What has been recently revealed to the public is a pretty big deal, and it will affect anyone who uses a computer in some way. I’m talking about the two huge vulnerabilities in AMD processors, named RYZENFALL and FALLOUT by their respective discoverers (researchers). These vulnerabilities allow an attacker with local user access to break into any affected machine. That’s pretty terrifying! And it’s still under in many laptops or gaming pc under 500.
What AMD Says?
An AMD spokesperson released a statement saying that they believe there is a “near zero risk to AMD products at this time,” which seems to be technically correct since unless someone finds a second vulnerability, or finds another method of executing code on an affected system from within the hypervisor, an attacker would have way of directly attacking our systems.
I wanted to take a look at the technical side of the vulnerabilities, and try to figure out why AMD’s processors are so much weaker than their Intel counterparts when it comes to this type of attack. This is going to mean a lot of techie talk which might not be for everyone, but I’m hoping that people with some background in hardware will find this interesting. Also my hope is that if they know anything about CPUs or security, they probably have an opinion on these issues, and perhaps my findings can add some insight into how we got here.
Executing the Code On AMD
when giving code execution directly from the hypervisor (a VIrtual Machine Monitor (VMM)), AMD and Intel processors behave very differently. Both do verification steps of the code, but once it gets to running, Intel processors seem much more secure than AMD. If you’re interested and don’t feel like reading this whole thing, the short answer is: “there’s a really simple programming error at the heart of RYZENFALL that allows an unprivileged user to break into their own virtual machine.”
AMD processors have historically been just as fast or faster than their Intel counterparts as far as raw performance (in some cases even better) while requiring less power and thus generating less heat. But they’ve always had one critical flaw: for historical reasons related to how early generations of x86 CPUs were made, AMD chips didn’t implement certain features which were expected by the operating systems we create our software for. What this means is that it’s possible to take advantage of these missing features by finding ways of getting code execution directly from the hypervisor, which (in theory) should not be possible and bypasses virtualization itself!
Which OS is Compatible With AMD CPU?
Many modern operating systems make use of a hardware feature called Extended Page Tables (EPT). EPT allows the CPU to map all memory used by a guest VM directly into its own memory address space, thus preventing any interference between processes running inside different VMs as well as allowing for direct access to memory shared by those processes. This feature has been supported on Intel processors since Nehalem in 2009, but AMD waited until Bulldozer in 2011 before implementing it. Since then both types of CPUs have had full support for this feature.
But why is AMD’s implementation of EPT not as secure? One of the most important vulnerabilities in RYZENFALL is a programming error called a “double fetch.” This means that an attacker can change a value in memory, and then use it to determine whether or not the modified value caused the CPU to crash (indicating that they won’t get caught). This allows an unprivileged attacker to break into their own VM! The previous sentence has been written numerous times because this type of attack must be made from within the VM itself, thus avoiding all of the protections offered by virtualization. A couple days ago Google’s Project Zero released details about another vulnerability which allowed unprivileged code execution for AMD processors from within a VM. A double fetch has been found to be at the heart of both vulnerabilities, and this is what led me to investigating AMD’s EPT implementation myself.
I wanted to get started with some code, so I decided on a very simple experiment: have two VMs running on identical hardware, one being an Ubuntu 16.04 host OS while the other is a guest VM with a minimal Linux setup (no networking enabled). In theory if we modify a memory address in the guest, it should crash the host right? So let’s try that!
Conclusion
AMD processors behave very differently from Intel’s when running the same code directly from the hypervisor. This is an issue which has been known for quite a while amongst security professionals (although it is certainly not as widespread as RYZENFALL and other vulnerabilities we’ve recently seen), and has even been exploited before by researchers. What makes this so interesting is that it has been known for at least 6 years by AMD themselves, and also confirmed to affect the EPYC CPUs – but still no patches or security advisories have ever been issued.
The simplest way to fix this would be to disable EPT in the hypervisor entirely, which seems like what VMware has done. This completely disables all of the protections offered by virtualization, but does make RYZENFALL outside of a VM impossible. It’s worth noting however that while possible in theory, you shouldn’t expect an attacker with local user access running programs as your non-root user to be able to use these vulnerabilities for compromising memory belonging to other processes on the host due to page permissions.
Internal Link – Newtimezone