All AMD CPUs Affected by New Side Channel Attacks
Researchers disclosed details about a new side channel attack that affects all AMD CPUs. The new attack method was discovered by researchers Moritz Lipp and Daniel Gruss of the Graz University of Technology and Michael Schwarz of the CISPA Helmholtz Center for Information Security. They were part of the team that discovered the original Meltdown and Spectre vulnerabilities. These side-channel attacks allow a malicious app installed on the targeted system to exploit CPU weaknesses in order to steal sensitive information, such as passwords and encryption keys, from memory associated with other apps. Many of the side-channel attacks disclosed over the past years targeted Intel processors, such as the Intel side-channel attack disclosed in June 2018. Systems powered by AMD processors are not immune either, as the newly presented research shows.
The new attacks demonstrated by Lipp, Gruss and Schwarz leverage timing and power measurements of prefetch instructions. Compared to previous work on prefetch attacks against Intel CPUs, the researchers showed that the prefetch instruction on AMD leaks even more information. They demonstrated several attack scenarios, including one in which they mounted a Spectre attack to leak sensitive data from the operating system, and showed a new method for establishing a covert channel to exfiltrate data. The researchers also identified the first full microarchitectural kernel address space layout randomization (KASLR) break on AMD that works on all major operating systems. KASLR is an exploit mitigation technique, and the researchers showed how an attacker could break it on laptops, desktop PCs, and virtual machines in the cloud.
AMD has been made aware of the flaw; it assigned the identifier CVE-2021-26318 and a medium severity rating. AMD confirmed that the issue impacts all of its processors, but it is not recommending any new mitigations because "the attacks discussed in the paper do not directly leak data across address space boundaries." AMD lists a series of recommendations for mitigating side-channel attacks in general, such as keeping operating systems, software and firmware up to date, and following secure coding practices.
Mitigations already exist for the attacks, but not all of them are enabled by default on AMD CPUs. The researchers used the energy consumption reported by the AMD driver to mount an attack, and the same interface could be used to mount other power side-channel attacks. Attacks that rely on monitoring power consumption for data exfiltration are not unheard of. However, many of the methods disclosed in the past required physical access to the targeted system and involved the use of oscilloscopes. The new attack uses the RAPL interface instead of an oscilloscope to monitor power consumption. The measurements from the RAPL interface can be obtained even by an unprivileged user via a Linux driver, which allows an unprivileged malicious application installed on the targeted system to monitor power consumption, correlate it with the data being processed, and thereby recover sensitive information.
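The practical defender's question raised by the paragraph above is whether the energy counters on a given Linux host are readable by unprivileged users at all. The following audit script is an added example, not code from the article or from the researchers; it assumes the counters are exposed through the powercap (`energy_uj`) and hwmon (`energy*_input`) sysfs files and that GNU `stat` is available. Kernels that have restricted those counters to root will report them as restricted.

```shell
#!/bin/sh
# Added defender-side audit (not the article's or the researchers' code):
# find Linux energy-counter files under a sysfs root and report which ones
# any local user can read. The sysfs paths below are assumptions about
# where the powercap and hwmon drivers expose their counters.

# list_energy_counters ROOT
# Prints every energy counter file found under ROOT (default /sys).
list_energy_counters() {
    root="${1:-/sys}"
    for f in "$root"/class/powercap/*/energy_uj \
             "$root"/class/powercap/*/*/energy_uj \
             "$root"/class/hwmon/hwmon*/energy*_input; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# world_readable FILE
# Returns 0 if FILE grants the read bit to the "other" class.
world_readable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    other=${mode#"${mode%?}"}          # last octal digit = "other" permissions
    case "$other" in
        4|5|6|7) return 0 ;;           # read bit (4) is set
        *)       return 1 ;;
    esac
}

# audit_energy_counters ROOT
# Prints one line per counter: "EXPOSED <file>" or "restricted <file>".
audit_energy_counters() {
    list_energy_counters "$1" | while IFS= read -r f; do
        if world_readable "$f"; then
            printf 'EXPOSED    %s\n' "$f"
        else
            printf 'restricted %s\n' "$f"
        fi
    done
}

# count_exposed ROOT
# Prints the number of counters readable by unprivileged users.
count_exposed() {
    audit_energy_counters "$1" | grep -c '^EXPOSED' || true
}

# Run against the live system (or a root passed as the first argument).
audit_energy_counters "${1:-/sys}"
```

Any line reported as EXPOSED is a counter that an unprivileged local process can sample; the fix on such hosts is to restrict the file to root (mode 0400) or to update to a kernel that already does so.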