A Foreshadow of security: What you need to know about new Intel chip flaws

15 Aug 2018

Image: PongMoji/Shutterstock

Researchers have revealed Foreshadow or L1TF, a set of vulnerabilities in secure enclaves on Intel processors.

A new vulnerability codenamed Foreshadow has been discovered in Intel processors.

The vulnerability can be exploited to read data from the chip giant’s security guard extensions (SGX) technology while variants can break protections that run on operating systems and in virtual machines in data centres.

Foreshadow is the third major vulnerability discovered in the past year and builds on research related to the Meltdown and Spectre flaws revealed earlier this year.

What is Foreshadow?

Also known as L1 Terminal Fault (L1TF), the vulnerability selects processors that support Intel’s SGX technology and can be used to impact operating systems, system management mode and virtualisation software.

The vulnerability affects Intel’s commonly used Core and Xeon processors.

It was first reported earlier in the summer to Intel by researchers at KU Leuven University, Israel Institute of Technology, the University of Michigan, the University of Adelaide and Data61.

Further research by Intel’s security team identified a number of applications of L1TF that could impact other processors, operating systems and virtualisation software.

These have been assigned CVE-2018-3615 (for SGX), CVE-2018-3620 (for operating systems) and CVE-2018-3646 (for virtualisation).

Have systems been hacked as a result?

Highly unlikely at this point. Intel is basically saying that a flaw has been brought to its attention. It is saying that it has been dealt with and that software companies have begun rolling out patches so CIOs and IT managers can shore up their defences before hackers prey on systems.

Intel said that the vulnerabilities were mitigated by May/June microcode fixes while cloud giants including Amazon, Microsoft, Google, VMware and Red Hat, to name a few, have begun issuing patches for the vulnerability from today (15 August).

“We are not aware of reports that any of these methods have been used in real-world exploits, but this further underscores the need for everyone to adhere to security best practices,” Intel said in a blogpost.

“This includes keeping systems up to date and taking steps to prevent malware.”

What is SGX technology?

Intel’s SGX technology creates virtual fortresses to protect your data inside systems. Each enclave is designed to be protected from attacks from malware, and up to now have been deemed the ideal way to protect sensitive information such as credit card details within computers.

However, the latest vulnerability means that these virtual fortresses are not as impenetrable as previously thought.

Through a process called speculative execution – a performance-boosting feature found on most chips – security researchers discovered a way to bypass the safeguards and create a shadow copy of an SGX enclave in an unprotected area of the computer’s processor, rendering the virtual fortress’ defences useless.

What’s the worst that can happen?

Once these vulnerabilities are made public, it is usually a race against time before hackers figure out how to exploit vulnerabilities such as Foreshadow or Meltdown and Spectre.

If CIOs and IT managers don’t patch their systems, then it is only a matter of time before hackers armed with what they know now can start to probe computers for unprotected enclaves or data fortresses. This can range from personal computers right up to virtualised computers stored inside data centres.

“Directly exploiting these vulnerabilities requires control of hardware resources that are accessible only with operating system-level control of the underlying physical or virtual processors,” Google Cloud said in a blog.

“Unpatched operating systems may also permit indirect exploitation, dependent on their handling of operations that manipulate memory mappings.

“We have deployed mitigations to Google’s infrastructure, including the infrastructure that underpins Google Cloud, which prevents the creation of vulnerable page-table entries within our host OS,” Google said.

What were Meltdown and Spectre?

Meltdown concerned laptops, desktop computers and internet servers that have Intel chips, and could have allowed a rogue program to access the memory and other secrets of programs and the operating system contained in the central processing unit (CPU).

Spectre was an exploit that broke the isolation between different applications on chips from Intel, AMD and ARM, potentially allowing hackers to ‘trick’ error-free programs that normally follow best practices into ‘leaking’ their secrets.

Discovered by Google’s Project Zero team in 2017, the tech industry performed a coordinated response to the Meltdown and Spectre vulnerabilities in January of this year.

If systems are updated, will performance be affected?

Yes and no. According to Leslie Culbertson, general manager of product assurance and security at Intel, most systems should be fine but extra precautions might be required at data centre level.

“Once systems are updated, we expect the risk to consumer and enterprise users running non-virtualised operating systems will be low. This includes most of the data centre installed base and the vast majority of PC clients. In these cases, we haven’t seen any meaningful performance impact from the above mitigations based on the benchmarks we’ve run on our test systems.

“There is a portion of the market – specifically a subset of those running traditional virtualisation technology, and primarily in the data centre – where it may be advisable that customers or partners take additional steps to protect their systems.

“This is principally to safeguard against situations where the IT administrator or cloud provider cannot guarantee that all virtualised operating systems have been updated.

“These actions may include enabling specific hypervisor core scheduling features or choosing not to use hyper-threading in some specific scenarios. While these additional steps might be applicable to a relatively small portion of the market, we think it’s important to provide solutions for all our customers.”

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years