MITRE Rolls Out 4 Brand-New CWEs for Microprocessor Security Bugs

  /     /     /  
Publicated : 23/11/2024   Category : security


MITRE Rolls Out 4 Brand-New CWEs for Microprocessor Security Bugs


Goal is to give chip designers and security practitioners in the semiconductor space a better understanding of major microprocessor flaws like Meltdown and Spectre.



The MITRE-led Common Weakness Enumeration (CWE) program added four new microprocessor-related weaknesses to its community-developed list of common software and hardware weaknesses that result in exploitable vulnerabilities.
The new CWEs
are the most significant among the updates included in
CWE Version 4.14,
 the latest version of the widely used resource for describing and documenting different weakness types, released Feb. 29.
The CWEs are the result of a collaborative effort among Intel, AMD, Arm, Riscure, and Cycuity and give processor designers and security practitioners in the semiconductor space a common language for discussing weaknesses in modern microprocessor architectures. Stakeholders can use the CWEs to look for weaknesses in existing products and to establish a standard for identifying and mitigating weaknesses that lead to vulnerabilities in microprocessor technologies.
CWEs ... are about the root causes that really make vulnerabilities possible, says Alec Summers, MITREs CWE program lead. They encapsulate information on the one-to-many relationship between a single mistake a developer might make and the many hundreds of vulnerabilities that it can result in across products, Summers says. The four new CWEs define mistakes in microarchitectural design and are the result of some really incredible collaboration among industry members that are competitors in some ways, he says.
A lot of the impetus for the collaboration stemmed from efforts by stakeholders in the hardware and microprocessor communities to establish a common understanding of the root causes behind major vulnerabilities, like
Meltdown and Spectre
, says Bob Heinemann, the leader of the CWE working group tasked with the job.
The two related vulnerabilities were associated with a weakness in a processor performance optimization technique called out-of-order or speculative execution. The flaws
enabled side-channel attacks
that attackers could abuse to obtain sensitive information, such as passwords and encryption keys from systems running these processors. The vulnerabilities affected almost every major microprocessor technology and were hugely challenging to address because they existed at the hardware level. Since then, researchers have kept looking for and finding new ways to
exploit the weakness in side-channel attacks
.
We boiled [the root causes] down to four things, says Heinemann, who describes the work that went into it as some of the most technically challenging and complex the CWE program has ever undertaken. The focus was to ensure that microprocessor designers have information that will help them design around the causes that led to the two vulnerabilities and similar ones, he says.
The four new CWEs are CWE-1420, CWE-1421, CWE-1422, and CWE-1423.
CWE-1420 concerns exposure of sensitive information during transient or speculative execution — the hardware optimization function associated with Meltdown and Spectre — and is the parent of the three other CWEs.
CWE-1421 has to do with sensitive information leaks in shared microarchitectural structures during transient execution; CWE-1422 addresses data leaks tied to incorrect data forwarding during transient execution. CWE-1423 looks at data exposure tied to a specific internal state within a microprocessor.
The microprocessor CWEs are important because of the increasing number of
side-channel exploits targeting CPU
resources, says John Gallagher, vice president at Viakoo Labs. Chip-level vulnerabilities are typically hard to patch, he says, which is why catching potential vulnerabilities early provides a better path to addressing them through firmware updates and ultimately by designing the vulnerability out of future [versions].

Last News

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
MITRE Rolls Out 4 Brand-New CWEs for Microprocessor Security Bugs