The 2021 Pwnie Nominee For Most Innovative Research

Rage Against the Machine Clear: A Systematic Analysis of Machine Clears and Their Implications for Transient Execution Attacks

Researcher Names: Hany Ragab, Enrico Barberis, Herbert Bos and Cristiano Giuffrida

Link: https://www.vusec.net/projects/fpvi-scsb/

Since the discovery of Spectre and Meltdown, the security community has put a lot of effort into finding new speculative execution attacks, but most of them are still built on variants of the same speculation techniques, for example by mistraining yet another predictor.

This paper tackles the problem from a new perspective, closely examining the different root causes of speculative execution and focusing on the previously unexplored class of speculation caused by machine clears (MC), such as the Floating Point, Self-Modifying Code, Memory Ordering, and Memory Disambiguation machine clears. These events yield two entirely new attack primitives, Floating Point Value Injection (FPVI) and Speculative Code Store Bypass (SCSB), which affect all major CPU vendors: Intel, AMD, and ARM.
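As an added illustration (not code from the paper or from the VUSec project), the C program below exercises the architectural side of the condition FPVI builds on: arithmetic on denormal (subnormal) doubles takes the FP-assist slow path on x86, which is one of the machine clears the paper studies. It times a subnormal multiply against a normal one with rdtscp and reports whether the MXCSR FTZ/DAZ bits, which make the FPU skip the assist, are set. The function names and operand values are this example's own choices; it performs no transient-execution leak.

```c
/* Added example, not from the paper or the VUSec project.
 * Shows the architectural behaviour around the FP-assist machine clear:
 * a multiply with subnormal operands is correct architecturally but
 * noticeably slower on x86 unless FTZ/DAZ are enabled in MXCSR. */
#include <stdio.h>
#include <stdint.h>
#include <math.h>
#include <float.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* Multiply two doubles at run time; volatile stops constant folding. */
static double multiply(double a, double b) {
    volatile double va = a, vb = b;
    return va * vb;
}

/* Architectural result of a subnormal multiply (operand and result are both
 * below DBL_MIN). Stays nonzero unless flush-to-zero is in effect. */
double subnormal_product(void) {
    return multiply(DBL_MIN / 4.0, 0.5);
}

/* 1 if the product is classified as subnormal, 0 if it was flushed to zero
 * (FTZ/DAZ set, or a non-IEEE build such as -ffast-math). */
int product_is_subnormal(void) {
    return fpclassify(subnormal_product()) == FP_SUBNORMAL;
}

#if HAVE_X86
/* MXCSR bit 15 = FTZ (flush-to-zero), bit 6 = DAZ (denormals-are-zero). */
int ftz_daz_enabled(void) {
    unsigned csr = _mm_getcsr();
    return (csr & (1u << 15)) != 0 || (csr & (1u << 6)) != 0;
}

/* Minimum cycle count over many runs of one multiply with these operands. */
static uint64_t time_multiply(double a, double b) {
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < 2000; i++) {
        unsigned aux;
        uint64_t t0 = __rdtscp(&aux);
        volatile double r = multiply(a, b);
        uint64_t t1 = __rdtscp(&aux);
        (void)r;
        if (t1 - t0 < best) best = t1 - t0;
    }
    return best;
}
#endif

int main(void) {
    printf("subnormal product = %g (subnormal: %s)\n",
           subnormal_product(), product_is_subnormal() ? "yes" : "no");
#if HAVE_X86
    printf("FTZ/DAZ enabled in MXCSR: %s\n", ftz_daz_enabled() ? "yes" : "no");
    /* Normal operands vs. subnormal operands; the gap is the assist cost. */
    printf("normal multiply:    %llu cycles (min)\n",
           (unsigned long long)time_multiply(1.5, 0.5));
    printf("subnormal multiply: %llu cycles (min)\n",
           (unsigned long long)time_multiply(DBL_MIN / 4.0, 0.5));
#else
    printf("cycle timing and MXCSR check are x86-only in this example\n");
#endif
    return 0;
}
```

Run it once with default MXCSR and once after enabling FTZ/DAZ (for instance by compiling with -ffast-math on GCC/Clang, which sets them at startup): the subnormal multiply's cycle count drops to that of the normal one and the product becomes 0, which is exactly the trade-off the FP-assist path represents.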

The paper also presents an end-to-end FPVI exploit on the latest Mozilla Firefox browser, leaking arbitrary memory through attacker-controlled and speculatively injected floating-point results in JavaScript, affecting millions of users. What could go wrong?