News New AMD Side Channel Attacks Discovered, Impacts Zen Architecture

valeman2012

For those of you who thought Intel was the only line vulnerable...
These people were hyped to see that. It is really, really disappointing that the discovery was more than 90 days ago and yet there has been no attempt to resolve 2 very major security flaws on AMD CPUs.
 

Deicidium369

There are ZERO real world exploits for any of the vulnerabilities - they are lab tests and are not exploitable in the wild... it's not like it's a piece of malware. This goes for Intel and AMD. If you allow someone unfettered physical access to your server in the real world - you need to look for another job.

More and more of these vulnerabilities will be coming for AMD - until now they were a novel niche CPU with no real installed base - if you aren't looking, you aren't finding. I would be more worried about the rowhammer type attacks - those can be exploited rather easily.
 

valeman2012

As I wrote back when the first bugs in Intel's chips were discovered: only a matter of time until AMD-specific bugs are found, AMD just wasn't getting as much attention previously as the minority player.
There are ZERO real world exploits for any of the vulnerabilities - they are lab tests and are not exploitable in the wild... it's not like it's a piece of malware. This goes for Intel and AMD. If you allow someone unfettered physical access to your server in the real world - you need to look for another job.

More and more of these vulnerabilities will be coming for AMD - until now they were a novel niche CPU with no real installed base - if you aren't looking, you aren't finding. I would be more worried about the rowhammer type attacks - those can be exploited rather easily.
It's alarming, and I'm betting these AMD individuals would say "this discovery was paid by Intel" on community forums in order to cover their major disappointment of being wrong.
 
For those of you who thought Intel was the only line vulnerable...
This is a Spectre-style attack, which means it requires physical access to the computer, adjustments to the BIOS and administrative passwords to work.

In short, it's a nothing burger. That's not to say AMD isn't vulnerable to security risks, but this one is a whole lot of nothing, because if someone has that much access to the computer, they don't need a virus.
 

USAFRet

This is a Spectre-style attack, which means it requires physical access to the computer, adjustments to the BIOS and administrative passwords to work.

In short, it's a nothing burger. That's not to say AMD isn't vulnerable to security risks, but this one is a whole lot of nothing, because if someone has that much access to the computer, they don't need a virus.
And how many comments have we seen in the last couple of years with:
"I'll never buy Intel again because of these vulnerabilities!" Spectre, Meltdown, etc.

Given enough access and poking around, all code has a hole.
 

deksman

No one ever said that AMD's CPUs are 'untouchable' by potential security exploits... however, AMD remains LEAST AFFECTED (at least compared to Intel), and is usually quick to respond with security patches.

The sheer amount of security vulnerabilities that affect Intel are usually more important for servers and data centres (where big money is).
On an individual user level, a person is not very likely to encounter issues related to these exploits... however, out of the two, Zen uArch is (and I am repeating myself here) 'least affected'.
 

InvalidError

Given enough access and poking around, all code has a hole.
It is possible to write secure code, albeit on the smaller end of things. A lot of the insecurity in modern software comes from pervasive use of off-the-shelf blobs, rarely vetting those blobs and how they are used. Kind of hard to fully vet code in modern environments where "hello world" involves 50 million lines of external code most people have zero visibility into.
 

TechLurker

It was just a matter of time, considering Ryzen has become popular enough to warrant serious vulnerability research and in this case, it was the research project of a graduate/postgraduate hoping for a PhD.

They were also responsible enough to at least give AMD advance notice in August 2019 (for any title-only readers), so it'll be interesting to see if AMD already addressed this quietly via past BIOS updates (IE: Doing their job without needing to be prodded like Intel) and improved hardware security for Zen 3 and 4 (and even maybe newer production stock, like the AF 1200/1600 and newer batches of 2000 and 3000 series).

That said, it's nice that Intel is indirectly providing bug bounties on AMD's behalf. Sure, AMD takes a minor hit from sensationalist titles once a vulnerability is found, but they also don't have to pay for bug bounties themselves. And like this research paper, digging into Ryzen for that PhD is fresh territory, as opposed to trying a paper on a new Intel vulnerability.

Considering AMD has 2 active teams that compete with each other on Ryzen development, the sooner any vulnerabilities are discovered, the faster AMD can respond and amend in-progress development.
 

nofanneeded

AMD or Intel does not matter much; both are US companies, and the USA wants to "spy" on the WORLD.

I find it funny that most of the bugs are found by Europe, and I find it funny that they don't hire European scientists to monitor the designs of the CPU ...

I have a relative, a professor in Germany in computer engineering, and he told me, "these bugs can be avoided easily from the early stages of design, but they put them there and turn a blind eye to them, and all that you read in the news is to fool the people; as a scientist I am telling you it is avoidable from the beginning."
 

yeeeeman

No one ever said that AMD's CPUs are 'untouchable' by potential security exploits... however, AMD remains LEAST AFFECTED (at least compared to Intel), and is usually quick to respond with security patches.

The sheer amount of security vulnerabilities that affect Intel are usually more important for servers and data centres (where big money is).
On an individual user level, a person is not very likely to encounter issues related to these exploits... however, out of the two, Zen uArch is (and I am repeating myself here) 'least affected'.
AMD is less affected by Intel bugs because they are two different solutions to the same problem. It also means that AMD has different vulnerabilities compared to Intel and given the focus on Intel products now, it is no wonder they find more Intel vulnerabilities.
Give time to AMD to become more popular and you'll see how full of holes they are also.
 

USAFRet

AMD or Intel does not matter much; both are US companies, and the USA wants to "spy" on the WORLD.
In the consumer CPU space, there is zero need for any govt to "spy" on people at the CPU level.

People willingly give up ALL their deepest secrets and post them online. Sometimes even willingly pay for the privilege of doing so.

Google/MS/Amazon/FB/Apple knows more about you than you do.
 

clsmithj

What about the Ryzen Threadripper CPUs? Those are also Zen-based, but they handle memory completely differently than the AM4 Ryzens.
 

valeman2012

If you wanted to be able to spy on people, you wouldn't use bugs that have no practical exploit method to do it.
In the consumer CPU space, there is zero need for any govt to "spy" on people at the CPU level.

People willingly give up ALL their deepest secrets and post them online. Sometimes even willingly pay for the privilege of doing so.

Google/MS/Amazon/FB/Apple knows more about you than you do.
I mean, look at these AMD individuals' responses... it seems like they're saying "at least better than Intel security flaws"... "Intel is worst"... "Intel paid security researchers to find AMD security flaws"... "AMD is less affected because it's popular". I swear you'll see these on forums and hardware articles soon.

What matters is: AMD had 90 days+ to fix it, and nothing. After the Ryzen releases, AMD officials say they have the utmost best security out there (this right after multiple Intel security issue discoveries). These are 2 security issues on AMD products that are major because they are much simpler to hack than all the Intel security issues.
 

Joe15555

Just to make it clear, this vulnerability was demonstrated to expose META-DATA and allow for 'covert' communication between two processes (that would need to work together). The real world utilization or impact of these discoveries is trivial, and is not even remotely on par with the Intel vulnerabilities that were discovered in Meltdown and Zombieload. In the discovered Intel vulnerabilities, the Intel processor flaws were leaking actual system memory/data.

Don't take my word for it though, here is a Twitter response from one of the research paper's authors:


View: https://mobile.twitter.com/gnyueh/status/1236178639483527168


li baao - "Thanks a lot for your work! I find it hard to read a paper which is irrelevant to my profession. Is this vulnerability as severe as Meltdown or Zombieload?"

Daniel Gruss - "Certainly not. The attacks leak a few bits of meta-data. Meltdown and Zombieload leak tons of actual data."



All the best...
 