AMD's Zen Architecture Is Vulnerable To A New Insidious SMT Security Flaw
Researchers have detailed the SQUIP attack, which is particularly worrisome for users of AMD Zen 1, Zen 2 and Zen 3 processors. Researchers were able measure the precise degree of Scheduler Queue Usage (i.e., occupancy) via Interference Probing, giving the attack its name. Using this technique, it was possible in tests to recover a full RSA-4096 encryption key from a user on a co-located virtual machine (VM) and co-located process.
SQUIP is claimed by researchers from the Graz University of Technology, the Georgia Institute of Technology, and the Lamarr Security Research Center to be the first side-channel attack on scheduler queues. Regular readers will be aware of the raft of side-channel memory reading vulnerabilities a few years back, with the most famous being Spectre and Meltdown. Here the data isn’t spied upon in memory, but within the processor scheduler queue. For this reason, AMD Zen 1, Zen 2 and Zen 3 processors are the most vulnerable – with per execution unit scheduler queues and SMT (simultaneous multi-threading) providing the co-located VM/process snooping opportunities.
Based on the above information, this vulnerability is not likely to be a huge problem for home PC users, enthusiasts and gamers. The attack as it is currently known to work relies on a few special conditions – namely that the attacker and victim must have co-located VMs or processes using the same physical core but run their code on different SMT threads. Thus, the victim’s process can be spied upon by an attacker using the other core thread in a VM. The researchers were able to extract data at a rate of 0.89 Mbit/s from a co-located VM and a rate of 2.70 Mbit/s from a co-located process with very high degrees of accuracy.
Intel processors are not vulnerable to this attack as they have a single scheduler queue. Meanwhile, Apple Silicon processors with split scheduler queues do not currently utilize SMT.