How To Make Any AMD Zen CPU Always Generate 4 As a Random Number

'Google security researchers have discovered a way to bypass AMD's security, enabling them to load unofficial microcode into its processors and modify the silicon's behaviour at will. To demonstrate this, they created a microcode patch that forces the chips to always return 4 when asked for a random number. Beyond simply allowing Google and others to customize AMD chips for both beneficial and potentially malicious purposes, this capability also undermines AMD's secure encrypted virtualization and root-of-trust security mechanisms.'

-- source: https://it.slashdot.org/story/25/02/09/2021244

Cheers, Peter

On Mon, 10 Feb 2025 15:09:06 +1300, Peter Reutemann quoted:
' ... this capability also undermines AMD's secure encrypted virtualization and root-of-trust security mechanisms.'
No single source of random numbers should ever be considered entirely trustworthy. But if you can combine a bunch of them, in such a way that, as long as at least one of them can still be trusted (you don’t have to know which one(s)), the results will be good, then that makes any attacker’s job that much harder. This is the basis behind Fortuna <https://en.wikipedia.org/wiki/Fortuna_(PRNG)>.
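
The combining idea from the message above, as an added example that is not part of the original thread: a simplified hash combiner (not Fortuna itself, which adds entropy pools and reseeding) fed by a constructed stand-in for a hardware RNG stuck at 4. All function names are hypothetical.

```python
import hashlib
import os
import time


def stuck_hw_rng(n: int) -> bytes:
    """Constructed stand-in for a hardware RNG patched to always return 4."""
    return bytes([4]) * n


def os_rng(n: int) -> bytes:
    """The operating system's CSPRNG."""
    return os.urandom(n)


def timing_jitter(n: int) -> bytes:
    """Weak source: low bits of a high-resolution timer."""
    return bytes(time.perf_counter_ns() & 0xFF for _ in range(n))


def combine(sources, n: int = 32) -> bytes:
    """Hash n bytes from every source into one 32-byte seed.

    Predicting the seed requires knowing every input, so one good source
    is enough. Assumes the sources are independent: a source that can
    observe the others before answering could still bias the result.
    """
    h = hashlib.sha256()
    for index, source in enumerate(sources):
        chunk = source(n)
        # Tag and length-prefix each contribution so bytes from one source
        # cannot be reinterpreted as belonging to another.
        h.update(index.to_bytes(4, "big"))
        h.update(len(chunk).to_bytes(4, "big"))
        h.update(chunk)
    return h.digest()


if __name__ == "__main__":
    print("only the stuck source:", combine([stuck_hw_rng]).hex())
    print("stuck + jitter + OS  :", combine([stuck_hw_rng, timing_jitter, os_rng]).hex())
```

With only the stuck source the seed is identical on every call; adding one sound source makes it change each time, without the combiner needing to know which source is the sound one.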

On Mon, Feb 10, 2025 at 03:09:06PM +1300, Peter Reutemann wrote:
'Google security researchers have discovered a way to bypass AMD's security, enabling them to load unofficial microcode into its processors and modify the silicon's behaviour at will. To demonstrate this, they created a microcode patch that forces the chips to always return 4 when asked for a random number.
Beyond simply allowing Google and others to customize AMD chips for both beneficial and potentially malicious purposes, this capability also undermines AMD's secure encrypted virtualization and root-of-trust security mechanisms.'
The reference in the original article to the obligatory xkcd comic strip is missing. It is: https://xkcd.com/221/

We once had a PhD student who did exactly that. He generated one random number and used that one number in every place he needed a random number throughout his complete simulation! Sigh.

Cheers,
Michael.

participants (3)
- Lawrence D'Oliveiro
- Michael Cree
- Peter Reutemann