A group of researchers from Graz University of Technology (Austria), previously known for developing the MDS, NetSpectre, Throwhammer and ZombieLoad attacks, disclosed a new side-channel attack (CVE-2021-46778) on the AMD processor scheduler queue, used to schedule instruction execution in different CPU execution units. The attack, called SQUIP, allows you to determine the data used in calculations in another process or virtual machine or organize a hidden communication channel between processes or virtual machines that allows you to exchange data bypassing system access control mechanisms.
AMD CPUs based on 2000st, 5000nd, and 3000rd generation Zen microarchitectures (AMD Ryzen XNUMX-XNUMX, AMD Ryzen Threadripper, AMD Athlon XNUMX, AMD EPYC) are affected when using Simultaneous Multithreading Technology (SMT). Intel processors are not susceptible to attack, as they use a single scheduler queue, while vulnerable AMD processors use separate queues for each execution unit. As a workaround to block information leakage, AMD recommended that developers use algorithms that always perform mathematical calculations in constant time, regardless of the nature of the data being processed, and also avoid branching based on secret data.
The attack is based on an assessment of the level of contention occurrence (contention level) in different scheduler queues and is carried out through the measurement of delays when starting check operations performed in another SMT thread on the same physical CPU. To analyze the content, the Prime + Probe method was used, which implies filling the queue with a reference set of values and determining changes by measuring the access time to them when refilling.
During the experiment, the researchers were able to completely recreate the private 4096-bit RSA key used to create digital signatures using the mbedTLS 3.0 cryptographic library, which uses the Montgomery algorithm to raise a number to a power modulo. It took 50500 traces to determine the key. The total attack time took 38 minutes. Attack variants are demonstrated that provide a leak between different processes and virtual machines controlled by the KVM hypervisor. It is also shown that the method can be used to organize covert data transfer between virtual machines at a rate of 0.89 Mbit/s and between processes at a rate of 2.70 Mbit/s with an error rate of less than 0.8%.
Source: opennet.ru