AMD Security Concerns Overshadowed by Circumstances

On Tuesday, a security research firm called CTS Labs released information regarding 13 security vulnerabilities that impact modern AMD processors in the Ryzen and EPYC families. CTS launched a website, a couple of explanatory videos, and a white paper detailing the collection of security issues, though without details of implementation (which is good).

On the surface, these potential exploits are a serious concern for both AMD and its customers and clients. With the recent tidal wave caused by the Spectre and Meltdown security vulnerabilities at the beginning of the year, which have led to some serious talk of hardware changes and legal fallout like lawsuits against chip giant Intel, these types of claims are taken more seriously than ever before. That isn’t by itself a negative for consumers – putting more emphasis of security and culpability on the technology companies will result in positive changes.

CTS Labs has four different categories of the vulnerabilities that go by the name Ryzenfall, Fallout, Masterkey, and Chimera. The first three affect the processor itself and the secure processor embedded in it while the last one (Chimera) affects the chipset used on Ryzen motherboards. The heart of the exploit on the processor centers on an ability to overwrite the firmware of the “Secure Processor”, a dedicated Arm Cortex A5 part that runs a separate OS. Its job is to handle security tasks like password management. Being able to take control of this part has serious implications for essentially all areas of the platform, from secure memory access to Windows secure storage locations.

The Chimera vulnerability stems from a years-old exploit in a portion of the ASMedia designed chipset that supports Ryzen processors, allowing for potential man-in-the-middle attacks to access network and storage traffic.

In all of these cases, the exploits require the attacker to have physical access to the system (to flash a BIOS) or elevated, root privileges. While not a difficult scenario to setup, it does put these security issues into a secondary class of risk. If you have a pre-compromised system, then there are a significant number of exploits that all systems are at risk of.

It is interesting to note from a technical standpoint that all of the vulnerabilities center around the integration of the Secure Processor, not the fundamental architecture of the Zen design. It is a nuanced difference, but one that separates this from the Spectre/Meltdown category. If these concerns are valid, its possible that AMD could somewhat easily swap out this secure processor design for another, or remove it completely for some product lines, without touching the base architecture of the CPU.

For its part, AMD has been attentive to the new security claims. The company was given less than 24 hours notice of the security vulnerabilities, a significant alteration to common security research practices. For Spectre/Meltdown, Intel and the industry were given 30-90 days notice, giving them time to do research and develop a plan to address it. CTS Labs claims that the quick release of its information was to keep the public informed. Without the time to do validation, AMD is still unable to confirm the vulnerabilities, as of this writing.

CTS is holding back details of implementation for the vulnerability from the public, which is common practice until the vendor is able to provide a fix.

There is more to this controversy, unfortunately, than simply the potential security vulnerabilities. CTS Labs also talked with other select groups prior to its public data release. The research entity pre-briefed some media outlets, which is not entirely uncommon. Secondary security researchers were given access to the POCs (proof on concepts) to validate the vulnerabilities. Again, that is fairly expected.

But CTS also discussed the security issues with a company called Viceroy Research that has been documented in the past as creating dicey financial situations for companies in order to make a short term profit, at least based on accusations. In this case, Viceroy published a paper on the same day of the release of CTS Labs own report calling for AMD to file for bankruptcy and that the stock should have a $0.00 value.

To be frank, the opinions contained in the paper are absurd, and show a clear lack of understanding of the technical concerns surrounding security issues and of the market conditions for high-tech companies. Calling for a total recall of products for what CTS has detailed on AMD’s Ryzen hardware, without understanding the complexity of the more direct hardware-level concerns of Spectre/Meltdown that have been in the news for three months leaves me scratching my head.

Because of this secondary paper and the implications of finances in play regarding the news, it paints the entire CTS Labs report and production in a very bad light. If the security concerns were as grave as the firm claims, and the risk to consumers is real, then they did a disservice to the community by clouding the information with the circus that devoured it.

With all that said, AMD should and appears to be taking the security concerns raised in this report with the level of seriousness it demands. AMD is working against a clock that might be unfair and against industry norms, but from my conversations with AMD personnel, the engineering and security teams are working around the clock to get this right. With the raised level of scrutiny around chip security after the Meltdown and Spectre release, no company can take the risk of leaving security behind.