AMD processors from 2011 to 2019 vulnerable to two new attacks

Academics disclose new Collide+Probe and Load+Reload attacks on AMD CPUs.

AMD processors from 2011 to 2019 vulnerable to two new attacks

AMD processors manufactured between 2011 and 2019 (the time of testing) are vulnerable to two new attacks, research published this week has revealed.

The two new attacks impact the security of the data processed inside the CPU and allow the theft of sensitive information or the downgrade of security features.

The research team said it notified AMD of the two issues in August 2019, however, the company has not released microcode (CPU firmware) updates, claiming these "are not new speculation-based attacks," a statement that the research team disagrees with.

The L1D cache way predictor

The two new attacks target a feature of AMD CPUs known as the L1D cache way predictor.

Introduced in AMD processors in 2011 with the Bulldozer microarchitecture, the L1D cache way predictor is a performance-centric feature that reduces power consumption by improving the way the CPU handles cached data inside its memory.

A high-level explanation is available below:

The predictor computes a μTag using an undocumented hash function on the virtual address. This μTag is used to look up the L1D cache way in a prediction table. Hence, the CPU has to compare the cache tag in only oneway instead of all possible ways, reducing the power consumption.

The two new attacks were discovered after a team of six academics -- from the Graz University of Technology in Austria and the Univerisity of Rennes in France -- reverse-engineered this "undocumented hashing function" that AMD processors were using to handle μTag entries inside the L1D cache way predictor mechanism.

"Knowledge of these functions is the basis of our attack technique," the research team said.

Knowing these functions, allowed the researchers to recreate a map of what was going on inside the L1D cache way predictor and probe if the mechanism was leaking data or clues about what that data may be.

amd-tested-cpus.png

Collide+Probe and Load+Reload

The result of their work was the discovery of two new attacks, named Collide+Probe attack and Load+Reload.

These two attacks are somewhat similar to classic Flush+Reload and Prime+Probe attacks, which have been exploited in the past by other researchers to leak data from Intel CPUs, but not AMD CPUs, primarily because the way AMD CPUs handle cached data is different from Intel processors.

Below is a high-level explanation of the two attacks:

In the first attack technique, Collide+Probe, we exploit μTag collisions of virtual addresses to monitor the memory accesses of a victim time-sharing the same logical core.

In the second attack technique, Load+Reload, we exploit the property that a physical memory location can only reside once in the L1D cache. Thus, accessing the same location with a different virtual address evicts the location from the L1D cache. This allows an attacker to monitor memory accesses on a victim, even if the victim runs on a sibling logical core.

In simple terms, the two attacks can be used to monitor how processes interact with the AMD cache, and then leak small parts of data from other apps.

Test results suggest the attacks are dangerous

But attacks on CPUs and their caches have been detailed for many years now. What makes them truly dangerous is if they can be exploited in the wild.

In a very small number of cases are CPU vulnerabilities a danger to users.

For example, an Intel bug that was patched last year was revealed earlier this week to be much worse than previously thought. However, even if the bug impacts more products and can leak more data than previously thought, exploiting it requires jumping through a series of hoops that limit its applicability in the real world.

The Collide+Probe and Load+Reload bugs are not that kind of attack, at least, according to researchers. These attacks can be exploited in real-world scenarios, and with rather ease, without needing physical access, special equipment, or to break apart computer cases to connect to hidden ports -- like many past CPU attacks have required.

The research team said it managed to exploit the two AMD vulnerabilities via JavaScript and in a cloud computing environment -- making the two attacks a palpable danger for real-world deployments of AMD processors.

Breaking ASLR

In a first experiment, they said they managed to run a malicious process on an AMD CPU that used a covert data exfiltration channel to steal data from another process running on the processor. Data exfiltration speed was clocked at 588.9 kB/s, which the research team said it put it in the upper echelon of covert data exfiltration methods.

Second, researchers said they also used the Collide+Probe attack to reduce the entropy (ability to produce random numbers) of different ASLR implementations. ASLR stands for Adress Space Layout Randomization and is a security mechanism used to randomize and cloak the locations of where code executes inside a CPU's memory. If an attacker breaks ASLR, they can predict where code executes, and plan for other attacks.

Researchers said they broke kernel ASLR on a fully updated Linux system, but also ASLR for operating systems and apps running inside hypervisors (cloud/virtualized environments).

These attacks required planting malicious code on the same machine, however, the attack is also portable to the web, via malicious JavaScript loaded inside a browser.

"We tested our proof-of-concept in both the Chrome 76.0.3809 and Firefox 68.0.2 web browsers as well as the Chrome V8 standalone engine," the research team said.

"In Firefox, we are able to reduce the entropy by 15 bits with a success rate of 98% and an average run time of 2.33 s (σ=0.03s, n=1000). With Chrome, we can correctly reduce the bits with a success rate of 86.1% and an average run time of 2.90s (σ=0.25s, n=1000).

amd-aslr.png

In addition, researchers said they used the same Collide+Probe attack to recover the encryption key from an AES T-table implementation, a commonly used encryption algorithm.

AMD's controversial response

The good news is that this attack vector can be patched. The researchers provided various mitigations and countermeasures in their paper, titled "Take A Way: Exploring the Security Implications of AMD's Cache Way Predictors" [PDF available for downloaded from here or here].

"Our attacks demonstrate that AMD's design is vulnerable to side-channel attacks," the research team said.

However, in a message posted on its security portal, AMD has denied that these two new attacks are a concern, claiming that the two new attacks "are not new speculation-based attacks" and that they should be mitigated through previous patches for speculative execution side channel vulnerabilitie.

But in a subsequent email, the research team told ZDNet that AMD's response is "rather misleading," that AMD never engaged with their team after the initial report last August, and that the attacks still work on fully-updated operating systems, firmware, and software even today.


These are also not the first CPU attacks to impact AMD processors. AMD CPUs have also been proven vulnerable to attacks like Spectre v1 (CVE-2017-5753), Spectre v1.1 (CVE-2018-3693), Spectre v1.2, Spectre v2 (CVE-2017-5715), CVE-2018-3640, SpectreNG (CVE-2018-3639), SpectreRSB, NetSpectre, and a cluster of seven other side-channel attacks.

When inquired on Twitter if these attacks are as bad as any of the above, one of the researchers said they are not, at least not on the scale of how Meltdown and Zombieload impacted Intel CPUs, which could leak data from inside a CPU's memory much faster and in larger chunks.

Updated to add AMD's official public response.