AMD's Zen Architecture Is Vulnerable To A New Insidious SMT Security Flaw

Researchers have detailed the SQUIP attack, which is particularly worrisome for users of AMD Zen 1, Zen 2 and Zen 3 processors. The researchers were able to measure the precise degree of Scheduler Queue Usage (i.e., occupancy) via Interference Probing, which gives the attack its name. Using this technique, it was possible in tests to recover a full RSA-4096 encryption key from a victim running in a co-located virtual machine (VM) and from a co-located process.

SQUIP is claimed by researchers from the Graz University of Technology, the Georgia Institute of Technology, and the Lamarr Security Research Center to be the first side-channel attack on scheduler queues. Regular readers will be aware of the raft of side-channel memory-reading vulnerabilities a few years back, the most famous being Spectre and Meltdown. Here the data isn’t spied upon in memory; the leak comes from contention in the processor’s scheduler queues. For this reason, AMD Zen 1, Zen 2 and Zen 3 processors are the most vulnerable, because their per-execution-unit scheduler queues combined with SMT (simultaneous multi-threading) give a co-located VM or process the opportunity to snoop.

Based on the above information, this vulnerability is not likely to be a huge problem for home PC users, enthusiasts and gamers. The attack as it is currently known to work relies on a few special conditions, namely that the attacker and victim must have co-located VMs or processes that share the same physical core but run their code on different SMT threads. In that situation, the victim’s process can be spied upon by an attacker running on the sibling thread of the same core, for example from another VM. The researchers were able to extract data at a rate of 0.89 Mbit/s from a co-located VM and a rate of 2.70 Mbit/s from a co-located process, with very high degrees of accuracy.
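As an added, simplified illustration (not code from the article or from the SQUIP researchers): a co-located SMT sibling that can observe how busy a scheduler queue is learns how many operations of each unit's type the victim issued, never the operands. Modelled as a count of multiply-unit operations per private-exponent bit, a naive square-and-multiply modular exponentiation leaks every key bit through that count alone, whereas a Montgomery ladder issues the same number of multiplies for every bit. The function names and the toy base, exponent and modulus are assumptions of this example.

```python
# Added toy model, not the article's or the researchers' code.
# A scheduler queue is shared by both SMT threads on a Zen core, so a
# sibling thread can observe how many operations of a unit's type the
# victim issued; the operands themselves stay hidden. This models that
# observable as the number of multiply-unit operations per exponent bit.

def square_and_multiply(base, exp, mod):
    """Naive left-to-right modular exponentiation.
    Returns (base**exp % mod, per-bit multiply count)."""
    result, trace = 1, []
    for bit in bin(exp)[2:]:
        result = result * result % mod      # squaring: one multiply, always
        ops = 1
        if bit == "1":
            result = result * base % mod    # extra multiply only for a 1 bit
            ops += 1
        trace.append(ops)
    return result, trace

def montgomery_ladder(base, exp, mod):
    """Same computation with a fixed pattern: two multiplies per bit
    whatever the bit's value, so the multiply count carries no key bits."""
    r0, r1, trace = 1, base % mod, []
    for bit in bin(exp)[2:]:
        if bit == "0":
            r1 = r0 * r1 % mod
            r0 = r0 * r0 % mod
        else:
            r0 = r0 * r1 % mod
            r1 = r1 * r1 % mod
        trace.append(2)
    return r0, trace

def decode_trace(trace):
    """Decoding rule an occupancy observer applies to the naive algorithm:
    2 multiplies in a step means a 1 bit, 1 multiply means a 0 bit.
    Applied to the ladder's flat trace it yields all ones, i.e. nothing."""
    return "".join("1" if ops == 2 else "0" for ops in trace)

if __name__ == "__main__":
    secret, base, mod = 0b1011, 7, 101     # constructed toy values
    for name, fn in (("square-and-multiply", square_and_multiply),
                     ("montgomery ladder", montgomery_ladder)):
        result, trace = fn(base, secret, mod)
        assert result == pow(base, secret, mod)
        print(f"{name:20s} trace={trace} decoded={decode_trace(trace)}")
```

With the toy key 1011, the naive trace decodes back to 1011 while the ladder's trace decodes to 1111 regardless of the key, which is the property a constant-pattern implementation relies on.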

The researchers have put forward some countermeasures that could be applied to future processor architectures to close the SQUIP attack vector. Proposed measures include making the scheduler queues symmetric, moving to a single scheduler queue design, or strengthening the isolation between SMT threads.

Intel processors are not vulnerable to this attack because they use a single scheduler queue. Apple Silicon processors do have split scheduler queues, but they do not currently use SMT.

AMD has already assigned the SQUIP flaw the CVE identifier CVE-2021-46778 and rates it as a ‘medium’ severity issue.