A research group has released information about a new vulnerability affecting all AMD processors with the Zen, Zen 2 and Zen 3 architectures. The vulnerability is called SQUIP (Scheduler Queue Usage via Interference Probing). Attackers can use it to gain access to sensitive data.
Modern superscalar processors, which can execute multiple instructions simultaneously, use several methods to further improve performance. One of the most effective is simultaneous multithreading (SMT), which splits a physical processor core into multiple logical cores that execute independent instruction streams.
However, the SMT implementation in modern AMD processors has been found to be vulnerable to a side-channel attack called SQUIP. The attack infers which instructions a process is executing by observing how it competes for resources with another process running on the same physical core. Zen, Zen 2 and Zen 3 processors are affected because they use multiple scheduler queues, one per execution unit. With SMT enabled, the two threads sharing a core contend for these queues, and the resulting scheduler queue conflicts can be monitored through performance counters from the other thread on the same hardware core.
Researchers from Graz University of Technology, the Georgia Institute of Technology and the non-profit Lamarr Security Research found that an attacker thread that, thanks to SMT, runs on the same hardware core as the victim thread can probe the scheduler queues to gain access to sensitive data. The researchers demonstrated practical SQUIP attacks on various systems with Ryzen and EPYC processors. In their demo, they recovered the RSA-4096 encryption key used by a process running in a different virtual machine but on the same CPU core.
“An attacker running their process on the same host and CPU core can see what types of instructions you are executing. This is possible due to the split scheduler in AMD processors,” said Daniel Gruss, a researcher at Graz University of Technology and one of the authors of the study.
Note that a similar design, with a separate scheduler for each execution unit, is used in Apple's M1 and M2 processors. However, they are not affected by SQUIP because Apple's processors do not support SMT. The issue could become relevant if an SMT analogue is implemented in them.
According to reports, AMD was notified of the SQUIP issue in December 2021 and assigned it the identifier CVE-2021-46778 with a Medium severity rating. This week AMD released an advisory on the presence of the vulnerability in processors with the Zen, Zen 2 and Zen 3 architectures. “To mitigate the vulnerability, AMD encourages software developers to use existing best practices such as constant-time algorithms and avoidance of secret control flows,” says AMD's recommendation.
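AMD's mitigation advice, constant-time code and no secret-dependent control flow, is easiest to see in the square-and-multiply routine at the heart of RSA. The following C example is added here to illustrate that advice; it is not code from the researchers, from AMD, or from any library. It contrasts a square-and-multiply loop whose extra multiply is issued only when a key bit is 1 (the kind of secret-dependent instruction mix a co-resident SMT thread could distinguish) with a variant that issues the same instructions every iteration and picks the result with a bitmask. The `mulmod` helper and all inputs are constructed for the demo; it assumes GCC or Clang for the 128-bit intermediate type.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: (a * b) mod m using a 128-bit intermediate.
 * The 128-bit '%' compiles to a division routine whose latency is not
 * guaranteed to be constant; real implementations use Montgomery
 * multiplication. It is enough here to show the control-flow difference. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return (uint64_t)(((unsigned __int128)a * b) % m);
}

/* Square-and-multiply with a secret-dependent branch: the extra multiply is
 * issued only when the current exponent bit is 1, so the instructions sent to
 * the scheduler queues differ per key bit. That per-bit difference is what a
 * contention side channel on the same core can observe. */
uint64_t modexp_branching(uint64_t base, uint64_t exp, uint64_t mod) {
    uint64_t result = 1 % mod;
    base %= mod;
    for (int i = 63; i >= 0; i--) {
        result = mulmod(result, result, mod);
        if ((exp >> i) & 1) {                 /* secret-dependent branch */
            result = mulmod(result, base, mod);
        }
    }
    return result;
}

/* Branchless select: returns a when mask is all ones, b when mask is zero. */
static uint64_t ct_select(uint64_t mask, uint64_t a, uint64_t b) {
    return (a & mask) | (b & ~mask);
}

/* Constant-time variant: every iteration issues the same instruction
 * sequence (square, multiply, mask, select) regardless of the exponent bit. */
uint64_t modexp_constant_time(uint64_t base, uint64_t exp, uint64_t mod) {
    uint64_t result = 1 % mod;
    base %= mod;
    for (int i = 63; i >= 0; i--) {
        result = mulmod(result, result, mod);
        uint64_t multiplied = mulmod(result, base, mod);  /* always computed */
        uint64_t mask = 0 - ((exp >> i) & 1);             /* all ones or zero */
        result = ct_select(mask, multiplied, result);
    }
    return result;
}

int main(void) {
    /* Constructed sample inputs, not a real key. */
    uint64_t base = 4, exp = 13, mod = 497;
    printf("branching:     %llu\n",
           (unsigned long long)modexp_branching(base, exp, mod));
    printf("constant-time: %llu\n",
           (unsigned long long)modexp_constant_time(base, exp, mod));
    return 0;
}
```

Both functions return the same value; only the shape of the work changes. One caveat: an optimizing compiler is free to turn the masked select back into a branch, so production libraries inspect the generated assembly (or use compiler barriers) to confirm the constant-time property survives compilation.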