The security gap AEPIC Leak is in current Intel processors of the Ice Lake, Tiger Lake and Alder Lake generations (Core i-10000, 11000, 12000, Xeon SP Gen 3). The AEPIC Leak is not a side channel, but a bug in the microarchitecture: The security experts from Sapienza Uni Rome, Graz University of Technology, Amazon AWS and CISPA rather use the registers of the Advanced Programmable Interrupt Controller (APIC) to transfer data read from the CPU caches.
More precisely, they read undefined areas of the so-called Superqueue (SQ), which connects the level 2 and level 3 caches of Intel processors with Sunny Cove-type cores.
The AEPIC leak attack (CVE-2022-21233) can be used to read secret key data, even from supposedly securely protected SGX enclaves.
However, only users with admin rights have access to the APIC registers. This significantly reduces the risk potential of AEPIC leak attacks. The security researchers also name a number of protective measures against AEPIC Leak and recommend Intel to avoid this error in future CPU cores.
Pietro Borrello and Andreas Kogler present AEPIC Leak at Black Hat USA 2022.
SQUIP side channel on AMD and ARM CPUs
SQUIP, which uses the scheduler queue of processor cores, is a side channel – similar to Specter-type vulnerabilities. With the “Scheduler Queue Contention Side Channel”, the attacker observes and manipulates the scheduler queue, which distributes the pending commands to the individual arithmetic units of the processor.
The SQUIP attack observes and manipulates the scheduler queue to eavesdrop on data.
(Bild: SQUIP: Exploiting the Scheduler Queue Contention Side Channel, Stefan Gast, Jonas Juffinger, Martin Schwarz, Gururaj Saileshwar, Andreas Kogler, Simone Franza, Markus Köstl, Daniel Gruss (Lamarr Security Research, Graz University of Technology, Georgia Institute of Technology))
While the CPU cores of Intel processors have common schedulers for all existing arithmetic units, the security researchers found out that AMD processors of the Zen 2 and Zen 3 generations as well as Apple’s M processors use so-called “Per-Execution-Unit Scheduler Designs”. multiple schedulers per CPU core. Each scheduler queue only supplies specific arithmetic units.
The AMD processor cores in turn have arithmetic units with different properties. So only ALU1 performs multiplication, division and CRC operations. Consequently, the scheduler always allocates such tasks to ALU1.
By now specifically filling the scheduler queue ALQ1 for this ALU1, the experts were able to generate reproducible delays that can be measured – for example with the help of performance counters, which the CPU conveniently provides itself.
These measurements of the processing times, which are necessary for the multiplication of certain data, for example, allow conclusions to be drawn about this data. This works particularly well when the “observation thread” (i.e. the malware, so to speak) runs as a second thread (sibling thread) on the second logical processor core of a CPU core with simultaneous multithreading (SMT). Therefore, as a countermeasure against SQUIP, the security researchers recommend doing without SMT. However, software countermeasures are also possible.
In principle, SQUIP would also be a security risk for ARM processor cores with multiple scheduler queues and SMT, as the authors explain. Such are not yet on the market.
Like the AEPIC Leak, Martin Schwarzl, Andreas Kogler and Daniel Gruss from Graz University of Technology were involved in uncovering the side channel SQUIP. At SQUIP, they cooperated with Lamarr Security Research and Stefan Gast, who also did his doctorate in Graz, and with the Georgia Institute of Technology.
To home page