A Backdoor In AMD's Catalyst OpenCL Library?


  • #46
    Doesn't look much like a keylogger or a phone home

    Originally posted by Idonotexist
    Here, as well as in PasteBin http://pastebin.com/iaFnmDNW, is my decompilation of that 32-bit x86 assembler code.

    Code:
    /*
    ebp+0x10: arg1
    ebp+0xC:  alignmentPadding?
    ebp+0x8:  arg0
    ebp+0x4:  __return_address
    ebp+0x0:  __old_base_pointer
    ebp-0x4:  
    */
    
    /* DWORD is read here as a pointer type (an assumption, see the note
       after the listing); the osMemState* callees are declared so that
       the fragment compiles as C. */
    typedef void *DWORD;
    unsigned char osMemStateDifferent(DWORD a, DWORD b);
    unsigned char osMemStateDumpAllObjectsSince(DWORD p);
    unsigned char osMemStateCheckPoint(DWORD p);
    
    int osTestBackdoorATI(int arg0, DWORD* arg1){
        //prologue
        //push ebx
        //esp -= 0x74
        
        //load arg0 into edx
        //do damage to ebx with __i686.get_pc_thunk.bx
        //load arg1 into ecx
        
        if(arg0 == 1){//goto osTestBackdoorATI+96;
            return (unsigned)(unsigned char)
                osMemStateDifferent(arg1[0], arg1[1]);
        }else if(arg0 == 2){//goto osTestBackdoorATI+72;
            return (unsigned)(unsigned char)
                osMemStateDumpAllObjectsSince(arg1[0]);
        }else if(arg0 == 0){//goto osTestBackdoorATI+48;
            return (unsigned)(unsigned char)
                osMemStateCheckPoint(arg1[0]);
        }else{
            return 0;
        }
        
        //esp += 0x74
        //pop ebx           REPLICATED BEFORE EACH RETURN STATEMENT
        //epilogue
    }
    Where DWORD is, with high likelihood, a pointer type.

    I remain thoroughly unconvinced by the hyperventilation about backdoor spying here. This looks like a legitimate multiplex API to debug and checkpoint the state of the implementation.
    I don't see anything in this that looks like an IP address or a URL, the sort of thing the kind of backdoor I worry about would have to include. If there was one in Catalyst, it would have to be elsewhere, but AMD would be nuts to risk such a thing existing and being discovered. They are not Intel and cannot tell their customers to put up or shut up.



    • #47
      Originally posted by svanheulen
      And now, for those who prefer a less sensationalist news source...

      Note how you haven't seen such outrageous claims by known and reputable sources. I don't doubt MS has a lot of cooperation with government agencies, and like any sane person I'm not going to justify that, but to be fair it's not like they have much of a choice. Look at what happened to Lavabit and others.



      • #48
        Complete decompilation

        It's confirmed: under the light assumption of no self-modifying code, there is no back door.

        Here is the disassembly of all machine code reachable from the function "osTestBackdoorATI", for the latest Linux Catalyst 13.12 x86-64 version from here (http://www2.ati.com/drivers/linux/am...x86.x86_64.zip).

        Code:
        libamdocl64.so:     file format elf64-x86-64
        
        
        Disassembly of section .text:
        
        000000000074f270 <osTestBackdoorATI>:
          74f270:       48 83 ec 38             sub    $0x38,%rsp
          74f274:       83 ff 01                cmp    $0x1,%edi
          74f277:       74 47                   je     74f2c0 <osTestBackdoorATI+0x50>
          74f279:       83 ff 02                cmp    $0x2,%edi
          74f27c:       74 2a                   je     74f2a8 <osTestBackdoorATI+0x38>
          74f27e:       31 c0                   xor    %eax,%eax
          74f280:       85 ff                   test   %edi,%edi
          74f282:       74 0c                   je     74f290 <osTestBackdoorATI+0x20>
          74f284:       48 83 c4 38             add    $0x38,%rsp
          74f288:       c3                      retq   
          74f289:       0f 1f 80 00 00 00 00    nopl   0x0(%rax)
          
          74f290:       48 8b 3a                mov    (%rdx),%rdi
          74f293:       e8 08 39 00 00          callq  752ba0 <osMemStateCheckPoint>
          74f298:       48 83 c4 38             add    $0x38,%rsp
          74f29c:       0f b6 c0                movzbl %al,%eax
          74f29f:       90                      nop
          74f2a0:       c3                      retq   
          74f2a1:       0f 1f 80 00 00 00 00    nopl   0x0(%rax)
          
          74f2a8:       48 8b 3a                mov    (%rdx),%rdi
          74f2ab:       e8 10 39 00 00          callq  752bc0 <osMemStateDumpAllObjectsSince>
          74f2b0:       48 83 c4 38             add    $0x38,%rsp
          74f2b4:       0f b6 c0                movzbl %al,%eax
          74f2b7:       c3                      retq   
          74f2b8:       0f 1f 84 00 00 00 00    nopl   0x0(%rax,%rax,1)
          74f2bf:       00 
          
          74f2c0:       48 8b 72 08             mov    0x8(%rdx),%rsi
          74f2c4:       48 8b 3a                mov    (%rdx),%rdi
          74f2c7:       e8 e4 38 00 00          callq  752bb0 <osMemStateDifferent>
          74f2cc:       48 83 c4 38             add    $0x38,%rsp
          74f2d0:       0f b6 c0                movzbl %al,%eax
          74f2d3:       c3                      retq   
          74f2d4:       66 66 66 2e 0f 1f 84    data32 data32 nopw %cs:0x0(%rax,%rax,1)
          74f2db:       00 00 00 00 00
        
        ...
        
        0000000000752ba0 <osMemStateCheckPoint>:
          752ba0:       31 c0                   xor    %eax,%eax
          752ba2:       c3                      retq   
          752ba3:       66 66 66 66 2e 0f 1f    data32 data32 data32 nopw %cs:0x0(%rax,%rax,1)
          752baa:       84 00 00 00 00 00 
        
        0000000000752bb0 <osMemStateDifferent>:
          752bb0:       31 c0                   xor    %eax,%eax
          752bb2:       c3                      retq   
          752bb3:       66 66 66 66 2e 0f 1f    data32 data32 data32 nopw %cs:0x0(%rax,%rax,1)
          752bba:       84 00 00 00 00 00 
        
        0000000000752bc0 <osMemStateDumpAllObjectsSince>:
          752bc0:       31 c0                   xor    %eax,%eax
          752bc2:       c3                      retq   
          752bc3:       66 66 66 66 2e 0f 1f    data32 data32 data32 nopw %cs:0x0(%rax,%rax,1)
          752bca:       84 00 00 00 00 00


        And here is the corresponding hand-decompiled C, which was a joke to obtain.


        Code:
        typedef void* DWORD;// Guessing the arguments are void* pointers.
        
        // Forward declarations: the three callees are defined after their caller,
        // and C requires them to be declared before use.
        unsigned char osMemStateDifferent(DWORD* a, DWORD* b);
        unsigned char osMemStateDumpAllObjectsSince(DWORD* p);
        unsigned char osMemStateCheckPoint(DWORD* p);
        
        int osTestBackdoorATI(int arg0, void* arg1, DWORD* arg2){
            (void)arg1;// Arrives in %rsi but is never read.
            switch(arg0){
            case 1:  return osMemStateDifferent          (arg2[0], arg2[1]);
            case 2:  return osMemStateDumpAllObjectsSince(arg2[0]);
            case 0:  return osMemStateCheckPoint         (arg2[0]);
            default: return 0;
            }
        }
        
        // Release-build bodies: each compiles to just `xor %eax,%eax; retq`.
        unsigned char osMemStateDifferent(DWORD* a, DWORD* b){
            (void)a; (void)b;
            return 0;
        }
        
        unsigned char osMemStateDumpAllObjectsSince(DWORD* p){
            (void)p;
            return 0;
        }
        
        unsigned char osMemStateCheckPoint(DWORD* p){
            (void)p;
            return 0;
        }
        In all likelihood the "osMemState*" functions have a body that is protected by an #ifdef DEBUG of some kind, and for release builds a "return 0" statement is substituted. This may explain the unused argument arg1.



        • #49
          Originally posted by chuckula
          ...When thinking about Intel vs. AMD here's the easiest way to frame the question: "Would my machine even boot if I stripped out all the Linux code contributed by company X". If you strip out AMD's contributions, then even on an AMD box your machine would still boot fine (you might lose GPU drivers if you use open-source AMD drivers). If you strip out all the Intel-contributed code, your AMD box wouldn't even come close to completing a boot sequence.
          AMD is apparently a Gold Member in the Linux Foundation. Intel is higher by being Platinum though, but don't give the illusion that AMD contributes barely anything at all.



          • #50
            Originally posted by mlkj
            A compiler would never generate empty functions like that. Not unless you disabled ~every optimisation.
            So what you're saying is it may have been compiled with Delphi?



            • #51
              Originally posted by Espionage724
              AMD is apparently a Gold Member in the Linux Foundation. Intel is higher by being Platinum though, but don't give the illusion that AMD contributes barely anything at all.
              Platinum looks more like a "We just want a huge logo above everybody else"-club anyway, and upon first glance I see ARM and Canonical (and Nvidia teehee) as only Silver members, but to be completely honest I don't think that page is a rank of how much they contribute (in things other than money) or anything like that.

              Intel and Nvidia fanboys can bash AMD as much as they want, but I'd love to see what they'd think if AMD actually didn't exist. That'd result in Intel having a monopoly on the CPU market and Nvidia having a monopoly on the GPU market: Intel and Nvidia NEED AMD to be successful, and without AMD even if there weren't any legal problems with holding a monopoly, there'd be consumer problems: i3 CPUs costing $1000, GTX x50 model number GPUs costing $1000, motherboards costing $2000, and no work being done to improve any products since there's no need.


              Michael, you can't honestly tell me that had this been for Nvidia you wouldn't have waited for a response from them before opening your mouth. If you want AMD to send you shit, show you can be an objective and unbiased person...



              • #52
                Originally posted by Idonotexist
                It's confirmed: under the light assumption of no self-modifying code, there is no back door.

                Here is the disassembly of all machine code reachable from the function "osTestBackdoorATI", for the latest Linux Catalyst 13.12 x86-64 bit version from here (http://www2.ati.com/drivers/linux/am...x86.x86_64.zip).

                Code:
                libamdocl64.so:     file format elf64-x86-64
                
                
                Disassembly of section .text:
                
                
                0000000000752ba0 <osMemStateCheckPoint>:
                  752ba0:       31 c0                   xor    %eax,%eax
                  752ba2:       c3                      retq   
                  752ba3:       66 66 66 66 2e 0f 1f    data32 data32 data32 nopw %cs:0x0(%rax,%rax,1)
                  752baa:       84 00 00 00 00 00 
                
                0000000000752bb0 <osMemStateDifferent>:
                  752bb0:       31 c0                   xor    %eax,%eax
                  752bb2:       c3                      retq   
                  752bb3:       66 66 66 66 2e 0f 1f    data32 data32 data32 nopw %cs:0x0(%rax,%rax,1)
                  752bba:       84 00 00 00 00 00 
                
                0000000000752bc0 <osMemStateDumpAllObjectsSince>:
                  752bc0:       31 c0                   xor    %eax,%eax
                  752bc2:       c3                      retq   
                  752bc3:       66 66 66 66 2e 0f 1f    data32 data32 data32 nopw %cs:0x0(%rax,%rax,1)
                  752bca:       84 00 00 00 00 00
                ...

                In all likelihood the "osMemState*" functions have a body that is protected by an #ifdef DEBUG of some kind, and for release builds a "return 0" statement is substituted. This may explain the unused argument arg1.
                So there is no "osUploadPasswordHashes"?

                Dang it.


                Even if it fills those spots of memory with jumps or something like that, it would be fairly easy to trace it at runtime.
                I bet many did already, so we would know if it were the case.

                But really, the first couple of posts in this forum thread were shortsighted...
                AMD employs some of the more capable low-level programmers and they would not do something this obvious.

                PS: I sincerely thought this was obvious.



                • #53
                  Originally posted by MWisBest
                  Michael, you can't honestly tell me that had this been for Nvidia you wouldn't have waited for a response from them before opening your mouth. If you want AMD to send you shit, show you can be an objective and unbiased person...
                  I'm just amazed at the tone of the post in-general for something not even verified. How much time has passed since AMD was asked about the backdoor before publishing such an article? I'm also wondering why the article wasn't updated yet with: https://twitter.com/grahamsellers/st...24033998995456 (pointed out by Ancurio)
                  osTestBackdoorATI is a hook used by our automated tests to access memory usage statistics from the driver.
                  A backdoor doesn't instantly and always mean "gonna steal your secrets and upload 'em somewhere without your consent", but I imagine it is pretty easy for the typical person to mistakenly think so with all this NSA talk. In that case, it reads memory usage statistics from the driver. Not even remotely related to the former...



                  • #54
                    Originally posted by Espionage724
                    I'm just amazed at the tone of the post in-general for something not even verified. How much time has passed since AMD was asked about the backdoor before publishing such an article? I'm also wondering why the article wasn't updated yet with: https://twitter.com/grahamsellers/st...24033998995456 (pointed out by Ancurio)


                    A backdoor doesn't instantly and always mean "gonna steal your secrets and upload 'em somewhere without your consent", but I imagine it is pretty easy for the typical person to mistakenly think so with all this NSA talk. In that case, it reads memory usage statistics from the driver. Not even remotely related to the former...
                    Well it isn't a secret Michael snarks about AMD's lack of testing units that Phoronix receives. It does give the illusion of favoritism. I mean, not like all the PTS are completely optimized to the way an 8350 can run, but still a #!@#! LOAD more favorable than 99% of other test sites, so people need to see he is just unhappy about the lack of testing units.

                    With all the NSA stuff that does come out... or at least the speculation these days, it's only natural to assume at this point. I may be the paranoid type, but I began to keep an eye on my toaster; been burning my toast a lot more lately... Actually the one thing I find funny is how many people who freely display half their life (or more) on social media even care about being cataloged.



                    • #55
                      Originally posted by nightmarex
                      With all the NSA stuff that does come out... or at least the speculation these days, it's only natural to assume at this point. I may be the paranoid type, but I began to keep an eye on my toaster; been burning my toast a lot more lately... Actually the one thing I find funny is how many people who freely display half their life (or more) on social media even care about being cataloged.
                      Why the hell would the NSA pay AMD for a backdoor in a minority of systems when they could just write a patch for gcc that gives them a backdoor in everything compiled with it?



                      • #56
                        Maybe because you are going to have a hard time sticking a backdoor in a collaborative foss project. Someone will catch and call you out for that bullshit.



                        • #57
                          There really IS a choice on gov't cooperation

                          Originally posted by blacqwolf
                          And now, for those who prefer a less sensationalist news source...

                          Note how you haven't seen such outrageous claims by known and reputable sources. I don't doubt MS has a lot of cooperation with government agencies, and like any sane person I'm not going to justify that, but to be fair it's not like they have much of a choice. Look at what happened to Lavabit and others.
                          When there is a non-economic reason to care, you really DO have a choice about cooperating or not with extortion and thuggery by government agencies like the NSA. Lavabit did the right thing by shutting down, blowing the whistle, and taking the associated risks. Had the founder left the United Snakes for additional security, he would have been free from fear of prosecution. People who defy grand juries and three-letter agencies are heroes, exercising choice at personal risk to protect the rest of us.

                          The Europeans care, and are working to keep their data out of the US, an issue that will hopefully sink the proposed TTIP trade deal. They have a choice and are exercising it.

                          Even Microsoft has a choice. They could make dark insinuations about how surely China et al. have spies inside the company and how any backdoor given to the NSA could leak to China, they could threaten to sit on security updates entirely, they could threaten to pack up and leave the U$. Of course, we know Microsoft, like Intel, is one of those corporations that are so big that it can be argued that they are the master and the US government itself is the servant. That means the relationship between the NSA and Microsoft is like the relationship between myself and an activist computer center asking me to conduct a forensic examination of all computers used by a suspected snitch.



                          • #58
                            Originally posted by yogi_berra
                            Why the hell would the NSA pay AMD for a backdoor in a minority of systems when they could just write a patch for gcc that gives them a backdoor in everything compiled with it?
                            Two things, firstly, who says they pay for backdoors? I thought it was all draconian strong arm tactics.

                            Second, I have no idea why they bother to begin with. Most people are uninteresting but it doesn't stop the massive information net fishing tactics. Seems like a serious waste of funds if you ask me.



                            • #59
                              Originally posted by zanny
                              Maybe because you are going to have a hard time sticking a backdoor in a collaborative foss project. Someone will catch and call you out for that bullshit.
                              Is that why Debian didn't distribute a predictable RNG for two years?

