Intel has confirmed another Spectre-aligned side-channel attack against its processors' speculative execution functionality, dubbed Foreshadow, which - as is becoming common - allows for access to supposedly-protected memory, including that of its Software Guard Extensions (SGX) enclave.
The latest in a string of publicly-disclosed vulnerabilities traceable back to the original Spectre and Meltdown issues announced in January this year, Foreshadow comes in two variants: Foreshadow itself uses Spectre-style speculative execution to read the contents of the SGX secure enclave and extract the machine's private attestation key; Foreshadow Next Generation (Foreshadow NG), meanwhile, is a pair of related vulnerabilities discovered by Intel itself while investigating the original Foreshadow attack and which allows for malicious applications to read any information residing in the processor's L1 cache, including 'protected' information from the system management mode (SMM), kernel, or hypervisor - and can even stretch beyond virtualised systems to attack other virtual machines running on the same host.
According to the vulnerability's official website and white paper, written by researchers from KU Leuven University, Technion Israel Institute of Technology, University of Michigan, University of Adelaide, and Data61, the flaws appear to be exclusive to Intel processors and affect all SGX-enabled Core-branded processors while, for some reason, not affecting Atom-brand processors with SGX functionality. The researchers have confirmed the flaws as affecting Intel's Kaby Lake and Skylake parts, though Intel's announcement on the matter has clarified it covers Core processors from the second to the eighth generations as well as Xeon chips of a similar vintage.
There is some good news on the horizon, though: The mitigations and protections released earlier this year to protect against Spectre also protect against some aspects of Foreshadow and Foreshadow NG, while the functions of the attack still possible will be mitigated by software patches Intel says will start appearing from affected vendors today. 'L1TF[ [L1 Terminal Fault, Intel's name for Foreshadow NG] is also addressed by changes we are already making at the hardware level,' adds Intel's Leslie Culbertson in an announcement. 'As we announced in March, these changes begin with our next-generation Intel Xeon Scalable processors (code-named Cascade Lake), as well as new client processors expected to launch later this year.'
As with previous patches against speculative execution vulnerabilities, though, Intel admits there may be a price to pay. 'There is a portion of the market – specifically a subset of those running traditional virtualization technology, and primarily in the data centre – where it may be advisable that customers or partners take additional steps to protect their systems. These actions may include enabling specific hypervisor core scheduling features or choosing not to use hyper-threading in some specific scenarios,' Culbertson explains. 'While these additional steps might be applicable to a relatively small portion of the market, we think it’s important to provide solutions for all our customers. For these specific cases, performance or resource utilisation on some specific workloads may be affected and varies accordingly.'
Microcode updates to protect against the Foreshadow vulnerabilities have been supplied to customers, Intel adds, though as of yet have no manufacturers have released firmware updates incorporating the protections.
May 15 2020 | 11:00