The Mitre Corporation has released version 4.0 of the Common Weakness Enumeration (CWE) list, which has been expanded to include hardware security weaknesses.
The Common Weakness Enumeration (CWE) is a category system for weaknesses and vulnerabilities.
The project is sponsored by Mitre and supported by US-CERT and the National Cyber Security Division of the US Department of Homeland Security.
Thee CWE list is community-developed and “serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation, and prevention efforts.”
Hardware security weaknesses
Until now, the CWE list categorized only software weaknesses but, due to popular demand, has been now expanded to cover security issues that can be encountered in hardware design, including:
- Manufacturing and life cycle management concerns
- Security flow issues
- Integration issues
- Privilege separation and access control issues
- General circuit and logic design concerns
- Core and compute issues
- Memory and storage issues
- Peripherals, on-chip fabric, and interface/IO problems
- Security primitives and cryptography issues
- Power, clock, and reset concerns
- Debug and test problems
- Cross-cutting problems
This addition can come in handy to hardware designers to better understand potential mistakes that can be made in specific areas of their IP design, as well as to educators to teach future professionals about the types of mistakes that are commonly made in hardware design.