
Spectre and Meltdown are no longer the most dangerous attacks on Intel CPUs: researchers report the Foreshadow vulnerability



At the beginning of this year the information space was shaken by the news about Spectre and Meltdown, two vulnerabilities that abuse speculative code execution to gain access to memory (articles and translations on this topic on Habr: 0, 1, 2, 3, 4, 5, 6, 7, 8, and a dozen more can be found via search). At about the same time, while the technical community was actively discussing the performance drop of Intel processors and, more generally, the architectural problems of modern processors that make such holes exploitable, two groups of researchers independently began to examine speculative code execution on Intel processors.

As a result, both groups came to the conclusion that this attack vector not only grants access to the processor cache but also allows reading and changing the contents of the protected areas of Intel SGX (1, 2), in full Intel Software Guard Extensions. Thus the latest Intel chips on the Skylake (sixth generation) and Kaby Lake (seventh and eighth generation) architectures are exposed to even more serious attacks. It would not be so bad if SGX were used only by the system, but these areas are also used by user applications.

It should be noted right away that all the researchers who publicly reported the new vulnerability are white hats and had notified Intel about the problem in advance. Since May, the processor manufacturer, together with Linux developers and Microsoft representatives, has been contacting the main software vendors and rolling out small patches that should close the hole that was found. However, given the speculative nature of the vulnerability (it exploits speculative code execution), the patches may turn out to be ineffective.

What Foreshadow can do


The original report from the researchers themselves can be found on this page. By exploiting speculative code execution, the Foreshadow vulnerability (L1 Terminal Fault in Intel's classification) can potentially access the processor's L1 cache as well as the protected SGX area of the three latest generations of Intel processors. At the same time, Foreshadow can retrieve any information from the cache, including system-level data, right up to the OS kernel or the hypervisor.

Explanatory video from the researchers

In the darkest scenario, when attacking the processor, Foreshadow gains access to all the virtual machines running on it. Foreshadow is therefore a serious danger for modern cloud infrastructure. (PDF report on Foreshadow's current capabilities; PDF report with the researchers' forecast.)

Demonstration of reading memory via Foreshadow

The following CVE numbers were assigned to the Foreshadow / L1 Terminal Fault attack:


A few words should be said about SGX. Intel Software Guard Extensions is a technology for creating secure enclaves within the processor's memory for storing and operating on the most valuable data. It has been implemented in the last three generations of Intel products and was one of the bastions that Spectre and Meltdown could not "take". SGX is actively used not only by operating systems for their own purposes but also by user applications for which data security matters. One such application is the 1Password client for Windows, as its developers proudly reported back in 2017; since then, 1Password on Windows has stored its master key in an area created by SGX. How many other applications that handle personal data rely on SGX as "secure storage" is unknown.

Amazon, Google and Microsoft have already announced that they have patched their cloud infrastructure and that user services are not at risk, which one would very much like to believe. Users can only install the latest updates for their OS and hope for the best.
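The cloud scenario above and the "install the updates and hope" advice both come down to one question for a Linux hypervisor host: what does the kernel say about its own L1TF mitigation state? As an added example (not part of the original article or of the researchers' work), the script below parses the status line the kernel exposes in /sys/devices/system/cpu/vulnerabilities/l1tf and summarises the residual cross-VM risk. The sample status lines are constructed in the kernel's format, and the risk classification is this example's own.

```python
"""Interpret the Linux kernel's L1TF (Foreshadow) status line (added example; samples constructed)."""
import re
from dataclasses import dataclass

L1TF_SYSFS = "/sys/devices/system/cpu/vulnerabilities/l1tf"

@dataclass
class L1tfStatus:
    affected: bool
    pte_inversion: bool   # kernel's own page tables protected (bare-metal part)
    vmx: str              # L1D flush policy the kernel applies on VM entry
    smt_vulnerable: bool  # a sibling hyperthread could still see a guest's L1D data

def parse_l1tf(line: str) -> L1tfStatus:
    line = line.strip()
    if line == "Not affected":
        return L1tfStatus(False, True, "not required", False)
    pte = line.startswith("Mitigation: PTE Inversion")
    m = re.search(r"VMX:\s*([^,]+)", line)
    vmx = m.group(1).strip() if m else "none"   # no VMX field: kvm-intel not loaded
    # The kernel omits the SMT field when VMX is left unmitigated, so
    # anything other than an explicit "SMT disabled" counts as SMT active.
    return L1tfStatus(True, pte, vmx, "SMT disabled" not in line)

def vm_host_risk(status: L1tfStatus) -> str:
    """Summarise residual exposure; the classification is this example's own."""
    if not status.affected:
        return "ok: CPU not affected"
    if not status.pte_inversion:
        return "high: kernel page-table mitigation (PTE inversion) is off"
    if status.vmx == "none":
        return "info: no VMX state reported (kvm-intel not loaded)"
    if status.vmx == "vulnerable":
        return "high: a guest can read stale L1D contents of other guests or the host"
    if status.vmx.endswith("cache flushes") and status.smt_vulnerable:
        return "medium: L1D flushed on VM entry, but a sibling hyperthread can still snoop"
    return "ok: L1D flush active with SMT disabled, or flush not needed"

def read_host_status(path: str = L1TF_SYSFS) -> L1tfStatus:
    """Read the live status on a Linux host that has the L1TF kernel updates."""
    with open(path) as fh:
        return parse_l1tf(fh.read())

if __name__ == "__main__":
    # Constructed sample lines in the kernel's own format, for an offline run.
    for sample in ("Not affected", "Vulnerable",
                   "Mitigation: PTE Inversion; VMX: vulnerable",
                   "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
                   "Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled"):
        print(f"{sample}\n  -> {vm_host_risk(parse_l1tf(sample))}")
```

On a real host, call read_host_status() instead of the constructed samples; a "medium" result means the kernel-side L1D flush is in place but hyperthreading still lets a co-scheduled sibling observe guest data.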

Source: https://habr.com/ru/post/420291/

