Son Of Spectre: Intel Discloses Foreshadow Exploit Of Secure Enclave In Skylake And Kaby Lake CPUs
The exploit targets Intel's Software Guard Extensions (SGX). SGX lets an application run code and keep data inside an enclave, a region of memory that the processor encrypts and walls off so that even a compromised operating system or hypervisor cannot read it. That isolation held against the original Meltdown attack, which returns nothing useful when pointed at enclave memory, but Foreshadow gets around it by reading enclave data that is resident in the L1 data cache during speculative execution. Intel's name for the underlying flaw is L1 Terminal Fault (L1TF).
Intel describes the attack vector for Foreshadow, writing, "Accessing a logical or linear address that is not mapped to a physical location on the hardware will result in a terminal fault. Once the fault is triggered, there is a gap before resolution where the processor will use speculative execution to try to load data."
The speculatively loaded value is thrown away once the fault is handled, but any memory access that depended on it has already pulled a cache line in, and a timing side channel such as Flush+Reload can tell which line that was and so recover the data one byte at a time. The speculation window is short and exploiting it reliably takes real engineering, which is why Intel rates practical attacks as difficult. A successful attack, though, reads memory that should be out of reach; against SGX the researchers used it to extract enclave secrets, including the attestation keys on which the rest of the SGX trust model rests.
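The cache-timing side channel that the paragraph above describes, as an added example (this is not Intel's or the researchers' code). It implements Flush+Reload over a 256-page probe array: every candidate line is evicted, a "victim" access touches the line indexed by a secret byte, and timing each line again reveals which one came back fast. The assumption that keeps it self-contained is that the victim access is an ordinary load of a byte we choose, not the transient load after a terminal fault that Foreshadow uses; the rest of the channel is the same. It needs an x86 CPU for `rdtsc` and `clflush`; on other architectures `recover_secret_byte()` returns -1, and it also returns -1 when the timings are too noisy to separate hits from misses.

```c
/*
 * Added example (not Intel's or the researchers' code): the Flush+Reload
 * cache-timing channel that turns a transient load into a leak.  In
 * Foreshadow the load that fills the cache line is the one issued
 * speculatively after a terminal fault; here it is an ordinary load of a
 * secret byte we pick ourselves, so no fault is triggered (an assumption
 * made to keep the demo self-contained).  Needs an x86 CPU for
 * rdtsc/clflush; on other architectures recover_secret_byte() returns -1.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LINE_STRIDE 4096   /* one page per byte value so the hardware prefetcher does not pull neighbours in */
#define TRIALS      64     /* repeat and vote: a single timing sample is noisy */

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>

static uint8_t probe[256 * LINE_STRIDE];   /* the array whose cache state carries the secret */

/* Cycles to load one byte.  The fences stop the CPU from hoisting the load past the timer reads. */
static uint64_t time_access(const uint8_t *p) {
    unsigned int aux;
    _mm_mfence();
    _mm_lfence();
    uint64_t start = __rdtsc();
    _mm_lfence();
    (void)*(volatile const uint8_t *)p;
    uint64_t end = __rdtscp(&aux);
    _mm_lfence();
    return end - start;
}

/* Learn this machine's hit/miss boundary instead of hard-coding a cycle count. */
static uint64_t calibrate_threshold(void) {
    uint64_t hit = 0, miss = 0;
    for (int i = 0; i < TRIALS; i++) {
        (void)*(volatile uint8_t *)probe;   /* warm the line */
        hit  += time_access(probe);
        _mm_clflush(probe);                  /* evict it: the next access goes to memory */
        miss += time_access(probe);
    }
    hit /= TRIALS;
    miss /= TRIALS;
    return miss > hit ? hit + (miss - hit) / 2 : 0;   /* 0: timer cannot separate the cases */
}

/* Returns the recovered byte, or -1 if the channel gave no clear signal. */
static int recover_secret_byte(uint8_t secret) {
    memset(probe, 1, sizeof probe);   /* back every page with its own memory, not the shared zero page */
    uint64_t threshold = calibrate_threshold();
    if (threshold == 0) return -1;

    int votes[256] = {0};
    for (int t = 0; t < TRIALS; t++) {
        /* Flush: evict all 256 candidate lines so only the victim's access can re-fill one. */
        for (int v = 0; v < 256; v++) _mm_clflush(&probe[v * LINE_STRIDE]);
        _mm_mfence();
        /* Victim: the secret-dependent access.  In Foreshadow this is the transient load. */
        (void)*(volatile uint8_t *)&probe[secret * LINE_STRIDE];
        /* Reload: the one line that comes back fast names the byte.  Scrambled order defeats stride prefetching. */
        for (int v = 0; v < 256; v++) {
            int idx = (v * 167 + 13) & 255;
            if (time_access(&probe[idx * LINE_STRIDE]) < threshold) votes[idx]++;
        }
    }
    int best = 0;
    for (int v = 1; v < 256; v++) if (votes[v] > votes[best]) best = v;
    return votes[best] > TRIALS / 2 ? best : -1;   /* demand a majority before trusting the leak */
}
#else
static int recover_secret_byte(uint8_t secret) { (void)secret; return -1; }
#endif

int main(void) {
    int r = recover_secret_byte(0x41);
    if (r < 0) puts("no usable cache-timing channel on this machine");
    else printf("recovered 0x%02x from cache state alone\n", r);
    return 0;
}
```

The calibration step matters more than it looks: a fixed cycle threshold copied from a blog post will misclassify on a machine with a different memory latency or a virtualised time-stamp counter, and the attacker (or the person reproducing a finding) then sees noise rather than data. The majority vote is what makes a single recovered byte trustworthy; real attacks repeat the whole sequence for every byte of the target.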
Beyond the original SGX attack, a second set of findings, Foreshadow-NG (Next Generation), applies the same terminal-fault behaviour to memory belonging to virtual machine monitors and hypervisors, System Management Mode (SMM) and the OS kernel; the hypervisor case is the one cloud operators care most about, since a malicious guest can read data from the host or from other guests sharing the core. Intel tracks the three as CVE-2018-3615 (SGX), CVE-2018-3620 (OS kernel and SMM) and CVE-2018-3646 (virtual machines). The SGX variant has a CVSS base score of 7.9 and the OS/SMM and VMM variants 7.1; all three fall in the CVSS "High" band rather than the "Critical" one.
Researchers from imec-DistriNet at KU Leuven, Technion – Israel Institute of Technology, the University of Michigan, the University of Adelaide and CSIRO's Data61 are credited with reporting the vulnerabilities to Intel and helping to develop mitigations. The SGX attack needs an SGX-capable part, which means Skylake and later Core processors, Kaby Lake included; the OS kernel and hypervisor variants reach much further back across Intel's Core and Xeon lines. Intel says it is providing mitigations for existing processors as a combination of microcode updates and software patches: the microcode adds an L1D flush operation that a hypervisor invokes on every VM entry, and OS patches change how not-present page table entries are encoded so that a terminal fault can no longer point speculation at attacker-chosen physical memory. Hosts running untrusted guests also have to weigh disabling Hyper-Threading, because a guest on one sibling thread can still observe L1D contents loaded by the other even with the flush in place.
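A post-patch check for the mitigations described above, as an added example (not from Intel or this article). On Linux the kernel reports its L1TF state in `/sys/devices/system/cpu/vulnerabilities/l1tf` and the `flush_l1d` flag in `/proc/cpuinfo` shows whether the microcode that adds the VM-entry L1D flush is loaded. The classifier below follows the strings the kernel emits for that file ("Not affected", "Vulnerable", "Mitigation: PTE Inversion" optionally followed by a "VMX:" clause and an SMT status); the sample `/proc/cpuinfo` excerpt is constructed for the demo, and the `main()` reads the real sysfs file only if it exists.

```c
/*
 * Added example (not from Intel or the article): a post-patch check for the
 * L1TF mitigations on a Linux host.  l1tf_assess() classifies the line the
 * kernel writes to /sys/devices/system/cpu/vulnerabilities/l1tf, and
 * cpuinfo_has_flag() looks for the "flush_l1d" microcode flag in
 * /proc/cpuinfo text.  The sample cpuinfo excerpt below is constructed.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum l1tf_verdict {
    L1TF_NOT_AFFECTED,    /* CPU not on the affected list */
    L1TF_VULNERABLE,      /* affected CPU, no kernel mitigation at all */
    L1TF_HOST_ONLY,       /* PTE inversion in place, no VMX state reported (KVM not loaded) */
    L1TF_GUESTS_AT_RISK,  /* VM-entry L1D flush turned off: a guest can read host or other-guest data */
    L1TF_SMT_RISK,        /* flush on VM entry, but SMT on: a sibling thread can still observe L1D */
    L1TF_MITIGATED,       /* PTE inversion, VM-entry flush (or flush not needed), SMT off */
    L1TF_UNKNOWN
};

/* Classify one line of the l1tf sysfs file. */
static enum l1tf_verdict l1tf_assess(const char *line) {
    if (strncmp(line, "Not affected", 12) == 0) return L1TF_NOT_AFFECTED;
    if (strncmp(line, "Vulnerable", 10) == 0)   return L1TF_VULNERABLE;
    if (strncmp(line, "Mitigation: PTE Inversion", 25) != 0) return L1TF_UNKNOWN;

    const char *vmx = strstr(line, "VMX:");
    if (vmx == NULL) return L1TF_HOST_ONLY;
    if (strncmp(vmx, "VMX: vulnerable", 15) == 0) return L1TF_GUESTS_AT_RISK;  /* l1tf=off or vmentry_l1d_flush=never */
    if (strstr(vmx, "SMT vulnerable") != NULL)    return L1TF_SMT_RISK;
    return L1TF_MITIGATED;   /* "cache flushes", "conditional cache flushes", "flush not necessary", "EPT disabled" */
}

static const char *l1tf_describe(enum l1tf_verdict v) {
    switch (v) {
    case L1TF_NOT_AFFECTED:   return "not affected";
    case L1TF_VULNERABLE:     return "VULNERABLE: kernel has no L1TF mitigation";
    case L1TF_HOST_ONLY:      return "host mitigated (PTE inversion); no hypervisor state reported";
    case L1TF_GUESTS_AT_RISK: return "GUESTS AT RISK: VM-entry L1D flush is disabled";
    case L1TF_SMT_RISK:       return "guests at risk from sibling threads: disable SMT or pin trusted guests";
    case L1TF_MITIGATED:      return "mitigated for host and guests";
    default:                  return "unrecognised status line";
    }
}

/* Whole-word search for a flag in the "flags" line of /proc/cpuinfo text. */
static bool cpuinfo_has_flag(const char *cpuinfo, const char *flag) {
    size_t n = strlen(flag);
    for (const char *line = cpuinfo; line != NULL && *line != '\0'; ) {
        if (strncmp(line, "flags", 5) == 0) {
            const char *end = strchr(line, '\n');
            for (const char *p = line; (p = strstr(p, flag)) != NULL && (end == NULL || p < end); p += n) {
                bool left_ok  = p > line && (p[-1] == ' ' || p[-1] == ':' || p[-1] == '\t');
                bool right_ok = p[n] == ' ' || p[n] == '\n' || p[n] == '\0';
                if (left_ok && right_ok) return true;
            }
            return false;
        }
        line = strchr(line, '\n');
        if (line != NULL) line++;
    }
    return false;
}

/* Constructed /proc/cpuinfo excerpt for an SGX-capable part with the L1TF microcode applied. */
static const char sample_cpuinfo[] =
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep sgx ssbd ibrs ibpb stibp flush_l1d md_clear\n"
    "bugs\t\t: cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf\n";

int main(void) {
    char line[256] = "";
    FILE *f = fopen("/sys/devices/system/cpu/vulnerabilities/l1tf", "r");
    if (f != NULL && fgets(line, sizeof line, f) != NULL) {
        line[strcspn(line, "\n")] = '\0';
        printf("l1tf: \"%s\" -> %s\n", line, l1tf_describe(l1tf_assess(line)));
    } else {
        puts("no l1tf sysfs entry (kernel predates the L1TF patches, or not Linux)");
    }
    if (f != NULL) fclose(f);
    printf("sample cpuinfo has flush_l1d: %s\n", cpuinfo_has_flag(sample_cpuinfo, "flush_l1d") ? "yes" : "no");
    return 0;
}
```

The verdict worth acting on is `L1TF_SMT_RISK`: it is the default state on a patched host with Hyper-Threading left on, and it means the VM-entry flush protects against a guest that runs after another on the same core, but not against one running concurrently on the sibling thread. The `flush_l1d` flag is the other half of the check; without the microcode the kernel cannot flush L1D cheaply on VM entry and falls back to a slower software flush.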
Intel also says that its next Xeon Scalable processors (Cascade Lake) carry hardware-level protections against Foreshadow and the related Meltdown-class speculative-execution attacks, so those parts will not depend on the software mitigations and their performance cost for these variants. At the time of the disclosure Intel expected Cascade Lake-based Xeons to ship in late 2018.