Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security AMD Hardware

'Sinkclose' Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually Unfixable Infections (wired.com) 57

An anonymous reader quotes a report from Wired: Security flaws in your computer's firmware, the deep-seated code that loads first when you turn the machine on and controls even how its operating system boots up, have long been a target for hackers looking for a stealthy foothold. But only rarely does that kind of vulnerability appear not in the firmware of any particular computer maker, but in the chips found across hundreds of millions of PCs and servers. Now security researchers have found one such flaw that has persisted in AMD processors for decades, and that would allow malware to burrow deep enough into a computer's memory that, in many cases, it may be easier to discard a machine than to disinfect it. At the Defcon hacker conference tomorrow, Enrique Nissim and Krzysztof Okupski, researchers from the security firm IOActive, plan to present a vulnerability in AMD chips they're calling Sinkclose. The flaw would allow hackers to run their own code in one of the most privileged modes of an AMD processor, known as System Management Mode, designed to be reserved only for a specific, protected portion of its firmware. IOActive's researchers warn that it affects virtually all AMD chips dating back to 2006, or possibly even earlier.

Nissim and Okupski note that exploiting the bug would require hackers to already have obtained relatively deep access to an AMD-based PC or server, but that the Sinkclose flaw would then allow them to plant their malicious code far deeper still. In fact, for any machine with one of the vulnerable AMD chips, the IOActive researchers warn that an attacker could infect the computer with malware known as a "bootkit" that evades antivirus tools and is potentially invisible to the operating system, while offering a hacker full access to tamper with the machine and surveil its activity. For systems with certain faulty configurations in how a computer maker implemented AMD's security feature known as Platform Secure Boot -- which the researchers warn encompasses the large majority of the systems they tested -- a malware infection installed via Sinkclose could be harder yet to detect or remediate, they say, surviving even a reinstallation of the operating system. Only opening a computer's case, physically connecting directly to a certain portion of its memory chips with a hardware-based programming tool known as SPI Flash programmer and meticulously scouring the memory would allow the malware to be removed, Okupski says. Nissim sums up that worst-case scenario in more practical terms: "You basically have to throw your computer away."
In a statement shared with WIRED, AMD said it "released mitigation options for its AMD EPYC datacenter products and AMD Ryzen PC products, with mitigations for AMD embedded products coming soon."

The company also noted that it released patches for its EPYC processors earlier this year. It did not answer questions about how it intends to fix the Sinkclose vulnerability.
This discussion has been archived. No new comments can be posted.

'Sinkclose' Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually Unfixable Infections

Comments Filter:
  • once again (Score:1, Interesting)

    by Anonymous Coward
    What SHOULD happen when people find security flaws is they are dumped immediately with exploitable code on Usenet so that the code gets into the wild with no chance of it getting taken down in order to properly incentivize manufacturers not to make garbage and customers not to buy garbage. Whoever the fuck came up with "responsible disclosure" needs to be shot.
    • By that definition, everything is garbage.

    • by SirSlud ( 67381 )

      if that was intended to be a demonstration of how the mind of a child works .. congratulations

    • Before you do that, let me clean the dust off my trusty MicroVAX box, so I could have some working computing hardware after the companies "stop making crap products". Because, you know, every current CPU has these shenanigans built-in: secure boot UEFI, system management mode, AMD PSP, Intel IME and whatnot.

    • Re:once again (Score:4, Insightful)

      by codebase7 ( 9682010 ) on Saturday August 10, 2024 @03:43AM (#64694230)
      No, what actually needs to happen is a complete ban on these kinds of hidden places in the silicon where only manufacturer code can run.

      People love to talk about "free markets" but this is anything but. A space where only manufacturer signed code can run is the best place to hide malware. Because only the manufacturer can fix it by design, and everyone else even if they have the skill required is completely dependent on the manufacturer's willingness to patch their SKU. A real free market would have plenty of options available for patches that wouldn't come from some manufacturer who's only concern is whether or not their next garbage SKU is found out before it reaches the market.

      The worst thing they ever did was declare a section of your device their personal playground that you the owner were forbidden from inspecting or altering.
      • I think you were heading here anyway, but just to be explicit...

        Manufacturers should release enough information and tools for users to continue fixing their own devices, and to share those fixes, after the manufacturer has stopped updating or supporting a device. That feels like the minimum we should start at... because then manufacturers won't do anything, but claim they're still supporting things, to not release information.

        How I first read your post was 'there should be no limit on code that is install

      • No, what actually needs to happen is a complete ban on these kinds of hidden places in the silicon where only manufacturer code can run.

        Sure, and let's go back to the days of 486 dx33 speeds because you think a modern processor is capable of functioning without management code on it. /s

    • > not to make garbage and customers not to buy garbage

      Impossible.

      X86/X64 is garbage. The whole architecture is designed to be insecure. We use it everywhere; we constantly patch it.

      We could stop making this security trash if we dumped it for a new security focused architecture. All current OS's will also be dumped, as no OS today is designed with that new architecture in mind.

      It would be a tidal shift in OS design and hardware design and it will be a BIG change. It won’t look or work like what

  • by 93 Escort Wagon ( 326346 ) on Friday August 09, 2024 @06:29PM (#64693662)

    Joke's on you... I only use 2004 AMD chips in all my machines!

  • Use it for cracking (Score:4, Interesting)

    by Anonymous Coward on Friday August 09, 2024 @06:35PM (#64693672)

    Use this to crack widevine, 4k bluray, any encryption that relies on trusting the hardware to be predictable

    • What MPAA produced these days is such a garbage that it's probably not worth the effort.

      • What's the MPAA? Are you under the impression that the only movies in the world are made by Americans?

    • Every Xbox and PlayStation of the last two generations uses AMD CPUs. If this SMM exploit can be introduced to them then it can be an unpatchable jailbreak.

      • by AmiMoJo ( 196126 )

        Maybe not unpatchable. It sounds like they can update the console's firmware mitigate the flaw, so unless you can already run arbitrary code very early in the boot process you won't be able to exploit it on current firmware... Assuming they implemented the fixes.

        Typically you need current firmware to play online, but if you just want to jailbreak then it may work if you can find an arbitrary code exploit.

  • So most processors with mulitcore and GPU optimizations....?

  • by ctilsie242 ( 4841247 ) on Friday August 09, 2024 @06:48PM (#64693696)

    This gets me wondering how much access one needs. Does this mean having unconstrained root, having access to kernel space, or maybe even just being able to execute code as a user? Saying "deep" really doesn't mean much, because that can easily just mean that someone ran a binary with an elevated or sudo command prompt, and now the code can run as root or LOCALSYSTEM without worry.

    I'm guessing unconstrained root or LOCALSYSTEM.

    • by Lehk228 ( 705449 ) on Friday August 09, 2024 @06:53PM (#64693700) Journal
      probably enough access to install a BIOS update
    • If you can overwrite the firmware that runs before the OS loads, or better yet overwrite the microcode, you've got more control than anything that loads later.

    • Lower level than the kernel. Bios level.

    • System Management Mode is generally regarded on x86 as ring(-3). Userspace is ring(3), kernel space is ring(0), and if a hypervisor is running that's generally ring(-1). System Management mode can also run a hypervisor (at least on Intel... I know, x86 is crazy). When you use a USB keyboard or something similar to interact with a BIOS, that's partially some drivers running in system management mode that are trapping back and forth between those contexts. SMM is about as game over as it gets.
    • In all honesty? Probably "able to run code in userland" is enough these days.

      Most people don't have multiple layers of security for data at rest on their devices. If you can get code execution as them, you have access to pretty much anything of value that the user added to the system. Taking advantage of that access is likely to be noticed. Especially on corporate networks, or if you want to deploy ransomware. Which reveals your presence and burns whatever access you had.

      The remaining 1% is just the raw
    • This is beyond kernel mode. This is even beyond hypervisor mode. This exploit permits arbitary code to run invisible to the kernel and hypervisors, and that code has full access to system ram, meaning it can invisibly read and change kernel and hypervisor memory. In effect, it is a rootkit running above the hypervisor, so could directly interfere with any VM on the system, or even directly interfere with security infrastructure in the hypervisor itself (recovering security keys, etc.)

      This root kit after
    • Comment removed based on user account deletion
  • I recently retired an AM3 board with a Phenom II x6 1090T from being my daily driver, but was somewhat looking for another case/PSU to house it so I can retire some even less powerful hardware. I guess I'll just let it lie and get some RAM for the X99 board I also have laying around (with a 5700K on it).

  • Skynet will take advantage of this...
  • by gweihir ( 88907 ) on Friday August 09, 2024 @07:36PM (#64693760)

    At that time you can simply re-flash the bios with malware and most people would not know the difference.

    • by gweihir ( 88907 )

      As a side-note, I have done SPI reflashing in circuit. Any decent PC shop should be able to do it.

    • Yes this is well inside the airlock.

      First you gotta get completely pwned.
      Then you might stay completely pwned without knowing it.

      well duh
      • This is just an extra tool. The malicious actor will likely exploit social engineering or some auto execution of unexpected data to get an initial foothold, then a few more vulnerabilities to get root access and then this so that they can be undetected and persistent inside your network while they use other exploits to move around and discover more things.
        • Translation:

          First you gotta get completely pwned.
          Then you might stay completely pwned without knowing it.
          • by gweihir ( 88907 )

            That depends in whether detecting this is hard. If it opens network connections or accepts them, it may not actually be hard to detect.

            • I'm not saying this is impossible, but it sounds like you would

              1) Need to get a foothold
              2) find a way to escalate to root
              3) install your bootkit
              4) cover your tracks on how you got in so you remain undetected

              If there is any network monitoring going on, you would hopefully notice odd behavior out of the compromised box and shut that down. If your network is secured enough, you wouldn't even fall victim or you would prevent the compromised box from communicating with the outside via unauthorized channels.

              Seems

              • by gweihir ( 88907 )

                Something like that. A high-effort specialized attack somewhat lacking an actual use-case. I doubt we will see it in the wild.

    • Indeed, but why target a very specific subset of hardware and firmware limited to a single manufacturer producing hundreds of varied products, when you can instead target a very commonly available centralised exploit across literal millions of machines?

      You don't go out of the way to flash BIOS for the same reason people don't go out of their way to attack Linux machines: Effort vs attackable victims is just too high to be worthwhile.

      • by gweihir ( 88907 )

        Well, maybe. This would still mean that your actual backdoor code works across most machines you attack. The exploit may be portable, but that does not mean you can do the same attack based on it.

        But this whole attack only makes sense if the victim got compromised on root level, and did a cleanup without changing the hardware and you want to re-compromise them after that. That probably gives you much less than just running whatever you do to get root against more computers. I doubt we will see this in the w

  • by Canberra1 ( 3475749 ) on Saturday August 10, 2024 @05:43AM (#64694270)
    Security 101. Confidentiality, Integrity, Availability and Auditability. In Security, they teach the first 3, and tell students that Auditability does not matter, trust the manufacturers. As you advance up, they tell you forensic audibility tools are hush hush, and besides, we don't want to tip off an untrusty employee who has noticed security permissions have changed (tipping him/her off). The contracts area say buy trusted brands - was IBM now Dell and HP - certain lines only. What they need is an F' key to dump certain checksums on the untouchable defect laden out of reach bits so that changes are detected and visible (auditability). After CrowdStrike and Master Keys leaking, bios graphics backdoors, we need this auditability that touches all areas. The final complaint is various bioses will NEVER get security patches, lucky if 2 years. Intel Spectre also demonstrated that the customer wore the performance decreases. You can also bet Graphics or AI cards/processors will have super duper DMA access and hidden instruction's .
  • OpenBSD demonstrated that a more proactive assault on software security flaws could produce better security, an approach that is only otherwise pursued in the most critical of software, and not always then. And, evidently, not pursued in consumer hardware at all.

    We've a steady accumulation of tools for evaluating logic, but it's still fairly primitive and rarely covered in any depth at university.

    With the planet dangerously fractured by partisanship, paranoia, and state-sponsored cyberwarfare (where the too

  • For systems with certain faulty configurations in how a computer maker implemented AMD's security feature known as Platform Secure Boot

    So it's like communism, the problem is just that it was (always, everywhere) implemented wrong ...

  • Comment removed (Score:4, Informative)

    by account_deleted ( 4530225 ) on Saturday August 10, 2024 @08:56AM (#64694456)
    Comment removed based on user account deletion
  • I'm curious... Yes, I know a hardware flashing device would be more secure, but could a flash of malware infected BIOS code really block another flash of safe BIOS code through the normal means?

    Thinking more... I guess if the flashing process was b0rkened, that might be how. To always keep an area unchanged, or apply a break again. Probably fragile to attempt, but it might be hard to recover from (again needing the hardware SPI programmer).

Keep up the good work! But please don't ask me to help.

Working...