Shulou(Shulou.com)06/01 Report--

This article shows you what the Lazy FPU Save/Restore loophole refers to. It is concise and easy to understand. It will definitely brighten your eyes. I hope you can gain something through the detailed introduction of this article.

0x00 vulnerability background

On June 14, 2018, Intel officially revealed that there is a vulnerability in the delayed storage of floating-point register state in the processor, which can be used to disclose the floating-point register status of another process in combination with speculative execution and side channel attacks, which may cause sensitive information disclosure. The vulnerability number is: CVE-2018-3665.

After evaluation, the 360-CERT team believes that the vulnerability risk level is high, and users are advised to refer to the relevant mitigation measures for defense.

0x01 vulnerability description

Modern processors can choose to postpone saving and restoring the context state of some CPU during process switching to improve system performance.

FPU is a floating-point unit, which can be used for high-precision floating-point operations, because not all applications use FPU, so take advantage of the deferred save / restore feature, if the newly scheduled process does not use FP instructions, there is no need to switch the FPU context state, so as to reduce the execution cycle and improve performance. When a new process uses the FP instruction, a "device unavailable (DNA)" exception is triggered, and the FPU context state is switched through exception handling.

With this feature, it is possible to speculate that execution and side channel attacks read values in the floating-point register cache of the process before triggering a DNA exception.

SSE,AVX,MMX also has this feature, and AES's encryption keys are usually stored in SSE registers, which may enable attackers to steal more valid information.

0x02 affects products

Intel Core-basedmicroprocessors

0x03 patching scheme

For Linux, system developers can start the kernel through the eagerfpu=on parameter and use the Eager FP recovery model instead of the Lazy FP recovery model. Under the Eager FP recovery model, the FPU context state is saved and restored regardless of whether the current process uses FPU or not.

For Windows, Lazy restore is enabled by default on Windows and cannot be disabled. You need the latest patch from Microsoft.

The above is what the Lazy FPU Save/Restore vulnerability refers to. Have you learned any knowledge or skills? If you want to learn more skills or enrich your knowledge reserve, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.