Security Implications of AMD’s Cache Way Predictors - funding by Intel

[erek]

Intel funded this.

"To optimize the energy consumption and performance of their CPUs, AMD introduced a way predictor for the L1-data (L1D) cache to predict in which cache way a certain address is located. Consequently, only this way is accessed, significantly reducing the power consumption of the processor. In this paper, we are the first to exploit the cache way predictor. We reverse-engineered AMD’s L1D cache way predictor in microarchitectures from 2011 to 2019, resulting in two new attack techniques. With Collide+Probe, an attacker can monitor a victim’s memory accesses without knowledge of physical addresses or shared memory when time-sharing a logical core. With Load+ Reload, we exploit the way predictor to obtain highly-accurate memory-access traces of victims on the same physical core. While Load+Reload relies on shared memory, it does not invalidate the cache line, allowing stealthier attacks that do not induce any lastlevel-cache evictions. We evaluate our new side channel in different attack scenarios. We demonstrate a covert channel with up to 588.9 kB/s, which we also use in a Spectre attack to exfiltrate secret data from the kernel. Furthermore, we present a key-recovery attack from a vulnerable cryptographic implementation. We also show an entropy-reducing attack on ASLR of the kernel of a fully patched Linux system, the hypervisor, and our own address space from JavaScript. Finally, we propose countermeas "

https://twitter.com/Cmoney_319/status/1236078894253473797

 

[Jim Kim]

There are 3 fingers pointing back at iNtel.

 

[etudiant]

There is real benefit if such vulnerabilities are made into marketing tools.
The current methods for finding and solving these weaknesses are pretty ineffectual, relying as they do on some small number of academics. Certainly the intelligence agencies are no help.
A dog eat dog marketing competition inspired by this study should be most effective at highlighting the biggest vulnerabilities and pushing the suppliers to fix them

 

[DooKey]

Who cares who funded it? If AMD has vulnerabilities we need to know about it.

 

[Sycraft]

Well what should happen is that it shouldn't be a marketing tool, but rather when a company finds something they let the other company know quietly so they can fix it before public disclosure. Most companies are good about this, but not all. Some companies are good most of the time but make it marketing when it suits them. Google is known to do this.

Regardless, as I've said before we'll see more of these kind of attacks against CPUs. There isn't some magic sauce that can be used to just make things immune. Covert channel attacks against CPUs are a new arena in the security war and it will be ongoing, like other security. Some will be fixed, others will be mitigated, but some we'll just have to deal with and work around. Covert channel attacks are a part of life, and we have potential covert channels in useful things. ICMP can be used as a covert channel for exfiltrating data, for example.

As AMD starts gaining in market share, expect to see more against AMD simply because of prominence. Whoever is the big dog gets looked at the most, that's just how it goes.

 

[erek]

Well what should happen is that it shouldn't be a marketing tool, but rather when a company finds something they let the other company know quietly so they can fix it before public disclosure. Most companies are good about this, but not all. Some companies are good most of the time but make it marketing when it suits them. Google is known to do this.

Regardless, as I've said before we'll see more of these kind of attacks against CPUs. There isn't some magic sauce that can be used to just make things immune. Covert channel attacks against CPUs are a new arena in the security war and it will be ongoing, like other security. Some will be fixed, others will be mitigated, but some we'll just have to deal with and work around. Covert channel attacks are a part of life, and we have potential covert channels in useful things. ICMP can be used as a covert channel for exfiltrating data, for example.

As AMD starts gaining in market share, expect to see more against AMD simply because of prominence. Whoever is the big dog gets looked at the most, that's just how it goes.

https://www.tomshardware.com/news/n...witter&utm_medium=social&utm_campaign=dlvr.it

 

[Chimpee]

https://www.tomshardware.com/news/n...witter&utm_medium=social&utm_campaign=dlvr.it

I am not surprise that Intel funded the researcher as a lot of big companies do collaborate with bunch of University's Researcher or provide grants to fund their research. I have seen Nvidia and Intel funding bunch of researchers at UC Berkeley back when I was managing funds for UCB. I would have much bigger issue if there were no disclosure of funding source.

My opinion, as long as there are speculative branching in CPU, there will always be some sort of exploit to be found.

 

[Loose Nut]

Whats the difference if Intel is his shidoshi?

 

[Algrim]

Maybe Intel should take that funding research and, I don't know, just maybe use it to fix the untold legions of security flaws in their own products? Sure, it's good to know what the flaws are in your competition but I think the cash is a bit misplaced here.

 

[Dead Parrot]

I don't really care who funded it. If the finding is a real vulnerability, then great. While they are at it, test the chip sets, USB controllers, NIC ports, mouse ports, etc and then start on the drivers for all of the above.

 

[Red Falcon]

Agreed with finding the vulnerabilities, and also agreed with Intel fixing their multitude of issues before focusing on another's product.
Props to them for finding it, now go back to finding their own shit, please.

 

[DrLobotomy]

I would like to thank Intel for saving AMD some R&D monies so they can focus on making better CPU's. I mean after all Intel is using licensed x86 tech from AMD so it is a win-win.

 

[M76]

Who cares who funded it? If AMD has vulnerabilities we need to know about it.

The news here, is not that AMD has a vulnerability, it's that they'd rather spend R&D resources on finding flaws with the competition than fixing their own already exposed flaws.

This flaw is about the same as any of the attack vectors found in intel, all of which need local access to the computer to exploit. None of that affects me, until they start mitigating and I start loosing performance.

 

[DooKey]

The news here, is not that AMD has a vulnerability, it's that they'd rather spend R&D resources on finding flaws with the competition than fixing their own already exposed flaws.

This flaw is about the same as any of the attack vectors found in intel, all of which need local access to the computer to exploit. None of that affects me, until they start mitigating and I start loosing performance.

This spending by Intel wasn't even pennies on the dollar. It's laughable to say they aren't spending R&D resources on their own flaws. As many have said before, AMD isn't some flawless company that's immune from security vulnerabilities in their CPU's just because.

 

[/dev/null]

There is real benefit if such vulnerabilities are made into marketing tools.
The current methods for finding and solving these weaknesses are pretty ineffectual, relying as they do on some small number of academics. Certainly the intelligence agencies are no help.
A dog eat dog marketing competition inspired by this study should be most effective at highlighting the biggest vulnerabilities and pushing the suppliers to fix them

Pretty much this.

If it's actually a VALID (proven to work) attack that Intel found, props to them. There is a good chance someone else already found it & intel is just bringing it to light. If it leads to better products for everyone, it's a win/win.

 

[M76]

AMD isn't some flawless company that's immune from security vulnerabilities in their CPU's just because.

Good luck arguing against some figment of your imagination. I'm not even needed here.

 

[Tsumi]

Maybe Intel should take that funding research and, I don't know, just maybe use it to fix the untold legions of security flaws in their own products? Sure, it's good to know what the flaws are in your competition but I think the cash is a bit misplaced here.

Intel can't truly fix anything until they release a new architecture. It makes no financial sense to port a 10 nm architecture to 14 nm. They need to fix their process problems, but throwing more money and people at the problem isn't the answer. The right skills in a coordinated group working together is the solution, but there is a limit to how fast they can work.

The news here, is not that AMD has a vulnerability, it's that they'd rather spend R&D resources on finding flaws with the competition than fixing their own already exposed flaws.

This flaw is about the same as any of the attack vectors found in intel, all of which need local access to the computer to exploit. None of that affects me, until they start mitigating and I start loosing performance.

If you bothered reading the article, Intel just generally funds this university group and doesn't specifically tell them what to do with the money. This same group has exposed Intel vulnerabilities in the past, and it is good that large tech companies give money to universities.

Pretty much this.

If it's actually a VALID (proven to work) attack that Intel found, props to them. There is a good chance someone else already found it & intel is just bringing it to light. If it leads to better products for everyone, it's a win/win.

Intel didn't find anything, just a stupid clickbait title by erek. The news is barely making the rounds on the internet, so it's really poor marketing if that is what it was attempting to be.

 

[Derangel]

The news here, is not that AMD has a vulnerability, it's that they'd rather spend R&D resources on finding flaws with the competition than fixing their own already exposed flaws.

This flaw is about the same as any of the attack vectors found in intel, all of which need local access to the computer to exploit. None of that affects me, until they start mitigating and I start loosing performance.

Intel funds quite a bit of academic research, including research that has found flaws in their own processors. They're not specifically going "focus only on finding issues with AMD to make us look better", they're supporting research to find any flaws.

https://twitter.com/lavados/status/1236088594584014848

That's is one of the authors of the research paper

 

[erek]

Good luck arguing against some figment of your imagination. I'm not even needed here.

figments of imagination are cool i like them

 

[serpretetsky]

This flaw is about the same as any of the attack vectors found in intel, all of which need local access to the computer to exploit. None of that affects me, until they start mitigating and I start loosing performance.

I thought some of the intel ones can be executed remotely. Also, with respect to this one:

The researchers were able to exploit the vulnerability via JavaScript run on Chrome and Firefox browsers.

doesn't this mean it can be executed remotely?

 

[M76]

If you bothered reading the article, Intel just generally funds this university group and doesn't specifically tell them what to do with the money. This same group has exposed Intel vulnerabilities in the past, and it is good that large tech companies give money to universities.

Intel funds quite a bit of academic research, including research that has found flaws in their own processors. They're not specifically going "focus only on finding issues with AMD to make us look better", they're supporting research to find any flaws.

https://twitter.com/lavados/status/1236088594584014848

That's is one of the authors of the research paper

That's good if true, but in my experience you don't need an actual deal or agreement to know the deal.
Research stops being independent as soon as it is funded by companies with vested interests. Even if unconsciously you'll be biased to not bite the hand that feeds you.

Unrelated thought:

In most use cases performance is more important than these predictive execution vulnerabilities. If security was the only concern in home building everyone would live in nuclear fallout shelters. But we don't, because we have other priorities. I think the same principle should be applied to consumer cpus. If you can increase performance by allowing a minor security hole that can only be exploited if the malicious code is already executing locally, then it should be the consumers preference whether they want absolute security (which is impossible BTW) or maximize computing performance.

 

[Tsumi]

That's good if true, but in my experience you don't need an actual deal or agreement to know the deal.
Research stops being independent as soon as it is funded by companies with vested interests. Even if unconsciously you'll be biased to not bite the hand that feeds you.

Unrelated thought:

In most use cases performance is more important than these predictive execution vulnerabilities. If security was the only concern in home building everyone would live in nuclear fallout shelters. But we don't, because we have other priorities. I think the same principle should be applied to consumer cpus. If you can increase performance by allowing a minor security hole that can only be exploited if the malicious code is already executing locally, then it should be the consumers preference whether they want absolute security (which is impossible BTW) or maximize computing performance.

That is a good point. Attacks that look at what the other core is doing by running as an administrator on the same CPU really only affects cloud computing. If someone has administrative access over your local computer, you're screwed already. No reason for a consumer computer to need protection against that, and other attacks like it.

Perhaps we'll see an even greater divergence between server and consumer CPUs. Server CPUs will have hardened security with performance penalties, while consumer CPUs will favor performance with some security holes.

 

[M76]

I thought some of the intel ones can be executed remotely. Also, with respect to this one:
doesn't this mean it can be executed remotely?

java code runs locally, not on the server. So by remote you mean it can be executed by visiting a malicious site, then you're right. But at that point I think the malicious code can cause harm without explotiing any of these predictive execution flaws. It seems to me that these flaws are only a major concern on virtualized systems where you can use them to jailbreak into other clients.

 

[IdiotInCharge]

I mean after all Intel is using licensed x86 tech from AMD so it is a win-win.

...which is based on tech that AMD licensed from Intel, and implemented in AMD architectures that use massive amounts of Intel IP. Actually entirely based on Intel IP except for AMD extending Intel's 32bit x86 to 64bit.

 

[Derangel]

That's good if true, but in my experience you don't need an actual deal or agreement to know the deal.
Research stops being independent as soon as it is funded by companies with vested interests. Even if unconsciously you'll be biased to not bite the hand that feeds you.

Unrelated thought:

In most use cases performance is more important than these predictive execution vulnerabilities. If security was the only concern in home building everyone would live in nuclear fallout shelters. But we don't, because we have other priorities. I think the same principle should be applied to consumer cpus. If you can increase performance by allowing a minor security hole that can only be exploited if the malicious code is already executing locally, then it should be the consumers preference whether they want absolute security (which is impossible BTW) or maximize computing performance.

Did you even read the tweet? That group has found more Intel problems than any other platforms. Based on the guy’s profile it looks like they’re the ones that found Zombieload, Meltdown, and Spectre.

 

[IcePickFreak]

Intel didn't find anything, just a stupid clickbait title by erek. The news is barely making the rounds on the internet, so it's really poor marketing if that is what it was attempting to be.

It's says funded, not found. And if he posted the info without disclosing it was funded by Intel, everyone would be losing their shit about that not being pointed out.

 

[ChadD]

Good on the researcher.... for finding it. Hopefully they reported it properly and didn't just dump it. I am confident AMD will have it fixed in hardware before Intel fixes half of the spec attacks their own chips are susceptible too.

Now if only Intel would funnel more funds to researchers working on their own product, or better yet perhaps hire a few to do some in house testing of their own designs before they launch them.

 

[thesmokingman]

This is like sending Giuliani to Ulkraine. I call BS until it's actually verified by a 3rd party.

 

[IdiotInCharge]

I am confident AMD will have it fixed in hardware before Intel fixes half of the spec attacks their own chips are susceptible too.

Now if only Intel would funnel more funds to researchers working on their own product, or better yet perhaps hire a few to do some in house testing of their own designs before they launch them.

Why post this when you know that Intel has had current known vulnerabilities fixed in hardware for years, waiting on their fabs to catch up?

If this is actually new to AMD, it's going to take years to fix in hardware, simply due to development cycles involved.

 

[Sycraft]

Why post this when you know that Intel has had current known vulnerabilities fixed in hardware for years, waiting on their fabs to catch up?

If this is actually new to AMD, it's going to take years to fix in hardware, simply due to development cycles involved.

Because in the geek world, AMD is the good guy and Intel is the bad guy. That's how a lot of people see them and they don't consider that maybe it is more nuanced than that. Since AMD is the "good guy" they will of course be able to make everything secure easily, because that's what good guys do. Intel. doesn't secure their stuff not because they can't, but because they are a "bad guy" and just don't want to.

So you take that simplistic view of good vs bad that people are prone to, combine it with a lack of understanding about computer security (which is a very complex topic so no surprise most people don't understand it) and lack of knowledge about how long chip design takes and there you go.

 

[blackmomba]

Because in the geek world, AMD is the good guy and Intel is the bad guy. That's how a lot of people see them and they don't consider that maybe it is more nuanced than that. Since AMD is the "good guy" they will of course be able to make everything secure easily, because that's what good guys do. Intel. doesn't secure their stuff not because they can't, but because they are a "bad guy" and just don't want to.

So you take that simplistic view of good vs bad that people are prone to, combine it with a lack of understanding about computer security (which is a very complex topic so no surprise most people don't understand it) and lack of knowledge about how long chip design takes and there you go.

In the real world, Intel has over 250 vulnerabilities in hardware. Compared to the rest of this markets players, that's enormous

That'll give anyone trust issues

 

[Master_shake_]

great!

now i have to update my chart.

]

also

https://twitter.com/CDemerjian/status/1236333792358531074

it's not a hardware flaw. it's software

 

[Master_shake_]

this is just getting better and better

3/7/20


We are aware of a new white paper that claims potential security exploits in AMD CPUs, whereby a malicious actor could manipulate a cache-related feature to potentially transmit user data in an unintended way. The researchers then pair this data path with known and mitigated software or speculative execution side channel vulnerabilities. AMD believes these are not new speculation-based attacks.


AMD continues to recommend the following best practices to help mitigate against side-channel issues:

• Keeping your operating system up-to-date by operating at the latest version revisions of platform software and firmware, which include existing mitigations for speculation-based vulnerabilities
• Following secure coding methodologies
• Implementing the latest patched versions of critical libraries, including those susceptible to side channel attacks
• Utilizing safe computer practices and running antivirus software

intel can't catch a break. amd has already fixed it.

 

[thesmokingman]

They're trying to deflect from their recent news coverage, smh.

 

[Red Falcon]

https://twitter.com/CDemerjian/status/1236333792358531074

it's not a hardware flaw. it's software

From a post there:

It isn't, it is a timing attack. You can do timing attacks against nearly anything which is why Spectre attacks are so widespread and painful. The paper talks about mitigations in HW but most are SW and turning off HT for everything, not just AMD.

Once again, Intel's HyperThreading is garbage, and needs to be disabled to just to mitigate the issue.
Intel seriously needs to get their shit together - not for them, but for everyone else locked into their products!

 

[Captain Newmackwa]

It's interesting how the Intel CSME flaw was publicly disclosed right before AMD's Financial Analyst Day 2020 and then now, this comes out. Hmmm. The timing is probably a coincidence or is mud slinging going on behind the scenes between these companies?

At the end of the day, security wins. Better this situation than having these flaws exploited in the wild without our knowledge and without any mitigations being done about them. Hopefully by now, security will be a priority in chip design going forward. Not just performance.

 

[thesmokingman]

It's interesting how the Intel CSME flaw was publicly disclosed right before AMD's Financial Analyst Day 2020 and then now, this comes out. Hmmm. The timing is probably a coincidence or is mud slinging going on behind the scenes between these companies?

At the end of the day, security wins. Better this situation than having these flaws exploited in the wild without our knowledge and without any mitigations being done about them. Hopefully by now, security will be a priority in chip design going forward. Not just performance.

Did AMD fund the disclosure though?? Intel's issue was that it was supposed to be fixed but it was actually not.

 

[Tsumi]

this is just getting better and better



intel can't catch a break. amd has already fixed it.

Considering they actually notified AMD about this exploit 6 months ago in August 2019, yeah, AMD better have a software fix in place by now for what appears to be a relatively minor flaw.

It's says funded, not found. And if he posted the info without disclosing it was funded by Intel, everyone would be losing their shit about that not being pointed out.

I know what it says. However, by putting it in the title, it attracts people waiting for any opportunity to attack Intel without reading the story first, as evidenced by these last few posts.

 

[Master_shake_]

Considering they actually notified AMD about this exploit 6 months ago in August 2019, yeah, AMD better have a software fix in place by now for what appears to be a relatively minor flaw.

it was fixed when they had a mitigation for spectre

they used an already fixed spectre vairaint to exploit this new flaw

 

[ChadD]

Because in the geek world, AMD is the good guy and Intel is the bad guy. That's how a lot of people see them and they don't consider that maybe it is more nuanced than that. Since AMD is the "good guy" they will of course be able to make everything secure easily, because that's what good guys do. Intel. doesn't secure their stuff not because they can't, but because they are a "bad guy" and just don't want to.

So you take that simplistic view of good vs bad that people are prone to, combine it with a lack of understanding about computer security (which is a very complex topic so no surprise most people don't understand it) and lack of knowledge about how long chip design takes and there you go.

One company has a track record of including hardware security holes in hardware years after they come to light. The other has a track record of taking some pretty big design risks while somehow still not doing stupid things like allowing software to read random bits of cache without permission. lol
Yes Intel has fixed a lot of their terrible caching systems that where ignoring basic permission security.... as long as you buy the right stepping at least. Intel has a habit of selling older steppings for years cause they are so far behind the eight ball on demand. I'm sure its not a problem for big clients... but smaller customers get whatever Intel can get out the door. You can still buy brand new Intel chips with steppings with less then all their current hardware mitigation included.

This AMD vulnerability may never be "fixed" in hardware as its not really a flaw. Its working as intended. It can be exploited by software... and its software that needs to mitigate it. The hardware isn't doing anything really dangerous. Nothing more then a standard speculation engine anyway. You can't exploit this with standard software.

As Charlie Demerjian from semi accurate said on twitter...
" So I read the AMD Takeaway paper and, well, it is another Spectre attack. It isn't a hardware flaw and anyone who claims it is didn't read the paper or doesn't understand jack all about side channels and security. It is real but it is mostly a software problem. "

IMO this isn't a major exploit.... you can use this to read a bit of memory you shouldn't be able to but NOT anything kernel related. The chip still does what its supposed to and does check if the software has permission to retreive anything from kernel space before handing it over. (unlike chips produced by someone else) In order to achieve this novel AMD exploit... this research had to run a custom kernel. That part will be left out in Intel marketing. Running on a standard non modified kernel this exploit won't do much of anything accept perhaps read some data from other USER space software. Its not going to be pulling Crypto keys or anything important out of kernel space without the nefarious software somehow first managing to completely replace the kernel with a custom kernel with software permissions hinked up.

This is basically a non story. The headline should read. "Paid Intel researcher... finds way to compromised ANY CPU running a custom hacked Kernel. " This is all tripe. Side channel attacks are possible ON any CPU with any form of cache speculation even if its been patched in hardware to not give user land software kernel access.... if you run a modified kernel that has had its permissions bits tossed and flipped.