AMD CPUs are vulnerable to a severe new side-channel attack

mongeese

Staff
Cutting corners: All AMD processors released since 2013 are vulnerable to a pair of new side-channel attacks, "Collide + Probe" and "Load + Reload." Both exploit weaknesses in AMD’s L1D cache way predictor, a tool that predicts where data is stored in the processor, to detect when that data is accessed. By combining the new exploits with existing methodologies, researchers from the Graz University of Technology were able to crack open all the secrets of AMD processors in labs and real-world servers.

Processors run a lot of software concurrently, and keeping those programs separated so that one cannot see what another is doing is essential to system security. New research into AMD's processors has uncovered flaws that allow data to leak between programs running on the same core.

“The key takeaway of this paper is that AMD’s cache way predictors leak secret information,” says the research paper from the Austrian team.

In both new exploits, collectively called the "Take A Way" flaws, the attacking software begins by picking an address that corresponds with the target data's address. The attacker then accesses the data stored in their version of the address, which creates a link between that address, the cache and the way predictor. The route the processor takes to access that address the next time is guaranteed to be quite quick. But if the address is triggered a third time, the processor gets to it slowly.

All the attacker has to do, then, is bring up that address at regular intervals. If it comes up quickly, the victim hadn't accessed it during the interval; if it takes a while, it was accessed. This allows the attacker to monitor when the victim accesses data stored within the processor, without knowing where that data is and without needing to share memory with the victim.

From there the researchers paired the exploits with existing attack patterns and weaknesses to stir up some trouble. They constructed a covert channel between two pieces of software that are not meant to be able to communicate. They were able to break ASLR (address space layout randomization) which is a key step in accessing processor memory. Subsequently, they were able to leak kernel data and even crack AES encryption keys.

In short, that’s the better part of the processor cracked open. It’s not easy to do, and it involves combining a lot of different exploits in some complex ways, but it’s possible. AMD has yet to respond to the paper's allegations, and perhaps most importantly, announce if this can be fixed via a firmware update and at what kind of performance cost. The flaws reportedly affect some older Athlon CPUs as well as all Ryzen and Threadripper processors.

There are quite a few of these hardware exploits out and about, though most of them up until now have targeted Intel processors. No attacks have been recorded in the wild yet. Furthermore, according to the researchers, defenses against this specific attack shouldn't be too difficult to implement. The team says it notified AMD of its findings last August, so the company has had a long time to react and will hopefully have a software update that remedies most of the issues soon. They do suggest that a watertight fix might require physical changes to the architecture, though.

Masthead Credit: Michael Dziedzic on Unsplash


 
Here's AMD's response. Not feeling much better informed after this, but since this issue was published late on a Friday, that is to be expected as pretty much everyone is out of the office by then.

Note: It should be pointed out that this University research team is funded by Intel. That is not an attempt to downplay anything but still worth mentioning.

"We are aware of a new white paper that claims potential security exploits in AMD CPUs, whereby a malicious actor could manipulate a cache-related feature to potentially transmit user data in an unintended way. The researchers then pair this data path with known and mitigated software or speculative execution side channel vulnerabilities. AMD believes these are not new speculation-based attacks.

AMD continues to recommend the following best practices to help mitigate against side-channel issues:

Keeping your operating system up-to-date by operating at the latest version revisions of platform software and firmware, which include existing mitigations for speculation-based vulnerabilities
Following secure coding methodologies
Implementing the latest patched versions of critical libraries, including those susceptible to side channel attacks
Utilizing safe computer practices and running antivirus software"
 
Note: It should be pointed out that this University research team is funded by Intel. That is not an attempt to downplay anything but still worth mentioning.

From the Acknowledgements section of the paper:

"Additional funding was provided by generous gifts from Intel."

LOL Intel, keep the smear campaign coming instead of fixing your own problems.
 
I got déjà vu. I remember a few years ago an Israeli institute, with shady connections to Intel, finding flaws in AMD hardware and recommending selling its stock, 'cause they are "virtually worthless". A short time before Zen exploded in Intel's face. I think I've read it here on Techspot, among other sites... Strange.
 
Still seems difficult to assess the degree of the problem and what all is required. Is this a single exploit, or do you need to use several exploits together to get the desired results? AMD says as much, but I'll wait for others (more knowledgeable than me) to analyze this further.

The researchers then pair this data path with known and mitigated software or speculative execution side channel vulnerabilities.

Here is the Twitter response from one of the involved scientists when asked if this is as serious as Meltdown or Zombieload:

Certainly not. The attacks leak a few bits of meta-data. Meltdown and Zombieload leak tons of actual data.

 
From the Acknowledgements section of the paper:

"Additional funding was provided by generous gifts from Intel."

LOL Intel, keep the smear campaign coming instead of fixing your own problems.

Yep, that's verbatim what it says in the paper's acknowledgement section. Something like that really should be in large bold font on the first page. Whether or not they think they are being influenced by who is funding them (and let's be honest, in many cases papers are) not making an obvious disclosure just makes it look like they are hiding their funding and their potential bias.

That said, this is an issue AMD should fix if it's confirmed by AMD / Other third parties.
 
Yep, that's verbatim what it says in the paper's acknowledgement section. Something like that really should be in large bold font on the first page. Whether or not they think they are being influenced by who is funding them (and let's be honest, in many cases papers are) not making an obvious disclosure just makes it look like they are hiding their funding and their potential bias.

That said, this is an issue AMD should fix if it's confirmed by AMD / Other third parties.

While it would be nice for papers published in scientific journals to disclose potential conflicts of interest up front before you get invested in the findings, that isn't the standard of publication in any journals I'm familiar with (mostly biological sciences). In fact, the Acknowledgements section is where everyone declares how the science was funded, so this paper is consistent with current standards.
 
While it would be nice for papers published in scientific journals to disclose potential conflicts of interest up front before you get invested in the findings, that isn't the standard of publication in any journals I'm familiar with (mostly biological sciences). In fact, the Acknowledgements section is where everyone declares how the science was funded, so this paper is consistent with current standards.

I could care less about what is standard when that standard is wrong. It's not just "nice" to have those things up front, it should be a requirement. It would not be hard to put a disclosure page right after the cover page. Even YouTubers are required to explicitly state if a video is sponsored at the start. We should hold our "research" papers to a higher standard.
 
This allows the attacker to monitor when the victim accesses data stored within the processor, without knowing where that data is, and without the requirement of sharing memory with the victim.

United States Government said:
Pfff, we've been doing that for years
 
Still seems difficult to assess the degree of the problem and what all is required. Is this a single exploit, or do you need to use several exploits together to get the desired results? AMD says as much, but I'll wait for others (more knowledgeable than me) to analyze this further.

Here is the Twitter response from one of the involved scientists when asked if this is as serious as Meltdown or Zombieload:

Yet the headline includes "SEVERE".
 