AMD has published a report with a security analysis of the PSF (Predictive Store Forwarding) optimization technology implemented in Zen 3 series processors. The study confirmed in theory that the Spectre-STL (Spectre-v4) attack method, identified in May 2018, is applicable to PSF, but in practice no code patterns that could lead to an attack have been found so far, and the overall danger is assessed as minor.
Recall that the Spectre-v4 attack (Speculative Store Bypass) is based on recovering data that has settled in the processor cache after the result of speculative operations was discarded, during the processing of alternating write and read operations that use indirect addressing. When a read operation follows a write operation (for example, MOV [RBX + RCX], 0x0; MOV RAX, [RDX + RSI]), the offset of the read address may already be known because similar operations were performed earlier (read operations are performed much more often, and reads can be served from the cache), so the processor can speculatively perform the read before the write, without waiting for the indirect-addressing offset of the write to be computed.
This feature allows the read instruction to access the old value at an address while the store operation has not yet completed. On a misprediction, the failed speculative operation is discarded, but traces of its execution remain in the processor cache and can be extracted by one of the methods for determining cache contents, based on analyzing the change in access time to cached and uncached data.
PSF technology extends the STLF (Store-to-Load Forwarding) optimization by speculatively performing read operations based on a prediction of the relationship between read and write operations. With STLF, the processor performs the "load" operation on data forwarded directly from the preceding "store" instruction, without waiting for the result to actually be written to memory, but only after making sure that the addresses used in the "load" and "store" instructions match. The PSF optimization makes the address check speculative and performs the "load" operation before the address calculation has completed, if a store/load pair manipulating the same address was executed earlier.
If the prediction turns out to be wrong, the state is rolled back.
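The STLF and PSF behaviour described above, as a simplified conceptual model (an added example, not taken from AMD's report or from the original article). The `ToyCore` class, the predictor keyed on store/load instruction addresses, the `psf_enabled` switch and all addresses and values are assumptions made for illustration and do not reflect AMD's actual design.

```python
from dataclasses import dataclass, field


@dataclass
class ToyCore:
    """Conceptual model of STLF/PSF; not AMD's actual predictor design."""
    psf_enabled: bool = True
    memory: dict = field(default_factory=dict)
    trained: set = field(default_factory=set)      # (store_pc, load_pc) pairs seen aliasing
    cache_trace: set = field(default_factory=set)  # values used by dependent accesses

    def store_load(self, store_pc, store_addr, value, load_pc, load_addr):
        """Execute a store followed by a load; return (loaded_value, events)."""
        events = []
        # Phase 1: addresses not yet computed. PSF may forward on prediction alone.
        speculated = self.psf_enabled and (store_pc, load_pc) in self.trained
        if speculated:
            events.append("psf-speculative-forward")
            self.cache_trace.add(value)  # dependent access leaves a cache footprint
        # Phase 2: addresses resolved; the store commits.
        self.memory[store_addr] = value
        if store_addr == load_addr:
            self.trained.add((store_pc, load_pc))  # train the predictor on the alias
            if not speculated:
                events.append("stlf-forward-after-address-check")
            loaded = value
        else:
            if speculated:
                events.append("mispredict-rollback")  # state restored, cache is not
            loaded = self.memory.get(load_addr, 0)
        self.cache_trace.add(loaded)  # architectural dependent access
        return loaded, events


def demo(psf_enabled):
    """Train on an aliasing pair, then run the same pair with different addresses."""
    core = ToyCore(psf_enabled=psf_enabled)
    core.memory[0x200] = 7                        # constructed value at another address
    core.store_load(0x10, 0x100, 1, 0x14, 0x100)  # same address: trains the pair
    loaded, events = core.store_load(0x10, 0x100, 42, 0x14, 0x200)  # addresses differ
    return loaded, events, 42 in core.cache_trace


if __name__ == "__main__":
    print("PSF on :", demo(True))
    print("PSF off:", demo(False))
```

In both runs the load architecturally returns 7; only with the PSF path enabled does the model keep a cache trace of the mispredicted value 42 after the rollback.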