CAPEC-696 Metadata
Likelihood of Attack: Low
Typical Severity: Very High
Overview
Summary
An adversary exploits a hardware design flaw in a CPU implementation of transient instruction execution in which a faulting or assisted load instruction transiently forwards adversary-controlled data from microarchitectural buffers. By inducing a page fault or microcode assist during victim execution, an adversary can force legitimate victim execution to operate on the adversary-controlled data which is stored in the microarchitectural buffers. The adversary can then use existing code gadgets and side channel analysis to discover victim secrets that have not yet been flushed from microarchitectural state or hijack the system control flow.
Prerequisites
The adversary needs at least user execution access to a system and a maliciously crafted program/application/process with unprivileged code to misuse transient instruction set execution of the CPU.
The CPU incorrectly transiently forwards values from microarchitectural buffers after faulting or assisted loads.
The adversary needs the ability to induce page faults or microcode assists on the target system.
Code gadgets exist that allow the adversary to hijack transient execution and encode secrets into the microarchitectural state.
Execution Flow
Step | Phase | Description |
---|---|---|
1 | Explore | [Survey target application and relevant OS shared code libraries] Adversary identifies vulnerable transient instruction sets and the code/function calls to trigger them as well as instruction sets or code fragments (gadgets) to perform attack. The adversary looks for code gadgets which will allow them to load an adversary-controlled value into trusted memory. They also look for code gadgets which might operate on this controlled value. |
2 | Experiment | [Fill microarchitectural buffer with controlled value] The adversary will utilize the found code gadget from the previous step to load a value into a microarchitectural buffer. |
3 | Experiment | [Set up instruction to page fault or microcode assist] The adversary must manipulate the system such that a page fault or microcode assist occurs when a valid instruction is run. If the instruction that fails is near where the adversary-controlled value was loaded, the system may forward this value from the microarchitectural buffer incorrectly. |
4 | Exploit | [Operate on adversary-controlled data] Once the attack has been set up and the page fault or microcode assist occurs, the system operates on the adversary-controlled data. |
Potential Solutions / Mitigations
Do not allow the forwarding of data resulting from a faulting or assisted instruction. Some current mitigations claim to zero out the forwarded data, but this mitigation still does not suffice.
Insert explicit “lfence” speculation barriers in software before potentially faulting or assisted loads. This halts transient execution until all previous instructions have been executed and ensures that the architecturally correct value is forwarded.
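The following C program is an added example and is not part of the CAPEC entry. It shows the two gadget shapes the pattern relies on (a loaded value used as an array index, and a loaded pointer used as an indirect call target) next to versions hardened with an explicit lfence placed between the load and its first dependent use, which is where compiler-level LVI hardening inserts the fence. All function names, the lookup table and the `SPECULATION_BARRIER` macro are constructed for this example; the non-x86 fallback is only a compiler barrier so that the file still builds elsewhere.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumption: x86 builds get a real lfence; other ISAs only get a compiler
 * barrier so the example compiles, which is NOT a speculation barrier there. */
#if defined(__x86_64__) || defined(__i386__)
#  define SPECULATION_BARRIER() __asm__ __volatile__("lfence" ::: "memory")
#else
#  define SPECULATION_BARRIER() __asm__ __volatile__("" ::: "memory")
#endif

#define TABLE_LEN 16

/* Constructed stand-in for victim data indexed by an untrusted value. */
static const uint8_t table[TABLE_LEN] = {
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
};

/* Gadget shape 1 (unhardened): the index loaded from *idx_ptr is consumed
 * right away. If that load faults or needs a microcode assist and the core
 * transiently forwards stale buffer contents, the dependent table[] access
 * runs on an injected index before the fault is architecturally handled. */
uint8_t lookup_unfenced(const size_t *idx_ptr) {
    size_t idx = *idx_ptr;
    if (idx >= TABLE_LEN) return 0;
    return table[idx];
}

/* Hardened: the fence sits between the load and every use of its result, so
 * nothing downstream executes until idx is the architecturally correct value. */
uint8_t lookup_fenced(const size_t *idx_ptr) {
    size_t idx = *idx_ptr;
    SPECULATION_BARRIER();
    if (idx >= TABLE_LEN) return 0;
    return table[idx];
}

typedef int (*handler_fn)(int);

static int double_it(int x) { return 2 * x; }

/* Gadget shape 2 (unhardened): a function pointer loaded from memory is used
 * as an indirect call target; an injected pointer value steers transient
 * control flow to attacker-chosen code. */
int dispatch_unfenced(handler_fn *slot, int arg) {
    handler_fn fn = *slot;
    return fn(arg);
}

/* Hardened: the fence resolves the loaded pointer before the indirect call. */
int dispatch_fenced(handler_fn *slot, int arg) {
    handler_fn fn = *slot;
    SPECULATION_BARRIER();
    return fn(arg);
}

/* Exposed so callers can see which kind of barrier this build actually uses. */
int barrier_is_real_lfence(void) {
#if defined(__x86_64__) || defined(__i386__)
    return 1;
#else
    return 0;
#endif
}

int main(void) {
    size_t idx = 3;
    handler_fn slot = double_it;
    printf("fenced lookup[3]  = 0x%02x\n", lookup_fenced(&idx));
    printf("fenced dispatch   = %d\n", dispatch_fenced(&slot, 21));
    printf("real lfence used  = %d\n", barrier_is_real_lfence());
    return 0;
}
```

Architecturally the fenced and unfenced functions return the same values; the difference is only visible in what the core may execute transiently, which is why the placement (after the load, before its first use) matters more than the fence's presence somewhere in the function. Clang applies this transformation automatically with `-mlvi-hardening` (and `-mlvi-cfi` for indirect branches); GCC 10 and later offer `-mlfence-after-load=yes`.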
Related Weaknesses (CWE)
CWE ID | Description |
---|---|
CWE-1342 | Information Exposure through Microarchitectural State after Transient Execution |
Related CAPECs
CAPEC ID | Description |
---|---|
CAPEC-663 | An adversary exploits a hardware design flaw in a CPU implementation of transient instruction execution to expose sensitive data and bypass/subvert access control over restricted resources. Typically, the adversary conducts a covert channel attack to target non-discarded microarchitectural changes caused by transient executions such as speculative execution, branch prediction, instruction pipelining, and/or out-of-order execution. The transient execution results in a series of instructions (gadgets) which construct a covert channel and access/transfer the secret data. |