Lazy FP state restore

Lazy FPU state leak (CVE-2018-3665), also referred to as Lazy FP State Restore[1] or LazyFP,[2][3] is a security vulnerability affecting Intel Core CPUs.[1][4] The vulnerability is caused by a combination of flaws in the speculative execution technology present within the affected CPUs[1] and how certain operating systems handle context switching on the floating point unit (FPU).[2] By exploiting this vulnerability, a local process can leak the content of the FPU registers that belong to another process. This vulnerability is related to the Spectre and Meltdown vulnerabilities that were publicly disclosed in January 2018.

It was announced by Intel on 13 June 2018, after being discovered by employees at Amazon, Cyberus Technology and SYSGO.[1][a]

Besides being used for floating point arithmetic, the FPU registers are also used for other purposes, including for storing cryptographic data when using the AES instruction set, present in many Intel CPUs.[3] This means that this vulnerability may allow for key material to be compromised.[3]

Mechanism

The floating point and SIMD registers are large, and not used by every task (or thread) in the system. To make context switching faster, most common microprocessors support lazy state switching. Rather than storing the full state during a context switch, the operating system can simply mark the FPU "not available" in the hopes that the switched-to task will not need it. If the operating system has guessed correctly, time is saved. If the guess is wrong, the first FPU or SIMD instruction will cause a trap to the operating system, which can then save the state to the previous task and load the correct state for the current task.

In out-of-order CPUs, the "FPU not available" condition is not detected immediately. (In fact, it almost cannot be detected immediately, as there may be multiple fault-causing instructions executing simultaneously and the processor must take the first fault encountered to preserve the illusion of in-order execution. The information about which is first is not available until the in-order retire stage.) The processor speculatively executes the instruction using the previous task's register contents, and some following instructions, and only later detects the FPU not available condition. Although all architectural state is reverted to the beginning of the faulting instruction, it is possible to use part of the FPU state as the address in a memory load, triggering a load into the processor's cache. Exploitation then follows the same pattern as all Spectre-family vulnerabilities: as the cache state is not architectural state (the cache only affects speed, not correctness), the cache load is not undone and the address, including part of the previous task's register state, can later be detected by measuring the time taken to access different memory addresses.

It is possible to exploit this bug without actually triggering any operating system traps. By placing the FPU access in the shadow of a forced branch misprediction (e.g. using a retpoline) the processor will still speculatively execute the code, but will rewind to the mispredicted branch and never actually execute the operating system trap. This allows the attack to be rapidly repeated, quickly reading out the entire FPU and SIMD register state.

Mitigation

It is possible to mitigate the vulnerability at the operating system and hypervisor levels by always restoring the FPU state when switching process contexts.[6] With such a fix, no firmware upgrade is required. Some operating systems already did not lazily restore the FPU registers by default, which protected them on affected hardware platforms even though the underlying hardware issue existed.[6] On Linux systems using kernel 3.7 or higher, it is possible to force the kernel to eagerly restore the FPU registers by using the eagerfpu=on kernel parameter.[3] Also, many system software vendors and projects, including Linux distributions,[7] OpenBSD,[8] and Xen[4] have released patches to address the vulnerability.
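The lazy switching described under Mechanism and the eager restore described here can be compared in a small model. This is an added example, not code from any operating system or from the cited sources: it tracks only the bookkeeping (no speculation or cache timing), and every name and value in it is hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NREGS 4                          /* toy size; real FPU/SIMD state is far larger */
struct task { uint64_t saved[NREGS]; };  /* per-task save area in memory */
struct cpu {
    uint64_t regs[NREGS];                /* physical register file */
    bool not_available;                  /* the "FPU not available" mark */
    struct task *owner, *current;        /* whose data is in regs / who is running */
    unsigned traps;                      /* "not available" traps taken */
};
static void save(struct cpu *c) { if (c->owner) memcpy(c->owner->saved, c->regs, sizeof c->regs); }
static void load(struct cpu *c, struct task *t) { memcpy(c->regs, t->saved, sizeof c->regs); c->owner = t; }

/* Lazy switch: registers are left untouched, only the trap is armed. */
void switch_lazy(struct cpu *c, struct task *next) {
    c->current = next;
    c->not_available = (c->owner != next);
}
/* Eager switch (the mitigation): always save outgoing, restore incoming. */
void switch_eager(struct cpu *c, struct task *next) {
    save(c); load(c, next);
    c->current = next; c->not_available = false;
}
/* Architectural FPU read: the trap handler performs the deferred switch. */
uint64_t fpu_read(struct cpu *c, int r) {
    if (c->not_available) { c->traps++; save(c); load(c, c->current); c->not_available = false; }
    return c->regs[r];
}
/* Constructed scenario: task A holds a value in register 0, then B is scheduled.
   Returns true if A's value is still physically in the registers while B runs. */
bool residue_after_switch(bool eager, uint64_t *b_reads, unsigned *traps) {
    struct task a = {{0}}, b = {{0xB0B}};          /* B's own saved state is 0xB0B */
    struct cpu c = {{0}, false, NULL, NULL, 0};
    load(&c, &a); c.current = &a;
    c.regs[0] = 0x5EC2E7;                          /* A's sensitive value (constructed) */
    if (eager) switch_eager(&c, &b); else switch_lazy(&c, &b);
    bool residue = c.owner != c.current && c.regs[0] == 0x5EC2E7;
    *b_reads = fpu_read(&c, 0);                    /* architecturally always B's data */
    *traps = c.traps;
    return residue;
}

int main(void) {
    uint64_t v; unsigned t;
    printf("residue: lazy=%d eager=%d\n", residue_after_switch(false, &v, &t), residue_after_switch(true, &v, &t));
    return 0;
}
```

In both modes task B architecturally reads only its own value; the difference is that under lazy switching A's data remains in the physical registers until B's first FPU access traps, which is the window the speculative read relies on.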

Notes

  1. ^ The OpenBSD project claims to have discovered the vulnerability independently.[5]

References

  1. ^ a b c d "Lazy FP state restore". Intel. 2018-06-13. Retrieved 2018-06-18.
  2. ^ a b Stecklina, Julian; Prescher, Thomas (2018-06-19). "LazyFP: Leaking FPU Register State using Microarchitectural Side-Channels". arXiv:1806.07480 [cs.OS].
  3. ^ a b c d Prescher, Thomas; Stecklina, Julian; Galowicz, Jacek. "Intel LazyFP vulnerability: Exploiting lazy FPU state switching". Cyberus Technology. Retrieved 2018-06-18.
  4. ^ a b "Xen Security Advisory CVE-2018-3665 / XSA-267, version 3". 2018-06-13. Retrieved 2018-06-18.
  5. ^ de Raadt, Theo (2018-06-14). "Inflamation by Bryan Cantrill". openbsd-tech (Mailing list). Retrieved 2018-06-18 – via marc.info.
  6. ^ a b "Lazy FPU Save/Restore (CVE-2018-3665)". Red Hat. 2018-06-14. Retrieved 2018-06-18.
  7. ^ "CVE-2018-3665". Debian. Retrieved 2018-06-17.
  8. ^ "OpenBSD 6.3 Errata". OpenBSD. Retrieved 2018-06-18.

