When developing a software, firmware, or hardware design, designers work to ensure the final design behaves and functions as required by the design’s specification (a list of desired behaviors and functionalities). While verifying the functionality of a design is certainly crucial, designers must also verify that the way they implemented the desired functionality does not introduce security or safety weaknesses. Identifying such weaknesses requires designers to have not only a broad knowledge of potential weaknesses but also a reliable way of detecting instances of these weaknesses in their code. This is by no means an easy task, but there are resources to help point designers in the right direction. One invaluable resource is Mitre’s Common Weakness Enumeration (CWE), a community-developed list of software and hardware weaknesses that can become vulnerabilities.

On April 3, 2025, Mitre released CWE Version 4.17 which, among many other updates, contained a new CWE entry contributed by Andy Meza and Jason Oberg (CWE-1431: Driving Intermediate Cryptographic State/Results to Hardware Module Outputs). This CWE was developed based on our security analysis of the open-source hardware root of trust OpenTitan (see paper here). Using hardware information flow tracking enabled by Cycuity’s Radix-S, we discovered a weakness in the implementation of a crypto core in OpenTitan’s one-time programmable memory controller: intermediate cryptographic state was driven onto a module output. Although this weakness is commonly seen and relevant to many systems, there was no corresponding CWE entry for it. So, we submitted a CWE proposal to Mitre’s CWE team and eventually began working with them to prepare CWE-1431 for release.
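To make the weakness pattern and the information-flow check concrete, here is an added example that is not part of the original post and is not OpenTitan, Radix-S or the paper's code. It models two toy RTL modules in Python: a leaky core whose output port is wired directly to the internal state register (so every intermediate round value is observable, the CWE-1431 pattern) and a gated core that loads a dedicated output register only when the final round completes. A minimal label-propagation model stands in for hardware information flow tracking: intermediate round state carries an `intermediate` label, the final round's result is declassified, and the check flags any cycle in which labelled intermediate data reaches `data_out`. The cipher (4 rounds of XOR with a round key followed by a rotate), the key and plaintext values, and the class and function names are all constructed for this illustration.

```python
"""Toy model of CWE-1431 (intermediate cryptographic state driven to a
module output) beside a gated design, plus a minimal information-flow check.

Constructed example: the 'cipher' is a 4-round XOR/rotate toy, not a real
algorithm, and the classes are Python stand-ins for RTL modules.
"""
from dataclasses import dataclass

WIDTH = 16
MASK = (1 << WIDTH) - 1
ROUNDS = 4


@dataclass(frozen=True)
class Tainted:
    """A signal value carrying information-flow labels (its sources)."""
    value: int
    labels: frozenset = frozenset()

    def __xor__(self, other):
        # Labels propagate through logic: the result depends on both inputs.
        return Tainted(self.value ^ other.value, self.labels | other.labels)

    def rotl(self, n):
        v = ((self.value << n) | (self.value >> (WIDTH - n))) & MASK
        return Tainted(v, self.labels)


def next_state(state, key, rnd):
    """One toy round. Rounds 1..ROUNDS-1 yield INTERMEDIATE state; the last
    round's result is declassified to 'final' (allowed to leave the module)."""
    out = (state ^ key).rotl(3)
    if rnd == ROUNDS:
        return Tainted(out.value, frozenset({"final"}))
    return Tainted(out.value, out.labels | {"intermediate"})


class LeakyCore:
    """Weak design: data_out is a continuous assignment from the state
    register ('assign data_out = state_q;'), so each round's intermediate
    value is visible on the output port while valid is still low."""
    def __init__(self, keys, plaintext):
        self.keys = [Tainted(k, frozenset({"key"})) for k in keys]
        self.state = Tainted(plaintext, frozenset({"plaintext"}))
        self.rnd = 0
        self.valid = False

    @property
    def data_out(self):
        return self.state

    def clock(self):
        if self.rnd < ROUNDS:
            self.rnd += 1
            self.state = next_state(self.state, self.keys[self.rnd - 1], self.rnd)
            self.valid = self.rnd == ROUNDS


class GatedCore(LeakyCore):
    """Hardened design: a separate output register holds zero until the
    final round completes, so intermediate state never reaches data_out."""
    def __init__(self, keys, plaintext):
        super().__init__(keys, plaintext)
        self.out_q = Tainted(0)

    @property
    def data_out(self):
        return self.out_q

    def clock(self):
        super().clock()
        if self.valid:
            self.out_q = self.state  # load only on completion


def simulate(core_cls, keys, plaintext, cycles=ROUNDS + 1):
    """Clock the core; return (trace, violations). trace holds
    (cycle, data_out value, valid) per cycle; violations lists the cycles
    in which 'intermediate'-labelled data was observable on data_out."""
    core = core_cls(keys, plaintext)
    trace, violations = [], []
    for cyc in range(cycles):
        out = core.data_out
        trace.append((cyc, out.value, core.valid))
        if "intermediate" in out.labels:
            violations.append(cyc)
        core.clock()
    return trace, violations


if __name__ == "__main__":
    keys, pt = [0x1234, 0xABCD, 0x0F0F, 0xF00F], 0xBEEF  # constructed values
    for cls in (LeakyCore, GatedCore):
        trace, bad = simulate(cls, keys, pt)
        print(cls.__name__, "violating cycles:", bad)
        for cyc, val, valid in trace:
            print(f"  cycle {cyc}: data_out=0x{val:04x} valid={valid}")
```

The leaky core reports violations in the cycles between the first round and completion, while the gated core reports none and still produces the same final ciphertext in the same cycle, which is the functional-equivalence check a designer would want alongside the security property. Real IFT tools track labels at the bit and gate level rather than on whole values, but the shape of the property is the same: intermediate cryptographic registers must not flow to any module output before the result is declassified.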
The development of CWE-1431, along with the original security analysis, was a collaborative effort led by Andy Meza. It featured a great team of academic and industry researchers: Andy Meza, Francesco Restuccia, Jason Oberg, Dominic Rizzo, and Ryan Kastner. We look forward to contributing more CWEs in the future and encourage others in the community to do the same.