Lawfare’s Nicholas Weaver reports on the CHIMERA computer vulnerability:
But CHIMERA, unlike the others, is a series of vulnerabilities not in the processor but instead in the “chipset”—the separate component in a computer that acts to interface all the peripherals (USB devices, network, speakers, etc.) to the computer’s central processing unit (CPU). AMD did not design their own chipset. Instead they contracted ASMedia, a Taiwanese company, to design and build it for them.
The chipset itself has privileged permissions, meaning that it’s able to read and write all of the computer’s memory—including the memory that is supposed to be otherwise off limits. Attackers can access the chipset by taking control of the computer’s operating system. And if they can then take over the chipset, they can bypass the last-line protections shielding the computer’s memory from interference. Because this includes the secure regions of the computer, which are supposed to be protected from even the operating system, a chipset compromised by an attacker can evade even those last defenses. Evading these defenses allows the attacker to read cryptographic keys or other secure secrets which are supposed to be protected against even an operating-system compromise.
Only a few high-security users actually take advantage of these features, and these defenses only come into play once the operating system is already compromised, so the overall impact for most is minor. But for those few high-security users, it’s a concern. Attackers with access to those cryptographic keys could access whatever secrets were protected by that last measure of security. This may include allowing them to read encrypted messages, impersonate the computer’s server to others, access authentication tokens in order to login to other computers, and more.
As a software engineer, let me just say Gah! Who let these guys have unrestrained access to memory? That’s a broken hand offense, as in we find the guy who let this happen and break his hand a few times.
And who’s the designer and implementer of the chip set? Not AMD, who sells the entire package of CPU and chipset. Their chipset designer and supplier is ASMedia of Taiwan. Back to Nicholas:
Supply chain attacks are a significant threat to U.S. national security, as many of the components of our computers are made overseas. A rogue manufacturer or government could easily compromise huge swaths of our computing infrastructure by sabotaging the products we buy. And there is a significant possibility CHIMERA might be an effort to do just that.
CTS labs needs to provide more details establishing whether CHIMERA is indeed a set of deliberate backdoors. If it is, that should trigger a significant investigation by the United States. A supply chain attack of this power would be one of the most significant cyberattacks ever. And if we want to defend against such attacks, or even attempts to disguise such attacks as accidents, we need a full accounting.
And if I may cross-pollinate from a recent decision by the Trump Administration:
The threat of China factored heavily into the U.S. government’s decision to block Broadcom’s proposed buyout of Qualcomm.
President Donald Trump, for his part, officially declared on Monday that the proposed $117 billion deal was prohibited on national security grounds. The president said in his order that “there is credible evidence” leading him to believe that Broadcom through control of San Diego-based Qualcomm “might take action that threatens to impair the national security of the United States.”
That conclusion may seem extreme given that Broadcom is based in Singapore — and looking to redomicile to the U.S., where it conducts most of its operations — but it’s not a fear of the Southeast Asian city state that is raising national security concerns. [CNBC]
Regardless of Broadcom’s stated intentions about moving, this is one of the few decisions by the Trump Administration with which I agree – even if it turns out that Trump’s motives are nefarious, rather than security-driven. Many technology suppliers can easily be subverted by autocratic nations overseas (heck, we have been known to try that ourselves), and while Broadcom may be based in Singapore, the truth of the matter is that it’s not all that hard for a company to fly a flag of convenience, to borrow an old maritime term.
And there is no doubt there is some value to having world leaders in critical technologies dwelling within our national borders. The world is not a free market, and while a strict free marketer would dispute any notion that the United States has a free market, we are freer than most. Selling decisions, supply decisions, technology subversion ….
It’s rough world out there, baby, and sometimes the market has to taken a back seat to security requirements.