Processor Optimization Removal or Modification of Security-critical Code

Incomplete Base
Structure: Simple
Description

This vulnerability occurs when a processor's performance optimization unintentionally strips out or alters security-critical code that a developer intentionally placed in the software.

Extended Description

Modern processors use complex optimization techniques like speculative execution, branch prediction, and instruction reordering to boost performance. However, these very optimizations can sometimes work against security by removing timing-based checks, skipping redundant-looking security validations, or executing instructions out of order in a way that bypasses critical security gates. The developer's code appears correct at the source and compiled levels, but the hardware's behavior creates a hidden gap in the intended security model. For developers, this means security mechanisms that rely on precise execution order or constant-time operations—common in cryptography or access control checks—are particularly at risk. Mitigating this requires understanding specific processor behaviors and using appropriate barriers, serializing instructions, or compiler intrinsics that prevent the CPU from optimizing away these sensitive code sections. It's a reminder that security must be enforced at the hardware-software interface, not just within the source code.
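The mitigation described above, shown for the bounds-check case listed under CVE-2017-5753, as an added example that is not part of the CWE entry: the index is clamped with a branchless mask so that a mispredicted bounds check cannot feed an out-of-range index to the dependent load. The names `index_mask_nospec` and `read_entry` and the sample table are assumptions made for illustration; the mask mirrors the generic `array_index_mask_nospec()` in the Linux kernel.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* All-ones when index < size, zero otherwise, computed without a branch so
 * the result is a data dependency rather than something the CPU predicts.
 * Valid for size <= SIZE_MAX / 2 (the same restriction the Linux kernel's
 * generic array_index_mask_nospec() documents). */
static size_t index_mask_nospec(size_t index, size_t size)
{
#if defined(__GNUC__)
    /* Hide the value from the optimizer so it cannot fold the mask back
     * into the bounds-check branch it has already seen. */
    __asm__ volatile("" : "+r"(index));
#endif
    /* Top bit is set iff index >= size (size - 1 - index wraps around)
     * or index itself has its top bit set. */
    size_t oob = (index | (size - 1 - index)) >> (sizeof(size_t) * CHAR_BIT - 1);
    return oob - 1;   /* 0 - 1 = all ones (in bounds), 1 - 1 = 0 */
}

/* Hypothetical helper: bounds-checked read from a caller-supplied table.
 * Returns 0 and stores the byte in *out, or -1 if index is out of range. */
static int read_entry(const uint8_t *table, size_t size, size_t index,
                      uint8_t *out)
{
    if (index >= size)
        return -1;              /* architectural check; may be mispredicted */
    /* Clamp before the load: an out-of-range index becomes 0 even on a
     * speculative path that skipped the check above. */
    index &= index_mask_nospec(index, size);
    *out = table[index];
    return 0;
}

int main(void)
{
    static const uint8_t table[4] = { 10, 20, 30, 40 };  /* constructed data */
    uint8_t v = 0;
    return (read_entry(table, 4, 2, &v) == 0 && v == 30 &&
            read_entry(table, 4, 4, &v) == -1) ? 0 : 1;
}
```

Where a mask is not practical, a serializing instruction such as x86 `lfence` placed after the check serves the same purpose at a higher performance cost.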

Common Consequences
Scope: Integrity

Impact: Bypass Protection Mechanism

Successful exploitation of this weakness changes the order of an application's execution and will likely be used to bypass specific protection mechanisms. This bypass can be exploited further to potentially read data that should otherwise be inaccessible.

Detection Methods
Method: White Box

Effectiveness: Opportunistic

In theory, this weakness can be detected through white box testing techniques in which specifically crafted test cases are used in conjunction with debuggers to verify the order of statements being executed.

Observed Examples
CVE-2017-5715: Intel, ARM, and AMD processor optimizations related to speculative execution and branch prediction cause access control checks to be bypassed when placing data into the cache. Often known as "Spectre".
CVE-2017-5753: Intel, ARM, and AMD processor optimizations related to speculative execution and branch prediction cause access control checks to be bypassed when placing data into the cache. Often known as "Spectre".
CVE-2017-5754: Intel processor optimizations related to speculative execution cause access control checks to be bypassed when placing data into the cache. Often known as "Meltdown".
References
Spectre Attacks: Exploiting Speculative Execution
Paul Kocher, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom
03-01-2018
ID: REF-11

Meltdown
Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg
03-01-2018
ID: REF-12

Likelihood of Exploit

Low

Applicable Platforms
Languages:
Not Language-Specific : Rarely
Technologies:
Processor Hardware : Undetermined
Modes of Introduction
Architecture and Design
Related Weaknesses
Notes
Maintenance: As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. As a result, this entry might change significantly in CWE 4.10.