Researchers at the University of Graz has published a number of security vulnerabilities in the current CPU from AMD, then the manufacturer had not spoken to in seven months in which to do this.
It belongs to the good tone, with a manufacturer’s awareness of the security vulnerabilities in their products before to publish it. After that, a Team from the University of Graz, was appointed to Intel’s competitor, AMD, is in August, 2019, by a number of possible Side-Channel attacks, and to bring them under the name of “Take Shape” (PDF), put together, are not, however, in all of them.
The examination of but One Way, and explore the Implications for the Security of the AMD Cache, a Way Predictor, we reverse-engineered AMD’s L1D cache, a way predictor, resulting in two new methods of attack. I accept @ #AsiaCCS ’20 – https://t.co/gQ4cN9PYsX – cc @duxcode @misc0110 @Blood-drenched mandarin orange @moltres pic.twitter.com/sTZizLqEHn
— Moritz Lipp (@mlqxyz) On march 6, 2020
After a seven-month-old, without any reaction from the house of AMD, the Team decided that, in the final analysis, the release of the results. And all at once the manufacturer responds to it, but it’s still like that.
All AMD CPU for 2011
The discovery of vulnerabilities that affect all AMD processors from the 2011 model year. Including the most recent, Epyc, in addition to the old Athlon 64 X2 is based on the architecture Bulldozer, and Ryzen processors, Based on the name of the Zen and Zen+ and-Zen2 introduced in the processor’s micro-architecture.
So the CPU is affected, it is due to the nature of the possible breach of security. This is an undocumented area of the L1 data cache is possible. Given the fact that both the structure and the function of the Caches, the L1-year in particular, the safety gap, in the year 2011.
Jump up to the prediction, the L1 Cache as the root cause of the problem
Specifically, the researchers found two ways to attack, depending on the type of forecast is the so-called Path of the Balloon, and the data cache. The researchers refer to them as “Conflict+in sample” and “Load+Reload”. As such, they were able to observe the accesses to the memory and the portions of the read access, in the sense that both of them have taken place at the heart of it.
The potential for risk is low
A sober, considered the potential risks and, in particular, in the case of a local device that is very small and it is not on a par with the latest processors from Intel, the security vulnerabilities are known. At the time, the entire records can be called upon in the attack, only a single Meta-data. This is unacceptable and needs to be corrected, a data base, the scandal is not going to show up, but rather than.
The Correction is a Microcode update is required. In addition to this, it wouldn’t be worth it, even more so than that of the L1 Cache architecture of thought.
AMD responds to it, but it doesn’t do anything
After the message had been generated, the vulnerabilities of the security in the Twitter, a little bit of attention, you looked at AMD yesterday, Saturday, has issued an attestation report. The manufacturer denies this, however, is that this is a new security vulnerability. In spite of this, it is under the generic term used for the possible Side-Channel attacks are now classified in well-known. At the very least, users can protect themselves by the usual Best Practices about it.
In particular, this includes constant Updates of the operating system, and is used in libraries, as well as the Firmware for all the components, and the Coding guidelines, secure Code and, in general, more cautious in dealing with the Computer, as well as the use of an anti-virus Software is Note included in the price.
In the meantime, the research group that in and of itself has been criticized, because it is a part of their work from the Intel provided. Quickly AMD had been located in gaps such as on a work commissioned by the microsoft corporation.
The Team has been forced to make it clear that you have to do a search in the general security of your Computer, including your money, the Intel, the lush heads of state and government-Bug-bounty-program you would like to receive. These programs, almost all of the well-known manufacturers. As a reward, expert, external, where it can be displayed for vulnerabilities in their products. Information about the Intel-Bug-Bounty-program can also be found in the current safety report for the year 2019 ” (PDF).
Fit for: for Intel patches for the security vulnerabilities in the CPU, for the third Time in a year