Corgea LogoCorgea Security Hub

CWE-1314: Missing Write Protection for Parametric Data Values

Learn about CWE-1314 (Missing Write Protection for Parametric Data Values), its security impact, exploitation methods, and prevention guidelines.

What is Missing Write Protection for Parametric Data Values?

• Overview: This vulnerability occurs when a device fails to protect the parametric data values used by sensors to scale their outputs, allowing unauthorized software to alter sensor readings. This can lead to inaccurate sensor data, potentially damaging hardware or causing operational failures.

• Exploitation Methods:

  • Attackers can manipulate sensor readings by altering unprotected parametric data values.
  • Common attack patterns include modifying scale conversion factors to misrepresent sensor outputs.

• Security Impact:

  • Direct consequences include hardware damage or operational disruption due to incorrect sensor data.
  • Potential cascading effects could involve triggering safety mechanisms or shutting down systems based on false sensor readings.
  • Business impact may involve costly hardware repairs, downtime, and loss of trust from customers.

• Prevention Guidelines:

  • Implement write protection for all sensor parametric data values to prevent unauthorized modifications.
  • Employ security best practices such as using trusted software or hardware fuses to set and protect sensor thresholds.
  • Use recommended tools and frameworks that offer mechanisms for securing sensor data and enforcing write protection policies.
Corgea can automatically detect and fix Missing Write Protection for Parametric Data Values in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Not Language-Specific

Affected Technologies: Sensor Hardware

Vulnerable Code Example

Sure, let's improve the code examples provided for CWE-1314 (Missing Write Protection for Parametric Data Values) by addressing the issues mentioned.

# sensor_module.py {11-14}
class Sensor:
    def __init__(self):
        # Public dictionary that can be modified externally
        self.parametric_data = {
            'scale_factor': 1.0,  # Scale factor for sensor readings
            'offset': 0.0         # Offset for sensor readings
        }

    def get_scaled_reading(self, raw_value):
        # Vulnerability: parametric_data can be modified externally
        return raw_value * self.parametric_data['scale_factor'] + self.parametric_data['offset']

sensor = Sensor()
# Untrusted code can modify parametric_data
sensor.parametric_data['scale_factor'] = 10.0  # Malicious alteration
print(sensor.get_scaled_reading(100))  # Outputs: 1000.0 (manipulated reading)

Explanation

In this vulnerable example, the parametric_data dictionary is publicly accessible and modifiable. This allows untrusted code to alter these values, potentially leading to incorrect sensor readings and operational failures. The lack of encapsulation and direct access to critical parameters is the core issue here.

How to fix Missing Write Protection for Parametric Data Values?

To fix this vulnerability, encapsulation should be used to protect the parametric data. By implementing private attributes and providing controlled access through dedicated methods, we can prevent unauthorized modifications. This ensures that only trusted methods can alter these critical values.

Fixed Code Example

# sensor_module.py {11-20}
class Sensor:
    def __init__(self):
        # Private attributes for encapsulation
        self._scale_factor = 1.0
        self._offset = 0.0

    def get_scaled_reading(self, raw_value):
        # Read the private attributes to calculate the scaled reading
        return raw_value * self._scale_factor + self._offset

    def set_scaling_parameters(self, scale_factor, offset):
        # Provides controlled access to modify scale_factor and offset
        # Add validation if necessary to ensure safe values
        if scale_factor >= 0 and offset >= 0:  # Example validation
            self._scale_factor = scale_factor
            self._offset = offset
        else:
            raise ValueError("Scale factor and offset must be non-negative")

sensor = Sensor()
# Only trusted methods can modify the scale parameters
sensor.set_scaling_parameters(1.5, 5.0)
print(sensor.get_scaled_reading(100))  # Outputs: 155.0 (trusted reading)

Explanation

In the fixed code, parametric_data has been replaced by private attributes _scale_factor and _offset. A public method set_scaling_parameters() is provided to allow controlled modification of these values, including basic validation to ensure safe values. This ensures that untrusted code cannot directly alter the scaling parameters, protecting the system from potential misuse and incorrect sensor readings.

Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-1314: Missing Write Protection for Parametric Data Values and get remediation guidance

Start for free and no credit card needed.