AMD Zen 3 CPUs vulnerable to Spectre-like attacks via PSF feature

US chipmaker AMD advised customers last week to disable a new performance feature if they plan to use CPUs for sensitive operations, as this feature is vulnerable to Spectre-like side-channel attacks.

Called Predictive Store Forwarding (PSF), this feature was added to AMD CPUs part of the company’s Zen 3 core architecture, a processor series dedicated to gaming and high-performance computing, which launched in November 2020.

The feature implements a technique called speculative execution, which works by running multiple alternative CPU operations in advance to make results available faster, and then discarding “predicted” data once deemed unneeded.

Below is AMD’s high-level explanation for how PSF works under the hood:

It is common for a CPU to execute a load instruction to an address that was recently written by a store. Many modern processors implement a technique known as Store-To-Load-Forwarding (STLF) to improve performance in such cases. With STLF, data from the store is forwarded directly to the load without having to wait for it to be written to memory. In a typical CPU, STLF occurs after the address of both the load and store are calculated and determined to match.

PSF expands on this by speculating on the relationship between loads and stores without waiting for the address calculation to complete. With PSF, the CPU learns over time the relationship between loads and stores. If STLF typically occurs between a particular store and load, the CPU will remember this. When the CPUsees the store/load pair again, it may predict that STLF will occur and speculatively forward the data from the store to the load. This is done before confirming that the store and load are in fact to the same address.

In typical code, PSF provides a performance benefit by speculating on the load result and allowing later instructions to begin execution sooner than they otherwise would be able to. Most of the time, the PSF prediction is accurate. However, there are cases where the prediction may not be accurate and cause incorrect CPU speculation.

AMD

PSF vulnerable to side-channel attacks

But since 2018, the academic community has published research on a wide variety of attacks against “speculative execution,” attacks that have been used to break security barriers between apps inside the CPU and then leak app data via so-called side-channel attacks.

Past work includes attacks known as Spectre, Meltdown, Spectre-NG, ZombieLoad, Foreshadow, RIDL, Fallout, the LVI attacks, and many other more.

Daniel Gruss, an assistant professor at the Graz University of Technology and one of the researchers involved in discovering some of the attacks listed above told The Record that AMD’s SPF is theoretically vulnerable to some of the vulnerabilities disclosed in previous years.

“PSF in principle is an extension to more simple forms of store-to-load forwarding which is already exploitable in Spectre attacks. So it enables new variations of Spectre-STL (aka Spectre-v4) attacks,” Gruss told us in an email.

“PSF adds another possibility for an attacker to directly obtain values from a victim domain, if very specific gadgets exist in the victim domain.”

“While we have looked into store-to-load forwarding on AMD for our store-to-load forwarding paper [PDF], we didn’t observe this effect at the time. Research will now have to show whether an attacker can find or induce such Spectre PSF gadgets into a victim domain in a realistic scenario,” Gruss added.

AMD tells customers to disable PSF in some scenarios

While some of the previous attacks sometimes impacted AMD and Arm CPUs, most of the time, the attacks affected Intel’s processor since the company had pioneered using speculative execution for performance gains long ahead of its rivals.

However, AMD said it was aware of this past research and recognized that there might be instances where the PSF feature could expose its customers to variations of attacks like the ones above, as Gruss also suggested.

“In particular, programs that implement isolation, also known as ‘sandboxing’, entirely in software may need to be concerned with incorrect CPU speculation, which can occur due to bad PSF predictions,” AMD said in a security alert published last Friday.

The company recommends that hardware-based sandboxing be used instead, which is not affected by any type of PSF attacks.

Furthermore, if AMD customers want to be on the safe side, they can disable PSF entirely. The chipmaker has provided instructions on how PSF can be disabled on its Zen 3 architecture in its advisory [PDF].