LazyFP: Why discovering side channels is not a beach vacation

Thomas Prescher and Julian Stecklina

30 April 2019 | 16:00 - 18:00
HS i7, Inffeldgasse 25d/I

Abstract

In 2018, we jointly discovered and responsibly disclosed the LazyFP microarchitectural side-channel vulnerability (CVE-2018-3665). LazyFP is a Meltdown-type attack on hypervisors and operating systems that use lazy FPU context switching and allows recovery of FPU/SSE/AVX register sets across process boundaries. The underlying microarchitectural flaw is present in modern Intel Core-based processors.

In this talk, we look at this vulnerability from two sides. On the technical side, we review the different register sets on an x86 CPU and how operating system kernels and hypervisors manage them. We describe how the obscure lazy FPU context switching optimization and a microarchitectural weakness together form an information disclosure vulnerability. We explain why FPU registers can even contain interesting secrets and how this vulnerability was mitigated.

On the non-technical side, we tell the story of two systems developers working for different companies, one at a small German cyber-security company and one at an American trillion-dollar corporation, finding a security issue in Intel's main product. Looking back on these turbulent events, we detail our personal lessons learned and how we would approach an event like this in the future.

Short Bio | Thomas Prescher

Thomas Prescher co-discovered the "Meltdown" and "LazyFP" microprocessor side-channel vulnerabilities. He specializes in operating system and hypervisor development and is closely familiar with programming at the boundary of software and hardware. He gained his first work experience at Intel's Security and Privacy Research Lab, which analyzes attack scenarios and develops countermeasures. Afterwards, he worked for the American cybersecurity company FireEye, where he developed virtualization-based security measures for corporate endpoint systems. Currently, Thomas architects high-security platforms at Cyberus Technology, a company he co-founded. In this position, he's also responsible for mitigating side-channel vulnerabilities.

Short Bio | Julian Stecklina

Julian Stecklina personally witnessed the effects of microprocessor side-channel vulnerabilities as a Senior Kernel/Hypervisor Engineer at Amazon Web Services. He developed proof-of-concept attack code, e.g. for the L1TF/Foreshadow vulnerability, and was responsible for developing mitigations. In his spare time, he, together with Thomas Prescher, found the LazyFP side-channel vulnerability. Virtualization technology is a 10-year thread in Julian's professional career. This thread was started at the TU Dresden operating systems group and an internship at Intel's Virtualization Research Lab. After leaving the university, he worked together with Thomas at FireEye on innovative virtualization-based security solutions and went on to work on the Nitro hypervisor at Amazon Web Services. In his current position at Cyberus Technology, he is continuing to work on secure virtualization products.