TID-103: Cache Timing Analysis Side Channel
Threat Description
Cache-based timing analysis attacks exploit the difference in access latency between cached and uncached memory to infer the contents of memory. This bypasses existing OS privilege mechanisms.
If a threat actor is capable of executing arbitrary code on the device, they may be able to use a cache-based side-channel attack to extract sensitive data (e.g., passwords, keys) from more privileged processes or regions of memory on the device. Executing a cache-based attack assumes the threat actor can deploy custom software (including scripts) to the device.
Threat Maturity and Evidence
Known Exploitable Weakness
Spectre and Meltdown Cache Timing
Cache timing was used to build micro-architectural side channels that reveal whether a given piece of data was in the cache for the Spectre/Meltdown-based attacks. Through this side-channel data leak, it was possible to dump entire sections of program memory in the case of Spectre/Meltdown, and kernel memory in the case of Meltdown. Both Spectre and Meltdown have been observed in the wild.
CWE
CVE
CVE-2017-5754 (Meltdown)
“Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.”
CVE-2017-5753 (Spectre)
“Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.”
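As an added example (not part of this catalogue entry), a POSIX shell check a defender can run on a Linux host to see whether the kernel reports the Meltdown and Spectre issues cited above as mitigated. It reads the kernel's sysfs reports under /sys/devices/system/cpu/vulnerabilities; the optional directory argument is an assumption added only so the functions can be pointed at a copy of those files.

```shell
#!/bin/sh
# Added example: report the kernel's own view of the cache-timing issues in
# TID-103. Each file under /sys/devices/system/cpu/vulnerabilities holds one
# line such as "Not affected", "Mitigation: PTI" or "Vulnerable".

# mitigation_status <name> [dir]
# Prints one of: not-affected | mitigated | vulnerable | unknown
mitigation_status() {
  name="$1"
  dir="${2:-/sys/devices/system/cpu/vulnerabilities}"
  f="$dir/$name"
  # Missing or unreadable file (old kernel, non-Linux host): we cannot say.
  [ -r "$f" ] || { echo unknown; return 0; }
  status=$(cat "$f")
  case "$status" in
    "Not affected"*) echo not-affected ;;
    Mitigation:*)    echo mitigated ;;
    Vulnerable*)     echo vulnerable ;;
    *)               echo unknown ;;
  esac
}

# audit_cache_timing [dir]
# Walks the entries relevant to this threat: meltdown (CVE-2017-5754),
# spectre_v1 (CVE-2017-5753) and spectre_v2 (the second Spectre variant).
# Prints a table and returns non-zero if any entry is reported vulnerable.
audit_cache_timing() {
  dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
  rc=0
  for v in meltdown spectre_v1 spectre_v2; do
    s=$(mitigation_status "$v" "$dir")
    printf '%-10s %s\n' "$v" "$s"
    [ "$s" = vulnerable ] && rc=1
  done
  return $rc
}

# Stand-alone use: audit the running host (or a directory given as $1).
if audit_cache_timing "${1:-}"; then
  echo "no entry reported vulnerable"
else
  echo "at least one entry reported vulnerable"
fi
```

An "unknown" result means the kernel exposes no report for that entry, which should be investigated rather than read as safe.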