CWE-1282: Assumed-Immutable Data is Stored in Writable Memory
Learn about CWE-1282 (Assumed-Immutable Data is Stored in Writable Memory), its security impact, exploitation methods, and prevention guidelines.
What is Assumed-Immutable Data is Stored in Writable Memory?
• Overview: Assumed-Immutable Data is Stored in Writable Memory refers to the vulnerability where data presumed to be unchangeable, like bootloaders or configuration settings, is kept in memory that can be altered, risking unauthorized modifications.
• Exploitation Methods:
- Attackers can modify the data stored in writable memory to bypass security controls or introduce malicious code.
- Common attack patterns include reprogramming the bootloader to load unauthorized code or altering device identifiers for malicious purposes.
• Security Impact:
- Direct consequences of successful exploitation include unauthorized code execution and compromised system integrity.
- Potential cascading effects include the compromise of cryptographic keys, leading to broader system and data breaches.
- Business impact includes loss of customer trust, potential legal liabilities, and financial losses due to data breaches or system failures.
• Prevention Guidelines:
- Specific code-level fixes include ensuring critical data is stored in read-only memory or using one-time programmable memory solutions.
- Security best practices involve implementing secure boot processes and using hardware-based security features to protect essential assets.
- Recommended tools and frameworks include using secure storage libraries and hardware security modules (HSMs) to safeguard immutable data.
Corgea can automatically detect and fix Assumed-Immutable Data is Stored in Writable Memory in your codebase. Try Corgea free today.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not Language-Specific
Affected Technologies: Not Technology-Specific
Vulnerable Code Example
// This JavaScript example demonstrates a vulnerability where immutable configuration data is stored in a modifiable object.
class ConfigManager {
constructor() {
// Vulnerable: Configuration data stored in a plain object, allowing modification.
this.configData = {
deviceId: "12345-ABCDE",
bootloaderVersion: "1.0.0"
}; // Configuration data is mutable and can be altered externally.
}
updateConfig(key, value) {
// This method allows updates to the configuration, which should be immutable.
if (this.configData.hasOwnProperty(key)) {
this.configData[key] = value; // This line allows modification of supposedly immutable data.
}
}
}
How to fix Assumed-Immutable Data is Stored in Writable Memory?
To address this vulnerability in JavaScript, we can use Object.freeze() to make the configuration object immutable. Freezing an object prevents new properties from being added to it and existing properties from being removed or altered. This ensures that configuration data intended to be immutable cannot be changed, preserving its integrity and security.
Fixed Code Example
class ConfigManager {
constructor() {
// Use Object.freeze() to make the configuration data immutable.
this.configData = Object.freeze({
deviceId: "12345-ABCDE",
bootloaderVersion: "1.0.0"
}); // Configuration data is now immutable and cannot be altered.
}
getConfig() {
// Provide a method to safely access the configuration data.
return this.configData;
}
// Removed the updateConfig method to prevent any modifications to the configuration data.
}
In both examples, the key takeaway is to use data structures and methods that enforce immutability, ensuring that critical configuration data cannot be altered once set. This approach enhances the security and integrity of the application by preventing unintended modifications to configuration settings.