All AMD CPUs Found Harboring Meltdown-Like Security Flaw
When news began to break three and a half years ago regarding a pair of new security flaws, Meltdown and Spectre, it quickly became apparent that plenty of eyeballs were laser-focused on Intel’s security implementations. There was nothing wrong with this, as such — CPU security deserves to be scrutinized — but in many cases, far more attention was being given to Intel over AMD. The question of whether AMD CPUs were more secure than Intel CPUs was widely debated in the enthusiast community, but to no clear conclusion.
While far more vulnerabilities were found in Intel chips, the researchers investigating these flaws often acknowledged that they either did not have access to AMD hardware to test or that the limited tests they had run on AMD kit using techniques known to disrupt Intel processors had not worked. We know there are differences in how AMD and Intel implement speculative execution, so it was never clear how much of AMD’s apparent immunity was due to hardware design and how much was provided by “security through obscurity.” AMD, to its credit, never told the press that its CPUs were immune to attacks like Spectre and Meltdown, and it didn’t launch any major advertising campaigns around the idea that it represented the “safe” x86 choice. Good thing, too.
Researchers have now found a Meltdown-equivalent attack that affects AMD processors.
This exploit targets the fact that non-canonical loads and stores only use the lower 48 address bits, not the full range. The research paper acknowledges that the attack against AMD CPUs is not executed in precisely the same manner as on Intel CPUs, but the end result is the same. Meltdown is a vulnerability that abuses speculative execution to leak kernel data to applications that shouldn’t have access to it.
The authors write: “This class targets architecturally illegal data flow from microarchitectural elements (e.g., L1 Cache, Store/Load-Buffer, Special Register Buffer). Such an illegal data flow allows an attacker to exploit transient execution to expose data and change the microarchitectural state.” According to the authors’ security analysis, AMD’s Meltdown variant “does not lead to cross-address space leaks, but it provides a reliable way to force an illegal data flow between microarchitectural elements.” The team believes this is the first demonstration of this type of flaw in an AMD chip.
AMD describes the issue as “AMD CPUs may transiently execute non-canonical loads and store using only the lower 48 address bits.” The full 64 bits of an address are not evaluated during speculative execution, and this can be exploited to leak data out of the CPU. AMD also states: “Potential vulnerabilities can be addressed by inserting an LFENCE or using existing speculation mitigation techniques as described in .” refers to AMD’s most recent guide on how to manage speculative execution safely in AMD processors. It is not clear how relevant these ongoing Meltdown and Spectre issues are to the consumer market.
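As an added illustration (not code from the article, the research paper, or AMD’s guidance), the C below shows what “canonical” means for a 48-bit x86-64 virtual address, which canonical address a pointer value would alias to if only its lower 48 bits were honoured, and the “validate, then LFENCE” pattern AMD mentions for untrusted pointers. The user/kernel split constant, the function names and the sample addresses are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define VA_BITS 48
/* Assumed user/kernel split at the canonical hole; real kernels add guard pages. */
#define USER_LIMIT ((uint64_t)1 << (VA_BITS - 1))   /* 0x0000800000000000 */

/* Canonical: bits 63..47 are all copies of bit 47 (all zero or all one). */
static inline bool is_canonical(uint64_t va) {
    uint64_t high = va >> (VA_BITS - 1);   /* the 17 bits 63..47 */
    return high == 0 || high == 0x1FFFF;
}

/* The canonical address sharing the lower 48 bits with va, i.e. what a load that
 * ignored bits 63..48 would actually reach (sign-extended from bit 47). */
static inline uint64_t lower48_alias(uint64_t va) {
    const uint64_t mask48 = (1ULL << VA_BITS) - 1;
    uint64_t low = va & mask48;
    return (low & USER_LIMIT) ? (low | ~mask48) : low;
}

/* Speculation barrier: LFENCE on x86-64, a no-op elsewhere so the file still builds. */
static inline void speculation_barrier(void) {
#if defined(__x86_64__)
    __asm__ __volatile__("lfence" ::: "memory");
#endif
}

/* Reject a caller-supplied [va, va+len) range that is non-canonical or reaches the
 * upper half, and fence so no later load is issued before the check has retired. */
bool validate_user_pointer(uint64_t va, size_t len) {
    bool ok = is_canonical(va) && len <= USER_LIMIT && va <= USER_LIMIT - len;
    speculation_barrier();
    return ok;
}

int main(void) {
    /* Constructed sample values: one user pointer, one non-canonical one. */
    uint64_t samples[] = { 0x0000000000401000ULL, 0x1234800000000000ULL };
    for (size_t i = 0; i < 2; i++) {
        printf("%#018llx canonical=%d alias=%#018llx valid=%d\n",
               (unsigned long long)samples[i], is_canonical(samples[i]),
               (unsigned long long)lower48_alias(samples[i]),
               validate_user_pointer(samples[i], 16));
    }
    return 0;
}
```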
Intel CPUs that are vulnerable to MDS are vulnerable to this attack as well, and AMD’s Zen, Zen+, Zen 2, and Zen 3 are all affected. But in the more than three years since Spectre and Meltdown were disclosed, only one Spectre exploit is known to exist in the wild, and none targeting Meltdown. Meanwhile, companies continue to grapple with an epidemic of ransomware that clearly isn’t springing from speculative execution flaws.
Perhaps more to the point: Nobody seems much closer to fielding an actual replacement for speculative execution. The Morpheus chip we wrote about earlier this year is very interesting, but it’s also nowhere near being a commercialized, shipping product for a number of reasons, not least of which is its speed. The performance benefit of executing some instructions before the CPU knows if it will need the results is one of the most fundamental building blocks of modern CPU cores.
There’s a reason why every high-performance core from every company, x86 or not, uses speculative execution. They may use it differently with a different level of exposure to a specific type of exploit, but the attack surface here is enormous. Locking out all possibility of attack without killing performance has proven very challenging.
We’ve raised this point regarding Meltdown and Spectre-style attacks in previous articles about Intel and we’re raising it here as well.
This is not meant to diminish the importance of hardware-based security, but after 3.5 years of disclosures, there’s very little evidence to suggest this is currently a meaningful problem.