This repository contains test code, examples and exploits regarding transient windows generated by Machine Clears.

For more information about our work:

• More details on www.vusec.net/projects/fpvi-scsb
• Intel security advisory on FPVI (CVE-2021-0086) and SCSB (CVE-2021-0089)
• Affected Intel CPUs (Columns FPVI & SCSB)
• AMD security advisory on FPVI (CVE-2021-26314) and SCSB (CVE-2021-26313)
• ARM confirming some FPU implementations being vulnerable to FPVI
• Xen security advisory on SCSB

To compile all the code and configure your environment, simply perform the following:

make
source config.sh

Every folder contains a separated README with more details. In summary, this is the content of every folder:

• fp_reverse_engineering: utilities to test, understand and verify the presence of FPVI vulnerability
• leakers: example test code to show how every presented machine clear can be used to read transiently memory
• leak_rate_win_size: code to measure leak rate and window size of various transient execution mechanisms
• md_reverse_engineering: experiments to reverse engineer the memory disambiguation predictor on Intel processor
• fpvi_firefox_exploit: Firefox exploit based on FPVI to leak arbitrary memory locations (CVE-2021-29955).