Boffins devise a new side-channel attack affecting all AMD CPUs

A group of researchers from the Graz University of Technology and CISPA Helmholtz Center for Information Security devised a new side-channel attack that affects AMD CPUs.

Researchers Moritz Lipp and Daniel Gruss of the Graz University of Technology and Michael Schwarz of the CISPA Helmholtz Center for Information Security devised a new side-channel attack that affects AMD CPUs.

The group was one of the teams that first discovered Meltdown and Spectre vulnerabilities, their successful exploitation can allow threat actors to steal sensitive information from the memory of the vulnerable system.

The new attacks devised by the researchers leverage time and power measurements of prefetch instructions, experts pointed out that their variations can be observed from unprivileged userspace.

“We discover timing and power variations of the prefetch instruction that can be observed from unprivileged user space. In contrast to previous work on prefetch attacks on Intel, we show that the prefetch instruction on AMD leaks even more information.” reads the announcement published by the experts.

Experts demonstrated their attack technique with multiple case studies in real-world scenarios.

The researchers demonstrated the first microarchitectural break of (fine-grained) the exploit mitigation technique KASLR on AMD CPUs. They monitored kernel activity (e.g. If audio is played over Bluetooth) and were able to establish a covert channel. The team also demonstrated also how to exfiltrate data from kernel memory using simple Spectre gadgets in the Linux kernel.

The flaws were collectively tracked as CVE-2021-26318, according to AMD the medium severity flaws impacts all of its CHIPS. However the chip maker doesn’t recommend any mitigations because the the attack scenarios presented by the researchers do not directly leak data across address space boundaries.

The researchers reported their findings to AMD on June 16th, 2020, and the remaining parts on November 24th, 2020. AMD acknowledged the findings and provided feedback on February 16th, 2021.

The research paper also includes countermeasures and mitigation strategies for the presented attacks such as:

Page Table Isolation;
FLARE;
Prefetch Configuration MSRs;
Restricting Access;

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, cyber security)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.