Tuesday, April 6th 2021

AMD Ryzen 5000 Series CPUs with Zen 3 Cores Could be Vulnerable to Spectre-Like Exploit

AMD's Ryzen 5000 series processors feature the new Zen 3 core design, which uses many techniques to deliver the best possible performance. One of those techniques is called Predictive Store Forwarding (PSF). According to AMD, "PSF is a hardware-based micro-architectural optimization designed to improve the performance of code execution by predicting dependencies between loads and stores." In other words, PSF is one more prediction mechanism inside the core, and, as with the branch prediction that Spectre abused, a wrong prediction lets the CPU briefly execute on the wrong data, which an attacker can try to turn into a side channel. Speculative execution has been at the root of the larger CPU microarchitecture problems of recent years, and PSF is another reminder that each design choice made for performance carries a security trade-off.

AMD's own analysis singles out software that relies on isolation within a single process, so-called "sandboxing" (a JIT or a browser engine running untrusted code in the same address space, for instance), as the case that may be affected. PSF predictions can sometimes be wrong, and a mispredicted dependency between a load and a store can cause the CPU to speculatively consume stale or incorrect data, behaviour very close to Spectre v4 (Speculative Store Bypass). The fix is straightforward: PSF can be turned off. AMD's whitepaper also notes that the existing Speculative Store Bypass Disable (SSBD) control disables PSF as well, so software that already requests SSBD is covered without any new knob, and AMD's stated recommendation is to leave PSF enabled unless software depends on in-process sandboxing. Phoronix ran a suite of tests on Linux and found that turning the feature off costs between half a percent and one percent, which is very low. Phoronix has published the full test results, and AMD's whitepaper describes PSF in detail.
Source: AMD Blog
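The article says PSF can simply be switched off and that SSBD covers it; in practice an administrator wants to know what a given Linux host is actually doing. The script below is an added example, not code from AMD, Phoronix or this article. It reads the SSB mitigation state the kernel exposes in sysfs and maps it onto what that means for PSF, following AMD's whitepaper statement that SSBD also disables PSF. Two things are assumptions: the /proc/cpuinfo flag name "psfd" for the CPUID PSFD bit (only kernels that know the bit print it, so its absence is not proof the CPU lacks PSF), and the exact wording of the spec_store_bypass sysfs file as mainline Linux prints it.

```shell
#!/bin/sh
# Added example (not AMD's, Phoronix's or TechPowerUp's code): classify a Linux
# host's Predictive Store Forwarding (PSF) posture from the kernel's Speculative
# Store Bypass (SSB) mitigation state.
#
# Basis: AMD's PSF whitepaper states that setting SSBD also disables PSF, so the
# kernel's SSB mitigation doubles as the PSF switch.
# Assumptions: the cpuinfo flag "psfd" for the CPUID PSFD bit (reported only by
# kernels that know the bit), and the sysfs wording used by mainline Linux.

SSB_SYSFS=/sys/devices/system/cpu/vulnerabilities/spec_store_bypass

# has_flag FLAGS NAME: succeed if NAME is a whole-word member of FLAGS.
has_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# advertises_psfd FLAGS: "yes" if the CPU (and kernel) expose the PSFD bit.
# "no" means either the CPU lacks the control or the kernel predates the flag.
advertises_psfd() {
    if has_flag "$1" psfd; then echo yes; else echo no; fi
}

# psf_posture SSB_TEXT: map the sysfs SSB line to what it means for PSF.
#   ssbd-global   SSBD forced on for every task           -> PSF off everywhere
#   ssbd-opt-in   SSBD only for tasks that ask via prctl  -> PSF on by default
#   none          no SSB mitigation at all                -> PSF on
#   not-affected  kernel reports no SSB issue on this CPU
# The "via prctl" pattern must be tested before the bare "disabled" pattern,
# since the latter is a prefix of the former.
psf_posture() {
    case "$1" in
        "Not affected"*)                                            echo not-affected ;;
        "Mitigation: Speculative Store Bypass disabled via prctl"*) echo ssbd-opt-in ;;
        "Mitigation: Speculative Store Bypass disabled"*)           echo ssbd-global ;;
        "Vulnerable"*)                                              echo none ;;
        *)                                                          echo unknown ;;
    esac
}

# psf_report FLAGS SSB_TEXT: one-line summary combining both checks.
psf_report() {
    echo "psfd_cpuid=$(advertises_psfd "$1") psf_posture=$(psf_posture "$2")"
}

# Live run against the current host; skipped when the files are not readable
# (non-Linux systems, or a container without sysfs).
if [ -r /proc/cpuinfo ] && [ -r "$SSB_SYSFS" ]; then
    live_flags=$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2-)
    live_ssb=$(cat "$SSB_SYSFS")
    psf_report "$live_flags" "$live_ssb"
fi
```

A result of `psf_posture=ssbd-opt-in` is the common distribution default: PSF stays enabled for ordinary processes, and only software that asks for SSBD through prctl(PR_SET_SPECULATION_CTRL) runs with it (and therefore PSF) disabled. Forcing `ssbd-global` with the `spec_store_bypass_disable=on` boot parameter is the blunt way to turn PSF off for everything, at the cost the Phoronix numbers describe.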

65 Comments on AMD Ryzen 5000 Series CPUs with Zen 3 Cores Could be Vulnerable to Spectre-Like Exploit

#1
las
This is the reason why most vulnerabilities were found in Intel CPUs; www.intel.com/content/www/us/en/security-center/bug-bounty-program.html

Intel actually pays people for finding them. "Intel’s bug bounty awards range from $500 up to $100,000."

AMD had plenty of vulnerabilities, even though they don't pay people for finding them. Meaning, very few people will spend time trying to find them. Logic 101.

It's sad that AMD does not pay people for finding bugs, when tons of big tech companies do; www.guru99.com/bug-bounty-programs.html
#3
john_
Probably AMD copied some optimizations from Intel's book. Let's be honest. No one should be using Intel CPUs based on their security problems, right? Well, everyone is using those and no one cares. From the teenager gamer to the highly experienced IT. Spectre, Meltdown? We forgot those names long ago. So, why should AMD try to keep its CPUs as safe as possible and not offer what everyone wants? Performance.
#4
ratirt
HenrySomeone
AMD just relies on their fanboy base, that will put up with almost anything and usually does the beta testing for them. Makes financial sense if you think about it really - why do something yourself or pay others to do when it'll be done by your deluded fans free of charge... :cool:
Because, if you pay someone to find vulnerabilities you can also tell them not to put it into the public straight away. Tech-savvy dudes (not fanboys) who like to do that type of thing are not being paid anything by the company with the CPU architecture; they just like doing it and I guess they are good at it. The company that pays for the resources to find the exploits or vulnerabilities may also block the publicity of the findings or postpone it in time (exactly what Intel did) to fix it, but still there are people and companies that are vulnerable anyway and don't have any idea about it. Just because a company has a different approach doesn't mean it's wrong, and people who are involved in finding the vulnerabilities in the CPU architecture are not deluded fanboys because they are not being paid by the company that the CPU belongs to, that's for sure.
#6
evernessince
"could be exploited"

Lot of anti-AMD comments for something that doesn't have an exploit yet. Mind you the performance difference is near nothing anyways so it wouldn't mean much to begin with. I'm guessing as usual, the typical suspects rush to the comments without reading.
#7
Hossein Almet
Question: which software implements sandboxing? Also, there is no information about how to disable PSF.
#8
Chrispy_
john_
Probably AMD copied some optimizations from Intel's book. Let's be honest. No one should be using Intel CPUs based on their security problems, right? Well, everyone is using those and no one cares. From the teenager gamer to the highly experienced IT. Spectre, Meltdown? We forgot those names long ago. So, why should AMD try to keep its CPUs as safe as possible and not offer what everyone wants? Performance.
Spectre did actually hurt us in the datacenter; we tend to plan servers on 3 or 5 year lifespans for budget and ROI reasons. We had a lot of Xeon and very little Epyc, and after the first round of updates we jumped from about half capacity to about 70% capacity, with a trickle less capacity every time more patches were added. Since those hosts were running VMs with access to financial data and confidential data under NDA, it would have been irresponsible to leave hyperthreading on too, so within 6 months of the first patches our half-capacity became almost maxed out, and some of these servers had several years left on the clock before being budgeted for replacement.

The only reason things aren't as dire as they could have been is that COVID-19 has reduced the server loads these last 13 months. Under normal circumstances, the loss of performance from applying mitigation steps and patches would have f***ed us over, hard, and expensively.
#9
evernessince
las
This is the reason why most vulnerabilities were found in Intel CPUs; www.intel.com/content/www/us/en/security-center/bug-bounty-program.html

Intel actually pays people for finding them. "Intel’s bug bounty awards range from $500 up to $100,000."

AMD had plenty of vulnerabilities, even though they don't pay people for finding them. Meaning, very few people will spend time trying to find them. Logic 101.

It's sad that AMD does not pay people for finding bugs, when tons of big tech companies do; www.guru99.com/bug-bounty-programs.html
Officially Intel has far more vulnerabilities than AMD. Any statement that AMD has more vulnerabilities because many of them have not yet been found is pure speculation. You say "Logic 101" but you are really making an assumption based on assumption. That's not logic.
#11
stimpy88
And those that say AMD has no security vulnerabilities because they don't pay bug bounties are crazy... Why crazy? Let's see...

1.) ALL CPUs have bugs, and some can be exploited... Shock, horror...
2.) Intel has their own engineers looking at AMD CPUs all day long, looking for some dirt that they can use to create a fake security research company, set up a flashy website with fancy graphics, complete with fancy names for the exploits, and drum up a lynch mob to tank AMD shares. Think it doesn't happen? Yeah right...
3.) Ever heard of ransomware? Maybe there is no money in finding an exploit... yeah...
4.) ALL future CPUs will have bugs, and will be exploited...
#12
john_
las
This is the reason why most vulnerabilities were found in Intel CPUs; www.intel.com/content/www/us/en/security-center/bug-bounty-program.html

Intel actually pays people for finding them. "Intel’s bug bounty awards range from $500 up to $100,000."

AMD had plenty of vulnerabilities, even though they don't pay people for finding them. Meaning, very few people will spend time trying to find them. Logic 101.

It's sad that AMD does not pay people for finding bugs, when tons of big tech companies do; www.guru99.com/bug-bounty-programs.html
Oh....WOW!!!!!

There are so many wrongs in your logic, and others already mentioned a few. Intel could be paying not only so it can improve its CPUs, but also to try to silence people as long as necessary to create hardware fixes for future revisions. Also, no one should assume that Intel is not paying for vulnerabilities on Ryzen CPUs. Intel was really hit hard, for a period of time, with all those security holes on its CPUs monopolizing the news. And while we can't say that they have paid people to create fictional problems on AMD CPUs (do you remember that Israeli firm?), they probably have paid to find vulnerabilities in a competing product that is eating from their market share. Not to mention that huge companies, like Google, or Amazon, or Microsoft, who use AMD's Epyc processors, probably keep looking for vulnerabilities themselves, or pay others to do so. They have plenty of money to spend.

Your logic reminds me of "Linux is as bad in security as Windows, we only don't see security problems on Linux because of its small market share".
#13
Chrispy_
R-T-B
Makes me wonder why it's enabled at all...
Because it's one of 50+ different features that provide fractions of a percent. Together they constitute a meaningful double-digit IPC uplift. Individually, none of them are that significant.
#14
Vya Domus
john_
Probably AMD copied some optimizations from Intel's book. Let's be honest. No one should be using Intel CPUs based on their security problems, right? Well, everyone is using those and no one cares. From the teenager gamer to the highly experienced IT. Spectre, Meltdown? We forgot those names long ago. So, why should AMD try to keep its CPUs as safe as possible and not offer what everyone wants? Performance.
Parallel out-of-order and speculative execution as well as the caching mechanisms will always leave a window open for security issues. They are impossible to get rid of.
#15
efikkan
las
This is the reason why most vulberabilies were found in Intel CPUs; www.intel.com/content/www/us/en/security-center/bug-bounty-program.html

Intel actually pays people for finding them. "Intel’s bug bounty awards range from $500 up to $100,000."
There is also Intel's extensive collaboration with research institutions and companies.
john_
Probably AMD copied some optimizations from Intel's book.
Most modern CPU microarchitectures rely on the same research, which leads to similar mistakes and assumptions. Blaming Intel for AMD's mistakes, that's a stretch!
john_
Let's be honest. No one should be using Intel CPUs based on their security problems, right? Well everyone is using those and no one cares. From the teenager gamer to the highly experienced IT. Spectre, Meltdown?
All current microarchitectures with speculative execution, regardless if they are based on x86, ARM, Power or MIPS, share the "Spectre class" of vulnerabilities. Some of them may have mitigations in hardware, firmware or the OS level, but to my knowledge none of them has been redesigned to resolve the underlying problem (but they will). But as with any design flaw, you will not get rid of it until you have resolved the underlying issue. So we should expect Intel, AMD, etc. to have a continuous stream of such bugs, until major post-Spectre architectures are complete. Even the upcoming Sapphire Rapids was in development prior to Spectre, so it's going to take a while.

Any company making tech products should take any vulnerability seriously, but it's the risk and consequences which should dictate which customers should take action. The Spectre class bugs (and really Meltdown too) should be considered nearly "theoretical" problems. While you can certainly reproduce them in controlled environments, any successful exploit would still require access to running custom software locally, and usually a lot of time to extract useful information. Many of these known exploits are able to extract privileged data at bytes per second or kB per second, while it's burning your CPU with load for weeks or months to find something valuable. For desktop users, these exploits are pretty much irrelevant; if I'm able to run my program on your machine, then I already have access to everything in your user space, so I probably already own all your files anyway.

The Spectre class of bugs is only really scary for cloud providers, where there is a theoretical possibility that one VM can steal data from another, bypassing all layers of security. But I want to stress, this is practically theoretical; executing such an attack and gaining substantial useful and intact information is going to be hard, especially since data will be moved around by the time someone can dump enough of it. But those who are putting sensitive information or critical systems in the public cloud are pretty "stupid" anyways.

The real impact of Spectre is the cost of mitigations, while it's negligible for most users, it can be significant for very specific server loads or some edge cases.

Meanwhile, as normal desktop users, there are many more serious security issues to worry about, including your crappy router/access point, all the IoT devices you carelessly connect, and keeping your systems up to date and passwords managed.
#17
tabascosauz
This is the consumer space. Same as any Intel vulnerability - show me a real exploit that leverages this vulnerability in a way that poses an appreciable risk to the normal user, and I'll disable PSF. Otherwise, piss off with the fearmongering.

All this isn't even because of a CVE-assigned vulnerability. All this because of a goddamn whitepaper published by AMD, *speculating* on potential risks. Yeah no shit, it's speculative execution. And now all the trolls come out of the woodwork either defending their double standards for almighty AMD or thinking the tables have turned for their darling Intel.

Holy hell, some of the justifications on here are hokey as shit. Intel pays people to find bugs, but it's unreasonable to impose an NDA that gives them reasonable time to evaluate and solve it, and that constitutes a cover-up? What, did Intel pay dirty money to commission AMD to make this AMD whitepaper too? Jumping jack christ, some of the hypocrisy could be painted bright yellow and illuminated with floodlights and some of you would miss it.

AMD's current recommendation at the bottom of the whitepaper that is the friggin subject of this article: leave it on. So 5000 owners leave it on and go about your day. If this ever changes, and AMD makes a recommendation like Intel did to turn it off, then it would be wise to reconsider.
#18
R-T-B
Chrispy_
Because it's one of 50+ different features that provide fractions of a percent. Together they constitute a meaningful double-digit IPC uplift. Individually, none of them are that significant.
But they know this one individual feature constitutes a security risk. So I repeat the question.
Why_Me
If I had a dollar for every anti-Intel post in the News Forum alone on this site I'd have a new RTX 3080 with money to spare. I've dealt with the AMD fanbois across the internet for well over a decade now and imo they are the scourge of the internet. Any article about Intel or an Intel product posted on the main page of a popular review and/or tech site is usually loaded with AMD fanbois posting underneath said article in the comment section with some of the most ignorant posts imaginable.
You do realize you are doing the exact same shit here, right?
#19
1d10t
Most vulnerabilities have NEVER been seen exploited in the wild. Why? Because they are so difficult to pull off as to render them near impossible. The same goes for Intel's vulnerability lists. CVE lists are not as black and white as you would suggest with your assumptions. Just because a vulnerability exists does NOT make it easily or even generally exploitable. You need to do more research and learn that difference instead of making a blanket statement that has little bearing on reality.
I'll just leave it here, cause I know nothing about Predictive Store Forwarding (PSF) and MS didn't say anything about it, so how is that gonna affect my casual activities as a commoner :rolleyes:
#20
Chloe Price
What I'm wondering is that does this affect an average user at all, probably not?
#21
R-T-B
Chloe Price
What I'm wondering is that does this affect an average user at all, probably not?
As long as generalized workarounds are distributed to most end users, ensuring that hackers by and large don't try to use these methods, you'll likely never need to really worry.

They are still issues.
#22
Chrispy_
R-T-B
But they know this one individual feature constitutes a security risk. So I repeat the question.
R-T-B
Makes me wonder why it's enabled at all...
Well, presumably when it was originally enabled, it wasn't a known security risk.

Surely that's obvious? Is that really what you're asking?
#23
efikkan
Chloe Price
What I'm wondering is that does this affect an average user at all, probably not?
The exploit: no, not really
The mitigation: perhaps
R-T-B
As long as generalized workarounds are distributed to most end users, ensuring that hackers by and large don't try to use these methods
The Spectre class of bugs don't really allow people to hack your computer. They need to execute the attack locally on your computer, so essentially hack it first.
#24
R0H1T
las
This is the reason why most vulnerabilities were found in Intel CPUs; www.intel.com/content/www/us/en/security-center/bug-bounty-program.html

Intel actually pays people for finding them. "Intel’s bug bounty awards range from $500 up to $100,000."

AMD had plenty of vulnerabilities, even though they don't pay people for finding them. Meaning, very few people will spend time trying to find them. Logic 101.

It's sad that AMD does not pay people for finding bugs, when tons of big tech companies do; www.guru99.com/bug-bounty-programs.html
No, smeltdown was discovered by Google's Project Zero! In fact Intel (almost) paid researchers to not disclose similar vulnerabilities out in the open :shadedshu:
According to the VU, Intel tried to downplay the severity of the leak by officially paying $40,000 in reward and "$80,000" in addition. That offer was politely refused.

"If it were up to Intel, they would have wanted to wait another six months"
www.nrc.nl/nieuws/2019/05/14/hackers-mikken-op-het-intel-hart-a3960208
#25
shadow3401
With Intel’s Rocket Lake CPUs proving to be a big, fat, and underwhelming flop last week, all of a sudden "vulnerabilities" are being found in Zen 3 which might be or could be exploited. Compare that to Intel CPUs in which exploits can and will be exploited and do put user’s data at risk; I don't think there's much to see here, and AMD did find and report it themselves, so kudos to them. (Not an AMD fanboy by the way; I've been using Intel CPUs from 1996 to 2018.)