SCAP CWE: new Hardware view, organizes weaknesses around concepts that are frequently used or encountered in hardware design

Mitre has updated SCAP's CWE to include Hardware (but not Firmware). SCAP is the main method of keeping the industry informed of security issues, but it has been focused almost entirely on userspace-app and OS issues, and has largely ignored hardware and firmware. Compare how much weight 'ring 0' carries: security researchers had to invent multiple 'negative rings' to talk clearly about what sits below the OS, which is mostly hw/fw territory.

Outside of userspace apps, SCAP is not useful IMO because it doesn't let you find HW/FW issues. An ARM TrustZone issue will be hidden inside an Apple iPhone CVE, an Intel UEFI bootloader issue will be hidden inside a Windows OS CVE, etc. You can't use SCAP's metadata (the CWE IDs attached to a CVE) to explicitly search for HW/FW issues; you have to hope for the best with a full-text search, and hope that the iPhone CVE description also happened to mention TrustZone, etc.

Now security tools need to emit these HW CWEs, too.

It looks like there might be some hope for SCAP after all. They just updated one of its XML languages, CWE, to support Hardware (not Firmware). So once the rest of SCAP is updated and vendor tools support it, future issues can be identified more easily. Existing and prior issues will likely not be back-ported to the new metadata, so 'full-text search' will still be needed to search NIST NVD for historical HW issues, and will continue to be needed for FW issues, since CWE is only updated for HW, not FW.
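To make the metadata-versus-full-text point concrete, here is an added example (my code, not part of the original post or of any Mitre/NIST tooling). It runs both search strategies over a few constructed NVD-1.1-style CVE records: a CWE-ID filter that only catches entries tagged with a member of the new Hardware Design view (CWE-1194), and a keyword fallback that is the only thing that surfaces a legacy entry filed under a generic CWE whose description merely mentions TrustZone. The two view-member IDs and the keyword list are assumptions chosen for illustration; in practice the member set comes from the CWE-1194 download, and the CVE IDs and descriptions below are made up.

```python
import json
import re

# Assumption: a constructed two-entry subset of the CWE-1194 "Hardware Design" view.
# A real tool would load the full member list from the CWE-1194 CSV/XML download.
HARDWARE_VIEW_CWES = {"CWE-1189", "CWE-1191"}

# Assumption: illustrative HW/FW keywords for the full-text fallback, not an
# authoritative taxonomy. Matched as whole words, case-insensitively.
HW_FW_KEYWORDS = ["trustzone", "uefi", "bootloader", "firmware", "soc", "jtag"]

# Constructed records in the layout of the NVD 1.1 JSON feed. The CVE IDs and
# descriptions are invented for this example; they are not real advisories.
SAMPLE_FEED = json.dumps({
    "CVE_Items": [
        {"cve": {
            "CVE_data_meta": {"ID": "CVE-0000-0001"},
            "problemtype": {"problemtype_data": [
                {"description": [{"value": "CWE-1189"}]}]},
            "description": {"description_data": [
                {"value": "Shared SoC resource lets one core read another core's buffer."}]}}},
        {"cve": {
            "CVE_data_meta": {"ID": "CVE-0000-0002"},
            "problemtype": {"problemtype_data": [
                {"description": [{"value": "CWE-20"}]}]},
            "description": {"description_data": [
                {"value": "A logic issue was addressed. An application may gain "
                          "elevated privileges via TrustZone secure monitor calls."}]}}},
        {"cve": {
            "CVE_data_meta": {"ID": "CVE-0000-0003"},
            "problemtype": {"problemtype_data": [
                {"description": [{"value": "CWE-79"}]}]},
            "description": {"description_data": [
                {"value": "Cross-site scripting in the admin web UI."}]}}},
    ]
})


def load_items(feed_json):
    """Parse an NVD-1.1-style feed and return its CVE_Items list."""
    return json.loads(feed_json)["CVE_Items"]


def cve_id(item):
    return item["cve"]["CVE_data_meta"]["ID"]


def cwe_ids(item):
    """All CWE IDs attached to a CVE entry (the SCAP metadata this post is about)."""
    return {d["value"]
            for pt in item["cve"]["problemtype"]["problemtype_data"]
            for d in pt["description"]}


def description(item):
    return " ".join(d["value"] for d in item["cve"]["description"]["description_data"])


def search_by_cwe(items, view_members):
    """Metadata search: entries tagged with any CWE in the given view."""
    return [cve_id(it) for it in items if cwe_ids(it) & set(view_members)]


def search_by_keyword(items, keywords):
    """Full-text fallback: entries whose description contains a keyword as a whole word."""
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, keywords)) + r")\b", re.IGNORECASE)
    return [cve_id(it) for it in items if pattern.search(description(it))]


def search_hardware(items, view_members=HARDWARE_VIEW_CWES, keywords=HW_FW_KEYWORDS):
    """Return (tagged, keyword_only): what the new CWE metadata finds, and what only
    the full-text fallback finds (i.e. the historical entries that were never re-tagged)."""
    tagged = search_by_cwe(items, view_members)
    by_text = search_by_keyword(items, keywords)
    keyword_only = [c for c in by_text if c not in tagged]
    return tagged, keyword_only


if __name__ == "__main__":
    tagged, keyword_only = search_hardware(load_items(SAMPLE_FEED))
    print("found via hardware-view CWE metadata:", tagged)
    print("found only via full-text fallback:   ", keyword_only)
```

Running it shows the gap the post describes: only the entry tagged CWE-1189 is found through CWE metadata, while the TrustZone issue filed under CWE-20 is found solely because its description happened to use the word. Widening the keyword list raises recall but also false positives (a description mentioning "firmware update" in passing), which is exactly why tagged metadata beats text search.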

https://cwe.mitre.org/news/index.html#february242020_CWE_Version_4.0_Now_Available

https://cwe.mitre.org/data/definitions/1194.html

Unclear whether IETF SACM, which is related to SCAP, will adopt this view.
https://tools.ietf.org/wg/sacm/
