CTS Labs, a heretofore unknown Tel Aviv-based cybersecurity startup, has claimed it’s found over a dozen security problems with AMD Ryzen and EPYC processors. Linus Torvalds, Linux’s creator, doesn’t buy it.
Torvalds, in a Google+ discussion, wrote:
“When was the last time you saw a security advisory that was basically ‘if you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?’ Yeah.”
Or, as a commenter put it on the same thread, “I just found a flaw in all of the hardware space. No device is secure: if you have physical access to a device, you can just pick it up and walk away. Am I a security expert yet?”
They’ve got a point.
CTS Labs sprang out of nowhere to give AMD less than 24 hours to address these “problems.”
The startup has jazzed up its discoveries with a research paper, a video describing the vulnerabilities, and, of course, fancy names for them: Ryzenfall, Master Key, Fallout, and Chimera.
Why would they possibly do this? For Torvalds: “It looks more like stock manipulation than a security advisory to me.”
These are real bugs, though. Dan Guido, CEO of Trail of Bits, a security company with a proven track record, tweeted: “Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works.” But, Guido also admitted, “Yes, all the flaws require admin [privileges] but all are flaws, not expected functionality.”
It’s that last part that ticks Torvalds off. The Linux creator agrees these are bugs, but all the hype annoys the heck out of him.
Are there bugs? Yes. Do they matter in the real world? No.
For them to work, a system administrator would have to be almost criminally negligent. To Torvalds, inflammatory security reports are annoying distractions from getting real work done.
This is far from the first such case. A recent Linux “vulnerability,” Chaos, required the attacker to have the root password. News flash: If an attacker has the root password, your system is already completely hosed. Everything else is just details.
Torvalds believes “it’s the security industry that has taught everybody to not be critical of their findings.”
He also thinks “there are real security researchers.” For many of the rest, it’s all about hyping even the most minor security bug. In Torvalds’ words: “A catchy name and a website is almost required for a splashy security disclosure these days.”
Torvalds thinks “security people need to understand that they look like clowns because of it. The whole security industry needs to just admit that they have a lot of sh*t going on, and they should use — and encourage — some critical thinking.”
This rant is far from the first time Torvalds has snarled at people or companies for focusing too much on what he sees as the wrong end of security.
As he wrote on the Linux Kernel Mailing List (LKML) in 2008: “I refuse to bother with the whole security circus … It makes ‘heroes’ out of security people, as if the people who don’t just fix normal bugs aren’t as important. In fact, all the boring normal bugs are _way_ more important, just because there’s a lot more of them. I don’t think some spectacular security hole should be glorified or cared about as being any more ‘special’ than a random spectacular crash due to bad locking.”
More recently, he doubled down on this position, saying last year about a proposed Linux kernel change, “Some security people have scoffed at me when I say that security problems are primarily ‘just bugs’. Those security people are f**king morons.”
What Torvalds really wants from security programmers and researchers, as he spelled out recently, is:
- the first step should *ALWAYS* be “just report it.” Not killing things, not even stopping the access. Report it. Nothing else.
- “Do no harm” should be your mantra for any new hardening work.
Do that, and you’ll make Torvalds, and a lot of other people who care about practical security, much happier.