# Rage Against the Machine Clear: A Systematic Analysis of Machine Clears and Their Implications for Transient Execution Attacks

Hany Ragab<sup>\*</sup>, Enrico Barberis<sup>\*</sup>, Herbert Bos and Cristiano Giuffrida

\*Equal contribution joint first authors



Vrije Universiteit Amsterdam

## **Speculative Execution**

Figure (slide build-up): a data cache with the entries array[x-1], array[x] and array[x+1], marked "Not cached".

## **Bad Speculation**

The root cause of discarding issued $\mu$Ops on x86 processors



- **Branch Misprediction**
- **Machine Clear**
  - Self-Modifying Code Machine Clear
  - Floating-Point Machine Clear
  - Memory Ordering Machine Clear
  - Memory Disambiguation Machine Clear

#### Self-Modifying Code Machine Clear

Speculative Code Store Bypass (SCSB)

Negligible mitigation overhead

#### Floating-Point Machine Clear

Floating-Point Value Injection (FPVI)

53% mitigation overhead

End-to-end exploit leaking arbitrary memory in Firefox

With a leakage rate of **13 KB/s**

For each machine clear we analyze:

1. Architectural Invariant
2. Invariant Violation
3. Security Implications
4. Exploitation

## **Self-Modifying Code Machine Clear**

Self-Modifying Code is a program storing instructions as data, modifying its own code as it is being executed

```
i1: ...
i2: store nop @ i3
i3: load secret
i4: ...
i5: ...
```

SMC Detection Transiently Done

**Architectural Invariant:** Stores always target data

**Invariant Violation:** Self-Modifying Code

**Security Implications:** Transiently execute stale code

**Exploitation:** ?

#### 8.1.3 Handling Self- and Cross-Modifying Code

```
(* OPTION 1 *)
Store modified code (as data) into code segment;
Jump to new code or an intermediate location;
Execute new code;

(* OPTION 2 *)
Store modified code (as data) into code segment;
Execute a serializing instruction; (* For example, CPUID instruction *)
Execute new code;
```



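To make the "transiently execute stale code" point concrete, here is an added toy model (my own Python, not the paper's artifact and not Intel's description) of a front end that fetches and decodes a window of instructions ahead of retirement, with SMC detection performed only when the code store retires. The program is the i1..i5 sequence from the slide above; the window depth, the `serialize` pseudo-instruction standing in for CPUID (Option 2 of the manual), and the retirement rule are assumptions of the model.

```python
# Toy pipeline model (added example, not the paper's code): a front end that fetches
# and decodes WINDOW instructions ahead of retirement, a back end that issues them
# speculatively, and SMC detection that runs only when the code store retires.
WINDOW = 4  # assumed fetch/decode window depth

# Constructed programs: the i1..i5 sequence from the slide, and the same sequence with
# a serializing instruction (Intel SDM 8.1.3, Option 2) placed right after the code
# store. Addresses are instruction indices; "store nop @ N" overwrites instruction N.
PROGRAM = {1: "nop", 2: "store nop @ 3", 3: "load secret", 4: "nop", 5: "nop"}
PROGRAM_SERIALIZED = {1: "nop", 2: "store nop @ 4", 3: "serialize", 4: "load secret", 5: "nop"}


def run(program, window=WINDOW):
    """Return (retired, squashed): instructions that retired architecturally, and
    instructions that were issued transiently but discarded by a machine clear."""
    mem = dict(program)  # code memory; stores modify it when they retire
    pc = min(mem)
    retired, squashed = [], []
    while pc in mem:
        # Front end: snapshot of the current code bytes for the whole window.
        fetched = [(a, mem[a]) for a in range(pc, pc + window) if a in mem]
        # Back end: everything fetched is issued (executed transiently) unless a
        # serializing instruction blocks issue of the instructions younger than it.
        issued = []
        for addr, ins in fetched:
            issued.append((addr, ins))
            if ins == "serialize":
                break
        # Retirement in program order. A retiring store becomes visible in memory and
        # is checked against younger instructions already in flight (SMC detection).
        clear_from = None
        for i, (addr, ins) in enumerate(issued):
            retired.append((addr, ins))
            if ins.startswith("store"):
                _, new_ins, _, target = ins.split()
                mem[int(target)] = new_ins
                if any(b == int(target) for b, _ in issued[i + 1:]):
                    clear_from = i + 1  # younger uops were decoded from stale bytes
                    break
        if clear_from is None:
            pc = issued[-1][0] + 1
        else:
            # Machine clear: younger uops are discarded and fetch restarts after the
            # store, now reading the updated code bytes.
            squashed.extend(issued[clear_from:])
            pc = issued[clear_from - 1][0] + 1
    return retired, squashed


def transient_instructions(program):
    """Text of the instructions that executed only transiently for this program."""
    return [ins for _, ins in run(program)[1]]


if __name__ == "__main__":
    print("without serialization:", transient_instructions(PROGRAM))
    print("with serialization:   ", transient_instructions(PROGRAM_SERIALIZED))
```

Run as-is, the first program shows `load secret` executing transiently before the store's retirement triggers the clear, even though the architecturally retired code at i3 is the `nop`; in the serialized program nothing younger than the serializing instruction is issued until the store has retired, so the refetch already sees the new code and no stale uop ever executes.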





## **Floating-Point Machine Clear**

Subnormal/Denormal numbers are a special range of floating-point numbers with a value smaller than the smallest Normal number (i.e. $2^{-1022}$)

```
i1: Z = X / Y
i2: Z = Z + 1
i3: ...
```





















```javascript
//x = 0xc000e8b2c9755600
//v = 0x000400000000000
z = x/v
if (typeof z === "string") {
  //z = 0xfffb0deadbeef000
  //leak byte at 0xdeadbeef004
  return buf[(z.length&0xff)<<10]
} else {
  return z //z=-Infinity
}
```

**Architectural Invariant:** FPU always operates on normal numbers

**Invariant Violation:** Denormal FP operations

**Security Implications:** Transiently inject arbitrary FP values

**Exploitation:** Floating-Point Value Injection

- Exploit leakage rate of 13 KB/s
- Mitigations:
  - Flush To Zero (FTZ) & Denormal Are Zero (DAZ)
  - We implemented an LLVM pass adding a serializing instruction in detected FPVI gadgets, with 53% geomean overhead for SPEC FP 2017.
  - Use site-isolation or conditionally mask FP operations in the browsers.
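The denormal range and the FTZ/DAZ mitigation, as an added Python example of my own (not the paper's code and not its LLVM pass): it decodes raw binary64 patterns, classifies them by exponent and mantissa, and applies the DAZ/FTZ rewrite in software so the effect on the division above can be checked. `X` is the pattern from the snippet above; `V_DENORMAL` is a constructed denormal of my own choosing (the value 2^-1024); `NAN_BOXED` is the transient result quoted in the snippet; the function names are mine.

```python
import math
import struct

EXP_BITS, MANT_BITS = 11, 52
EXP_MAX = (1 << EXP_BITS) - 1
MANT_MASK = (1 << MANT_BITS) - 1
SIGN_BIT = 1 << 63
MIN_NORMAL = 2.0 ** -1022  # smallest positive normal binary64 value

# Constructed inputs: X is the pattern from the snippet above; V_DENORMAL is a denormal
# of my own choosing (biased exponent 0, mantissa 2^50, i.e. the value 2^-1024).
X = 0xC000E8B2C9755600
V_DENORMAL = 0x0004000000000000
NAN_BOXED = 0xFFFB0DEADBEEF000  # transient result quoted in the snippet above


def bits_to_float(bits):
    return struct.unpack(">d", struct.pack(">Q", bits))[0]


def float_to_bits(value):
    return struct.unpack(">Q", struct.pack(">d", value))[0]


def classify(bits):
    """Classify a raw binary64 pattern by its exponent and mantissa fields."""
    exp = (bits >> MANT_BITS) & EXP_MAX
    mant = bits & MANT_MASK
    if exp == 0:
        return "zero" if mant == 0 else "denormal"
    if exp == EXP_MAX:
        return "inf" if mant == 0 else "nan"
    return "normal"


def is_denormal_by_magnitude(bits):
    """Cross-check: a denormal is a non-zero value strictly below MIN_NORMAL in magnitude."""
    value = abs(bits_to_float(bits))
    return 0.0 < value < MIN_NORMAL


def flush_denormal(bits):
    """The FTZ/DAZ rewrite: a denormal pattern becomes a zero of the same sign."""
    return bits & SIGN_BIT if classify(bits) == "denormal" else bits


def divide(x_bits, v_bits, ftz_daz=False):
    """Compute x / v on raw bit patterns. With ftz_daz=True the inputs are rewritten by
    DAZ and the result by FTZ, so the FPU never operates on a denormal operand."""
    if ftz_daz:
        x_bits, v_bits = flush_denormal(x_bits), flush_denormal(v_bits)
    x, v = bits_to_float(x_bits), bits_to_float(v_bits)
    if v == 0.0:
        # IEEE-754: x / (+/-0) is a signed infinity (Python would raise instead).
        z = math.copysign(math.inf, x) * math.copysign(1.0, v)
    else:
        z = x / v  # overflow yields a signed infinity, as on the FPU
    z_bits = float_to_bits(z)
    return flush_denormal(z_bits) if ftz_daz else z_bits


if __name__ == "__main__":
    for name, bits in (("X", X), ("V_DENORMAL", V_DENORMAL), ("NAN_BOXED", NAN_BOXED)):
        print(f"{name}: 0x{bits:016x} -> {classify(bits)}")
    print(f"x/v            : 0x{divide(X, V_DENORMAL):016x}")
    print(f"x/v (FTZ+DAZ)  : 0x{divide(X, V_DENORMAL, ftz_daz=True):016x}")
```

Two things worth noticing from the output: the architectural result of this division is -Infinity whether or not DAZ is in effect (the denormal divisor overflows the quotient either way, and a zero divisor gives the same signed infinity), which is why FTZ/DAZ is a cheap mitigation here; and the quoted transient result is a NaN pattern, which is exactly the encoding space a NaN-boxing engine uses for pointers, hence the conditional masking of NaN-boxed FP results that the browser mitigation applies.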







Figure: architectural baseline leakage rate






















- We disclosed FPVI and SCSB to CPU, browser, OS, and hypervisor vendors in February 2021.
- Mozilla confirmed the FPVI vulnerability (CVE-2021-29955) and deployed a mitigation based on conditionally masking malicious NaN-boxed FP results in Firefox 87.
- Xen hypervisor mitigated SCSB and released a security advisory (XSA-375) following our proposed mitigation.

| CPU Vendor | Affected by SCSB (CVE-2021-0089, CVE-2021-26313) | Affected by FPVI (CVE-2021-0086, CVE-2021-26314) |
|------------|--------------------------------------------------|--------------------------------------------------|
| Intel      | ✓                                                | ✓                                                |
| AMD        | ✓                                                | ✓\*                                              |
| ARM        | ✗                                                | ✓\*\*                                            |

\* No exploitable NaN-boxed transient results were found

\*\* ARM reported that some FPU implementations are affected by FPVI

- Bad Speculation is not caused only by classic mispredictions, but also by architectural invariant violations, i.e. Machine Clears.
- Architectural invariants can be exploited, creating new security threats, e.g. FPVI & SCSB
- Defenses must focus on the wider class of root causes of bad speculation.

Code, exploit demo and more can be found here:

