
AMD Processors Since 2011 Hit with Cache Attack Vulnerabilities: Take A Way

btarunr

Cybersecurity researcher Moritz Lipp and his colleagues from the Graz University of Technology and the University of Rennes uncovered two new security vulnerabilities affecting all AMD CPU microarchitectures going back to 2011, detailed in a research paper titled "Take A Way." These include "Bulldozer" and its derivatives ("Piledriver," "Excavator," etc.) and the newer "Zen," "Zen+," and "Zen 2" microarchitectures. The vulnerabilities are specific to AMD's proprietary L1D cache way predictor component. It is described in the security paper's abstract as a means for the processor to "predict in which cache way a certain address is located, so that consequently only that way is accessed, reducing the processor's power consumption."

By reverse engineering the L1D cache way predictor in AMD microarchitectures dating from 2011 to 2019, Lipp et al. discovered two new attack vectors with which an attacker can monitor the victim's memory accesses. These vectors are named "Collide+Probe" and "Load+Reload." The paper describes the first vector as follows: "With Collide+Probe, an attacker can monitor a victim's memory accesses without knowledge of physical addresses or shared memory when time-sharing a logical core." The second vector is described as follows: "With Load+Reload, we exploit the way predictor to obtain highly-accurate memory-access traces of victims on the same physical core." The two vulnerabilities have not been assigned CVE entries at the time of this writing. The research paper, however, describes the L1D cache way predictor in AMD processors as being vulnerable to attacks that can reveal contents of memory or even keys to a vulnerable AES implementation. For now there is no mitigation for these attacks, but the company is reportedly working on firmware and driver updates. Access the research paper here.

ACKNOWLEDGMENTS

We thank our anonymous reviewers for their comments and suggestions that helped improving the paper. The project was supported by the Austrian Research Promotion Agency (FFG) via the K-project DeSSnet, which is funded in the context of COMET - Competence Centers for Excellent Technologies by BMVIT, BMWFW, Styria, and Carinthia. It was also supported by the European Research Council (ERC) under the European Union's Horizon 2020 research and innovation programme (grant agreement No 681402). This work also benefited from the support of the project ANR-19-CE39-0007 MIAOUS of the French National Research Agency (ANR). Additional funding was provided by generous gifts from Intel. Any opinions, findings, and conclusions or recommendations expressed in this paper are those of the authors and do not necessarily reflect the views of the funding parties.

Oh Intel... please never change.
 
Oh Intel... please never change.

Commissioned by AMD QA Consultants Determines AMD's Most Stable Graphics Drivers in the Industry

Recent drivers hell says otherwise
 
"Additional funding was provided by generous gifts from Intel."

I have a feeling that we will see more of this from now on, as the fruits of Intel's money become "published"...
 
Graz University of Technology has been in the forefront of security vulnerabilities research since Spectre and Meltdown. At least three of the authors of this paper were also among authors of their Meltdown paper and at least one was among authors of their Spectre paper.

I absolutely do not get the instant dismissal when someone spots Intel somewhere.
Oh Intel... please never change.
Fallout: Leaking Data on Meltdown-resistant CPUs said:
ACKNOWLEDGMENTS
We want to thank the reviewers for their feedback, as well as Vedad Hadžić from Graz University of Technology and Julian Stecklina from Cyberus Technology for contributing ideas and experiments. This work has been supported by the Austrian Research Promotion Agency (FFG) via the project ESPRESSO, which is funded by the Province of Styria and the Business Promotion Agencies of Styria and Carinthia. It was also supported by the Austrian Research Promotion Agency (FFG) via the K-project DeSSnet, which is funded in the context of COMET – Competence Centers for Excellent Technologies by BMVIT, BMWFW, Styria and Carinthia. It has also received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No 681402), by the Defense Advanced Research Projects Agency (DARPA) under contract FA8750-19-C-0531, and by the National Science Foundation under grant CNS-1814406. Additional funding was provided by a generous gift from Intel and AMD.
Oh AMD... please never change?
 
Ok, this is some scary stuff. AMD has a serious problem to solve.

In the referenced PDF, section 5.2.3, a method is described by which JavaScript itself can be configured to attack a system and supply harvested data straight through both Chrome and Firefox browsers. Theoretically, ANY browser that uses JavaScript (99%) can potentially be used to attack a subject system.

It will be interesting to review the analysis and CVE for these new vulnerabilities.
 
In the referenced PDF, section 5.2.3, a method is described by which JavaScript itself can be configured to attack a system and supply harvested data straight through both Chrome and Firefox browsers. Theoretically, ANY browser that uses JavaScript (99%) can potentially be used to attack a subject system.
Isn't this the same timing approach as Spectre? Which has already been mitigated by browsers not using accurate enough timers to mount a successful attack?
 
Ok, this is some scary stuff. AMD has a serious problem to solve.

In the referenced PDF, section 5.2.3, a method is described by which JavaScript itself can be configured to attack a system and supply harvested data straight through both Chrome and Firefox browsers. Theoretically, ANY browser that uses JavaScript (99%) can potentially be used to attack a subject system.

It will be interesting to review the analysis and CVE for these new vulnerabilities.
Supposedly this only allows for short snippets of data and might not even be usable for a full password.
 
Want to bet that similar line can be found in Spectre and Meltdown papers?
Actually, no. I checked. Spectre/Meltdown papers' research was not supported by either Intel or AMD. More recent research has been supported by Intel and sometimes by AMD.
 
Oh Intel... please never change.
Commissioned by AMD QA Consultants Determines AMD's Most Stable Graphics Drivers in the Industry

Recent drivers hell says otherwise

Nice race to the bottom, guys. You can crawl back into your hole now and leave this for the adults.
 
I absolutely do not get the instant dismissal when someone spots Intel somewhere.

Then you don't know their history; the evidence on why nothing that is touched by Intel can be fully trusted is immense. You can choose to believe in the just-world fallacy where everyone is well intended unless otherwise proven, but I for one don't, having seen too many instances when that wasn't the case.

For the record, I don't dismiss the paper; it's not like I think it's nonsense, but I do question its purpose and how well it was timed with other events.
 
Then you don't know their history; the evidence on why nothing that is touched by Intel can be fully trusted is immense. You can choose to believe in the just-world fallacy where everyone is well intended unless otherwise proven, but I for one don't, having seen too many instances when that wasn't the case.
I do know the history. I would suspect better than most. Still, "nothing that is touched by Intel" is quite extreme, don't you think?
In line with the context used here, do you think we should dismiss any and all research papers Intel has been sponsoring? ;)
For the record, I don't dismiss the paper; it's not like I think it's nonsense, but I do question its purpose and how well it was timed with other events.
What events? This was disclosed to AMD last August and published now. Timing a 6-month window would seem too big of a hassle to even try.

Edit:
This is kind of weird though. Instead of discussing what the paper found, whether this has impact or merit (it should, being an academic paper which I assume is peer reviewed), we are discussing Intel because there is a sidenote in the paper that Intel supported researchers. This kind of support is not exactly abnormal.
 
As long as none of the vulnerabilities are fantasy, they are legit, no matter who sponsored the research.
This research sponsoring is a legit method of competitive behaviour in my opinion and will lead to more secure products from all participants.
 
Actually, no. I checked. Spectre/Meltdown papers' research was not supported by either Intel or AMD. More recent research has been supported by Intel and sometimes by AMD.
Try CacheOut, "gifts" from both Intel and AMD.
 
This was disclosed to AMD last August and published now.

Published now, right along when the financial analyst day took place. A pure coincidence I'd imagine.

Still, "nothing that is touched by Intel" is quite extreme

First or second time around when Intel did something shady? Yeah, it would be extreme. After the plethora of examples when that happened, with some being confirmed and punished by authorities, nah, not that extreme anymore. Again, it's your personal choice to believe nothing is wrong should be the de facto stance on this; mine isn't.
 
haters gonna hate.
 
If there is a vulnerability with Intel related products, we condemn them.
If there is a vulnerability with AMD related products we condemn Intel once again..
There is never anything wrong with AMD.
 
Stay on topic please. Discussion about the impact or real-world likelihood of the vulnerability affecting us is welcome. Sniping back and forth about "AMD this... Intel that" is not.
 
"Additional funding was provided by generous gifts from Intel."

I have a feeling that we will see more of this from now on, as the fruits of Intel's money become "published"...

Although I feel you, I must admit that all users benefit from this.

The more pressure on the companies the greater the chance they do things right.
 
Spectre is what again? They say in this report the vulnerability is global accessibility of victim cache evict logs. So the question is spectre-mtd-... stay on point and not undue ad nauseam much?
 
To ask some valid questions instead of continuing the bashing of AMD vs. Intel - under what circumstance can this be used?

Same jokes as with Intel's vulns where the attacker already needs to have full admin access to the system?
Can this be used from outside sources without actual access?
Can this be exploited via malicious websites?

Those questions should be discussed here....
 
At least, you cannot overshadow the real big impact as a base rate fallacy since the researchers spill the beans for you. You can bang all the drums you want, it doesn't make a spectre variant any more vulnerable than meltdown.
 