Linus Torvalds against the claims of CTS Labs

CTS Labs, an almost unknown company from Tel Aviv, claimed to have discovered over a dozen security issues in AMD's Ryzen and EPYC processors. Linus Torvalds, the creator of Linux, publicly challenged them.

Torvalds wrote on Google+:

When was the last time you saw a security tip say, "If you replace the BIOS or CPU microcode with a bad version, you may have security vulnerabilities?"

Or, as a commenter in the same thread put it: "I found a flaw in the . No device is s: if you have physical access to a device, you can just grab it and walk away. Am I a security expert?"

They are right.

CTS Labs came out of nowhere and gave AMD less than 24 hours to deal with these "problems".

The startup published its findings in a white paper and a video describing the vulnerabilities. All of the security holes, of course, have fancy names: Ryzenfall, Master Key, Fallout and Chimera.

CTS Labs claimed in an interview that AMD did not fix the problems for "many, many months or maybe even a year."

But why do they do that? According to Torvalds:

"It sounds more like a manipulation than a safety tip for me."

But the issues are real. Dan Guido, CEO of Trail of Bits, a security company with a proven track record, stated:

"Regardless of the advertising campaign, the errors are real, they are accurately described in the technical report (which is not public), and the code with the exploits works."

But Guido also admitted: "Yes, all bugs require admin [privileges], but all are bugs, and not some expected functionality."

The Linux creator agrees that these are bugs, but the publicity campaign around them bothers him:

Are there any errors? Yes. Do they matter in the real world? No.

Administrator access is required, and it would be almost criminally negligent to give that access to someone you don't know. For Torvalds, malicious security reports are annoying and a distraction from the real thing.

Torvalds believes that "there are real security researchers." According to Torvalds: "A catchy name and a website are almost essential for a security revelation these days."

Torvalds caustically states that "security people need to understand that they look like clowns because of this. The whole security industry just has to admit that they have a lot to do and that they need to use and encourage critical thinking."

What Torvalds really wants from developers and security researchers, as he recently wrote, is:

The first step should ALWAYS be "mention it". Mention it. Nothing else.
"Do no harm" should be your mantra for any new hardware work.

iGuRu.gr The Best Technology Site in Greece


Written by giorgos
