Description
A processor event or prediction may allow incorrect or stale data to be forwarded to transient operations, potentially exposing data over a covert channel.
Software may use a variety of techniques to preserve the confidentiality of private data that is accessible within the current processor context. For example, the memory safety and type safety properties of some high-level programming languages help to prevent software written in those languages from exposing private data. As a second example, software sandboxes may co-locate multiple users' software within a single process. The processor's Instruction Set Architecture (ISA) may permit one user's software to access another user's data (because the software shares the same address space), but the sandbox prevents these accesses by using software techniques such as bounds checking. If incorrect or stale data can be forwarded (for example, from a cache) to transient operations, then the operations' microarchitectural side effects may correspond to the data. If an attacker can trigger these transient operations and observe their side effects through a covert channel, then the attacker may be able to infer the data. For example, an attacker process may induce transient execution in a victim process that causes the victim to inadvertently access and then expose its private data via a covert channel. In the software sandbox example, an attacker sandbox may induce transient execution in its own code, allowing it to transiently access and expose data in a victim sandbox that shares the same address space. Consequently, weaknesses that arise from incorrect/stale data forwarding might violate users' expectations of software-based memory safety and isolation techniques. If the data forwarding behavior is not properly documented by the hardware vendor, this might violate the software vendor's expectation of how the hardware should behave.
Potential Impact
Confidentiality
Read Memory
Demonstrative Examples
void call_victim(size_t untrusted_arg) {
*arg_copy = untrusted_arg;
array[**trusted_ptr * 4096];
}void fn(int idx) {
unsigned char v;
idx_array[0] = 4096;
v = array[idx_array[idx] * (idx)];
}Mitigations & Prevention
The hardware designer can attempt to prevent transient execution from causing observable discrepancies in specific covert channels.
Processor designers, system software vendors, or other agents may choose to restrict the ability of unprivileged software to access to high-resolution timers that are commonly used to monitor covert channels.
Processor designers may expose instructions or other architectural features that allow software to mitigate the effects of transient execution, but without disabling predictors. These features may also help to limit opportunities for data exposure.
Processor designers may expose registers (for example, control registers or model-specific registers) that allow privileged and/or user software to disable specific predictors or other hardware features that can cause confidential data to be exposed during transient execution.
Use software techniques (including the use of serialization instructions) that are intended to reduce the number of instructions that can be executed transiently after a processor event or misprediction.
Isolate sandboxes or managed runtimes in separate address spaces (separate processes).
Include serialization instructions (for example, LFENCE) that prevent processor events or mis-predictions prior to the serialization instruction from causing transient execution after the serialization instruction. For some weaknesses, a serialization instruction can also prevent a processor event or a mis-prediction from occurring after the serialization instruction (for example, CVE-2018-3639 can allow a processor to predict that a load will not depend on an older s
Use software techniques that can mitigate the consequences of transient execution. For example, address masking can be used in some circumstances to prevent out-of-bounds transient reads.
If the weakness is exposed by a single instruction (or a small set of instructions), then the compiler (or JIT, etc.) can be configured to prevent the affected instruction(s) from being generated, and instead generate an alternate sequence of instructions that is not affected by the weakness.
If a hardware feature can allow incorrect or stale data to be forwarded to transient operations, the hardware designer may opt to disclose this behavior in architecture documentation. This documentation can inform users about potential consequences and effective mitigations.
Detection Methods
- Automated Static Analysis Moderate — A variety of automated static analysis tools can identify potentially exploitable code sequences in software. These tools may perform the analysis on source code, on binary code, or on an intermediate code representation (for example, during compilation).
- Manual Analysis Moderate — This weakness can be detected in hardware by manually inspecting processor specifications. Features that exhibit this weakness may include microarchitectural predictors, access control checks that occur out-of-order, or any other features that can allow operations to execute without
- Automated Analysis High — Software vendors can release tools that detect presence of known weaknesses on a processor. For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under te
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2020-0551 | A fault, microcode assist, or abort may allow transient load operations to forward malicious stale data to dependent operations executed by a victim, causing the victim to unintentionally |
| CVE-2020-8698 | A fast store forwarding predictor may allow store operations to forward incorrect data to transient load operations, potentially exposing data over a covert channel. |
Related Weaknesses
Frequently Asked Questions
What is CWE-1422?
CWE-1422 (Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. A processor event or prediction may allow incorrect or stale data to be forwarded to transient operations, potentially exposing data over a covert channel.
How can CWE-1422 be exploited?
Attackers can exploit CWE-1422 (Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution) to read memory. This weakness is typically introduced during the Architecture and Design phase of software development.
How do I prevent CWE-1422?
Key mitigations include: The hardware designer can attempt to prevent transient execution from causing observable discrepancies in specific covert channels.
What is the severity of CWE-1422?
CWE-1422 is classified as a Base-level weakness (Medium abstraction). It has been observed in 2 real-world CVEs.