Known as "Take A Way," the new potential attack vectors leverage the L1 data (L1D) cache way predictor in AMD's Bulldozer microarchitecture to leak sensitive data from the processors and compromise the security by recovering the secret key used during encryption.
The research was published by a group of academics from the Graz University of Technology and Research Institute of Computer Science and Random Systems (IRISA), who responsibly disclosed the vulnerabilities to AMD back in August 2019.
"We are aware of a new white paper that claims potential security exploits in AMD CPUs, whereby a malicious actor could manipulate a cache-related feature to potentially transmit user data in an unintended way," AMD said in an advisory posted on its website over the weekend.
"The researchers then pair this data path with known and mitigated software or speculative execution side-channel vulnerabilities. AMD believes these are not new speculation-based attacks."
While the notification doesn't go into specifics about mitigating the attack, Vedad Hadžić, one of the key researchers on the paper, said the vulnerability is still open to active exploitation.
With Intel coming under scrutiny for a string of flaws in its CPUs — from Meltdown, Spectre, ZombieLoad to the recent unpatchable CSME firmware flaw — the research is a reminder that no processor architecture is fully secure.
It's worth noting that some of the co-authors listed in the study were also behind uncovering the Meltdown, Spectre, and ZombieLoad vulnerabilities.
Collide+Probe and Load+Reload Attacks
Like the Intel Spectre attack, the pair of exploits — dubbed Collide+Probe and Load+Reload — manipulate the aforementioned L1D cache predictor in order to access data that should otherwise be secure and inaccessible.
"With Collide+Probe, an attacker can monitor a victim's memory accesses without knowledge of physical addresses or shared memory when time-sharing a logical core," the researchers outlined. "With Load+Reload, we exploit the way predictor to obtain highly-accurate memory-access traces of victims on the same physical core."
L1D cache way predictor is an optimization mechanism that aims to reduce the power consumption associated with accessing cached data in memory:
"The predictor computes a μTag using an undocumented hash function on the virtual address. This μTag is used to look up the L1D cache way in a prediction table. Hence, the CPU has to compare the cache tag in only one way instead of all possible ways, reducing the power consumption."
The newly discovered cache attacks work by reverse-engineering this hashing function to track memory accesses from an L1D cache. While Collide+Probe exploits μTag collisions in AMD's L1D cache way predictor, Load+Reload takes advantage of the way predictor's handling of aliased addresses in the memory.
In other words, the two attack techniques can be employed to exfiltrate sensitive data from another process, sharing the same memory as the attacker or a process that's running on a different logical core of the CPU.
To demonstrate the impact of the side-channel attacks, the researchers established a cache-based covert channel that exfiltrated data from a process running on the AMD CPU to another stealthy process, achieving a maximum transmission rate of 588.9kB/s using 80 channels in parallel on the AMD Ryzen Threadripper 1920X processor.
With AMD's EPYC processors being embraced by popular cloud platforms such as Amazon, Google, and Microsoft, the fact that these attacks can be carried out in a cloud setting poses significant concerns.
Furthermore, the security researchers were able to successfully stage a Collide+Probe attack on some common browsers, namely Chrome and Firefox, by bypassing address space layout randomization (ASLR) in browsers, thereby reducing the entropy, and retrieving address information.
ASLR is a security implementation that's used to randomize and mask the exact locations of code and key data areas inside a CPU's memory. Put another way, it hinders a potential attacker from guessing target addresses and jumping to specific sections in the memory.
"In Firefox, we are able to reduce the entropy by 15 bits with a success rate of 98% and an average run time of 2.33 s (σ=0.03s, n=1000)," the researchers noted. "With Chrome, we can correctly reduce the bits with a success rate of 86.1% and an average run time of 2.90s (σ=0.25s, n=1000)."
Subsequently, the researchers used the same Collide+Probe attack to leak kernel memory data and even recover the encryption key from a T-table implementation that stores intermediate results of cryptographic operations using the AES cipher.
Mitigating the Attack
The good news is that the twin attacks can be mitigated through a variety of hardware-only, hardware and software changes, and software-only solutions — including designing the processor in a way that allows for dynamically disabling the way predictor temporarily and clearing the state of the way predictor when switching between kernel mode and user mode.
This is not the first time AMD processors have been found to be vulnerable to CPU attacks, including Spectre, forcing the company to release a slew of patches.
It remains to be seen if AMD will fix the flaws highlighted in the new research. We've reached out to AMD for comment and will update the story if we hear back.