New AMD Side Channel Attacks Discovered, Impacts Zen Architecture (archive)
A new paper released by the Graz University of Technology details two new "Take A Way" attacks, Collide+Probe and Load+Reload, that can leak secret data from AMD processors by manipulating the L1D cache predictor. The researchers claim that the vulnerability impacts all AMD processors from 2011 to 2019, meaning that the Zen microarchitecture is also impacted. (PDF)
The university says it disclosed the vulnerabilities to AMD on August 23, 2019, meaning it was disclosed in a responsible manner (unlike the CTS Labs debacle), but there isn't any word of a fix yet. We've pinged AMD for comment.
We've become accustomed to news of new Intel vulnerabilities being disclosed on a seemingly-weekly basis, but other processor architectures, like AMD and ARM, have also been impacted by some vulnerabilities, albeit to a lesser extent. It's hard to ascertain if these limited discoveries in AMD processors are triggered by a security-first approach to hardened processor design, or if researchers and attackers merely focus on Intel's processors due to their commanding market share: Attackers almost always focus on the broadest cross-section possible. We see a similar trend with malware being designed for Windows systems, by far the predominant desktop OS, much more frequently than MacOS, though that does appear to be changing.
(Score: 1, Interesting) by Anonymous Coward on Sunday March 08 2020, @12:08PM
Personally it seems like this is a "medium" security vulnerability, at least so far. The flaw may enable additional attacks that are more dangerous than those revealed in the paper.
Most of their attacks only break ASLR or KASLR. While that's not good, ASLR only mitigates against unknown vulnerabilities. It's like wearing a condom during a one night stand. Breaking ASLR doesn't do anything by itself - you need to pair it with another vulnerability to accomplish anything.
The attacks that work from Javascript mostly point to more improvement being needed in browser sandboxes and don't really say much about this vulnerability one way or another.
The attacks that can leak real kernel data only work in conjunction with Spectre. While the existing default kernel protection against Spectre isn't adequate, it seems like the Meltdown protection would be (with the same performance cost). It might be that a less performance impacting mitigation would be possible since the overall attack is much less comprehensive than Meltdown. It also means that Zen 2 processors (Ryzen3000 series and the matching Threadripper and Epyc CPUs) are unaffected as they are not vulnerable to Spectre.