CWE-1342
Information Exposure through Microarchitectural State after Transient Execution
The processor does not properly clear microarchitectural state after incorrect microcode assists or speculative execution, resulting in transient execution.
Mitigation
Phases: Architecture and Design, Requirements
Description:
- Hardware ensures that no illegal data flows from faulting micro-ops exists at the microarchitectural level.
Mitigation
Phase: Build and Compilation
Description:
- Include instructions that explicitly remove traces of unneeded computations from software interactions with microarchitectural elements e.g. lfence, sfence, mfence, clflush.
CAPEC-696: Load Value Injection
An adversary exploits a hardware design flaw in a CPU implementation of transient instruction execution in which a faulting or assisted load instruction transiently forwards adversary-controlled data from microarchitectural buffers. By inducing a page fault or microcode assist during victim execution, an adversary can force legitimate victim execution to operate on the adversary-controlled data which is stored in the microarchitectural buffers. The adversary can then use existing code gadgets and side channel analysis to discover victim secrets that have not yet been flushed from microarchitectural state or hijack the system control flow.