The AMD defense force doesn’t have a single evidence to debunk their findings. It may be fake it may be real. But let’s hide this because it hurts mah favorite brand.
There's nothing to defend here when there are zero evidence and obviously the whitepaper barely makes any sense. You need a signed bios in one attack to run the malicious code.
It's like saying that MS is potentially distributing malware, because they sign their and their partners' drivers with a key and if that key is available, then you could sign your malware and spread it as MS software.
This has happened before and the key was published by mistake by microsoft... that's how you get those rights to produce and run signed s/w.
Can we just stop with the anti-semitic crap already?
Ain't helping.
What has this become, the JIDF?
The guy said that Jew politics are shady, and reality shows that they claimed Palestine's land as theirs, they built a Wall to keep the natives away from their territory, they keep expanding their borders with various methods, including bombing and they kill on sight anyone who seems not to happy about those israeli soldiers who walk around with rifles.
You should not disagree with the jews, goy, that's antisemetic.
Malware, through same methods that infects thousands of PC each day.
You have 0, that's zero, idea what you are talking about. Malware is many things, it's adware, trojan, virus, rootkit. Most malware doesn't run with root priviledges in many systems, it just needs a certain type of privileges to do its work. Most malware doesn't get planted magically on a PC, and it is usually a user's fault.
I could go on and on, but it's a lost cause, with people who have already shaped opinions and specific dislikes, not even mentioning the theoretical background.
Anyhoo, here's a simple example about the "rm -rf /" malware.
System: Loonix distro w/ systemd.
Systemd mounts Bios partitions in /dev/ and some versions mount it with write privileges for the root user...
If you "run rm -rf /" , you delete parts of your memory mapped bios. what does this mean? It means for for the motherboard to get bricked.
2 bios chips? you have a great chance that you will get it to POST in the next reboot.
1 bios chip? either you have to bring your soldering iron, or try an SPI programmer and there might be a chance for that motherboard.
How does this example align with the current situation?
You could for example take that file pointer from /dev/ and fill it with your "crafted bios"
then from the paper:
>Exploiting MASTERKEYrequires an attacker to be able to reflash the BIOS with a specially crafted BIOS update
nice, and how do you do that
>we suspect an attacker couldoccasionally still succeed in reflashing the BIOS
"suspect"... so you are not very sure.
let's go forth
>This could be done by first exploiting RYZENFALL or FALLOUT
nice, so I have to read Ryzenfall (that's a big claim there on the name) first
let's go to Ryzenfall's technique.
>Accessing the Secure Processor is done through a vendor supplied driver that is digitally signed
What?
So you tell me that asrock, asus, asmedia, american bios, can haz malware with their AMD supplied key?
so, you get the sign, you sign your code and this means that you can have either some microcode running on the cpu in ring -X, or on the bios itself.
How do you obtain the key? well someone has to provide it to you.
So there's no flaw there, a CPU, a peripheral, an embedded system _must_ run digitally signed firmware.
Where's the flaw? I have no idea? MS mistakenly had debug symbols on one of their supplied drivers, they lost a key, they invalidated it and its past.... we had good laughs.
But how come the almighty hack4z0rd W2zzard come up with "malware?
let's see the paper: a 20 page whitepaper that has zero facts, many mistakes, some ridiculous assumptions and some repetitive charts has 32 occurrences of the word "malware".
They are talking about the Arm Trustzone security "flaws", which ofc you have to exploit(if any) in order to gain access to the AMD PSP processor and there's hardly any mention of "Arm flaw".
There's some claim on twitter by one of the CTS guys, that ASMedia has an open windows on their firmware and there's no "ASMedia flaw" (they even say that asmedia's flaw exists because a few years ago asmedia lost a key :facepalm: )
conclusion:
there are some people out there, like w2zzard, who feel that it is their duty to bash some companies... and this has an impact on their sites. I found this thread because w2zzard wrote what he thinks is plausible, backlinks to amdflaws.com, then amdflaws.com backlinks here to say that this is a credible source(someone's opinion) so go read the "article on tpu or vice(
uke: ) or other yellow sites.
If there's some PoC that does this, e.g. they get the key from a signed f/w with debug symbols still on the binary( doubt it coz of many embedded system reasons), then you just gain the ability to talk to the cpu. the Arm trustzone and the AMD PSP is well documented on some extend, therefore there's no "security by obscurity" as e.g. in the Intel ME where they didn't even said to the people that they ran on minix.
Unlike the PSP, ME has security flaws, that's why they found many parts of that system, that's how they found the OS it's running, the TCP/IP stack and so forth... that's how the documentation for the ME was written.
Arm trustzone IPs and f/w is available for purchase via Arm holdings. There's nothing to hide, the system has perfect documentation and there's a sh-tload of companies using it and debugging it. You set your own key and the system is secured.
That's a totally different approach and to be quite honest security by obscurity was a method they used in the 50s and 60s.
bonus:
the fail overflow team managed to get priviledges on the ps4 to run linux. how did they did it? there's a video on yt about this. The most interesting thing is that they had physical access to the board, a soldering iron, cables, programmers and a southbridge that was not made by AMD and had privileges to do IOMMU/DMA with the cpu.
They could easily claim "amdead" "ambankrupt" "$0 stock value" and what not, but they are professionals, first, and foremost they are people who have the background to do such exploits.
They knew it's not a Jaguar flaw when your southbridge rights on the memory of the system which is supposed to alter.
grats TPU, you gained, for another time, a few cheap Clicks.
clap();
wait(2000);
clap();
wait(2000);
clap();
return;
P.S.: I might be a Jew, you don't know. Disagreeing with me makes you an potential anti-semite. How does that make you feel? How are you going to sleep tonight?
P.S.: I wonder if there's an occurrence of code running so close to the metal and called malware. If my memory serves me right, this term is not used in bare metal situations and requires an OS and a security flaw to be called malware by researchers (those who submit papers, not those with a credit card and internet access to namecheap for a domain), but I am not sure. Food for thought anyways. See ya in several years again when another bubble hits the market.
