 // Default value of register computed from Width. Sets all bits to 1s except bit 0 (Secure _mode)
)
(
input [REGISTER_WIDTH-1:0] Data_in,
input Clk,
input resetn,
input write,
output reg [REGISTER_WIDTH-1:0] Data_out
);

reg Secure_mode;

always @(posedge Clk or negedge resetn)

  if (~resetn)
  begin

    Data_out <= REGISTER_DEFAULT; // Register content set to Default at reset
    Secure_mode <= REGISTER_DEFAULT[0]; // Register Secure_mode set at reset

  end
  else if (write & ~Secure_mode)
  begin

    Data_out <= Data_in;

  end

endmodule


module register_top
(
input Clk,
input resetn,
input write,
input [31:0] Data_in,
output reg [31:0] Secure_reg,
output reg [31:0] Insecure_reg
);

register_example #(

  .REGISTER_WIDTH (32),
  .REGISTER_DEFAULT (1224) // Incorrect Default value used bit 0 is 0.

) Insecure_Device_ID_1 (

  .Data_in (Data_in),
  .Data_out (Secure_reg),
  .Clk (Clk),
  .resetn (resetn),
  .write (write)

);

register_example #(

  .REGISTER_WIDTH (32) // Default not defined 2^32-2 value will be used as default.

) Insecure_Device_ID_2 (

  .Data_in (Data_in),
  .Data_out (Insecure_reg),
  .Clk (Clk),
  .resetn (resetn),
  .write (write)

);

endmodule

These example instantiations show how, in a hardware design, it would be possible to instantiate the register module with insecure defaults and parameters.

In the example design, both registers will be software writable since Secure_mode is defined as zero. 

register_example #(

  .REGISTER_WIDTH (32),
  .REGISTER_DEFAULT (1225) // Correct default value set, to enable Secure_mode

) Secure_Device_ID_example (

  .Data_in (Data_in),
  .Data_out (Secure_reg),
  .Clk (Clk),
  .resetn (resetn),
  .write (write)

);

Example Two

This code attempts to login a user using credentials from a POST request:

// $user and $pass automatically set from POST request
if (login_user($user,$pass)) {
  $authorized = true;
}
...

if ($authorized) {
  generatePage();
}

Because the $authorized variable is never initialized, PHP will automatically set $authorized to any value included in the POST request if register_globals is enabled. An attacker can send a POST request with an unexpected third value 'authorized' set to 'true' and gain authorized status without supplying valid credentials.

Here is a fixed version:

$user = $_POST['user'];
$pass = $_POST['pass'];
$authorized = false;
if (login_user($user,$pass)) {
  $authorized = true;
}
...

This code avoids the issue by initializing the $authorized variable to false and explicitly retrieving the login credentials from the $_POST variable. Regardless, register_globals should never be enabled and is disabled by default in current versions of PHP.

See Also

Comprehensive Categorization: Resource Lifecycle Management

Weaknesses in this category are related to resource lifecycle management.

Comprehensive CWE Dictionary

This view (slice) covers all the elements in CWE.

Weaknesses Introduced During Implementation

This view (slice) lists weaknesses that can be introduced during implementation.

Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.