The ghost is the machine: Weird machines in transient execution.

SP Workshops (2023)

Abstract
Microarchitectural attacks typically exploit some form of transient execution to steal sensitive data. More recently, though, a new class of attacks has used transient execution to (covertly) compute: Wampler et al. use Spectre primitives to obfuscate control flow, and Evtyushkin et al. construct "weird" logic gates that use Intel's TSX to compute entirely using microarchitectural side effects (i.e., in a cache side channel). This paper generalizes weird gate constructions beyond TSX and shows how to build such gates using any transient execution primitive. We build logic gates using exceptions, the branch predictor, and the branch target buffer, and we design a NOT gate that appears to perform roughly one order of magnitude better than the prior state of the art. These constructions work on AMD, Intel, and ARM machines with approximately 95-99% accuracy; a million AND gate executions take from half a second (when built with TSX) to four and a half seconds (when built with the branch target buffer). Our results indicate that weird gates are more generally applicable than previously known and may become more widely used, e.g., for malware obfuscation.
Keywords
Weird-machine,Transient-execution,microarchitectural-attack