
Foreshadow: the fifth major CPU security flaw discovered in 2018

By Cal Jeffrey · 20 replies
Aug 14, 2018
  1. SGX allows programs to set up secure areas, also called enclaves, in the processor for the handling of sensitive data. These areas are restricted and are somewhat like a sandbox in that code is not allowed to be executed within. So even in the event of a virus or malware the data can remain safe. However, researchers from five different institutions have discovered that while SGX can repel Spectre and Meltdown attacks, Foreshadow has the ability to bypass the security measures.

    Foreshadow has two versions: the original attack, designed to extract data from SGX enclaves, and Foreshadow NG (Next Generation), which can be used to extract any information residing in the L1 cache. NG affects virtual machines, hypervisors, OS kernel memory, and system management mode memory, potentially threatening entire cloud platforms' infrastructure.

    “There were certain aspects that were surprising and certain aspects that weren't,” said microarchitecture security researcher Yuval Yarom. “We thought speculative execution could get some information from SGX, but we weren’t sure how much. The amount of information we actually got out—that took us by surprise.”

    Yarom and his team are preparing to present their findings at the Usenix security conference in Baltimore, Maryland this Wednesday.

    Working in two separate groups, the researchers “independently developed the same speculative execution attack that could access SGX-protected memory in a data cache called ‘L1.’” They also found that the attack could reveal secret cryptographic keys called “attestation keys,” which enable SGX to perform integrity checks.

    “A fundamental concept underlying SGX is that an enclave's contents are signed with a key that Intel holds as a third party,” reports Wired. “An outside system can check the legitimacy of an enclave by reviewing its signature.”

    Furthermore, once attackers have a set of attestation keys, they can generate SGX signatures that look genuine in any context. This undermines another security measure that Intel uses called “group signatures.” This security measure helps to ensure the anonymity of enclaves -- the partitions in the processor that SGX uses to hold the sensitive data. Group signatures essentially separate the enclave from its unique signature, thus making it difficult to compromise an enclave or create a fake one.

    “The root of trust in SGX is that the attestation key has never seen the light of day outside SGX,” says Daniel Genkin, another researcher on the Foreshadow project. “As soon as the attestation key sees the light of day, then everything kind of crumbles.”

    Meltdown, the different variants of Spectre, and now Foreshadow exploit vulnerabilities related to speculative execution, a technique used by most modern CPUs to optimize performance. By making an educated guess about the next task to be performed by the processor, work is done before it’s known if it’s actually needed. If the CPU guesses right, then there is no delay in getting the results of such operation, but if the task is not needed, it’s simply discarded.

    While most modern CPUs implement speculative execution, Intel’s have been the most severely affected by the flaws so far. Before the Meltdown and Spectre flaws were disclosed last January, it seemed that no one was looking for this kind of low-level vulnerability, but once the cat was let out of the bag, a fourth variant was discovered in May, and now Foreshadow is the fifth major hole that exposes x86 microprocessors.

    “We are seeing an unprecedented focus on microprocessors as a threat vector for malicious activities; as software and hardware advance at a rapid rate, previously ‘impossible’ attacks are now becoming achievable by skilled actors. Spectre and Meltdown have formed a new class of vulnerabilities that enterprise IT must be ready to address, at both the organizational level and at the software level,” said Jon Masters, Chief Microarchitecture Architect at Red Hat.

    Intel has rated Foreshadow as 'high severity' and confirmed that the flaw affects all SGX-enabled Core processors, while Intel Atom CPUs are unaffected. The list below comes straight from the CPU maker who has opened a security advisory page with additional technical details:

    • Intel Core i3/i5/i7/M processor (45nm and 32nm)
    • 2nd/3rd/4th/5th/6th/7th/8th generation Intel Core processors
    • Intel Core X-series Processor Family for Intel X99 and X299 platforms
    • Intel Xeon processor 3400/3600/5500/5600/6500/7500 series
    • Intel Xeon Processor E3 v1/v2/v3/v4/v5/v6 Family
    • Intel Xeon Processor E5 v1/v2/v3/v4 Family
    • Intel Xeon Processor E7 v1/v2/v3/v4 Family
    • Intel Xeon Processor Scalable Family
    • Intel Xeon Processor D (1500, 2100)

    As of writing, only Intel CPUs have been confirmed to be vulnerable to Foreshadow. In order to secure systems against the two Foreshadow variants, mitigations will be required at both the software level (OS, VM, VMM, etc.) and microcode level (hardware firmware, BIOS).

    Intel, who refers to Foreshadow as "L1 Terminal Fault," has stated that they started distributing microcode updates to partners around May/June and are in the process of releasing mitigations for all affected processors. They anticipate no meaningful performance impact will be observed as the result of patching. System manufacturers and system software vendors provide these microcode changes via BIOS updates. Foreshadow also requires patching at the OS and VMM level for successful mitigation.

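An added example, not part of the original article or thread: one way to check the OS- and VMM-level mitigation state the article describes, assuming a Linux host whose kernel reports L1 Terminal Fault status in sysfs. The verdict labels (`host-only`, `smt-exposed`, and so on) are names chosen for this example, not kernel terminology.

```shell
#!/bin/sh
# Added example: classify the Linux kernel's L1TF (Foreshadow) status string.
# Assumption: the kernel exposes the status at this sysfs path.
L1TF_SYSFS=/sys/devices/system/cpu/vulnerabilities/l1tf

# l1tf_assess STATUS
# Prints one verdict: not-affected | vulnerable | unknown |
#                     host-only | guest-exposed | smt-exposed | mitigated
l1tf_assess() {
    status=$1
    case $status in
        "Not affected"*) echo not-affected; return 0 ;;
        Vulnerable*)     echo vulnerable;   return 0 ;;
    esac
    # The OS-level mitigation is reported as "PTE Inversion".
    case $status in
        *"PTE Inversion"*) ;;
        *) echo unknown; return 0 ;;
    esac
    # The hypervisor-level state, when reported, follows "VMX:".
    case $status in
        *"VMX:"*) ;;
        *) echo host-only; return 0 ;;   # no VMX field reported
    esac
    case $status in
        *"VMX: vulnerable"*)   echo guest-exposed; return 0 ;;  # no L1D flush on VM entry
        *"VMX: EPT disabled"*) echo mitigated;     return 0 ;;
    esac
    # L1D flushing is active; the remaining exposure is a sibling hyperthread.
    case $status in
        *"SMT vulnerable"*) echo smt-exposed ;;
        *)                  echo mitigated ;;
    esac
}

# Report the state of the machine this script runs on.
if [ -r "$L1TF_SYSFS" ]; then
    current=$(cat "$L1TF_SYSFS")
else
    current=""
fi
echo "l1tf: ${current:-<no sysfs entry>} -> $(l1tf_assess "$current")"
```

A verdict of `smt-exposed` means the kernel flushes the L1 data cache on VM entry but hyperthreading is still enabled, so an untrusted guest sharing a physical core remains a concern for virtualization hosts.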

  2. Vrmithrax

    Vrmithrax TechSpot Paladin Posts: 1,434   +413

    Oh yay! Another security flaw!

    Now there will be another rush to push security updates that will endlessly loop BSODs for a bunch of us running Ryzen processors, just like it did when Meltdown and Spectre hit initially. Can't wait.
    Jamlad and Reehahs like this.
  3. Uncle Al

    Uncle Al TS Evangelist Posts: 5,022   +3,426

    It would be nice to see AT LEAST a Federal Law on the books that required the Mfg. to refund entirely the amount paid for any chip found with such a flaw, that cannot be corrected. It is too much like the lemon laws and could be equally applied for the benefit of the consumer as well as stop these multitude of generations of chips from coming out each year ......
    Charles Olson likes this.
  4. jobeard

    jobeard TS Ambassador Posts: 12,671   +1,478

    For ANY form of encryption, once the keys have been compromised, it's GAME OVER. The usual recovery is to decrypt existing data and reencrypt with a new key.
    TempleOrion likes this.
  5. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 11,208   +4,876

    That is a bit harsh. I'd agree to refunding based on a depreciation value each year. After 10 years the product should hold no refund value. It's not like returning a car on recall and have a specific part replaced.
    TempleOrion and Jamlad like this.
  6. CaptainTom

    CaptainTom TS Maniac Posts: 403   +211

    Hope those 9900K's can hit 5.5GHz lol. That's eventually what it will take to tread the IPC water above AMD.
    Reehahs likes this.
  7. Evernessince

    Evernessince TS Evangelist Posts: 3,661   +2,982

    CTS labs could learn a lot from these guys, assuming they weren't just manipulating stock prices for financial gain. Ironically I can't even access the AMDFlaws.com website anymore, it seems to be down.
    TempleOrion and Charles Olson like this.
  8. Damnit, Intel.

    Looks like another reason to move to AMD now that Ryzen can actually compete.

    My inner conspiracy theorist says that the alphabet soup agencies have known about these flaws for a decade and either strong-armed or discouraged their mitigation. I'm sure at least one engineer in Intel's ranks must have realized a potential flaw and was told to drop it due to the performance/PR hit in fixing it.
  9. Burty117

    Burty117 TechSpot Chancellor Posts: 3,445   +1,215

    This sounds like good news to me. It's annoying not being able to rip UHD Blu-rays. If we can get the AACS keys from the SGX enclave, I hope developers have a chance of breaking the encryption.
    HyPeroxya likes this.
  10. Dimitrios

    Dimitrios TS Maniac Posts: 345   +238

    If you own INTEL stock, SELL IT ASAP!
  11. gamerk2

    gamerk2 TS Addict Posts: 203   +126

    Nah, do the opposite and buy it on the downswing. That's how you make money.
    ZackL04, Drew Valadez and jobeard like this.
  12. knight0334

    knight0334 TS Rookie

    I'd rather see a federal law requiring the execution of people that write scripts/code for malicious purposes.
    ZackL04 likes this.
  13. pcnthuziast

    pcnthuziast TS Evangelist Posts: 513   +136

    Intel to AMD, literally holier than thou.
  14. Sausagemeat

    Sausagemeat TS Maniac Posts: 409   +202

    You have to look at this with context, Intel sell the vast majority of X86 silicon, these security groups focus their attention on finding flaws in silicon used by most companies. All chips including chips from AMD and chips that have yet to be released from any manufacturer definitely have vulnerabilities, we just haven’t found them yet. We also have to remember that whilst most of these vulnerabilities are confirmed there are practically no proven attacks using them, this is because not only do you need huge resources, professionals and money to execute such attacks but also that in most cases the end users would not even be aware that it's happened. At the end of the day, unless you have data that’s incredibly valuable it’s simply not worth the cost of someone performing an attack on your system, even for a company holding thousands of customer bank account details. Which keeps this fundamentally a concern of a very small group of companies around the world.

    These vulnerabilities date back to older CPUs and are only just being found now, or rather only just being made public now. They will continue to find more and more as time goes on. And more than likely there are some vulnerabilities found that these groups have yet to go public on. Right now there are probably only a small handful of computer scientists who have the ability to execute an attack of this nature, which is a good thing as it allows the manufacturers to inoculate their systems. Really, news like this is good for Intel, a security group found these flaws before a criminal with bad intentions did, this will potentially save them money in PR and lawsuits as actual attacks on systems that the manufacturer is unaware of is far more damaging. This makes this less likely to happen and exactly why security groups like this exist.

    Now I’m not saying don’t buy AMD over Intel, there are plenty of compelling reasons to do so. But to make that decision purely on these newly discovered flaws is an overreaction to the max. Same goes for demanding a refund. There might be a case for a company who has recently invested a large amount of cash into an Intel based solution for a highly secure data center to seek compensation for the silicon cost this will inevitably create from Intel, something that would more than certainly be settled on an individual basis or in a court. Home users don’t really have a leg to stand on when it comes to demanding a refund. I’m willing to bet most people's home systems are already vulnerable to much easier exploits than these. The chances are the company you bank with won’t even have completely invulnerable systems.

    These stories are interesting, I’m not criticising TechSpot at all for publishing it. But in the world of computer security - something I have to deal with in my job, this is pretty normal stuff, articles like this do seem to be generating traction however, so expect more and more to arrive. The more people like read about these things, the more journalists will continue to publish the stories.
    Burty117 likes this.
  15. andy06shake

    andy06shake TS Evangelist Posts: 489   +159


    Sounds like a fps horror game. LoL
    Charles Olson likes this.
  16. ZackL04

    ZackL04 TS Maniac Posts: 497   +242

    MAYBE if a computer was as important as food or water, but it's not. It is a tool for most people or a toy for others
    TempleOrion likes this.
  17. noname

    noname TS Enthusiast Posts: 22   +29

    Theo de Raadt is the founder and leader of the OpenBSD and OpenSSH projects, and was also a founding member of the NetBSD project : https://marc.info/?l=openbsd-tech&m=153431475429367&w=2

    Full quote :
    Eugenia and TempleOrion like this.
  18. Kibaruk

    Kibaruk TechSpot Paladin Posts: 3,746   +1,144

    Are you living in the 1800s???

    I mean... just imagine for a fraction of a second how the world would fare now if computers were gone.
  19. ZackL04

    ZackL04 TS Maniac Posts: 497   +242

    I'm talking as an end user
  20. Kibaruk

    Kibaruk TechSpot Paladin Posts: 3,746   +1,144

    Even if you make an extremely weird and arbitrary definition of end user, it's still the same scenario.
  21. JTHyperV

    JTHyperV TS Rookie

    There are many sides to this. A law might not be put in place to stop it. Both corporate and government are aware. By the end, it boils down to a privacy issue.
