Phantom Speculation and Training in Transient Execution (TTE) are two novel techniques that, in combination, leak arbitrary data from AMD Zen CPUs.
The combination of the two is a new attack called “Inception”.
Phantom Speculation triggers a misprediction at an instruction that is not a branch at all, so the misprediction has no architectural source branch, whereas Training in Transient Execution uses mispredictions the attacker triggers to plant new predictions that shape future mispredictions.
CVE-2023-20569: Inception: Microarchitectural Stack Overflow
Inception is a novel transient execution attack that leaks arbitrary data on all AMD Zen CPUs, even with all previously deployed software and hardware mitigations in place.
The name comes from the analogy of planting an “idea” in the CPU while it is in a “dreaming” (transiently executing) state, so that it later takes wrong actions based on that planted experience.
Concretely, Inception hijacks the transient control flow of return instructions: it makes the CPU transiently treat a non-call instruction as a call, and the return addresses pushed during that transient execution overflow the return stack buffer, so that the victim's subsequent returns are predicted to attacker-chosen targets (hence “Microarchitectural Stack Overflow”).
Training in Transient Execution (TTE)
Rather than leaking data inside a transient window, this technique abuses the window to insert new predictions into the branch predictor, making later transient windows more powerful.
Like other transient execution attacks, these still require suitable disclosure gadgets in the victim code.
CVE-2022-23825: Phantom Speculation
Phantom Speculation lets an attacker open a transient window at arbitrary instructions, including ones that are not branches. Inception applies it to an XOR instruction: the branch predictor is trained so that the XOR is predicted as a CALL, and the CPU transiently behaves as if a call had executed (including pushing a return address onto the return stack buffer), opening a transient window at an instruction that never actually calls anything.
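To make the “microarchitectural stack overflow” behind the return hijack and the phantom CALL concrete, here is a small Python model, added for this article and not taken from the researchers' code or repository, of a circular return stack buffer into which an attacker-trained phantom CALL at an XOR pushes return addresses during a transient window. The ring size (16), the addresses, the recursive phantom-call target, and the assumption that squashing the window rewinds the RSB top pointer but leaves the overwritten entries in place are modelling choices made here, not measured Zen behaviour. What the model shows is why a single phantom push is not enough: under that recovery assumption the attacker has to push at least a full ring of entries before every subsequent RET is predicted to the attacker's target.

```python
"""Toy model of an Inception-style return stack buffer (RSB) overflow.

Constructed illustration for this article, not the researchers' code; it does
not touch real CPU state. The ring size, the addresses and the assumption that
misprediction recovery restores the RSB top pointer but not the entries written
during the transient window are modelling choices made here.
"""

PHANTOM_RETURN = 0xDEAD  # assumed: address following the attacker's phantom call site
VICTIM_CHAIN = (0x1000, 0x2000, 0x3000)  # constructed victim call chain (return addresses)


class ReturnStackBuffer:
    """Circular return address predictor: CALL pushes a return address, RET pops the prediction."""

    def __init__(self, size):
        self.size = size
        self.entries = [0] * size
        self.top = 0  # pushes so far; the ring index is top % size

    def on_call(self, return_address):
        self.entries[self.top % self.size] = return_address
        self.top += 1

    def predict_ret(self):
        self.top -= 1
        return self.entries[self.top % self.size]

    def checkpoint(self):
        return self.top

    def restore(self, saved_top):
        # Assumption: squashing the transient window rewinds the pointer only;
        # entries overwritten during the window keep their new values.
        self.top = saved_top


def transient_phantom_call(rsb, phantom_return, depth):
    """Model of the attacker-trained phantom CALL at a non-call instruction (an XOR).

    The predictor has been trained to treat the XOR as a CALL whose target is
    the XOR itself (modelling choice), so the transient window keeps 'calling'
    and pushing the same return address until the window closes after `depth`
    iterations.
    """
    saved = rsb.checkpoint()
    for _ in range(depth):
        rsb.on_call(phantom_return)
    rsb.restore(saved)  # window squashed; RSB contents are not rolled back


def simulate(rsb_size, phantom_depth, victim_chain=VICTIM_CHAIN):
    """Predicted targets of the victim's real RETs after a phantom call of the given depth."""
    rsb = ReturnStackBuffer(rsb_size)
    for return_address in victim_chain:  # the victim's architectural calls
        rsb.on_call(return_address)
    transient_phantom_call(rsb, PHANTOM_RETURN, phantom_depth)
    return [rsb.predict_ret() for _ in victim_chain]


def min_depth_to_hijack_all(rsb_size, victim_chain=VICTIM_CHAIN):
    """Smallest phantom depth for which every victim RET is predicted to PHANTOM_RETURN."""
    for depth in range(1, 2 * rsb_size + 1):
        if all(t == PHANTOM_RETURN for t in simulate(rsb_size, depth, victim_chain)):
            return depth
    return None


if __name__ == "__main__":
    for depth in (8, 14, 16):
        print(f"phantom depth {depth:2d}: RET predictions "
              f"{[hex(t) for t in simulate(16, depth)]}")
    print("depth needed to hijack every RET:", min_depth_to_hijack_all(16))
```

With a 16-entry ring and three victim calls, a phantom depth of 8 leaves all three return predictions intact, a depth of 14 wraps around and corrupts only the oldest entry, and a depth of 16 replaces every entry, so all three RETs are predicted to the phantom return address regardless of where the pointer is restored. Real hardware differs in ring size and recovery details, which is exactly why the researchers' report, not this model, is the reference for the actual mechanism.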
A complete report by ETH Zurich's COMSEC group provides detailed information on the technique, its combination with TTE, mitigations, and further resources for Inception.
The work will be presented at the 32nd USENIX Security Symposium this year.
A research paper was also published along with a GitHub repository containing the Inception source code; the authors noted that the Phantom source code would be released later.