# **RAGE AGAINST THE MACHINE CLEAR**

A Systematic Analysis of Machine Clears and Their Implications for Transient Execution Attacks









Hany Ragab Enrico Barberis

## Herbert Bos

Cristiano Giuffrida



## Outline

- 1. Background
- 2. Machine Clears
- 3. Firefox Exploit
- 4. Results

## Side Channels 101



### Side Channels 101

News > World > Europe

## Melting snow being used by police to find cannabis farms in the **Netherlands**

Snow-free roofs can indicate the high temperatures needed to grow the drug

Lizzie Dearden | Tuesday 10 February 2015 13:31 | comments







Data cache (shared resource)

| array | array | array |  |
|-------|-------|-------|--|
| [0]   | [1]   | [2]   |  |
|       |       |       |  |

Cached
Not cached









|  | array<br>[0] | array<br>[1] | array<br>[2] | ••• |
|--|--------------|--------------|--------------|-----|
|--|--------------|--------------|--------------|-----|















|--|



| arrayarrayarray[x-1][x][x+1] |
|------------------------------|
|------------------------------|



















## **Transient Execution Attacks**



## **Transient Execution Attacks**



The root cause of discarding issued  $\mu$ Ops on x86 processors

The root cause of discarding issued  $\mu$ Ops on x86 processors

**Branch Misprediction** 

The root cause of discarding issued  $\mu$ Ops on x86 processors

**Branch Misprediction** 

**Machine Clear** 

The root cause of discarding issued  $\mu$ Ops on x86 processors

**Branch Misprediction** 

**Machine Clear** 



The root cause of discarding issued  $\mu$ Ops on x86 processors



#### **Machine Clear**

The root cause of discarding issued  $\mu$ Ops on x86 processors





| Rage Against The Machine | e Against The Machine Clear |  |  |
|--------------------------|-----------------------------|--|--|
| Self-Modifying Code      | Floating-Point              |  |  |
| Machine Clear            | Machine Clear               |  |  |
| Memory Ordering          | Memory Disambiguation       |  |  |
| Machine Clear            | Machine Clear               |  |  |

Self-Modifying Code Machine Clear Floating-Point Machine Clear

### Self-Modifying Code Machine Clear

Floating-Point Machine Clear

Speculative Code Store Bypass (SCSB)

Negligible mitigation overhead

Self-Modifying Code Machine Clear Floating-Point Machine Clear

Speculative Code Store Bypass (SCSB)

Negligible mitigation overhead

Floating-Point Value Injection (FPVI)

53% Mitigation overhead

Self-Modifying Code Machine Clear Floating-Point Machine Clear

End-to-end exploit leaking arbitrary memory in Firefox

With a leakage rate of **13 KB/s** 

## Security Analysis of Machine Clear

1. Architectural Invariant

2. Invariant Violation

- 3. Security Implications
- 4. Exploitation

# SELF-MODIFYING CODE MACHINE CLEAR

## Self-Modifying Code Machine Clear

## Self-Modifying Code Machine Clear

Self-Modifying Code is a program storing instructions as data, modifying its own code as it is being executed

### Self-Modifying Code Machine Clear

Self-Modifying Code is a program storing instructions as data, modifying its own code as it is being executed

i1: ...
i2: store nop @ i3
i3: load secret
i4: ...
i5: ...

Self-Modifying Code is a program storing instructions as data, modifying its own code as it is being executed



Self-Modifying Code is a program storing instructions as data, modifying its own code as it is being executed



Self-Modifying Code is a program storing instructions as data, modifying its own code as it is being executed



Self-Modifying Code is a program storing instructions as data, modifying its own code as it is being executed

Architectural Invariant

Stores always target data



Self-Modifying Code is a program storing instructions as data, modifying its own code as it is being executed

Architectural Invariant Stores always target data

Invariant Violation Self-Modifying Code



Self-Modifying Code is a program storing instructions as data, modifying its own code as it is being executed

Architectural Invariant Stores always target data

Invariant Violation Self-Modifying Code

Security Implications

Transiently execute stale code



Self-Modifying Code is a program storing instructions as data, modifying its own code as it is being executed

Architectural Invariant Stores always target data

Invariant Violation Self-Modifying Code

Security Implications
Transiently execute stale code

Exploitation













#### 8.1.3 Handling Self- and Cross-Modifying Code





#### 8.1.3 Handling Self- and Cross-Modifying Code

|  | (* OPTION 1 *)<br>Store modified code (as data) into code segment;<br>Jump to new code or an intermediate location;<br>Execute new code;                           |  |
|--|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|
|  | (* OPTION 2 *)<br>Store modified code (as data) into code segment;<br>Execute a serializing instruction; (* For example, CPUID instruction *)<br>Execute new code; |  |

DIT f & g code DIT f & g code DIT f & g code DIT f & f code
Listing 2 Chromium instruction cache flush
(chromium/src/v8/src/codegen/x64/cpu-x64.cc)
void CpuFeatures::FlushICache(void\* start, size\_t size) {
/\* No need to flush the instruction
cache on Intel \*/ ...}

Listing 3 Firefox instruction cache flush (mozilla-unified/js/src/jit/FlushICache.h)

Execute a serializing instruction; (\* For example, CPUID instruction \*) Execute new code;

Architectural Invariant
Stores always target data memory

Invariant Violation Self-Modifying Code

Security Implications **Transiently execute stale code** 

Exploitation

**Speculative Code Store Bypass** 

## MEMORY ORDERING MACHINE CLEAR

A Total Store Order memory model guarantees that all CPU cores see all memory operations as the program order, except one case: A store instruction followed by a load instruction operating on different addresses may be reordered

X & Y are initially 0

| PROCESSOR A                                           | PROCESSOR B        |
|-------------------------------------------------------|--------------------|
| <pre>r1 = [X] (slow) r2 = [Y] (fast) r3 = f(r2)</pre> | [X] = 1<br>[Y] = 1 |









Architectural Invariant OoO execution always complies with TSO

Invariant Violation Memory ordering model violation

Security Implications Transiently leak stale data

Exploitation Non-trivial due to strict synchronization requirements

## FLOATING-POINT MACHINE CLEAR

Subnormal/Denormal numbers are a special range of floating-point numbers with a value smaller than the smallest Normal number (i.e. 2^-1022)

i1: Z = X / Y i2: Z = Z + 1 i3: ...







Subnormal/Denormal numbers are a special range of floating-point numbers with a value smaller than the smallest Normal number (i.e. 2^-1022)

Architectural Invariant FPU always operates on normal numbers









# **FPVI EXPLOIT**

### 1. Attack Setup

| $\leftarrow \rightarrow \mathbb{C}$                                                                                | 150% … ♡☆ … ⊡ © =                                     |
|--------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------|
| Victim page: http://localhost:8080/index.html                                                                      | Attacker iframe: http://10.0.0.104:8080/attacker.html |
| SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET                                                            | Auto-attack Calibrate                                 |
| SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET<br>SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET |                                                       |
| SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET                                                            | Addr: Oxdeadbeef000 Leak                              |
| SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET                                                            |                                                       |
| SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET                                                            |                                                       |
| SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET                                                            |                                                       |
| SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET                                                            |                                                       |
| SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET                                                            |                                                       |
| SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET                                                            |                                                       |
| SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET                                                            |                                                       |
| SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET<br>SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET |                                                       |
| SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET                                                            |                                                       |
| SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET                                                     |                                                       |
| SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET                                                            |                                                       |
| SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET                                                            |                                                       |
| SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET                                                            |                                                       |
| SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET                                                            |                                                       |
| SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET                                                            |                                                       |
| SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET                                                            |                                                       |
| SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET                                                            |                                                       |
| SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET<br>SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET |                                                       |
| SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET                                                            |                                                       |
| SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET                                                            |                                                       |
| SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET                                                            |                                                       |
| SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET                                                            |                                                       |
| SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET                                                            |                                                       |
| SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET                                                            |                                                       |
| SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET                                                            |                                                       |
| SECRET SECRET SECRET SECRET SECRET SECRET SECRET SECRET                                                            |                                                       |

## 2. Finding Operands

## 2. Finding Operands



### 3. Memory Leak





### 3. Memory Leak



### 3. Memory Leak



```
//x = 0xc000e8b2c9755600
z = x/y
if (typeof z === "string") {
  //z = 0 \times fffb0 deadbeef000
  //leak byte a 0xdeadbeef004
  return buf[(z.length&0xff)<<10]</pre>
 else {
  return z //z=-Infinity
}
```

### 4. ASLR Bypass



### 4. ASLR Bypass



### Floating-Point Value Injection (FPVI)

• Exploit leakage rate of 13 KB/s



### Floating-Point Value Injection (FPVI)

- Exploit leakage rate of 13 KB/s
- Mitigations:
  - → Flush To Zero (FTZ) & Denormal Are Zero (DAZ)
  - → We implemented a LLVM pass adding a serializing instruction in detected FPVI gadgets.
     With 53% geomean overhead for SPEC FP 2017.
  - → Use site-isolation or conditionally mask FP operations in the browsers.



# MEMORY DISAMBIGUATION MACHINE CLEAR

When a load instruction is following a store instruction which destination address is not ready yet, the Memory Disambiguation Unit predicts whether the two instructions are operating on the same memory addresses (i.e. Alias) or not (i.e. No-Alias).

0xXXXX not ready yet 0x1234 contains "Secret"

| Store | "Hello" | to | 0xXXXX |
|-------|---------|----|--------|
| Load  | from    |    | 0x1234 |







When a load instruction is following a store instruction which destination address is not ready yet, the Memory Disambiguation Unit predicts whether the two instructions are operating on the same memory addresses (i.e. Alias) or not (i.e. No-Alias).



Memory Disambiguation Misprediction Detection Transiently Done

Architectural Invariant Stores followed by Loads are always disambiguated correctly

Invariant Violation MDU misprediction

Security Implications Transiently leak stale data

Exploitation

Spectre v4 (Speculative Store Bypass)

### **Other types of Machine Clear**

- AVX vmaskmov
- Exceptions
- Hardware interrupts
- Microcode assists

# RESULTS

#### Self-Modifying Code

i1: ...

- i2: store nop @ i3
- i3: load secret

Machine Clear Detection
Transiently Done

### Self-Modifying Code

i1: ...

- i2: store nop @ i3
- i3: load secret

Machine Clear Detection
Transiently Done

 PROCESSOR A
 PROCESSOR B

 r1 = [X] (slow)
 [X] = 1

 r2 = [Y] (fast)
 [Y] = 1

 r3 = f(r2)
 Memory Ordering

|                                             | Self-Modifying Code                                                                | Floating-Point                        |
|---------------------------------------------|------------------------------------------------------------------------------------|---------------------------------------|
| Machine Clear Detection<br>Transiently Done | i1:<br>i2: store nop @ i3<br>i3: load secret                                       | i1: Z = X / Y<br>i2: Z = Z + 1<br>i3: |
|                                             | PROCESSOR A<br>r1 = [X] (slow)<br>r2 = [Y] (fast)<br>r3 = f(r2)<br>Memory Ordering | В                                     |

|                                             | Self-Modifying Code                                                                                                          | Floating-Point                                      |
|---------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------|
| Machine Clear Detection<br>Transiently Done | i1:<br>i2: store nop @ i3<br>i3: load secret                                                                                 | i1: Z = X / Y<br>i2: Z = Z + 1<br>i3:               |
|                                             | PROCESSOR A       PROCESSOR B         r1 = [X] (slow)       [X] = 1         r2 = [Y] (fast)       [Y] = 1         r3 = f(r2) | i1: store "Hello" to 0xXXXX<br>i2: load from 0x1234 |
| Memory Ordering                             |                                                                                                                              | Memory Disambiguation                               |





Architectural upper limit leakage rate













### **Root-Cause Classification of Transient Execution**

### **Root-Cause Classification of Transient Execution**











• We disclosed FPVI and SCSB to CPU, browser, OS, and hypervisor vendors in February 2021.

• We disclosed FPVI and SCSB to CPU, browser, OS, and hypervisor vendors in February 2021.

| CPU<br>Vendor | Affected by SCSB<br>(CVE-2021-0089)<br>(CVE-2021-26313) | Affected by FPVI<br>(CVE-2021-0086)<br>(CVE-2021-26314) |
|---------------|---------------------------------------------------------|---------------------------------------------------------|
| Intel         | ~                                                       | ~                                                       |
| AMD           | ~                                                       | *                                                       |
| ARM           | X                                                       | **                                                      |

\* No exploitable NaN-boxed transient results were found \*\* ARM reported that some FPU implementations are affected by FPVI

• We disclosed FPVI and SCSB to CPU, browser, OS, and hypervisor vendors in February 2021.

 Mozilla confirmed the FPVI vulnerability (CVE-2021-29955) and deployed a mitigation based on conditionally masking malicious NaN-boxed FP results in Firefox 87.

| CPU<br>Vendor | Affected by SCSB<br>(CVE-2021-0089)<br>(CVE-2021-26313) | Affected by FPVI<br>(CVE-2021-0086)<br>(CVE-2021-26314) |
|---------------|---------------------------------------------------------|---------------------------------------------------------|
| Intel         | ~                                                       | ~                                                       |
| AMD           | ~                                                       | *                                                       |
| ARM           | X                                                       | **                                                      |

\* No exploitable NaN-boxed transient results were found \*\* ARM reported that some FPU implementations are affected by FPVI

• We disclosed FPVI and SCSB to CPU, browser, OS, and hypervisor vendors in February 2021.

 Mozilla confirmed the FPVI vulnerability (CVE-2021-29955) and deployed a mitigation based on conditionally masking malicious NaN-boxed FP results in Firefox 87.

• Xen hypervisor mitigated SCSB and released a security advisory (XSA-375) following our proposed mitigation.

| CPU<br>Vendor | Affected by SCSB<br>(CVE-2021-0089)<br>(CVE-2021-26313) | Affected by FPVI<br>(CVE-2021-0086)<br>(CVE-2021-26314) |
|---------------|---------------------------------------------------------|---------------------------------------------------------|
| Intel         | ~                                                       | ~                                                       |
| AMD           | ~                                                       | *                                                       |
| ARM           | ×                                                       | **                                                      |

\* No exploitable NaN-boxed transient results were found \*\* ARM reported that some FPU implementations are affected by FPVI

• Bad Speculation is not caused only by classic mispredictions

• Bad Speculation is not caused only by classic mispredictions, but also by architectural invariants violations, i.e. Machine Clear.

• Bad Speculation is not caused only by classic mispredictions, but also by architectural invariants violations, i.e. Machine Clear.

• Architectural invariants can be exploited, creating new security threats, e.g. FPVI & SCSB

 Bad Speculation is not caused only by classic mispredictions, but also by architectural invariants violations, i.e. Machine Clear.

 Architectural invariants can be exploited, creating new security threats, e.g. FPVI & SCSB

• Defenses must focus on the wider class of root-causes of bad speculation.

 Bad Speculation is not caused only by classic mispredictions, but also by architectural invariants violations, i.e. Machine Clear.



• Defenses must focus on the wider class of root-causes of bad speculation.

https://www.vusec.net/projects/fpvi-scsb/

https://github.com/vusec/fpvi-scsb

@hanyrax

http://download.vusec.net/papers/fpvi-scsb\_sec21.pdf

VUSec

@enrico barberis