Processor Optimization Removal or Modification of Security-critical Code

Incomplete Base

Structure: Simple

Description

The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is removed or modified.

Common Consequences 1

Scope: Integrity

Impact: Bypass Protection Mechanism

A successful exploitation of this weakness will change the order of an application's execution and will likely be used to bypass specific protection mechanisms. This bypass can be exploited further to potentially read data that should otherwise be unaccessible.

Detection Methods 1

White BoxOpportunistic

In theory this weakness can be detected through the use of white box testing techniques where specifically crafted test cases are used in conjunction with debuggers to verify the order of statements being executed.

Observed Examples 3

CVE-2017-5715Intel, ARM, and AMD processor optimizations related to speculative execution and branch prediction cause access control checks to be bypassed when placing data into the cache. Often known as "Spectre".

CVE-2017-5753Intel, ARM, and AMD processor optimizations related to speculative execution and branch prediction cause access control checks to be bypassed when placing data into the cache. Often known as "Spectre".

CVE-2017-5754Intel processor optimizations related to speculative execution cause access control checks to be bypassed when placing data into the cache. Often known as "Meltdown".

References 2

Spectre Attacks: Exploiting Speculative Execution

Paul Kocher, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom

03-01-2018

https://arxiv.org/abs/1801.01203

ID: REF-11

Meltdown

Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg

03-01-2018

https://arxiv.org/abs/1801.01207

ID: REF-12

Likelihood of Exploit

Low

Applicable Platforms

Languages:

Not Language-Specific : Rarely

Technologies:

Processor Hardware : Undetermined

Modes of Introduction

Architecture and Design

Related Attack Patterns

663
Use of a Non-reentrant Function in a Concurrent Context

Related Weaknesses

ChildOf:

Insecure Automated Optimizations (CWE-1038)

Notes

MaintenanceAs of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. As a result, this entry might change significantly in CWE 4.10.