'Foreshadow' Flaw Undermines the Intel CPU Secure Enclave
In cybersecurity circles, this has been the year of Spectre and Meltdown, not only because the chip vulnerabilities—first publicly disclosed in January—were so widespread that they’re still being cleaned up, but because they’ve given rise to the discovery of many related flaws. Now, a team of researchers has found a Spectre-like vulnerability that specifically undermines the most secure element of recent Intel chips—and potentially has even broader implications.
Intel’s Software Guard Extensions feature, known as SGX, allows programs to establish so-called secure enclaves on Intel processors. These are regions of a chip that are cordoned off to run code that the computer’s operating system can’t access or change. The secure enclave creates a safe haven for sensitive data, even if malware or another malady compromises the main computer. But a group of researchers, hailing from five academic institutions around the world, found that although SGX can mostly repel Spectre and Meltdown attacks, a related attack can bypass its defenses. They call it Foreshadow.
“There were certain aspects that were surprising and certain aspects that weren’t,” says microarchitecture security researcher Yuval Yarom, a member of the team that will present its findings at the Usenix security conference in Baltimore on Wednesday.”We thought speculative execution could get some information from SGX, but we weren’t sure how much. The amount of information we actually got out—that took us by surprise.”
Meltdown, Spectre, and Foreshadow all exploit various flaws in a computing technique known as speculative execution. A processor can run more efficiently by making an educated guess about what operation it will be asked to perform next. A correct prediction saves resources, while work based on an incorrect prediction gets scrapped.
But the system leaves behind clues—how long it takes a processor to fulfill a certain request, for example—that an attacker can use to find weaknesses, ultimately gaining the ability to manipulate what path the speculation takes, and scooping up data at opportune moments that leaks out of a process’s data storage cache. Speculative execution attacks tend to be convoluted and difficult to carry out in practice, and Intel emphasizes that none have been seen in the real world. They are important to guard against, though, because a truly motivated attacker could use them to access data and system privileges meant to be off limits.
“It’s not one thing. There’s a lot of speculation going on in any modern computer,” hardware security researcher and Foreshadow contributor Jo Van Bulck says. “Spectre is focused on one speculation mechanism, Meltdown is another, and Foreshadow is another.”
The researchers say that after the initial discovery of Spectre and Meltdown, the SGX enclave was the obvious next place to look for speculative execution flaws. Some clever Spectre attacks did manage to undermine SGX under the right conditions, but the approaches weren’t very effective overall. “When you look at what Spectre and Meltdown did not break, SGX was one of the few things left,” says system security researcher Daniel Genkin, who contributed to the Foreshadow work. “SGX was mostly spared by Spectre, so it was the logical next step.”
The researchers presenting Foreshadow—Van Bulck, Frank Piessens, and Raoul Strack of KU Leuven in Belgium; Marina Minkin and Mark Silberstein of Technion in Israel; Genkin, Ofir Weisse, Baris Kasikci, and Thomas Wenisch from University of Michigan; and Yarom from University of Adelaide in Australia—had originally worked in two smaller groups that both hunted for an SGX-focused speculative execution flaw. After the two teams separately disclosed Foreshadow to Intel within weeks of each other in January, they started collaborating to refine and expand the research.
Keys to the Kingdom
What they found is deeply problematic. Not only did both teams independently develop the same speculative execution attack that could access SGX-protected memory in a data cache called “L1,” they also realized that the attack could expose the secret cryptographic keys, known as attestation keys, that enable SGX’s crucial integrity checks.
A fundamental concept underlying SGX is that an enclave’s contents are signed with a key that Intel holds as a third party. An outside system can check the legitimacy of an enclave by reviewing its signature. You probably see the inherent danger in Foreshadow exposing these keys, but it actually gets even worse.
A privacy protection built into SGX, one that Foreshadow researchers applaud, is an anonymity feature called group signatures. Think of it like this: If you signed public guestbooks everywhere you went, someone could learn a lot about you by tracking all of the places you signed in, even if they didn’t know detailed specifics of what you did at each stop. SGX uses group signatures to solve this problem, making it impossible to identify specific enclaves from their signatures. But once a set of attestation keys are compromised, they can be used to generate SGX signatures that will look legitimate in any context—even as attackers compromise an enclave, or set up a fake one.
“The root of trust in SGX is that the attestation key has never seen the light of day outside SGX,” Genkin says. “As soon as the attestation key sees the light of day, then everything kind of crumbles.”
Foreshadow attacks are effective against all Intel Core Skylake and Kaby Lake processors, which incorporate SGX, and the research is tailored specifically to Intel chips. The attacks are stealthy, leaving few traces in a computer’s logs. And they can be launched from “user space,” meaning an attacker doesn’t need to have deep access to a system to launch the assault.
The Foreshadow researchers stress the limitations and challenges of actually carrying out the attack in the wild, though. They say that cheap, easy, and effective techniques like phishing and malware distribution are still the obvious and most cost-effective choice for targeting individuals. Compared to those, Foreshadow would be impractical. Plus, SGX is a specialized feature that most people don’t use. In other words, don’t freak out.
But the findings still speak to longstanding questions and concerns about reliance on SGX—and whether for all its benefits it also has the downside of becoming a single point of failure for everyone’s most sensitive software and data.
Meanwhile, though not every user relies on SGX, more and more secure services are exploring the possibility of using it in their consumer products—like the password manager 1Password and the end-to-end encrypted messaging app Signal. “This is not an attack on a particular user, it’s an attack on infrastructure,” Yarom says.
Intel is in the process of releasing mitigations for Foreshadow, which it calls L1 Terminal Fault, that address both the software and microcode (hardware) issues. The company started distributing microcode fixes as part of a May/June release, and coordinated across the software ecosystem with numerous key developers, including Microsoft, to begin distributing patches today. Linux is also expected to begin receiving fixes. And Intel maintains that the research, while important, represents risks that are extremely limited in practice.
“L1 Terminal Fault is addressed by microcode updates released earlier this year, coupled with corresponding updates to operating system and hypervisor software that are available starting today,” Intel said in a statement. “We’d like to extend our thanks to the researchers…and our industry partners for their collaboration in helping us identify and address this issue.”
One reason Intel needs to patch things quickly and thoroughly is that the company discovered that even more processor systems are susceptible to Foreshadow-type attacks than just SGX. Secure enclaves act as a sort of computer within a computer, so it stands to reason that Foreshadow attacks actually apply to other features with similar traits. For example, Foreshadow could potentially erode the isolation between virtual machines—distinct computing environments that can all share the same hardware. That could pose a serious risk to cloud companies, which use VMs to let customers share their infrastructure.
Similarly, Foreshadow attacks may threaten “hypervisors,” which underly and monitor virtual machines. There’s even some evidence that Foreshadow could be used to attack a computer’s fundamental coordinating layers that hold up the operating system, like the kernel and System Management Mode. The researchers themselves haven’t empirically demonstrated these possible attacks, as they did with SGX, but Intel says that a big portion of its mitigation efforts are targeting toward ensuring that cloud providers and their users have the mitigations and guidance they need to fully implement protections.
And though the researchers applaud Intel’s extensive efforts, they note that they can’t know for sure that the defenses mitigate every possible permutation of a Foreshadow attack. “It’s a very hard question,” Genkin says. “We ran our code with the mitigations in place, and the attack didn’t work. But what does it mean? It’s good for our set of tricks, but we cannot attest to something else.”
The researchers and Intel both highly recommend that individuals and enterprises all keep their devices up to date, and note that major cloud companies are already working on mitigating Foreshadow. The research “further underscores the need for everyone to adhere to security best practices,” Intel executive vice president of product assurance and security Leslie Culbertson wrote in a blog post Tuesday.
Chip architecture continues to evolve to head off future speculative execution flaws; Intel says it has improvements in its pipeline that will come to market at the end of the year. But for now the parade of new, nasty attacks isn’t over. Foreshadow may be a dramatic name, but in this case it’s also apt.