[Update] Security flaws discovered in AMD zen processors : AMD's meltdown?

[LAwLz]

9 hours ago, laminutederire said:

One thing that really bothers me is that it does not seem to be that huge of a deal, when you see that Linux is not mentioned anywhere: meaning that if absolutely nothing can be done on Linux, that's just a software issue, and it therefore can be mitigated, contrary to what the guys from CTS are claiming.

It's more complicated than "it's a software issue so it can be patched". Like I said earlier, the vulnerability is in the PSP itself. This should not be possible regardless of which OS you are running, and once the payload is delivered the OS should be irrelevant.

The lack of GNU/Linux mention doesn't really mean much. It might be that they have only tested it on Windows.

 

 

9 hours ago, laminutederire said:

When you build around both ideas you see that those individuals no matter how right they were, should maybe end up in jail for the way they disclosed it. Because everything in the way it was disclosed points towards manipulation through unfair assumptions, exaggeration of impact or exaggeration of the impossibility to fix it, as well as downright conspiracy theories that they won't succeed in proving when they speak of backdoors (which are to be left purposely).

I could not disagree more. Jailtime for disclosing a vulnerability? Ridiculous.

Did you know that we used to have 0 day disclosures in public mailing lists? This disclosure, vague and inflammatory as it may be, still does not contain the PoC and can therefore not be abused that easily in the wild.

Don't get me wrong, the disclosure was bad, but we really don't want to start making laws banning disclosures done outside of certain government approved ways. That opens up a massive can of worms.

 

 

9 hours ago, laminutederire said:

And that's the same exaggeration that were going on on those 23 pages from you in particular, that made the debate remain polarized for the most part. And if you were perceived as the anti amd side was basically that you were purposely painting a picture which was exaggerated against amd, just like the paper does. (And there was a caution to observe in such a situation to avoid chaos, which you refused to let some us have in the discussion by the way).

I don't think I have exaggerated anything. Maybe I am looking at this completely wrong, but in my eyes there have been a large amount of "AMD extremists" which have been spreading a lot of misinformation and talked about this even though they don't understand the first thing about it. And as I have replied to them, I have had to brought up why these things are issues, and I have tried to stick to facts. But, when you are on the extreme end of things, people with neutral and factual stances on issues can be perceived as being on the opposite end of the spectrum, just because the gap between the extremist and the neutral person's stance is so vast.

 

That goes for all types of discussions by the way. Extremists always see anything but views that perfectly align with their own as extremists on the other side.

 

Want me to stop posting? Stop posting incorrect statements (this is a general statement not aimed at you specifically). It really is as simple as that. But people just can't help themselves talking about things they don't have the slightest clue about.

 

(And yes, I realize this is exactly what I would be saying if I was an AMD hater trying to pour gas on this dumpster fire of a thread, but I'd like to think I'm not).

[Arika]

22 minutes ago, Misanthrope said:

Sorry but not "just" but also due to the fact that the described vulnerabilities require pretty damn compromised circumstances to compromise them further. As in once you have that much access to a system you can probably do some damage, maybe not as much but it's already fairly bad.

So would you prefer they didn't announce it at all and just kept it to themselves? What kind of logic is that?

 

If there's a flaw or exploit, regardless of how complex, it should be bought to the attention of the manufacturer. I agree that the way they announced it is questionable but it doesn't change the fact that it exists and needs to be fixed

[Misanthrope]

2 minutes ago, Sierra Fox said:

So would you prefer they didn't announce it at all and just kept it to themselves?

I never said that: I did not even imply that. Stop trying to win arguments nobody is having with you, particularly not me.

 

Because I can tell you what kind of logic is the one you're using.

[Arika]

4 minutes ago, Misanthrope said:

I never said that: I did not even imply that. Stop trying to win arguments nobody is having with you, particularly not me.

 

Because I can tell you what kind of logic is the one you're using.

So then what are you getting at? you are saying it such a complex exploit  that your system has to be in a state that it would not normally be in to have such a flaw exploited....and?

 

then i will ask you

 

do you think it should have been announced?

do you think it should be fixed?

[LAwLz]

Also, Arrigo Triulzi that a lot of nay sayers were quoting in the beginning has made a few more tweets.

 

Spoiler

A few clarifications on my stance wrt AMDFLAWS:

1) make no mistake, those are vulnerabilities,

2) my stance, which I continue to stand behind, is that they were disproportionately hyped to levels rarely seen before and the threat to the average user is negligible,

3) the vulnerabilities as described point to a flaw in the interface between the AMD security processor and its drivers which can be tricked into loading malicious code into the security processor. This is Not Good™.

4) furthermore there is the subtle indication that the security processor as implemented (and, possibly, as designed) is too powerful for its own good being able to modify IOMMU mappings. This is Not Good™ either.

5) the flaws point to the security processor being susceptible to making a mockery of all the various fancy "trusted boot" and verification settings in Windows. It means the "trust" bit is no longer there: a boon for those wanting open booting on TPM-enabled systems for sure but again, not a design goal…

6) there is an unsubtle hint that an outsourced chipset is vulnerable. This opens a can of worms of major proportions in the middle of the current geopolitical situation. If your computer has TS/SC stuff on it and this chipset then "oops."¹

(¹ this is not to say that other persistent backdoors were not available in PCs, simply add one.)

 

Bottom line: trust is fickle. AMD messed up the implementation, possibly the design, definitely the QA and, what is to me most concerning, the QA on an outsourced chipset they sell as their own.

But it is /not/ a company killer nor does it imperil the average user.

 

And also this one:

*Cough cough* @PPCs-Kat *cough cough*

There were more people saying this but I don't remember their names.

 

 

 

 

In other news, if the MasterKey exploit can be used to manipulate or disable the PSP then it might be possible to make AM4 boards run Libreboot.

[laminutederire]

20 minutes ago, LAwLz said:

It's more complicated than "it's a software issue so it can be patched". Like I said earlier, the vulnerability is in the PSP itself. This should not be possible regardless of which OS you are running, and once the payload is delivered the OS should be irrelevant.

The lack of GNU/Linux mention doesn't really mean much. It 

Well I'm sorry but you cannot say my interpretation is wrong. It's as possible that it is an issue only with w10 as it is an issue inherent of the psp. You're spreading misinformation just now by affirming pseudo facts of I were to nitpick. We have too few details to decide whether your version or mine or others is true at this point. That's why I'm pointing out logically true statement based on hypothesis that I present as hypothesis. Remains that once you're infected it becomes OS agnostic as described, but that doesn't entail that it cannot be a software issue on Windows only.

 

I agree that most people post their feelings, and I myself had that urge that I decided to not act on, to wait for info about what's going on.

 

I'm not saying they deserve jail for the disclosure, but rather because they intentionally blew things out of proportion to the point it's almost lying and it is arguable that they caused disruption to amd and that it is a bit defamatory to say the least. And that intent to hurt should be punished in some way.

[Razor01]

Just now, laminutederire said:

Well I'm sorry but you cannot say my interpretation is wrong. It's as possible that it is an issue only with w10 as it is an issue inherent of the psp. You're spreading misinformation just now by affirming pseudo facts of I were to nitpick. We have too few details to decide whether your version or mine or others is true at this point. That's why I'm pointing out logically true statement based on hypothesis that I present as hypothesis. Remains that once you're infected it becomes OS agnostic as described, but that doesn't entail that it cannot be a software issue on Windows only.

 

I agree that most people post their feelings, and I myself had that urge that I decided to not act on, to wait for info about what's going on.

 

I'm not saying they deserve jail for the disclosure, but rather because they intentionally blew things out of proportion to the point it's almost lying and it is arguable that they caused disruption to amd and that it is a bit defamatory to say the least. And that intent to hurt should be punished in some way.

 

The legal ramifications of how they did something is total different from the significance of their findings, putting them together just makes things mess to have any meaningful discussion.  Just better to separate those two and keep them apart.

[LAwLz]

13 minutes ago, laminutederire said:

It's as possible that it is an issue only with w10 as it is an issue inherent of the psp.

No, because the OS should not be able to do these modifications to the PSP.

Your root of trust should not be able to be modified from the OS running beneath it in the trust hierarchy.

If this is a conscious design decision then AMD are quite frankly run by imbecilic, but I'd like to give them a bit more credit than that and say it's an oversight in their design and/or QA.

 

13 minutes ago, laminutederire said:

You're spreading misinformation just now by affirming pseudo facts of I were to nitpick.

No I am not.

 

13 minutes ago, laminutederire said:

but that doesn't entail that it cannot be a software issue on Windows only.

That might be true. The payload might only be able to be delivered through Windows. That does not mean it is a Windows issue though. The issue is that the PSP can be modified in this way to begin with.

Like I said earlier, I don't see how you can classify this as anything but a PSP issue. It doesn't make sense to say this is a Windows issue because Windows is not the target. It's just the proxy used for the attack. But in any case, I think it is quite irrelevant because calling it a Windows issue (which I think is illogical and wrong) or calling it a PSP issue doesn't change anything (except maybe masturbate to the idea that AMD can do no wrong, or that this is Microsoft's fault).

[Trixanity]

If a lot of these vulnerabilities are inherent to the PSP, isn't it then an ARM issue? The PSP is an ARM processor employing ARM's TrustZone technology. We don't know if AMD has modified it or if the issue stems from how it's implemented. Depending on the issue, it could be problematic for other chip designers using TrustZone as well. If so, all of these vulnerabilities would actually stem from AMD outsourcing chip designs to third parties. Not that it makes AMD exempt from blame as they did vouch for it to begin with. But that would be a funny scenario and perhaps a lesson learned.

[Razor01]

5 minutes ago, Trixanity said:

If a lot of these vulnerabilities are inherent to the PSP, isn't it then an ARM issue? The PSP is an ARM processor employing ARM's TrustZone technology. We don't know if AMD has modified it or if the issue stems from how it's implemented. Depending on the issue, it could be problematic for other chip designers using TrustZone as well. If so, all of these vulnerabilities would actually stem from AMD outsourcing chip designs to third parties. Not that it makes AMD exempt from blame as they did vouch for it to begin with. But that would be a funny scenario and perhaps a lesson learned.

 

Might not be inherent to ARM, ARM just licenses the IP for it, the company using the IP has to create their chips based on that IP.  Its more likely a design flaw then a flaw in the IP.

[Misanthrope]

1 hour ago, Sierra Fox said:

So then what are you getting at? you are saying it such a complex exploit  that your system has to be in a state that it would not normally be in to have such a flaw exploited....and?

 

then i will ask you

 

do you think it should have been announced?

do you think it should be fixed?

Yes I think they should be announced however I also think it's possible to announce them under far better circumstances.

Yes I think they should be fixed, I just don't think the priority is anywhere near as high as the alarmist tone of the paper suggests.

 

See how people are capable of nuanced opinions and don't need to be beholden to your forced binary choices?

[Arika]

2 minutes ago, Misanthrope said:

Yes I think they should be announced however I also think it's possible to announce them under far better circumstances.

Yes I think they should be fixed, I just don't think the priority is anywhere near as high as the alarmist tone of the paper suggests.

Then we're on the same page. 

[NinjaQuick]

4 hours ago, mynameisjuan said:

Dont know about you but our dev staff is completely fine with no admin rights. You see its companies like you and the other guys that allow admin access and some how get infected and make it to databases and accounts and then are leaked online. There should always be admins only and there is group policy that can wave admin rights to specific programs, which again, if you IT dept had a brain could do. 

Odd, hadn't realized Microsoft was such a hotbed of leaks.

[laminutederire]

30 minutes ago, LAwLz said:

 

Not it shouldn't I can only agree with that, but should it be only modifiable through Windows, that'd mean only the software of Windows is allowed to do it, which points to an oversight on the Windows implementation, which is bad but not as bad as it would necessitate a recall.

Well you're presenting an hypothetico deductive thought process without proving that the first hypothesis is true ( and I don't blame you, not many people have the details to know what exactly is happening (and it may be highly non trivial) ).

I am not saying amd can do no wrong. It remains that it could only be done through Windows which would lead to something wrong with their drivers for the chipset, and possibly they messed up the modules they coded for Microsoft. I'm pretty sure both Intel and amd write code for Microsoft to give them an abstraction barrier for them not to have to recode everything. And that would most probably the code messing up everything.

The issue with the PSP here would be that it is too trusting of what you could give to it, but then again, it is supposed to trust the OS at some point, and it is a valid assumption for AMD to allow as long as they make sure that the trusted part of the OS can be indeed trusted and not modified by malicious codes.

It's like when you want to design cryptographic protocols, at some point you'll have to make the assumption that the protocols are executed correctly, and the idea is not to isolate nodes of the network but rather to ensure that you can notice when there is an attack on the protocol.

I'm fairly convinced Ryzen has no issue with rejecting things from actors that it are not supposed to send it things, but rather that the software allowed to talk to it is being externally controlled in their attack, which can be mitigated without touching the psp ( and making the flaws more OS dependant). I don't know if I'm being very clear thoigh

[laminutederire]

59 minutes ago, Razor01 said:

 

The legal ramifications of how they did something is total different from the significance of their findings, putting them together just makes things mess to have any meaningful discussion.  Just better to separate those two and keep them apart.

The fact remains that they do not deserve a place in the scientific community because of the way they inappropriately behave. Genius or not, an ass** remains one! (We know a few of them in history (Like Cauchy, he was brilliant, but he did so many unethical things that he does not deserve to be held in high regards) ).

[Razor01]

25 minutes ago, laminutederire said:

The fact remains that they do not deserve a place in the scientific community because of the way they inappropriately behave. Genius or not, an ass** remains one! (We know a few of them in history (Like Cauchy, he was brilliant, but he did so many unethical things that he does not deserve to be held in high regards) ).

 

 

And that has nothing to do with their findings though.  Just like Cauchy, his findings were still valid lol.

[ravenshrike]

9 hours ago, mr moose said:

No.  This has nothing to do with Intel.

While there is no direct evidence that this has to do with Intel the fishy thing is that CTS was created 2-3 weeks after Intel was informed of MELTDOWN and it is very, very clearly a hatchet job against AMD given the name of the website and the 24hr notice.

 

That being said, the 24 hour notice could easily very well be that CTS knows that patches to make the exploits in question exponentially more difficult or even impossible are relatively easy to create. After all, their disclaimer was explicitly that the entire hatchet job was their opinion which means they could be lying through their teeth about the difficulty of any fixes in order to maximize their short term financial position.

[WMGroomAK]

Just wanted to post that Ian Cutress with Anandtech published the transcript and interpretations of their call with CTS and it makes for an interesting read...

 

https://www.anandtech.com/show/12536/our-interesting-call-with-cts-labs

 

[ItsMitch]

10 minutes ago, WMGroomAK said:

Just wanted to post that Ian Cutress with Anandtech published the transcript and interpretations of their call with CTS and it makes for an interesting read...

 

https://www.anandtech.com/show/12536/our-interesting-call-with-cts-labs

 

Quote

 

IC: The standard procedure for vulnerability disclosure is to have a CVE filing and a Mitre numbers. We have seen in the public disclosures, even 0-day and 1-day public disclosures, have relevant CVE IDs. Can you describe why you haven’t in this case?

ILO: We have submitted everything we have to US Cert and we are still waiting to hear back from them.

IC: Can you elaborate as to why you did not wait for those numbers to come through before going live?

ILO: It’s our first time around. We haven’t – I guess we should have – this really is our first rodeo.

DK: I think the biggest question that I still have is that ultimately who originated this request for analysis – who was the customer that kicked this all off?

ILO: I definitely am not going to comment on our customers.

 

2

lol yikes

[Razor01]

was just going to type that

 

this article just raised even more questions!

[JuNex03]

34 minutes ago, SC2Mitch said:

lol yikes

"It’s our first time around. We haven’t – I guess we should have – this really is our first rodeo. "

 

Wait what? I thought they had 16 yrs of experience?

[Trixanity]

Despite being supposed experts with 16 years of experience, they seem to know very little. It seems to be all PR. I think someone handed them a smoking gun. 

 

I just can't wrap my head around the idea of people so confused and ignorant being able to find 13 vulnerabilities just like that.

 

So yeah, I don't think these guys did the work. They're a proxy to cover up the trail.

[ravenshrike]

2 minutes ago, Trixanity said:

Despite being supposed experts with 16 years of experience, they seem to know very little. It seems to be all PR. I think someone handed them a smoking gun. 

Well, if 16 people work at the company and it was started a year ago...

 

 

 

Addendum - Well, it was started 9 months ago. So maybe 20 people work at the company.

[ItsMitch]

22 minutes ago, JuNex03 said:

"It’s our first time around. We haven’t – I guess we should have – this really is our first rodeo. "

 

Wait what? I thought they had 16 yrs of experience?

lemme just reiterate, Y I K E S 

[leadeater]

Quote

What we found are these backdoors that we have been describing that come built into the chips – there are two sets of backdoors, hardware backdoors and software backdoors, and we implemented clients for those backdoors. The client works on AMD Ryzen machines but it also works on any machine that has these ASMedia chipsets and so quite a few motherboards and other PCs are affected by these vulnerabilities as well. If you search online for motherboard drivers, such as the ASUS website, and download ASMedia drivers for your motherboard, then those motherboards are likely vulnerable to the same issues as you would find on the AMD chipset. We have verified this on at least six vendor motherboards, mostly the Taiwanese manufacturers. So yeah, those products are affected.

https://www.anandtech.com/show/12536/our-interesting-call-with-cts-labs

 

So why did they specifically target AMD in the report? They state they were originally investigating ASMedia yet their report does not reflect that, should they not report on the flaws found in the ASMedia chipsets then correlate that through to the AMD chipsets and show that in their findings. Their effected products list for Chimera don't mention any ASMedia chipsets at all but they are effected and they even said this during the call.

 

Quote

It seems a bit odd for a company looking into ASMedia related flaws to then turn their focus onto AMD’s secure processor, using the chipset vulnerabilities as a pivot point. ASMedia chips, especially the USB host controllers cited by CTS-Labs, are used on literally tens of millions of Intel-based motherboards around the world, from all the major OEMs. For a large period of time, it was hard to find a system without one. The decision to pivot on newer AMD platforms is a weak argument, the wishy-washy language when discussing projects at the start of the company’s existence, and the abrupt ending to the call when asked to discuss the original customer could be construed (this is conjecture here) that the funding for the product was purposefully directional towards AMD.

So I'm not the only person who noticed that oddity....

 

Quote

The confusion between microcode and FPGA in the discussion also raised an eyebrow or three.

Not kidding, CPUs are not FPGAs but you can update microcode on those so why couldn't you on the chipset.

 

Quote

YLZ: We would love to, but there is one quirk. According to Israel export laws, we cannot share the vulnerabilities with people outside of Israel, unless they are a company that provides mitigations to such vulnerabilities. That is why we chose the list. But look, we are interested in the validation of this – we want people to come out and give their opinion, but we are only limited to that circle of the vendors and the security companies, so that is the limitation there.

 

Quote

Lastly, the legal argument of not being able to share the details outside of Israel, or only to registered security companies outside of Israel, was an interesting one we were not expecting. This being coupled with the lack of knowledge on the effect of an open disclosure led us to reach out to our legal contacts that are familiar with the situation. This led to the line:

 

“It’s BS, no restrictions.”

 

Some of our contacts, and readers with security backgrounds, have privately confirmed that most of this is quite fishy. The combination of the methodology and presentation with a new company that both claims to have experience but can’t do CVE numbers is waving red flags.

CTS needs to get better lawyers to properly advise them on what they can actually do, or not do.