Transient execution attacks exploit vulnerabilities in modern CPU optimization techniques, and new variants surface rapidly. The side channel is the key component of a transient execution attack, since it is what carries the leaked data out. In this work, we discover that a change to the EFLAGS register during transient execution can have a side effect on a subsequent Jcc (jump on condition code) instruction in Intel CPUs. Based on this discovery, we propose a new side-channel attack that uses the timing of both transient execution and Jcc instructions to deliver data. The attack encodes secret data into a change of the register, which makes the execution of the surrounding context slightly slower; the attacker measures this timing difference to decode the data. The attack does not rely on the cache system and does not require resetting the EFLAGS register to its initial state before the attack, which may make it harder to detect or mitigate. We implemented this side channel on machines with Intel Core i7-6700, i7-7700, and i9-10980XE CPUs. On the first two processors, we used it as the side channel of a Meltdown attack, achieving a 100% success rate in leaking data. We evaluate and discuss potential defenses against the attack. Our contributions are the discovery of security vulnerabilities in the implementation of Jcc instructions and the EFLAGS register, and a new side-channel attack that does not rely on the cache system.