AMD Processors Since 2011 Hit with Cache Attack Vulnerabilities: Take A Way

[btarunr]

Cybersecurity researcher Moritz Lipp and his colleagues from the Graz University of Technology and the University of Rennes uncovered two new security vulnerabilities affecting all AMD CPU microarchitectures going back to 2011, detailed in a research paper titled "Take A Way." These include "Bulldozer" and its derivatives ("Piledriver," "Excavator," etc.,) and the newer "Zen," "Zen+," and "Zen 2" microarchitectures. The vulnerabilities are specific to AMD's proprietary L1D cache way predictor component. It is described in the security paper's abstract as a means for the processor to "predict in which cache way a certain address is located, so that consequently only that way is accessed, reducing the processor's power consumption."

By reverse engineering the L1D cache way predictor in AMD microarchitectures dating from 2011 to 2019, Lipp, et al, discovered two new attack vectors with which an attacker can monitor the victim's memory accesses. These vectors are named "Collide+Probe," and "Load+Reload." The paper describes the first vector as follows: "With Collide+Probe, an attacker can monitor a victim's memory accesses without knowledge of physical addresses or shared memory when time-sharing a logical core." The second vector is described as "With Load+Reload, we exploit the way predictor to obtain highly-accurate memory-access traces of victims on the same physical core." The two vulnerabilities have not been assigned CVE entries at the time of this writing. The research paper, however, describes the L1D cache way predictor in AMD processors as being vulnerable to attacks that can reveal contents of memory or even keys to a vulnerable AES implementation. For now there is no mitigation to these attacks, but the company is reportedly working on firmware and driver updates. Access the research paper here.



View at TechPowerUp Main Site

 

[sutyi]

ACKNOWLEDGMENTS

We thank our anonymous reviewers for their comments and sugges-tions that helped improving the paper. The project was supportedby the Austrian Research Promotion Agency (FFG) via the K-projectDeSSnet, which is funded in the context of COMET - CompetenceCenters for Excellent Technologies by BMVIT, BMWFW, Styria, andCarinthia. It was also supported by the European Research Coun-cil (ERC) under the European Union’s Horizon 2020 research andinnovation programme (grant agreement No 681402). This workalso benefited from the support of the project ANR-19-CE39-0007MIAOUS of the French National Research Agency (ANR). Additional funding was provided by generous gifts from Intel. Any opinions, findings, and conclusions or recommendations expressed in thispaper are those of the authors and do not necessarily reflect theviews of the funding parties.

Oh Intel... please never change.

 

[Recus]

Oh Intel... please never change.

Commissioned by AMD QA Consultants Determines AMD's Most Stable Graphics Drivers in the Industry

Spoiler: ...

Recent drivers hell says otherwise

 

[stimpy88]

"Additional funding was provided by generous gifts from Intel."

I have a feeling that we will see more of this from now on, as the fruits of Intel's money become "published"...

 

[londiste]

Graz University of Technology has been in the forefront of security vulnerabilities research since Spectre and Meltdown. At least three of the authors of this paper were also among authors of their Meltdown paper and at least one was among authors of their Spectre paper.

I absolutely do not get the instant dismissal when someone spots Intel somewhere.

Oh Intel... please never change.

ACKNOWLEDGMENTS
We want to thank the reviewers for their feedback, as well as Vedad Hadžić from Graz University of Technology and Julian Stecklina from Cyberus Technology for contributing ideas and experiments. This work has been supported by the Austrian Research Promotion Agency (FFG) via the project ESPRESSO, which is funded by the Province of Styria and the Business Promotion Agencies of Styria and Carinthia. It was also supported by the Austrian Research Promotion Agency (FFG) via the K-project DeSSnet, which is funded in the context of COMET – Competence Centers for Excellent Technologies by BMVIT, BMWFW, Styria and Carinthia. It has also received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No 681402), by the Defense Advanced Research Projects Agency (DARPA) under contract FA8750-19-C-0531, and by the National Science Foundation under grant CNS-1814406. Additional funding was provided by a generous gift from Intel and AMD.

Oh AMD... please never change?

 

[lexluthermiester]

Ok, this is some scary stuff. AMD has a serious problem to solve.

In the referenced PDF, section 5.2.3, a method is described by which Javascript itself can be configured to attack a system and supply harvested data straight through both Chrome and Firefox browsers. Theoretically, ANY browser that uses Javascript(99%) can potentially be used to attack a subject system.

It will be interesting to review the analysis and CVE for these new vulnerabilities.

 

[londiste]

In the referenced PDF, section 5.2.3, a method is described by which Javascript itself can be configured to attack a system and supply harvested data straight through both Chrome and Firefox browsers. Theoretically, ANY browser that uses Javascript(99%) can potentially be used to attack a subject system.

Isn't this the same timing approach as Spectre? Which has already been mitigated by browsers not using accurate enough timers to mount a successful attack?

 

[Chomiq]

Oh Intel... please never change.

Want to bet that similar line can be found in Spectre and Meltdown papers?

 

[TheLostSwede]

Ok, this is some scary stuff. AMD has a serious problem to solve.

In the referenced PDF, section 5.2.3, a method is described by which Javascript itself can be configured to attack a system and supply harvested data straight through both Chrome and Firefox browsers. Theoretically, ANY browser that uses Javascript(99%) can potentially be used to attack a subject system.

It will be interesting to review the analysis and CVE for these new vulnerabilities.

Supposedly this only allows for short snippets of data and might not even be usable for a full password.

 

[londiste]

Want to bet that similar line can be found in Spectre and Meltdown papers?

Actually, no. I checked. Spectre/Meltdown papers research was not supported by neither Intel nor AMD. More recent research has been supported by Intel and sometimes by AMD.

 

[Vayra86]

Oh Intel... please never change.

Commissioned by AMD QA Consultants Determines AMD's Most Stable Graphics Drivers in the Industry

Spoiler: ...

Recent drivers hell says otherwise

Nice race to the bottom, guys. You can crawl back into your hole now and leave this for the adults.

 

[Vya Domus]

I absolutely do not get the instant dismissal when someone spots Intel somewhere.

Then you don't know their history, the evidence on why nothing that is touched by Intel can be fully trusted is immense. You can chose to believe in the just world fallacy where everyone is well intended unless otherwise proven but I for one don't, seen too many instances when that wasn't the case.

For the record, I don't dismiss the paper, it's not like I think it's nonsense but I do question it's purpose and how well it was timed with other events.

 

[londiste]

Then you don't know their history, the evidence on why nothing that is touched by Intel can be fully trusted is immense. You can chose to believe in the just world fallacy where everyone is well intended unless otherwise proven but I for one don't, seen too many instances when that wasn't the case.

I do know the history. I would suspect better than most. Still, "nothing that is touched by Intel" is quite extreme, don't you think?
In line with the context used here, do you think we should dismiss any and all research papers Intel has been sponsoring?

For the record, I don't dismiss the paper, it's not like I think it's nonsense but I do question it's purpose and how well it was timed with other events.

What events? This was disclosed to AMD last August and published now. Timing a 6-month window would seem too big of a hassle to even try.

Edit:
This is kind of weird though. Instead of discussing what the paper found, whether this has impact or merit (it should, being an academic paper which I assume is peer reviewed), we are discussing Intel because there is a sidenote in the paper that Intel supported researchers. This kind of support is not exactly abnormal.

 

[_Flare]

Aslong as none of any vunerabilities are fantasy, they are legit, no matter who sponsored the research.
This research sponsoring is a legit method of competitive behaviour in my opinion and will lead to more secure products of all participants.

 

[Chomiq]

Actually, no. I checked. Spectre/Meltdown papers research was not supported by neither Intel nor AMD. More recent research has been supported by Intel and sometimes by AMD.

Try CacheOut, "gifts" from both Intel and AMD.

 

[EarthDog]

So... @R-T-B, what's the story here...

Much ado about nothing? Something?

 

[Vya Domus]

This was disclosed to AMD last August and published now.

Published now, right along when the financial analyst day took place. A pure coincidence I'd imagine.

Still, "nothing that is touched by Intel" is quite extreme

First or second time around when Intel did something shady ? Yeah, it would be extreme. After the plethora of examples when that happened with some being confirmed and punished by authorities, nah not that extreme anymore. Again, it's your personal choice to believe nothing is wrong should be the de facto stance on this, mine isn't.

 

[mtcn77]

Much ado about nothing? Something?

Yeah, R-T-B we need more semantic arguments. Like the kind that don't show up when meltdown is mentioned, but brought up the instant it is called a spectre variant. Let us throw the baby out with the bathwater.

 

[Mr.Mopar392]

haters gonna hate.

 

[Turmania]

If there is a vulnerability with Intel related products, we condemn them.
If there is a vulnerability with AMD related products we condemn Intel once again..
There is never anything wrong with AMD.

 

[the54thvoid]

Stay on topic please. Discussion about the impact or real-world likelihood of the vulnerability affecting us is welcome. Sniping back and forth about "AMD this... Intel that" is not.

 

[zlobby]

"Additional funding was provided by generous gifts from Intel."

I have a feeling that we will see more of this from now on, as the fruits of Intel's money become "published"...

Although I feel you, I must admit that all users benefit from this.

The more pressure on the companies the greater the chance they do things right.

 

[mtcn77]

Spectre is what again? They say in this report, the vulnerability is global accessibility of victim cache evict logs. So the question is spectre-mtd-... stay on point and not undue ad-nauseum much?

 

[Dragonsmonk]

To ask some valid questions instead of continuing the bashing of AMD vs. Intel - under what circumstance can this be used?

Same jokes as with Intel's vulns where the attacker already needs to have full admin access to the system?
Can this be used from outside sources without actual access?
Can this be exploited via malicious websites?

Those questions should be discussed here....

 

[mtcn77]

At least, you cannot overshadow the real big impact as a base rate fallacy since the researchers spill the beans for you. You can bang all the drums you want, it doesn't make a spectre variant any more vulnerable than meltdown.