CPU Security Flaws MELTDOWN and SPECTRE

Discussion in 'PC Industry' started by Bondrewd, Jan 2, 2018.

  1. 3dilettante

    Legend Alpha

    Joined:
    Sep 15, 2003
    Messages:
    8,135
    Likes Received:
    2,935
    Location:
    Well within 3d
    The claim isn't that the driver is malicious, just that a signed binary is part of the exploit. There are classes of attack that can exploit vulnerabilities like the loader authenticating a payload, but flaws in validation, check-once and switch, or loading to an area that can be modified can allow for a hostile payload to piggyback on the signed driver after the signature check. One of the PS3 hack variants did something similar, I think.

    Some alternate possibilities are a compromised or negligent third party leaking their key, or a hacked PSP from the Masterkey exploit being able to leak out values that can be used in later ones. These seem so salacious that I would have expected them to be used to embarrass AMD further, particularly the latter. However, this doesn't seem necessary per the claims.

    That there are security analysts with their names and places of work now firmly in the legal crosshairs if they willfully lied about seeing working POC for the exploits is what I think gives some sign this is more than just a hoax.

    For AMD's Pro and EPYC lines, the excuse that you need admin rights is not good enough for the TPM and SEV elements of the platform, particularly since the PSP and southbridge allow for un-scannable and persistent exploit. A good chunk of that value-add is the idea that the hardware is supposed to be more resilient against compromised admins or hardware intercepted in transit.
    A throwaway install can give someone admin rights, with persistence negating software wipes as a mitigation.
     
    CarstenS, Grall, Malo and 1 other person like this.
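The "check-once and switch" failure mode mentioned in the post above, as an added example that is not part of the original thread: a loader that verifies one read of an image and then uses a second read, next to a loader that verifies and uses a single private snapshot. The key, the `SwitchingStore` class and all function names are constructed for illustration, and HMAC stands in for the asymmetric signature a real loader would check.

```python
import hashlib
import hmac

# Constructed stand-in for a vendor signing key; HMAC replaces a real
# asymmetric signature only so the example runs offline.
KEY = b"constructed-demo-key"

def sign(image: bytes) -> bytes:
    return hmac.new(KEY, image, hashlib.sha256).digest()

def verify(image: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sign(image), tag)

class SwitchingStore:
    """Constructed storage whose contents change after the first read,
    modelling a region that is still writable after the check."""
    def __init__(self, first: bytes, later: bytes):
        self._first, self._later, self.reads = first, later, 0

    def read(self) -> bytes:
        self.reads += 1
        return self._first if self.reads == 1 else self._later

def load_double_fetch(store, tag: bytes) -> bytes:
    """Flawed: verifies one read, then hands back a second read."""
    if not verify(store.read(), tag):
        raise ValueError("signature check failed")
    return store.read()  # these are not the bytes that were verified

def load_snapshot(store, tag: bytes) -> bytes:
    """Hardened: one read into private immutable bytes, then verify
    and use that same object."""
    image = bytes(store.read())
    if not verify(image, tag):
        raise ValueError("signature check failed")
    return image

def demo():
    signed = b"signed driver image"       # constructed sample
    other = b"unsigned replacement"       # constructed sample
    tag = sign(signed)
    flawed = load_double_fetch(SwitchingStore(signed, other), tag)
    hardened = load_snapshot(SwitchingStore(signed, other), tag)
    return flawed, hardened
```
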
  2. CarstenS

    Veteran Subscriber

    Joined:
    May 31, 2002
    Messages:
    4,798
    Likes Received:
    2,056
    Location:
    Germany
    Let's assume for two lines, that these claims and CTS Labs are technically legit.
    Their alleged background is in military intelligence, thus, an undiscovered backdoor makes much more sense for guys like them than something more easily exploitable - even if it requires physical access to the machine or network in question. MI are usually not the guys trying to scam one in a million people for their credit card details and rather conduct very targeted attacks on key people/infrastructure.
    [disclaimer: in my browser, that were two lines only]

    Apart from that, I also find their publishing method and the way they are building their case highly dubious.
     
    Lightman likes this.
  3. Malo

    Malo Yak Mechanicum
    Legend Veteran Subscriber

    Joined:
    Feb 9, 2002
    Messages:
    7,102
    Likes Received:
    3,167
    Location:
    Pennsylvania
    From what I've read, their company used to create malware apps that mined bitcoins on consumer desktops.

    Read the Anandtech thread on this, some interesting stuff found out about this so-called security company.
     
  4. CSI PC

    Veteran Newcomer

    Joined:
    Sep 2, 2015
    Messages:
    2,050
    Likes Received:
    844
    For international business and especially HPC scale/R&D research engineering they would be wary of state sponsored espionage hacking (also applies to politics and relevant organisations or depts being compromised as well but different approach/CPU platforms involved); two countries come to mind.
    Part of the reason the initial article I linked differentiated between perspective of risk and state sponsored versus broader concerns.
    Both are a potential risk/impact but in different ways and perspectives, still it is appalling how this was handled by those involved and it could be argued some of this with the shorting could be defined as organised insider trading (would need a court order to pull all records and communications to prove if this has happened).
    None of the tech journalists have picked up on this angle (context organised insider trading), really SEC should be approached about this.
     
    #264 CSI PC, Mar 15, 2018
    Last edited: Mar 15, 2018
    Lightman likes this.
  5. HBRU

    Regular Newcomer

    Joined:
    Apr 6, 2017
    Messages:
    429
    Likes Received:
    47
  6. Shifty Geezer

    Shifty Geezer uber-Troll!
    Moderator Legend

    Joined:
    Dec 7, 2004
    Messages:
    40,921
    Likes Received:
    11,506
    Location:
    Under my bridge
    Would be fixed for next-gen consoles. I guess what's more worrying is every CPU is getting these epic security vulnerabilities. Workload on shoring them up and making the hardware genuinely secure needs to be increased.
     
    #266 Shifty Geezer, Mar 15, 2018
    Last edited: Mar 15, 2018
    milk, BRiT and HBRU like this.
  7. 3dilettante

    Legend Alpha

    Joined:
    Sep 15, 2003
    Messages:
    8,135
    Likes Received:
    2,935
    Location:
    Well within 3d
    Although it seems like physical access isn't required for most of the exploits, and even the Masterkey exploit's needing physical access may be conditional on whether the motherboard supports a BIOS update via executable. It would still require administrative privileges and there may be more flexibility with physical access.
    A BIOS update spoofing an official release might widen the net a bit. The PSP's role in AMD's CPU and GPU boot process includes validating its firmware and never allowing the SOC to exit its launch state if it was tampered. If the enclave in the SOC does have enough persistence to allow the PSP to remain hacked even if the OS and motherboard were restored to factory default, and AMD doesn't provide a way to scan through the PSP's payload or for secure apps to query the PSP's version (in a non-spoofed way?), it might not be possible to be fully confident of the CPU after an incursion or anomaly is detected. It might be a challenge to craft an update that can somehow get past hacked firmware, which could just act like it read in the payload without applying it. Sony did find ways to claw back from the rooted status of the PS3's security however, so the possibility is there.

    A new stepping or chips still in AMD's control could be updated with the fix, though chips in the wild may not have 100% certainty.
    Everyone has effectively committed to some kind of secure software or secure enclave method, though challenges like this show that when these have a vulnerability there's often not a lot of defense in depth and frequently little external visibility of what could be wrong.

    Stock manipulation is one possibility, or perhaps extortion? Hackers do shop zero-days around for purchase, though I wouldn't expect a somewhat obscure short-seller winning out in a real bidding war with the sorts of organizations that can buy these.
     
    Grall, pharma and Lightman like this.
  8. HBRU

    Regular Newcomer

    Joined:
    Apr 6, 2017
    Messages:
    429
    Likes Received:
    47
    We'll see if the fixes badly affect performance... in a console, fixes that stole even 10% of performance would be a disaster
     
  9. 3dilettante

    Legend Alpha

    Joined:
    Sep 15, 2003
    Messages:
    8,135
    Likes Received:
    2,935
    Location:
    Well within 3d
    The PSP's not powerful enough to be used in a performance-critical manner anyway. It's a Cortex A5 and part of its security measures might be purposefully being slow to reduce the effectiveness of brute forcing or timing attacks, similar to what Apple and other security engines do.
    It's meant to provide functions at specific points in the system's initialization and occasionally provide secure functions.

    Also, at least Sony doesn't seem to have aimed for a security level that even rises to the compromised one AMD may have, given what was revealed by the PS4 hacks.
     
  10. CSI PC

    Veteran Newcomer

    Joined:
    Sep 2, 2015
    Messages:
    2,050
    Likes Received:
    844
    Just read and as FYI the number of shares used for short selling increased by 15 million shares before the release of the security vulnerability, that is a fair amount of equity.
    From one article:
    So the out of the norm behaviour started to happen before the release of the information, suggesting organised insider trading behaviour with stock price manipulation (although the vulns seem to be real), albeit not on a large financial institute/hedge fund scale, but still pretty notable when considering stock price and around 15 million shares involved.
     
    #270 CSI PC, Mar 15, 2018
    Last edited: Mar 15, 2018
    Lightman and BRiT like this.
  11. HBRU

    Regular Newcomer

    Joined:
    Apr 6, 2017
    Messages:
    429
    Likes Received:
    47
    I meant microcode fixes that then compromise, more or less, CPU performance, which needs to be at a fixed, stable level in consoles
     
  12. function

    function None functional
    Legend Veteran

    Joined:
    Mar 27, 2003
    Messages:
    5,136
    Likes Received:
    2,248
    Location:
    Wrong thread
    Someone's going to a lot of effort to try and damage AMD. Even making a website to do it, and designing logos for the different classes of carefully named exploits. 24 hours notice for AMD and their partners.

    Building a website to slickly promote your warnings of dire threats to users ("we just want people to know!!") before you've even notified the vendor. lol.
     
  13. 3dilettante

    Legend Alpha

    Joined:
    Sep 15, 2003
    Messages:
    8,135
    Likes Received:
    2,935
    Location:
    Well within 3d
    On the topic of Spectre and Meltdown, Intel has announced that its Cascade Lake server refresh and a refresh of its 8th Gen desktop chips should have hardware mitigations for Spectre V2 and Meltdown. V1 is the one that remains problematic for a near-term hardware fix due to the more general nature of the vulnerability versus the more specific privilege transitions or targeted hardware structures for the other vulnerabilities.

    How Intel's fixes would work is described as some type of "partitioning" system for privilege levels and contexts.
    There are conceptually modest changes like wiring in a check for userspace to kernel memory accesses earlier in the pipeline for Meltdown, and possibly hard-wired or microcode changes for tagging branch hardware by kernel/user and possibly per-context, or perhaps invalidating things like the return stack automatically at system calls or virtual context switches.
     
    Lightman likes this.
  14. HBRU

    Regular Newcomer

    Joined:
    Apr 6, 2017
    Messages:
    429
    Likes Received:
    47
    they deleted my posts...

    they were related to a lot of newly discovered bugs in AMD Ryzen that, as with Meltdown & Spectre, may be patched at the cost of performance, which in turn (if in a console) may create a lot of problems...
     
  15. 3dilettante

    Legend Alpha

    Joined:
    Sep 15, 2003
    Messages:
    8,135
    Likes Received:
    2,935
    Location:
    Well within 3d
    I believe they were moved to the security flaw thread in the PC forum, although they appear to have been sorted into it in a disjoint fashion. My point is that it is not clear what mechanism would create such a penalty, since the items affected generally are not meant to be in a performance-critical path anyway.
     
  16. pharma

    Veteran Regular

    Joined:
    Mar 29, 2004
    Messages:
    2,972
    Likes Received:
    1,656
    Anandtech interview with CTS-Labs ....
    https://www.anandtech.com/show/12536/our-interesting-call-with-cts-labs
     
    #276 pharma, Mar 16, 2018
    Last edited: Mar 16, 2018
    Bludd likes this.
  17. Malo

    Malo Yak Mechanicum
    Legend Veteran Subscriber

    Joined:
    Feb 9, 2002
    Messages:
    7,102
    Likes Received:
    3,167
    Location:
    Pennsylvania
    lol they are so full of shit. Backgrounds in cyber-security for years apparently yet they didn't know standard procedures for security exploits? And they decided to release to the public to make customers aware even though they knew these things normally take months to fix, yet the obvious recent example and much much worse exploits (don't require considerable means to exploit them) with Spectre/Meltdown were provided to Intel/AMD 6+ months in advance.

    Good to see AT asking the obvious difficult questions there and some real floundering by CTS. Especially at the end lol.
     
  18. Gubbi

    Veteran

    Joined:
    Feb 8, 2002
    Messages:
    3,530
    Likes Received:
    875
    And their CEO is also a hedge fund manager.

    Wanna bet they have a largish short position on AMD?

    Cheers
     
    Shortbread, Alexko, Grall and 4 others like this.
  19. HBRU

    Regular Newcomer

    Joined:
    Apr 6, 2017
    Messages:
    429
    Likes Received:
    47
    yep... I guess SEC will investigate
     
  20. Malo

    Malo Yak Mechanicum
    Legend Veteran Subscriber

    Joined:
    Feb 9, 2002
    Messages:
    7,102
    Likes Received:
    3,167
    Location:
    Pennsylvania
    What are the laws regarding an Israeli company in this context?
     