Corgea LogoCorgea Security Hub

CWE-1221: Incorrect Register Defaults or Module Parameters

Learn about CWE-1221 (Incorrect Register Defaults or Module Parameters), its security impact, exploitation methods, and prevention guidelines.

What is Incorrect Register Defaults or Module Parameters?

• Overview: CWE-1221, Incorrect Register Defaults or Module Parameters, occurs when hardware description language (HDL) code sets insecure default values for register settings or IP parameters, potentially leaving a hardware design in an insecure state after a reset.

• Exploitation Methods:

  • Attackers can exploit this vulnerability by leveraging untrusted software to access insecure default states.
  • Common attack patterns include manipulating register settings to bypass security controls or exploit initialization flaws.

• Security Impact:

  • Direct consequences include the hardware starting in an unprotected state, leaving it open to exploitation.
  • Potential cascading effects involve compromised system integrity and unauthorized access to sensitive data.
  • Business impact can be severe, leading to data breaches, loss of intellectual property, and damage to brand reputation.

• Prevention Guidelines:

  • Specific code-level fixes include thoroughly reviewing and validating all register defaults and IP parameters for security implications.
  • Security best practices involve implementing comprehensive testing of hardware designs to ensure proper initialization and secure configurations.
  • Recommended tools and frameworks include using automated design verification tools to check for security-sensitive register and parameter settings during development.
Corgea can automatically detect and fix Incorrect Register Defaults or Module Parameters in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Verilog, VHDL

Affected Technologies: Not Technology-Specific

Vulnerable Code Example

module secure_module (
    input wire clk,
    input wire reset,
    output reg [7:0] data_out
);
    // Vulnerable default register value
    reg [7:0] secret_key = 8'b00000000; // Default value is insecure and predictable

    initial begin
        // Incorrect module parameter
        data_out = 8'b11111111; // This default output value may leak sensitive information
    end
endmodule

Explanation:

  • Line 5: The secret_key is initialized to all zeros, which is a predictable and insecure value. If an attacker can guess this value, it could lead to unauthorized access or data leakage.
  • Line 7: The data_out is set to all ones during initialization, which might unintentionally reveal sensitive data or the module's behavior, especially if this value is observable externally during startup.

How to fix Incorrect Register Defaults or Module Parameters?

To fix these vulnerabilities, ensure that:

  1. Secure Default Values: Use non-trivial default values for registers that do not expose sensitive information. Consider using randomness or obfuscation techniques.
  2. Safe Initialization: Avoid setting module parameters or outputs to values that might reveal sensitive information. Initialize them securely in response to a reset condition or during controlled system states.
  3. Parameterization: Use Verilog parameters to define secure default values, enabling easier management and auditing of these values for security.

Fixed Code Example

module secure_module (
    input wire clk,
    input wire reset,
    output reg [7:0] data_out
);
    // Fixed: Secure default register value using a parameter
    parameter [7:0] DEFAULT_SECRET_KEY = 8'b10101010; // Secure, non-trivial default value
    reg [7:0] secret_key = DEFAULT_SECRET_KEY;

    initial begin
        // Fixed: Safe initialization of data_out
        if (reset) begin
            data_out = 8'b00000000; // Safe default during reset
        end else begin
            data_out = secure_initial_value(); // Use a function to securely initialize
        end
    end

    // Function to provide a secure initial value for data_out
    function [7:0] secure_initial_value;
        // Implement logic to compute or load a secure initial value
        secure_initial_value = 8'b00110101; // Example secure initialization
    endfunction
endmodule

Explanation:

  • Line 5: A parameter DEFAULT_SECRET_KEY is introduced with a non-trivial default value, making the key harder to guess and more secure.
  • Lines 10-12: The initialization of data_out is conditional, checking for a reset signal to ensure it's set to zero safely during reset. If not resetting, it uses the secure_initial_value() function to initialize data_out securely.
  • Function: secure_initial_value provides a mechanism to compute or load a secure initial value, ensuring no sensitive information is exposed during initialization. This approach also allows for easy updates to the initialization logic as needed.
Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-1221: Incorrect Register Defaults or Module Parameters and get remediation guidance

Start for free and no credit card needed.