
News & Events


How “Meltdown” and “Spectre” Can Be Defined by CWE and CAPEC

January 31, 2018

There has been a lot of press (rightly so) regarding the “Meltdown”- and “Spectre”-style attacks. The CAPEC and CWE teams have been reviewing the available information and trying to determine if new weaknesses or attack patterns should be added. Below are our current thoughts. We welcome additional discussion.

Common Weakness Enumeration (CWE™)

Both Meltdown and Spectre are technically attacks. They take advantage of a processor executing instructions out of order, in a way that causes some instructions to be executed even though the logic of the original code would not execute these instructions. This condition leads to a case where data in memory is cached before a permission check is performed. The end result is the ability to perform side-channel style attacks against the cache to learn the exact value of data.

The root cause of both of these attacks is out-of-order execution. The processor uses this feature to increase the speed at which a program can be executed. This is very similar to compiler optimizations, where a compiler makes changes to the source code to improve performance. In both instances, the computer is no longer executing exactly what the developer told it to execute, but rather is executing a variation that the processor/compiler thinks is “better.”

Unfortunately, these optimizations can sometimes lead to an exploitable weakness. There already exists a base-level CWE for the compiler version of this:

CWE-733: Compiler Optimization Removal or Modification of Security-critical Code

A new base-level CWE should be added to cover the case where the processor changes the order of security-critical code.

In addition, a new class-level CWE should also be considered around the topic of “Insecure Optimizations.” This class-level CWE would be a member of the Behavioral Problems category in the Development Concepts view, and a child of Interaction Error in the Researcher view. Both the existing compiler optimization (CWE-733) weakness and the new processor execution order weakness would be children of this new class.

CWE CATEGORY: Behavioral Problems

CWE-435: Improper Interaction Between Multiple Entities

Finally, there should be a CanFollow relationship between the existing class CWE-696: Incorrect Behavior Order and this new class “Insecure Optimizations”. We see this relationship in Meltdown/Spectre with the optimizations resulting in a change in the order of execution.

One last note: many discussions of Meltdown and Spectre focus on the side-channel attack that arises from timing discrepancies. In this case, the timing discrepancy is not a weakness, as it is legitimate behavior (caching improves efficiency) and is not introduced by choices made by the application developer. Therefore, it is not a focus from the CWE classification perspective; the ability to observe this (legitimate) timing discrepancy arises from the insecure optimization.
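The reordering described above, as an added example that is not part of the article or of any CWE/CAPEC entry: a bounds-checked table lookup written in the order the source asks for, beside the branch-free index-masking form that keeps an out-of-range index from being used even while the check is still being speculated. The table contents are constructed sample data; the mask mirrors the masking technique used in the Linux kernel (`array_index_nospec`) as an illustrative reimplementation, and the compiler barrier assumes GCC or Clang.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed sample data: a small public table. The bounds check below is
 * meant to keep any memory past its end unreachable through this lookup. */
#define TABLE_LEN 16
static const uint8_t table[TABLE_LEN] = {
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
};

/* The order the source code asks for: check first, then load. A processor that
 * predicts the branch and runs ahead of it can issue the load for an out-of-range
 * idx before the comparison resolves; that is the processor-side reordering of
 * security-critical code the article proposes a new CWE for. */
uint8_t read_checked(size_t idx)
{
    if (idx < TABLE_LEN)
        return table[idx];
    return 0;
}

/* Branch-free mask: all ones when idx < size, zero otherwise. No branch is
 * involved, so the mask is right even on a mispredicted path. Assumes
 * 0 < size <= SIZE_MAX / 2 (illustrative reimplementation of the kernel's
 * array_index_nospec idea, not that project's code). */
static inline size_t index_mask_nospec(size_t idx, size_t size)
{
    /* (size - 1 - idx) wraps and sets the top bit exactly when idx >= size;
     * OR-ing idx in also catches idx values that already have the top bit set. */
    size_t out_of_range = (idx | (size - 1 - idx)) >> (sizeof(size_t) * CHAR_BIT - 1);
    return out_of_range - 1;   /* 0 -> SIZE_MAX (all ones), 1 -> 0 */
}

/* Hardened form: the check still gates the architectural result, and the mask
 * clamps idx to 0 on a speculative path so no out-of-range address is loaded. */
uint8_t read_checked_nospec(size_t idx)
{
    if (idx >= TABLE_LEN)
        return 0;
#if defined(__GNUC__) || defined(__clang__)
    /* Keep the compiler from proving idx < TABLE_LEN and deleting the mask: the
     * compiler reasons about the architectural value, not the speculated one. */
    __asm__ __volatile__("" : "+r"(idx));
#endif
    idx &= index_mask_nospec(idx, TABLE_LEN);
    return table[idx];
}
```

Architecturally both functions return the same values; the difference only matters on the speculative path, which a unit test cannot observe, so the assertions below only confirm the mask and the lookups behave as intended.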

Common Attack Pattern Enumeration and Classification (CAPEC™)

Shifting to the attack pattern side of things, neither the compiler weakness nor the processor weakness is currently well represented in CAPEC.

The compiler weakness (CWE-733) is not directly attacked, but rather results in a different weakness (e.g., buffer overflow) being present in the software, and that weakness is the one that is used in an attack. CWE thinks of this as a chain. The processor weakness can be thought of in the same way. Even though an adversary can manipulate when/how a processor decides to execute out of order, it is the resulting exposure of data that contributes to the vulnerability. See CWE-668: Exposure of Resource to Wrong Sphere.

For both the Meltdown and Spectre attacks, CAPEC already has a relevant standard-level attack pattern that can be leveraged:

CAPEC-141: Cache Poisoning

This attack pattern has a detailed-level child that covers the DNS version of cache poisoning. Meltdown and Spectre expose a different type of cache poisoning, where the adversary doesn't insert malicious data into the cache but rather causes the cache to contain data that shouldn’t be allowed there. CAPEC-141 needs to be cleaned up a bit, but the overall idea behind it is valid. A new detailed-level pattern should be added to cover the Flush+Reload attack pattern (and potentially others) that are leveraged by the Meltdown and Spectre attacks.

What do you think?

Please let us know your thoughts on the above by sending an email message to the CAPEC Researcher community discussion list, or directly to capec@mitre.org.

We look forward to hearing from you!

CAPEC List Version 2.11 Now Available

August 4, 2017

CAPEC Version 2.11 has been posted on the CAPEC List page. A detailed report is available that lists specific changes between Version 2.10 and Version 2.11.

Major changes for Version 2.11 include adding three new attack patterns: CAPEC-630: TypoSquatting, CAPEC-631: SoundSquatting, and CAPEC-632: Homograph Attack via Homoglyphs. Also, the social engineering part of the tree was enhanced to improve relationships, patterns were updated to bring consistency to fields like Required Resources, and missing information was added throughout. In all, 138 patterns and categories were modified, and 5 patterns were deprecated. There were no schema updates.

There are now 512 total attack patterns listed.

Changes for the new version release include the following:

  • New Attack Patterns Added: 3
  • Existing Attack Patterns Updated: 138
  • Attack Patterns Deprecated: 5
  • Existing Categories Updated: 25
  • CAPEC-to-CWE Mapping Added: 3
  • CAPEC-to-CWE Mapping Removed: 7

See the complete list of changes at https://capec.mitre.org/data/reports/diff_reports/v2.10_v2.11.html.

Comments are welcome on the CAPEC Research Email Discussion List. Future updates will be noted here and on the CAPEC Research list.

CAPEC List Version 2.10 Now Available

May 1, 2017

CAPEC Version 2.10 has been posted on the CAPEC List page. A detailed report is available that lists specific changes between Version 2.9 and Version 2.10.

Major changes for Version 2.10 include adding fourteen new attack patterns: CAPEC-559: Orbital Jamming, CAPEC-582: Route Disabling, CAPEC-583: Disabling Network Hardware, CAPEC-584: BGP Route Disabling, CAPEC-585: DNS Domain Seizure, CAPEC-586: Object Injection, CAPEC-587: Cross Frame Scripting (XFS), CAPEC-588: DOM-Based XSS, CAPEC-589: DNS Blocking, CAPEC-590: IP Address Blocking, CAPEC-591: Reflected XSS, CAPEC-592: Stored XSS, CAPEC-593: Session Hijacking, and CAPEC-599: Terrestrial Jamming. Also, the cross-site scripting and obstruction areas were cleaned up, and missing information was added throughout. In all, 90 patterns and categories were modified, and 7 patterns were deprecated. Other major changes include the addition of a CSV version of the CAPEC List, and an enhancement to navigation on the CAPEC website: your chosen presentation filter is now saved in a cookie, so it does not have to be re-applied as you navigate the CAPEC List. There were no schema updates.

There are now 510 total attack patterns listed.

Changes for the new version release include the following:

  • New Attack Patterns Added: 14
  • Existing Attack Patterns Updated: 88
  • Attack Patterns Deprecated: 7
  • Existing Categories Updated: 3
  • CAPEC-to-CWE Mapping Added: 27
  • CAPEC-to-CWE Mapping Removed: 118

See the complete list of changes at https://capec.mitre.org/data/reports/diff_reports/v2.9_v2.10.html.

Comments are welcome on the CAPEC Research Email Discussion List. Future updates will be noted here and on the CAPEC Research list.

CAPEC Privacy Policy Updated

April 28, 2017

The CAPEC Privacy Policy was updated to notify users that cookies are now being used on the CAPEC website for the sole purpose of saving presentation filter selections so users do not have to continuously update the filter to navigate the CAPEC List.

CAPEC Is Main Topic of Article on IBM’s Security Intelligence Blog

March 27, 2017

CAPEC is the main topic of a March 27, 2017 article by Scott Craig entitled “CAPEC: Making Heads or Tails of Attack Patterns” on IBM’s Security Intelligence blog.

In the article, the author first explains what CAPEC is and the problem it solves, then states: “For the 2017 IBM X-Force Threat Intelligence Index, the X-Force team grouped methods of attack observed in 2016 according to the CAPEC standard. IBM X-Force Threat Research adopted the CAPEC standard for attack categorization because it was developed using methodologies similar to those used in other well-established naming conventions for security terms, such as Common Vulnerabilities and Exposure (CVE). Many IT security professionals are already aware of the CVE dictionary of common names for publicly known cybersecurity vulnerabilities.”

The author then provides an in-depth discussion of CAPEC including a section on the CAPEC hierarchy, explaining in detail what it is and how it benefits analysts: “Using CAPEC instead of other naming conventions should help analysts better recognize which attack patterns they most often see and then prioritize improvements to their security. Just knowing there have been a lot of distributed denial-of-service (DDoS) attacks, for example, doesn’t indicate how to best defend against them because this type of incident can occur as a consequence of different attack patterns.” The author also provides an overview of how CAPEC can help provide clarity in differentiating between consequences, device types, and attack vectors, and provides a real-world example of how this is utilized in the 2017 IBM X-Force Threat Intelligence Index.

The author concludes the article with a call for continued adoption of CAPEC, stating: “I expect to see more and more cybersecurity professionals adopting CAPEC for classifying and communicating about attacks in the near future.”

Read the complete article at https://securityintelligence.com/capec-making-heads-or-tails-of-attack-patterns/.

CAPEC List Version 2.9 Now Available

January 10, 2017

CAPEC Version 2.9 has been posted on the CAPEC List page. A detailed report is available that lists specific changes between Version 2.8 and Version 2.9.

Major changes for Version 2.9 include adding five new attack patterns: CAPEC-594: Traffic Injection, CAPEC-595: Connection Reset, CAPEC-596: TCP RST Injection, CAPEC-597: Absolute Path Traversal, and CAPEC-598: DNS Spoofing. Also, the Mechanisms of Attack view was cleaned up by removing categories that were not mechanisms (but rather more like goals), removing circular relationships, and verifying consistency in the meta->standard->detailed relationship structure. In all, 78 patterns and categories were modified, and 13 patterns and categories were deprecated. There were no schema updates.

There are now 503 total attack patterns listed.

Changes for the new version release include the following:

  • New Attack Patterns Added: 5
  • Existing Attack Patterns Updated: 67
  • Attack Patterns Deprecated: 6
  • Existing Categories Updated: 15
  • Categories Deprecated: 7
  • CAPEC-to-CWE Mapping Added: 3
  • CAPEC-to-CWE Mapping Removed: 3

See the complete list of changes at https://capec.mitre.org/data/reports/diff_reports/v2.8_v2.9.html.

Comments are welcome on the CAPEC Research Email Discussion List. Future updates will be noted here and on the CAPEC Research list.

CAPEC Refreshes Website with Easier-to-Use Navigation Menus & Streamlined CAPEC List Page

January 09, 2017

We have updated the CAPEC website to streamline site navigation for an improved user experience. The main navigation menu is now located in an easy-to-access menu bar at the top of every page, with Section Contents menus for each section of the website just below the new main menu.

The main CAPEC List page has also been streamlined for ease-of-use into four main sections:

  • Navigate CAPEC – Offers two hierarchical representations, Mechanisms of Attack and Domains of Attack, to help you navigate the entire list according to your specific point of view.
  • External Mappings – Offers views used to represent mappings to external groupings such as a Top-N list, as well as to express subsets of entries that are related by some external factor.
  • Helpful Views – Offers additional views based on specific criteria, intended to provide insight for a certain domain or use case, such as a Comprehensive CAPEC Dictionary, Mobile Device Patterns, etc.
  • Release Downloads – Provides an archive of previous release versions of the core content downloads, schemas, schema documentation, and difference reports.

Please send any comments or concerns to capec@mitre.org.

CAPEC is part of the OWASP Cornucopia gamification

June 3, 2016

CAPEC is part of the Open Web Application Security Project (OWASP) Cornucopia gamification card game, which assists software development teams in identifying security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic, and through the CAPEC mappings to the Cornucopia "attack suits" the Cornucopia card game links the attacks with requirements and verification techniques. With each card mapped to CAPEC software attack pattern IDs, which themselves are mapped to CWEs, the game also covers the CWE weakness IDs targeted. Each card is also mapped to the 36 primary security stories in the SAFECode "Security Stories and Security Tasks for Agile Development Environments", as well as to the OWASP SCP v2, ASVS v2 2014 and AppSensor (application attack detection and response), to help teams create their own security-related stories for use in Agile processes. The first card deck is an "Ecommerce Website Edition", with other decks, such as one for mobile apps, in the works.

CAPEC part of ISACA's Cybersecurity Fundamentals Glossary

January 2016

CAPEC is part of Information Systems Audit and Control Association's (ISACA's) Cybersecurity Fundamentals Glossary, provided as part of their Cybersecurity Nexus (CSX) offerings for cybersecurity professionals. CSX provides knowledge, tools, training and credentials for cybersecurity professionals. Additional information on CSX is available at https://cybersecurity.isaca.org.


Page Last Updated or Reviewed: January 31, 2018