CWE-1420

A processor event or prediction may allow incorrect operations (or correct operations with incorrect data) to execute transiently, potentially exposing data over a covert channel.

{"xhtml:p":["When operations execute but do not commit to the processor's\n\t\t\t\t\tarchitectural state, this is commonly referred to as transient\n\t\t\t\t\texecution. This behavior can occur when the processor mis-predicts an\n\t\t\t\t\toutcome (such as a branch target), or when a processor event (such as\n\t\t\t\t\tan exception or microcode assist, etc.) is handled after younger\n\t\t\t\t\toperations have already executed. Operations that execute transiently\n\t\t\t\t\tmay exhibit observable discrepancies (CWE-203) in covert channels\n\t\t\t\t\t[REF-1400] such as data caches. Observable discrepancies of this kind\n\t\t\t\t\tcan be detected and analyzed using timing or power analysis\n\t\t\t\t\ttechniques, which may allow an attacker to infer information about the\n\t\t\t\t\toperations that executed transiently. For example, the attacker may be\n\t\t\t\t\table to infer confidential data that was accessed or used by those\n\t\t\t\t\toperations.","Transient execution weaknesses may be exploited using one of two\n\t\t\t\t\tmethods. In the first method, the attacker generates a code sequence\n\t\t\t\t\tthat exposes data through a covert channel when it is executed\n\t\t\t\t\ttransiently (the attacker must also be able to trigger transient\n\t\t\t\t\texecution). Some transient execution weaknesses can only expose data\n\t\t\t\t\tthat is accessible within the attacker's processor context. For\n\t\t\t\t\texample, an attacker executing code in a software sandbox may be able\n\t\t\t\t\tto use a transient execution weakness to expose data within the same\n\t\t\t\t\taddress space, but outside of the attacker's sandbox. Other transient\n\t\t\t\t\texecution weaknesses can expose data that is architecturally\n\t\t\t\t\tinaccessible, that is, data protected by hardware-enforced boundaries\n\t\t\t\t\tsuch as page tables or privilege rings. These weaknesses are the\n\t\t\t\t\tsubject of CWE-1421.","In the second exploitation method, the attacker first identifies a\n\t\t\t\t\tcode sequence in a victim program that, when executed transiently, can\n\t\t\t\t\texpose data that is architecturally accessible within the victim's\n\t\t\t\t\tprocessor context. For instance, the attacker may search the victim\n\t\t\t\t\tprogram for code sequences that resemble a bounds-check bypass\n\t\t\t\t\tsequence (see Demonstrative Example 1). If the attacker can trigger a\n\t\t\t\t\tmis-prediction of the conditional branch and influence the index of\n\t\t\t\t\tthe out-of-bounds array access, then the attacker may be able to infer\n\t\t\t\t\tthe value of out-of-bounds data by monitoring observable discrepancies\n\t\t\t\t\tin a covert channel."]}

Applicable Platforms