We show that the user-kernel isolation on AMD CPUs suffers from the same type of side-channel leakage that led to Meltdown on Intel CPUs. Specifically, we discover timing and power variations of the prefetch instruction that can be observed from unprivileged user space. We demonstrate this side channel with multiple case studies, e.g., by breaking (fine-grained) KASLR, monitoring kernel activity, and even leaking kernel memory with simple Spectre gadgets in the Linux kernel.
Moritz Lipp and Daniel Gruss, Graz University of Technology; Michael Schwarz, CISPA Helmholtz Center for Information Security
In this work, we critically analyze the efficacy of prior work that proposed power side channel-based control flow monitoring for embedded devices. We propose an approach that allows an attacker who is aware of such a defense to craft malicious code that resembles original code in its power use. As a result, the monitor will misclassify malicious control flows as legitimate, and fail to detect the attack.
Yi Han, Matthew Chan, and Zahra Aref, Rutgers University; Nils Ole Tippenhauer, CISPA Helmholtz Center for Information Security; Saman Zonouz, Georgia Tech
Amplification vulnerabilities in popular Internet services enable powerful Distributed Denial-of-Service attacks. To date, finding these vulnerabilities is a largely manual effort[, typically driven by attacker groups in search of unknown vectors for which no mitigation strategies exist]. With AmpFuzz, we propose a greybox fuzzer that follows a protocol-agnostic approach to revealing new amplification vulnerabilities in network services.
Johannes Krupp, CISPA Helmholtz Center for Information Security; Ilya Grishchenko, University of California, Santa Barbara; Christian Rossow, CISPA Helmholtz Center for Information Security