An unusual partnership between Google and AMD may offer a blueprint for how the tech industry can better tackle processor security risks before they spiral out of control. The only problem? The setup requires an equally rare level of trust, which may be hard for other companies to replicate.
On Tuesday, Google Cloud is releasing a detailed audit of AMD’s confidential computing tech, the result of a collaboration between Google’s Project Zero bug-hunting group, two teams within Google Cloud Security, and AMD’s firmware group. The audit follows years of Google Cloud putting increasing emphasis on its offerings for Confidential Computing—a suite of capabilities that keep customers’ data encrypted at all times, even during processing. The stakes are high, as customers increasingly depend on the privacy and security protections conferred by these services and the physical infrastructure underlying them, which is built on special secure processors from AMD. An exploitable vulnerability in Confidential Computing could be disastrous.
Flaws in how processors are designed and implemented pose massive risks, turning widely used chips into single points of failure in the computers, servers, and other devices in which they’re installed. Vulnerabilities in specialized security chips have particularly dire potential ramifications because these processors are designed to be immutable and provide a “root of trust” that all the other components of a system can rely on. If hackers can exploit a flaw in security chips, they can poison a system at that root and potentially gain undetectable control. So AMD and Google Cloud have developed an unusually close-knit partnership over more than five years to collaborate on auditing the Epyc processors used in Google Cloud’s sensitive infrastructure and attempting to plug as many holes as possible.
“When we find something and know that the safety is getting better, that’s the best,” says Nelly Porter, group product manager of Google Cloud. “It’s not pointing fingers, it’s combined effort to fix things. Adversaries have unbelievable capability, and their innovation is growing, so we need not only to catch up but to get ahead of them.”
Porter says the partnership with AMD is unusual because the two companies have been able to build up enough trust that the chipmaker is willing to let Google’s teams analyze closely guarded source code. Brent Hollingsworth, AMD’s director of the Epyc software ecosystem, points out that the relationship also creates space for pushing the boundaries on what types of attacks researchers are able to test. For example, in this audit, Google security researchers used specialized hardware to mount physical attacks against AMD technology, an important and valuable exercise that other chipmakers are increasingly focusing on as well, but one that goes beyond the traditional security guarantees chipmakers offer.
“Anybody who’s written software, anybody who’s created hardware, knows that it’s impossible to be perfect,” Hollingsworth says. “Over the years that we’ve been working together with Google, we’ve been providing them as much access as we possibly can and thinking about the problem from two different sides. And somewhere in the middle of that push and pull, we end up finding things that benefit everyone.”
The audit specifically delved into the defenses of the AMD Secure Processor (ASP) and the firmware of the AMD technology known as “SEV-SNP,” or Secure Encrypted Virtualization-Secure Nested Paging. SEV-SNP underlies Google Cloud’s Confidential Virtual Machines, a premium offering within Google Cloud’s general product that segments and encrypts a customer’s systems and manages the encryption keys to box out Google Cloud such that the company can’t access the customer’s data.
The two companies haven’t said specifically how many vulnerabilities were found and addressed through the recent audit, but the report outlines multiple specific findings, attack scenarios, and general areas for improvement. AMD says it has released firmware fixes for all the issues discovered through the audit, and Google Cloud says it has applied all of these patches and mitigations.
Both Google Cloud’s Porter and AMD’s Hollingsworth emphasize, though, that the true value of the partnership is in the repeated collaboration and review over time. The goal is that the findings will safeguard Google Cloud, but also improve security across the industry, and that the partnership can perhaps be a model for increased transparency between chipmakers and customers in general. As organizations increasingly rely on cloud providers to deliver most or all of their infrastructure, there are major security gains, but always the lurking fear that something could go wrong.
“You need to assume breach; you need to assume that things might happen,” Porter says. “And that’s why I think it’s so critical to have all the bugs fixed, but also to be talking very openly about this continuously. It’s not something we’re doing once and it’s finished. It’s ongoing.”