CWE-1342

Information Exposure through Microarchitectural State after Transient Execution

The processor does not properly clear microarchitectural state after incorrect microcode assists or speculative execution, resulting in transient execution.

Mitigation

Phases: Architecture and Design, Requirements

Description:

  • Hardware ensures that no illegal data flows from faulting micro-ops exists at the microarchitectural level.
Mitigation

Phase: Build and Compilation

Description:

  • Include instructions that explicitly remove traces of unneeded computations from software interactions with microarchitectural elements e.g. lfence, sfence, mfence, clflush.
CAPEC-696: Load Value Injection

An adversary exploits a hardware design flaw in a CPU implementation of transient instruction execution in which a faulting or assisted load instruction transiently forwards adversary-controlled data from microarchitectural buffers. By inducing a page fault or microcode assist during victim execution, an adversary can force legitimate victim execution to operate on the adversary-controlled data which is stored in the microarchitectural buffers. The adversary can then use existing code gadgets and side channel analysis to discover victim secrets that have not yet been flushed from microarchitectural state or hijack the system control flow.

Back to CWE stats page