MITRE Rolls Out 4 Brand-New CWEs for Microprocessor Security Bugs
Goal is to give chip designers and security practitioners in the semiconductor space a better understanding of major microprocessor flaws like Meltdown and Spectre.
February 29, 2024
The MITRE-led Common Weakness Enumeration (CWE) program added four new microprocessor-related weaknesses to its community-developed list of common software and hardware weaknesses that result in exploitable vulnerabilities.
The new CWEs are the most significant among the updates included in CWE Version 4.14, the latest version of the widely used resource for describing and documenting different weakness types, released Feb. 29.
A Complex, Collaborative Effort
The CWEs are the result of a collaborative effort among Intel, AMD, Arm, Riscure, and Cycuity and give processor designers and security practitioners in the semiconductor space a common language for discussing weaknesses in modern microprocessor architectures. Stakeholders can use the CWEs to look for weaknesses in existing products and to establish a standard for identifying and mitigating weaknesses that lead to vulnerabilities in microprocessor technologies.
"CWEs ... are about the root causes that really make vulnerabilities possible," says Alec Summers, MITRE's CWE program lead. They encapsulate information on the one-to-many relationship between a single mistake a developer might make and the many hundreds of vulnerabilities that it can result in across products, Summers says. "The four new CWEs define mistakes in microarchitectural design and are the result of some really incredible collaboration among industry members that are competitors in some ways," he says.
A lot of the impetus for the collaboration stemmed from efforts by stakeholders in the hardware and microprocessor communities to establish a common understanding of the root causes behind major vulnerabilities, like Meltdown and Spectre, says Bob Heinemann, the leader of the CWE working group tasked with the job.
The two related vulnerabilities were associated with a weakness in a processor performance optimization technique called out-of-order or speculative execution. The flaws enabled side-channel attacks that attackers could abuse to obtain sensitive information, such as passwords and encryption keys, from systems running these processors. The vulnerabilities affected almost every major microprocessor technology and were hugely challenging to address because they existed at the hardware level. Since then, researchers have kept looking for and finding new ways to exploit the weakness in side-channel attacks.
"We boiled [the root causes] down to four things," says Heinemann, who describes the work that went into it as some of the most technically challenging and complex the CWE program has ever undertaken. The focus was to ensure that microprocessor designers have information that will help them design around the causes that led to the two vulnerabilities and similar ones, he says.
Transient Execution Related Weaknesses in Modern CPUs
The four new CWEs are CWE-1420, CWE-1421, CWE-1422, and CWE-1423.
CWE-1420 concerns exposure of sensitive information during transient or speculative execution — the hardware optimization function associated with Meltdown and Spectre — and is the "parent" of the three other CWEs.
CWE-1421 has to do with sensitive information leaks in shared microarchitectural structures during transient execution; CWE-1422 addresses data leaks tied to incorrect data forwarding during transient execution. CWE-1423 looks at data exposure tied to a specific internal state within a microprocessor.
The microprocessor CWEs are important because of the increasing number of side-channel exploits targeting CPU resources, says John Gallagher, vice president at Viakoo Labs. "Chip-level vulnerabilities are typically hard to patch," he says, "which is why catching potential vulnerabilities early provides a better path to addressing them through firmware updates and ultimately by designing the vulnerability out of future [versions]."