Meltdown and Spectre have long been a nightmare for Intel, since then researchers have devised a side-channel attack for AMD CPUs. This attack exploits power and time prefetch to access information leaking from AMD chips.
About AMD Prefetch Attack
A team of researchers from the Graz University of Technology and CISPA Helmholtz Center for Information Security have devised a new side-channel attack targeting AMD CPUs. The team has previously been involved in Meltdown and Spectre attack discovery too.
This time, they have shared insights about the attack that involves time and power variations of the prefetch instructions to expose AMD leaks to an underprivileged user.
The researchers came up with this discovery after studying AMD architecture, since it was believed to not be vulnerable to Meltdown and Spectre that threatened Intel. They found that AMD also exhibits side-channel leaks via prefetch instructions. Hence, executing attacks similar to TLBleed on Intel becomes possible for AMD too.
Briefly, they demonstrated a full microarchitectural KASLR (kernel address space layout randomization) break on AMD that works on all major OS.
As stated about the prefetch instructions time in their research paper,
We demonstrate that the side-channel leakage of the prefetch instructions allows spying on kernel activity. As the timing of the prefetch instructions does not only rely on the page-table level but additionally on the TLB state, our attack leaks whether the kernel currently uses a targeted kernel page.
Whereas, regarding the power variations, they noted,
Since the Zen (family 17H) microarchitecture, AMD CPUs provide a Running Average Power Limit (RAPL) interface. The recently released Linux 5.8 kernel includes the
amd_energydriver providing unprivileged access to per-core energy measurements. Consequently, with this kernel version, AMD CPUs are vulnerable to power side-channel attacks from user space as an alternative to timing-based attacks.
AMD Recommends Mitigations
The researchers confirmed that they responsibly disclosed their findings to AMD in 2020. Consequently, AMD acknowledged the bug and shared mitigations in early 2021.
Regarding the vulnerability, CVE-2021-26318, in an advisory, AMD stated,
The attacks discussed in the paper do not directly leak data across address space boundaries. As a result, AMD is not recommending any mitigations at this time.
As for the mitigations, AMD recommends keeping the respective devices updated with the latest OS versions, implementing the latest patches of the critical libraries, implementing secure coding methodologies, and keeping the devices safe with antimalware software.