Spectre and Meltdown are no longer the most dangerous attacks on Intel CPUs: researchers report the Foreshadow vulnerability
At the beginning of this year the news space was shaken by reports of Spectre and Meltdown, two vulnerabilities that use speculative execution to gain access to memory (articles and translations on the topic on Habr: 0, 1, 2, 3, 4, 5, 6, 7, 8; a search turns up a dozen more). At about the same time, while the technical community was actively discussing the performance drop in Intel processors and, more generally, the problems of modern processor architecture that make such holes exploitable, two groups of researchers independently began to study speculative execution on Intel processors.
As a result, both groups concluded that this attack vector not only grants access to the processor cache, but also reads and modifies the contents of the protected regions of Intel SGX (1, 2), short for Intel Software Guard Extensions. Thus the latest Intel chips on the Skylake (sixth generation) and Kaby Lake (seventh and eighth generation) architectures are affected. It would not be so bad if SGX were used only by the system, but user applications also access these regions.
It should be noted right away that all the researchers who publicly reported the new vulnerability are white hats and had notified Intel of the problem in advance. Since May the processor manufacturer, together with Linux developers and Microsoft representatives, has contacted the major software vendors and rolled out small patches that are meant to close the hole. However, given the nature of the vulnerability (it exploits speculative code execution), the patches may prove ineffective.
What Foreshadow can do
The researchers' original report can be found on this page. By exploiting speculative code execution, the Foreshadow vulnerability (L1 Terminal Fault in Intel's classification) can potentially access the processor's L1 cache as well as the SGX protected region on the three latest generations of Intel processors. Foreshadow can retrieve any information from the cache, including information about the system's operating mode, up to the OS kernel or hypervisor.
Explanatory video from the researchers
In the darkest scenario, an attack on the processor gives Foreshadow access to all the virtual machines associated with it. Foreshadow therefore represents a great danger to modern cloud infrastructure (report on Foreshadow's current capabilities, PDF; report forecasting attack scenarios, PDF).
A demonstration of memory reading through the operation of Foreshadow
The Foreshadow / L1 Terminal Fault attack has been assigned the following CVE numbers:
- CVE-2018-3615 for the attack on SGX.
- CVE-2018-3620 for the attack on the OS kernel and SMM mode.
- CVE-2018-3646 for the attack on virtual machines.
A few words should be said about SGX. Intel Software Guard Extensions is a technology for creating secure enclaves in processor memory for storing and operating on the most valuable data. It has been implemented in the last three generations of Intel products and was one of the strongholds that Spectre and Meltdown could not "take". SGX is actively used not only by operating systems for their own work, but also by user applications for which data security matters. One such application is the 1Password client for Windows, as the application's developers proudly reported back in 2017: since then, 1Password on Windows has stored the master key in an SGX-created region. How many other applications handling personal data keep information in SGX as "secure storage" is unknown.
Amazon, Google and Microsoft have already announced that they have patched their cloud infrastructure and that user services are not at risk, which I really want to believe. Users can only install the latest updates for their operating systems and hope for the best.
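Installing updates is only half the job; an administrator also wants to confirm that the running kernel actually reports an L1TF mitigation. The script below is an added example, not from the article or from the researchers: it reads the status line that Linux kernels with the fix expose at /sys/devices/system/cpu/vulnerabilities/l1tf (the path is from the kernel's own hardware-vulnerability documentation, not from this article) and classifies it. The "partial" verdict covers the case where the kernel mitigates the host but still flags SMT as vulnerable, which matters for the virtual-machine variant (CVE-2018-3646). The exact status strings used in the test are constructed from the kernel's documented output format.

```shell
#!/bin/sh
# Added example (not part of the article): report the Linux kernel's L1TF /
# Foreshadow mitigation status. Kernels that carry the fix expose one line at
# the sysfs path below; older kernels simply do not have the file.

L1TF_SYSFS=/sys/devices/system/cpu/vulnerabilities/l1tf

# classify_l1tf_status STATUS_LINE
# Prints one word: not-affected, partial, mitigated, vulnerable or unknown.
# Order matters: the "SMT vulnerable" pattern must be tested before the
# generic "Mitigation:" pattern.
classify_l1tf_status() {
    case "$1" in
        "Not affected"*)                     echo not-affected ;;
        Mitigation:*"SMT vulnerable"*)       echo partial ;;
        Mitigation:*)                        echo mitigated ;;
        Vulnerable*)                         echo vulnerable ;;
        *)                                   echo unknown ;;
    esac
}

# read_l1tf_status: print the raw sysfs line, or "unknown" when the kernel
# does not expose the file (unpatched kernel or non-Linux host).
read_l1tf_status() {
    if [ -r "$L1TF_SYSFS" ]; then
        cat "$L1TF_SYSFS"
    else
        echo unknown
    fi
}

# check_l1tf: human-readable summary plus an exit code usable in a fleet-wide
# compliance check (0 = mitigated or not affected, 1 = anything else).
check_l1tf() {
    status=$(read_l1tf_status)
    verdict=$(classify_l1tf_status "$status")
    printf 'L1TF status: %s (%s)\n' "$status" "$verdict"
    case "$verdict" in
        mitigated|not-affected) return 0 ;;
        *)                      return 1 ;;
    esac
}

# The live check only runs when explicitly requested, so the functions can be
# sourced by other scripts without side effects.
if [ "${L1TF_LIVE:-0}" = 1 ]; then
    check_l1tf
fi
```

Run it as `L1TF_LIVE=1 sh l1tf_check.sh` on each host; a non-zero exit code flags a machine that still needs a kernel update or, for the hypervisor case, a decision about SMT.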