Wait a minute. I thought from the day one, these vulnerabilities exploit ARM's TrustZone inside Zen uarch and probably Excavator as well. I also knew that ASMedia chip had some contribution on it, but nothing like what Joel from ExtremeTech descibed. Need a quick recap here.CTS Labs Responds to Allegations of Bad Faith Over AMD CPU Security Disclosures, Digs Itself a Deeper Hole
Looks like they're also claiming they compromised Intel motherboards with ASMedia chips as well.
Should have been asmediaflaws.com if anything.
Here is a video with Ian Cutress talking about all this: https://www.youtube.com/watch?v=cj3_AILPvU0
I just watched half of it. I agree completely. Its like Ian was saying "its all crap, they don't know what they are doing, its probably just PR....etc", but he was very careful to not actually say that. I think he did great.It's a long watch but there are some good details in there about the story and his call with CTS. Lots of questions he posed with no real answer, deflections, obvious lack of understanding of the modern server/compute environment, lack of understanding of modern security protocol, certain elements of their story changing, outright lying (according to other industry contacts) about not being able to share details with anandtech due to Israeli law, etc.
Ian is careful about not drawing complete conclusions which he shouldn't given his position and lack of expertise in all these areas, but luckily we don't have that standard in a casual tech forum and can call a spade a spade.
It's out.I just wish his article would better reflect the stance he showcases in the video.
So have we seen proof of concept exploits yet?
Wait a minute. I thought from the day one, these vulnerabilities exploit ARM's TrustZone inside Zen uarch and probably Excavator as well. I also knew that ASMedia chip had some contribution on it, but nothing like what Joel from ExtremeTech descibed. Need a quick recap here.
Now I get a clearer picture about this. Like formulav8 said, it should be asmediaflaws.com. As for TrustZone feature (thanks for addressing it, Ian!), somehow it only affects Zen-based CPU and not others.
IC: Most enterprise level networks are built upon systems that rely on virtual machines (VMs), or use thin clients to access VMs. In this circumstance no OS has bare metal access due to the hypervisor unless the system is already compromised…
ILO: Can I stop you there? That is not correct. That is entirely incorrect. We are talking about companies. You know we have a company here – imagine you had a company with four floors with workstations for employees that run Windows and sometimes you have a domain environment on the network….
IC: Those are desktop systems, I specified enterprise.
ILO: Yeah, this is enterprise, this is a company. As I said it has four floors with computers inside. They may be running Ryzen Pro workstations. They may have a Microsoft Windows Domain server, maybe a file server, and what we are talking about here is lateral movement inside corporate networks like this one. This is ABC, this is what happens on TSX all over the world with reports about how Chinese hackers behave when they hack US companies and this is how it looks like.
This call took place at 1:30pm ET on 3/14. After the call, we sent a series of 15 questions to CTS-Labs at 6:52pm ET on the same day. As of 7:10pm ET on 3/15, we have not had a response. These questions included elements related to
- The use of a PR firm which is non-standard practice for this (and the PR firm were not involved in any way in our call, which is also odd),
- Viceroy Research, a company known for shorting stock, and their 25-page blowout report published only three hours after the initial announcement,
- And the 2018 SEC listing of the CFO as the President of NineWells Capital, a hedge fund based in New York, that has interests in equity, corporate debt investments, and emphasis on special situations.
On the other hand, I think that it also gives the vendors a lot of control on how it wants to address these vulnerabilities and they can first deal with the problem then come out with their own PR about the problem, I’m speaking generally and not about AMD in particular here, and in general they attempt to minimize the significance. If the problem is indicative of a widespread issue, as is the case with the AMD processors, then the company will company probably would want to minimize it and to play it down.
As for TrustZone feature (thanks for addressing it, Ian!), somehow it only affects Zen-based CPU and not others.
Now I get a clearer picture about this. Like formulav8 said, it should be asmediaflaws.com. As for TrustZone feature (thanks for addressing it, Ian!), somehow it only affects Zen-based CPU and not others.
At some place they said clearly that they tested against others secure processors and didn't worked?
It seems a bit odd for a company looking into ASMedia related flaws to then turn their focus onto AMD’s secure processor, using the chipset vulnerabilities as a pivot point. ASMedia chips, especially the USB host controllers cited by CTS-Labs, are used on literally tens of millions of Intel-based motherboards around the world, from all the major OEMs. For a large period of time, it was hard to find a system without one. The decision to pivot on newer AMD platforms is a weak argument, the wishy-washy language when discussing projects at the start of the company’s existence, and the abrupt ending to the call when asked to discuss the original customer could be construed (this is conjecture here) that the funding for the product was purposefully directional towards AMD.
IC: Can you describe how you came up with the names for these exploits?
YLZ: It was our creativity and fervent imagination.
IC: Did you pre-brief the press before you spoke to AMD?
ILO: What do you mean by pre-brief the press?
IC: We noticed that when the information went live, some press were ready to go with relevant stories and must have had the information in advance.
ILO: Before our announcement you mean?
IC: Correct.
ILO: I would have to check the timing on that and get back to you, I do not know off the top of my head.
DK: I think the biggest question that I still have is that ultimately who originated this request for analysis – who was the customer that kicked this all off?
ILO: I definitely am not going to comment on our customers.
DK: What about the flavor of customer: is it a semiconductor company, is it someone in the industry, or is it someone outside the industry? I don’t expect you to disclose the name but the genre seems quite reasonable.
ILO: Guys I’m sorry we’re really going to need to jump off this call but feel free to follow up with any more questions.
It's a long watch but there are some good details in there about the story and his call with CTS. Lots of questions he posed with no real answer, deflections, obvious lack of understanding of the modern server/compute environment, lack of understanding of modern security protocol, certain elements of their story changing, outright lying (according to other industry contacts) about not being able to share details with anandtech due to Israeli law, etc.
Ian is careful about not drawing complete conclusions which he shouldn't given his position and lack of expertise in all these areas, but luckily we don't have that standard in a casual tech forum and can call a spade a spade.
In all likelihood they were trying to short AMD stock by using the vulnerabilities[1]. Beyond this I'm not sure why everyone is so up in arms about this whole situation. CTS doesn't owe anyone anything and they don't have any obligation to whatever vendor they might be working on. You could even argue it's probably better they just let it out than sitting on it for months/years.
[1] https://news.ycombinator.com/item?id=16598061
It's Scam, Scammers should be in jail.
And what exactly did they do that was illegal? Trading on non-public information that you got from your own research and then announcing it is not illegal. How much you stand to gain may be up for debate however.
"And what of Trustonic's TEE? Unlike QSEE's model, trustlets are unable to map-in and modify physical memory. In fact, the security model used by Trustonic ensures that trustlets aren't capable of doing much at all. Instead, in order to perform any meaningful operation, trustlets must send a request to the appropriate “driver”. This design is conducive to security, as it essentially forces attackers to either compromise the drivers themselves, or find a way to leverage their provided APIs for nefarious means. Moreover, as there aren't as many drivers as there are trustlets, it would appear that auditing all the drivers in the TEE is indeed feasible. "
" Although trustlets aren't granted different sets of “capabilities”, drivers can distinguish between the trusted applications requesting their services by using the caller's UUID. Essentially, well-written drivers can verify that whichever application consumes their services is contained within a “whitelist”, thus minimising the exposed attack surface. Sensitive operations, such as mapping-in and modifying physical memory are indeed unavailable to trusted applications. They are, however, available to any driver. As a result, driver authors must be extremely cautious, lest they unintentionally provide a service which can be abused by a trustlet."
What about the vendors customers? It's OK to put them at risk just to make a couple dollars?In all likelihood they were trying to short AMD stock by using the vulnerabilities[1]. Beyond this I'm not sure why everyone is so up in arms about this whole situation. CTS doesn't owe anyone anything and they don't have any obligation to whatever vendor they might be working on. You could even argue it's probably better they just let it out than sitting on it for months/years.
[1] https://news.ycombinator.com/item?id=16598061
Shorting stock is not illegal, it's what investors on the stock market do all the time. Using information you have that others don't is not illegal unless that information was gained illegally (e.g. insider trading). The stock market is just another form of gambling where everyone plays every edge they can to it's full advantage, it's not there to be nice and fair.If they have shorted stock, they have damaged not just AMD for their own gain, but AMD shareholders as well. Such an act has potential of $billions in damage.
Of course not, but when it comes to making lots money people are fast to put their morals aside. Look how many people on these forums mine crypto (another form of gambling) despite it basically wasting the earths resources for no real gain, and greasing the wheels of the criminal underworld (you pay for your drugs, guns, slaves, child porn in crypto). Not so much protest for an activity that's making geeks here money despite it being arguably worse then what CTS are doing.What about the vendors customers? It's OK to put them at risk just to make a couple dollars?
Shorting stock is not illegal, it's what investors on the stock market do all the time. Using information you have that others don't is not illegal unless that information was gained illegally (e.g. insider trading). The stock market is just another form of gambling where everyone plays every edge they can to it's full advantage, it's not there to be nice and fair.
Of course not, but when it comes to making lots money people are fast to put their morals aside. Look how many people on these forums mine crypto (another form of gambling) despite it basically wasting the earths resources for no real gain, and greasing the wheels of the criminal underworld (you pay for your drugs, guns, slaves, child porn in crypto). Not so much protest for an activity that's making geeks here money despite it being arguably worse then what CTS are doing.
And what exactly did they do that was illegal? Trading on non-public information that you got from your own research and then announcing it is not illegal. How much you stand to gain may be up for debate however.
In all likelihood they were trying to short AMD stock by using the vulnerabilities[1]. Beyond this I'm not sure why everyone is so up in arms about this whole situation. CTS doesn't owe anyone anything and they don't have any obligation to whatever vendor they might be working on. You could even argue it's probably better they just let it out than sitting on it for months/years.
[1] https://news.ycombinator.com/item?id=16598061
And here we go