Recent years have brought microarchitectural security intothe spotlight, proving that modern CPUs are vulnerable toseveral classes of microarchitectural attacks. These attacksbypass the basic isolation primitives provided by the CPUs:process isolation, memory permissions, access checks, andso on. Nevertheless, most of the research was focused on In-tel CPUs, with only a few exceptions. As a result, few vulner-abilities have been found in other CPUs, leading to specula-tions about their immunity to certain types of microarchi-tectural attacks. In this paper, we provide a black-box anal-ysis of one of these under-explored areas. Namely, we inves-tigate the flaw of AMD CPUs which may lead to a transientexecution hijacking attack. Contrary to nominal immunity,we discover that AMD Zen family CPUs exhibit transient ex-ecution patterns similar for Meltdown/MDS. Our analysisof exploitation possibilities shows that AMDs design deci-sions indeed limit the exploitability scope comparing to In-tel CPUs, yet it may be possible to use them to amplify othermicroarchitectural attacks.

中文翻译：

---

非规范访问的瞬时执行

近年来，微架构安全性成为人们关注的焦点，证明现代 CPU 容易受到几类微架构攻击。这些攻击绕过 CPU 提供的基本隔离原语：进程隔离、内存权限、访问检查等。尽管如此，大部分研究都集中在英特尔 CPU 上，只有少数例外。因此，在其他 CPU 中发现的漏洞很少，导致人们猜测它们对某些类型的微架构攻击具有免疫力。在本文中，我们对这些未充分探索的区域之一进行了黑盒分析。即，我们调查可能导致瞬时执行劫持攻击的 AMD CPU 的缺陷。与名义免疫相反，我们发现 AMD Zen 系列 CPU 表现出类似于 Meltdown/MDS 的瞬态执行模式。我们对漏洞利用可能性的分析表明，与英特尔 CPU 相比，AMD 的设计决策确实限制了可利用范围，但仍有可能使用它们来放大其他微架构攻击。