Rage against the machine clear: A systematic analysis of machine clears and their implications for transient execution attacks

Hany Ragab*, Enrico Barberis, Herbert Bos, Cristiano Giuffrida

*Corresponding author for this work

Research output: Chapter in Book / Report / Conference proceedingConference contributionAcademicpeer-review

Abstract

Since the discovery of the Spectre and Meltdown vulnerabilities, transient execution attacks have increasingly gained momentum. However, while the community has investigated several variants to trigger attacks during transient execution, much less attention has been devoted to the analysis of the root causes of transient execution itself. Most attack variants simply build on well-known root causes, such as branch misprediction and aborts of Intel TSX-which are no longer supported on many recent processors. In this paper, we tackle the problem from a new perspective, closely examining the different root causes of transient execution rather than focusing on new attacks based on known transient windows. Our analysis specifically focuses on the class of transient execution based on machine clears (MC), reverse engineering previously unexplored root causes such as Floating Point MC, Self-Modifying Code MC, Memory Ordering MC, and Memory Disambiguation MC. We show these events not only originate new transient execution windows that widen the horizon for known attacks, but also yield entirely new attack primitives to inject transient values (Floating Point Value Injection or FPVI) and executing stale code (Speculative Code Store Bypass or SCSB). We present an end-to-end FPVI exploit on the latest Mozilla SpiderMonkey JavaScript engine with all the mitigations enabled, disclosing arbitrary memory in the browser through attacker-controlled and transiently-injected floating-point results. We also propose mitigations for both attack primitives and evaluate their performance impact. Finally, as a by-product of our analysis, we present a new root cause-based classification of all known transient execution paths.

Original languageEnglish
Title of host publicationUSENIX Security '21 - Proceedings of the 30th USENIX Security Symposium
PublisherUSENIX Association
Pages1451-1468
Number of pages18
ISBN (Electronic)9781939133243
Publication statusPublished - 11 Aug 2021
Event30th USENIX Security Symposium, USENIX Security 2021 - Virtual, Online
Duration: 11 Aug 202113 Aug 2021

Conference

Conference30th USENIX Security Symposium, USENIX Security 2021
CityVirtual, Online
Period11/08/2113/08/21

Bibliographical note

Funding Information:
We thank our shepherd Daniel Genkin and the anonymous reviewers for their valuable comments. We also thank Erik Bosman from VUSec and Andrew Cooper from Citrix for their input, Intel and Mozilla engineers for the productive mitigation discussions, Travis Downs for his MD reverse engineering, and Evan Wallace for his Float Toy tool. This work was supported by the European Union's Horizon 2020 research and innovation programme under grant agreements No. 786669 (ReAct) and 825377 (UNICORE), by Intel Corporation through the Side Channel Vulnerability ISRA, and by the Dutch Research Council (NWO) through the INTERSECT project.

Funding Information:
We thank our shepherd Daniel Genkin and the anonymous reviewers for their valuable comments. We also thank Erik Bosman from VUSec and Andrew Cooper from Citrix for their input, Intel and Mozilla engineers for the productive mitigation discussions, Travis Downs for his MD reverse engineering, and Evan Wallace for his Float Toy tool. This work was supported by the European Union’s Horizon 2020 research and innovation programme under grant agreements No. 786669 (ReAct) and 825377 (UNICORE), by Intel Corporation through the Side Channel Vulnerability ISRA, and by the Dutch Research Council (NWO) through the INTERSECT project.

Publisher Copyright:
© 2021 by The USENIX Association. All rights reserved.

Fingerprint

Dive into the research topics of 'Rage against the machine clear: A systematic analysis of machine clears and their implications for transient execution attacks'. Together they form a unique fingerprint.

Cite this