Hany Ragab and Enrico Barberis

Rage Against the Machine Clear


Since the discovery of the Spectre and Meltdown vulnerabilities, transient execution attacks have increasingly gained momentum. However, while the security community has investigated several variants to trigger attacks during transient execution, much less attention has been devoted to analyzing the root causes of transient execution itself. Most transient attack variants simply build on well-known causes, such as branch misprediction and aborts of Intel TSX, which is no longer supported on many recent processors.

In this presentation, we tackle the problem from a new perspective, closely examining the different root causes of transient execution rather than focusing on new attacks based on known transient windows. Our analysis specifically focuses on the class of transient execution based on machine clears (MC), reverse engineering previously unexplored root causes such as Floating Point MC, Self-Modifying Code MC, Memory Ordering MC, and Memory Disambiguation MC. We show that these events not only originate new transient execution windows that widen the horizon for known attacks, but also yield entirely new attack primitives to inject transient values (Floating Point Value Injection, or FPVI) and to execute stale code (Speculative Code Store Bypass, or SCSB), affecting all major CPU vendors: Intel, AMD, and ARM. We present an end-to-end FPVI exploit on the latest Mozilla SpiderMonkey JavaScript engine with all mitigations enabled, disclosing arbitrary memory in the browser through attacker-controlled, transiently-injected floating-point results. Finally, as a by-product of our analysis, we present a new root-cause-based classification of all known transient execution paths.


Hany is a Ph.D. candidate at VUSec, the Systems and Network Security Research Group at Vrije Universiteit Amsterdam. His research focuses on hardware security, side-channel attacks, fuzzing, hardware design, and microarchitectural attacks. Previously, Hany worked on CrossTalk, the first cross-core transient execution attack.