Prefetch Side Channels Undermine the Isolation Between User and Kernel Space on AMD CPUs


This new technical paper titled “AMD Prefetch Attacks through Power and Time” is from researchers at Graz University of Technology and CISPA Helmholtz Center for Information Security. Note, this is a prepublication paper for the USENIX Security Symposium in Boston in August 2022.   This paper includes countermeasures and mitigation strategies, and the paper indicates that the findings were disclosed in AMD back in 2020 and AMD provided feedback in Feb 2021.


“Modern operating systems fundamentally rely on the strict isolation of user applications from the kernel. This isolation is enforced by the hardware. On Intel CPUs, this isolation has been shown to be imperfect, for instance, with the prefetch side-channel. With Meltdown, it was even completely circumvented. Both the prefetch side channel and Meltdown have been mitigated with the same software patch on Intel. As AMD is believed to be not vulnerable to these attacks, this software patch is not active by default on AMD CPUs.

In this paper, we show that the isolation on AMD CPUs suffers from the same type of side-channel leakage. We discover timing and power variations of the prefetch instruction that can be observed from unprivileged user space. In contrast to previous work on prefetch attacks on Intel, we show that the prefetch instruction on AMD leaks even more information. We demonstrate the significance of this side channel with multiple case studies in real-world scenarios. We demonstrate the first microarchitectural break of (fine-grained) KASLR on AMD CPUs. We monitor kernel activity, e.g., if audio is played over Bluetooth, and establish a covert channel. Finally, we even leak kernel memory with 52.85 B/s with simple Spectre gadgets in the Linux kernel. We show that stronger page table isolation should be activated on AMD CPUs by default to mitigate our presented attacks successfully.”

Find the technical paper here (prepublication).  AMD addressed this issue here.

Moritz Lipp and Daniel Gruss, Graz University of Technology; Michael Schwarz, CISPA Helmholtz Center for Information Security

Chip Backdoors: Assessing The Threat
Steps are being taken to minimize problems, but they will take years to implement.
Security Risks Widen With Commercial Chiplets
Choosing components from a multi-vendor menu holds huge promise for reducing costs and time-to-market, but it’s not as simple as it sounds.
Chip Substitutions Raising Security Concerns
Lots of unknowns will persist for decades across multiple market segments.
Standardizing Chiplet Interconnects
Why UCIe is so important for heterogeneous integration.
Technical papers on Security

Leave a Reply

(Note: This name will be displayed publicly)