Intel Has a New Speculative Execution Issue: Foreshadow
Vulnerability Poses Special Risks For Virtualized Environments
The Meltdown and Spectre vulnerabilities revealed earlier this year showed how the quest to make CPUs run faster inadvertently introduced serious security vulnerabilities that could be used to access sensitive data (see Meltdown and Spectre Forecast: Patch Now and Keep Patching).
Now, researchers have unveiled a new attack called Foreshadow that builds on those speculative execution flaws, affecting millions of Intel processors made over the past five years. It's particularly dangerous because Foreshadow can be triggered from the user space and does not require a privileged attacker with root access.
Two teams of researchers independently discovered Foreshadow, but began working together after informing Intel in January. Their joint research paper is due to be presented at the 27th Usenix Security Symposium that starts in Baltimore on Wednesday.
In the seven months since, the vulnerability has been kept under wraps as Intel has developed mitigations. Intel also found two variants of the Foreshadow attack, one of which could affect cloud-computing environments.
While Foreshadow is serious, Intel says it expects its impact on consumers and enterprises in non-virtualized environments to be low. The chip manufacturer has issued microcode fixes for all three variations of the vulnerability, two of which it believes have been sufficiently mitigated.
But organizations using virtualization technologies in data centers may need to take more steps to protect their systems, writes Leslie Culbertson, executive vice president and Intel's general manager for product assurance and security.
Tapping SGX Enclaves
The researchers found that Foreshadow (CVE-2018-3615) can be used to target Intel's Software Guard Extensions. Intel announced SGX in 2013. SGX creates safe places in memory, called enclaves, where code can't be either disclosed or modified even if an attacker has kernel-level access.
SGX can in part repel the Meltdown and Spectre speculative execution-related attacks. Speculative execution is a feature in which the CPU does some advance work that may help speed up processing.
The researchers say that even if an attacker can't get into the SGX, the attacker still controls the surroundings around the SGX, which is where Foreshadow comes into play.
An attacker can create a shadow copy of the SGX data and move that copy into an unprotected space, according to a video from the researchers. The data within the SGX can then be read using the speculative execution flaws.
Attackers can also create fake SGXs that would be trusted. That's because the researchers pulled the cryptographic keys from Intel's vetted architectural enclaves. The keys, which are stored by Intel, verify that whatever data is inside an SGX hasn't been tampered with.
"The extracted remote attestation keys affect millions of devices," according to the research paper.
If Intel's microcode patches aren't applied, the researchers write that SGX "cannot even safeguard enclave secrets in the presence of unprivileged user space attackers."
A second Foreshadow variant, CVE-2018-3620, affects operating systems and system management modes, for which Intel has also issued microcode fixes.
Another variant of Foreshadow found by Intel, CVE-2018-3646, affects virtualized environments, which may pose risks for organizations relying on cloud infrastructure.
Intel, operating system and hypervisor vendors have issued updates to mitigate this aspect of Foreshadow, but Intel says in some cases, more defensive steps may need to be taken.
Virtualized systems sometimes use a hardware feature called simultaneous multithreading (SMT), which Intel refers to as hyperthreading. It allows one CPU core to act as two separate virtual processors and support two "sibling" threads, which then interface with the hypervisor.
Processors that support hyperthreading share a small pool of memory called the L1 cache. If an attacker controls one of the sibling threads, it may be possible to trigger a speculative operation that grabs data without permission from the other sibling, Intel says in an explainer video.
"Even though the system recognizes this isn't allowed and denies the bad actor's request, if the information they were looking for is coincidentally in the L1 cache, they may get a glimpse of that information," Intel says.
There are other steps organizations can take if administrators or cloud providers can't guarantee that all virtualized systems have been updated, Culbertson writes.
For example, some hypervisors support core scheduling, which ensures that only trusted siblings have access to the same processor core. If core scheduling isn't available within the hypervisor, it may be wise to only allow one thread to run per core if there's a chance a sibling thread may be untrusted, Intel says.
Intel's microcode fixes also include flushing data out of the L1 cache, reducing the window of opportunity for an attacker to scoop up data.
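An added example, not part of the original article or Intel's guidance: a check of whether a virtualization host has the two mitigations described above, the L1 cache flush and SMT handling, in place. It assumes a Linux host, which the article does not name, and parses the status strings the Linux kernel reports under sysfs; the sample strings are constructed.

```python
import re
from pathlib import Path

# Linux sysfs files (assumption: the host runs Linux; the article names no OS).
L1TF = Path("/sys/devices/system/cpu/vulnerabilities/l1tf")
SMT = Path("/sys/devices/system/cpu/smt/control")

# Constructed sample values in the format the kernel uses for the l1tf file.
SAMPLES = [
    ("Not affected", "on"),
    ("Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable", "on"),
    ("Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled", "off"),
    ("Mitigation: PTE Inversion; VMX: vulnerable", "on"),
]

def assess(l1tf_status, smt_control="on"):
    """Return (level, findings) for a host that may run untrusted guests."""
    status = l1tf_status.strip()
    if status == "Not affected":
        return "ok", []
    if not status.startswith("Mitigation:"):
        return "vulnerable", [f"no L1TF mitigation reported: {status}"]
    m = re.search(r"VMX: ([^,;]+)(?:, SMT (\w+))?", status)
    if m is None:  # KVM not loaded, so only the OS-level fix is reported
        return "ok", ["no VMX state reported; hypervisor side not assessed"]
    flush, smt = m.group(1).strip(), m.group(2)
    if flush in ("EPT disabled", "flush not necessary"):
        return "ok", []
    findings = []
    if flush == "vulnerable":
        findings.append("L1 data cache is not flushed on VM entry")
    # The kernel omits the SMT field in some states; fall back to smt/control.
    smt_active = smt == "vulnerable" if smt else smt_control == "on"
    if smt_active:
        findings.append("SMT active: a sibling thread shares the L1 cache; "
                        "use core scheduling or disable SMT")
    if flush == "vulnerable":
        return "vulnerable", findings
    return ("partial" if findings else "ok"), findings

def read_host():
    """Assess the machine this runs on, or None if the files are absent."""
    if not L1TF.exists():
        return None
    smt = SMT.read_text().strip() if SMT.exists() else "notsupported"
    return assess(L1TF.read_text(), smt)

if __name__ == "__main__":
    for status, smt in SAMPLES:
        print(assess(status, smt), "<-", status)
    print("this host:", read_host())
```

A "partial" result corresponds to the case Intel describes: the cache flush is in place, but an untrusted sibling thread could still share a core.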
"While these additional steps might be applicable to a relatively small portion of the market, we think it's important to provide solutions for all our customers," Culbertson writes.