CPU Security Flaws MELTDOWN and SPECTRE

PSP related "Ryzenfall" requires admin level access and vendor-signed malicious driver
Fallout requires admin level access and vendor-signed malicious driver
Chimera requires admin level access and vendor-signed malicious driver (also they claim that because some asmedia controllers have "bad firmware and software" (according to CTS Labs anyway), Promontory clearly has them too)

The claim isn't that the driver is malicious, just that a signed binary is part of the exploit. There are classes of attack that can exploit vulnerabilities like the loader authenticating a payload, but flaws in validation, check-once and switch, or loading to an area that can be modified can allow for a hostile payload to piggyback on the signed driver after the signature check. One of the PS3 hack variants did something similar, I think.

Some alternate possibilities are a compromised or negligent third party leaking their key, or a hacked PSP from the Masterkey exploit being able to leak out values that can be used in later ones. These seem so salacious that I would have expected them to be used to embarrass AMD further, particularly the latter. However, this doesn't seem necessary per the claims.

That there are security analysts with their names and places of work now firmly in the legal crosshairs if they willfully lied about seeing working POC for the exploits is what I think gives some sign this is more than just a hoax.

For AMD's Pro and EPYC lines, the excuse that you need admin rights is not good enough for the TPM and SEV elements of the platform, particularly since the PSP and southbridge allow for un-scannable and persistent exploit. A good chunk of that value-add is the idea that the hardware is supposed to be more resilient against compromised admins or hardware intercepted in transit.
A throwaway install can give someone admin rights, with persistence negating software wipes as a mitigation.
 
Let's assume for two lines, that these claims and CTS Labs are technically legit.
Their alleged background is in military intelligence, thus, an undiscovered backdoor makes much more sense for guys like them than something more easily exploitable - even if it requires physical access to the machine or network in question. MI are usually not the guys trying to scam one in a million people for their credit cards details and rather conduct very targeted attacks on key people/infrastructure.
[disclaimer: in my browser, that were two lines only]

Apart from that, I also find their publishing method and they way they are building their case highly dubious.
 
From what I've read, their company used to create malware apps that mined bitcoins on consumer desktops.

Read the Anandtech thread on this, some interesting stuff found out about this so-called security company.
 
Let's assume for two lines, that these claims and CTS Labs are technically legit.
Their alleged background is in military intelligence, thus, an undiscovered backdoor makes much more sense for guys like them than something more easily exploitable - even if it requires physical access to the machine or network in question. MI are usually not the guys trying to scam one in a million people for their credit cards details and rather conduct very targeted attacks on key people/infrastructure.
[disclaimer: in my browser, that were two lines only]

Apart from that, I also find their publishing method and they way they are building their case highly dubious.
For international business and especially HPC scale/R&D research engineering they would be wary of state sponsored espionage hacking (also applies to politics and relevant organisations or depts being compromised as well but different approach/CPU platforms involved); two countries come to mind.
Part of the reason the initial article I linked differentiated between perspective of risk and state sponsored versus more broader concerns.
Both are a potential risk/impact but in different ways and perspectives, still it is appalling how this was handled by those involved and it could be argued some of this with the shorting could be defined as organised insider trading (would need a court order to pull all records and communications to prove if this has happened).
None of the tech journalists have picked up on this angle (context organised insider trading), really SEC should be approached about this.
 
Last edited:
Would be fixed for next-gen consoles. I guess what's more worrying is every CPU is getting these epic security vulnerabilities. Workload on shoring them up and making the hardware genuinely secure needs to be increased.
 
Last edited:
Let's assume for two lines, that these claims and CTS Labs are technically legit.
Their alleged background is in military intelligence, thus, an undiscovered backdoor makes much more sense for guys like them than something more easily exploitable - even if it requires physical access to the machine or network in question.
Although it seems like physical access isn't required for most of the exploits, and even the Masterkey exploit's needing physical access may be conditional on whether the motherboard supports a BIOS update via executable. It would still require administrative privileges and there may be more flexibility with physical access.
A BIOS update spoofing an official release might widen the net a bit. The PSP's role in AMD's CPU and GPU boot process includes validating its firmware and never allowing the SOC to exit its launch state if it was tampered. If the enclave in the SOC does have enough persistence to allow the PSP to remain hacked even if the OS and motherboard were restored to factory default, and AMD doesn't provide a way to scan through the PSP's payload or for secure apps to query the PSP's version (in a non-spoofed way?), it might not be possible to be fully confident of the CPU after an incursion or anomaly is detected. It might be a challenge to craft an update that can somehow get past hacked firmware, which could just act like it read in the payload without applying it. Sony did find ways to claw back from the rooted status of the PS3's security however, so the possibility is there.

A new stepping or chips still in AMD's controls could be updated with the fix, though chips in the wild may not have 100% certainty.
Everyone has effectively committed to some kind of secure software or secure enclave method, though challenges like this show that when these have a vulnerability there's often not a lot of defense in depth and frequently little external visibility of what could be wrong.

MI are usually not the guys trying to scam one in a million people for their credit cards details and rather conduct very targeted attacks on key people/infrastructure.
Stock manipulation is one possibility, or perhaps extortion? Hackers do shop zero-days around for purchase, though I wouldn't expect a somewhat obscure short-seller winning out in a real bidding war with the sorts of organizations that can buy these.
 
will see if fixes badly affects performances... in a console fixes that stole even a 10% of performances would be a disaster
 
will see if fixes badly affects performances... in a console fixes that stole even a 10% of performances would be a disaster
The PSP's not powerful enough to be used in a performance-critical manner anyway. It's a Cortex A5 and part of its security measures might be purposefully being slow to reduce the effectiveness of brute forcing or timing attacks, similar to what Apple and other security engines do.
It's meant to provide functions at specific points in the system's initialization and occasionally provide secure functions.

Also, at least Sony doesn't seem to have aimed for a security level that even rises to the compromised one AMD may have, given what was revealed by the PS4 hacks.
 
Just read and as FYI the number of shares used for short selling increased by 15 million shares before the release of the security vulnerability, that is a fair amount of equity.
From one article:
On Friday and Monday, short selling of AMD's stock increased by about 15 million shares, according to S3 Partners, a financial analytics firm. That brought overall short interest in the chipmaker to about 180 million shares, the most since at least 2010.

"Over the last several days there was a spike in short selling that was completely out of the norm," said Ihor Dusaniwsky, S3 Partners' head of research.

So the out of the norm behaviour started to happen before the release of the information, suggesting organised insider trading behaviour with stock price manipulation (although the vulns seem to be real), albeit not on a large financial institute/hedge fund scale, but still pretty notable when considering stock price and around 15 million shares involved.
 
Last edited:
I meant microcode fixes that then compromise more or less CPU performances that are needed to be at a fix, stable level in consoles
 

Someone's going to a lot of effort to try and damage AMD. Even making a website to do it, and designing logos for the different classes of carefully named exploits. 24 hours notice for AMD and their partners.

Building a website to slickly promote your warnings of dire threats to users ( "we just want people to know!!") before you've even notified the vendor. lol.
 
On the topic of Spectre and Meltdown, Intel has announced that its Cascade Lake server refresh and the a refresh of its 8th Gen desktop chips should have hardware mitigations for Spectre V2 and Meltdown. V1 is the one that remains problematic for a near-term hardware fix due to the more general nature of the vulnerability versus the more specific privilege transitions or targeted hardware structures for the other vulnerabilities.

How Intel's fixes would work is described as some type of "partitioning" system for privilege levels and contexts.
There are conceptually modest changes like wiring in a check for userspace to kernel memory acceses earlier in the pipeline for Meltdown, and possibly hard-wired or microcode changes for tagging branch hardware by kernel/user and possibly per-context, or perhaps invalidating things like the return stack automatically at system calls or virtual context switches.
 
they deleted my posts...

they were related to a lot of new discovered bugs in AMD Ryzen that as Meltdown & Spectre may be patched at the cost of performances that in turn (if into a console) may create a lot of problems...
 
they deleted my posts...

they were related to a lot of new discovered bugs in AMD Ryzen that as Meltdown & Spectre may be patched at the cost of performances that in turn (if into a console) may create a lot of problems...

I believe they were moved to the security flaw thread in the PC forum, although they appear to have been sorted into it in a disjoint fashion. My point is that it is not clear what mechanism would create such a penalty, since the items affected generally are not meant to be in a performance-critical path anyway.
 
Anandtech interview with CTS-Labs ....
One, if the vulnerabilities exist: It is very likely that these vulnerabilities are real. A secondary attack vector that could install monitoring software might be part of a multi-layer attack, but offering a place for indiscriminant monitoring of compromised systems can be seen as an important hole to fix. At this point, the nearest trusted source we have that these vulnerabilities are real is from Alex Ionescu, a Windows Internals Expert who works for CrowdStrike, one of the companies that CTS-Labs says has the full disclosure documents. That is still a stage a bit far from us to warrant a full confirmation. Given that Trail of Bits required 4-5 days to examine CTS-Labs work, I suspect it will take AMD a similar amount of time to do so. If that is the case, AMD might have additional statements either on Friday or Monday, either confirming or rebutting the issues, and discussing future action.
https://www.anandtech.com/show/12536/our-interesting-call-with-cts-labs
 
Last edited by a moderator:
lol they are so full of shit. Backgrounds in cyber-security for years apparently yet they didn't know standard procedures for security exploits? And they decided to release to the public to make customers aware even though they knew these things normally take months to fix, yet the obvious recent example and much much worse exploits (don't require considerable means to exploit them) with Spectre/Meltdown were provided to Intel/AMD 6+ months in advance.

Good to see AT asking the obvious difficult questions there and some real floundering by CTS. Especially at the end lol.
 
full of shit. Backgrounds in cyber-security for years apparently yet they didn't know standard procedures for security exploits? And they decided to release to the public to make customers aware even though they knew these things normally take months to fix, yet the obvious recent example and much much worse exploits (don't require considerable means to exploit them) with Spectre/Meltdown were provided to Intel/AMD 6+ months in advance.
And their CEO is also a hedge fund manager.

Wanna bet they have a largish short position on AMD ?

Cheers
 
What are the laws regarding an Israeli company in this context?
 
Back
Top