Security

Intel chip flaw: Math unit may spill crypto secrets from apps to malware

Nasties on Cores, Xeons may lift computations, mitigations in place or coming


Updated A security flaw within Intel Core and Xeon processors can be potentially exploited to swipe sensitive data from the chips' math processing units.

Malware or malicious logged-in users can attempt to leverage this design blunder to steal the inputs and results of computations performed in private by other software.

These numbers, held in FPU registers, could potentially be used to discern parts of cryptographic keys being used to secure data in the system. For example, Intel's AES encryption and decryption instructions use FPU registers to hold keys.

In short, the security hole could be used to extract or guess at secret encryption keys within other programs, in certain circumstances, according to people familiar with the engineering mishap.

Modern versions of Linux – from kernel version 4.9, released in 2016, and later – as well as the latest spins of OpenBSD and DragonflyBSD are not affected by this flaw (CVE-2018-3665).

Windows Server 2008 is among the operating systems that will need to be patched, we understand, and fixes for affected Microsoft and non-Microsoft kernels are on their way. The Linux kernel team is back-porting mitigations to pre-4.9 kernels.

Essentially, hold tight, and wait for patches to land for your Intel-powered machines, if they are vulnerable. CVE-2018-3665 isn't the end of the world: malicious software has to be already running on your system to attempt to exploit it, and even then, it can only lift out crumbs at a time.

It is yet another complex, speculative-execution-related processor design flaw that is fascinating for industry watchers, an annoyance for some kernel programmers, and another thing for sysadmins and folks to patch for. There are worse bugs, a whole lot worse, in your word processor, PDF reader, or web browser, probably.

The brown exploit jumps over the lazy coprocessor

The security shortcoming involves what's known as lazy FPU state restore. Operating system kernels would only save and restore the floating-point unit (FPU) registers, and other context information, when programs were actually using the math unit.

This, it turned out today, through a security gaffe in Intel's blueprints related to Spectre-Meltdown Variant 3A, allows a program to obtain scraps of the FPU context of another app. Variant 3A allows applications to read system registers that only privileged code should be allowed to peek at.

The fix is to employ a mechanism called eager FPU state restore. These mitigations do not carry a performance hit – in fact, eager state switching can increase performance.

Intel is due to release an advisory with more details after 2pm PT (2100 UTC). It had planned to go live on June 27, however disclosure was brought forward to today after the OpenBSD and DragonflyBSD projects earlier this week published their patches to mitigate this issue – thus forcing the situation onto the world stage. The BSD teams went ahead after Intel declined to work with them under embargo and instead stuck to larger operating system vendors and makers.

A spokesperson for the American semiconductor giant told The Register today that it was alerted to the flaw by various researchers working independently, including one at Amazon:

This issue, known as Lazy FP state restore, is similar to Variant 3a. It has already been addressed for many years by operating system and hypervisor software used in many client and data center products. Our industry partners are working on software updates to address this issue for the remaining impacted environments and we expect these updates to be available in the coming weeks.

We continue to believe in coordinated disclosure and we are thankful to Julian Stecklina from Amazon Germany, Thomas Prescher from Cyberus Technology GmbH, Zdenek Sojka from SYSGO AG, and Colin Percival for reporting this issue to us. We strongly encourage others in the industry to adhere to coordinated disclosure as well.

Intel considers the threat to be moderate. Google told us its systems are secured against this lazy FPU state restore cockup. Spokespeople for Amazon and Microsoft were not available for comment. ®

Updated to add

Red Hat has more technical details, here. RHEL 5, 6, and 7, and Enterprise MRG 2 not running kernel-alt are vulnerable. In a statement to The Register, the Linux vendor clarified that this a potential task-to-task theft of information:

Red Hat has been made aware of an issue where operating systems and virtual machines running on common modern (x86) microprocessors may elect to use “lazy restore” for floating point state when context switching between application processes instead of “eagerly” saving and restoring this state.

Exploitation of lazy floating point restore could allow an attacker to obtain information about the activity of other applications, including encryption operations. The underlying vulnerability affects CPU speculative execution similar to other recent side channel vulnerabilities.

In this latest vulnerability, one process is able to read the floating point registers of other processes being lazily restored. Red Hat’s mitigations are in various stages of availability via software (kernel) patches and configuration changes as described below.

Mitigations will not require microcode updates. In most cases, Red Hat Enterprise Linux 7 customers will not need to take action, while other users may need to apply software updates.

Amazon Web Services said it is protected. Intel's advisory is also now live, here.

"System software may opt to utilize Lazy FP state restore instead of eager save and restore of the state upon a context switch," the x86 goliath explained.

"Lazy restored states are potentially vulnerable to exploits where one process may infer register values of other processes through a speculative execution side channel that infers their value."

There is, right now, no known exploit code circulating in the wild targeting this security vulnerability, we're told. One of the research outfits named above, Cyberus, has an advisory and background, here.

Final update

It was believed modern Microsoft Windows releases were immune to this bug: they are not, so get patching.

Additional reporting by Shaun Nichols.

Send us news
67 Comments

Facebook and Singapore teams looking for ways to get data centres relaxing in moist tropical climes

Heat and humidity are horrible, and your server can’t quaff a cocktail to cool off

Singapore’s two major universities — Nanyang Technological University (NTU) and the National University of Singapore (NUS) — have announced they are establishing a US$17.2M research program to develop data centre cooling tech that works in tropical environments.

“The new Sustainable Tropical Data Centre Testbed (STDCT) — the first of its kind in the tropics — will serve as an innovation hub for academia and industry to work together to future-proof the region’s data centre industry,” said NUS in their canned statement.

The program is primarily funded by National Research Foundation Singapore (NRF) and Facebook, which has made Singapore its Asian home. Singapore’s Infocomm Media Development Authority (IMDA) is supporting the university research, and additional industry partners include Ascenix Pte Ltd, CoolestDC Pte Ltd, Keppel Data Centres, New Media Express Pte Ltd, and Red Dot Analytics Pte Ltd.

Continue reading

Dem, Repub senators propose tax credits for factories that churn out chips on US soil

It'll be absolutely FABS-ulous, Wyden and Crapo promise

US senators introduced a law bill on Thursday offering semiconductor manufacturers tax credits to encourage them to build more fabrication plants on American soil as well as specialized equipment for chips.

The bipartisan Facilitating American-Built Semiconductors (FABS) Act [PDF] was backed by Senate Finance Committee Chair Ron Wyden (D-OR), and Ranking Member Mike Crapo (R-ID). It’s the latest piece of legislation proposed by Congress aimed at incentivizing the production of semiconductors in the United States as the world grapples with a global shortage of electronics components and materials to build everything from cars to video game consoles.

The FABS Act could help bolster US supply chains, meaning businesses would have to rely less on foreign manufacturers, particularly those across East Asia, and be able to more easily secure the kit they need. Chip production in America has fallen from 37 per cent of global output to 12 per cent over the past two decades as companies manufacture parts abroad because it's cheaper, according to the pair of senators.

Continue reading

Google dishes out homemade SLSA, a recipe to thwart software supply-chain attacks

Try it with phish'n'chips

Google has proposed a framework called SLSA for dealing with supply chain attacks, a security risk exemplified by the recent compromise of the SolarWinds Orion IT monitoring platform.

SLSA – short for Supply chain Levels for Software Artifacts and pronounced "salsa" for those inclined to add convenience vowels – aspires to provide security guidance and programmatic assurance to help defend the software build and deployment process.

"The goal of SLSA is to improve the state of the industry, particularly open source, to defend against the most pressing integrity threats," said Kim Lewandowski, Google product manager, and Mark Lodato, Google software engineer, in a blog post on Wednesday. "With SLSA, consumers can make informed choices about the security posture of the software they consume."

Continue reading

FYI: There's a human-less, AI robot Mayflower ship sailing from the UK to US right now

Follow this Plymouth to Plymouth trip online

A 15-metre-long autonomous human-free ship has begun a 3,000-odd-mile trip from the UK to the US to recreate the historic Mayflower voyage of 1620.

The Mayflower Autonomous Ship (MAS), named after the 17th century vessel that took more than 100 passengers from England to the present day's Massachusetts in America, set sail this week. It was launched from the seaside town Plymouth on Tuesday at 0400 UTC, and if all goes to plan, it’ll reach its American counterpart, the coastal city of Plymouth, MA, in a few weeks.

Built by Promare, a maritime non-profit, with technical support from IBM, the Mayflower has been testing its sailing and navigation skills since September last year to prepare for this trip. It uses radar to detect objects within 2.5 nautical miles, and a suite of cameras connected to an object-recognition system. This machine-learning software has been trained to identify cargo ships, fishing vessels, and floating shipping containers.

Continue reading

TITAN crypto-token does the opposite of zero to $60: Value plummets in hours

And did a code bug throw a spanner in the works for IRON investors?

A cryptocurrency token called TITAN collapsed on Wednesday, going from about $60 apiece to near zero in a matter of hours. The sales frenzy, attributed to a sell-off driven by whales – people who hold large amounts of a cryptocurrency in this context – also destabilized a so-called stablecoin known as IRON.

A stablecoin is pegged to a reserve asset like the dollar, the idea being there's less volatility when investors know they can redeem their fanciful crypto credits for paper depicting dead presidents or some other thing likely to retain value.

IRON, however, proved to be anything but stable because it is only partially collateralized (about 75 per cent) by the US dollar. The remainder of its value came from TITAN tokens, and when the TITAN price collapsed, IRON took a hit too. Among those caught up in the crypto run was tech moneybags Mark Cuban.

Continue reading

Ex-Brave staffer launches GDPR sueball in Germany over tech giants' real-time bidding for ad inventory

Privacy browser's former chief policy officer calls web advertising ecosystem 'the Biggest. Data. Breach. Ever'

Former Brave chief policy officer Johnny Ryan is continuing his crusade against the online advertising industry by filing a lawsuit against Google, Facebook, Amazon, Twitter, and US telco AT&T in Germany.

Ryan's latest campaign organisation, the Irish Council for Civil Liberties (ICCL), said in a statement that online advertising amounts to "the Biggest. Data. Breach. Ever" and accusing internet adland of compiling "secret dossiers" on every single netizen.

"These secret dossiers about you – based on what you think is private – could prompt an algorithm to remove you from the shortlist for your dream job," said Ryan. "A retailer might use the data to single you out for a higher price online. A political group might micro target you with personalised disinformation."

Continue reading

Roger Waters tells Facebook CEO to Zuck off after 'huge' song rights request

Ex-Pink Floyd uber-grouch calls social media mandroid 'one of the most powerful idiots in the world'

Grouchy former Pink Floyd bassist/vocalist Roger Waters launched an expletive-laden attack on human-impersonating Facebook CEObot Mark Zuckerberg after receiving a request from Instagram to use one of his songs in a promotional film.

Speaking at an event in New York to advocate for the release of Julian Assange, Waters held up a printed piece of paper he said he received "on the internet this morning", which included a request to use the Pink Floyd song 'Another Brick In The Wall (Part 2)' in exchange for what Waters described as "a huge, huge amount of money."

Continue reading

Chrome 'Conformance' for JavaScript frameworks says: If you don't follow our rules, your project won't build

Google knows best

Google's Chrome team has introduced projects to assist framework authors with what it considers best practice, starting mainly with the React-based Next.js.

A team of six people (apparently known internally as WebSDK) who work on Chrome introduced what it called project Aurora earlier this week, described as a "collaboration with framework authors." The post talks up the benefits of "strong defaults and opinionated tooling," based on experience with Google applications such as Search and Maps.

Aurora, said Google, will identify weak spots in web frameworks, specifically those that cause "user experience pain," and then fix them in a manner adaptable to other web frameworks as well. All the frameworks mentioned are JavaScript or TypeScript (which compiles to JavaScript), as you would expect from a browser team.

Continue reading

Your spacesuit ran into a problem and needs to restart

ISS solar array installation overran after a good old 'off and on again'

There are two things a spacewalker doesn't want to hear: "Can you turn it off and turn it on again?" and "What's that hissing sound?"

The IT solution of the ancients reached orbit yesterday as one of a pair of astronauts tasked with fitting a new solar array to the International Space Station (ISS) had to make his way back to the airlock in order to restart his spacesuit.

NASA astronaut Shane Kimbrough was not in any great danger during what the US space agency delicately called an "issue" with his spacesuit's display and control module (designed to provide a spacewalker with information on the status of the suit). Controllers also noted a spike in the pressure reading for his sublimator (used to keep things cool) and so sent the astronaut back to the airlock to perform a restart.

Continue reading

Space Force turtle expert uncovers $1.2m Cape Canaveral cocaine haul

30kg stash lost overboard by smugglers enough to get anyone out of their shell

A member of the newly inaugurated US Space Force discovered more than she bargained for as she conducted a survey of turtle nests on the coast around Cape Canaveral last month.

Angy Chambers, a civil engineer and wildlife manager with the 45th Civil Engineer Squadron, was forced to suspend her check on testudinal housing conditions when she noticed that packages containing $1.2m worth of cocaine had washed up on the beach.

Chambers contacted the 45th Security Forces Squadron – another component element of Space Launch Delta 45, the new Space Force unit in charge of Cape Canaveral – to ask them to secure the haul.

Continue reading

Graph DB slinger Neo4j secures $325m round of funding for $2bn valuation

Also touts sharded graph application running on 1,000 servers

Neo4j has secured another $325m in a funding round and said it was ready to demo a distributed graph database with a trillion relationships, sharded across 1,000 servers, returning queries in a matter of milliseconds.

New investors DTCP – formerly Deutsche Telekom Capital Partners – and Lightrock join existing investors One Peak Partners, Creandum, and Greenbridge Partners.

The latest injection of funds – which is said to value Neo4j at $2bn – adds to earlier rounds including $10.6m in 2011, $11m in 2012, $20m in 2015, $36m in 2016, and $80m in 2018.

Continue reading