Spectre is alive: side-channel attacks on AMD Ryzen and Intel Core possible


Via the micro-op caches, CPUs of the AMD Ryzen and Intel Core series can be attacked through a Spectre-style side channel. A research team at the University of Virginia has discovered the new vulnerability in all modern processors from AMD Ryzen 1000 (Summit Ridge) and Intel Core i-2000 (Sandy Bridge) onward.

I see dead µOps goes one level deeper

The researchers have named the new side-channel approach, which extracts data that is supposed to be protected from the processor, I see dead µOps (PDF).

Besides current desktop processors up to the latest AMD Ryzen 5000 and Intel Core i-11000 generations, all HEDT and server CPUs since 2011 are affected as well.

I see dead µOps uses the micro-op caches of modern CPUs (Image: UVA)

Unlike previous Spectre attacks, which primarily exploited main memory or the shared L3 cache together with speculative execution via branch prediction, the new side-channel attack goes one level deeper and targets the micro-op caches directly, a very fast SRAM located right next to the CPU cores. In a proof of concept (PoC), the research team was able to use the method to breach the isolation between different memory address regions.

The micro-op caches in detail (Image: UVA)

Using the fast SRAM and the instructions already decoded by the front end saves energy and time, because thousands of instructions do not have to be decoded again. But it also makes modern CPUs vulnerable: there is no security check on the already-decoded instructions while they wait in this cache (the "gate" in the analogy below).

In a separate statement, the research team compares the side-channel attack to a hypothetical scenario at an airport.

Think about a hypothetical airport security scenario where TSA lets you in without checking your boarding pass because it is fast and efficient, and you will be checked for your boarding pass at the gate anyway.

It predicts that the check will pass and could let instructions into the pipeline. Ultimately, if the prediction is incorrect, it will throw those instructions out of the pipeline, but this might be too late because those instructions could leave side-effects while waiting in the pipeline that an attacker could later exploit to infer secrets such as a password.

Ashish Venkat, Professor of Computer Science at UVA Engineering

According to the researchers, the "I see dead µOps" attack also works, in particular, between two threads that share the resources of one CPU core via Simultaneous Multi-Threading (SMT).
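To make the mechanism concrete, here is an added toy model in Python; it is not code from the paper, the researchers, or this article. It models a set-associative micro-op cache with an assumed geometry (32 sets x 8 ways, 32-byte fetch windows; real Intel and AMD designs differ in detail and indexing), a victim whose bounds check is mispredicted so that a secret-dependent jump target is decoded into the cache before the path is squashed, and an attacker that runs Prime+Probe over the cache sets to recover the secret bit by bit. All addresses, the memory layout and the one-bit predictor are assumptions for illustration.

```python
# Added illustration of a micro-op-cache Prime+Probe during transient execution.
# Geometry and address layout are assumptions for illustration only.
from collections import OrderedDict

SETS, WAYS, LINE_BYTES = 32, 8, 32   # assumed: 32 sets x 8 ways, 32-byte windows


class UopCache:
    """Set-associative cache of decoded fetch windows with LRU replacement."""

    def __init__(self, sets=SETS, ways=WAYS):
        self.nsets, self.ways = sets, ways
        self.sets = [OrderedDict() for _ in range(sets)]  # tag -> owner, LRU first

    def set_index(self, addr):
        return (addr // LINE_BYTES) % self.nsets

    def fetch(self, addr, owner):
        """Decode the window at addr. True on a hit; on a miss the window is
        decoded and inserted, evicting the least recently used line."""
        s, tag = self.sets[self.set_index(addr)], addr // LINE_BYTES
        if tag in s:
            s.move_to_end(tag)
            return True
        if len(s) >= self.ways:
            s.popitem(last=False)
        s[tag] = owner
        return False


# Assumed victim layout: a public array followed in memory by a secret byte,
# and a gadget whose jump target depends on one bit of the value that was read.
PUBLIC = bytes(range(16))
SECRET = b"\xa5"                # constructed secret for the demo
MEM = PUBLIC + SECRET           # MEM[16] is out of bounds for the victim's API
GADGET_BASE = 0x40000           # maps to set 0 in this geometry
STRIDE = 16 * LINE_BYTES        # a set bit lands 16 sets away, i.e. set 16


class Victim:
    def __init__(self, cache):
        self.cache = cache
        self.last_taken = True  # 1-bit predictor: remembers the last bounds-check outcome

    def call(self, idx, bit):
        """Architecturally returns MEM[idx] only when idx is in bounds. While the
        bounds check is unresolved, the front end already decodes the secret-
        dependent target; that line stays in the cache even after the squash."""
        in_bounds = idx < len(PUBLIC)
        if self.last_taken:                                   # predicted in-bounds
            value = MEM[idx]                                  # transient load
            self.cache.fetch(GADGET_BASE + ((value >> bit) & 1) * STRIDE, "victim")
        self.last_taken = in_bounds                           # predictor learns the truth
        return MEM[idx] if in_bounds else None                # squashed path returns nothing


class Attacker:
    def __init__(self, cache, victim):
        self.cache, self.victim = cache, victim
        self.base = 0x10000     # attacker's own code region (assumed, maps to set 0)

    def lines_for_set(self, s):
        # WAYS distinct attacker windows that all map to set s
        return [self.base + (s + k * SETS) * LINE_BYTES for k in range(WAYS)]

    def prime(self):
        for s in range(SETS):
            for a in self.lines_for_set(s):
                self.cache.fetch(a, "attacker")

    def probe(self, s):
        """Count attacker lines evicted from set s since prime(). Probing in
        reverse prime order avoids evicting our own lines while probing."""
        return sum(not self.cache.fetch(a, "attacker")
                   for a in reversed(self.lines_for_set(s)))

    def leak_bit(self, bit):
        for _ in range(3):                      # train the predictor on in-bounds calls
            self.victim.call(0, bit)
        self.prime()
        self.victim.call(len(PUBLIC), bit)      # out of bounds: squashed, but decoded
        set0 = self.cache.set_index(GADGET_BASE)
        set1 = self.cache.set_index(GADGET_BASE + STRIDE)
        return 1 if self.probe(set1) > self.probe(set0) else 0

    def leak_byte(self):
        return sum(self.leak_bit(b) << b for b in range(8))


def demo():
    """Recover the secret byte purely from micro-op-cache set conflicts."""
    cache = UopCache()
    return Attacker(cache, Victim(cache)).leak_byte()


if __name__ == "__main__":
    print(hex(demo()))
```

The out-of-bounds call never returns the secret architecturally (it returns None), yet the decoded gadget line it left in set 0 or set 16 tells the attacker the bit. On real hardware the probe measures fetch latency instead of counting simulated misses, and the cache-indexing and replacement policies have to be reverse-engineered first, but the structure of the attack is the same.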

A patch would cost a lot of performance

Implementing suitable patches against this type of attack, for example for Intel's Software Guard Extensions (SGX), would cost a lot of performance, because the iTLB (Instruction Translation Lookaside Buffer) would first have to be flushed, which on these CPUs also clears the micro-op cache, the researchers continue.


In the case of the previous Spectre attacks, developers have come up with a relatively easy way to prevent any sort of attack without a major performance penalty. The difference with this attack is you take a much greater performance penalty than those previous attacks.

Patches that disable the micro-op cache or halt speculative execution on legacy hardware would effectively roll back critical performance innovations in most modern Intel and AMD processors, and this just isn't feasible.

Xida Ren, Student of Computer Science at UVA Engineering

The University of Virginia and the University of California, which were both involved in the research, notified AMD and Intel of the vulnerability in mid-April.