🤖 AI Summary
This work exposes microarchitectural security risks introduced by Intel’s newly added unprivileged instruction `cldemote`, whose cross-level cache state migration, exception suppression, and privilege-free memory access enable novel side-channel and KASLR bypass attacks. We propose two new attack primitives—Flush+Demote and Demote+Time—and systematically categorize, for the first time, five exploitable microarchitectural features and four general attack patterns arising from ISA extensions. Experimentally, we realize a low-bit-error-rate covert channel achieving 2.84 Mbps, recover the Linux kernel base address within 2.49 ms, and accelerate LLC eviction set construction by 36% while maintaining 100% success rate. Our findings prompt critical re-evaluation of security-by-design principles for emerging ISA extensions and underscore the need for formal security constraints in their specification and implementation.
📝 Abstract
ISA extensions are increasingly adopted to boost the performance of specialized workloads without requiring an entire architectural redesign. However, these enhancements can inadvertently expose new attack surfaces in the microarchitecture. In this paper, we investigate Intel's recently introduced cldemote extension, which promotes efficient data sharing by transferring cache lines from upper-level caches to the Last Level Cache (LLC). Despite its performance benefits, we uncover critical properties (unprivileged access, inter-cache state transition, and fault suppression) that render cldemote exploitable for microarchitectural attacks. We propose two new attack primitives, Flush+Demote and Demote+Time, built on our analysis. Flush+Demote constructs a covert channel with a bandwidth of 2.84 Mbps and a bit error rate of 0.018%, while Demote+Time derandomizes the kernel base address in 2.49 ms on Linux. Furthermore, we show that leveraging cldemote accelerates eviction set construction in non-inclusive LLC designs by obviating the need for helper threads or extensive cache conflicts, thereby reducing construction time by 36% yet retaining comparable success rates. Finally, we examine how ISA extensions contribute to broader microarchitectural attacks, identifying five key exploitable characteristics and categorizing four distinct attack types. We also discuss potential countermeasures, highlighting the far-reaching security implications of emerging ISA extensions.