Analyzing and Exploiting Branch Mispredictions in Microcode
Nicholas Mosier, Hamed Nemati, John C. Mitchell, Caroline Trippel
TL;DR
The paper introduces uSpectre, a new class of transient execution attacks that exploit microcode branch mispredictions to transiently leak data, showing that many prior Spectre/Meltdown variants are actually instances of µSpec-tre on Intel microarchitectures. It defines three µSpec-tre variants—MEB, MVI, and MIL—and demonstrates their existence across Goldmont and other cores, including novel vulnerabilities like PCIDX and MEB-OF, which reveal previously inaccessible microarchitectural state. The authors reclassify several known attacks as µSpec-tre instances and disclose new vulnerabilities, while proposing µSLH, a microcode-based defense that uses conditional selects to zero out dubious data after mispredictions. The work highlights the practical risk of microcode-level leakage and argues for vendor microcode updates to mitigate these threats, while noting limitations and the need for broader mitigation strategies for MIL-type leaks. Overall, the paper expands the transient execution taxonomy, uncovers deep leakage channels, and offers a concrete defense path with µSLH, informing hardware security and microarchitectural risk assessment.
Abstract
We present uSpectre, a new class of transient execution attacks that exploit microcode branch mispredictions to transiently leak sensitive data. We find that many long-known and recently-discovered transient execution attacks, which were previously categorized as Spectre or Meltdown variants, are actually instances of uSpectre on some Intel microarchitectures. Based on our observations, we discover multiple new uSpectre attacks and present a defense against uSpectre vulnerabilities, called uSLH.
