All AMD CPUs Found Harboring Meltdown-Like Security Flaw

All AMD CPUs Found Harboring Meltdown-Like Security Flaw

When news began to break three and a half years ago regarding a pair of new security flaws, Meltdown and Spectre, it quickly became apparent that plenty of eyeballs were laser-focused on Intel’s security implementations. There was nothing wrong with this, as such — CPU security deserves to be scrutinized — but in many cases, far more attention was being given to Intel over AMD.

The question of whether AMD CPUs were more secure than Intel CPUs was widely debated in the enthusiast community, but to no clear conclusion. While far more vulnerabilities were found in Intel chips, the researchers investigating these flaws often acknowledged that they either did not have access to AMD hardware to test or that the limited tests they had run on AMD kit using techniques known to disrupt Intel processors had not worked.

We know there are differences in how AMD and Intel implement speculative execution, so it was never clear how much of AMD’s apparent immunity was due to hardware design and how much was provided by “security through obscurity.” AMD, to its credit, never told the press that its CPUs were immune to attacks like Spectre and Meltdown, and it didn’t launch any major advertising campaigns around the idea that it represented the “safe” x86 choice. Good thing, too. Researchers have now found a Meltdown-equivalent attack that affects AMD processors.

All AMD CPUs Found Harboring Meltdown-Like Security Flaw

The research paper acknowledges that the attack against AMD CPUs is not executed in precisely the same manner as Intel CPUs, but the end result is the same. Meltdown is a vulnerability that abuses speculative execution to leak kernel data to applications that shouldn’t have access to it. The authors write: “This class targets architecturally illegal data flow from microarchitectural elements s (e.g., L1 Cache, Store/Load-Buffer, Special Register Buffer). Such an illegal data flow allows an attacker to exploit transient execution to expose data and change the microarchitectural state.”

According to the authors’ security analysis, AMD’s Meltdown variant “does not lead to cross-address space leaks, but it provides a reliable way to force an illegal data flow between microarchitectural elements.” The team believes this is the first demonstration of this type of flaw in an AMD chip. AMD describes the issue as “AMD CPUs may transiently execute non-canonical loads and store using only the lower 48 address bits.” The full 64-bits of an address are not evaluated when performing speculative execution, and this can be exploited to leak data out of the CPU. AMD also states: “Potential vulnerabilities can be addressed by inserting an LFENCE or using existing speculation mitigation techniques as described in [2].” [2] refers to AMD’s most recent guide on how to manage speculative execution safely in AMD processors.

It is not clear how relevant these ongoing Meltdown and Spectre issues are to the consumer market. Intel CPUs that are vulnerable to MDS are vulnerable to this attack as well, and AMD’s Zen, Zen+, Zen 2, and Zen 3 are all affected. But in the more than three years since Spectre and Meltdown were disclosed, only one Spectre exploit is known to exist in the wild, and none targeting Meltdown. Meanwhile, companies continue to grapple with an epidemic of ransomware that clearly isn’t springing from speculative execution flaws.

Perhaps more to the point: Nobody seems much closer to fielding an actual replacement for speculative execution. The Morpheus chip we wrote about earlier this year is very interesting, but it’s also nowhere near to being a commercialized, shipping product for a number of reasons, not least of which is its speed. The performance benefit of executing some instructions before the CPU knows if it will need the results is one of the most fundamental building blocks of modern CPU cores. There’s a reason why every high-performance core from every company, x86 or not, uses speculative execution. They may use it differently with a different level of exposure to a specific type of exploit, but the attack surface here is enormous. Locking out all possibility of attack without killing performance has proven very challenging.

We’ve raised this point regarding Meltdown and Spectre-style attacks in previous articles about Intel and we’re raising it here as well. This is not meant to diminish the importance of hardware-based security, but after 3.5 years of disclosures, there’s very little evidence to suggest this is currently a meaningful problem.

Continue reading

Intel’s Raja Koduri to Present at Samsung Foundry’s Upcoming Conference
Intel’s Raja Koduri to Present at Samsung Foundry’s Upcoming Conference

Intel's Raja Koduri will speak at a Samsung foundry event this week — and that's not something that would happen if Intel didn't have something to say.

Samsung May Build $10B Foundry in Austin, Texas
Samsung May Build $10B Foundry in Austin, Texas

Samsung may be planning a new $10B foundry in Austin Texas, with an aggressive plan to challenge TSMC.

OnePlus Founder’s New Startup Bought the Husk of Andy Rubin’s Essential
OnePlus Founder’s New Startup Bought the Husk of Andy Rubin’s Essential

OnePlus's cofounder recently left to start a new venture called Nothing. Currently, Nothing makes nothing, so that's a fitting name. It might make something soon now that it has purchased the husk of Andy Rubin's smartphone startup.

Samsung’s Austin Foundry Is Still Offline, More Than 2 Weeks Later
Samsung’s Austin Foundry Is Still Offline, More Than 2 Weeks Later

Samsung's Austin foundry is still offline, increasing the chance that its shutdown will meaningfully contribute to the semiconductor shortage.