logo

Information Exposure through Microarchitectural State after Transient Execution

Incomplete Base
Structure: Simple
Description

This vulnerability occurs when a CPU fails to completely erase temporary data traces left behind by speculative execution or error recovery processes. These lingering microarchitectural hints can be analyzed through side-channels to leak sensitive information.

Extended Description

Modern CPUs use techniques like speculative execution and microcode assists to boost performance. When these operations are canceled or encounter errors, the processor should fully clean up. However, if remnants of these transient computations persist in internal buffers (like load/store queues), they create a measurable change in the chip's hidden state. An attacker can then use timing or other side-channel attacks to infer protected data, such as secrets from other processes or virtual machines. Successful exploitation typically requires three conditions: first, vulnerable code must speculatively access sensitive information, leaving microarchitectural traces. Second, the attacker must be able to trigger the specific CPU exceptions or mis-speculations that create these traces. Finally, the attacker needs a method to observe the state change, often by analyzing cache timing or other hardware resource contention, to slowly reconstruct the leaked data.
Common Consequences 1
Scope: ConfidentialityIntegrity

Impact: Modify MemoryRead MemoryExecute Unauthorized Code or Commands
Potential Mitigations 2
Phase: Architecture and DesignRequirements
Hardware ensures that no illegal data flows from faulting micro-ops exists at the microarchitectural level.

Effectiveness: High

Phase: Build and Compilation
Include instructions that explicitly remove traces of unneeded computations from software interactions with microarchitectural elements e.g. lfence, sfence, mfence, clflush.

Effectiveness: High
Demonstrative Examples 1
Faulting loads in a victim domain may trigger incorrect transient forwarding, which leaves secret-dependent traces in the microarchitectural state. Consider this example from [REF-1203].
Consider the code gadget:

Code Example:

Bad
C
c
A processor with this weakness will store the value of untrusted_arg (which may be provided by an attacker) to the stack, which is trusted memory. Additionally, this store operation will save this value in some microarchitectural buffer, e.g. the store queue. In this code gadget, trusted_ptr is dereferenced while the attacker forces a page fault. The faulting load causes the processor to mis-speculate by forwarding untrusted_arg as the (speculative) load result. The processor then uses untrusted_arg for the pointer dereference. After the fault has been handled and the load has been re-issued with the correct argument, secret-dependent information stored at the address of trusted_ptr remains in microarchitectural state and can be extracted by an attacker using a code gadget.
Observed Examples 1
CVE-2020-0551Load value injection in some processors utilizing speculative execution may allow an authenticated user to enable information disclosure via a side-channel with local access.
References 4
LVI - Hijacking Transient Execution with Load Value Injection
Jo Van Bulck, Daniel Moghimi, Michael Schwarz, Moritz Lipp, Marina Minkin, Daniel Genkin, Yuval Yarom, Berk Sunar, Daniel Gruss, and Frank Piessens
2020
https://lviattack.eu/
ID: REF-1202
LVI: Hijacking Transient Execution through Microarchitectural Load Value Injection
Jo Van Bulck, Daniel Moghimi, Michael Schwarz, Moritz Lipp, Marina Minkin, Daniel Genkin, Yuval Yarom, Berk Sunar, Daniel Gruss, and Frank Piessens
09-01-2020
https://lviattack.eu/lvi.pdf
ID: REF-1203
Hijacking Transient Execution through Microarchitectural Load Value Injection
18-05-2020
https://www.youtube.com/watch?v=99kVz-YGi6Y
ID: REF-1204
CacheOut: Leaking Data on Intel CPUs via Cache Evictions
Stephan van Schaik, Marina Minkin, Andrew Kwong, Daniel Genkin, Yuval Yarom
28-12-2020
https://cacheoutattack.com/files/CacheOut.pdf
ID: REF-1205
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Technologies:
Not Technology-Specific : UndeterminedSystem on Chip : Undetermined
Modes of Introduction
Architecture and Design
Requirements
Related Attack Patterns
Related Weaknesses
ChildOf: Sensitive Information in Resource Not Removed Before Reuse (CWE-226)
ChildOf: Sensitive Information in Resource Not Removed Before Reuse (CWE-226)
Notes
RelationshipInformation Exposure through Microarchitectural State after Transient Execution differs from Non-Transparent Sharing of Microarchitectural Resources, which is related to misprediction and biasing microarchitectural components, while Information Exposure through Microarchitectural State after Transient Execution addresses illegal data flows and retention. For example, Spectre is an instance of Non-Transparent Sharing of Microarchitectural Resources biasing branch prediction to steer the transient execution indirectly.
MaintenanceAs of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. As a result, this entry might change significantly in CWE 4.10.