Zen 2 AMD chips are affected by this one.

    • CoolYori [she/her]
      ·
      1 year ago

      This is actually a rather stupid problem CPU manufacturers keep getting into. Intel got into this swamp before because of it and it all has to relate to how they implement features of hyper-threading. It's also part of the classic "fast, secure, or cheap" pick only two industry.

  • CoolYori [she/her]
    ·
    1 year ago

    Don't ask me why but I want to make an Oops It's All Microcode cereal box meme pic.

  • culpritus [any]
    ·
    1 year ago

    WTAF

    The 'Zenbleed' vulnerability spans the entire Zen 2 product stack, including AMD's EPYC data center processors and the Ryzen 3000/4000/5000 CPUs, allowing the theft of protected information from the CPU, such as encryption keys and user logins. The attack does not require physical access to the computer or server and can even be executed via javascript on a webpage.

    The Zenbleed vulnerability is filed as CVE-2023-20593 and allows data exfiltration (theft) at a rate of 30kb per core, per second, thus providing adequate throughput to steal sensitive information flowing through the processor. This attack works across all software running on the processor, including virtual machines, sandboxes, containers, and processes. The ability for this attack to read data across virtual machines is particularly threatening for cloud service providers and those who use cloud instances.

    explanation from the researcher:

    "The bug works like this, first of all you need to trigger something called the XMM Register Merge Optimization, followed by a register rename and a mispredicted vzeroupper. This all has to happen within a precise window to work.

    We now know that basic operations like strlen, memcpy and strcmp will use the vector registers - so we can effectively spy on those operations happening anywhere on the system! It doesn’t matter if they’re happening in other virtual machines, sandboxes, containers, processes, whatever!

    This works because the register file is shared by everything on the same physical core. In fact, two hyperthreads even share the same physical register file," says Ormandy.

    How are cloud providers going to deal with this? Will there be a fire sale of used Zen2's?

    • gaycomputeruser [she/her]M
      ·
      1 year ago

      Server processors have already been patched. https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html#mitigation Luckily it's unlikely to affect individual users (too much) as this seems to be a decently technical exploit.

      • silent_water [she/her]
        ·
        1 year ago

        no this affects users as well. it's triggerable from arbitrary javascript. there will be demos up within a week. the only saving grace is that this only affects a single generation rather than literally the whole product stack a la meltdown.

    • culpritus [any]
      ·
      1 year ago

      Same, thought I was affected until I double checked. I'm still on 2000 series which isn't affected so far.

  • PaX [comrade/them, they/them]
    ·
    1 year ago

    jokerfied Love living in the age of ubiquitous hardware side channels because our wonderful for-profit electronics industry is focused on getting the chips to go faster and have more features above all else.

    Sometimes I think we need a radical new approach to computing but I'm not sure what it is. Probably involves the burial of the instruction set architecture approach (it's already dead, everything is microcoded anyway). Maybe logic processors. Maybe hardware stack machines (unlikely). Transport-triggered architectures might play a role.

    Death to America and PCs.