Researchers Disclose New Side-Channel Attacks Affecting All AMD CPUs
Researchers have disclosed the details of new timing and power-based side-channel attacks that affect all CPUs made by AMD, but the chipmaker says no new mitigations are necessary.
The new attack method was discovered by researchers Moritz Lipp and Daniel Gruss of the Graz University of Technology and Michael Schwarz of the CISPA Helmholtz Center for Information Security. They were among those who discovered the original Meltdown and Spectre vulnerabilities, research that paved the way for many other side-channel attack methods targeting widely used processors.
These side-channel attacks typically allow a malicious application installed on the targeted system to exploit CPU weaknesses in order to obtain potentially sensitive information, such as passwords and encryption keys, from memory associated with other apps.
Many of the side-channel attacks disclosed over the past years targeted Intel processors, but systems powered by AMD processors are not immune either, as the newly presented research shows.
The new attacks demonstrated by Lipp, Gruss and Schwarz leverage time and power measurements of prefetch instructions.
“In contrast to previous work on prefetch attacks on Intel, we show that the prefetch instruction on AMD leaks even more information,” the researchers explained in the abstract of their paper.
They have demonstrated several attack scenarios, including one in which they mounted a Spectre attack to leak sensitive data from the operating system, and showed a new method for establishing a covert channel to exfiltrate data.
The researchers also claim to have identified the first “full microarchitectural KASLR (kernel address space layout randomization) break on AMD that works on all major operating systems.” KASLR is an exploit mitigation technique and the experts showed how an attacker could break it on laptops, desktop PCs, and virtual machines in the cloud.
The findings were reported to AMD in mid- and late 2020, and the vendor acknowledged them and provided feedback in February 2021.
AMD has assigned the CVE identifier CVE-2021-26318 and a medium severity rating to the vulnerabilities. The chipmaker has confirmed that the issue impacts all of its processors, but it’s not recommending any new mitigations due to the fact that “the attacks discussed in the paper do not directly leak data across address space boundaries.”
AMD’s advisory lists a series of recommendations for mitigating side-channel attacks in general, such as keeping operating systems, software and firmware up to date, and following secure coding practices.
Lipp has confirmed for SecurityWeek that mitigations already exist for the attacks they have described, but noted that not all of them are enabled by default on AMD CPUs.
Lipp believes their latest research discusses some interesting properties of AMD processors that could fuel future research into side-channel attacks.
“For instance, we use RDPRU as a timing primitive as the typically used rdtsc instruction has a lower resolution on AMD. This allows to distinguish events with only a slight timing difference,” Lipp explained via email. “On the other hand, we use the reported energy consumption of the AMD driver to mount an attack. While this driver has now been removed from the Linux kernel, using this energy source could be interesting to mount other power side-channel attacks as we have shown on Intel with the PLATYPUS attacks.”
Earlier this year, researchers described a voltage glitching attack that shows AMD’s Secure Encrypted Virtualization (SEV) technology may not provide proper protection for confidential data in cloud environments.