OSDev.org

I have noticed that (as far as I can tell) no one here has mentioned the kerfluffle over the claims that Ryzen processors have some kinds of inherent flaws, with side issues of whether the claims have any merit (possibly verging on probably); whether the company making the claims, CTS Labs, should have given AMD more than 24 hours' warning before making the claim public (maybe); whether the severity of the problems alleged really is a showstopper for Ryzen/Epyc or not, since they all require the system to already be compromised in other ways before these flaws can be exploited (probably not); whether CTS has a financial motive for throwing shade on AMD above and beyond the validity and severity of the alleged security flaws (impossible to say yet); and what connection, if any, there is between CTS and Viceroy Investments, a stock brokerage specializing in short selling (legal, if a bit of a morally gray area) which in the past has been accused of spreading fraudulent information for the purpose of manipulating the prices of stocks they are targeting (at best a dirty trick and at worst potential very illegal, depending on just how they are doing it) who published a massive 'obituary' of AMD mere hours after the CTS release (rather too quickly not to have been written before the announcement, some argue) and are openly shorting AMD stocks (not proven, but looking suspiciously likely).

It has also been muddied by a lot of vicious fanboyism by supporters of AMD, on the one hand, and supporters of Intel, on the other, leading to a lot of flames but very little light being shed.

I am actually sort of pleased to see that no one here is rising to this bait, but something about the coverage of all this has me scratching my head. I didn't want to bring this up, but I would appreciate some clarification, if anyone can give it.

You see, all six of the alleged flaws are described as being problems with the chipset, and specifically, with (IIUC) a set of ASMedia ASICs which incorporate a flashable firmware and an ARM32 CPU. These ASICs (I am pretty sure they are ASICs...) include both the usual chipset features, such as some USB host controllers, the PS/2 keyboard/mouse controller, the memory MUX, the PCIe bridges, and so forth, as well as a new, specialized security unit which is comparable to the Intel Management Engine.

Now, here's the thing: while some of these ASICs are inside the processor packaging, they are separate chips from the CPU proper. Furthermore, the majority of the chipset isn't part of the CPU package at all, but is part of the motherboard. It is not clear from the coverage I have seen which parts of the chipset are affected, and so far as I can tell, no one else is even bringing up the question.

For those who don't know this, there are some parts of a PC's chipset that have to be part of the motherboard, rather than the CPU, because these parts of the chipset are what mediate between the CPU and its associated package, on the one side, and the specific motherboard hardware, on the other - each motherboard has to have it's own unique version of that part of the chipset, which translates requests from the CPU to the motherboard. This divided locus of control is necessary because of how the chipsets for PCs in particular evolved; you don't see it on single-board computers, or even (IIUC) Macintosh systems, because they don't have the many variant configurations - or historical baggage - the PC platform does.

The motherboard chipset capabilities are, generally speaking, defined by what the CPU manufacturer supports in the processor-side chipsets, but the board-side chipsets themselves are the business of the motherboard manufacturers. While mobo builders often contract the chipset ASICs from the CPU manufacturer, or more likely, the chip manufacturer whom the CPU builders hired to provide them (more on this later), it is possible to have a chipset which is from a different source instead, though such sources must have the details of the CPU interface to make them; for example, nVidia has their NForce chipsets, which are (again, IIUC) alternatives to several of the Intel and AMD motherboard chipsets.

This, by the bye, is why there can be multiple chipset families which can be used with the different CPU socket types and CPU families - the difference between, say, an Intel B250 chipset and a Z270 chipset that supports the same CPUs and socket, is the support for the more advanced (and expensive) motherboard features which a given model of CPU is able to engage. But that's getting away from things.

Anyway, I mention all of this because there seems to be a lot of confusion on just what chipsets are allegedly flawed, and whether a flawed chipset - either on the processor package or on the motherboards - constitutes a flaws in the CPUs themselves.

I have not read the white paper alleging the flaws, but my expectation is that the allegations would all relate to the processor chipsets - otherwise, it would be a flaw in the mobos, not the CPUs, and while it would represent a massive problem as the motherboard manufacturers would need to recall their boards and would need to work out a replacement strategy with AMD, the chips themselves wouldn't be flawed.

But even if the processor chipsets are flawed, and even if those flaws cannot be corrected in firmware (which hasn't even been addressed as far as I know), it says little about the CPUs themselves, I think. While recalling the existing CPUs and developing a replacement chipset for future die packages would be monumentally expensive, not to mention humiliating, it is not impossible, and I doubt that it would amount to a death-blow to AMD - especially since their x86 CPU market is not even their primary business (they are much more involved in embedded systems, just as Intel is, with the desktop market being mostly a prestige business rather than a cash cow).

It just seems that this is much ado about nothing, especially in comparison to Spectre, which is known to affect AMD CPUs just as much as it does Intel CPUs (and ARM CPUs for that matter), and cannot be entirely fixed in firmware on any of the processors affected by it.

The whole thing seems like a tempest in a teapot, and I think that, more than anything, is why it looks so suspicious to many people.

NOTE: I AM NOT A SECURITY EXPERT. ANY OPINION HERE IS THE OPINION OF A LAYMAN. THE INFORMATION BELOW IS FOR EDUCATIONAL PURPOSES ONLY, AND SHOULD NOT BE USED FOR DECISIONS. THE AUTHOR DISCLAIMS ANY WARRANTY AS TO THE ACCURACY OF STATEMENTS BELOW. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE TEXT BELOW, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

I had a hard time even finding the website for CTS labs (for those wondering, it is cts-labs.com), and clicking around a bit it already feels very fishy. Most of the site is literally the same text pasted above a different list of external sources, and at best it is a very poorly executed company website. Not exactly what I would expect to see for a reputable security lab.

Next, the whitepaper explicitly states it does not give any details on the executions of the exploits. That alone is weird, as it allows literally no one (except maybe AMD, since they claimed to have given technical details to them) to verify that their findings are reasonable.

Ignoring that, let us next take a look at their supposed "attacks":

Masterkey: This one requires bios flashing capability. I am very sorry, but when an attacker can flash BIOS, it is game-over. That holds regardless of any flaws one might be able to exploit using that.

Ryzenfall: This requires "local-machine elevated administrator" access (pretty much full access to the operating system, and I guess from their wording that running inside a VM is not enough), and their text suggest it is an attack against the code running on the secure processor inside ryzen chips. Even if this is a legitimate problem, a simple firmware upgrade should be more than sufficient for mitigating it. Furthermore, requiring local administrator access on an OS running on bare metal is usually game over anyway, so this one again is probably not that big of an issue.

Fallout: Again, requires "local-machine elevated administrator", so all the previous caveats apply. Here they do not give any hints on how the exploit is supposed to work, or even how it is different from Ryzenfall.

Chimera: According to their claim, this is an exploit of the Promontory (or X370 for us consumers) chipset. They claim them to be some sort of pair of manufacturer backdoors, one implemented in hardware and the other in firmware. Given the fact that this is most likely a VERY complex chip given the diagrams AMD released for it, I seriously wonder how they can now that one of the found backdoors is implemented in hardware. Furthermore, they dont give any information as to the level of access they needed in order to exploit the problem.

Furthermore, all of the above attacks seem very specific in naming the companies that provided the (technology behind) the various components in the cpu attacked.

Combined, I would say that these attacks seem very much like scraping the bottom of the barrel, if they are real at all. There may be some small situations where Ryzenfall or Fallout might be relevant (e.g. where it is reasonable for an adversary to have administrator access but not declare the machine pwned), but I find it hard to find any realistic scenarios for that.

Schol-R-LEA, your (and the rest of the media's) assement that this seems mostly designed to raise as much of a stink as possible for stock price manipulation seems rather likely. Given that, I would not be surprised if this will lead to future legal action, and this prospect might also explain why (as far as I can find) AMD hasn't yet given any response to the supposed attacks.

There are more reasons to believe it is rather fishy, gamersnexus has a nice breakdown of them at https://www.gamersnexus.net/industry/32 ... h-cts-labs. One of the highlights for me is the following sentence in the legalese at the end of the whitepaper:

Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports.

This is basically them declaring that they may or may not have shorted amd stock, or are heavily invested in a company that just shorted amd stock. All in all, I wouldn't be surprised if this is (potentially illegal, I am no expert in securities fraud so I can't tell what is and isn't legal about this) stock manipulation.

Edit: I missed the AMD response, but it is literally just a stock response saying they are looking into it. The only thing of note is that cts-labs was apparently new to them as well.
Edit2: Also fishy for a security lab is that their website is not willing to load over https

A couple of other interesting points which may or may not be relevant (legally, not technically):

A company called CTS Labs was incorporated in England and Wales in 2016. It was dissolved in 2017.

The American CTS Labs was founded in 2017 with a very young-looking Management Team. What better way of getting your tech startup known than making some headlines? Just saying...

Cheers,
Adam

Hi,

Schol-R-LEA wrote:I have noticed that (as far as I can tell) no one here has mentioned the kerfluffle over the claims that Ryzen processors have some kinds of inherent flaws, with side issues of whether the claims have any merit (possibly verging on probably); whether the company making the claims, CTS Labs, should have given AMD more than 24 hours' warning before making the claim public (maybe); whether the severity of the problems alleged really is a showstopper for Ryzen/Epyc or not, since they all require the system to already be compromised in other ways before these flaws can be exploited (probably not); whether CTS has a financial motive for throwing shade on AMD above and beyond the validity and severity of the alleged security flaws (impossible to say yet); and what connection, if any, there is between CTS and Viceroy Investments, a stock brokerage specializing in short selling (legal, if a bit of a morally gray area) which in the past has been accused of spreading fraudulent information for the purpose of manipulating the prices of stocks they are targeting (at best a dirty trick and at worst potential very illegal, depending on just how they are doing it) who published a massive 'obituary' of AMD mere hours after the CTS release (rather too quickly not to have been written before the announcement, some argue) and are openly shorting AMD stocks (not proven, but looking suspiciously likely).

As far as I can tell; the claims are real "problems" but are mostly minor/irrelevant issues that are being deliberately exaggerated, either to increase publicity for CTS (less likely) or to manipulate the stock market (more likely).

Note: part of the reason I think that publicity is less likely is that "24 hour notice before disclosure" is abnormal and likely to leave a stain on the reputation of CTS, and part of the reason I think that stock market manipulation is more likely is that the wording in the whitepaper is biased against AMD (not a neutral/professional description of facts you'd expect) and that some of the claims (flaws in ASMedia's chips) effect Intel systems but CTS seem to be ignoring this and trying their hardest to discredit AMD alone.

For the claims themselves; AMD have finished analysing the claims and published an official response. I'd rate AMD's response as "refreshingly honest" - they don't seem to be trying to downplay the severity of the claims in the way a PR company would.

AJ wrote:The American CTS Labs was founded in 2017 with a very young-looking Management Team. What better way of getting your tech startup known than making some headlines? Just saying...

Getting your tech startup known as "3 stupid script kiddies" probably isn't a great strategy...


Cheers,

Brendan

OK, the AMD press release is good to see, and while I do think they hammered the issue of "you know, someone could do a lot worse than this if they had root to begin with" point home a bit much, given the behavior of both CTS Labs and Viceroy Investments - especially Viceroy - they have every right to do so.

Also, reading this and some of the other material answers one of my earlier questions, while underscoring how misleading the original report was - of the six issues, four of them are with the motherboard chipsets, not the CPU package chipsets, and as AMD states outright (though in a surprisingly understated manner), none are issues with the CPU dies themselves.

While chipset issues - especially processor chipset issues - are serious, they are not even close to being the sort of pervasive, ingrained problem that Meltdown and (especially) Spectre are, ad these particular issues are ones which, while far from negligible, are not catastrophic either. The fact that CTS was explicitly drawing parallels between the problems they uncovered, and the far more severe problems affecting - well, every processor architecture using out-of-order execution, in the case of Spectre - seems a real reach.

And the way CTS rushed the paper to press, even if it was meant honestly with an eye to forcing AMD's hand as they claim - which is questionable - just means that these quick fix BIOS updates are more likely to have bugs in them than if AMD had had the time to work with ASMedia on fixes for the chipsets themselves, or to get sufficient testing done on the mitigation they have managed to do.

The funny thing is, the main effect of this, following right on the heels of the Spectre, Meltdown and Rowhammer releases, might well be to drive greater investor interest in Mill and RISC-V, which can at least claim that they don't have these specific problems (just many others that haven't been found yet). I doubt it will be significant even then, as even the legitimate problems seem to have mostly driven stock prices of the affected chipmakers up rather than down, but it might give them a small bump as well.