Thanks for recalling this work, Jason! If the list of transient execution CWEs would be helpful, it does exist in the public domain: https://github.com/CWE-CAPEC/hw-cwe-sig/blob/b14189ceb8b198b040340e504f8d37f16a5799f0/working-docs/transient.md#applying-these-new-cwes-to-a-variety-of-transient-execution-cves.
Regards, Scott Constable From: Jason Oberg <ja...@cycuity.com> Sent: Tuesday, October 15, 2024 9:54 AM To: Kanuparthi, Arun <arun.kanupar...@intel.com> Cc: Steven M Christey <co...@mitre.org>; Fung, Jason M <jason.m.f...@intel.com>; Ford, Thomas <thoma...@dell.com>; HW CWE Special Interest Group SIG <hw-cwe-special-interest-group-sig-list@mitre.org>; Bob Heinemann <rheinem...@mitre.org> Subject: Re: [EXT] Re: Hardward CWE Top-N list Another data point is the work done on the microarchitectural/transient execution weaknesses. Scott Constable did a great job of putting together a long list of relevant CVEs and the CWE mappings, so we may be able to use some of that data as well. Perhaps one approach to this "most important HW list" is to start with something data centric like hardware advisories (as Arun mentioned) or the microarchitectural vulnerabilities then "back fill" the rest through a survey of the community like we did before. It's not perfect but would at least anchor some of the most important HW CWEs into real observed examples. On Tue, Oct 15, 2024 at 9:14 AM Kanuparthi, Arun <arun.kanupar...@intel.com<mailto:arun.kanupar...@intel.com>> wrote: I’m afraid we can’t go by NVD data alone to get our top HW CWE list as not many CVEs do not follow the diligent tagging for HW CWEs. A lot of security advisories have been published in the past few years pertaining to hardware. We will need to eyeball those and make a ballpark guess of what the CWE could be. It is time taking but might be worth it. The Hack@DAC team periodically monitors these advisories to get ideas to insert new bugs in the competition. We’d be happy to help. -Arun Kanuparthi From: Steven M Christey <co...@mitre.org<mailto:co...@mitre.org>> Sent: Tuesday, October 15, 2024 9:03 AM To: Oberg, Jason <ja...@cycuity.com<mailto:ja...@cycuity.com>>; Fung, Jason M <jason.m.f...@intel.com<mailto:jason.m.f...@intel.com>> Cc: Ford, Thomas <thoma...@dell.com<mailto:thoma...@dell.com>>; HW CWE Special Interest Group SIG <hw-cwe-special-interest-group-sig-list@mitre.org<mailto:hw-cwe-special-interest-group-sig-list@mitre.org>>; Bob Heinemann <rheinem...@mitre.org<mailto:rheinem...@mitre.org>> Subject: RE: [EXT] Re: Hardward CWE Top-N list There are no HW-specific CWEs in recent CWE Top 25 lists (derived from NVD data), and there’s no indication in this year’s Top 25 work either. We can look at some recent NVD data to see how much any particular HW CWE is used, but I’ll warn ahead of time that the number will almost certainly be very small. Consider that a HW product with a design weakness is going against software products with dozens of implementation bugs like SQL injection and buffer overflows. Also, many HW products seem to map to “classic” non-HW CWEs. We can get back to you with some numbers fairly quickly. - Steve From: Jason Oberg <ja...@cycuity.com<mailto:ja...@cycuity.com>> Sent: Tuesday, October 8, 2024 6:30 PM To: Fung, Jason <jason.m.f...@intel.com<mailto:jason.m.f...@intel.com>> Cc: Ford, Thomas <thoma...@dell.com<mailto:thoma...@dell.com>>; HW CWE Special Interest Group SIG <hw-cwe-special-interest-group-sig-list@mitre.org<mailto:hw-cwe-special-interest-group-sig-list@mitre.org>>; Bob Heinemann <rheinem...@mitre.org<mailto:rheinem...@mitre.org>> Subject: [EXT] Re: Hardward CWE Top-N list This Message Is From an External Sender This message originates outside of MITRE. If you feel this is suspicious, please report it via "Report Suspicious Email" button in Outlook. Third! Having a refresh to the TopN for hardware would be great for the community. On Tue, Oct 8, 2024 at 3:21 PM Fung, Jason M <jason.m.f...@intel.com<mailto:jason.m.f...@intel.com>> wrote: Great point. I second Tom’s idea. From: Ford, Thomas <thoma...@dell.com<mailto:thoma...@dell.com>> Sent: Tuesday, October 8, 2024 1:45 PM To: hw-cwe-special-interest-group-sig-list@mitre.org<mailto:hw-cwe-special-interest-group-sig-list@mitre.org> Cc: Bob Heinemann <rheinem...@mitre.org<mailto:rheinem...@mitre.org>> Subject: Hardward CWE Top-N list Hello, I would like bring up a topic to the group about the Most Important Hardware Weakness list now that it’s a few years old. I’ve been looking into the question of which HW CWEs have been referenced from CVEs to date, and are those CWEs on the Top N list? Should we revisit the Top N list based on what is being reported to CVE? I’m curious about what insights others have on this. Thanks, Tom Ford Internal Use - Confidential
