Since the discovery of Spectre and Meltdown, the security community has put a lot of effort into discovering new speculative execution attacks, but these still build on variants of the same speculation techniques, for example by mistraining yet another predictor. Much less attention has been devoted to analyzing the root causes of speculation itself.
This paper tackles the problem from a new perspective, closely examining the different root causes of speculative execution and focusing specifically on the unexplored class of speculation based on machine clears (MC). By reverse-engineering the root causes of machine clears, such as Floating Point, Self-Modifying Code, Memory Ordering, and Memory Disambiguation, the paper shows that these events not only originate new speculative execution windows that widen the horizon for known attacks, but also yield two entirely new attack primitives which affect all major CPU vendors: Intel, AMD, and ARM. The primitives are called Floating Point Value Injection (FPVI), used to inject speculative floating-point values into subsequent instructions, and Speculative Code Store Bypass (SCSB), used to microarchitecturally desynchronize code and data, triggering speculative execution of stale code. The paper also presents an end-to-end FPVI exploit on the latest Mozilla Firefox browser, leaking arbitrary memory through attacker-controlled, speculatively injected floating-point results in JavaScript, affecting millions of users. Finally, the work presents a new root-cause-based classification of all known speculative execution paths, to clarify the overall landscape of speculative execution attacks.
Hany is a Ph.D. candidate at VUSec, the Systems and Network Security Research Group at Vrije Universiteit Amsterdam. In his research, he focuses on hardware security, microarchitectural attacks, and fuzzing. Previously, Hany worked on CrossTalk, the first cross-core microarchitectural attack.
Enrico is a Ph.D. student at the System Security Group at Vrije Universiteit Amsterdam (VUSec). His current research focuses on microarchitectural attacks and all intrinsic threats introduced by hardware design flaws.