All, Recently we've come across a few CWEs related to memory safety that don't exist in the hardware view but we at Cycuity feel have relevance to the hardware view. Specifically:
- *CWE-787 <https://cwe.mitre.org/data/definitions/787.html>:* Out-of-bounds Writes - *CWE-125 <https://cwe.mitre.org/data/definitions/125.html>:* Out-of-bounds Read - *CWE-786 <https://cwe.mitre.org/data/definitions/786.html>: *Access of Memory Location Before Start of Buffer - *CWE-126 <https://cwe.mitre.org/data/definitions/126.html>:* Buffer Over-read In hardware, typically memories get represented as an array with an address decoder. It's quite common for the address fed into the decoder to create an index into the memory array that is outside the boundaries of the array for both reads and writes. The result of this is that data is either read/written from/to a location that was not originally intended (or in some cases X [unknown] is read/written). This has an impact on both data confidentiality and integrity. Given this, we think these should have some representation in the hardware view. Either as is or perhaps with a hardware-specific CWE that's a child to these. I would be interested in others' thoughts on this. Perhaps we can discuss this in the next SIG meeting. Regards, Jason -- *Jason Oberg * | Co-founder and CTO ja...@cycuity.com <andreas.kuehlm...@cycuity.com> | +1-888-488-7706 cycuity.com | Connect with us <https://www.linkedin.com/company/3261758/admin/> NOTICE TO RECIPIENT | This email and any attachments may contain private, confidential and privileged material for the sole use of the intended recipient. If you are not the intended recipient, please immediately notify the sender of the error by return email and delete this email and any attachments.
