Foreshadow, Another Echo Of Spectre
A new duo of exploits, collectively called Foreshadow-NG, was confirmed by Intel on August 14th. In the same family as Spectre, and related to an exploit first reported in January 2018, this new generation allows unauthorized access to the L1 data cache inside a processor core. The L1 data cache is considered privileged and holds information belonging to the operating system, drivers, userland applications, virtualized resources, and other data kept in the processor core. All an attacker needs is the ability to run code on the machine, without root privileges.
Privilege Escalation Via Key Siphoning
One particularly concerning piece of privileged information that can be read with these attacks is a cryptographic key called the attestation key. This key is used to generate the signatures behind Intel’s Secure Guard Extensions (SGX) integrity checks. With a valid attestation key, an attacker can produce SGX signatures that appear valid but are not. It gets better (read: worse): because it is difficult to know the source of a signed attestation key, the compromise of one key in an ecosystem can in turn allow the compromise of multiple machines.
While the attack itself is fairly technical and requires certain conditions to be met before it can be executed, the impact on confidentiality and the absence of any authentication requirement make this a particularly noteworthy and concerning exploit. An excellent write-up with more links can be found at CVE Details.
Speculative execution is a strategy modern processors use to optimize performance in a multi-core environment. By performing calculations on underutilized cores ahead of their possible use, the processor parallelizes its work better, even if some of that work is never used. The calculated results are stored in the L1 cache in case they are needed. Breaking the isolation of that cache allows an attacker to read its contents.
A Fix Is Out, But Don’t Think It’s Over
Intel has released updates to affected processors and is working with vendors to get the fixes deployed. However, due to the complicated nature of speculative execution and modern processor design, don’t expect this to be the last echo of Spectre.
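One check a defender can run after those updates land, as an added example that is not part of the original article: it reads the mitigation status the Linux kernel reports under /sys/devices/system/cpu/vulnerabilities/ (the kernel names Foreshadow "l1tf"; the path and the wording of the status strings are assumed from that interface) and flags hosts that are still exposed.

```shell
#!/bin/sh
# Added example, not from the original article. Classifies the Linux kernel's
# reported mitigation status for Foreshadow (kernel name: l1tf) and for the
# two Spectre variants. Directory assumed from the kernel's sysfs interface.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STRING
# Prints one of: not-affected | mitigated | partial | vulnerable | unknown.
# "partial" covers an L1TF mitigation that still reports SMT as vulnerable,
# which matters for hosts running untrusted virtual machines.
classify_status() {
    case "$1" in
        "Not affected"*)                  echo not-affected ;;
        Mitigation:*"SMT vulnerable"*)    echo partial ;;
        Mitigation:*)                     echo mitigated ;;
        Vulnerable*)                      echo vulnerable ;;
        *)                                echo unknown ;;
    esac
}

# read_status NAME -> classification for one sysfs entry (unknown if missing,
# e.g. a kernel that predates the patches and cannot report anything).
read_status() {
    f="$VULN_DIR/$1"
    if [ -r "$f" ]; then
        classify_status "$(cat "$f")"
    else
        echo unknown
    fi
}

# check_host: print a status line per entry; return 1 if any entry is not
# fully mitigated, so the script can be wired into a fleet-wide audit.
check_host() {
    rc=0
    for v in l1tf spectre_v1 spectre_v2; do
        s=$(read_status "$v")
        printf '%-12s %s\n' "$v" "$s"
        case "$s" in vulnerable|partial|unknown) rc=1 ;; esac
    done
    return $rc
}

# Only audit the live host when explicitly asked: ./check.sh --run
case "${1:-}" in --run) check_host ;; esac
```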