Experts Find Vulnerabilities in AMD Zen Processor
German cybersecurity experts at TU Dresden discovered that Zen processor of AMD is susceptible to data-bothering meltdown like attacks in the end. Exploiting this vulnerability is an academic drill, turns out, there exist much easier and simpler techniques to meddle with systems. In simpler terms, it’s a reminder that modern CPU designs have various kinds of side channels, and many yet to be discovered.
The Register reports “in a paper [PDF] titled “Transient Execution of Non-Canonical Accesses,” released via ArXiv, Saidgani Musaev and Christof Fetzer analyzed AMD Zen+ and Zen 2 chips – namely the Epyc 7262, Ryzen 7 2700X, and the Threadripper 2990WX – and found that they were able to adversely manipulate the operation of the CPU cores.” When Spectre and Meltdown vulnerabilities came out, in the beginning experts said that Meltdown was only authenticated on Intel x86 chipsets. The list then included IBM hardwares and an Arm Cortex core, however, it was not clear if IBM parts had vulnerabilities. AMD in a statement said that Meltdown didn’t affect the processors.
“The way its chips executed load instructions meant data would not be fetched if architecturally disallowed in the processor’s current execution context, it said. In other words, load instructions executed in user mode can’t be used to discern the contents of kernel-mode memory, as expected.”
“Musaev and Fetzer say that’s true for classical Meltdown attacks that rely on fetching data from the L1 data cache and for a variant called Microarchitectural Data Sampling (MDS) that targets specific buffers. But they found another way to poison the way in which a CPU core access data in memory “that is very similar to Meltdown-type behavior,” said The Register.
Most importantly, this technique can’t be used by a single process to read a kernel or different process memory, however, a thread in the program can use it to affect different thread in the same memory space. It isn’t similar to a classic meltdown, where a Rogue app rips off keys from kernel memory. “The violation we report does not lead to cross address space leaks, but it provides a reliable way to force an illegal dataflow between microarchitectural elements,” said the experts.