Contemporary superscalar microprocessors with out-of-order execution use a number of ways to boost their performance. Simultaneous multi-threading (executing more than one threads of code on a CPU core) is one of the most efficient ways to improve processor performance.
But AMD's implementation of SMT appears to be vulnerable to the so-called SQUIP side-channel attack that can reveal a 4096-bit RSA key fairly quickly.
All of AMD's Zen microarchitectures have separate scheduler queues per execution unit (so do Apple's M1-series CPUs). Each of these schedulers maintains separate queues from where the μops are issued for the corresponding execution units. AMD’s scheduler with SMT enabled introduces interferences across workloads, which opens doors to observe scheduler queue contention via performance counters and unserialized timer reads across sibling threads on the same core. Such priming and probing allows it to perform a side-channel attack on scheduler ques. The researchers call the method Scheduler Queue Usage (i.e., occupancy) via Interference Probing, or SQUIP.
The vulnerability affects all of AMD's existing Ryzen processors with Zen 1/2/3 microarchitectures. To exploit the weakness and get access to data processed by the same CPU core, perpetrators need to run malicious code on that CPU core first, which is not particularly easy. Meanwhile, complete mitigation of SQUIP might require disabling SMT technology on all of AMD's existing Zen-based processors, which will seriously hurt their performance.
"An attacker running on the same host and CPU core as you, could spy on which types of instructions you are executing due to the split-scheduler design on AMD CPUs," explained Daniel Gruss, a computer researcher from Graz University of Technology, in a conversation with The Register. "Apple's M1 (probably also M2) follows the same design but is not affected yet as they haven't introduced SMT in their CPUs yet."
AMD reportedly confirmed the problem — currently called AMD-SB-1039: Execution Unit Scheduler Contention Side-Channel vulnerability on AMD Processors — and said that the company considers it a 'medium severity' threat.
"AMD recommends software developers employ existing best practices including constant-time algorithms and avoiding secret-dependent control flows where appropriate to help mitigate this potential vulnerability," AMD's mitigation reads.
