New AMD Side Channel Vulnerabilities found - AMD Reacts and Downplays

sverek

2020-03-09 08:58

The Graz University of Technology performed a lot of Vulnerability tests ion the past, but the reality is also that they are partially funded by intel, it seems.

Boy, it gonna be good. Please AMD and Intel, call out each others holes and secure your shit. I am all for it.

#5767345

anticupidon

2020-03-09 09:02

Good to see that security folks are ever vigilant. Now, AMD is having its share of vulnerabilities. Let's see how this will pan out.

#5767376

fantaskarsef

2020-03-09 09:49

Well, everybody gets a security problem for free with speculative execution. Maybe that's a generally dangerous way of creating CPU architectures... I wonder if they will be searching for an alternative route down the way.

sverek:

Boy, it gonna be good.

While I agree with you as usual, the full paragraph tells more than the first line:

The Graz University of Technology performed a lot of Vulnerability tests ion the past, but the reality is also that they are partially funded by intel, it seems. The paper mentions this, and really, just read it: "Additional funding was provided by generous gifts from Intel. Any opinions, findings, and conclusions or recommendations expressed in this paper are those of the authors and do not necessarily reflect the views of the funding parties." Albeit a curiosity, the co-authors of the Intel-funded study also revealed Intel's vulnerabilities in the past.

#5767392

Kaarme

2020-03-09 10:28

It's pretty hard to take seriously an Intel funded study on AMD CPUs, but it's not like we wouldn't have known AMD's CPUs have their own vulnerabilites. They are just far less numerous than Intel's.

#5767411

skimike

2020-03-09 11:53

Everything I have seen about this vulnerability since it popped up last Friday suggests that it leaks metadata rather than actual data. Has anyone read anything to the contrary?

#5767413

Dribble

2020-03-09 12:08

I do wonder if AMD have less vulnerabilities because (a) they tried to be more secure then Intel (b) they just got lucky or (c) no one has really tried to attack them yet?

#5767426

barbacot

2020-03-09 13:04

Yes, the study is made with Intel funds but only for the purpose of scientific development - Intel gives this kind of grants regularly: https://www.intel.com/content/dam/www/public/us/en/security-advisory/documents/intel-2019-product-security-report.pdf It's their "Bug Bounty program" so nothing unfair or conspiracy here... I think that with the market gains that AMD makes today they will get more and more attention and who knows...maybe more bugs discovered and fixed. It's crazy to think that AMD CPU's are "perfect" or "flawless" compared to Intel related to security - today CPU's are incredibly complex architectures and things get overlooked - Intel, AMD makes no difference, the important thing is for these flaws to be discovered and patched up quickly.

#5767427

Kool64

2020-03-09 13:08

Inserting obligatory "I don't care about security" quote.

#5767429

Denial

2020-03-09 13:23

Dribble:

I do wonder if AMD have less vulnerabilities because (a) they tried to be more secure then Intel (b) they just got lucky or (c) no one has really tried to attack them yet?

Combination of all the above.

barbacot:

Yes, the study is made with Intel funds but only for the purpose of scientific development - Intel gives this kind of grants regularly: https://www.intel.com/content/dam/www/public/us/en/security-advisory/documents/intel-2019-product-security-report.pdf It's their "Bug Bounty program" so nothing unfair or conspiracy here... I think that with the market gains that AMD makes today they will get more and more attention and who knows...maybe more bugs discovered and fixed. It's crazy to think that AMD CPU's are "perfect" or "flawless" compared to Intel related to security - today CPU's are incredibly complex architectures and things get overlooked - Intel, AMD makes no difference, the important thing is for these flaws to be discovered and patched up quickly.

Yeah people were flipping out about this over at /r/amd but it's the same authors that discovered meltdown/spectre under the same funding

#5767430

fantaskarsef

2020-03-09 13:30

Denial:

Yeah people were flipping out about this over at /r/amd but it's the same authors that discovered meltdown/spectre under the same funding

Imho the sad part is, people are supposed to be smart, talking about highly specialised technology and applyances, and yet if it fits certain sentiments, they casually "forget" about that fact.

#5767440

schmidtbag

2020-03-09 13:56

I'd deem this problem worth concerning over, though I'm curious what the fix is and the performance impact as a result.

#5767458

H83

2020-03-09 15:03

So very piece of hardware has vulnerabilities... Not sure if this is assuring or concerning...

#5767466

D3M1G0D

2020-03-09 15:21

I don't think this is anything to worry about. AMD's statement indicates that these are not new side-channel attacks but relies on known and mitigated side-channel attacks (bolded):

We are aware of a new white paper that claims potential security exploits in AMD CPUs, whereby a malicious actor could manipulate a cache-related feature to potentially transmit user data in an unintended way. The researchers then pair this data path with known and mitigated software or speculative execution side channel vulnerabilities. AMD believes these are not new speculation-based attacks.

As such, if you've already applied patches for those known side-channel attacks then it should also protect you from this. The only thing needed is to keep your system up-to-date and fully patched, as AMD recommends.

#5767472

JamesSneed

2020-03-09 15:36

I would downplay it as well. They had to modify the kernel to pull this off. Meaning this is already fixed with patches. Academically they are new vulnerabilities but back in the real world these are already fixed so are not really new threats.

#5767499

SbbKbb

2020-03-09 16:54

I find it very funny at anyone with Windows 10 being worried about security of they processor 🙂 On the other hand anyone that remembers the history more than one week cant bee surprised with Intels shortcuts(read speed over security) and they malversation and bribery, sorry lobbying 🙂 And no, i am not an AMD fanboy. I am to old for this nor iv ever been hostage of an corporation but i remember history. Zx Spectrum,C64,Cyrix,AMD,VIA,Intel,Nvidia,ATI. Iv had them all in some point of time wen they had a good product. And for the moment i believe AMD till proven otherwise.

#5767501

Kool64

2020-03-09 17:09

If we are to believe the reports AMD is including this in the Spectre/Meltdown side channel attacks. Thus the issue was resolved years ago.

#5767516

jbscotchman

2020-03-09 18:43

I won't lose any sleep over this.

#5767532

Turanis

2020-03-09 19:44

From what I know from Wiki: Zen 2 (e.g. R5 3600,R7 3700,etc) includes hardware mitigations against the Spectre V4 speculative store bypass vulnerability. This side speculations are not very very horrorific with new Ryzen as some cpus from other side. 🙂

#5767536

JamesSneed

2020-03-09 20:02

Kool64:

If we are to believe the reports AMD is including this in the Spectre/Meltdown side channel attacks. Thus the issue was resolved years ago.

If you read the paper they had to mod the kernel because existing OS patches mitigate the vulnerability. You don't have to trust in AMD the paper itself is basically saying a properly patched system isn't susceptible to these newly found vulnerabilities.

#5767552

Turanis

2020-03-09 20:31

The drama will be if Intel will do not much more in the next cpu architecture. 😉