CWE-1342: Information Exposure through Microarchitectural State after Transient Execution

Description

The processor does not properly clear microarchitectural state after incorrect microcode assists or speculative execution, resulting in transient execution.

Submission Date :

Sept. 22, 2021, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

Tortuga Logic

Extended Description

In many processor architectures an exception, mis-speculation, or microcode assist results in a flush operation to clear results that are no longer required. This action prevents these results from influencing architectural state that is intended to be visible from software. However, traces of this transient execution may remain in microarchitectural buffers, resulting in a change in microarchitectural state that can expose sensitive information to an attacker using side-channel analysis. For example, Load Value Injection (LVI) [REF-1202] can exploit direct injection of erroneous values into intermediate load and store buffers.

Several conditions may need to be fulfilled for a successful attack:

1) incorrect transient execution that results in remanence of sensitive information;
2) attacker has the ability to provoke microarchitectural exceptions;
3) operations and structures in victim code that can be exploited must be identified.

Example Vulnerable Codes

Example - 1

Faulting loads in a victim domain may trigger incorrect transient forwarding, which leaves secret-dependent traces in the microarchitectural state. Consider this example from [REF-1203].

Consider the code gadget:



*arg_copy = untrusted_arg;array[**trusted_ptr * 4096];void call_victim(size_t untrusted_arg) {}

A processor with this weakness will store the value of untrusted_arg (which may be provided by an attacker) to the stack, which is trusted memory. Additionally, this store operation will save this value in some microarchitectural buffer, e.g. the store queue.In this code gadget, trusted_ptr is dereferenced while the attacker forces a page fault. The faulting load causes the processor to mis-speculate by forwarding untrusted_arg as the (speculative) load result. The processor then uses untrusted_arg for the pointer dereference. After the fault has been handled and the load has been re-issued with the correct argument, secret-dependent information stored at the address of trusted_ptr remains in microarchitectural state and can be extracted by an attacker using a code gadget.

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

CWE-226: Sensitive Information in Resource Not Removed Before Reuse

Go to

Visit http://cwe.mitre.org/ for more details.