
Intel chip flaw: Math unit may spill crypto secrets from apps to malware

Nasties on Cores, Xeons may lift computations, mitigations in place or coming


Updated: A security flaw within Intel Core and Xeon processors can potentially be exploited to swipe sensitive data from the chips' math processing units.

Malware or malicious logged-in users can attempt to leverage this design blunder to steal the inputs and results of computations performed in private by other software.

These numbers, held in FPU registers, could potentially be used to discern parts of cryptographic keys being used to secure data in the system. For example, Intel's AES encryption and decryption instructions use FPU registers to hold keys.

In short, the security hole could be used to extract or guess at secret encryption keys within other programs, in certain circumstances, according to people familiar with the engineering mishap.

Modern versions of Linux – from kernel version 4.9, released in 2016, and later – as well as the latest spins of OpenBSD and DragonflyBSD are not affected by this flaw (CVE-2018-3665).

Windows Server 2008 is among the operating systems that will need to be patched, we understand, and fixes for affected Microsoft and non-Microsoft kernels are on their way. The Linux kernel team is back-porting mitigations to pre-4.9 kernels.

Essentially, hold tight, and wait for patches to land for your Intel-powered machines, if they are vulnerable. CVE-2018-3665 isn't the end of the world: malicious software has to be already running on your system to attempt to exploit it, and even then, it can only lift out crumbs at a time.

It is yet another complex, speculative-execution-related processor design flaw that is fascinating for industry watchers, an annoyance for some kernel programmers, and another thing for sysadmins and folks to patch. There are worse bugs, a whole lot worse, in your word processor, PDF reader, or web browser, probably.

The brown exploit jumps over the lazy coprocessor

The security shortcoming involves what's known as lazy FPU state restore. Operating system kernels would only save and restore the floating-point unit (FPU) registers, and other context information, when programs were actually using the math unit.

This, it turned out today, through a security gaffe in Intel's blueprints related to Spectre-Meltdown Variant 3A, allows a program to obtain scraps of the FPU context of another app. Variant 3A allows applications to read system registers that only privileged code should be allowed to peek at.

The fix is to employ a mechanism called eager FPU state restore. These mitigations do not carry a performance hit – in fact, eager state switching can increase performance.
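
The bookkeeping behind the two strategies, as a simplified C model added here for illustration (not kernel code and not from the original article): the `cpu` and `task` structures and all function names are hypothetical, and `ts` stands in for the CR0.TS flag that makes the next FPU instruction trap. It models only whose values physically sit in the registers after a context switch, not the speculative side channel itself.

```c
#include <stdint.h>
#include <string.h>
#define NREGS 8

/* Simplified model: one physical register file, one save area per task. */
struct task { int id; uint64_t saved[NREGS]; };
struct cpu {
    uint64_t regs[NREGS];   /* physical FPU/SIMD registers */
    struct task *fpu_owner; /* task whose values are physically loaded */
    struct task *current;   /* task now running */
    int ts;                 /* models CR0.TS: next FPU use traps (#NM) */
};

/* Save the loaded task's registers, then load t's saved state. */
void fpu_load(struct cpu *c, struct task *t) {
    if (c->fpu_owner)
        memcpy(c->fpu_owner->saved, c->regs, sizeof c->regs);
    memcpy(c->regs, t->saved, sizeof c->regs);
    c->fpu_owner = t;
    c->ts = 0;
}

/* Lazy: defer the save/restore and only arm the trap. */
void switch_lazy(struct cpu *c, struct task *next) {
    c->current = next;
    c->ts = (c->fpu_owner != next);
}

/* Eager: swap FPU state at every context switch. */
void switch_eager(struct cpu *c, struct task *next) {
    c->current = next;
    fpu_load(c, next);
}

/* #NM handler model: the deferred swap, run on the new task's first FPU use. */
void fpu_trap(struct cpu *c) { fpu_load(c, c->current); }

/* Nonzero while the registers still physically hold another task's values. */
int foreign_state_resident(const struct cpu *c) { return c->fpu_owner && c->fpu_owner != c->current; }

/* Scenario: A loads a value, kernel switches to B; 1 if A's value is still resident. */
int residue_after_switch(int eager) {
    struct task a = { 1, {0} }, b = { 2, {0} };
    struct cpu c = { {0}, &a, &a, 0 };
    c.regs[0] = 0x1122334455667788ULL;  /* constructed stand-in for A's data */
    if (eager) switch_eager(&c, &b); else switch_lazy(&c, &b);
    return foreign_state_resident(&c) && c.regs[0] == 0x1122334455667788ULL;
}

int main(void) { return !(residue_after_switch(0) == 1 && residue_after_switch(1) == 0); }
```

Under lazy switching the previous task's values stay resident until the trap fires, which is the window the speculative read described above falls into; eager switching leaves nothing of the previous task behind.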

Intel is due to release an advisory with more details after 2pm PT (2100 UTC). It had planned to go live on June 27; however, disclosure was brought forward to today after the OpenBSD and DragonflyBSD projects earlier this week published their patches to mitigate this issue – thus forcing the situation onto the world stage. The BSD teams went ahead after Intel declined to work with them under embargo and instead stuck to larger operating system vendors and makers.

A spokesperson for the American semiconductor giant told The Register today that it was alerted to the flaw by various researchers working independently, including one at Amazon:

This issue, known as Lazy FP state restore, is similar to Variant 3a. It has already been addressed for many years by operating system and hypervisor software used in many client and data center products. Our industry partners are working on software updates to address this issue for the remaining impacted environments and we expect these updates to be available in the coming weeks.

We continue to believe in coordinated disclosure and we are thankful to Julian Stecklina from Amazon Germany, Thomas Prescher from Cyberus Technology GmbH, Zdenek Sojka from SYSGO AG, and Colin Percival for reporting this issue to us. We strongly encourage others in the industry to adhere to coordinated disclosure as well.

Intel considers the threat to be moderate. Google told us its systems are secured against this lazy FPU state restore cockup. Spokespeople for Amazon and Microsoft were not available for comment. ®

Updated to add

Red Hat has published more technical details. RHEL 5, 6, and 7, and Enterprise MRG 2 not running kernel-alt are vulnerable. In a statement to The Register, the Linux vendor clarified that this is a potential task-to-task theft of information:

Red Hat has been made aware of an issue where operating systems and virtual machines running on common modern (x86) microprocessors may elect to use “lazy restore” for floating point state when context switching between application processes instead of “eagerly” saving and restoring this state.

Exploitation of lazy floating point restore could allow an attacker to obtain information about the activity of other applications, including encryption operations. The underlying vulnerability affects CPU speculative execution similar to other recent side channel vulnerabilities.

In this latest vulnerability, one process is able to read the floating point registers of other processes being lazily restored. Red Hat’s mitigations are in various stages of availability via software (kernel) patches and configuration changes as described below.

Mitigations will not require microcode updates. In most cases, Red Hat Enterprise Linux 7 customers will not need to take action, while other users may need to apply software updates.

Amazon Web Services said it is protected. Intel's advisory is also now live.

"System software may opt to utilize Lazy FP state restore instead of eager save and restore of the state upon a context switch," the x86 goliath explained.

"Lazy restored states are potentially vulnerable to exploits where one process may infer register values of other processes through a speculative execution side channel that infers their value."

There is, right now, no known exploit code circulating in the wild targeting this security vulnerability, we're told. One of the research outfits named above, Cyberus, has published an advisory and background.

Final update

It was believed modern Microsoft Windows releases were immune to this bug: they are not, so get patching.

Additional reporting by Shaun Nichols.
