Another day, another vulnerability. This time, it’s AMD’s turn, with a broad swathe of its modern CPU lines falling victim to a dangerous driver vulnerability that could leave PCs open to all manner of attacks.
As reported by TechSpot, the flaw is in the driver for AMD Platform Security Processor (PSP), and could leave systems vulnerable by allowing attackers to steal encryption keys, passwords, or other data from memory. Today, we’ll take a look at what the role of the PSP is, and how this vulnerability can be used against affected machines.
What is a PSP, Anyway?
The AMD Platform Security Processor is functionally the company’s equivalent to the Intel Management Engine (ME), which we’ve discussed before. AMD refers to it as a subsystem “responsible for creating, monitoring, and maintaining the security environment.” It consists of an ARM microcontroller core baked into the main CPU die, and interfaces with the main system memory, IO, and CPU registers.
In short, it’s a coprocessor that has access to just about every part of the computers to which it’s inside. This makes it a prime target for attacks. Introduced around 2013, it’s also entirely closed source, existing as an unknown black box within modern AMD CPUs, which makes the security-conscious highly wary. Operating at a low-level, entirely outside the purview of the main CPU and operating system, the PSP, like the IME, is often considered a potential backdoor into a machine.
CPUs have been adding security features for years, with other technology including AMD’s Secure Memory Encryption and Intel’s System Guard Extensions. These subsystems allow sections of memory to be partitioned off and secured for special uses. However, these features have also proved to be subject to vulnerabilities too.
How The Vulnerability Works
The vulnerability is found in a range of AMD chipsets. It affects everything from modern Ryzen processors to chips stretching all the way back at least as far as the AMD Athlon X4 from 2013 according to AMD’s own disclosure. The issue was first reported to the company by [Kyriakos Economou] from ZeroPeril Ltd, who prepared a useful report on the vulnerability.
The vulnerability gives low privileged users access to uninitialised memory. This may sound unimportant, but uninitialised memory is often teeming with data left behind from prior processes, even if the computer has been rebooted or power cycled. It can be an easy way to gain access to encryption keys, password hashes, or all manner of other data that is sitting in unallocated RAM.
The first part of the problem is when a user makes a call to the AMD driver to allocate some uninitialised memory using the AMD PSP. When a request is made to initialise a certain amount of memory, the driver rounds up the request to the default memory page size, usually on the order of 4096 bytes.
If the user requests to initialise 1 byte, the driver will round that up to a full 4096 bytes, and allocate that much memory to the user. However, it will only initialise the first byte, leaving the rest in its prior state. The user can then access the remaining 4095 bytes which have been untouched, thus gaining access to the contents of uninitialised memory.
The second problem involves calls to the driver to free up contiguous memory space that has previously been allocated. When certain calls of this type are made, the driver does not properly release the allocated memory and keeps it privately associated to the original process making the call. This creates a memory leak and can quickly tie up great amounts of memory, making it unavailable to the rest of the system.
The research group were able to access gigabytes of uninitialised memory. The data recovered included everything from user password hashes to pool addresses that could help an attacker get around security features like kernel address space layout randomization (KASLR) which try to make it harder for hackers to know where to find crucial system areas in memory.
Patch Early, Patch Often
Thankfully, downloading the latest AMD chipset drivers should be enough to stave off any potential attacks. AMD’s advice is to upgrade to the ADM PSP driver 5.17.0.0 through Windows Update, or to download AMD Chipset Driver 3.08.17.735. Presumably, this solves the issue by properly zeroing out memory during allocation, as well as freeing up memory properly when its no longer needed.
Overall, a software fix is enough to solve the issue, and its a vulnerability that lacks some of the scare factor of bigger finds like Meltdown and Spectre from years past. However, it just goes to show that computer security is an ever-shifting target. There’s always another vulnerability lurking just around the corner.
Hopefully they can figure out a fix. Unlike the Intel ME, the PSP cannot be really disabled much as it functions as a root of trust for the processor and does memory init (https://www.igorslab.de/en/inside-amd-bios-what-is-really-hidden-behind-agesa-the-psp-platform-security-processor-and-the-numbers-of-combo-pi/)
As I understand it in most if not all Intel Processors the ME is just as impossible to ignore, and does basically all the same things…
At some point they have to realise the right fix is to get rid of these hidden processors doing who knows what – give the operating system direct access to all the hardware, so errors become much easier to fix, and there is some confidence that you know what the processor is doing. Or at the very least vastly reduce their direct access to the rest of the hardware…
When it could transparently from the users perspective and probably quite trivially, once the exploit becomes found, own all the data and IO on the machine, it owns the whole computer and you can’t do anything about it as neither the user, or OS has any way to know its happened.
– your OS won’t know its broadcasting all your secrets, the best it might be able to note is that your 100mb network link was slightly slower during that transfer than it usually is, as the master for the NIC was sending stuff on its own
– your OS won’t know your processor cores are being used rather hard mining crypto bollocks for somebody else, but maybe could notice the CPU temps are higher than they should be (assuming the Man in the Middle PSP/ME chip doesn’t fudge that number).
If you must have the ME/PSP type functionality it should be as a small co-processor with its own small RAM cache and accesses only to the IO it absolutely must have – so for most of these things it needs to be master of one network port, and send signals to the OS/CPU – and even that isn’t exactly secure, just less awful…
Well networking equipment has an admin port so computers should as well since the real users of this feature are geeks who know what they’re doing, and/or businesses and corporations that can deal with the added complexity.
This would be a far batter way to implement it and it would be upgradable.
They already did… The patch is available from multiple places.
What about linux systems? Where do you get revised drivers for them?
You don’t. This was a bug with the Windows drivers.
It looks to me more like the issue is not with the PSP itself, but the _WINDOWS_ drivers for the chipset. So it does not affect users of other OSses like Linux at all. I think this is an important part that should be mentioned in a article like this.
I’m going to take a little issue with:
[Quote]However, it just goes to show that computer security is an ever-shifting target. There’s always another vulnerability lurking just around the corner.[/quote]
This wasn’t a new failure type. This wasn’t even a failure type that is new this millenium. This was simply a failure to follow best practices, specifically allocate only the memory needed, and initialize all the memory that’s allocated. We’ve know this for so many years, and yet it still doesn’t get followed, even in this case which is the driver for a security product.
Some bugs are novel and interesting and require new best practices to guard against, such as spectre and meltdown. This is not that type. This isn’t a moving target, this is a target that’s been nailed in place for 30, 40, even 50 years and still got missed.
Welp, I meant this to be an independent comment, not a reply.
I agree. Even the ‘referenced’ article hardly mentioned ‘Windows’. Yet reading between the lines, this is simply a ‘Windows Driver Security Problem’ and not an AMD hardware problem at all…. so for most of us ‘who cares’. End of story.
Every time these issues come up they make it sound ‘Earth shaking – sky is falling’ when most are not even worth reading about :) .
Well Windows has a 73% market share so how much of a sonic boom do you all need?
https://www.statista.com/statistics/218089/global-market-share-of-windows-7/
But, the attacker (it appears) needs physical access to the machine. Needs to get by the normal security on the machine even if low level, and then needs to install an application to begin ‘exploiting’ this hole. And has to be on a machine that is worth the risk of exploiting…. So…. for most of the 73% market share users I would hazard the guess as not an issue… Just like all the Spectre and meltdown and other security holes…. Not saying the bugs need to be fixed and patched at some point. Just not the big issue as it is made out to be by sensational journalism.
That said, I always thought the PSP as separate and needed an external connection to access. But from this article, you can get to it by installing a driver in the OS running on the main processor. That seems to be a security hole in itself.
The headline is misleading at best, click-bait at worst. This isn’t a flaw in the AMD processor it’s a flaw in the Windows driver. Hardware flaws are a big deal. Yet another windows bug is not. Keep the systems patched and move on.
While it does say it is the driver in the second paragraph, the misleading intent of the title/ headline is clear – clickbait. I may just be extra cranky today but I for one am getting tired of this BS. If an artical isn’t worth an accurate title, it (and the author) are not worth reading
One of the few times it’s good in not having the latest and greatest.
Because old abandoned code and software is always free of security issues.
You can usually run the latest and greatest code and software on old hardware, even hardware pre this ME type hidden master processor that has been rather too popular for a very long time…
And if you run a Linux Distro it will even run well on such hardware – I still have a few of the original Intel Atoms going – very basic and slow processors, diabolically slow running windows, even the vintage of windows they were apparently designed for, but on Linux performance is good enough. Eventually support will be dropped for them, but as Linux keeps functionality with old processors for decades after their retirement (so far at least) got many more years left in them before they become a paint to run the latest software on.
a 2013 AMD processor is hardly the latest and greatest…
Does the extra red communist+++ Chinese 3A5000 and 3C5000L include their equivalent of the FISA IME/PSP core ?
‘Loongson Zhongke is known as the “first domestic CPU”, mostly adopts the MIPS architecture and successfully developed the LongISA instruction set by itself. In late July, Loongson Zhongke launched two processors, 3A5000 and 3C5000L. The code names of these two processors are also quite interesting. The former is “KMYC70”-“70th anniversary of the War of Resisting US Aggression and Aid Korea”, and the latter is “CPC100”-“100th anniversary of the founding of the Party”. It is really red and specialized, and it is worthy of being a 100% localized Chinese “chip”‘ https://inf.news/en/tech/d914953afc8cf73cff0bff16fd07703b.html
One can hope that Europe with their European Processor Initiative (EPI) to gain rapid global market share do NOT include an equivalent of the FISA IME/PSP core ( their first 143 prototypes were recently produced at globalfoundries using their 22FDX low-power technology) – https://www.european-processor-initiative.eu/epi-epac1-0-risc-v-test-chip-samples-delivered/
In my opinion it is a backdoor, NSA endorsed Clipper Chip failed so the IME/PSP was the replacement for that with a gagged FISA court order.
I would not trust any processor out of China with anything but trivial work loads.
As far as the IME timeline goes, I’ve been relatively close to it since it was first proposed by Intel. It had nothing to do with the NSA and everything with customer capture and upselling. Though I wouldn’t be surprised if the spooks jiujitsued the thing into something that’s useful to them as well.
Well, as some commenters pointed out already, the title is definitely misleading. It is a driver issue, not a platform issue. But I am sure a correct title would not attract as much attention.
What I always wondered, what is the purpose of the PSP for Joe schmoe.bI mean, I get the whole remote management stuff for big oegs, but for everybody else … What do we really need it for?
Also what are the risks for us none windows users. Its a backdoor and a security risk for sure, but other then that?
To be honestly though, if this was about security etc, it should be more or less all open source, otherwise its just not auditable or trust worthy.
Closed source code is audited all the time, probably even more than open source code. Big customers with important stuff and deep pockets ask for code reviews and audits on a routine basis.
As far as trustworthy goes, check out the rate and the severity of the bugs found in open source projects, project that into the future and wow, trust is a bad idea here.
The research I’ve seen basically said that they’re both about as bad as one another, just open-souce issues are fixed on average slightly faster once identified. So I don’t think the “more eyes are better” argument holds up in terms of stopping issues getting into the codebase; however, where it helps is that once an issue is found, more people can help out.
I would argue more eyes are always better at preventing bugs and shoddy piles of kludges that just about function, as somebody looks at something that terrible it doesn’t stay a kludge, or doesn’t get used at all – doesn’t mean there are going to be no flaws, as of course there are its a stupidly complex system where every programmer is having to at some point trust other programmers worked to the hymn sheet and documented their work properly etc..
However for me the big gain you get from opensource is a fix that is actually fit for purpose more often – as with so many eyes looking at the fix it can’t be a bodge that opens other cans of worms, it actually has to fix the issue (or at worst its a bodge for a while, and everyone knows it, while the more complex but correct fix is created).
In the closed source world whatever flaw is found is often wallpapered over, sometimes not even remotely fixed, just the one avenue that had actually been used covered, not the underlying flaw that made that bug/exploit happen, so a short while later you find that flaw has been being exploited in the wild because the fix was so shoddy and folks were now looking at the right spot…
Agreed seems to be more trouble than it’s worth the world would be a much better place without these black boxes.
Both AMD and Intel are amercian companies.
My best guess is they’re being forced to put those backdoors in their processors by some 3 letter agency and forced to lie about it’s origins, so they put in some efforts to make it look like it’s doing something useful.
While that is very possible, its also a useful feature set these elements provide for the right customers – and those customers are the ones that order such large piles of parts you have to cater to them to thrive as a big manufacturer…
So I’d not be so sure its pressure from the 3 letters to fit such a system, but keeping them poorly/undocumented and with such high levels of system integration/access might be, but never underestimate laziness/cost cutting – it is I would suggest much cheaper and simpler to put such features into every chip the way they do than keep it isolated from everything it doesn’t absolutely need to provide the management functions…
Great, I could update *IF* I was running Windows. Have not checked, maybe they do Linux drivers now… LOL; it’s all broken!