CWE-1421
Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution
Description
A processor event may allow transient operations to access architecturally restricted data (for example, in another address space) in a shared microarchitectural structure (for example, a CPU cache), potentially exposing the data over a covert channel.
{"xhtml:p":["Many commodity processors have Instruction Set Architecture (ISA)\n\t\t\tfeatures that protect software components from one another. These\n\t\t\tfeatures can include memory segmentation, virtual memory, privilege\n\t\t\trings, trusted execution environments, and virtual machines, among\n\t\t\tothers. For example, virtual memory provides each process with its own\n\t\t\taddress space, which prevents processes from accessing each other's\n\t\t\tprivate data. Many of these features can be used to form\n\t\t\thardware-enforced security boundaries between software components.","Many commodity processors also share microarchitectural resources that\n\t\t\tcache (temporarily store) data, which may be confidential. These\n\t\t\tresources may be shared across processor contexts, including across\n\t\t\tSMT threads, privilege rings, or others.","When transient operations allow access to ISA-protected data in a\n\t\t\tshared microarchitectural resource, this might violate users'\n\t\t\texpectations of the ISA feature that is bypassed. For example, if\n\t\t\ttransient operations can access a victim's private data in a shared\n\t\t\tmicroarchitectural resource, then the operations' microarchitectural\n\t\t\tside effects may correspond to the accessed data. If an attacker can\n\t\t\ttrigger these transient operations and observe their side effects\n\t\t\tthrough a covert channel [REF-1400], then the attacker may be able to infer the\n\t\t\tvictim's private data. Private data could include sensitive program\n\t\t\tdata, OS/VMM data, page table data (such as memory addresses), system\n\t\t\tconfiguration data (see Demonstrative Example 3), or any other data\n\t\t\tthat the attacker does not have the required privileges to access."]}
Parent Weaknesses (ChildOf)
Common Consequences
Scope
Impact
Read Memory
Potential Mitigations
Hardware designers may choose to engineer the processor's pipeline to prevent architecturally restricted data from being used by operations that can execute transiently.
Hardware designers may choose not to share microarchitectural resources that can contain sensitive data, such as fill buffers and store buffers.
Hardware designers may choose to sanitize specific microarchitectural state (for example, store buffers) when the processor transitions to a different context, such as whenever a system call is invoked. Alternatively, the hardware may expose instruction(s) that allow software to sanitize microarchitectural state according to the user or system administrator's threat model. These mitigation approaches are similar to those that address CWE-226; however, sanitizing microarchitectural state may not be the optimal or best way to mitigate this weakness on every processor design.
The hardware designer can attempt to prevent transient execution from causing observable discrepancies in specific covert channels.
Software architects may design software to enforce strong isolation between different contexts. For example, kernel page table isolation (KPTI) mitigates the Meltdown vulnerability [REF-1401] by separating user-mode page tables from kernel-mode page tables, which prevents user-mode processes from using Meltdown to transiently access kernel memory [REF-1404].
If the weakness is exposed by a single instruction (or a small set of instructions), then the compiler (or JIT, etc.) can be configured to prevent the affected instruction(s) from being generated, and instead generate an alternate sequence of instructions that is not affected by the weakness.
Use software techniques (including the use of serialization instructions) that are intended to reduce the number of instructions that can be executed transiently after a processor event or misprediction.
System software can mitigate this weakness by invoking state-sanitizing operations when switching from one context to another, according to the hardware vendor's recommendations.
Some systems may allow the user to disable (for example, in the BIOS) sharing of the affected resource.
Some systems may allow the user to disable (for example, in the BIOS) microarchitectural features that allow transient access to architecturally restricted data.
The hardware vendor may provide a patch to sanitize the affected shared microarchitectural state when the processor transitions to a different context.
This kind of patch may not be feasible or implementable for all processors or all weaknesses.
Processor designers, system software vendors, or other agents may choose to restrict the ability of unprivileged software to access to high-resolution timers that are commonly used to monitor covert channels.
CVE-2017-5715A fault may allow transient user-mode operations to access kernel data cached in the L1D, potentially exposing the data over a covert channel.
CVE-2018-3615A fault may allow transient non-enclave operations to access SGX enclave data cached in the L1D, potentially exposing the data over a covert channel.
CVE-2019-1135A TSX Asynchronous Abort may allow transient operations to access architecturally restricted data, potentially exposing the data over a covert channel.
Applicable Platforms
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now