Foreshadow: The Sky Is Falling Again For Intel Chips

It’s been at least a month or two since the last vulnerability in Intel CPUs was released, but this time it’s serious. Foreshadow is the latest speculative execution attack that allows balaclava-wearing hackers to steal your sensitive information. You know it’s a real 0-day because it already has a domain, a logo, and this time, there’s a video explaining in simple terms anyone can understand why the sky is falling. The video uses ukuleles in the sound track, meaning it’s very well produced.

The Foreshadow attack relies on Intel’s Software Guard Extension (SGX) instructions that allow user code to allocate private regions of memory. These private regions of memory, or enclaves, were designed for VMs and DRM.

How Foreshadow Works

The Foreshadow attack utilizes speculative execution, a feature of modern CPUs most recently in the news thanks to the Meltdown and Spectre vulnerabilities. The Foreshadow attack reads the contents of memory protected by SGX, allowing an attacker to copy and read back private keys and other personal information. There is a second Foreshadow attack, called Foreshadow-NG, that is capable of reading anything inside a CPU’s L1 cache (effectively anything in memory with a little bit of work), and might also be used to read information stored in other virtual machines running on a third-party cloud. In the worst case scenario, running your own code on an AWS or Azure box could expose data that isn’t yours on the same AWS or Azure box. Additionally, countermeasures to Meltdown and Spectre attacks might be insufficient to protect from Foreshadown-NG

The researchers behind the Foreshadow attacks have talked with Intel, and the manufacturer has confirmed Foreshadow affects all SGX-enabled Skylake and Kaby Lake Core processors. Atom processors with SGX support remain unaffected. For the Foreshadow-NG attack, many more processors are affected, including second through eighth generation Core processors, and most Xeons. This is a significant percentage of all Intel CPUs currently deployed. Intel has released a security advisory detailing all the affected CPUs.

46 thoughts on “Foreshadow: The Sky Is Falling Again For Intel Chips

  1. “The Foreshadow attack relies on Intel’s Software Guard Extension (SGX) instructions that allow user code to allocate private regions of memory. These private regions of memory, or enclaves, were designed for VMs and DRM.”

    Doesn’t AMD have something similar?

    1. Yes, Though as I recall, as the mechanism describes it, with the shadow copy, it won’t work against AMD, because the data is encrypted, and only decrypted via calls from a process with the right key. … ok, I’m tired and that doesn’t make much sense, but the way this is described it should be Intel only. Let me look it up.

      Ah, found the name: Secure Encrypted Virtualization (SEV) …. AND separate vulnerability: https://www.theregister.co.uk/2018/05/25/amd_epyc_sev_vm_encryption_bypass/

      Not that this is the first issue with Intel’s SGX: https://www.theregister.co.uk/2016/02/01/sgx_secure_until_you_look_at_the_detail/

      Hope that’s helpful.

      1. Yeah, that’s not so bad.

        I’m not really surprised that somebody who owns the box can look at anything in the box, and all these promises by chip makers to the contrary are about as valuable as wet cardboard. At least with AMD’s bug, you can’t see from VM to SMM and everything inbetween from within userspace or inside a VM.

        It might be a dream-come-true for Netflix and Co to have a way around the whole “safe in the bankrobber’s living room problem” with DRM, but I don’t think that’s ever going to be a reasonable expectation, nevermind it’s the fastest route to “I’m sorry Dave. I’m afraid I can’t do that.” It must be such an inconvenience having to send their customer adversary (customersary? adverstomer?) both the encrypted media and the key to decrypt it, just so they can watch TV. Just like how it was inconvenient that people could (still can) type up their own copy of Moby Dick on their typewriter.

    1. I’d say that even the 8085 was a mistake. Intel’s best ever processor was the 8080, a real improvement over the 4004. The 8085 has to much on a single chip, with serial I/O and stuff. Long live the 8080! :)

  2. There’s a good rundown on it here
    https://lwn.net/SubscriberLink/762570/75306c44ec963c8f/

    Interesting portions
    “For non-present pages, none of the other bits in the page-table entry are meant to be used by the processor, so the kernel can use those bits to store useful information; for example, for pages that have been swapped out, the location in the swap area is stored in the PTE. In other cases, the data left in non-present PTEs is essentially random.”

    and

    “If the present bit in a given PTE is not set, the PFN number field of that PTE has no defined meaning and the CPU has no business trying to use it. So, naturally, Intel CPUs do exactly that during speculative execution (it would appear that Intel is the only vendor to make this particular mistake). ”

    It seems like two different assumptions made by Kernel & CPU designers to me rather than an outright mistake by Intel?

    1. Don’t worry, earlier generations have their own critical and unpatchable flaws. It’s about time we abandon this Jenga tower of mistakes and start anew without falling victim to the current networked fads.

  3. Microsoft’s post on this is pretty close to understandable if you want some idea what’s up. Also it’s NOT reliant on SGX, it just can effect it. In general it can read physical addresses from userspace or host addresses from a VM if they happen to be around still but invalid in cache.

  4. Couple years ago I was like, OMG, NSA has some super secret super complex 0-days and backdoors, they can get into everything… nowadays it’s like, meh, every wifi and every cpu is super vulnerable and the details how to do an attack are all out there, so near everybody can get into everything… but, y’know, what else is on?

    1. I know it is a rhetoric question, but that has not stopped me before: Seems like someone recently accessed the PLCs controlling the pumps for drinking water in most of Ukraine. If you can pump sewer water into the drinking water for a whole nation you have a weapon more devastating than nukes.

      It is becoming obvious that people will have to die before computer security really is taken seriously.

      1. On the one side, we have people creating and selling ever newer and more complicated “solutions”. In the middle, the people who are in charge, but don’t have a clue about how the tech’s supposed to work.

        There should be somebody on the other side. Advocating that organisations stay the fuck away from computers, that they keep things simple, that they don’t connect something important to the Internet without a very good reason.

        Of course the people who sell all this crap use their money, in some countries, to lobby the decision-makers. Which should more honestly be called “bribery and corruption”. But because nobody makes much money out of “just keep the old mechanical system”, nobody really argues for it.

        I suppose the summary is that capitalism can’t even HELP destroying democracy and generally fucking things up for the people.

  5. The thing I think is cool.
    To start off with, How many transistors are in any CPU?
    Now for a bit there are GPUs in the mix as well.
    Now how many transistors are in the package.
    Comparing this to a large city like New York. I think a CPU package has 1 to 10 of these cities in them.
    If not more.

    And think it works. Not perfectly, But it works.

    1. Euhm,
      I think your estimate is about 2 orders orders of magnitude to low.

      But some people have slightly more value than a transistor, and I do not know how you want to factor that in.

      1. Yes but some have orders of magnitude less value. Take for example pretty much every one that ever gets elected to our state or national governments… It all balances out really.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.