Meltdown-like vulnerability found in AMD CPUs

WolframaticAlpha

Summary

Researchers have now found a Meltdown-equivalent attack that affects AMD processors. This apparently affects all AMD processors, including Zen 3. Called "Transient Execution of Non-canonical Accesses," this vulnerability acts very similarly to the already-disclosed Meltdown vulnerability that only impacts Intel CPUs. 

 

Quotes

Quote

The research paper acknowledges that the attack against AMD CPUs is not executed in precisely the same manner as Intel CPUs, but the end result is the same. Meltdown is a vulnerability that abuses speculative execution to leak kernel data to applications that shouldn’t have access to it. The authors write: “This class targets architecturally illegal data flow from microarchitectural elements (e.g., L1 Cache, Store/Load-Buffer, Special Register Buffer). Such an illegal data flow allows an attacker to exploit transient execution to expose data and change the microarchitectural state.”

 

My thoughts

Software mitigations incoming. Software slowdown imminent. I am not an expert on these matters, but probably this would require some software patches that will give slowdowns, akin to Intel's Spectre and Meltdown patches.

 

Sources

https://hothardware.com/news/amd-zen-cpus-vulnerable-meltdown-style-security-vulnerability

https://www.tomshardware.com/news/zen2-processor-vulnerability-mitigation

https://www.extremetech.com/computing/326558-all-amd-cpus-found-harboring-meltdown-like-security-flaw


If you read into this a bit more it seems like this is only a theoretical attack vector, yes they have a way to reliably get the CPU to execute non canonical code on paper but unlike Meltdown, there is no proof of concept exploit yet.

 

17 minutes ago, WolframaticAlpha said:

My thoughts

 

Software mitigations incoming. Software slowdown imminent. I am not an expert on these matters, but probably this would require some software patches that will give slowdowns, akin to Intel's Spectre and Meltdown patches.

From one of your sources

Quote

AMD describes the issue as “AMD CPUs may transiently execute non-canonical loads and store using only the lower 48 address bits.” The full 64-bits of an address are not evaluated when performing speculative execution, and this can be exploited to leak data out of the CPU. AMD also states: “Potential vulnerabilities can be addressed by inserting an LFENCE or using existing speculation mitigation techniques as described in [2].” [2] refers to AMD’s most recent guide on how to manage speculative execution safely in AMD processors.

LFENCE - https://c9x.me/x86/html/file_module_x86_id_155.html

 

Seems like an instruction that forces the CPU to wait and load instructions in the correct order rather than jumping ahead according to its speculative data, though I'm not an expert in ASM (heck, I'm not even a beginner in ASM), so I'd love for someone who knows more to chime in and explain.

 

Edit - Here's the [2] from the quote - https://developer.amd.com/wp-content/resources/Managing-Speculation-on-AMD-Processors.pdf

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)
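An added example, not from any post in this thread and not the researchers' or AMD's code, illustrating two points the thread touches on: what AMD's phrase "using only the lower 48 address bits" means in terms of canonical x86-64 addresses (two addresses that differ only in the upper 16 bits are indistinguishable to a 48-bit lookup, even when one of them is non-canonical and would fault if accessed normally), and where a speculation barrier such as LFENCE sits relative to a bounds check, as AMD's speculation guide recommends. It also covers leadeater's later explanation of why the result of a mispredicted path must be discarded. The helper names, the constructed sample buffer and the non-x86 fallback barrier are my own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x86-64 with 4-level paging implements 48 virtual address bits; bits 63..48
 * must be a copy of bit 47 ("canonical form"). Addresses that break this rule
 * fault when accessed architecturally. */
#define VA_BITS 48

/* True when bit 47 and the 16 bits above it are all 0 or all 1. */
bool is_canonical(uint64_t va)
{
    uint64_t top = va >> (VA_BITS - 1);   /* 17 bits: bit 47 plus bits 63..48 */
    return top == 0 || top == 0x1FFFFULL;
}

/* The part of the address AMD's advisory says may be used transiently. */
uint64_t low48(uint64_t va)
{
    return va & ((1ULL << VA_BITS) - 1);
}

/* Two addresses that a lookup keyed only on the lower 48 bits cannot tell
 * apart, regardless of whether either one is canonical. */
bool aliases_in_low48(uint64_t a, uint64_t b)
{
    return low48(a) == low48(b);
}

/* Speculation barrier. On x86 this is the LFENCE the advisory names; on other
 * targets a compiler-only barrier is substituted (assumption, so the file
 * still builds there). */
static inline void speculation_barrier(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#else
    __asm__ __volatile__("" ::: "memory");
#endif
}

/* Bounds check followed by a barrier: the fence keeps the load from being
 * issued on a mispredicted path where idx is out of range, so a wrong guess
 * leaves no microarchitectural trace of buf[idx]. Returns 0 on success. */
int guarded_read(const uint8_t *buf, size_t len, uint64_t idx, uint8_t *out)
{
    if (idx >= len)
        return -1;                 /* architecturally rejected */
    speculation_barrier();         /* and not executed transiently either */
    *out = buf[idx];
    return 0;
}

/* Self-check over a constructed sample buffer; returns the number of checks
 * that behaved as expected (3 when everything is right). */
int self_check(void)
{
    static const uint8_t sample[4] = { 10, 20, 30, 40 };   /* constructed */
    uint8_t v = 0;
    int ok = 0;

    if (guarded_read(sample, 4, 2, &v) == 0 && v == 30) ok++;
    if (guarded_read(sample, 4, 4, &v) == -1) ok++;          /* one past the end */
    if (guarded_read(sample, 4, UINT64_MAX, &v) == -1) ok++; /* wild index */
    return ok;
}

int main(void)
{
    uint64_t user_va  = 0x00007f1234567000ULL;   /* canonical, user half */
    uint64_t bogus_va = 0x12347f1234567000ULL;   /* non-canonical, same low 48 bits */

    printf("user  %#llx canonical=%d\n", (unsigned long long)user_va, is_canonical(user_va));
    printf("bogus %#llx canonical=%d\n", (unsigned long long)bogus_va, is_canonical(bogus_va));
    printf("alias in low 48 bits: %d\n", aliases_in_low48(user_va, bogus_va));
    printf("guarded_read checks passed: %d/3\n", self_check());
    return 0;
}
```

The alias check is the defender's way to reason about the advisory: a check that only looks at the lower 48 bits treats `bogus_va` as `user_va`, which is why the full 64-bit canonical test and the barrier after the bounds check both matter.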


45 minutes ago, Master Disaster said:

If you read into this a bit more it seems like this is only a theoretical attack vector, yes they have a way to reliably get the CPU to execute non canonical code on paper but unlike Meltdown, there is no proof of concept exploit yet.

This is false.

The researchers created a POC that they used to reliably exploit this security hole. That's why they have a table for "AMD CPUs we tested" as well as example code in their paper.

They also found that older Intel CPUs are also vulnerable. They tested it on an i7-10510U as well and that was not vulnerable. Intel introduced hardware mitigation for MDS in Cascade Lake and Ice Lake so presumably anything earlier than 10th gen Intel is vulnerable. Might be worth putting that in the title so we don't end up in another scenario like with Spectre where people thought it was only Intel that were affected, even though AMD was too.


sigh

Another exploit that *might* harm my processor? oof.

And I have a 3600 at best.

Edited by MultiGamerClub
Pressed enter twice and the post got posted... Ehhh?? Don't know if it's a bug, so I'm just adding text now.

Useful threads: PSU Tier List | Motherboard Tier List | Graphics Card Cooling Tier List ❤️

Baby: MPG X570 GAMING PLUS | AMD Ryzen 9 5900x /w PBO | Corsair H150i Pro RGB | ASRock RX 7900 XTX Phantom Gaming OC (3020Mhz & 2650Memory) | Corsair Vengeance RGB PRO 32GB DDR4 (4x8GB) 3600 MHz | Corsair RM1000x |  WD_BLACK SN850 | WD_BLACK SN750 | Samsung EVO 850 | Kingston A400 |  PNY CS900 | Lian Li O11 Dynamic White | Display(s): Samsung Oddesy G7, ASUS TUF GAMING VG27AQZ 27" & MSI G274F

 

I also drive a Volvo, as one does being Norwegian haha, a Volvo V70 D3 from 2016.

Reliability was a key thing and it's my second car, working pretty well for its 6 years of age xD


3 hours ago, LAwLz said:

This is false.

The researchers created a POC that they used to reliably exploit this security hole. That's why they have a table for "AMD CPUs we tested" as well as example code in their paper.

They also found that older Intel CPUs are also vulnerable. They tested it on an i7-10510U as well and that was not vulnerable. Intel introduced hardware mitigation for MDS in Cascade Lake and Ice Lake so presumably anything earlier than 10th gen Intel is vulnerable. Might be worth putting that in the title so we don't end up in another scenario like with Spectre where people thought it was only Intel that were affected, even though AMD was too.

Yeah, I totally missed the link to the paper PDF. After reading through it I see they did manage to execute the exploit.

 

1 hour ago, Arika S said:

Gee who would have thought that there is no magic sauce that makes one brand of CPU immune to security vulnerabilities.

Quantum? 🤔



It's just a matter of time before people find a way to exploit the system. PlayStation, Xbox, Nintendo and Sega consoles are no exception either. Even the new Apple M1 processors are very prone to exploits and attacks.

I have ASD (Autism Spectrum Disorder). More info: https://en.wikipedia.org/wiki/Autism_spectrum

 

I apologize if my comments or posts offend you in any way, or if my rage went a little too far. I'll try my best to make my posts as non-offensive as possible.


On 9/2/2021 at 12:14 PM, Arika S said:

Gee who would have thought that there is no magic sauce that makes one brand of CPU immune to security vulnerabilities.

The question now is what they'll do about it. Intel was pretty crap about it and the issues always trailed several generations back. How AMD approaches this will make all the difference.


22 minutes ago, RejZoR said:

How AMD approaches this will make all the difference.

No it won't; people's responses to Intel's vulnerabilities were never about how they handled it. It's always "lolol another intel vulnerability, glad I'm with amd" and the like, putting AMD on a fake pedestal of security.

🌲🌲🌲

 

 

 

◒ ◒ 


1 hour ago, Arika S said:

No it won't; people's responses to Intel's vulnerabilities were never about how they handled it. It's always "lolol another intel vulnerability, glad I'm with amd" and the like, putting AMD on a fake pedestal of security.

I can guarantee AMD's response time to release a mitigation will be on par with Intel's if we scale for only having to deal with Zen archs. Intel had to deal with all processors going back a decade or so simply because their product was good enough to build on and refine for so long. If anything, the fact AMD succumbed to the same type of exploit, given this exploit was theorized to exist way back before they started designing these CPUs, means AMD's desire to give you a less secure product for the sake of selling CPUs is just as shit as Intel's.

 

 

Anyway, as I said in the last thread about this, there is no difference between AMD and Intel when it comes to security and exploits. All we know are the ones they have disclosed; the ones we don't know about are the dangerous ones.

 

 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


I thought this was basically a given after all the exploits found on Intel. I mean, it's not like it's vastly different underlying engineering. It doesn't matter if you're an Intel or AMD fanboy/fangirl, these exploits are going to happen, and unless you like slow performance, well then honestly you should be running the latest chips for maximum security.


7 hours ago, mr moose said:

Intel had to deal with all processors going back a decade or so simply because their product was good enough to build on and refine for so long. If anything, the fact AMD succumbed to the same type of exploit, given this exploit was theorized to exist way back before they started designing these CPUs, means AMD's desire to give you a less secure product for the sake of selling CPUs is just as shit as Intel's.

That's not a fair assessment. No one knew that speculative execution could have been exploited like this, so active security around it was never a factor in design. So much so that it wasn't even an x86 thing; it affected ARM CPUs too.

 

The paradigm in computing science with regards to speculative execution was so fundamentally flawed that the only true mitigation was to simply disable it; in this case hyper-threading. Or, flush L cache in transactions that cross between kernel and user space.

 

Now there are all sorts of mitigations in software, but the primary solution is via the emphasis on VBS, where the kernel space is isolated via virtualization. And this is where Windows 11 comes in, as it makes VBS support in CPU hardware (MBEC / GMET) a hard floor requirement.


5 hours ago, StDragon said:

That's not a fair assessment. No one knew that speculative execution could have been exploited like this,

 

Speculative execution has been proposed to be a thing for well over a decade now. How it gets exploited was always the unknown part and the very reason it took them so long to find the method for Intel processors (i.e. they knew they could, it's just that working it out took a decade). Most of us knew it was only ever a matter of time before they discovered the process through which to exploit it in other processor architectures.

 

 



16 hours ago, RejZoR said:

The question now is what they'll do about it.

Technically, aside from OS patches, they can't do anything about it. This is a hardware-level flaw, so it's already there. They can only depend on the OS having good security measures so that this type of vulnerability is prevented from executing. Just like Intel and Spectre, there's no permanent fix.


I wonder how those researchers get paid.

I mean, do they search for those in their free time or what?


Just now, 12345678 said:

I wonder how those researchers get paid.

I mean, do they search for those in their free time or what?

Usually, giant tech companies like Google and Amazon do offer bug bounties for those who manage to find a vulnerability in their systems. Of course, another way is that some institutions are commissioned to actively seek out bugs and vulnerabilities. Other times, it was just hackers trying to access a system they don't have permission for. There are also community bug bounties, or white hat hackers who actively exploit the system and report back to the company on their findings.


24 minutes ago, Chiyawa said:

Usually, giant tech companies like Google and Amazon do offer bug bounties for those who manage to find a vulnerability in their systems. Of course, another way is that some institutions are commissioned to actively seek out bugs and vulnerabilities. Other times, it was just hackers trying to access a system they don't have permission for. There are also community bug bounties, or white hat hackers who actively exploit the system and report back to the company on their findings.

Except that they only pay if you can find specific issues.

Besides, they aren't always that willing to pay, or what they do offer as a bounty is a ridiculous amount of money.

So I doubt that's it...

 

I was more curious if there was some sort of public campaign where they basically get paid by studying,

but I didn't specify.


Just now, 12345678 said:

I was more curious if there was some sort of public campaign where they basically get paid by studying,

but I didn't specify.

I see. Well, to my knowledge, tech giants do come up with bug bounties, though I haven't really tried it out because I'm not a software engineer.

 

I know some firms are actually paid by companies or organizations to hunt for exploits. Hackers (especially black hat hackers) do it for the thrill of it, like trying to pick the lock on a treasure chest. Other than that, I don't have any idea whether these bug hunters or white hat hackers and exploiters are paid for their job (usually they are paid, but some actually work for free just to kill time).


1 hour ago, 12345678 said:

I wonder how those researchers get paid.

I mean, do they search for those in their free time or what?

Intel paid them

 

 


4 hours ago, mr moose said:

Speculative execution has been proposed to be a thing for well over a decade now. How it gets exploited was always the unknown part and the very reason it took them so long to find the method for Intel processors (i.e. they knew they could, it's just that working it out took a decade). Most of us knew it was only ever a matter of time before they discovered the process through which to exploit it in other processor architectures.

Speculative execution isn't a flaw or a security theory. Speculative execution is branch prediction with execution on the basis that what is predicted might actually be used so it's faster to have the result already before it is required.

 

Quote

Branch prediction is done by the processor to try to determine where the execution will continue after a conditional jump, so that it can read the next instruction(s) from memory.

 

Speculative execution goes one step further and determines what the result would be from executing the next instruction(s). If the branch prediction was correct, the result is used, otherwise it is discarded.

 

The security flaws are in regards to gaining access to transient data caused by these speculative executions or keeping the cache data around for prediction input.

 

AMD did actually build specific cache and memory protection into Zen to guard against speculative execution security flaws; that was why many of the Intel flaws in the first round did not affect AMD/Zen, because the safeguards that were put in place did protect against improper reading of data in that way.

 

What we have here is a discovery of a way that does get around the current safeguards.


Rather important update below, including comments from the source researcher.

 

 

Quote

One of the researchers, Said Musaev, has expressed regret over how the flaw has been described by media, saying "it is a hardware flaw, which leads to side channels" and "'THIS IS NOT A VULNERABILITY', just a flaw in hardware." What he means by this is that the AMD processors have a flaw that allows unintended behavior to be forced, and this could become a vulnerability or strengthen existing exploits, but the whitepaper doesn't go so far as to describe a workable vulnerability.

 

 

 

TL;DR It does not currently have security vulnerability status yet; it's a hardware flaw that could turn into one, and the proof of concept was to show the flaw's existence, not an actual security vulnerability yet. I've used "yet" multiple times on purpose, because it likely will.


15 minutes ago, leadeater said:

What he means by this is that the AMD processors have a flaw that allows unintended behavior to be forced

Which is a vulnerability......

 

It may not have been used in this way yet, but it is VULNERABLE to being used in this way.

 

It's absolute semantics to not call it a vulnerability.

 

 

Even the dictionary definition of the word says it's a vulnerability. The flaw exists, therefore it is vulnerable.

Vul·ner·a·bil·i·ty
noun: vulnerability; plural noun: vulnerabilities
  1. the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally.
