CWE-1242: Inclusion of Undocumented Features or Chicken Bits
Weakness ID: 1242
Version: v4.17
Weakness Name: Inclusion of Undocumented Features or Chicken Bits
Vulnerability Mapping: Allowed
Abstraction: Base
Structure: Simple
Status: Incomplete
Likelihood of Exploit:
▼Description

The device includes chicken bits or undocumented features that can create entry points for unauthorized actors.

▼Extended Description

A common design practice is to use undocumented bits on a device that can be used to disable certain functional security features. These bits are commonly referred to as "chicken bits". They can facilitate quick identification and isolation of faulty components, features that negatively affect performance, or features that do not provide the required controllability for debug and test. Another way to achieve this is through implementation of undocumented features. An attacker might exploit these interfaces for unauthorized access.


▼Common Consequences
Scope: Confidentiality, Integrity, Availability, Access Control
Likelihood: N/A
Impact: Modify Memory, Read Memory, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity, Bypass Protection Mechanism
Note:
N/A
▼Potential Mitigations
Phase: Architecture and Design, Implementation
Effectiveness: High
Description:

The implementation of chicken bits in a released product is highly discouraged. If implemented at all, ensure that they are disabled in production devices. All interfaces to a device should be documented.

▼Modes Of Introduction
Phase: Architecture and Design
Note:

N/A

Phase: Implementation
Note:

N/A

Phase: Documentation
Note:

N/A

▼Applicable Platforms
Languages
Class: Not Language-Specific (Undetermined Prevalence)
Technology
Class: Not Technology-Specific (Undetermined Prevalence)
Class: ICS/OT (Undetermined Prevalence)
Operating System
Class: Not OS-Specific (Undetermined Prevalence)
Architecture
Class: Not Architecture-Specific (Undetermined Prevalence)
▼Demonstrative Examples
Example 1

Consider a device that comes with various security measures, such as secure boot. The secure-boot process performs firmware-integrity verification at boot time, and this code is stored in a separate SPI-flash device. However, this code contains undocumented "special access features" intended to be used only for performing failure analysis and intended to only be unlocked by the device designer.

Language: Other (Bad code)
Attackers dump the code from the device and then reverse engineer it. The undocumented special-access features are identified, and attackers can activate them by sending specific commands via UART before the secure-boot phase completes. Using these hidden features, attackers can perform reads and writes to memory via the UART interface. At runtime, the attackers can also execute arbitrary code and dump the entire memory contents.

Remove all chicken bits and hidden features that are exposed to attackers. Add authorization schemes that rely on cryptographic primitives to access any features that the manufacturer does not want to expose. Clearly document all interfaces.
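
The mitigation above, modelled as an added example (not part of the CWE entry or any vendor's firmware): a boot-time console that decodes only a documented command table, refuses debug commands outright on production parts, and otherwise requires a single-use HMAC challenge-response. The opcodes, lifecycle states and the `BootConsole` class are hypothetical names chosen for this sketch.

```python
import hashlib
import hmac
import secrets
from enum import Enum


class Lifecycle(Enum):          # hypothetical states; a real part reads them from fuses
    DEVELOPMENT = 0
    PRODUCTION = 1


# The complete, documented command set: opcode -> (description, debug_only).
# Opcodes and descriptions are constructed for this example.
COMMANDS = {
    0x01: ("report firmware version", False),
    0x10: ("failure-analysis memory read", True),
}


class BootConsole:
    def __init__(self, lifecycle: Lifecycle, unlock_key: bytes):
        self.lifecycle = lifecycle
        self._key = unlock_key      # assumed per-device key in protected storage
        self._nonce = None          # outstanding challenge, single use
        self.authed = False

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def unlock(self, response: bytes) -> bool:
        nonce, self._nonce = self._nonce, None      # consume before checking
        self.authed = False
        if self.lifecycle is Lifecycle.PRODUCTION or nonce is None:
            return False
        want = hmac.new(self._key, nonce, hashlib.sha256).digest()
        self.authed = hmac.compare_digest(want, response)
        return self.authed

    def handle(self, opcode: int) -> str:
        if opcode not in COMMANDS:
            return "unknown"        # no decode path outside the documented table
        _, debug_only = COMMANDS[opcode]
        if not debug_only:
            return "ok"
        if self.lifecycle is Lifecycle.PRODUCTION:
            return "disabled"       # lifecycle state overrides any credential
        return "ok" if self.authed else "needs-auth"
```

Because the nonce is consumed before the comparison, a failed or replayed response forces a fresh challenge, and the production check comes first so a leaked unlock key cannot re-enable the feature on shipped devices.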

      ▼Vulnerability Mapping Notes
      Usage: Allowed
      Reason: Acceptable-Use
      Rationale:

      This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

      Comments:

      Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

      ▼Taxonomy Mappings
      Taxonomy Name: ISA/IEC 62443
      Entry ID: Part 4-1
      Fit: N/A
      Entry Name: Req SD-4
      Taxonomy Name: ISA/IEC 62443
      Entry ID: Part 4-1
      Fit: N/A
      Entry Name: Req SVV-3
      Taxonomy Name: ISA/IEC 62443
      Entry ID: Part 4-2
      Fit: N/A
      Entry Name: Req CR 2.12
      ▼Related Attack Patterns
      ID: CAPEC-212
      Name: Functionality Misuse
      ID: CAPEC-36
      Name: Using Unpublished Interfaces or Functionality
      ▼References
      Reference ID: REF-1071
      Title: Doors of Durin: The Veiled Gate to Siemens S7 Silicon
      Author: Ali Abbasi, Tobias Scharnowski, Thorsten Holz
      URL: https://i.blackhat.com/eu-19/Wednesday/eu-19-Abbasi-Doors-Of-Durin-The-Veiled-Gate-To-Siemens-S7-Silicon.pdf
      Reference ID: REF-1072
      Title: Breakthrough Silicon Scanning Discovers Backdoor in Military Chip
      Author: Sergei Skorobogatov, Christopher Woods
      URL: https://www.cl.cam.ac.uk/~sps32/Silicon_scan_draft.pdf
      Reference ID: REF-1073
      Title: God Mode Unlocked: Hardware Backdoors in x86 CPUs
      Author: Chris Domas
      URL: https://i.blackhat.com/us-18/Thu-August-9/us-18-Domas-God-Mode-Unlocked-Hardware-Backdoors-In-x86-CPUs.pdf
      Reference ID: REF-1074
      Title: Hardware Backdooring is Practical
      Author: Jonathan Brossard
      URL: https://media.blackhat.com/bh-us-12/Briefings/Brossard/BH_US_12_Brossard_Backdoor_Hacking_Slides.pdf
      Reference ID: REF-1075
      Title: Security, Reliability, and Backdoors
      Author: Sergei Skorobogatov
      URL: https://www.cl.cam.ac.uk/~sps32/SG_talk_SRB.pdf