Intel CPUs vulnerable to new transient execution side-channel attack

erek ([H]F Junkie; joined Dec 19, 2005; 10,897 messages)
Hmm

"“In our experiment, we found that the influence of the EFLAGS register on the execution time of Jcc instruction is not as persistent as the cache state,” reads the part about the evaluation of the experimental data.

“For about 6-9 cycles after the transient execute, the Jcc execute time will not be about to construct a side-channel. Empirically, the attack needs to repeat thousands of times for higher accuracy.”

The researchers admit that the root causes of the attack remain elusive and hypothesize that there’s a buffer in the execution unit of the Intel CPU, which needs time to revert if the execution should be withdrawn, a process that causes a stall if the ensuing instruction depends on the target of the buffer.

However, they still propose some non-trivial mitigations, such as changing the implementation of the JCC instruction to make adversarial execution measuring impossible under any condition, or rewriting the EFLAGS after transient execution to reduce its influence over the JCC instruction."

[Image: attack-overview.jpg]

[Image: pseudocode.jpg]

Source: https://www.bleepingcomputer.com/ne...-new-transient-execution-side-channel-attack/
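The quoted evaluation makes two points a practitioner would want to check on their own hardware: a timing difference of only a few cycles hides under measurement noise unless the measurement is repeated thousands of times, and a mitigation (such as rewriting EFLAGS after transient execution) should make the two timing populations statistically indistinguishable at any repetition count. The script below is an added illustration of that statistics, not code from the article or the paper. It uses constructed, synthetic timing samples (a Gaussian model of a Jcc cycle count with an assumed 1-cycle shift and 10-cycle noise; none of these numbers are measurements) and Welch's t statistic to decide whether two sample sets are separable.

```python
import math
import random


def welch_t(a, b):
    """Welch's t statistic for two independent samples with unequal variances."""
    n_a, n_b = len(a), len(b)
    mean_a = sum(a) / n_a
    mean_b = sum(b) / n_b
    var_a = sum((x - mean_a) ** 2 for x in a) / (n_a - 1)
    var_b = sum((x - mean_b) ** 2 for x in b) / (n_b - 1)
    return (mean_a - mean_b) / math.sqrt(var_a / n_a + var_b / n_b)


def distinguishable(a, b, threshold=4.0):
    """True when the two timing populations differ well beyond noise.

    A |t| above 4 is a conservative separation criterion; the value is an
    assumption of this example, not something the paper specifies."""
    return abs(welch_t(a, b)) > threshold


def synthetic_jcc_timings(n, mean_cycles, noise_sd, seed):
    """Constructed timing samples, NOT real measurements.

    Models the cycle count of a timed Jcc as Gaussian noise around a mean."""
    rng = random.Random(seed)
    return [rng.gauss(mean_cycles, noise_sd) for _ in range(n)]


def leak_detectable(n, leak_cycles=1.0, noise_sd=10.0):
    """Compare Jcc timings with and without an assumed EFLAGS-dependent
    slowdown of leak_cycles, using n repetitions per condition."""
    baseline = synthetic_jcc_timings(n, 40.0, noise_sd, seed=1)
    leaky = synthetic_jcc_timings(n, 40.0 + leak_cycles, noise_sd, seed=2)
    return distinguishable(baseline, leaky)


def mitigated_detectable(n, noise_sd=10.0):
    """After a mitigation that removes the dependency the two conditions are
    modelled with identical means, so no repetition count should separate them."""
    baseline = synthetic_jcc_timings(n, 40.0, noise_sd, seed=3)
    mitigated = synthetic_jcc_timings(n, 40.0, noise_sd, seed=4)
    return distinguishable(baseline, mitigated)


if __name__ == "__main__":
    # Few repetitions: a 1-cycle shift is lost in 10-cycle noise.
    # Tens of thousands of repetitions: the shift stands out clearly.
    for n in (20, 200, 2000, 20000):
        print(f"n={n:6d}: leak detectable = {leak_detectable(n)}")
    print(f"mitigated, n=20000: detectable = {mitigated_detectable(20000)}")
```

The standard error of the mean difference shrinks with the square root of the sample count, which is why a one-cycle signal under ten cycles of noise needs on the order of ten thousand repetitions before the t statistic clears the threshold; that is the same reason the researchers report needing thousands of trials. Running the same comparison against a mitigated CPU (or a mitigated code path) and seeing no separation even at the largest n is the check that the flag dependency is actually gone.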
 
They managed the attack on gen 6 and 7, with decreasing success rates out to the 10th. But this section they are attacking was redesigned completely from 11th gen onward. So I am curious if this is still an issue for new hardware.
 
> They managed the attack on gen 6 and 7, with decreasing success rates out to the 10th. But this section they are attacking was redesigned completely from 11th gen onward. So I am curious if this is still an issue for new hardware.
Wasn't the 10980XE using a 9th-gen core design? (In any event, it was still using Skylake cores.)
 
> They managed the attack on gen 6 and 7, with decreasing success rates out to the 10th. But this section they are attacking was redesigned completely from 11th gen onward. So I am curious if this is still an issue for new hardware.
This side-channel thing is hard or impossible to avoid in the hardware design. There are so many moving parts in a modern CPU design. They probably forgot to review some new design parts, or the review process does not even exist. A more practical approach is to hide the design details as much as possible, until one day someone notices it. Then fix what is broken.
 
Has anyone tested this on AMD? I am curious just in terms of my own security and not in the intel vs AMD prick measuring way.
 
> Wasn't the 10980XE using a 9th-gen core design? (In any event, it was still using Skylake cores.)
The 7980XE, 9980XE and 10980XE were all essentially the same CPU. Oh, there were a few changes to each one but they were all Skylake variants.
 
> Has anyone tested this on AMD? I am curious just in terms of my own security and not in the intel vs AMD prick measuring way.
You just reminded me that AMD's Secure Processor can actually harbor malware that persists even with a rollback and OS re-install. Was that ever fixed or did AMD sweep it under the rug?
 