A team of researchers from the Graz University of Technology and CISPA Helmholtz Center for Information Security. developed a novel side-channel exploit that targets AMD CPUs.
Moritz Lipp and Daniel Gruss of the Graz University of Technology, along with Michael Schwarz of the CISPA Helmholtz Center for Information Security, established the new attack technique. They were first to uncover the Meltdown and Spectre vulnerabilities, which opened the door for numerous additional side-channel attack methods targeting commonly used chips.
These side-channel exploits generally permit a malicious program installed on the targeted system to leverage CPU flaws to access potentially sensitive information in memory linked with other apps, such as credentials and encryption keys.
Several of the side-channel assaults revealed in recent years have targeted Intel processors, but systems powered by AMD processors are not protected, as per the recently published research.
“In contrast to previous work on prefetch attacks on Intel, we show that the prefetch instruction on AMD leaks even more information,” the researchers explained in the abstract of their paper.
The study presented numerous attack scenarios, one of which researchers used a Spectre attack to disclose confidential material from the operating system and provided a novel way for building a covert channel to steal information.
In addition, the research suggests having discovered the first "full microarchitectural KASLR (kernel address space layout randomization) break on AMD that works on all major operating systems." KASLR is an attack mitigation method, and the experts demonstrated how an intruder might defeat it on laptops, desktop PCs, and cloud virtual machines.
AMD was notified about the results in mid-and late 2020, the vendor recognized them and gave a response in February 2021; the flaws have been assigned the CVE identifier CVE-2021-26318 and a medium severity grade by AMD.
The chipmaker acknowledged that perhaps the problem affects all of its processors, but it isn't suggesting any additional mitigations since "the attacks discussed in the paper do not directly leak data across address space boundaries."
Lipp feels that their most recent study covers several intriguing features of AMD CPUs that might spur further investigation into side-channel assaults.
He further explained, “For instance, we use RDPRU as a timing primitive as the typically used rdtsc instruction has a lower resolution on AMD. This allows to distinguish events with only a slight timing difference. On the other hand, we use the reported energy consumption of the AMD driver to mount an attack. While this driver has now been removed from the Linux kernel, using this energy source could be interesting to mount other power side-channel attacks as we have shown on Intel with the PLATYPUS attacks.”
