A Foreshadowing of Another Exploit: The Appearance of the Foreshadow Attack
This entry was posted on Thursday, August 30th, 2018.
The year 2018 has been a turbulent year with regards to the semiconductor industry, kicking off with the revelation that modern chips were susceptible to Meltdown and Spectre attacks in January. The two attacks rely on speculative execution, an optimization technique where a chip makes an educated guess about what operation it will be asked to do next, which might mean performing unnecessary tasks. While a correct prediction saves resources, work based on an incorrect prediction simply gets scrapped.
If the processor guesses wrong, it will execute code that was never intended, or even code that should never have been allowed. This can be exploited if an attacker can trick the processor into speculatively computing on data that the attacker doesn’t have permission to access. The CPU soon discovers the error and scraps the results, but it doesn’t undo side effects from the computation, such as changes to the CPU’s memory caches. The attacker can then learn pieces of the secret data by observing those side effects. It should be noted that while speculative execution attacks are complicated and difficult to carry out in practice, these exploits are nevertheless significant, as a motivated attacker could use them to access data and system privileges meant to be off-limits.
What is Foreshadow?
Recently, another speculative execution-based attack was discovered by two teams: one at KU Leuven, and another with members from Technion, University of Michigan, University of Adelaide, and CSIRO’s Data61. Dubbed “Foreshadow,” this speculative execution attack allows an attacker to steal sensitive information stored inside personal computers or third-party clouds. There are two versions: the original attack designed to extract data from Software Guard Extensions (SGX) enclaves and a next-generation version that affects virtual machines (VM), hypervisors, operating system kernel memory, and System Management Mode (SMM) memory. SGX is a new feature in modern CPUs which allows computers to protect users’ data, even if the entire system falls under the attacker’s control.
With the next generation version of Foreshadow, there are two related attacks, which can potentially be used to read any information residing in the L1 cache, including information belonging to the SMM, SGX, the operating system’s kernel, or the hypervisor. Perhaps the most significant part of the attacks, however, is that the next-generation Foreshadow might also be used to read information stored in other virtual machines running on the same third-party cloud, presenting a risk to cloud infrastructure. The next generation Foreshadow can bypass previous mitigations against speculative execution attacks, including countermeasures designed to deal with Meltdown and Spectre.
While it was previously believed that SGX is resilient to speculative execution attacks such as Meltdown and Spectre, Foreshadow demonstrates how speculative execution can be exploited for reading the contents of SGX-protected memory as well as extracting the machine’s private attestation key.
Mike Hamburg, Senior Principle Engineer at Rambus’ Cryptography Research division says that Foreshadow has serious implications for SGX and VM hosts. The attack is a roadblock to SGX on consumer machines, since one cannot ask people to turn off hyperthreading in the BIOS in order to watch movies. It also “introduces two additional performance problems for VM hosts: limited hyperthreading and clearing L1 cache.” Moreover, he goes on to say that “SGX hosts will need to turn off hyperthreading, which is an additional performance hit.”
The Bottom Line
On top of the revelations that modern chips are open to attacks from Meltdown and Spectre, there is an additional exploit that has surfaced called Foreshadow, which targets the SGX feature, virtual machine software, and hyperthreading to boot. The exploit can steal information not just in personal computers, but also from third-party clouds as well. Foreshadow can access SGX-protected memory as well as extract the device’s private attestation key, undoing the security offered by the SGX feature. While no real world examples have appeared using these speculative execution exploits, it could be a matter of time before a determined attacker creates one.