Researchers at ETH Zurich have identified a series of vulnerabilities in AMD’s CPUs. The vulnerabilities have been identified in CPUs with the Zen 3 and Zen 4 architecture in particular and are present across the board in both desktop and laptop CPUs and APUs with the architecture.
The vulnerability, identified now as “Inception”, takes advantage of speculative execution, a technique where a computer predicts and performs operations it anticipates needing in the future. Using an attack method called Training in Transient Execution (TTE), the affected CPUs can be manipulated to believe that they have seen a certain set of instructions before even if it has never happened before.
In the simplest of terms, the exploit acts exactly like how Leonardo DiCaprio and his team did in the movie “Inception”. Similar to how they were able to plant an idea to retrieve information, the vulnerability in AMD CPUs can do the same thing.
In fact, XDA Developers described that “Inception” takes its name from the movie of the same title, where the central concept involves implanting an idea in someone’s dream. In the exploit context, researchers metaphorically implant an “idea” into the CPU during its “dream-like” state, causing it to execute incorrect instructions. This manipulation of the CPU’s control flow is the core mechanism exploited by Inception.
Exploiting A Kernel Memory Breach
The vulnerability poses a serious security threat as “Inception” is an end-to-end exploit that can covertly leak sensitive information from Zen 3 and Zen 4 processors. The exploit can access confidential kernel memory, including sensitive files like “/etc/shadow” on Linux systems. This file holds hashed user account passwords, typically safeguarded and accessible only to the root user.
According to XDA Developers, with a leakage rate of up to 39 bytes per second, Inception has the capability to retrieve these passwords within 40 minutes.
Exploitation of Speculative Execution
The workings of Inception draw parallels to a similar exploit named Zenbleed. ETH Zurich researchers leveraged the TTE technique to craft an attack capable of infiltrating AMD Zen CPUs. This involves manipulating speculative execution to carry out actions that may not be immediately necessary, a strategy often used to optimise processing.
A central component in this attack is the Branch Target Buffer (BTB) and the Return Stack Buffer (RSB). Inception disrupts branch prediction during the transient window by introducing fresh predictions into the branch predictor. This action creates more powerful transient windows, which can then be exploited to overflow the Return Stack Buffer. Ultimately, this allows Inception to take control of the CPU.
Preventing Exploitation and Mitigation Strategy
AMD has acknowledged the vulnerability in a recent bulletin. The company has released a µcode patch for the affected processors which can be applied via a BIOS update.
According to XDA Developers, like Intel’s “Spectre” vulnerability, effective mitigation strategies remain challenging. One proposed mitigation approach involves flushing the branch predictor during context switches. However, this could inflict significant performance degradation.
If you are using one of the following processors, it would be best to check for a BIOS update.
Desktop CPUs & APUs:
- 3rd & 4th Gen AMD EPYC CPUs
- Ryzen 5000 & 4000 Series Desktop Processors (including CPUs like Ryzen 5 5600G or Ryzen 7 4700G APUs)
- Ryzen 7000 Series Desktop Processors
- Ryzen Threadripper PRO 5000WX Series Processors
Mobile CPUs:
- Ryzen 5000 Series Mobile Processors
- Ryzen 6000 Series Processors (with Radeon Graphics)
- Ryzen 7035 Series Processors (with Radeon Graphics)
- Ryzen 7030 Series Processors (with Radeon Graphics)
- Ryzen 7040 Series Processors (with Radeon Graphics)
- Ryzen 7045 Series Processors
