CWE-1422

Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution

Abstraction: Base
Status: Incomplete

Description

A processor event or prediction may allow incorrect or stale data to be forwarded to transient operations, potentially exposing data over a covert channel.

Extended Description

Software may use a variety of techniques to preserve the confidentiality of private data that is accessible within the current processor context. For example, the memory safety and type safety properties of some high-level programming languages help to prevent software written in those languages from exposing private data. As a second example, software sandboxes may co-locate multiple users' software within a single process. The processor's Instruction Set Architecture (ISA) may permit one user's software to access another user's data (because the software shares the same address space), but the sandbox prevents these accesses by using software techniques such as bounds checking.

If incorrect or stale data can be forwarded (for example, from a cache) to transient operations, then the operations' microarchitectural side effects may correspond to the data. If an attacker can trigger these transient operations and observe their side effects through a covert channel, then the attacker may be able to infer the data. For example, an attacker process may induce transient execution in a victim process that causes the victim to inadvertently access and then expose its private data via a covert channel. In the software sandbox example, an attacker sandbox may induce transient execution in its own code, allowing it to transiently access and expose data in a victim sandbox that shares the same address space.

Consequently, weaknesses that arise from incorrect/stale data forwarding might violate users' expectations of software-based memory safety and isolation techniques. If the data forwarding behavior is not properly documented by the hardware vendor, this might violate the software vendor's expectation of how the hardware should behave.

Common Consequences

Scope: Confidentiality
Impact: Read Memory

Potential Mitigations

Architecture and Design

The hardware designer can attempt to prevent transient execution from causing observable discrepancies in specific covert channels.

Requirements

Processor designers, system software vendors, or other agents may choose to restrict the ability of unprivileged software to access high-resolution timers, which are commonly used to monitor covert channels.

Requirements

Processor designers may expose instructions or other architectural features that allow software to mitigate the effects of transient execution, but without disabling predictors. These features may also help to limit opportunities for data exposure.

Requirements

Processor designers may expose registers (for example, control registers or model-specific registers) that allow privileged and/or user software to disable specific predictors or other hardware features that can cause confidential data to be exposed during transient execution.

Build and Compilation

Use software techniques (including the use of serialization instructions) that are intended to reduce the number of instructions that can be executed transiently after a processor event or misprediction.

Build and Compilation

Isolate sandboxes or managed runtimes in separate address spaces (separate processes).

Build and Compilation

Include serialization instructions (for example, LFENCE) that prevent processor events or mis-predictions prior to the serialization instruction from causing transient execution after the serialization instruction. For some weaknesses, a serialization instruction can also prevent a processor event or a mis-prediction from occurring after the serialization instruction (for example, CVE-2018-3639 can allow a processor to predict that a load will not depend on an older store; a serialization instruction between the store and the load may allow the store to update memory and prevent the mis-prediction from happening at all).

Build and Compilation

Use software techniques that can mitigate the consequences of transient execution. For example, address masking can be used in some circumstances to prevent out-of-bounds transient reads.
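The following is an added example, not code from the CWE entry, showing the two software mitigations above side by side: a bounds check that relies only on a branch (the pattern a mispredicted branch can transiently bypass), the same check followed by an LFENCE serialization instruction, and a branch-free address-masking variant. The sandbox layout, buffer contents and function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sandbox layout (assumption): a 16-byte buffer the untrusted
 * code may index, with a victim's secret adjacent in the same address space. */
#define BUF_SIZE 16u
static const char sandbox_buf[BUF_SIZE] = "public-data-only";
const char victim_secret[BUF_SIZE] = "do-not-leak-me!";

/* Vulnerable pattern: the bounds check is only a branch. Architecturally
 * correct, but if the branch is mispredicted the load below can execute
 * transiently with an out-of-bounds idx and touch victim_secret. */
char read_branch_only(size_t idx) {
    if (idx >= BUF_SIZE)
        return 0;
    return sandbox_buf[idx];
}

/* Mitigation 1: serialization instruction. LFENCE keeps the load from
 * executing until the bounds-check branch has resolved. x86 only; elsewhere
 * this is a no-op, so read_fenced() is then no safer than read_branch_only(). */
static inline void speculation_barrier(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#endif
}

char read_fenced(size_t idx) {
    if (idx >= BUF_SIZE)
        return 0;
    speculation_barrier();
    return sandbox_buf[idx];
}

/* Mitigation 2: address masking. The index is clamped with an arithmetic
 * mask (all-ones when in range, zero otherwise) instead of relying on the
 * branch, so even a transient out-of-bounds access stays inside sandbox_buf.
 * Assumes the compiler keeps this branch-free (gcc/clang emit setcc here). */
size_t index_nospec(size_t idx, size_t size) {
    size_t in_range = (size_t)(idx < size);     /* 1 or 0, no branch */
    size_t mask = (size_t)0 - in_range;         /* ~0 or 0 */
    return idx & mask;
}

char read_masked(size_t idx) {
    if (idx >= BUF_SIZE)
        return 0;                                /* architectural result */
    return sandbox_buf[index_nospec(idx, BUF_SIZE)]; /* transiently clamped */
}
```

Inspect the generated assembly before trusting either variant: a compiler is free to turn the comparison in index_nospec() back into a branch, and the fence is a no-op on non-x86 targets.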

Build and Compilation

If the weakness is exposed by a single instruction (or a small set of instructions), then the compiler (or JIT, etc.) can be configured to prevent the affected instruction(s) from being generated, and instead generate an alternate sequence of instructions that is not affected by the weakness.

Documentation

If a hardware feature can allow incorrect or stale data to be forwarded to transient operations, the hardware designer may opt to disclose this behavior in architecture documentation. This documentation can inform users about potential consequences and effective mitigations.

Observed Examples

CVE-2020-0551

A fault, microcode assist, or abort may allow transient load operations to forward malicious stale data to dependent operations executed by a victim, causing the victim to unintentionally access and potentially expose its own data over a covert channel.

CVE-2020-8698

A fast store forwarding predictor may allow store operations to forward incorrect data to transient load operations, potentially exposing data over a covert channel.

Applicable Platforms

Not Language-Specific
