The MITRE-led Common Weakness Enumeration (CWE) program has added four new microprocessor-related weaknesses to the community-developed list of common software and hardware weaknesses that result in exploitable vulnerabilities.
The new CWEs are the most significant of the updates contained in CWE version 4.14, the latest version of the resource widely used to describe and document different types of weaknesses, released on February 29.
A complex and collaborative effort
The CWEs are the result of a collaborative effort between Intel, AMD, Arm, Riscure and Cycuity and offer processor designers and security professionals in the semiconductor industry a common language to discuss the weaknesses of modern microprocessor architectures. Stakeholders can use CWEs to look for weaknesses in existing products and to establish a standard for identifying and mitigating weaknesses that lead to vulnerabilities in microprocessor technologies.
“CWE…is about the root causes that actually make vulnerabilities possible,” says Alec Summers, MITRE’s CWE program manager. They encapsulate information about the one-to-many relationship between a single mistake a developer might make and the many hundreds of vulnerabilities it can lead to across products, Summers says. “The four new CWEs define errors in microarchitectural design and are the result of a truly incredible collaboration between members of the industry who are somewhat competitors,” he says.
Much of the impetus for collaboration came from efforts by stakeholders in the hardware and microprocessor communities to establish a common understanding of the root causes behind major vulnerabilities, such as Meltdown and Spectre, says Bob Heinemann, the leader of the CWE working group in charge of the work.
The two related vulnerabilities stemmed from a weakness in a processor performance optimization technique called out-of-order or speculative execution. The defects enabled side-channel attacks that attackers could abuse to obtain sensitive information, such as passwords and encryption keys, from systems running these processors. The vulnerabilities affected nearly every major microprocessor technology and were extremely difficult to address because they existed at the hardware level. Since then, researchers have continued to find new ways to exploit the weakness through side-channel attacks.
“We boiled [the root causes] up to four things,” says Heinemann, who describes the work as some of the most challenging and technically complex the CWE program has ever undertaken. The goal was to ensure that microprocessor designers have information that will help them to design around the causes that led to the two vulnerabilities and others like them, he says.
Weaknesses related to transient execution in modern CPUs
The four new CWEs are CWE-1420, CWE-1421, CWE-1422 and CWE-1423.
CWE-1420 covers exposure of sensitive information during transient or speculative execution (the hardware optimization feature associated with Meltdown and Spectre) and is the “parent” of the other three CWEs.
CWE-1421 deals with the leakage of sensitive information from shared microarchitectural structures during transient execution; CWE-1422 addresses data exposure caused by incorrect data forwarding during transient execution; CWE-1423 examines data exposure tied to a specific internal state within a microprocessor.
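The article gives no code, so the following is an added illustration from the defender's side, not material from the CWE program or the article. It shows the branchless index-masking idiom (modelled on the Linux kernel's array_index_mask_nospec) that hardens a bounds check against the CWE-1420 class: even if the CPU mispredicts the check and runs the load transiently, the masked index cannot reach past the table. The table contents and function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample lookup table for the demonstration. */
#define TABLE_LEN 8
static const uint8_t table[TABLE_LEN] = {10, 20, 30, 40, 50, 60, 70, 80};

/*
 * Branchless mask: all-ones when index < size, zero otherwise.
 * Computed with plain arithmetic rather than a branch, so a mispredicted
 * bounds check cannot leave a transient window in which the mask is wrong.
 * Assumes size < 2^63 (true for any real array).
 */
uint64_t index_mask_nospec(uint64_t index, uint64_t size)
{
    /* Top bit of v is set exactly when index >= size or index is huge. */
    uint64_t v = index | (size - 1 - index);
    uint64_t out_of_range = v >> 63;          /* 1 or 0 */
    return (uint64_t)0 - ((uint64_t)1 - out_of_range);
}

/*
 * Weak pattern: the bounds check is a branch. Architecturally correct, but
 * under misprediction the load may execute transiently with an
 * out-of-range index, which is the condition CWE-1420 describes.
 */
uint8_t lookup_checked_only(size_t index)
{
    if (index < TABLE_LEN)
        return table[index];
    return 0;
}

/*
 * Hardened pattern: keep the check, then clamp the index with the mask.
 * In the architectural path the mask is all-ones and nothing changes; in a
 * transient path with a bad index the mask is zero, so the load hits
 * table[0] instead of attacker-chosen memory.
 */
uint8_t lookup_masked(size_t index)
{
    if (index < TABLE_LEN) {
        size_t mask = (size_t)index_mask_nospec(index, TABLE_LEN);
        index &= mask;
        return table[index];
    }
    return 0;
}
```

The mask addresses only the bounds-check-bypass shape of the weakness; leaks through shared structures (CWE-1421) or forwarding logic (CWE-1422) need other controls such as microcode, barriers or isolation.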
Microprocessor-based CWEs are important due to the growing number of side-channel exploits that target CPU resources, says John Gallagher, vice president of Viakoo Labs. “Chip-level vulnerabilities are typically difficult to patch,” he says, “which is why identifying potential vulnerabilities early provides a better path to addressing them through firmware updates and, ultimately, designing the vulnerability out of future [versions].”