AMD misses a trick in security battle

AMD could have been making it known that it was ahead of the game on buffer-overflow protection all year but it has instead opted not to - why?
Written by David Berlind

In response to my recommendation to cancel all non-AMD system buys, many people have been asking what changed recently that caused me to reach this conclusion.

Answer: Nothing.

As the release of SP2 drew closer, and I interviewed several Microsoft officials about the update, the interviewees spoke of a buffer-overflow countermeasure in SP2 as though it were one of SP2's most important security features.

When I started to explore the countermeasure in detail earlier this month, one of the first of Microsoft's Web pages describing SP2 that I happened to find said, "Microsoft is working with microprocessor companies to help Windows support hardware-enforced data execution prevention (DEP) on microprocessors that contain the feature. Data execution prevention uses the CPU to mark all memory locations in an application as non-executable, unless the location explicitly contains executable code. This way, when an attacking worm or virus inserts program code into a portion of memory marked for data only, an application or Windows component will not run it."

The page lacked the additional information that Windows XP users needed to determine whether or not their systems supported DEP. Noting the omission, I assumed that both Intel and AMD were already supporting the feature and that, to finish off my coverage of SP2, I only needed to figure out what the manufacturing cut-off dates were in terms of systems that didn't support DEP versus those that did. But a search of the Web turned up a recent story in The Register that alerted me to the fact that support for DEP wasn't yet available in Intel's Nocona Xeon processors. Within a few hours, I learned that AMD has been shipping processors with DEP support for over a year, while Intel -- except for Itanium -- wouldn't be shipping its DEP-supporting "XD" processors until Q4 2004. "XD" is Intel parlance for DEP and stands for "execute disable".
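The missing detail is a single CPUID bit. As an added example (not code from the column or from any vendor), this C program decodes the hardware DEP feature that AMD calls EVP and Intel calls XD from CPUID leaf 0x80000001, EDX bit 20 (NX), together with the 64-bit long-mode bit (29) from the same register, and then queries the running CPU through GCC/Clang's `cpuid.h`; on non-x86 builds the live query reports that CPUID is unavailable.

```c
/* Added example, not from the column: decode the hardware DEP bit that AMD calls
 * EVP and Intel calls XD: CPUID leaf 0x80000001, EDX bit 20 (NX); bit 29 is LM. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>   /* GCC/Clang wrapper around the CPUID instruction */
#endif
struct dep_info {
    int nx_supported;       /* 1 if pages can be marked non-executable */
    int long_mode;          /* 1 if the CPU implements 64-bit long mode */
    const char *marketing;  /* the vendor's name for the feature */
};
/* Pure decoder over a vendor string and the raw EDX of leaf 0x80000001, so it
 * can be exercised on constructed register values without real hardware. */
struct dep_info decode_dep(const char *vendor, uint32_t edx_ext1)
{
    struct dep_info info;
    info.nx_supported = (int)((edx_ext1 >> 20) & 1u);
    info.long_mode    = (int)((edx_ext1 >> 29) & 1u);
    if (!info.nx_supported)                       info.marketing = "none";
    else if (strcmp(vendor, "AuthenticAMD") == 0) info.marketing = "EVP (NX)";
    else if (strcmp(vendor, "GenuineIntel") == 0) info.marketing = "XD";
    else                                          info.marketing = "NX";
    return info;
}

/* Query the running CPU; returns 0 off x86 or when the extended leaf is absent. */
int query_dep(struct dep_info *out)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    char vendor[13] = {0};   /* vendor string is EBX, EDX, ECX of leaf 0 */
    if (!__get_cpuid(0, &eax, &ebx, &ecx, &edx)) return 0;
    memcpy(vendor, &ebx, 4); memcpy(vendor + 4, &edx, 4); memcpy(vendor + 8, &ecx, 4);
    if (!__get_cpuid(0x80000001u, &eax, &ebx, &ecx, &edx)) return 0;
    *out = decode_dep(vendor, edx);
    return 1;
#else
    (void)out; return 0;
#endif
}
int main(void)
{
    struct dep_info info;
    if (!query_dep(&info)) { puts("no CPUID on this platform"); return 1; }
    printf("hardware DEP: %s (%s); 64-bit: %s\n", info.nx_supported ? "yes" : "no",
           info.marketing, info.long_mode ? "yes" : "no");
    return 0;
}
```

A "yes" here only means the processor can enforce DEP; the operating system still has to turn it on, which is what SP2 added for Windows XP.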

None of this, however, is really last week's news. Had I learned of the disparity earlier, or spotted a story by News.com's John Spooner in February 2004 about SP2's support for hardware-enforced buffer-overflow protection, I would most certainly have issued my recommendation back then. In other words, AMD's competitive advantage on the security front didn't start last week. Technically, it started when buyers first had the opportunity to buy DEP-capable systems in 2003. But it wasn't until February that users of XP should have learned of the significance of the feature (SP2's forthcoming support of it).

Bottom line? If you purchased a computer since February that doesn't support DEP (for example, any non-Itanium Intel-based PC), you've purchased a computer that is unable to take advantage of this important security feature. From a security perspective, it could be argued that you purchased an obsolete system.

So, who is to blame? Certainly not Intel. Yes, Intel has been caught with its pants down for the second time this year. (The first time was its acknowledgement of AMD's 32/64 hybrid plan in the form of a copycat product known as Nocona). But, since February, many of us have been happily buying Intel-based PCs not knowing that we'd be in for a surprise come August when SP2 finally shipped. We could have purchased Athlon 64, Sempron, or Opteron-based systems (collectively known as AMD64-based systems) with their Enhanced Virus Protection (EVP) technology (AMD's pet name for the same thing Microsoft calls "DEP" and that Intel calls "XD"). But according to Mercury Research, only 15 percent of system purchases contain AMD processors. Of those who did purchase AMD systems, I doubt any based their decision on the presence of EVP.


AMD blew it. Microsoft could have chimed in as well, alerting its customers to the types of systems we'd need in order to take full advantage of the security features in SP2, but it didn't. (During a recent ZDNet audiocast interview, Microsoft Security Business Technology Unit vice president Rich Kaplan couldn't even tell me what processors to look for.)

But AMD had the most to lose. At a time when Intel was already reeling from the Nocona "admission", AMD had a golden opportunity to compound the success that it's starting to see in the market. With security at the top of all of our minds, the company could have, starting in February, claimed that if we bought anything but AMD systems, we'd be committing our budgets to obsolete systems. But it didn't. AMD ran no big ads alerting buyers to the mistake we might be making, and issued no warnings to the press. Sure, many such communications from vendors are pure propaganda. But, in this case, there would have been an element of truth to AMD's claims -- if it had ever claimed them. It didn't. AMD's division marketing manager Bahr Mahony disagreed with me, saying "We have been promoting this capability since the introduction of the Athlon 64 processors in September 2003. We've been promoting across OEMs and retailers and promoting the capability through our own promotional efforts."

Even if it did promote the capability, promoting the capability and competing on the capability are very different things. On 25 February, 2004, the same day News.com's story was published, AMD did issue a press release with the heading "AMD and Microsoft to Provide Customers with New Security Technology". But it drew no attention to Intel's lack of a similar feature. If mentioning Intel is off-limits in its press releases, AMD could have at the very least said something like "AMD is the only microprocessor company to offer this feature." But it didn't. The most newsworthy aspect of AMD's collaboration with Microsoft went unnoticed.

Apparently thinking the world needed a reminder, AMD on 9 August issued another press release under the heading "AMD Fortifies PC Security For Business and Consumers." But, even with three or four months still to go before DEP-supporting Intel boxes hit the streets, AMD once again missed an opportunity to distinguish its offerings from what else is available today. This time, we reported on Intel's shortcoming, saying "Although AMD's larger rival is expected to add similar features to its chips later this year, those chips will take some time to work their way into the market. EVP can be switched on in existing AMD64 processor systems, which have been shipping for about a year, just as soon as Microsoft's SP2 is installed."

A review of the reader comments area below my initial blog entry on this issue reveals a host of conspiracy theories regarding why I would have made such a pro-AMD recommendation. "Methinks I smell a rat," said one reader. "You must own a lot of AMD stock," said another. I do not own any AMD stock, and I'm certainly not here to fight the battles of AMD or any other vendor. The only one that can do that is AMD. But apparently, its competitive advantage department is still asleep at the wheel. Advantage, Intel.
