Modes of Introduction
Architecture and Design: This weakness can be introduced when a computing unit (such as a CPU, GPU, accelerator, or any other processor) uses out-of-order execution, speculation, or any other microarchitectural feature that can allow microarchitectural operations to execute without committing to architectural state.
Implementation: This weakness can be introduced when sandboxes or managed runtimes are not properly isolated by using hardware-enforced boundaries. Developers of sandbox or managed runtime software should exercise caution when relying on software techniques (such as bounds checking) to prevent code in one sandbox from accessing confidential data in another sandbox. For example, an attacker sandbox may be able to trigger a processor event or mis-prediction in a manner that allows it to transiently read a victim sandbox's private data.
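The Implementation note above says that a software bounds check alone does not stop a transient read: the check is a conditional branch, and after a misprediction the guarded load can still execute with an out-of-range index. The added example below, which is not part of the CWE entry, shows the unhardened pattern next to the usual software mitigation for that specific case: masking the index after the check so that even a transiently executed load stays inside the array. The masking idea is the one documented in the Linux kernel's speculation notes (cited on this page as REF-1390); the portable unsigned-arithmetic formulation, the table contents, and the function names here are constructed for the example. It covers only the conditional-branch case; the other entries in this weakness (indirect branch prediction, machine clears) need the other mitigations the references describe, such as retpoline or speculative load hardening.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: 16 public bytes. Whatever the compiler places after
   this table in memory is what a transient out-of-bounds load could touch. */
#define TABLE_SIZE 16
static const uint8_t public_table[TABLE_SIZE] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
};

/* Branchless mask: all ones when index < size, zero otherwise.
   Same idea as the kernel's array_index_mask_nospec (REF-1390), written in
   portable unsigned C instead of inline assembly (assumption of this example).
   Requires size <= SIZE_MAX / 2, which holds for any real array. */
size_t index_mask_nospec(size_t index, size_t size)
{
    /* The top bit of t is clear exactly when index < size: index itself is
       small and (size - index - 1) does not wrap around. */
    size_t t = index | (size - index - 1);
    size_t top = t >> (sizeof(size_t) * 8 - 1);   /* 0 or 1 */
    return top - 1;                               /* 0 -> all ones, 1 -> 0 */
}

/* An in-bounds index is returned unchanged; an out-of-bounds index becomes 0.
   No data-dependent branch is involved. */
size_t clamp_index_nospec(size_t index, size_t size)
{
    return index & index_mask_nospec(index, size);
}

/* Unhardened lookup: architecturally correct, but the bounds check is a
   conditional branch, so under a misprediction the load can execute
   transiently with an arbitrary index (the pattern the entry describes). */
uint8_t lookup_unhardened(size_t index)
{
    if (index < TABLE_SIZE)
        return public_table[index];
    return 0;
}

/* Hardened lookup: same check, but the index fed to the load is masked, so a
   transiently executed load cannot leave the table. */
uint8_t lookup_hardened(size_t index)
{
    if (index < TABLE_SIZE) {
        size_t safe = clamp_index_nospec(index, TABLE_SIZE);
        return public_table[safe];
    }
    return 0;
}

int main(void)
{
    size_t probes[] = { 0, 3, 15, 16, 1000, SIZE_MAX };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("index %zu -> mask %#zx, clamped %zu, hardened lookup %u\n",
               probes[i], index_mask_nospec(probes[i], TABLE_SIZE),
               clamp_index_nospec(probes[i], TABLE_SIZE),
               (unsigned)lookup_hardened(probes[i]));
    }
    return 0;
}
```

Both lookups return identical values architecturally; the difference is only visible in what the processor can do during the transient window, which is why this class of defect is not found by functional testing and why the entry lists fuzzing and manual analysis as the practical detection methods.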
Applicable Platforms
Language
Class: Not Language-Specific (Undetermined)
Operating Systems
Class: Not OS-Specific (Undetermined)
Architectures
Class: Not Architecture-Specific (Undetermined)
Technologies
Class: Not Technology-Specific (Undetermined)
Common Consequences
| Scope | Impact | Likelihood |
|---|---|---|
| Confidentiality | Read Memory | Medium |
Observed Examples
| Reference | Description |
|---|---|
| | Microarchitectural conditional branch predictors may allow operations to execute transiently after a misprediction, potentially exposing data over a covert channel. |
| | A machine clear triggered by self-modifying code may allow incorrect operations to execute transiently, potentially exposing data over a covert channel. |
| | Microarchitectural indirect branch predictors may allow incorrect operations to execute transiently after a misprediction, potentially exposing data over a covert channel. |
Potential Mitigations
Phases: Architecture and Design
The hardware designer can attempt to prevent transient execution from causing observable discrepancies in specific covert channels.
Phases: Requirements
Phases: Requirements
Phases: Requirements
Phases: Build and Compilation
Phases: Build and Compilation
Phases: Build and Compilation
Phases: Build and Compilation
Phases: Build and Compilation
Phases: Build and Compilation
Phases: Documentation
Detection Methods
Manual Analysis
Effectiveness: Moderate
Fuzzing
Effectiveness: Opportunistic
Fuzzing
Effectiveness: Opportunistic
Automated Static Analysis
Effectiveness: Limited
Automated Analysis
Effectiveness: High
Vulnerability Mapping Notes
Rationale: This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment:
References
REF-1389: Alyssa Milburn, Ke Sun, Henrique Kawakami. "You Cannot Always Win the Race: Analyzing the LFENCE/JMP Mitigation for Branch Target Injection". https://arxiv.org/abs/2203.04277
REF-1417: Mengjia Yan, Jiho Choi, Dimitrios Skarlatos, Adam Morrison, Christopher W. Fletcher, Josep Torrellas. "InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy". https://iacoma.cs.uiuc.edu/iacoma-papers/micro18.pdf
REF-1418: Alejandro Cabrera Aldaya, Billy Bob Brumley, Sohaib ul Hassan, Cesar Pereida García, Nicola Tuveri. "Port Contention for Fun and Profit". https://eprint.iacr.org/2018/1060.pdf
REF-1419: Mohammad Behnia, Prateek Sahu, Riccardo Paccagnella, Jiyong Yu, Zirui Zhao, Xiang Zou, Thomas Unterluggauer, Josep Torrellas, Carlos Rozas, Adam Morrison, Frank McKeen, Fangfei Liu, Ron Gabor, Christopher W. Fletcher, Abhishek Basak, Alaa Alameldeen. "Speculative Interference Attacks: Breaking Invisible Speculation Schemes". https://arxiv.org/abs/2007.11818
REF-1420: Ross McIlroy, Jaroslav Sevcik, Tobias Tebbi, Ben L. Titzer, Toon Verwaest. "Spectre Is Here to Stay: An Analysis of Side-Channels and Speculative Execution". https://arxiv.org/pdf/1902.05178
REF-1421: Intel Corporation. "Managed Runtime Speculative Execution Side Channel Mitigations". https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/runtime-speculative-side-channel-mitigations.html
REF-1398: The Clang Team. "Control Flow Integrity". https://clang.llvm.org/docs/ControlFlowIntegrity.html
REF-1414: Intel Corporation. "Retpoline: A Branch Target Injection Mitigation". https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/retpoline-branch-target-injection-mitigation.html
REF-1390: The kernel development community. "Speculation". https://docs.kernel.org/6.6/staging/speculation.html
REF-1425: Chandler Carruth. "Speculative Load Hardening". https://llvm.org/docs/SpeculativeLoadHardening.html
REF-1427: Hany Ragab, Enrico Barberis, Herbert Bos, Cristiano Giuffrida. "Rage Against the Machine Clear: A Systematic Analysis of Machine Clears and Their Implications for Transient Execution Attacks". https://www.usenix.org/system/files/sec21-ragab.pdf
REF-1428: Oleksii Oleksenko, Marco Guarnieri, Boris Köpf, Mark Silberstein. "Hide and Seek with Spectres: Efficient Discovery of Speculative Information Leaks with Random Testing". https://arxiv.org/pdf/2301.07642
REF-1429: Oleksii Oleksenko, Bohdan Trach, Mark Silberstein, Christof Fetzer. "SpecFuzz: Bringing Spectre-Type Vulnerabilities to the Surface". https://www.usenix.org/system/files/sec20-oleksenko.pdf
REF-1415: Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yuval Yarom. "Spectre Attacks: Exploiting Speculative Execution". https://spectreattack.com/spectre.pdf
REF-1400: Intel Corporation. "Refined Speculative Execution Terminology". https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/refined-speculative-execution-terminology.html
Submission
| Name | Organization | Date | Publication Date | Version |
|---|---|---|---|---|
| Scott D. Constable | Intel Corporation | 2023-09-19 +00:00 | 2024-02-29 +00:00 | 4.14 |
Modifications
| Name | Organization | Date | Comment |
|---|---|---|---|
| CWE Content Team | MITRE | 2024-07-16 +00:00 | updated Mapping_Notes |
| CWE Content Team | MITRE | 2025-09-09 +00:00 | updated References |
| CWE Content Team | MITRE | 2025-12-11 +00:00 | updated References, Weakness_Ordinalities |