AMD and Google have announced an intricate, high-level collaboration on cybersecurity research for AMD’s server-class EPYC CPUs, a collaboration that has now been running for five years. According to Wired, the partnership leveraged two Google Cloud Security research teams along with Google’s Project Zero (a cybersecurity research arm within the company) and AMD’s firmware group.
The goal was to test AMD’s security hardware and processors through seemingly unprecedented access to AMD’s source code and security mechanisms. In the post-mortem collaboration report (ongoing), the partnership announced the discovery and implementation of mitigation for 19 security vulnerabilities in total. That’s 19 fewer attack vectors on one of the world’s most successful server architectures.
Researchers focused their efforts primarily on AMD’s Secure Processor (ASP) implemented in AMD’s third-generation EPYC in Milan. Google engineers had access to the source code for the ASP, along with production samples to test the hardware attacks. Of particular interest to Google was AMD’s next-generation implementation of Secure Nested Paging (SEV-SNP), a feature that allows virtual machines (VMs) to remain confidential from the hypervisor itself. The engineering teams examined the design and implementation of SEV’s source code, wrote custom test code, and performed hardware security tests, attempting to identify any vulnerabilities that emerged.
Brent Hollingsworth, director of AMD’s EPYC software ecosystem, stressed that the partnership has brought together AMD and Google’s best and brightest, opening the way to previously unknown attack vectors and pushing creativity on attack levels, whether they are based on software or hardware.
As the “chip-in-the-chip” responsible for cryptographic data encryption, AMD’s ASP is a generic processor “core” whose functionality can be developed by AMD and its hardware and firmware design teams. But with every additional layer of security comes the ability to add attack vectors against this centralized security mechanism, a potentially serious point of failure that can throw entire system security out of the proverbial window (with root access invisibility). ) should it be compromised.
It is at this level of impact that the AMD-Google partnership was formed; According to Nelly Porter, Google Cloud’s group product manager, the goal isn’t to point the finger or call out AMD’s vulnerabilities – it’s a combined and collaborative effort by companies to strengthen their defenses against increasingly creative and technically skilled attackers. Cyber security has always been seen as a step backwards against those who would violate it; both AMD and Google want to be at the forefront of efforts to reverse the game.
The partnership was primarily motivated by Google’s offering of its Confidential Computing services, which aim to keep customer data encrypted at all times, whether at rest, in transit, or while processing. As a result of the growing reliance on cloud computing services (ranging from classic workload offloading to cloud, cloud gaming, or even cloud-based operating systems like Microsoft’s Windows 365 Cloud), the risk posed by potential vulnerabilities in security infrastructure could give rise to billions of dollars in losses. Considering AMD’s part in the research effort, the company is well aware of the benefits that can be drawn from both companies’ experience in improving their products.
The audit could show a necessary shift from the “hidden secrets” approach that companies are known to adopt regarding their products and intellectual property security. As cybersecurity incidents have exploded in number, impact and complexity in recent years, the impact of successful attacks only tends to increase. The news also comes at a time when ransomware groups are showing increasing activity: cybersecurity firm Secureworks recently called the world’s attention to the apparent resurgence of hacker group REvil.
Cybersecurity is one of the most important endeavors in the world, following the near-complete digitization of services, money (whether in traditional FIAT-based bank accounts or the currently bloody and crimson streets of cryptocurrency and DeFi) and global infrastructure. Flip one binary towards zero can potentially flip globalization and the economy around the world. And it is something that no company or individual wants to experience.