logo

Information Exposure through Microarchitectural State after Transient Execution

Incomplete Base
Structure: Simple
Description

The processor does not properly clear microarchitectural state after incorrect microcode assists or speculative execution, resulting in transient execution.

Extended Description

In many processor architectures an exception, mis-speculation, or microcode assist results in a flush operation to clear results that are no longer required. This action prevents these results from influencing architectural state that is intended to be visible from software. However, traces of this transient execution may remain in microarchitectural buffers, resulting in a change in microarchitectural state that can expose sensitive information to an attacker using side-channel analysis. For example, Load Value Injection (LVI) [REF-1202] can exploit direct injection of erroneous values into intermediate load and store buffers. Several conditions may need to be fulfilled for a successful attack: 1. incorrect transient execution that results in remanence of sensitive information; 1. attacker has the ability to provoke microarchitectural exceptions; 1. operations and structures in victim code that can be exploited must be identified.

Common Consequences 1
Scope: ConfidentialityIntegrity

Impact: Modify MemoryRead MemoryExecute Unauthorized Code or Commands
Potential Mitigations 2
Phase: Architecture and DesignRequirements
Hardware ensures that no illegal data flows from faulting micro-ops exists at the microarchitectural level.

Effectiveness: High

Phase: Build and Compilation
Include instructions that explicitly remove traces of unneeded computations from software interactions with microarchitectural elements e.g. lfence, sfence, mfence, clflush.

Effectiveness: High
Demonstrative Examples 1
Faulting loads in a victim domain may trigger incorrect transient forwarding, which leaves secret-dependent traces in the microarchitectural state. Consider this example from [REF-1203].
Consider the code gadget:

Code Example:

Bad
C
c
A processor with this weakness will store the value of untrusted_arg (which may be provided by an attacker) to the stack, which is trusted memory. Additionally, this store operation will save this value in some microarchitectural buffer, e.g. the store queue. In this code gadget, trusted_ptr is dereferenced while the attacker forces a page fault. The faulting load causes the processor to mis-speculate by forwarding untrusted_arg as the (speculative) load result. The processor then uses untrusted_arg for the pointer dereference. After the fault has been handled and the load has been re-issued with the correct argument, secret-dependent information stored at the address of trusted_ptr remains in microarchitectural state and can be extracted by an attacker using a code gadget.
Observed Examples 1
CVE-2020-0551Load value injection in some processors utilizing speculative execution may allow an authenticated user to enable information disclosure via a side-channel with local access.
References 4
LVI - Hijacking Transient Execution with Load Value Injection
Jo Van Bulck, Daniel Moghimi, Michael Schwarz, Moritz Lipp, Marina Minkin, Daniel Genkin, Yuval Yarom, Berk Sunar, Daniel Gruss, and Frank Piessens
2020
https://lviattack.eu/
ID: REF-1202
LVI: Hijacking Transient Execution through Microarchitectural Load Value Injection
Jo Van Bulck, Daniel Moghimi, Michael Schwarz, Moritz Lipp, Marina Minkin, Daniel Genkin, Yuval Yarom, Berk Sunar, Daniel Gruss, and Frank Piessens
09-01-2020
https://lviattack.eu/lvi.pdf
ID: REF-1203
Hijacking Transient Execution through Microarchitectural Load Value Injection
18-05-2020
https://www.youtube.com/watch?v=99kVz-YGi6Y
ID: REF-1204
CacheOut: Leaking Data on Intel CPUs via Cache Evictions
Stephan van Schaik, Marina Minkin, Andrew Kwong, Daniel Genkin, Yuval Yarom
28-12-2020
https://cacheoutattack.com/files/CacheOut.pdf
ID: REF-1205
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Technologies:
Not Technology-Specific : UndeterminedSystem on Chip : Undetermined
Modes of Introduction
Architecture and Design
Requirements
Related Attack Patterns
Related Weaknesses
ChildOf: Sensitive Information in Resource Not Removed Before Reuse (CWE-226)
ChildOf: Sensitive Information in Resource Not Removed Before Reuse (CWE-226)
Notes
RelationshipInformation Exposure through Microarchitectural State after Transient Execution differs from Non-Transparent Sharing of Microarchitectural Resources, which is related to misprediction and biasing microarchitectural components, while Information Exposure through Microarchitectural State after Transient Execution addresses illegal data flows and retention. For example, Spectre is an instance of Non-Transparent Sharing of Microarchitectural Resources biasing branch prediction to steer the transient execution indirectly.
MaintenanceAs of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. As a result, this entry might change significantly in CWE 4.10.