AMD, boffins clash over chip data-leak claims: New side-channel holes in decades of cores, CPU maker disagrees

Maybe don't be quite so smug, security researchers warn


AMD processors sold between 2011 and 2019 are vulnerable to two side-channel attacks that can extract kernel data and secrets, according to a new research paper.

In a paper [PDF] titled, "Take A Way: Exploring the Security Implications of AMD’s Cache Way Predictors," six boffins – Moritz Lipp, Vedad Hadžić, Michael Schwarz, and Daniel Gruss (Graz University of Technology), Clémentine Maurice (University of Rennes), and Arthur Perais (unaffiliated) – explain how they reverse-engineered AMD’s L1D cache way predictor to expose sensitive data in memory.

To save power when looking up a cache line in a set-associative cache, AMD's CPUs rely on something called way prediction. The way predictor allows the CPU to predict the correct cache location required, rather than test all the possible cache locations, for a given memory address. This speeds up operations, though it can also add latency when misprediction occurs.

The cache location is, in part, determined by a hash function, undocumented by AMD, that hashes the virtual address of the memory load. By reverse engineering this hash function, the researchers were able to create cache collisions which present observable timing effects – increased access time or L1 cache misses – that allow covert kernel data exfiltration, cryptographic key recovery, and weakening ASLR defenses on a fully-patched Linux system, the hypervisor, or the JavaScript sandbox.

Timing attacks of this sort allow the attacker to infer protected data based on the time the system takes to respond to specific inputs.

Chip

Cache flow problems continue for Intel: Yet more data-leaking processor design blunders discovered, patches due soon

READ MORE

The two attacks are called Collide+Probe and Load+Reload, in reference to the operations involved. The former exploits cache tag collisions while the latter exploits the way predictor's behavior for virtual addresses are mapped to the same physical address.

"With Collide+Probe, an attacker can monitor a victim’s memory accesses without knowledge of physical addresses or shared memory when time-sharing a logical core," the paper explains, noting that the technique has been demonstrated with a data transmission rate of up to 588.9 kB/s. "With Load+ Reload, we exploit the way predictor to obtain highly-accurate memory-access traces of victims on the same physical core."

For Collide+Probe, the attacker is assumed to be able to run unprivileged native code on the target machine that's also on the same logical CPU core as the victim. It's also assumed the victim's code will respond to input from the attacker, such as a function call in a library or a system call.

For Load+Reload, the ability to run unprivileged native code on the target machine is also assumed, with the attacker and victim on the same physical but different logical CPU thread.

Local access is not a requirement for these attacks; the researchers demonstrated their techniques on sandboxed JavaScript and a virtualized cloud environments.

The boffins said that at least the following AMD chips, manufactured over the past couple of decades from 2001 to 2019, have a way predictor that can be exploited:

  • AMD FX-4100 Bulldozer
  • AMD FX-8350 Piledriver
  • AMD A10-7870K Steamroller
  • AMD Ryzen Threadripper 1920X Zen
  • AMD Ryzen Threadripper 1950X Zen
  • AMD Ryzen Threadripper 1700X Zen
  • AMD Ryzen Threadripper 2970WX Zen+
  • AMD Ryzen 7 3700X Zen 2
  • AMD EPYC 7401p Zen
  • AMD EPYC 7571 Zen

"This is a software-only attack that only needs unprivileged code execution," said Michael Schwarz, one of the paper's co-authors, via Twitter. "Any application can do that, and one of the attacks (Collide+Probe) has also been demonstrated from JavaScript in a browser without requiring any user interaction."

The researchers propose several mitigations: a mechanism to disable the cache way predictor if there are too many misses; using additional data when creating address hashes to make them more secure; clearing the way predictor when switching to another user-space application or returning from the kernel; and an optimized AES T-table implementation that prevents the attacker from monitoring cache tags.

In a response to the paper, AMD on Saturday suggested no additional actions need to be taken to prevent these attacks.

"We are aware of a new white paper that claims potential security exploits in AMD CPUs, whereby a malicious actor could manipulate a cache-related feature to potentially transmit user data in an unintended way," the company said. "The researchers then pair this data path with known and mitigated software or speculative execution side channel vulnerabilities. AMD believes these are not new speculation-based attacks."

Daniel Grus, another one of the researchers, said via Twitter that this side channel has not been fixed. But he also expressed skepticism that this technique presents an imminent threat, noting that Meltdown, a far stronger attack, doesn't appear to have been weaponized by anyone. ®


Biting the hand that feeds IT © 1998–2020