4 is the Randomest Number Ever (Sort Of)
Google researchers have figured out how to break AMD’s processor security, allowing them to load any processor microcode of their choosing.
They demonstrated this by loading microcode that had the chip produce the number 4 every time when asked for a random number.
In theory, only AMD (for their chips) or Intel (for theirs) should be able to update their microcode for obvious reasons.
AMD doesn’t document how their microcode works since they consider it a trade secret. That, apparently, didn’t stop Google from figuring out how to load bogus microcode.
The Google folks released a proof-of-concept microcode update for the Milan family of Epyc chips and also for Ryzen 9 chips. The demo makes the Read Random instruction (RDRAND) ALWAYS output the number four when someone asks for a random number.
Random numbers are crucial to encryption, among other functions, so if random numbers are no longer random, encryption no longer encrypts anything.
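To make that concrete from the defender's side, here is a small sanity check that samples RDRAND and flags output that repeats, which is what the demo microcode would produce. This is an added example, not code from Google or AMD; the function names, verdict names and the 16-sample batch size are this example's own choices, and it assumes GCC or Clang on x86-64.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#if defined(__x86_64__)
#include <cpuid.h>
#endif

enum rng_verdict { RNG_OK, RNG_REPEATS, RNG_STUCK }; /* names are this example's own */

/* Constructed sample: what the demo microcode described above would return. */
const uint64_t DEMO_STUCK[4] = {4, 4, 4, 4};

/* All values identical -> RNG_STUCK; any duplicate -> RNG_REPEATS (a repeat
 * among a handful of sound 64-bit values is astronomically unlikely);
 * otherwise RNG_OK. Fewer than two samples cannot be judged and pass. */
enum rng_verdict classify_samples(const uint64_t *s, size_t n) {
    int all_same = (n > 1), dup = 0;
    for (size_t i = 1; i < n; i++) {
        if (s[i] != s[0]) all_same = 0;
        for (size_t j = 0; j < i; j++)
            if (s[i] == s[j]) dup = 1;
    }
    if (all_same) return RNG_STUCK;
    return dup ? RNG_REPEATS : RNG_OK;
}

/* Fill out[] from RDRAND. Returns how many values were delivered; 0 if the
 * CPU does not advertise RDRAND or this is not an x86-64 build. */
size_t sample_rdrand(uint64_t *out, size_t n) {
#if defined(__x86_64__)
    unsigned a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d) || !(c & (1u << 30))) return 0; /* CPUID.1:ECX bit 30 */
    size_t got = 0;
    while (got < n) {
        unsigned char ok = 0;
        for (int t = 0; t < 10 && !ok; t++) /* CF=0 means no value was delivered: retry */
            __asm__ volatile("rdrand %0; setc %1" : "=r"(out[got]), "=qm"(ok) : : "cc");
        if (!ok) break;
        got++;
    }
    return got;
#else
    (void)out; (void)n; return 0;
#endif
}

int main(void) {
    uint64_t s[16];
    if (sample_rdrand(s, 16) < 16) { puts("RDRAND unavailable or failing"); return 2; }
    enum rng_verdict v = classify_samples(s, 16);
    puts(v == RNG_OK ? "RDRAND samples are distinct" : "RDRAND output repeats: do not trust it");
    return v != RNG_OK;
}
```

A check like this only catches crude failures such as a constant value; microcode that returned distinct but predictable numbers would pass it.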
If an adversary figures out how to exploit this weakness in, say, a data center with thousands of vulnerable servers, you can see that is not good.
Microcode is supposed to be digitally signed, but apparently Google figured out a way to fool AMD’s authentication process.
The process works on Zen generation 1 through 4 processor chips.
The only good news is that the attack will not work in a virtual machine; the attacker needs kernel-level (ring 0) access at the host level. If the hacker already has that, it is, as a friend of mine used to say, game over!
AMD thanked the researchers. Sure. I am sure AMD had some words in private that are not fit for public consumption.
Credit: The Register