
Torvalds wades into CTS Labs' AMD chip security report

15 March 2018

Smells like stock manipulation

IT's Mr Sweary and the creator of Linux, Linus Torvalds, has hit out at CTS Labs' AMD chip security report, saying that it "looks more like stock manipulation than a security advisory".

CTS Labs has claimed it's found over a dozen security problems with AMD Ryzen and EPYC processors. Linus Torvalds, Linux's creator, doesn't buy it.

Writing on a Google+ discussion group, Torvalds said that you don't get security advisories that were basically: "'If you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?' Yeah."

Or, as a commenter put it on the same thread: "I just found a flaw in all of the hardware space. No device is secure: if you have physical access to a device, you can just pick it up and walk away. Am I a security expert yet?"

CTS Labs sprang out of nowhere to give AMD less than 24 hours to address these "problems", having given security advisors a week to look at the issue.

The startup has jazzed up its discoveries with a research paper, a video describing the vulnerabilities, and, of course, fancy names for them: Ryzenfall, Master Key, Fallout, and Chimera.

CTS Labs claimed in an interview they gave AMD less than a day because they didn't think AMD could fix the problem for "many, many months, or even a year" anyway.

Torvalds said: "It looks more like stock manipulation than a security advisory to me."

These are real bugs, though. Dan Guido, CEO of Trail of Bits, a security company with a proven track record, tweeted: "Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works." But, Guido admitted, "Yes, all the flaws require admin [privileges] but all are flaws, not expected functionality".

Torvalds agrees these are bugs, but all the hype annoys the heck out of him because they do not matter in the real world.

They require a system administrator to be almost criminally negligent to work. To Torvalds, inflammatory security reports are annoying distractions from getting real work done. He said that a recent Linux "vulnerability", Chaos, required the attacker to have the root password.

"News flash: If an attacker has the root password, your system is already completely hosed. Everything else is just details."

Torvalds believes: "It's the security industry that has taught everybody to not be critical of their findings."

He also thinks, "there are real security researchers". For many of the rest, it's all about giving even the most minor security bug. In Torvalds' words: "A catchy name and a website is almost required for a splashy security disclosure these days."

Torvalds thinks "security people need to understand that they look like clowns because of it. The whole security industry needs to just admit that they have a lot of sh*t going on, and they should use -- and encourage -- some critical thinking."


Last modified on 15 March 2018