Insecure Automated Optimizations

Draft Class

Structure: Simple

Description

The product uses a mechanism that automatically optimizes code, e.g. to improve a characteristic such as performance, but the optimizations can have an unintended side effect that might violate an intended security assumption.

Common Consequences 1

Scope: Integrity

Impact: Alter Execution Logic

The optimizations alter the order of execution resulting in side effects that were not intended by the original developer.

Observed Examples 2

CVE-2017-5715Intel, ARM, and AMD processor optimizations related to speculative execution and branch prediction cause access control checks to be bypassed when placing data into the cache. Often known as "Spectre".

CVE-2008-1685C compiler optimization, as allowed by specifications, removes code that is used to perform checks to detect integer overflows.

Likelihood of Exploit

Low

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Modes of Introduction

Architecture and Design

Related Weaknesses

ChildOf:

Improper Interaction Between Multiple Correctly-Behaving Entities (CWE-435)

ChildOf:

Reliance on Undefined, Unspecified, or Implementation-Defined Behavior (CWE-758)