This affects recent Intel CPUs. It might affect non-Intel CPUs but I have no evidence of that. It is an information leak caused by speculative execution, affecting operating systems which use "lazy FPU context switching".
The impact of this bug is disclosure of the contents of FPU/MMX/SSE/AVX registers. This is very bad because AES encryption keys almost always end up in SSE registers.
You need to be able to execute code on the same CPU as the target process in order to steal cryptographic keys this way. You also need to perform a specific sequence of operations before the CPU pipeline completes, so there's a narrow window for execution.
I'm not going to say that it's *impossible* that this could be executed via a web browser or a similarly "quasi-remote" attack, but it's much harder than Meltdown was.
I was not part of the coordinated disclosure process for this vulnerability. I became aware of this issue after attending a session organized by Theo de Raadt at @BSDCan. It took me about 5 hours to write a working exploit based on the details he announced.
Theo says that he was not under NDA and was not part of the coordinated disclosure process. I believe him. However, there were details which he knew and attributed to "rumours" which very clearly came from someone who was part of the embargo.
My understanding is that the original disclosure date for this was some time in late July or early August. After I wrote an exploit for this, I contacted the embargoed people to say "look, if I can do this in five hours, other people can too; you can't wait that long".
While I have exploit code and it is being circulated among some of the relevant security teams, I'm not going to publish it yet; the purpose was to convince the relevant people that they couldn't afford to wait, and that purpose has been achieved.
I know from the years that I spent as FreeBSD security officer that it takes some time to get patches out, and my goal is to make the world more secure, not less. But after everybody has had time to push their patches out I'll release the exploit code to help future researchers.
I think that's everything I need to say about this vulnerability right now. Happy to answer questions, but I'm not part of the FreeBSD security team and don't have any inside knowledge here -- FreeBSD takes embargoes seriously and they didn't share anything with me. </thread>
One more thing, some advisories are going out giving me credit for co-discovering this. I didn't; I just reproduced it and wrote exploit code after all the important details leaked.
New conversation
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html Intel says you reported the issue?
Wires got crossed somewhere. Probably the FreeBSD security officer passed along "Colin has written exploit code for this" and it got interpreted as "Colin independently discovered this" rather than "Colin was paying attention in Theo's talk".
Fair enough, thanks Colin for the clarification... and thanks for contributing to Theo's talk at BSDCan :) Keep up the good work.
New conversation
Is there any reason for the existence of the sysctl setting?
My understanding is that it was there for testing purposes, when the relevant people thought they had several more weeks available to test this before it became public.
New conversation
It was pretty much hinted at in https://marc.info/?l=openbsd-cvs&m=152818076013158&w=2
New conversation
Thanks for sharing with us!
New conversation
Still no reply from Intel when I cc'ed them: http://seclists.org/oss-sec/2018/q2/184