http://www.tomshardware.com/news/design-flaws-backdoors-amd-ryzen,36657.html
Speaking of games being played, a relatively unknown start-up, an Israeli virus research firm, has suddenly and loudly (as in with less than 24 hours between first notice and full-on web publication of "suspected vulnerabilities") slammed AMD Ryzen and EPYC Chips chipsets for 5 to 15 different discrete "manners that the chipsets could possibly be made vulnerable".
All of which are predicated on breaking all of the industry standard protection protocols that both AMD and Intel currently rely upon. And accusing the AMD platform security module of being a total "backdoor" failure while NOT being able to crack that door open at all in their very limited to non-existing testing.
The Israeli company is being lambasted for premature and erroneous assumptions, however, even AMD states that the potential threats found ARE PERHAPS POTENTIALLY REAL and if they are ever exploited they could render the entire affair into an open book. As such, AMD is investigating the claims.
The fact they cannot be exploited now is a relief, but it points out that both AMD and Intel indeed rely too much on these "platform security modules" and "management engines" and both have blended them into the boot cycle so thoroughly that if they were cracked, then the machine instantly and permanently becomes a defunct paperweight that cannot be trusted without a complete motherboard swap out.
This "off the cuff" form of unverified slander attack smells just about like an old-style paid third party FUD attack as would have been orchestrated in the past by Intel, and it is just what the old Intel would have done 10 years ago to any upcoming competitor that was actually threatening their PC business. Paint them thoroughly with thick coating of stinky lumpy brown mud ...... so what if 3 months from now it is all disproven, once it is painted on it cannot be completely removed --- and by 3 months it has done the job it was intended to do -- create FEAR, UNCERTAINTY and DISMAY which derails the competitor's plans.
Stink is stink is stink ......
AMD was squaring up to take 25-30% of Intel's market share away from them this upcoming year based in part because AMD lost 20% less of a performance hit due to Meltdown and Spectre --- the highly suspicious timing and general shakiness of this FUD attack is fairly obvious to all experienced industry review persons. However, the responsible review managers at Tom's Hardware and the ones at AMD all say the various attack methodologies mentioned need to be properly evaluated by SOMEONE OTHER THAN CTS-LABS, THE ISRAELI FIRM THAT OUTED ALL THE VARIOUS PREMATURE VAGUE ACCUSATIONS.
Also note: CTS-LABS has a disclaimer about their claims down at the bottom of things, intended to cover their butts because they didn't TEST their allegations at all, really.
They simply ran with allegation info taken directly off of the web in creating some of their scenarios.
"The report and all statements contained herein are opinions of CTS and are not statements of fact. To the best of our ability and belief, all information contained herein is accurate and reliable, and has been obtained from public sources we believe to be accurate and reliable. Our opinions are held in good faith, and we have based them upon publicly available facts and evidence collected and analyzed, which we set out in our research report to support our opinions. We conducted research and analysis based on public information in a manner that any person could have done if they had been interested in doing so. You can publicly access any piece of evidence cited in this report or that we relied on to write this report. Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports. Any other organizations named in this website have not confirmed the accuracy or determined the adequacy of its contents."
What to take away about it all --- PCs on the web are always going to be vulnerable to some degree, but right now they likely suck a lot more than they should suck and a completely new boot system is really needed to tighten up this whole constant bleeding sore "security module / management engine" vulnerability thing. This can only take place over time and will be announced as "improvements" and "new features".
Allowing security firms license to "out" completely unproven and theoretical attack modes functionally without any peer review should be the subject of normal lawsuits under the libel and slander "count up the damages" legal code we have today. That "cover your butt disclaimer" from CTS makes up a fine smoking gun for a libel court lawsuit to use, actually.
The standard Google used was to get initial verification, then to advise Intel and AMD privately up front, give them 200 days to get their act together, ample time to get additional confirmation from MULTIPLE world class industry security peers (while moving on fixing the issues) that the flaws are both real and are able to be accessed and THEN GO PUBLIC with a calm, factual announcement that laid out data and facts and the actual corrections done to date.
Kudos to AMD for keeping calm and responding very correctly and responsibly to this overnight hack job. Intel did not do nearly as well given 200 days to get ready. After loudly denying the issues completely for several weeks, the first Intel patches were full of non-corrective BS junk and the original set of Intel fixes actually caused re-booting loops and had to be pulled back by Microsoft the very next week.
Also note that if any of these items are judged by impartial review persons to be "worth re-coding to avoid their effects" that all Intel units are vulnerable to each one of these specious scenarios in an equivalent fashion.
My take on all of it is that Linux (Torvalds and crew) had fixes in place inside the Linux Kernel for all of Meltdown and most of Spectre before the waiting period was half over as Torvalds' Linux boys were part of the impartial review crew and they reviewed it by FIXING it so it couldn't happen (and by doing so said that Industry Wide that all chipsets had some real issues that really did require fixing). Linus will do likewise with these allegations.
===================================================
http://www.tomshardware.com/news/cts-labs-amd-ryzenfall-ryzen-epyc,36660.html
To What End And For What Purpose?
"Yet it's important to note that the circumstances surrounding the vulnerabilities' disclosure, and the fact that this is a brand new company, have raised questions about CTS Labs' intentions. It feels like a hit job on AMD, aimed at torpedoing its stock price. That may be unfair to CTS Labs, but optics and decorum are important to perception, and perception is reality for many."
People are beginning to investigate CTS Labs and the hit job they just did on AMD. I would expect a lawsuit or two to follow along in due time as both AMD and ASMedia (the company that makes the secure boot chipset system that AMD uses) will suffer both real and clearly accountable financial damages due to CTS Labs' irresponsible and unsupported accusatory actions.
CTS Labs is now under the gun to do a proper peer review and they are DENYING they have any need or responsibility to do this. CTS's stock holdings, financial transactions and any direct communications with various other entities are also being investigated at this time.
====================================================
https://www.google.com/search?q=torvalds+slams+cts&oq=torvalds+slams+cts&aqs=...
http://www.zdnet.com/article/bogus-linux-vulnerability-gets-publicity/
Torvalds, in a Google+ discussion, wrote: "When was the last time you saw a security advisory that was basically 'if you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?' Yeah."
Or, as a commenter put it on the same thread, "I just found a flaw in all of the hardware space. No device is secure: if you have physical access to a device, you can just pick it up and walk away. Am I a security expert yet?"
They've got a point.
Linus and ZDNet have actually articulated the root issue ---- small Security Companies feel that if there is not a killer CRISIS taking place right now then they got no new customers. So they are making urgencies up out of nothing now so they can be paid to "fix" them.
CTS should be sued for slander and libel and clearly put out of business as a warning to other little crap security companies to be A LOT MORE CAREFUL IN WHAT THEY SAY.
If CTS was paid to do this "research", then DOJ resources need to do up a case of conspiracy to commit fraud and nail all the parties involved. We already see some of the elements of conspiracy to commit fraud on the part of the "confirming" little security company that has just suddenly popped into existence and entered the discussion with the intent to bail out CTS when CTS got their tit into the wringer for not doing any form of confirmation.
If CTS leadership had any stock purchases / sales involved in these various precipitous accusation actions that they made, then their CEO or whomever should go to jail ......
Ditto if CTS was paid to do this "research". Jail for both of the parties involved is indicated.
===================================================
AMD flaws independently verified by two credible sources
A few hours after CTS Labs took a beating on social media and some infosec blogs, Dan Guido, the CEO of Trail of Bits —another security company— came forward to confirm that the CTS Labs report was real and contained actual vulnerabilities.
Yaron Luk, the CFO of CTS Labs, confirmed to Bleeping Computer yesterday via email that the company had asked the Trail of Bits team to run an independent review of their findings, a fact that Guido confirmed on Twitter.
Dan Guido (@dguido), 13 Mar:
"So this http://AMDflaws.com business... CTS Labs asked us to review their research last week, and sent us a full technical report with PoC exploit code for each set of bugs."
Dan Guido (@dguido), 2:36 PM - Mar 13, 2018:
"Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works."
First wave reports from technical experts that had nothing to do with it originally are coming in now.
Furthermore, earlier today, Alex Ionescu, one of the most respected figures in the security research community, also confirmed that, he too, had seen the technical report that CTS Labs sent AMD, and that it contained "legit design & implementation issues."
This last guy is well known and he had nothing to do with any of it, he like Torvalds is a responsible early mover on bug stuff like this.
Alex Ionescu (@aionescu):
On the #AMDflaws — I have seen the technical details and there are legit design & implementation issues worth discussing as part of a coordinated disclosure effort. The media storm and handling around that is sadly distracting from a real conversation around security boundaries.
Oh well, AMD has got some fixing to do.