Transient Architectural Execution:�From Weird Gates to Weird Programs

Ping-Lun Wang, Fraser Brown, Riccardo Paccagnella,

Eyal Ronen, Riad S. Wahby, and Yuval Yarom

IEEE S&P, 05/19/2026

Contact: pinglunw@andrew.cmu.edu

μWMs: hidden computers in the CPU

2

▲ CPU

µArch

ISA

🤯 Obfuscate malware

😈 Improve μArch attacks

Credit: irasutoya.com

😥 Existing μWMs are very limited…

😎 Overcome side-channel mitigations

µWMs: many security applications!

Limitations of existing μWMs

3

Weird gates ^{[1, 2, 3]}

[1] Spec-o-Scope: Cache probing at cache speed, Horowitz et al., CCS ‘24

[2] Bending microarchitectural weird machines towards practicality, Wang et al., USENIX Sec ‘24

[3] The gates of time: Improving cache attacks with transient execution, Katzman et al., USENIX Sec ‘23

💥 No conditional execution (e.g., branches)

💥 No indexed memory operations

💥 Weird gates can only compute 4 bits at a time

Circuit model: very limited

Our work: transient architectural execution (TAE)

4

Credit: irasutoya.com

✨ Weird programs: compute with ISA

✅ Branches

✨ AES encryption is 543× faster than the state of the art!

µArch

✅ Memory operations

✅ Powerful ISA instructions (e.g., AES-NI)

= μWMs with full capabilities!

TAE: transient execution attacks + weird gates

5

Transient execution attacks

(e.g., Spectre & Meltdown)

Weird gates

Our work: TAE

Overview of transient architectural execution

6

add rax, rbx

Transient execution

μArch world

Arch world

1️⃣ μArch to Arch

3️⃣ Arch to μArch

💎

💵

2️⃣ Arch compute

Storage

Computation

← rax

rax ←

💵

Idea: cache miss → branch misprediction

7

input[0]

in the cache?

Yes!

No…

Evaluate condition

Make a prediction

✅ Correct direction

⛔ Incorrect direction

if (input[0]) correct();

else incorrect();

μArch (cache) → branch misprediction → Arch

8

input[0]

return 1;

Branch predictor?

return 0;

In transient execution

// input[0] is 0

if (input[0]) return 0;

else return 1;

✨ μArch to Arch!

0

😈 Mis-train the predictor

Make μArch to Arch more scalable

9

😥 A branch only converts 1 bit of information

🤔 What if we use an indirect branch?

✨ Multiple targets → multiple bits of information!

Branch target buffer (BTB) and indirect branches

10

Indirect branch

BTB state

Write to the BTB states

11

Indirect branch

(more targets…)

Last target:

BTB state

1

5

Convert BTB states to Arch value

12

Indirect branch

Last target:

BTB state

1

5

❓

Target is 5!

✨ μArch to Arch!

✨ 65,536 = 2¹⁶ targets

(more targets…)

Weird functions: compute with ISA using TAE

• 543× faster than the state of the art ^[1]!
• 96.05% of accuracy (3.65% lower)
• AES-NI is fast, but offers less obfuscation

13

1️⃣

2️⃣

3️⃣

[1] Bending microarchitectural weird machines towards practicality, Wang et al., USENIX Sec ‘24

Compose weird functions into weird programs

14

Weird function 1

Weird function 2

Weird function 3

Weird function n

▲ A weird program

(more weird functions…)

Compose weird functions into weird programs

15

Weird function 1

Weird function 2

Weird function 3

Weird function n

▲ A weird program

(more weird functions…)

✨ Large scale computation

Takeaways

✨ Transient Arch Exec: brings powerful ISA to μWMs!

• Transient Architectural Execution: From Weird Gates to Weird Programs
• Contact: Ping-Lun Wang, pinglunw@andrew.cmu.edu

✨ Weird programs: orders of magnitude faster!

✨ μWMs are practical for program obfuscation and other attacks

🛡️ Future work: μWMs mitigations