CAPEC-663

Standard Abstraction Level
Meta — Very abstract, high-level category
Standard — Specific enough to understand
Detailed — Tied to specific technique
Stable MITRE CAPEC Status
Stable — Fully reviewed and complete
Draft — Under development
Incomplete — Partially defined
Deprecated — No longer recommended
Obsolete — Replaced by another CAPEC
Likelihood: Low Severity: Very High
Exploitation of Transient Instruction Execution

Description

An adversary exploits a hardware design flaw in a CPU implementation of transient instruction execution to expose sensitive data and bypass/subvert access control over restricted resources. Typically, the adversary conducts a covert channel attack to target non-discarded microarchitectural changes caused by transient executions such as speculative execution, branch prediction, instruction pipelining, and/or out-of-order execution. The transient execution results in a series of instructions (gadgets) which construct covert channel and access/transfer the secret data.

Prerequisites

The adversary needs at least user execution access to a system and a maliciously crafted program/application/process with unprivileged code to misuse transient instruction set execution of the CPU.

Mitigations

Implementation: DAWG (Dynamically Allocated Way Guard) - processor cache properly divided between different programs/processes that don't share resources

Implementation: KPTI (Kernel Page-Table Isolation) to completely separate user-space and kernel space page tables

Configuration: Architectural Design of Microcode to limit abuse of speculative execution and out-of-order execution

Configuration: Disable SharedArrayBuffer for Web Browsers

Configuration: Disable Copy-on-Write between Cloud VMs

Configuration: Privilege Checks on Cache Flush Instructions

Implementation: Non-inclusive Cache Memories to prevent Flush+Reload Attacks

Skills Required

[High] Detailed knowledge on how various CPU architectures and microcode perform transient execution for various low-level assembly language code instructions/operations.

[High] Detailed knowledge on compiled binaries and operating system shared libraries of instruction sequences, and layout of application and OS/Kernel address spaces for data leakage.