Collide + Probe and Load + Reload: two techniques that leak data on AMD processors

In a previous article we covered a bug that cannot be fixed in Intel processors prior to the tenth generation; this time the bug affects AMD processors. It was found by a team of researchers from Graz University of Technology (Austria), previously known for developing the MDS, NetSpectre, Throwhammer and ZombieLoad attack methods.

They have now investigated specific AMD hardware optimizations and developed two new side-channel attack methods that exploit data leaks in the way prediction of the first-level data cache of AMD processors.

The methods can be used to weaken ASLR protection, recover keys from vulnerable AES implementations and increase the efficiency of the Spectre attack.

In their research they report that they identified problems in the implementation of the way prediction mechanism (way predictor) of the first-level CPU data cache (L1D), which is used to predict in which cache way a given memory address is located.

The optimization used in AMD processors relies on μTag checks. The μTag is computed by applying a specific hash function to the virtual address. During operation, the way predictor uses the μTag to determine which cache way to look up.

The μTag therefore allows the processor to access only one specific way instead of checking all of them, which significantly reduces CPU power consumption.

The vulnerability manifests itself in AMD processors based on the Bulldozer, Piledriver, Steamroller, Zen (Ryzen, Epyc), Zen+ and Zen 2 microarchitectures.

AMD was notified of the issue on August 23, 2019, but has yet to publish guidance on blocking the vulnerability.

According to the researchers, the issue could be addressed at the microcode update level by exposing MSR bits that selectively disable the way prediction system, similar to how Intel handled disabling its branch prediction mechanisms.

While reverse engineering the way predictor implementation on various generations of AMD processors manufactured between 2011 and 2019, the researchers devised two new side-channel techniques:

  • Collide + Probe: allows an attacker to track memory accesses by processes running on the same logical CPU core.
    The essence of the method is to track memory accesses using virtual addresses that collide in the hash function used to compute the μTag. Unlike the Flush + Reload and Prime + Probe attacks used on Intel processors, Collide + Probe does not rely on shared memory and works without knowledge of physical addresses.
  • Load + Reload: allows memory access traces on the same physical CPU core to be determined very precisely. The method is based on the fact that a given physical memory location can reside in the L1D cache only once.
    That is, accessing the same memory location through a different virtual address forces the line out of the L1D cache, which makes it possible to track memory accesses. Although the attack relies on shared memory, it does not flush cache lines, allowing stealthy attacks that do not evict data from the last-level cache.

Based on the Collide + Probe and Load + Reload techniques, the researchers demonstrated several side-channel attack scenarios:

The methods can be used to build a covert channel between two processes, which allows data to be transmitted at up to 588 kB per second.

Using μTag collisions, it was possible to reduce the entropy of several Address Space Layout Randomization (ASLR) variants and bypass kernel ASLR on a fully up-to-date Linux system.

An attack is also shown that reduces the ASLR entropy of user applications, of JavaScript code executed in a sandbox, and of code running in a virtualized guest.
