The technique's severity is somewhat reduced by the fact that it applies to older silicon: AMD CPU family 0x15 through 0x17 (the most recent of which shipped April 2021) or Intel Core generation 6 through 8 (the most recent of which shipped Q3 2019).

But in an email to The Register, Wikner and Razavi said some of the affected chips are of fairly recent vintage.

"Zen 3 has only been available for a bit more than a year, so all the AMD chips bought before that are vulnerable," they said. "In fact, the latest AMD Zen 2 was released last year.

"As for Skylake-based CPUs, this is harder to tell since they are a few years old now. We don't know the exact percentage in deployment, but we imagine it will be a significant fraction of AMD CPUs in production given that servers have a lifetime of 3-5 years usually.

"Newer Intel CPUs up to Alder Lake also suffer from Retbleed through BHI, another vulnerability that was disclosed earlier in the year, but exploitation is harder."

Both Intel and AMD have improved more recent chip architectures to make these sorts of attacks more difficult.

During the course of their Retbleed investigation, Wikner, Razavi, and another ETH Zurich researcher, Daniël Trujillo, discovered that AMD CPU cores perform phantom jumps (JMPs): branch predictions made without any branch instruction actually being present.

"By training the branch predictor to believe there exists a branch at a particular location, we therefore trigger a speculative branch, even in the absence of an architectural branch," the three researchers explain in a Retbleed addendum. "This allows speculative execution of code originating from arbitrary instruction boundaries, commonly known as phantom branches."

On AMD processors, they also found "that any return instruction can be hijacked, regardless of the previous call stack, as long as the previous branch destination is correctly chosen during branch poisoning."

AMD Zen 1, Zen 1+ and Zen 2 were found to be affected by phantom jumps.

The boffins say phantom jumps expand the attack surface of Retbleed but are more difficult to exploit because "the secret data needs to already be available in a register in the architectural path."
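A quick fleet-triage check against the affected ranges quoted above, written for this page as an added example (it is not code from the ETH Zurich researchers or from The Register). It parses the first processor block of a Linux /proc/cpuinfo dump and flags AMD parts whose CPUID family falls in 0x15 through 0x17 (printed in decimal, 21 through 23, by the kernel) and Intel parts whose "model name" string names a Core i3/i5/i7/i9 of generation 6 through 8. Two assumptions are baked in: the Intel generation is read from the model number's leading digit(s), a naming heuristic rather than a CPUID lookup, and the sysfs file the kernel exposes on Retbleed-aware kernels is treated as the authoritative answer where present. The sample cpuinfo blocks are constructed, not captured from real machines, and the heuristic deliberately does not cover the BHI path on newer Intel parts that the researchers mention.

```python
"""Triage /proc/cpuinfo against the Retbleed-affected ranges named in the article.

Added example, not code from the researchers or The Register. Assumptions:
the AMD range is CPUID family 0x15..0x17 (decimal 21..23, as /proc/cpuinfo
prints "cpu family"); the Intel range is inferred from the "model name" of
Core i3/i5/i7/i9 parts, where the leading digit(s) of the four- or five-digit
model number give the Core generation (a naming heuristic, not a CPUID check).
"""
import re
from pathlib import Path
from typing import Dict, Optional

AMD_FAMILIES = range(0x15, 0x17 + 1)       # 21..23 as printed in /proc/cpuinfo
INTEL_CORE_GENERATIONS = range(6, 8 + 1)   # Skylake through Coffee Lake era parts

# Matches e.g. "Intel(R) Core(TM) i7-8700K" and captures the model number "8700".
_CORE_RE = re.compile(r"Core\(TM\)\s+i[3579]-(\d{4,5})")


def parse_cpuinfo(text: str) -> Dict[str, str]:
    """Return the first processor block of a /proc/cpuinfo dump as a field dict."""
    block = text.strip().split("\n\n")[0]
    fields: Dict[str, str] = {}
    for line in block.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def intel_core_generation(model_name: str) -> Optional[int]:
    """Core generation from a model-name string, or None if the name is not a Core i-part."""
    match = _CORE_RE.search(model_name)
    if not match:
        return None
    digits = match.group(1)
    # "8700" -> generation 8; "12900" -> generation 12 (everything but the last three digits).
    return int(digits[:-3])


def retbleed_affected(cpuinfo_text: str) -> Optional[bool]:
    """True/False when the heuristic can decide from the article's ranges, None when it cannot."""
    fields = parse_cpuinfo(cpuinfo_text)
    vendor = fields.get("vendor_id", "")
    if vendor == "AuthenticAMD":
        return int(fields.get("cpu family", "0")) in AMD_FAMILIES
    if vendor == "GenuineIntel":
        generation = intel_core_generation(fields.get("model name", ""))
        return None if generation is None else generation in INTEL_CORE_GENERATIONS
    return None


def kernel_retbleed_status(
    sysfs: str = "/sys/devices/system/cpu/vulnerabilities/retbleed",
) -> Optional[str]:
    """The running kernel's own verdict, when it is new enough to report Retbleed; else None."""
    path = Path(sysfs)
    return path.read_text().strip() if path.exists() else None


# Constructed sample inputs (not captured from real machines).
SAMPLE_AMD_ZEN2 = (
    "processor\t: 0\nvendor_id\t: AuthenticAMD\ncpu family\t: 23\nmodel\t\t: 113\n"
    "model name\t: AMD Ryzen 7 3700X 8-Core Processor\n"
)
SAMPLE_INTEL_GEN8 = (
    "processor\t: 0\nvendor_id\t: GenuineIntel\ncpu family\t: 6\nmodel\t\t: 158\n"
    "model name\t: Intel(R) Core(TM) i7-8700K CPU @ 3.70GHz\n"
)
SAMPLE_INTEL_GEN12 = (
    "processor\t: 0\nvendor_id\t: GenuineIntel\ncpu family\t: 6\nmodel\t\t: 151\n"
    "model name\t: 12th Gen Intel(R) Core(TM) i9-12900K\n"
)

if __name__ == "__main__":
    for label, sample in (("zen2", SAMPLE_AMD_ZEN2),
                          ("intel gen8", SAMPLE_INTEL_GEN8),
                          ("intel gen12", SAMPLE_INTEL_GEN12)):
        print(f"{label}: in affected range -> {retbleed_affected(sample)}")
    print("kernel says:", kernel_retbleed_status())
```

Treat the heuristic as a first pass for inventory only: the sysfs file, where the kernel provides it, reflects the actual microcode and mitigation state of the host and should win over any name-based guess.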