
AMD CPUs for the past 9 years are vulnerable to data leak attacks


flash13


AMD CPUs for the past 9 years are vulnerable to data leak attacks


https://www.engadget.com/2020/03/08/amd-cpu-take-a-way-data-leak-security-flaw

 

 

It's not just Intel chips that are vulnerable to hard-to-fix security flaws. Researchers at the Graz University of Technology have detailed a pair of side channel attacks under the "Take A Way" name that can leak data from AMD processors dating back to 2011, whether it's an old Athlon 64 X2, a Ryzen 7 or a Threadripper. Both exploit the "way predictor" for the Level 1 cache (meant to boost the efficiency of cache access) to leak memory content. The Collide+Probe attack lets an intruder monitor memory access without having to know physical addresses or shared memory, while Load+Reload is a more secretive method that uses shared memory without invalidating the cache line.

Unlike some side channel attacks, it hasn't taken long to show how these exploits would work in the real world. The team took advantage of the flaws using JavaScript in common browsers like Chrome and Firefox, not to mention virtual machines in the cloud. While Take A Way only dribbles out a small amount of information compared to Meltdown or Spectre, that was enough for the investigators to access AES encryption keys.

It's possible to address the flaw through a mix of hardware and software, the researchers said, although it's not certain how much this would affect performance. Software and firmware fixes for Meltdown and Spectre have typically involved speed penalties, although the exact hit depends on the task.

We've asked AMD for comment. However, the authors suggest that AMD has been slow to respond. They said they submitted the flaws to AMD in late August 2019, but haven't heard back despite keeping quiet about the flaw for the past several months.

The findings haven't been without controversy, although it doesn't appear to be as questionable as some thought at first. While Hardware Unboxed found disclosures that Intel funded the research, raising concerns about the objectivity of the study, the authors have also received backing from Intel (and other sources) for finding flaws in the company's own chips as well as other products. It appears to just be a general effort to spur security research, then. As it stands, the funding source doesn't change the practical reality -- AMD may have to tweak its CPU designs to safeguard against Take A Way attacks going forward.

 


Moved from General News.

 

(Security related, so better here)



AMD CPUs are vulnerable to a severe new side-channel attack

"Finally, an issue with AMD CPUs!" - someone at Intel probably

 

 

 

Cutting corners: All AMD processors released since 2013 are vulnerable to a pair of new side-channel attacks, "Collide + Probe" and "Load + Reload." Both exploit weaknesses in AMD’s L1D cache way predictor, a tool that predicts where data is stored in the processor, to detect when that data is accessed. By combining the new exploits with existing methodologies, researchers from the Graz University of Technology were able to crack open all the secrets of AMD processors in labs and real-world servers.

Processors run a lot of software concurrently and essential to systems' security is keeping programs separate so that one can't see what the other is doing, but new research into AMD’s processors has uncovered flaws that allow data to be shared between programs running on the same core.

 

“The key takeaway of this paper is that AMD’s cache way predictors leak secret information,” says the research paper from the Austrian team.

In both new exploits, collectively called "Take A Way" flaws, attacking software begins by picking an address corresponding with the target data’s address. The attacker then accesses the data stored in their version of the address, but that creates a link based on the address within the cache and the way predictor. The route the processor will take to access that address next time is guaranteed to be quite quick. But if the address is triggered a third time, then the processor will get to it slowly.

 

All the attacker has to do, then, is bring up that address at regular intervals. If it comes up quick then the victim hadn’t accessed it during the interval, but if it takes a while, it was accessed. This allows the attacker to monitor when the victim accesses data stored within the processor, without knowing where that data is, and without the requirement of sharing memory with the victim.

 


 

From there the researchers paired the exploits with existing attack patterns and weaknesses to stir up some trouble. They constructed a covert channel between two pieces of software that are not meant to be able to communicate. They were able to break ASLR (address space layout randomization) which is a key step in accessing processor memory. Subsequently, they were able to leak kernel data and even crack AES encryption keys.

 

In short, that’s the better part of the processor cracked open. It’s not easy to do, and it involves combining a lot of different exploits in some complex ways, but it’s possible. AMD has yet to respond to the paper's allegations, and perhaps most importantly, announce if this can be fixed via a firmware update and at what kind of performance cost. The flaws reportedly affect some older Athlon CPUs as well as all Ryzen and Threadripper processors.

 

There are quite a few of these hardware exploits out and about, though most of them up until now have targeted Intel processors. There haven’t been any attacks recorded in the wild yet. Furthermore, defenses against this specific attack shouldn’t be too difficult to implement according to the researchers. The team claims they notified AMD of their findings last August, so the company has had a long time to react and hopefully have a software update to remedy most of the issues soon. They do suggest that a watertight seal might involve physical updates to the architecture though.

 

Source
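An added illustration, not part of the quoted article or the researchers' code: a toy Python model of one cache set with a way predictor, showing why re-timing one's own address reveals whether a colliding address was touched in between. The tag hash, the latencies, the 8-way size and all names are assumptions made for the model; the hash is deliberately not AMD's.

```python
# Toy model only: simulated "cycles", no real timing or hardware access.
L1_HIT, L1_MISS = 4, 40   # assumed latencies, not measured values
WAYS = 8                  # assumed associativity for the model

def utag(vaddr):
    """Assumed toy tag: XOR-fold the page number into 8 bits (not AMD's hash)."""
    v, t = vaddr >> 12, 0
    while v:
        t ^= v & 0xFF
        v >>= 8
    return t

class PredictedSet:
    """One cache set; each way remembers [tag, cached line]."""
    def __init__(self):
        self.ways = []                      # oldest entry first

    def access(self, vaddr):
        line, tag = vaddr >> 6, utag(vaddr)
        for entry in self.ways:
            if entry[0] == tag:
                if entry[1] == line:
                    return L1_HIT           # predictor points at the right line
                entry[1] = line             # same tag, other line: displace it
                return L1_MISS
        if len(self.ways) == WAYS:
            self.ways.pop(0)                # evict the oldest way
        self.ways.append([tag, line])
        return L1_MISS

def monitor(victim_activity, probe_addr, victim_addr):
    """Per interval: the victim may touch victim_addr, then the observer
    re-times probe_addr. Returns one 'looked slow' flag per interval."""
    s = PredictedSet()
    s.access(probe_addr)                    # initial fill of the probe line
    seen = []
    for touched in victim_activity:         # constructed victim behaviour
        if touched:
            s.access(victim_addr)
        seen.append(s.access(probe_addr) > L1_HIT)
    return seen

# Constructed addresses: same set offset (0x040); the first pair shares a tag.
PROBE, COLLIDING, NON_COLLIDING = 0x25040, 0x40021040, 0x40022040
print(monitor([False, True, False, True], PROBE, COLLIDING))      # mirrors activity
print(monitor([True, True, True, True], PROBE, NON_COLLIDING))    # all False
```

In the model the timing signal disappears as soon as the two addresses stop sharing a tag, so an observer who cannot construct a colliding address learns nothing from the probe.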
