New vulnerabilities in AMD and Intel processors: AEPIC & SQUIP
International teams of experts have identified weaknesses in numerous current CPU types from AMD and Intel that could also affect future ARM chips.
The security gap AEPIC Leak is in current Intel processors of the Ice Lake, Tiger Lake and Alder Lake generations (Core i-10000, 11000, 12000, Xeon SP Gen 3). The AEPIC Leak is not a side channel, but a bug in the microarchitecture: The security experts from Sapienza Uni Rome, Graz University of Technology, Amazon AWS and CISPA rather use the registers of the Advanced Programmable Interrupt Controller (APIC) to transfer data read from the CPU caches.
More precisely, they read undefined areas of the so-called Superqueue (SQ), which connects the level 2 and level 3 caches of Intel processors with Sunny Cove-type cores.
The AEPIC leak attack (CVE-2022-21233) can be used to read secret key data, even from supposedly securely protected SGX enclaves.
However, only users with admin rights have access to the APIC registers. This significantly reduces the risk potential of AEPIC leak attacks. The security researchers also name a number of protective measures against AEPIC Leak and recommend Intel to avoid this error in future CPU cores.
Intel provides SGX patches and microcode updates as a countermeasure against AEPIC Leak, see Intel Security Advisory Intel-SA-00657 (2022.2 IPU – Intel Processor Advisory). Accordingly, Intel classifies the risk of the vulnerability as “medium”.
AMD provides more information on SQUIP in AMD Security Bulletin AMD-SB-1039 (Execution Unit Scheduler Contention Side-Channel Vulnerability on AMD Processors). A list of affected Ryzen, Epyc and Ryten Threadripper processors can also be found there. Accordingly, the risk level “Medium” also applies to CVE-2021-46778.
SQUIP side channel on AMD and ARM CPUs
SQUIP, which uses the scheduler queue of processor cores, is a side channel – similar to Specter-type vulnerabilities. With the “Scheduler Queue Contention Side Channel”, the attacker observes and manipulates the scheduler queue, which distributes the pending commands to the processor’s individual arithmetic units.
While the CPU cores of Intel processors have common schedulers for all existing arithmetic units, the security researchers found that AMD processors of the Zen 2 and Zen 3 generations and Apple’s M processors use so-called “per-execution-unit scheduler designs”. multiple schedulers per CPU core. Each scheduler queue only supplies specific arithmetic units.
The AMD processor cores in turn have arithmetic units with different properties. So only ALU1 performs multiplication, division and CRC operations. Consequently, the scheduler always allocates such tasks to ALU1.
By now specifically filling the scheduler queue ALQ1 for this ALU1, the experts were able to generate reproducible delays that can be measured – for example with the help of performance counters, which the CPU conveniently provides itself. The time measurement also works with unprivileged timer reads that do not require admin rights.
These measurements of the processing times, which are necessary for the multiplication of certain data, for example, allow conclusions to be drawn about this data. This works particularly well when the “observation thread” (i.e. the malware, so to speak) runs as a second thread (sibling thread) on the second logical processor core of a CPU core with simultaneous multithreading (SMT). Therefore, as a countermeasure against SQUIP, the security researchers recommend doing without SMT. However, software countermeasures are also possible.
In principle, SQUIP would also be a security risk for ARM processor cores with multiple scheduler queues and SMT, as the authors explain. Such are not yet on the market.
Like the AEPIC Leak, Martin Schwarzl, Andreas Kogler and Daniel Gruss from Graz University of Technology were involved in uncovering the side channel SQUIP. At SQUIP, they cooperated with Lamarr Security Research and Stefan Gast, who also worked at Graz University of Technology, and with the Georgia Institute of Technology.
