• Re: Zen Microcode

    From John Dallman@21:1/5 to Ormandy on Thu Mar 6 09:36:00 2025
    In article <m2s3p6F12efU1@mid.individual.net>, taviso@gmail.com (Tavis
    Ormandy) wrote:

    > This might be interesting to regulars here, the scheme used by AMD
    > to verify microcode patches are authentic was much weaker than
    > intended. It turns out you can actually load your own patches.

    Oh, great. A new attack route for malware.

    John

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From MitchAlsup1@21:1/5 to All on Fri Mar 7 20:29:26 2025
    A "good try" at encryption is what engineers show management
    in order to claim they know what they are doing {{even when
    they really don't}}.

    I was in the meetings where the AMD architecture team discussed
    this "security issue" and I can name names.

  • From Lawrence D'Oliveiro@21:1/5 to BGB on Thu Apr 3 07:47:42 2025
    On Sun, 9 Mar 2025 16:20:10 -0500, BGB wrote:

    > In the latter case, the encryption would often be something like XOR'ing
    > with a bit pattern or a Caesar cipher or similar.

    XOR is perfectly fine as an encryption technique, provided that the
    sequence being XORed with is sufficiently strongly pseudorandom.

    This is known as a “stream” cipher. Basically, any “block” cipher can be
    turned into a stream cipher by using it to generate the XOR sequence.

  • From John Savard@21:1/5 to Lawrence D'Oliveiro on Fri Jun 27 15:46:45 2025
    On Thu, 03 Apr 2025 07:47:42 +0000, Lawrence D'Oliveiro wrote:

    > XOR is perfectly fine as an encryption technique, provided that the
    > sequence being XORed with is sufficiently strongly pseudorandom.
    >
    > This is known as a “stream” cipher. Basically, any “block” cipher can be
    > turned into a stream cipher by using it to generate the XOR sequence.

    One threat exists with using XOR, even with a good sequence. If you have a
    way of already knowing what the plaintext is, you will know which bits to
    invert in order to forge a different message.

    Also, "sufficiently strongly pseudorandom" would normally mean having good
    statistical properties, resembling those of a genuine random sequence.
    That's not the same as cryptosecure. A sequence could be ideal from that
    point of view, and yet completely predictable. For example, produce your
    stream by the XOR of the binary digits of pi with a linear congruential
    generator. That eliminates the statistical flaws of the linear
    congruential generator, but since everybody knows pi, it's still not
    secure.

    John Savard
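
    The known-plaintext point in the post above, as an added example that is not part of the thread: an XOR stream gives confidentiality but no integrity, and an encrypt-then-MAC tag is what makes a receiver reject altered bits. The SHA-256 counter keystream, the function names and the sample messages are constructed for illustration, and each key is assumed to be used for one message only.

```python
import hashlib
import hmac

def keystream(key: bytes, n: int) -> bytes:
    """Constructed stand-in stream: SHA-256(key || counter), truncated to n bytes."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR stream encryption; decryption is the same operation."""
    return xor_bytes(plaintext, keystream(key, len(plaintext)))

decrypt = encrypt

def rewrite_without_key(ct: bytes, known: bytes, wanted: bytes) -> bytes:
    """C' = C xor P xor P'. The keystream cancels, so no key is involved."""
    if not (len(ct) == len(known) == len(wanted)):
        raise ValueError("lengths must match")
    return xor_bytes(ct, xor_bytes(known, wanted))

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes):
    """Encrypt-then-MAC: the tag covers the ciphertext under a separate key."""
    ct = encrypt(enc_key, plaintext)
    return ct, hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, ct: bytes, tag: bytes):
    """Return the plaintext, or None when the ciphertext was altered."""
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decrypt(enc_key, ct)

# Constructed sample data.
ENC_KEY, MAC_KEY = b"enc-key-demo", b"mac-key-demo"
ORIGINAL = b"pay alice 0100 usd"
ALTERED = b"pay alice 9900 usd"

if __name__ == "__main__":
    bare = rewrite_without_key(encrypt(ENC_KEY, ORIGINAL), ORIGINAL, ALTERED)
    print("XOR only, receiver decrypts:", decrypt(ENC_KEY, bare))
    ct, tag = seal(ENC_KEY, MAC_KEY, ORIGINAL)
    tampered = rewrite_without_key(ct, ORIGINAL, ALTERED)
    print("with MAC, receiver gets:", open_sealed(ENC_KEY, MAC_KEY, tampered, tag))
```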
