CWE-1421: Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution

Description

A processor event may allow transient operations to access architecturally restricted data (for example, in another address space) in a shared microarchitectural structure (for example, a CPU cache), potentially exposing the data over a covert channel.

Many commodity processors have Instruction Set Architecture (ISA) features that protect software components from one another. These features can include memory segmentation, virtual memory, privilege rings, trusted execution environments, and virtual machines, among others. For example, virtual memory provides each process with its own address space, which prevents processes from accessing each other's private data. Many of these features can be used to form hardware-enforced security boundaries between software components. Many commodity processors also share microarchitectural resources that cache (temporarily store) data, which may be confidential. These resources may be shared across processor contexts, including across SMT threads, privilege rings, or others. When transient operations allow access to ISA-protected data in a shared microarchitectural resource, this might violate users' expectations of the ISA feature that is bypassed. For example, if transient operations can access a victim's private data in a shared microarchitectural resource, then the operations' microarchitectural side effects may correspond to the accessed data. If an attacker can trigger these transient operations and observe their side effects through a covert channel [REF-1400], then the attacker may be able to infer the victim's private data. Private data could include sensitive program data, OS/VMM data, page table data (such as memory addresses), system configuration data (see Demonstrative Example 3), or any other data that the attacker does not have the required privileges to access.

Potential Impact

Confidentiality

Read Memory

Demonstrative Examples

Some processors may perform access control checks in parallel with
				memory read/write operations. For example, when a user-mode program
				attempts to read data from memory, the processor may also need to
				check whether the memory address is mapped into user space or kernel
				space. If the processor performs the access concurrently with the
				check, then the access may be able to transiently read kernel data
				before the check completes. This race condition is demonstrated in the
				following code snippet from [REF-1408], with additional annotations:

Bad

1 ; rcx = kernel address, rbx = probe array
				  2 xor rax, rax                # set rax to 0
				  3 retry:
				  4 mov al, byte [rcx]          # attempt to read kernel memory
				  5 shl rax, 0xc                # multiply result by page size (4KB)
				  6 jz retry                    # if the result is zero, try again
				  7 mov rbx, qword [rbx + rax]  # transmit result over a cache covert channel

Some processors may allow access to system registers (for example,
				system coprocessor registers or model-specific registers) during
				transient execution. This scenario is depicted in the code snippet
				below. Under ordinary operating circumstances, code in exception level
				0 (EL0) is not permitted to access registers that are restricted to
				EL1, such as TTBR0_EL1. However, on some processors an earlier
				mis-prediction can cause the MRS instruction to transiently read the
				value in an EL1 register. In this example, a conditional branch (line
				2) can be mis-predicted as "not taken" while waiting for a slow load
				(line 1). This allows MRS (line 3) to transiently read the value in
				the TTBR0_EL1 register. The subsequent memory access (line 6) can
				allow the restricted register's value to become observable, for
				example, over a cache covert channel. 

				 Code snippet is from [REF-1410]. See also [REF-1411].

Bad

1 LDR X1, [X2] ; arranged to miss in the cache
				  2 CBZ X1, over ; This will be taken 
				  3 MRS X3, TTBR0_EL1; 
				  4 LSL X3, X3, #imm 
				  5 AND X3, X3, #0xFC0
				  6 LDR X5, [X6,X3] ; X6 is an EL0 base address
				  7 over

Mitigations & Prevention

Architecture and Design High

Hardware designers may choose to engineer the processor's pipeline to prevent architecturally restricted data from being used by operations that can execute transiently.

Architecture and Design Moderate

Hardware designers may choose not to share microarchitectural resources that can contain sensitive data, such as fill buffers and store buffers.

Architecture and Design Moderate

Hardware designers may choose to sanitize specific microarchitectural state (for example, store buffers) when the processor transitions to a different context, such as whenever a system call is invoked. Alternatively, the hardware may expose instruction(s) that allow software to sanitize microarchitectural state according to the user or system administrator's threat model. These mitigation approaches are similar to those that address CWE-226; however, sanitizing micro

Architecture and Design Limited

The hardware designer can attempt to prevent transient execution from causing observable discrepancies in specific covert channels.

Architecture and Design Limited

Software architects may design software to enforce strong isolation between different contexts. For example, kernel page table isolation (KPTI) mitigates the Meltdown vulnerability [REF-1401] by separating user-mode page tables from kernel-mode page tables, which prevents user-mode processes from using Meltdown to transiently access kernel memory [REF-1404].

Build and Compilation Limited

If the weakness is exposed by a single instruction (or a small set of instructions), then the compiler (or JIT, etc.) can be configured to prevent the affected instruction(s) from being generated, and instead generate an alternate sequence of instructions that is not affected by the weakness.

Build and Compilation Incidental

Use software techniques (including the use of serialization instructions) that are intended to reduce the number of instructions that can be executed transiently after a processor event or misprediction.

Implementation Limited

System software can mitigate this weakness by invoking state-sanitizing operations when switching from one context to another, according to the hardware vendor's recommendations.

System Configuration Limited

Some systems may allow the user to disable (for example, in the BIOS) sharing of the affected resource.

System Configuration Limited

Some systems may allow the user to disable (for example, in the BIOS) microarchitectural features that allow transient access to architecturally restricted data.

Detection Methods

Manual Analysis Moderate — This weakness can be detected in hardware by manually inspecting processor specifications. Features that exhibit this weakness may include microarchitectural predictors, access control checks that occur out-of-order, or any other features that can allow operations to execute without
Automated Analysis Moderate — This weakness can be detected (pre-discovery) in hardware by employing static or dynamic taint analysis methods [REF-1401]. These methods can label data in one context (for example, kernel data) and perform information flow analysis (or a simulation, etc.) to determine whether tainte
Automated Analysis High — Software vendors can release tools that detect presence of known weaknesses (post-discovery) on a processor. For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the
Fuzzing Opportunistic — Academic researchers have demonstrated that this weakness can be detected in hardware using software fuzzing tools that treat the underlying hardware as a black box ([REF-1406], [REF-1430])

Real-World CVE Examples

CVE ID	Description
CVE-2017-5715	A fault may allow transient user-mode operations to access kernel data cached in the L1D, potentially exposing the data over a covert channel.
CVE-2018-3615	A fault may allow transient non-enclave operations to access SGX enclave data cached in the L1D, potentially exposing the data over a covert channel.
CVE-2019-1135	A TSX Asynchronous Abort may allow transient operations to access architecturally restricted data, potentially exposing the data over a covert channel.

Frequently Asked Questions

What is CWE-1421?

CWE-1421 (Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. A processor event may allow transient operations to access architecturally restricted data (for example, in another address space) in a shared microarchitectural structure (for example, a CPU...

How can CWE-1421 be exploited?

Attackers can exploit CWE-1421 (Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution) to read memory. This weakness is typically introduced during the Architecture and Design, Implementation, System Configuration, Architecture and Design phase of software development.

How do I prevent CWE-1421?

Key mitigations include: Hardware designers may choose to engineer the processor's pipeline to prevent architecturally restricted data from being used by operations that can execute transiently.

What is the severity of CWE-1421?

CWE-1421 is classified as a Base-level weakness (Medium abstraction). It has been observed in 3 real-world CVEs.