HoTWiReZ's DoMaiN Forum Index HoTWiReZ's DoMaiN
HoTWiReZ's FoRuM


US-CERT Takes AMD To Task On Driver Security

 
News BoT (RSS Feed)
Posted: Fri Jun 08, 2012 4:00 pm    Post subject: US-CERT Takes AMD To Task On Driver Security

In a bit of an odd move, the US Computer Emergency Readiness Team (US-CERT) has posted a vulnerability report and a blog post taking AMD to task over their drivers and the impact on system security. As the United States’ de-facto internet security agency – a public-private organization under the control of the DHS – US-CERT is both a front-line organization for developing responses to cybersecurity threats and on a more typical day is responsible for organizing and publishing reports and notices about computer system vulnerabilities. So while it’s common for US-CERT to publish information regarding specific vulnerabilities, it’s much less common for them to get involved with general security weaknesses.

So what has drawn US-CERT’s attention? It turns out that AMD’s drivers don’t properly behave with/support a vulnerability mitigation feature called Address Space Layout Randomization (ASLR). ASLR serves to make it harder for software vulnerabilities to be exploited by randomizing certain program structures in memory, so that the addresses of these structures cannot reliably be predicted and attacked. Although not undefeatable, ASLR can reduce a number of different types of attacks from a system-owning exploit into a program crash that keeps the system secure. In other words ASLR can’t fix the underlying vulnerabilities in programs, but it can help mitigate the problem so that a proper fix can be instituted.

Because of the chaotic nature of ASLR not every program (particularly legacy programs) can work with it, and for that reason since its introduction in Windows Vista in 2006 ASLR has been a per-program feature that is only enabled with applications that are flagged as being compatible. However because most applications can handle it just fine, systems requiring higher security can use the Enhanced Mitigation Experience Toolkit (EMET) to enable ASLR across the system, which forcibly activates ASLR for all programs.

It’s this last bit that has caught the US-CERT’s attention. As it stands AMD’s video drivers are not ASLR compatible. Turning on ASLR will cause AMD’s drivers to crash, making always-on ASLR unusable on systems using AMD’s drivers.

From a practical perspective this isn’t an issue that affects more than a handful of users. Unlike DEP it’s not something that can be turned on from within Windows, so even technical users like ourselves almost never have ASLR in always-on mode. However for governments and other high value institutions this means they’re forced to choose between AMD hardware and ASLR, which is not something they want to be worrying about. Furthermore it’s been the long-standing goal of computer security organizations to get OSes and programs to a state where ASLR can be enabled globally for every user, a very messy transition that is held back by programs and drivers that are still not ASLR compatible.

Drivers in turn are of particular concern here because of how they interact with the Windows kernel, with video drivers in particular having high access levels for performance purposes, a position that will only become more entrenched as GPUs continue to become more CPU-like and more important to even fundamental computing. All of this is compounded by the fact that AMD has already been in the spotlight for security vulnerabilities as their drivers were found to have a security exploit in 2007.

Ultimately the US-CERT is looking to apply pressure to AMD to get them to finally make their drivers ASLR compatible, even going so far as to specifically test and name Intel and NVIDIA as having ASLR compatible drivers in the vulnerability note. Having an arm of the US Government breathing down your neck does tend to get results, doubleplus so since the US Government is also a massive IT buyer. In the meantime typical computer users have nothing to be concerned about – and this is the important part for most of us – but it’s unfortunate that AMD has let themselves end up in this situation in the first place.

Source: Slashdot


Source: AnandTech
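
The per-program compatibility flag the article mentions is stored in each Windows PE image's header (the `IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` bit, set by the linker's `/DYNAMICBASE` option). The following is an added example, not part of the original post or of US-CERT's note: a Python check that reads that bit so an administrator can list which binaries have not opted in before forcing ASLR system-wide. The sample headers and file names are constructed for the demonstration.

```python
import struct

# Constants from the Microsoft PE/COFF specification.
DYNAMIC_BASE = 0x0040     # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: image opts in to ASLR
RELOCS_STRIPPED = 0x0001  # IMAGE_FILE_RELOCS_STRIPPED: image cannot be rebased


def aslr_status(image: bytes) -> str:
    """Return 'opted-in', 'not-opted-in' or 'not-relocatable' for a PE image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    if len(image) < coff + 20 + 72:
        raise ValueError("truncated headers")
    opt_size, file_chars = struct.unpack_from("<HH", image, coff + 16)
    (magic,) = struct.unpack_from("<H", image, coff + 20)
    if magic not in (0x10B, 0x20B) or opt_size < 72:  # PE32 / PE32+
        raise ValueError("unsupported optional header")
    # DllCharacteristics sits at offset 70 of the optional header in both formats.
    (dll_chars,) = struct.unpack_from("<H", image, coff + 20 + 70)
    if dll_chars & DYNAMIC_BASE:
        return "opted-in"
    if file_chars & RELOCS_STRIPPED:
        return "not-relocatable"
    return "not-opted-in"


def build_sample(dll_chars: int, file_chars: int = 0x0022) -> bytes:
    """Constructed minimal PE32+ header (not a loadable file) for the demo."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 72, file_chars)
    opt = struct.pack("<H", 0x20B) + b"\0" * 68 + struct.pack("<H", dll_chars)
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    samples = {  # hypothetical file names, constructed headers
        "flagged.dll": build_sample(0x0140),
        "legacy.dll": build_sample(0x0000),
        "stripped.exe": build_sample(0x0000, 0x0023),
    }
    for name, data in samples.items():
        print(f"{name}: {aslr_status(data)}")
```

To audit real files, pass the first few kilobytes of each binary to `aslr_status`; anything other than `opted-in` is a module to test before enabling always-on ASLR.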