AMD CPU Attack Vectors and Vulnerabilities

Discussion in '[H]ard|OCP Front Page News' started by Kyle_Bennett, Mar 13, 2018.

  1. Kyle_Bennett

    Kyle_Bennett El Chingón Staff Member

    Messages:
    53,555
    Joined:
    May 18, 1997
    This is a very interesting way to go about announcing a "Severe Security Advisory on AMD Processors" (PDF). The previous white paper link comes from the site AMDFlaws.com. It is suggesting that AMD's entire new EPYC and Ryzen processor lines are open to thirteen "Critical Security Vulnerabilities and Manufacturer Backdoors." This comes at the suggestion of CTS-Labs, an Israel-based security company. We are unsure if any of this has been replicated and verified or if any variants of these attack vectors are in the wild.

    Check out the video.

    This all seems to be a very well produced announcement of these issues, if those do in fact exist. I am getting with our security expert today in order to discuss the validity of these complaints. No matter what becomes of that, this is a very odd way of announcing security issues. Simply announcing these types of issues with no forewarning is also considered extremely irresponsible, and AMD did not get more than 24 hours' warning in advance. We will be reaching out to AMD for further comment, but I doubt we will hear much since it will take time to validate and investigate.

    The AMDFlaws.com domain was registered with GoDaddy on the 22nd of February and ownership of that domain is hidden by Domains By Proxy, LLC. That again strikes me as odd for a security company to hide the identity of domain ownership.

    EDIT:
     
    Last edited: Mar 13, 2018
  2. jfreund

    jfreund Gawd

    Messages:
    889
    Joined:
    Sep 3, 2006
    "CTS-Labs, an Israel based security company"

    Doesn't Intel do a lot of business in Israel?
     
    Wierdo, B00nie, Archaea and 19 others like this.
  3. thebufenator

    thebufenator Gawd

    Messages:
    981
    Joined:
    Dec 8, 2004
    I do believe that the Core arch was designed originally in Israel......
     
    dragonstongue and Ranulfo like this.
  4. Kyle_Bennett

    Kyle_Bennett El Chingón Staff Member

    Messages:
    53,555
    Joined:
    May 18, 1997
    You would be very correct, sir.

    Select a location to learn what it's like to work at Intel in Israel.

    Haifa: Intel's Israel Development Centre (IDC) was established in 1974 as Intel's first design and development center outside of the United States.

    Jerusalem: The Israel Development Centre has expanded geographically to several Israel locations, including Jerusalem, where the focus is on network and communications components.

    Petach Tikva: Intel's design and development center in Petach Tikva is leading the development of components and software in the cellular communications market.

    Qiryat Gat: Intel's fab in Qiryat Gat represents the largest single investment ever made in Israel by the private sector.

    Yakum: The Intel design and development center in Yakum provides chipsets for mobile platforms.
     
  5. umeng2002

    umeng2002 Gawd

    Messages:
    733
    Joined:
    May 23, 2008
    Probably an Intel smear campaign. I believe all these exploits need root access or physical access to hardware.
     
    Revdarian, Wierdo, scan13 and 8 others like this.
  6. Gigus Fire

    Gigus Fire 2[H]4U

    Messages:
    2,686
    Joined:
    Oct 14, 2004
    I don't think a security company would just do free research and release the information without some monetary incentive. Fairly aggressive PR stunt if Intel was involved.
     
    Revdarian, Uvaman2, [Ion] and 3 others like this.
  7. jfreund

    jfreund Gawd

    Messages:
    889
    Joined:
    Sep 3, 2006
  8. ir0nw0lf

    ir0nw0lf [H]ardness Supreme

    Messages:
    6,061
    Joined:
    Feb 7, 2003
    ^^^ Care to clue us in as to what info in particular we should be focusing on? Creation date? What?
     
    Uncle likes this.
  9. Kyle_Bennett

    Kyle_Bennett El Chingón Staff Member

    Messages:
    53,555
    Joined:
    May 18, 1997
    Research or development?
     
    griff30 likes this.
  10. katanaD

    katanaD [H]ard|Gawd

    Messages:
    1,508
    Joined:
    Nov 15, 2016
    The phrase "allows malicious code" was in many of those "flaws". If your system is running "malicious" code, that's your first issue.
     
  11. PaulP

    PaulP Gawd

    Messages:
    622
    Joined:
    Oct 31, 2016
    This whole thing smells like a well coordinated smear campaign.
     
  12. Sindalis

    Sindalis n00bie

    Messages:
    10
    Joined:
    Aug 27, 2014
    "The researchers gave AMD less than 24 hours to look at the vulnerabilities and respond before publishing the report. Standard vulnerability disclosure calls for 90 days' notice so that companies have time to address flaws properly."
    https://www.cnet.com/news/amd-has-a-spectre-meltdown-like-security-flaw-of-its-own/#

    Another article covering the topic. If true, this to me points to a marketing and smear campaign rather than legitimate independent security research. In any case, who paid for the research? That is not covered in their legal disclaimer or anywhere in the white paper.
     
  13. tunatime

    tunatime 2[H]4U

    Messages:
    3,181
    Joined:
    Sep 15, 2011
    Feels like an Intel smear campaign.
     
    Revdarian, Wierdo, B00nie and 13 others like this.
  14. Todd Walter

    Todd Walter Limp Gawd

    Messages:
    493
    Joined:
    May 10, 2016
    Not nearly enough paranoia in this thread. Who else knows that Intel is big in Israel and would like to see a wedge between them and AMD? Check for green fingerprints! :D
     
  15. Gideon

    Gideon [H]ard|Gawd

    Messages:
    1,686
    Joined:
    Apr 13, 2006
    See, you banned Razor1 and look what he had to do :) In all seriousness though, it seems odd a security firm would hide the identity of the site's ownership. I wonder what AMD will have to say about this. Seems odd to me compared to how these things normally get handled.
     
    dragonstongue and ecmaster76 like this.
  16. Chimpee

    Chimpee [H]ard|Gawd

    Messages:
    1,092
    Joined:
    Jul 6, 2015
    Sure looks suspicious. Even if this is true, a lot of the issues seem to be PEBKAC, not in the same league as Spectre or Meltdown.
     
    _mockingbird likes this.
  17. BSmith

    BSmith [H]ard|Gawd

    Messages:
    1,095
    Joined:
    Nov 9, 2017
    It is only a "smear campaign" if none of it is true.
     
  18. kju1

    kju1 2[H]4U

    Messages:
    2,562
    Joined:
    Mar 27, 2002
    GoDaddy, the slum lord of the internet domain registrars. Damn I hate that place.

    Anyway, back to the topic: Something doesn't pass the sniff test here...
     
    Darth Kyrie likes this.
  19. thebufenator

    thebufenator Gawd

    Messages:
    981
    Joined:
    Dec 8, 2004
    Are you saying that, if Intel was the one funding that publication, it's legit, above board, and not a smear campaign?
     
    Revdarian, dragonstongue and Uncle like this.
  20. TurboGLH

    TurboGLH Limp Gawd

    Messages:
    503
    Joined:
    Dec 19, 2002
    Interesting disclaimer at the bottom of the white paper.

    "Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports."
     
    Revdarian, Armenius and jfreund like this.
  21. BSmith

    BSmith [H]ard|Gawd

    Messages:
    1,095
    Joined:
    Nov 9, 2017
    I am saying if it is all true, then the source is irrelevant.

    Quite frankly, if I was Intel, I would have commissioned the research to be done to find out if my competitors had flaws, and I would not hesitate to reveal the information.

    As long as the information is accurate, then you can get as mad as you want about how it came to light. At the end of the day, accurate information about flaws should be known.

    Now, AMD should have been given more time with the data, and that is a bit cheesy they were not.
     
    Armenius, Trimlock and BlueFireIce like this.
  22. thebufenator

    thebufenator Gawd

    Messages:
    981
    Joined:
    Dec 8, 2004
    A bit cheesy is not the correct term. This industry does not need competitors secretly funding security companies to find flaws in other product lines for marketing purposes.
     
    Revdarian and dragonstongue like this.
  23. Silent.Sin

    Silent.Sin Gawd

    Messages:
    980
    Joined:
    Jun 23, 2003
    Anandtech also pointed at the strange whois records; they obviously had no real desire to notify AMD with any sort of proper lead time. amdflaws.com was registered Feb 22, 2018, and the whitepaper is hosted on safefirmware.com, which was registered June 9, 2017 under the same sort of anonymous registrar. This is also CTS-Labs' first disclosure of any kind. Seems like they took that weird fake "Skyfall and Solace" experiment and ran with it to give a marketing name to any of their findings and get their name out there. I couldn't find any real records of how the company was founded or funded, but their name is a little tough to google for. Overall seems very fishy.

    Tin foil zone: Project Zero disclosed meltdown June 1 to the bigger involved companies, was safefirmware.com registered after that as a place to hold whatever anti-AMD PR recovery campaign they could find? Why are they even hosted on separate domains?

    Edit: correct date
     
    Last edited: Mar 13, 2018
    Revdarian likes this.
  24. jfreund

    jfreund Gawd

    Messages:
    889
    Joined:
    Sep 3, 2006
    As Kyle noted, hiding the ownership of the domain is suspicious. CTS-Labs put their splash screen right at the start of the videos; if they created the domain, why hide it?

    It's extremely irresponsible to announce security vulnerabilities without disclosing them to the responsible party and giving them time to address it. Google's Project Zero reported Spectre and Meltdown to Intel and AMD on 6/1/17, and the public disclosure occurred 7 months later. Now we have not only disclosure of possibly severe, but unverified, vulnerabilities announced without the opportunity for mitigation, but a website registered solely to promote the vulnerabilities.

    Extremely irresponsible at best, assuming everything reported is accurate. Potentially corporate libel. Giving CTS-Labs every benefit of the doubt, why put users at risk with this announcement? Hmm....
     
    Revdarian and Nightfire like this.
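    The domain-registration signals raised in the two posts above (a site registered shortly before the disclosure, a registrant hidden behind a privacy proxy, and the question of whether safefirmware.com was registered after the Project Zero embargo began) are the kind of thing worth scripting when triaging a suspicious advisory site. What follows is an added example, not code from the thread or from CTS-Labs: it parses WHOIS-style records and reports those signals against a reference date. The WHOIS text is constructed for the example; only the amdflaws.com details (GoDaddy, Feb 22, 2018, Domains By Proxy) and the safefirmware.com creation date (June 9, 2017) come from the thread, the safefirmware.com registrar and the third, long-established domain are placeholders, and the privacy-proxy marker list is an assumption you would extend for the registrars you actually see.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional, Union

# Assumed marker strings for privacy/proxy registrants (not an authoritative list).
PRIVACY_PROXY_MARKERS = (
    "domains by proxy",
    "whoisguard",
    "privacy protect",
    "redacted for privacy",
)

# Constructed sample WHOIS text, not real registry output. Dates and the
# GoDaddy / Domains By Proxy details for amdflaws.com and the 2017-06-09
# creation date for safefirmware.com follow the thread; other fields are placeholders.
SAMPLE_WHOIS = {
    "amdflaws.com": (
        "Domain Name: AMDFLAWS.COM\n"
        "Registrar: GoDaddy.com, LLC\n"
        "Registrar URL: http://www.godaddy.com\n"
        "Creation Date: 2018-02-22T19:05:10Z\n"
        "Registrant Organization: Domains By Proxy, LLC\n"
    ),
    "safefirmware.com": (
        "Domain Name: SAFEFIRMWARE.COM\n"
        "Registrar: Example Registrar, Inc.\n"          # placeholder registrar
        "Creation Date: 2017-06-09T08:14:02Z\n"
        "Registrant Organization: Domains By Proxy, LLC\n"
    ),
    "example-vendor.com": (                             # placeholder: old, non-proxied domain
        "Domain Name: EXAMPLE-VENDOR.COM\n"
        "Registrar: Example Registrar, Inc.\n"
        "Creation Date: 2009-04-01T00:00:00Z\n"
        "Registrant Organization: Example Vendor Security Ltd\n"
    ),
}


@dataclass
class WhoisRecord:
    domain: str
    registrar: Optional[str]
    creation_date: Optional[date]
    registrant_org: Optional[str]

    @property
    def privacy_proxy(self) -> bool:
        """True when the registrant field names a proxy service rather than an owner."""
        org = (self.registrant_org or "").lower()
        return any(marker in org for marker in PRIVACY_PROXY_MARKERS)


def _field(text: str, label: str) -> Optional[str]:
    # Match "Label: value" at the start of a line; "Registrar URL:" does not match "Registrar:".
    m = re.search(rf"^{re.escape(label)}:\s*(.+?)\s*$", text, re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else None


def parse_whois(text: str) -> WhoisRecord:
    """Extract the fields the triage needs; missing fields become None, not errors."""
    raw_date = _field(text, "Creation Date") or _field(text, "Created On")
    created = None
    if raw_date:
        m = re.search(r"\d{4}-\d{2}-\d{2}", raw_date)  # tolerate timestamps and bare dates
        created = date.fromisoformat(m.group(0)) if m else None
    return WhoisRecord(
        domain=(_field(text, "Domain Name") or "").lower(),
        registrar=_field(text, "Registrar"),
        creation_date=created,
        registrant_org=_field(text, "Registrant Organization"),
    )


def assess(rec: WhoisRecord, as_of: Union[date, str], recent_days: int = 90) -> dict:
    """Triage signals for one record relative to a reference date (date or ISO string).

    age_days is negative when the domain was registered AFTER as_of, which answers
    the "was it registered after the embargo started?" question directly.
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    signals = {
        "domain": rec.domain,
        "age_days": None,
        "recent": False,
        "privacy_proxy": rec.privacy_proxy,
        "incomplete": rec.creation_date is None,
    }
    if rec.creation_date is not None:
        age = (as_of - rec.creation_date).days
        signals["age_days"] = age
        signals["recent"] = 0 <= age < recent_days
    return signals


def triage(records: dict = SAMPLE_WHOIS, as_of: Union[date, str] = "2018-03-13") -> dict:
    """Run assess() over every record; the default reference date is the thread's date."""
    return {name: assess(parse_whois(txt), as_of) for name, txt in records.items()}


if __name__ == "__main__":
    for name, signals in triage().items():
        print(name, signals)
```

    Run with the thread's date as the reference and amdflaws.com comes back 19 days old and proxied; run safefirmware.com against 2017-06-01 and the negative age shows it was registered eight days after that date. None of this proves intent, which is why the output is a set of signals to weigh rather than a verdict.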
  25. pcgeekesq

    pcgeekesq [H]ard|Gawd

    Messages:
    1,242
    Joined:
    Apr 23, 2012
    I doubt it is Intel: they have a long-term perspective, and this will be either proved true or false in the next week or two. It won't help them sell to their main customers (Dell, Lenovo, etc) but it will bite them hard in the butt if they are found to be behind it and it's false.

    My bet is this is someone who has a short position on AMD stock.
     
  26. Imhotep

    Imhotep Gawd

    Messages:
    590
    Joined:
    Feb 12, 2014
    Haha, the disclaimer is the highlight of the day.

    "Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports."

    These guys must have fallen off of a goddamn tree just before they came up with this. Too bad the fucking thing was not done in crayons...lol :)
     
  27. ecmaster76

    ecmaster76 [H]ard|Gawd

    Messages:
    1,167
    Joined:
    Feb 6, 2007
    That's a good theory, or just somebody trying to make a name for themselves to get investors.

    This one is golden:
    Because stolen credentials aren't a problem on other chips? :facepalm:

    EDIT: Or this one:
    Also applies to anything newer than a potato.

    EDIT2:
    Translation: if you are pwned, they can pwn you more :rolleyes:

    EDIT3: Yep, every single thing on there requires full system access to exploit. I wonder what Israel's standard for libel is...
     
    Last edited: Mar 13, 2018
    Revdarian, Armenius, [Ion] and 8 others like this.
  28. pcgeekesq

    pcgeekesq [H]ard|Gawd

    Messages:
    1,242
    Joined:
    Apr 23, 2012
    If what they discovered is true, it's perfectly legal (in the US) for them to take a short position on AMD before announcing it.
    It's not insider trading as the law defines it -- it's not insider information. But it will be highly profitable. :)
     
  29. JDanser

    JDanser Limp Gawd

    Messages:
    236
    Joined:
    Feb 9, 2012
    GASP! Flashing shady BIOS images can compromise security? That nice young man with the Ethereum shirt that offered to fix my computer for free had an ulterior motive!
     
    Revdarian, Armenius, [Ion] and 2 others like this.
  30. pcgeekesq

    pcgeekesq [H]ard|Gawd

    Messages:
    1,242
    Joined:
    Apr 23, 2012
    Armenius likes this.
  31. krotch

    krotch [H]ardness Supreme

    Messages:
    4,559
    Joined:
    Aug 12, 2004
    Sure. They're probably right next door to AMD Israel (Advanced Micro Devices).

    Think you mean local attacks. Which is exactly what Meltdown is also.

    They all do it. It's essentially advertising for them, for possible future business. Get their name out there, I mean. How many of us even know who CTS Labs even were, before any of this?

    It's either that or bug hunters. When companies offer thousands of dollars for each bug, it can be well worth it to research for vulnerabilities for different companies. Could also just be a non-profit.


    So far, all I'm seeing is both Intel and AMD have vulnerabilities in their chips. Fanboys from both sides come to defend whatever side they follow with well...no good information really.
     
  32. dgingeri

    dgingeri 2[H]4U

    Messages:
    2,768
    Joined:
    Dec 5, 2004
    I think a great many people are smart enough to see through this 'issue'.
     
  33. PaulP

    PaulP Gawd

    Messages:
    622
    Joined:
    Oct 31, 2016
    OK, just for the sake of argument, let's say that everything they claim is true. It could still be a smear campaign. Just highly exaggerate the claims and word them to make things look as grim as possible. Then release the "report" with little or no warning to the victim, and use a website that can't be traced back to the original authors. And the icing on the cake is to create a new company in another country to be the front for the effort. Using these techniques I could smear Mother Theresa. When people use highly unethical methods, you must question their "facts". When you look at their claims, you find that they all require a highly compromised system (administrator privileges, reflashing the BIOS with a "custom" version, using a modified and signed device driver) to use any of the exploits identified. Once a system is that compromised, you are screwed anyway, regardless of the underlying hardware.
     
  34. Spidey329

    Spidey329 [H]ardForum Junkie

    Messages:
    8,798
    Joined:
    Dec 15, 2003
    The fact they use GoDaddy. No self respecting company would ever use GoDaddy for anything.

    :)
     
  35. Mega6

    Mega6 Gawd

    Messages:
    984
    Joined:
    Aug 13, 2017
    whitepaper highlights:

    masterkey - Exploiting MASTERKEY requires an attacker to be able to re-flash the BIOS with a specially crafted BIOS update

    ryzenfall - Exploitation requires that an attacker be able to run a program with local-machine elevated administrator privileges. Accessing the Secure Processor is done through a vendor supplied driver that is digitally signed.

    fallout - Exploitation requires that an attacker be able to run a program with local-machine elevated administrator privileges. Accessing the Secure Processor is done through a vendor supplied driver that is digitally signed.

    chimera - vulnerabilities are an array of hidden manufacturer backdoors inside AMD's Promontory chipsets. There exist two sets of backdoors, differentiated by their implementation: one is implemented within the firmware running on the chip, while the other is inside the chip's ASIC hardware.

    ###

    MasterKey needs physical access, ryzenfall and fallout appear to be digital signature exploits and chimera are AMD backdoors built on firmware or ASIC.
     
    tempertantrum likes this.
  36. shad0w4life

    shad0w4life Gawd

    Messages:
    640
    Joined:
    Jun 30, 2008
    Revdarian likes this.
  37. ecmaster76

    ecmaster76 [H]ard|Gawd

    Messages:
    1,167
    Joined:
    Feb 6, 2007
    Meltdown can escape a hypervisor. These "AMD flaws" don't appear to be able to. That's a huge difference alone. I think Meltdown doesn't even require admin access, just local execution. These all require elevated access.

    The bit about signatures is just fluff since Windows won't even load an unsigned driver unless you have already gained admin access. See my analysis in the previous post.
     
    Revdarian and thebufenator like this.
  38. Brokennails

    Brokennails [H]ard|Gawd

    Messages:
    1,691
    Joined:
    Apr 29, 2006
    Jen- "Quick! Post something to distract from GPP uproar!"

    Lols
     
  39. krotch

    krotch [H]ardness Supreme

    Messages:
    4,559
    Joined:
    Aug 12, 2004
    The way I see it, if you have access to a machine already, gaining elevated rights will be a small cake walk for some. Nothing I can pull off, but many others will.

    Actually going through a red team inspection right now.
     
  40. ecmaster76

    ecmaster76 [H]ard|Gawd

    Messages:
    1,167
    Joined:
    Feb 6, 2007
    Not the same. JavaScript, for instance, is local execution but is a low privileged process that could nonetheless exploit Meltdown without any other privilege escalation (at least prior to OS/browser patches)
    Physical access == pwned
    Local execution != physical access
     
    Revdarian and Master_shake_ like this.