New Meltdown-class vulnerability found in Zen+ and Zen 2-based AMD processors

A few days ago, a group of researchers from the Technical University of Dresden disclosed a vulnerability (CVE-2020-12965) that enables a Meltdown-class attack on AMD processors based on Zen+ and Zen 2.

Initially, AMD Zen+ and Zen 2 processors were assumed not to be susceptible to the Meltdown vulnerability, but the researchers identified a characteristic that leads to speculative access to protected memory areas when non-canonical virtual addresses are used.

The researchers note that the AMD64 architecture uses only the first 48 bits of the virtual address and ignores the remaining 16 bits, and it specifies that bits 48 to 63 must always copy the value of bit 47.

That is to say, if this condition is violated and an attempt is made to access an address with arbitrary values in the upper bits, the processor raises an exception. Repeating bit 47 in the upper bits divides the available address space into two blocks.

Addresses that fit within these blocks are called canonical, and invalid addresses with arbitrary content in the upper bits are called non-canonical. The lower range of canonical addresses is, as a rule, allocated for process data, and the upper range is used for kernel data (access to those addresses from user space is blocked by privilege separation).
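The canonical-address rule described above, written out as an added example (it is not code from the researchers or from AMD). The function names are hypothetical and the sample addresses are constructed.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define VA_BITS 48 /* implemented virtual-address bits, per the article */

enum va_class { VA_LOWER_HALF, VA_UPPER_HALF, VA_NON_CANONICAL };

/* Return the canonical address that shares the low 48 bits with va:
 * bits 48..63 are overwritten with a copy of bit 47. */
uint64_t va_canonicalize(uint64_t va)
{
    const uint64_t low_mask = (UINT64_C(1) << VA_BITS) - 1;
    const uint64_t bit47 = UINT64_C(1) << (VA_BITS - 1);
    uint64_t low = va & low_mask;
    return (low & bit47) ? (low | ~low_mask) : low;
}

/* Classify an address according to the rule that bits 48..63 copy bit 47. */
enum va_class va_classify(uint64_t va)
{
    if (va != va_canonicalize(va))
        return VA_NON_CANONICAL; /* an ordinary access raises an exception */
    return (va >> 63) ? VA_UPPER_HALF : VA_LOWER_HALF;
}

int main(void)
{
    /* Constructed sample addresses, not taken from the paper. */
    const uint64_t samples[] = {
        UINT64_C(0x00007fffffffffff), /* top of the lower block */
        UINT64_C(0xffff800000000000), /* bottom of the upper block */
        UINT64_C(0x0000800000000000), /* bit 47 set, upper bits clear */
        UINT64_C(0xabcd00007fff1234), /* arbitrary upper 16 bits */
    };
    static const char *names[] = { "lower half", "upper half", "non-canonical" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%016" PRIx64 "  %-13s  canonical alias 0x%016" PRIx64 "\n",
               samples[i], names[va_classify(samples[i])],
               va_canonicalize(samples[i]));
    return 0;
}
```

The last two samples are non-canonical, yet each shares its low 48 bits with a canonical address, which is the aliasing the rest of the article relies on.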

The classic Meltdown vulnerability is based on the fact that, during speculative execution of instructions, the processor can access a private data area and then discard the result, since the established privileges prohibit such access from the user process.

In the program, the speculatively executed block is separated from the main code by a conditional branch, which in real conditions always fires. However, because the conditional statement uses a calculated value that the processor does not yet know during the anticipated execution of the code, all branch options are executed speculatively.

Since speculative operations use the same cache as normally executed instructions, it is possible during speculative execution to place markers in the cache that reflect the content of individual bits in a protected memory area, and then, in normally executed code, to determine their value by timing accesses to cached and non-cached data.

The peculiarity of the new vulnerability affecting AMD Zen+ and Zen 2 processors is that the CPUs allow speculative execution of read and write operations that access memory using invalid non-canonical addresses, simply ignoring the upper 16 bits.

Therefore, during speculative code execution, the processor always uses only the lower 48 bits, and address validation is done separately. If, when a non-canonical virtual address is translated to a physical address in the translation lookaside buffer (TLB), the canonical part of the address matches, the speculative load operation will return a value regardless of the contents of the upper 16 bits, which makes it possible to bypass the separation of memory between threads. Later, the operation will be invalidated and discarded, but the memory access will have been performed and the data will be cached.

During the experiment, using the FLUSH+RELOAD cache content detection technique, the researchers were able to set up a covert data transmission channel at a speed of 125 bytes per second.

The same techniques that help block Meltdown attacks, such as using LFENCE instructions, can be used to defend against the new attack.

At the same time, the researchers note that, compared to Intel processors, the architecture of AMD processors limits the possibility of real attacks, but does not exclude the use of the new method in combination with other microarchitectural attacks to increase its effectiveness.

In particular, the proposed attack variant does not make it possible to determine the content of kernel memory areas or of other processes, but is limited to gaining access to other threads of the same program that are running in the same virtual memory space.

Source: https://www.amd.com, https://arxiv.org/

