AMD processors going back to 2011 suffer from worrying security holes

Pair of freshly revealed attacks have not yet been patched

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

AMD’s processors from as early as 2011 through to 2019 are carrying vulnerabilities that are as yet unpatched, according to some freshly published research.

Known as ‘Take A Way’ (every security problem needs a snappy name, of course), security researchers said that they reverse-engineered the L1D cache way predictor in AMD silicon in order to discover two new potential attack vectors.

Given all theattention which has been focusedon theflaws in Intel’s CPUsin recent times – vulnerabilities which haven’t affected AMD chips in a number of cases – this might just serve as a reminder that no one’s silicon is bulletproof.

As spotted byTom’s Hardware, Graz University of Technology released a paper detailing the vulnerabilities which AMD was informed of back in August 2019, although as mentioned, a fix has yet to be deployed.

The pair of exploits, dubbed Collide+Probe and Load+Reload, are side channel attacks (in the same vein asSpectre) that manipulate the aforementioned L1D cache predictor in order to access data that should otherwise be secure and unobtainable.

Thepaper(a PDF shared on Twitter by researcher Moritz Lipp) explains: “With Collide+Probe, an attacker can monitor a victim’s memory accesses without knowledge of physical addresses or shared memory when time-sharing a logical core.

“With Load+Reload, we exploit the way predictor to obtain highly-accurate memory-access traces of victims on the same physical core. While Load+Reload relies on shared memory, it does not invalidate the cache line, allowing stealthier attacks that do not induce any last level-cache evictions.”

Get the best Black Friday deals direct to your inbox, plus news, reviews, and more.

Sign up to be the first to know about unmissable Black Friday deals on top tech, plus get all your favorite TechRadar content.

The security researchers have already successfully leveraged these exploits on some common browsers, namely Chrome and Firefox. One of the researchers, Michael Schwarz, said that Collide+Probe has already been demonstrated being successfully leveraged via JavaScript in a browser, requiring no user interaction.

Performance concerns

The paper doesn’t just outline the problems here, though, but also provides potential solutions through both hardware and software mitigations, although no comment is made on whether software patches might be detrimental to system performance (as you may recall, there was a big fuss about this when it came to fixing Meltdown and Spectre).

AMD has yet to comment on the affair, but we’re guessing that situation will change soon enough.

As an interesting side-note, Tom’s observes thatHardware Unboxedspotted that ‘additional funding’ for the paper came fromIntel, and questions have been raised by some about potential conflicts of interest in that respect.

Another of the researchers, Daniel Gruss, addressed the matter on Twitter to note that he wouldn’t accept any funding which restricted his academic freedom and independence.

https://t.co/Z6LZoT4y3QOf course we could have just dropped that phd student off the paper instead 😉I’m happy that my funding sources do not restrict my academic freedom and independence. Otherwise I couldn’t accept that funding.March 7, 2020

Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - ‘I Know What You Did Last Supper’ - was published by Hachette UK in 2013).

AMD Ryzen 9800X3D overclocking potential shown: CPU hits jaw-dropping 6.9GHz, exceeds 1,200 fps in Counter-Strike 2

Gigabyte spoils AMD’s Ryzen 9000X3D surprise by leaking flagship 16-core CPU, which could be something special for gamers with X3D ‘turbo mode’

Another reason to avoid edge-lit 4K TVs: they may fail faster than others, according to this report