[Update] Security flaws discovered in AMD zen processors : AMD's meltdown?

Message added by WkdPaul

Please keep the conversation civil and respectful, as per the Community Standards;

Quote
  • Ensure a friendly atmosphere to our visitors and forum members.
  • Encourage the freedom of expression and exchange of information in a mature and responsible manner.
  • "Don't be a dick" - Wil Wheaton.
  • "Be excellent to each other" - Bill and Ted.
  • Remember your audience; both present and future.

 

Why is the same Gamers Nexus video posted at least 10* times?

 

* Hyperbole

Cor Caeruleus Reborn v6

Spoiler

CPU: Intel - Core i7-8700K

CPU Cooler: be quiet! - PURE ROCK 
Thermal Compound: Arctic Silver - 5 High-Density Polysynthetic Silver 3.5g Thermal Paste 
Motherboard: ASRock Z370 Extreme4
Memory: G.Skill TridentZ RGB 2x8GB 3200/14
Storage: Samsung - 850 EVO-Series 500GB 2.5" Solid State Drive 
Storage: Samsung - 960 EVO 500GB M.2-2280 Solid State Drive
Storage: Western Digital - Blue 2TB 3.5" 5400RPM Internal Hard Drive
Storage: Western Digital - BLACK SERIES 3TB 3.5" 7200RPM Internal Hard Drive
Video Card: EVGA - 970 SSC ACX (1080 is in RMA)
Case: Fractal Design - Define R5 w/Window (Black) ATX Mid Tower Case
Power Supply: EVGA - SuperNOVA P2 750W with CableMod blue/black Pro Series
Optical Drive: LG - WH16NS40 Blu-Ray/DVD/CD Writer 
Operating System: Microsoft - Windows 10 Pro OEM 64-bit and Linux Mint Serena
Keyboard: Logitech - G910 Orion Spectrum RGB Wired Gaming Keyboard
Mouse: Logitech - G502 Wired Optical Mouse
Headphones: Logitech - G430 7.1 Channel  Headset
Speakers: Logitech - Z506 155W 5.1ch Speakers

 


1 hour ago, ARikozuM said:

Why is the same Gamers Nexus video posted at least 10* times?

 

* Hyperbole

Because there's 29 pages of BS so no one can be bothered to check if it's been posted already.

 

P.S. 10 is probably accurate.


2 hours ago, ARikozuM said:

Why is the same Gamers Nexus video posted at least 10* times?

 

* Hyperbole

 

Because every time it gets posted the facts change. 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


It's funny people actually believe this is true.

#AMDidNothingWrong

Can't you see it's a well-done campaign against AMD's latest processors? They don't even talk about old ones; they have icons, logos and acronyms well prepared for every fake vulnerability.

I'm not even surprised this happened; Intel had to come up with a diversion. I'm surprised it took them this long, and I'm surprised people actually believe it, aka "HA, see, AMD sucks too" lol.


Why are people still replying in this thread?

 

Oh I see, LAwLz is replying to every post trying to tell everyone it's real.....



yay

RyzenAir : AMD R5 3600 | AsRock AB350M Pro4 | 32gb Aegis DDR4 3000 | GTX 1070 FE | Fractal Design Node 804
RyzenITX : Ryzen 7 1700 | GA-AB350N-Gaming WIFI | 16gb DDR4 2666 | GTX 1060 | Cougar QBX 

 

PSU Tier list

 


20 minutes ago, Space Reptile said:

Why are people still replying in this thread?

 

Oh I see, LAwLz is replying to every post trying to tell everyone it's real.....



yay

The issues are real; however, they also probably apply to anything with a co-processor and an updatable BIOS.

 

Anandtech had a call with CTS:

  • They seem not as professional as other groups, they did not know/lied about the rules governing security issues in Israel and irresponsibly released information about the issues after 24 hours.
  • There is still no explanation on how Viceroy could produce the 25 page report in less than 3 hours after the exploits were released.
  • Lack of preparing CVEs even though they worked for Unit 8200, the Israeli NSA.
  • Complete focus on how catastrophic this is and how AMD cannot fix these issues within months.

https://www.anandtech.com/show/12536/our-interesting-call-with-cts-labs


8 hours ago, Space Reptile said:

Why are people still replying in this thread?

 

Oh I see, LAwLz is replying to every post trying to tell everyone it's real.....



yay

What does sand look like from so close?



On 3/13/2018 at 8:25 AM, VegetableStu said:

WHERE'S YOUR AMD NOW?!

 

(I kid please put down that nice pitchfork you have there my nose hurts)

Just gotta pick your poison. Intel bugs or AMD bugs? 


2 hours ago, mr moose said:

What does sand look like from so close?

Like tiny bits of obsidian. It's very pretty. The sound of the surf is nice as well. The fact of the matter is we have no clue about how serious these flaws actually are because the relevant authorities were not given significant time to study them, execute them, and attempt to fix or mitigate them due to the rather FUCKING obvious attempt at a hatchet job targeting AMD. All we actually know is what they can accomplish given effectively unlimited access to a system. This is about as useful in determining their impact as a pine cone used for toilet paper.


1 minute ago, ravenshrike said:

 This is about as useful in determining their impact as a pine cone used for toilet paper.

LOL now I can't get that picture out of my head


3 minutes ago, ravenshrike said:

 The fact of the matter is we have no clue about how serious these flaws actually are

 

This is the only bit of your post that is relevant. Until we know this, dismissing their importance is foolish. As has been made abundantly clear many times over in this thread, there is a difference between the cock sacks that tried to use these exploits for personal gain and the legitimacy of the exploits. No one here is or has defended CTS, but many of us want proper investigation of the exploits. And to be honest, trivializing the exploits because people can't separate the two above-mentioned issues is disingenuous to all security in the tech world.

 

 



3 minutes ago, mr moose said:

but many of us want proper investigation of the exploits.

The clock for which started what, 5 days ago? Meanwhile you and Lawlz are Chicken Littleing over them. The earliest you're going to see significant analysis on them is gonna be at least 2-3 weeks, and probably longer. Well, unless the fixes for them are really easy which is still a possibility.


9 minutes ago, ravenshrike said:

The clock for which started what, 5 days ago? Meanwhile you and Lawlz are Chicken Littleing over them. The earliest you're going to see significant analysis on them is gonna be at least 2-3 weeks, and probably longer. Well, unless the fixes for them are really easy which is still a possibility.

How does that change anything we've said? So far you keep trying to argue that time of reporting and motivation for reporting have some sort of effect on the legitimacy of the threat.

 

That makes no sense and is conflating separate issues.



13 minutes ago, mr moose said:

How does that change anything we've said? So far you keep trying to argue that time of reporting and motivation for reporting have some sort of effect on the legitimacy of the threat.

 

That makes no sense and is conflating separate issues.

Meanwhile you and Lawlz are flagrantly conflating legitimacy and magnitude. The exploits exist, yes, and they appear to do what is claimed. But that is all that is known about them at this time. To say they are on par with or worse than SPECTRE/MELTDOWN is beyond premature until third parties do extensive in-depth testing.


Someone finally made a Star Troopers reference. We're done here. Close up the site, it's been nice knowing y'all. 


44 minutes ago, ravenshrike said:

To say they are on par with or worse than SPECTRE/MELTDOWN is beyond premature until third parties do extensive in-depth testing.

You are correct in saying that it is premature to claim these vulnerabilities are on par with or worse than Spectre/Meltdown.

I am not sure why you brought that up though because neither @mr moose nor I have said they are.


1 hour ago, ravenshrike said:

Meanwhile you and Lawlz are flagrantly conflating legitimacy and magnitude. The exploits exist, yes, and they appear to do what is claimed. But that is all that is known about them at this time. To say they are on par with or worse than SPECTRE/MELTDOWN is beyond premature until third parties do extensive in-depth testing.

I think the only person who suggested it was the equivalent of Meltdown is the OP.

 

Anyway, would you rather the local police not respond to some kid's bomb threat because "obviously it was a kid who was trolling us", and it happens to be the real thing?


1 hour ago, ravenshrike said:

Meanwhile you and Lawlz are flagrantly conflating legitimacy and magnitude. The exploits exist, yes, and they appear to do what is claimed. But that is all that is known about them at this time. To say they are on par with or worse than SPECTRE/MELTDOWN is beyond premature until third parties do extensive in-depth testing.

That is completely untrue. Outside of the OP, I don't think anyone, and certainly not me, has made claims regarding the severity of the threats; we have always maintained it is an unknown and for that reason alone should not be dismissed as trivial.



Just saw the video of one of the exploits posted by CTS.

 

- Step 1: find a datacenter with an unlocked door

- Step 2: place gun to head of admin for root access to hypervisor (because only an idiot lets the hypervisor access the public network)

- Step 3: load custom BIOS.

- Step 4: Profit?


I have a speculation that what CTS disclosed may not really be a new vulnerability.

 

I made a reference to the x86 Memory Sinkhole flaw once or twice recently and something clicked in my mind. For those not familiar with the x86 Memory Sinkhole, it was a hardware flaw discovered by security researcher Christopher Domas and presented at Black Hat 2015. Here's the video of it:

The gist of the attack is:

  • This exploits a flaw with the implementation of the movable memory window of the Advanced Programmable Interrupt Controller (APIC). The flaw is that the APIC memory window can slide over the memory range where System Manager (basically the security part of Intel systems) lives. Through some carefully crafted instructions, you can tell System Manager to access and execute stuff in memory under your control.
    • According to Wikipedia, AMD licensed APIC from Intel starting with the Athlon. So APIC has lived with AMD for a long time.
  • The attacker installs and runs an "attack driver", which requires root access.
  • This driver invokes System Manager to execute memory outside of its own little bubble.
  • In the demonstration, System Manager was tricked into installing a rootkit into itself that sniffs the contents of the processor's registers. When a magic number appears in them, System Manager escalates the context to root privileges and anything run afterwards runs as root.

If I understand it, Masterkey, Ryzenfall, and Fallout require the attacker to install tainted firmware which breaks the PSP. This sounds suspiciously similar to how Christopher attacked the demonstration machine. Christopher noted towards the end of his presentation (around 40:25) that in AMD's documentation, "the APIC window takes precedence over the SMRAM window." This is the flaw that Christopher used to attack Intel systems, meaning that AMD as of 2015 (I'm presuming he read the most recent one and AMD had kept it up to date) should be vulnerable to Memory Sinkhole.

 

The real question is whether or not AMD fixed Memory Sinkhole in Zen. I'd have no reason to believe AMD would've fixed it prior, because that was about when AMD was in full-on "new micro-architecture!" mode. And if Memory Sinkhole was not fixed in Zen and Zen is vulnerable to Memory Sinkhole, I wouldn't be surprised if CTS just repackaged this flaw into something else and presented it as new.

 

EDIT: Some background research tells me Memory Sinkhole may be mitigated through software: http://blog.jacobtorrey.com/mitigations-to-the-memory-sinkhole
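As an added defender-side example, not code from the post, from Domas's talk or from the linked mitigation write-up: a self-contained C routine of the kind a software mitigation would run at SMI entry, deciding from the IA32_APIC_BASE and IA32_SMRR_PHYSBASE/PHYSMASK register layouts (as documented in the Intel SDM) whether the xAPIC MMIO window currently covers SMRAM. The sample MSR values are constructed, and refusing to proceed on overlap is an assumed policy, not something the page specifies.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* IA32_APIC_BASE (MSR 0x1B): bit 10 = x2APIC enable, bit 11 = xAPIC global
 * enable, bits 12 and up = physical base of the 4 KiB APIC MMIO window. */
#define APIC_BASE_X2APIC     (1ULL << 10)
#define APIC_BASE_ENABLE     (1ULL << 11)
#define APIC_BASE_ADDR_MASK  0x000FFFFFFFFFF000ULL /* up to 52 address bits */
#define APIC_WINDOW_SIZE     0x1000ULL

/* IA32_SMRR_PHYSBASE (MSR 0x1F2) / IA32_SMRR_PHYSMASK (MSR 0x1F3): bits 12..31
 * give base and mask of the protected SMRAM range; PHYSMASK bit 11 = valid. */
#define SMRR_VALID           (1ULL << 11)
#define SMRR_ADDR_MASK       0x00000000FFFFF000ULL

enum sinkhole_status {
    SINKHOLE_OK,       /* window does not touch SMRAM, or no MMIO window exists */
    SINKHOLE_OVERLAP,  /* window has been slid over SMRAM: the Sinkhole condition */
    SINKHOLE_NO_SMRR   /* SMRR not programmed: SMRAM has no range protection */
};

struct range { uint64_t start, end; };  /* half-open [start, end) */

/* Decode the SMRR pair. The region size is (~mask + 1) over the masked bits,
 * so PHYSMASK 0xFFF00800 (valid bit set) describes a 1 MiB region. */
static struct range smrr_range(uint64_t physbase, uint64_t physmask)
{
    uint64_t mask = physmask & SMRR_ADDR_MASK;
    struct range r;
    r.start = physbase & mask;
    r.end = r.start + ((~mask & SMRR_ADDR_MASK) + 0x1000ULL);
    return r;
}

/* The test an SMI handler would run on entry, before relying on SMRAM:
 * does the currently programmed xAPIC MMIO window cover any SMRAM page? */
enum sinkhole_status check_apic_vs_smram(uint64_t apic_base_msr,
                                         uint64_t smrr_physbase,
                                         uint64_t smrr_physmask)
{
    if (!(smrr_physmask & SMRR_VALID))
        return SINKHOLE_NO_SMRR;
    /* In x2APIC mode, or with the APIC globally disabled, there is no window. */
    if ((apic_base_msr & APIC_BASE_X2APIC) || !(apic_base_msr & APIC_BASE_ENABLE))
        return SINKHOLE_OK;
    struct range smram = smrr_range(smrr_physbase, smrr_physmask);
    uint64_t win_start = apic_base_msr & APIC_BASE_ADDR_MASK;
    uint64_t win_end = win_start + APIC_WINDOW_SIZE;
    return (win_start < smram.end && smram.start < win_end) ? SINKHOLE_OVERLAP
                                                            : SINKHOLE_OK;
}

int main(void)
{
    /* Constructed sample values: 1 MiB of SMRAM at 0x7F800000 (memory type WB
     * in the low bits), the APIC at its default 0xFEE00000, then slid over SMRAM. */
    const uint64_t smrr_base = 0x7F800006ULL, smrr_mask = 0xFFF00800ULL;
    printf("default APIC base -> %d\n",
           (int)check_apic_vs_smram(0xFEE00900ULL, smrr_base, smrr_mask));
    printf("APIC over SMRAM   -> %d\n",
           (int)check_apic_vs_smram(0x7F800900ULL, smrr_base, smrr_mask));
    return 0;
}
```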


5 minutes ago, M.Yurizaki said:

I have a speculation that what CTS disclosed may not really be a new vulnerability.

 

I made a reference to the x86 Memory Sinkhole flaw once or twice recently and something clicked in my mind. For those not familiar with the x86 Memory Sinkhole, it was a hardware flaw discovered by security researcher Christopher Domas and presented at Black Hat 2015. Here's the video of it:

The gist of the attack is:

  • This exploits a flaw with the implementation of the movable memory window of the Advanced Programmable Interrupt Controller (APIC). The flaw is that the APIC memory window can slide over the memory range where System Manager (basically the security part of Intel systems) lives. Through some carefully crafted instructions, you can tell System Manager to access and execute stuff in memory under your control.
    • According to Wikipedia, AMD licensed APIC from Intel starting with the Athlon. So APIC has lived with AMD for a long time.
  • The attacker installs and runs an "attack driver", which requires root access.
  • This driver invokes System Manager to execute memory outside of its own little bubble.
  • In the demonstration, System Manager was tricked into installing a rootkit into itself that sniffs the contents of the processor's registers. When a magic number appears in them, System Manager escalates the context to root privileges and anything run afterwards runs as root.

If I understand it, Masterkey, Ryzenfall, and Fallout require the attacker to install tainted firmware which breaks the PSP. This sounds suspiciously similar to how Christopher attacked the demonstration machine. Christopher noted towards the end of his presentation (around 40:25) that in AMD's documentation, "the APIC window takes precedence over the SMRAM window." This is the flaw that Christopher used to attack Intel systems, meaning that AMD as of 2015 (I'm presuming he read the most recent one and AMD had kept it up to date) should be vulnerable to Memory Sinkhole.

 

The real question is whether or not AMD fixed Memory Sinkhole in Zen. I'd have no reason to believe AMD would've fixed it prior, because that was about when AMD was in full-on "new micro-architecture!" mode. And if Memory Sinkhole was not fixed in Zen and Zen is vulnerable to Memory Sinkhole, I wouldn't be surprised if CTS just repackaged this flaw into something else and presented it as new.

Wasn't that presentation only made after AMD and Intel fixed the issue?



Just now, mr moose said:

Wasn't that presentation only made after AMD and Intel fixed the issue?

Intel independently discovered it and fixed it in Sandy Bridge. AMD is up in the air.

 

Christopher also likely only researched it in-depth on Intel systems before formally disclosing it, making it appear to be an Intel-only flaw.


AMD just posted an initial assessment of the CTS Labs findings, and it looks like they agree that there are some issues; however, they think they can mitigate all of this with some BIOS and firmware patches without impacting performance.

 

https://community.amd.com/community/amd-corporate/blog/2018/03/20/initial-amd-technical-assessment-of-cts-labs-research

 

Quote

On March 12, 2018, AMD received a communication from CTS Labs regarding research into security vulnerabilities involving some AMD products. Less than 24 hours later, the research firm went public with its findings. Security and protecting users’ data is of the utmost importance to us at AMD and we have worked rapidly to assess this security research and develop mitigation plans where needed. This is our first public update on this research, and will cover both our technical assessment of the issues as well as planned mitigation actions.
 
The security issues identified by the third-party researchers are not related to the AMD “Zen” CPU architecture or the Google Project Zero exploits made public Jan. 3, 2018. Instead, these issues are associated with the firmware managing the embedded security control processor in some of our products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.

 

As described in more detail below, AMD has rapidly completed its assessment and is in the process of developing and staging the deployment of mitigations. It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings. Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research. Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues. A useful clarification of the difficulties associated with successfully exploiting these issues can be found in this posting from Trail of Bits, an independent security research firm who were contracted by the third-party researchers to verify their findings.

 
