A group of researchers from the Graz University of Technology and CISPA Helmholtz Center for Information Security devised a new side-channel attack that affects AMD CPUs.
Researchers Moritz Lipp and Daniel Gruss of the Graz University of Technology and Michael Schwarz of the CISPA Helmholtz Center for Information Security devised a new side-channel attack that affects AMD CPUs.
The group was one of the teams that first discovered Meltdown and Spectre vulnerabilities, their successful exploitation can allow threat actors to steal sensitive information from the memory of the vulnerable system.
The new attacks devised by the researchers leverage time and power measurements of prefetch instructions, experts pointed out that their variations can be observed from unprivileged userspace.
“We discover timing and power variations of the prefetch instruction that can be observed from unprivileged user space. In contrast to previous work on prefetch attacks on Intel, we show that the prefetch instruction on AMD leaks even more information.” reads the announcement published by the experts.
Experts demonstrated their attack technique with multiple case studies in real-world scenarios.
The researchers demonstrated the first microarchitectural break of (fine-grained) the exploit mitigation technique KASLR on AMD CPUs. They monitored kernel activity (e.g. If audio is played over Bluetooth) and were able to establish a covert channel. The team also demonstrated also how to exfiltrate data from kernel memory using simple Spectre gadgets in the Linux kernel.
The flaws were collectively tracked as CVE-2021-26318, according to AMD the medium severity flaws impacts all of its CHIPS. However the chip maker doesn’t recommend any mitigations because the the attack scenarios presented by the researchers do not directly leak data across address space boundaries.
The researchers reported their findings to AMD on June 16th, 2020, and the remaining parts on November 24th, 2020. AMD acknowledged the findings and provided feedback on February 16th, 2021.
The research paper also includes countermeasures and mitigation strategies for the presented attacks such as:
- Page Table Isolation;
- Prefetch Configuration MSRs;
- Restricting Access;