CAPEC-663: Exploitation of Transient Instruction Execution

Description

An adversary exploits a hardware design flaw in a CPU implementation of transient instruction execution to expose sensitive data and bypass/subvert access control over restricted resources. Typically, the adversary conducts a covert channel attack to target non-discarded microarchitectural changes caused by transient executions such as speculative execution, branch prediction, instruction pipelining, and/or out-of-order execution. The transient execution results in a series of instructions (gadgets) which construct covert channel and access/transfer the secret data.

Extended Description

This attack first requires the adversary to trick the victim into installing a Trojan Horse application on their system, such as a malicious web browser plugin, which the adversary then leverages to mount the attack. The victim interacts with a web application, such as a banking website, in a normal manner and under the assumption that the connection is secure. However, the adversary can now alter and/or reroute traffic between the client application (e.g., web browser) and the coinciding endpoint, while simultaneously displaying intended transactions and data back to the user. The adversary may also be able to glean cookies, HTTP sessions, and SSL client certificates, which can be used to pivot into an authenticated intranet. Identifying AITB is often difficult because these attacks are successful even when security mechanisms such as SSL/PKI and multifactor authentication are present, since they still function as intended during the attack.

Severity :

Very High

Possibility :

Low

Type :

Standard

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-74: Manipulating State Manipulating State CAPEC-124: Shared Resource Manipulation Shared Resource Manipulation CAPEC-141: Cache Poisoning Cache Poisoning CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels Exploiting Incorrectly Configured Access Control Security Levels CAPEC-184: Software Integrity Attack Software Integrity Attack CAPEC-212: Functionality Misuse Functionality Misuse CAPEC-696: Load Value Injection Load Value Injection

Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

The adversary needs at least user execution access to a system and a maliciously crafted program/application/process with unprivileged code to misuse transient instruction set execution of the CPU.

Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

High Detailed knowledge on how various CPU architectures and microcode perform transient execution for various low-level assembly language code instructions/operations.
High Detailed knowledge on compiled binaries and operating system shared libraries of instruction sequences, and layout of application and OS/Kernel address spaces for data leakage.

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

C2C mechanism or direct access to victim system, capable of dropping malicious program and collecting covert channel attack data.

Malicious program capable of triggering execution of transient instructions or vulnerable instruction sequences of victim program and performing a covert channel attack to gather data from victim process memory space. Ultimately, the speed with which an attacker discovers a secret is directly proportional to the computational resources of the victim machine.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-1037: Processor Optimization Removal or Modification of Security-critical Code

CWE-1264: Hardware Logic with Insecure De-Synchronization between Control and Data Channels

CWE-1303: Non-Transparent Sharing of Microarchitectural Resources

Visit http://capec.mitre.org/ for more details.