Another Meltdown-class vulnerability discovered affecting AMD processors

Recently a team of researchers from the Graz University of Technology (Austria) and the Helmholtz Center for Information Security (CISPA) released information about a vulnerability (CVE-2021-26318) affecting all AMD processors that could allow Meltdown-class side-channel attacks.

In response to the disclosure, AMD stated that it does not consider special measures to block the problem appropriate, since the vulnerability, like a similar attack detected in August, is of little use in real conditions: it is limited by the current bounds of the process address space and requires suitable instruction sequences (gadgets) to be present in the kernel. To demonstrate the attack, the researchers loaded their own kernel module with an artificially added gadget. In real life, attackers could, for example, regularly use vulnerabilities in the eBPF subsystem to supply the necessary sequences.

From a practical point of view, the attack can be used to set up covert data transmission channels, monitor activity in the kernel, or obtain information about addresses in kernel memory in order to bypass the protection based on address-space randomization (KASLR) while exploiting vulnerabilities in the kernel.

We discovered timing and power variations of the prefetch instruction that can be observed from unprivileged user space. Unlike previous work on prefetch attacks on Intel, we showed that the prefetch instruction on AMD leaks even more information. We demonstrate the importance of this side channel with multiple case studies in real-world settings. We demonstrate the first microarchitectural KASLR break.

To defend against this new attack, AMD has recommended the use of secure coding techniques that help block Meltdown attacks, such as the use of LFENCE instructions. The researchers who identified the issue recommend enabling stricter kernel page table isolation (KPTI), which until now has only been applied to Intel processors.
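Because the page's mitigation advice is to enable KPTI on AMD systems where the kernel does not turn it on by itself, the first thing an administrator wants is a quick way to tell whether it is active. The following POSIX shell script is an added example, not code from the article, from AMD or from the researchers. It reads three real Linux kernel interfaces: the `meltdown` entry under `/sys/devices/system/cpu/vulnerabilities/`, the `flags` line of `/proc/cpuinfo` (which lists `pti` only while page table isolation is enabled) and the `pti=` boot parameter in `/proc/cmdline`. The sample file contents it runs on are constructed and labelled as such; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the article or the researchers: a small audit
# of whether Kernel Page Table Isolation (KPTI, the mitigation the researchers
# recommend enabling on AMD) is actually active on a Linux host.
# It reads three real kernel interfaces:
#   /sys/devices/system/cpu/vulnerabilities/meltdown  ("Mitigation: PTI",
#                                                     "Not affected" or "Vulnerable")
#   /proc/cpuinfo   (the "pti" entry in the flags line appears only when PTI is on)
#   /proc/cmdline   (the pti=on|off|auto boot parameter, if one was given)
# File paths are function parameters so the logic can be run against constructed
# copies of those files as well as the live ones.

# Normalise the text of the meltdown sysfs entry to one word:
# mitigated | not-affected | vulnerable | unknown
classify_meltdown_status() {
    case "$1" in
        "Mitigation: PTI"*) echo mitigated ;;
        "Not affected"*)    echo not-affected ;;
        Vulnerable*)        echo vulnerable ;;
        *)                  echo unknown ;;
    esac
}

# Succeed (exit 0) when the first flags line of a cpuinfo file lists "pti".
cpuinfo_has_pti() {
    grep '^flags' "$1" | head -n 1 | tr ' \t' '\n\n' | grep -qx pti
}

# Print the last pti= value found in a cmdline file, or "unset".
cmdline_pti_setting() {
    setting=$(tr ' ' '\n' < "$1" | sed -n 's/^pti=//p' | tail -n 1)
    [ -n "$setting" ] && echo "$setting" || echo unset
}

# Combine the sources. Prints "pti-active" when the kernel reports PTI as the
# Meltdown mitigation or the pti CPU flag is present; otherwise "pti-inactive"
# followed by what sysfs said and what the boot line requested.
# On AMD the sysfs entry usually reads "Not affected", which means the kernel
# chose not to enable PTI, not that PTI is on; booting with pti=on forces it.
kpti_verdict() {
    sysfs_file=$1; cpuinfo_file=$2; cmdline_file=$3
    status=$(classify_meltdown_status "$(cat "$sysfs_file" 2>/dev/null)")
    if [ "$status" = mitigated ] || cpuinfo_has_pti "$cpuinfo_file"; then
        echo pti-active
    else
        echo "pti-inactive (sysfs: $status, cmdline pti=$(cmdline_pti_setting "$cmdline_file"))"
    fi
}

# Stand-alone demo on constructed files that imitate an AMD host booted with
# default settings (constructed sample data, not captured from a real machine).
demo_dir=$(mktemp -d)
printf 'Not affected\n' > "$demo_dir/meltdown"
printf 'vendor_id\t: AuthenticAMD\nflags\t\t: fpu vme de pse sse2 ht syscall nx\n' > "$demo_dir/cpuinfo"
printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet\n' > "$demo_dir/cmdline"
echo "constructed AMD sample: $(kpti_verdict "$demo_dir/meltdown" "$demo_dir/cpuinfo" "$demo_dir/cmdline")"
rm -rf "$demo_dir"

# Live check (only meaningful on Linux; prints nothing elsewhere).
if [ -r /sys/devices/system/cpu/vulnerabilities/meltdown ]; then
    echo "this host: $(kpti_verdict /sys/devices/system/cpu/vulnerabilities/meltdown /proc/cpuinfo /proc/cmdline)"
fi
```

The constructed AMD sample reports `pti-inactive (sysfs: not-affected, cmdline pti=unset)`: the kernel's "Not affected" verdict reflects its own policy for AMD, not the presence of the mitigation, which is exactly the gap the researchers point at. A host that has been rebooted with `pti=on` shows the `pti` flag in `/proc/cpuinfo` and the script reports `pti-active`.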

During the experiment, the researchers managed to leak information from the kernel to a user-space process at a rate of 52 bytes per second, provided that a gadget performing the required operation is present in the kernel. Several methods have been proposed for extracting, through side channels, the information left in the cache during speculative execution.

The first method is based on analysing deviations in the execution time of the PREFETCH processor instruction, and the second on the change in power consumption while PREFETCH is executed (Prefetch + Power).

We monitor kernel activity, for example whether audio is being played via Bluetooth, and we establish a covert channel. Finally, we even leaked kernel memory at 52.85 B/s with simple Spectre gadgets in the Linux kernel. We show that stronger page table isolation should be enabled on AMD CPUs by default to mitigate our presented attacks.

Recall that the classic Meltdown vulnerability is based on the fact that, during speculative execution of instructions, the processor can access a private data area and then discard the result, because the established privileges prohibit such access from the user process. In the program, the speculatively executed block is separated from the main code by a conditional branch that, under real conditions, is always taken; but because the condition depends on a computed value that the processor does not yet know at that early stage of execution, all branch options are executed speculatively.

Since speculative operations use the same cache as normally executed instructions, it is possible during speculative execution to place markers in the cache that reflect the content of individual bits in the protected memory area, and then, in normally executed code, to determine their value by timing the accesses to cached and uncached data.

Finally, if you are interested in learning more about it, you can check the details at the following link.
