AMD has disclosed a new class of microarchitectural attacks against its processors, called Transient Scheduler Attack (TSA). The attack lets an attacker bypass the CPU's isolation mechanisms and extract data being processed in other contexts, for example from user space into the kernel, or between guest virtual machines.
The vulnerability was found by researchers from Microsoft and the Swiss Federal Institute of Technology Zurich (ETH Zurich) while developing tools to stress-test microarchitectural isolation between different security domains, such as CPU cores, virtual machines, and processes.
The attack exploits the fact that the execution time of certain instructions depends on the state of microarchitectural structures. When the processor expects a load instruction to return data from memory quickly but the data does not actually arrive, a "false completion" occurs. The processor may then speculatively execute dependent operations using that incomplete data, which can leak sensitive information.
Although the state of the cache and the TLB (Translation Lookaside Buffer) remains unchanged, the leaked data can affect how long other instructions take to execute, and this timing difference serves as the channel for leaking information from microarchitectural structures. Two vulnerabilities have been identified, distinguished by the source of the residual data that leaks: TSA-SQ (TSA Store Queue, CVE-2024-36350) and TSA-L1 (TSA L1 Data Cache, CVE-2024-36357).