A new paper released by the Graz University of Technology details two new "Take A Way" attacks, Collide+Probe and Load+Reload, that can leak secret data from AMD processors by manipulating the L1D cache predictor. The researchers claim that the vulnerability impacts all AMD processors from 2011 to 2019, meaning that the Zen microarchitecture is also impacted. (
PDF)
The university says it disclosed the vulnerabilities to AMD on August 23, 2019, meaning it was disclosed in a responsible manner (
unlike the CTS Labs debacle), but there isn't any word of a fix yet. We've pinged AMD for comment.
We've become accustomed to news of new Intel vulnerabilities being disclosed on a seemingly-weekly basis, but other processor architectures, like AMD and ARM, have also been impacted by some vulnerabilities, albeit to a lesser extent. It's hard to ascertain if these limited discoveries in AMD processors are triggered by a security-first approach to hardened processor design, or if researchers and attackers merely focus on Intel's processors due to their commanding market share: Attackers almost always focus on the broadest cross-section possible. We see a similar trend with malware being designed for Windows systems, by far the predominant desktop OS, much more frequently than MacOS,
though that does appear to be changing.
In either case, we expect AMD's architectures to gain more attention from researchers as the company gains more prominence in the semiconductor market.
Like we've seen with many of the recent attacks against modern processors, the two AMD vulnerabilities center on side-channel approaches, in this case a Spectre-based attack, that enable researchers to tease out what would normally be protected information. Here's a description of the technique from the whitepaper:
"We reverse-engineered AMD’s L1D cache way predictor in microarchitectures from 2011 to 2019, resulting in two new attack techniques. With Collide+Probe, an attacker can monitor a victim’s memory accesses without knowledge of physical addresses or shared memory when time-sharing a logical core. With Load+ Reload, we exploit the way predictor to obtain highly-accurate memory-access traces of victims on the same physical core. While Load+Reload relies on shared memory, it does not invalidate the cache line, allowing stealthier attacks that do not induce any last level-cache evictions."
The researchers were able to exploit the vulnerability via JavaScript run on Chrome and Firefox browsers. The paper suggests several possible remedies for the vulnerability through a combined software and hardware approach, but doesn't speculate on the performance hit associated with the suggested fixes.
The paper lists a wide array of funding from multiple sources, including the Austrian Research Promotion Agency, the European Research Council, and the French National Research Agency.
However, as
spotted by Hardware Unboxed, the paper also says that "Additional funding was provided by generous gifts from Intel. Any opinions, findings, and conclusions or recommendations expressed in this paper are those of the authors and do not necessarily reflect the views of the funding parties."
This has, of course, generated plenty of attention, but it is noteworthy that the study's Intel-funded co-authors have also disclosed Intel vulnerabilities in the past (10 on Intel, including Spectre, Meltdown, and Zombieload, three on ARM, two on AMD, and one on IBM). The lead
researcher also responded on Twitter, disclosing that Intel funds some of its students and the university fully discloses the sources of its funding. He also noted that Intel doesn't restrict the universities' academic freedom and independence, and that Intel has funded the program for two years.
Intel has disclosed,
as recently as two weeks ago, that it funds research into product security and also awards prizes to researchers for finding holes in its architectures (Intel Bug Bounty program
PDF), so this doesn't appear to be a case of Intel directly funding research against its competitor. The paper also engages in responsible disclosure of its funding sources, which makes any nefarious intent questionable. To cover the bases, we've also reached out to Intel for comment on the matter. According to the paper, Intel has already patched a similar vulnerability in its processors.
All modern processors have vulnerabilities, they are the most complex devices designed by humankind, after all, so crafty researchers will continue to find holes in the architectures. But that's better than discoveries made by those with malicious intent, particularly state actors, that could be exploited for years unbeknownst to the masses.
We'll update as we learn more.
