Viceroy's claim that AMD is worth nothing seems to be based purely on the discovery of security flaws in Ryzen and EPYC processors, but also seems to ignore its healthy graphics card and embedded chip businesses.

Earlier this week unknown information security outfit CTS Labs dropped a bombshell. All of AMD's new Ryzen and EPYC processors are vulnerable to one or more new classes of vulnerabilities it dubbed Ryzenfall, Masterkey, Fallout, and Chimera.

As has become the trend when disclosing major security vulnerabilities, CTS Labs disclosed the details of the vulnerabilities on a custom website built for the occasion, AMDflaws.com.

Unlike other security researchers who discover flaws of the magnitude they make it out to be, they only gave AMD a day's warning before going public with their findings.

Following a backlash from the InfoSec community, and the technical community in general, CTS Labs CTO Ilia Luk-Zilberman posted a lengthy explanation for why they didn't choose co-ordinated disclosure.

In short, they think keeping the vulnerability secret for months while a fix is developed puts consumers at risk. They believe that a better way is to inform the company and disclose the existence of the vulnerability at the same time, but not to release technical details until its been fixed.

The main problem in my eyes with this model is that during these 30/45/90 days, it’s up to the vendor if it wants to alert the customers that there is a problem. And as far as I’ve seen, it is extremely rare that the vendor will come out ahead of time notifying the customers – “We have problems that put you at risk, we’re working on it”. Almost always it’s post-factum – “We had problems, here’s the patch – no need to worry”.

The second problem is - if the vendor doesn’t fix it in time – what then? The researcher goes public? With the technical details and exploits? Putting customers at risk? How we have accepted this mode of operation is beyond me, that researchers advertise at the end of the time limit the technical details of the vulnerabilities “because” the vendor didn’t respond. Why should the customers pay for the vendor’s lack of actions. I understand – this is the model today and people follow suit, but I think we can do better.

I think that a better way, would be to notify the public on day 0 that there are vulnerabilities and what is the impact. To notify the public and the vendor together. And not to disclose the actual technical details ever unless it’s already fixed. To put the full public pressure on the vendor from the get go, but to never
put customers at risk.

For contrast, consider that Google Project Zero and other security researchers gave Intel and other chipmakers more than six months to address the Spectre and Meltdown vulnerabilities before disclosing them.

There are several other problems with Luk-Zilberman's argument, but arguing the pros and cons of co-ordinated disclosure is not the purpose of this post.

Let's talk about Viceroy.

Profiting from disaster

Viceroy Research is an organisation that shorts a stock, then releases a report explaining why they shorted the stock. That means they look into companies they think are overvalued on the stock market, bet that their stock price is going to drop, then release a report explaining why they think the company is bad.

They made a name for themselves in South Africa by releasing their detailed findings on Steinhoff as media reports about suspicious dealings at the company surfaced. Their reputation was dinged when they released a scathing report on Capitec Bank, resulting in backlash from the reserve bank and South Africa's investor community.

Now they've taken it a step further and gone after a major company listed on the NASDAQ. Maybe it would have been one thing if they claimed that AMD's stock is heavily overvalued, but they took it to yet another level, claiming that the company is worthless and will have to apply for bankruptcy.

While for many people Viceroy's business model already, understandably, leaves a bad taste in the mouth, its report on AMD was more suspicious than usual. It relied heavily on CTS Labs' disclosures and weighed in at a beefy 25 pages, yet somehow Viceroy was able to publish its analysis of it within hours of release.

A quick check of the of the documents shows that CTS-Labs' white paper detailing the AMD security flaws was timestamped 15:22 on 13 March, while Viceroy's PDF report is timestamped 16:25 that same day. Adobe Acrobat reports the creation date of the AMD Flaws whitepaper as 13:31 on 13 March.

Poor analysis

The problem with how the situation between CTS Labs, AMD, and Viceroy played out is that they appear to have raised legitimate security concerns, but their credibility has been completely undermined.

Several independent security experts said that they were given access to the technical details of the vulnerabilities, along with proof-of-concept exploits, and were able to verify CTS Labs' claims.

While there is no consensus on the severity of the flaws, the fact that the flaws exist don't seem to be in dispute. Ars Technica quoted David Kanter, founder of Real World Technologies, as one voice of moderation in the debate.

All the exploits require root access. If someone already has root access to your system, you're already compromised. This is like if someone broke into your home and they got to install video cameras to spy on you.

While he downplayed the severity of the vulnerabilities, Kanter did say that they were an embarrassment for AMD. Most of them reside in the Platform Secure Processor, which according to AMD is meant to provide a "foundation for platform security" as a "hardware root of trust".

Another security expert that has been widely quoted on this story is the CEO of Trail of Bits, Dan Guido. He said that AMD's Secure Processor is intended to be the one defensible part of the processor.

"The fact that you can upload unsigned code and get it to pass validation and the fact that you can manipulate all the mail slot handlers is not what I would expect as someone who needs to trust this component," said Guido.

However, all this is lost in the noise generated by Viceroy's report. The technologically literate are tripping over themselves to correct the inaccuracies, point out the conflict of interest, and cast aspersions on the CTS Labs report by its assumed association with Viceroy, given how quickly it was able to publish an analysis.

Here's the bottom-line

There is probably a legitimate security flaw in AMD's Secure Platform. It is hugely embarrassing for AMD, especially after its smugness in the whole Spectre/Meltdown affair.

However, Viceroy's assertion that AMD is worthless and on its way to bankruptcy as a result of the CTS Labs disclosures is simply inaccurate.

Allegations have been raised about whether its real intent was to manipulate AMD's stock price. AMD shares climbed to $12.00 on the day of the disclosure, before declining to $11.64 and ending higher compared to the day before. On the 14th AMD's stock tumbled to $11.30, but it climbed back to around $11.50 by close of trade yesterday.

Arguing about Viceroy's intention is a distraction from the fact that it is wrong. Viceroy utterly failed to mention Radeon or AMD's semi-custom business. AMD is more than Ryzen and EPYC.

AMD's Radeon graphics card business has boomed thanks to cryptocurrency mining and it still supplies the chips that power the PlayStation 4 and the Xbox One. (For those who might be wondering, these are chips based on AMD's Jaguar microarchitecture, which is not included in the CTS Labs disclosure.)

Unfortunately AMD doesn't separate its graphics card and semi-custom businesses out, but its last set of results were solid.

To give you an idea, here is a snapshot of its annual and quarterly results at 30 December 2017:

  • Computing and Graphics (Ryzen and Radeon)
    • Net revenue — $3 billion ($958 for the quarter)
    • Operating income — $147 million ($85 million for the quarter)
  • Enterprise, Embedded and Semi-Custom (EPYC, Xbox, and PlayStation)
    • Net revenue — $2.3 billion ($522 million for the quarter)
    • Operating income — $154 million ($19 million for the quarter)

For Viceroy to write off the whole company is premature and ignorant at best, and malicious at worst. That said, in situations like these I like to remember Heinlein's Razor, my favourite butchering of Hanlon's Razor:

Never attribute to malice that which can be adequately explained by stupidity. But don't rule out malice.