Foreshadow
Breaking the Virtual Memory Abstraction with Transient
Out-of-Order Execution
Read the paper
Cite
Watch a demo
@inproceedings{vanbulck2018foreshadow,
author = {Van Bulck, Jo and Minkin, Marina and Weisse, Ofir and Genkin, Daniel and Kasikci, Baris and
Piessens, Frank and Silberstein, Mark and Wenisch, Thomas F. and Yarom, Yuval and Strackx, Raoul},
title = {Foreshadow: Extracting the Keys to the {Intel SGX} Kingdom with Transient Out-of-Order Execution},
booktitle = {Proceedings of the 27th {USENIX} Security Symposium},
year = {2018},
year = {2018},
month = {August},
publisher = {{USENIX} Association},
note={See also Technical Report Forshadow-NG~\cite{weisse2018forshadowNG}. \url{http://ForeshadowAttack.com}}
}
@article{weisse2018forshadowNG,
title={Foreshadow-NG: Breaking the Virtual Memory Abstraction with Transient Out-of-Order Execution},
author={Weisse, Ofir and Van Bulck, Jo and Minkin, Marina and Genkin, Daniel and Kasikci, Baris and
Piessens, Frank and Silberstein, Mark and Strackx, Raoul and Wenisch, Thomas F. and Yarom, Yuval},
journal={Technical Report},
year={2018},
note={See also USENIX Security paper Foreshadow~\cite{vanbulck2018foreshadow}. \url{http://ForeshadowAttack.com}}
}
Foreshadow is a speculative execution attack on Intel processors
which allows an attacker to steal sensitive information stored inside personal computers or third party
clouds. Foreshadow has two versions, the original attack designed to extract data from SGX enclaves and a Next-Generation version which affects
Virtual Machines (VMs), hypervisors (VMM), operating system (OS) kernel memory, and System Management Mode (SMM) memory.
At a high level, SGX
is a new feature in modern Intel CPUs which
allows computers to protect users’ data even if the entire system falls under
the attacker’s control. While it was previously believed that SGX is resilient
to speculative execution attacks (such as Meltdown and Spectre), Foreshadow
demonstrates how speculative execution can be exploited for reading the
contents of SGX-protected memory as well as extracting the machine’s private attestation key. Making things worse, due to SGX’s privacy features, an attestation report cannot be linked to the identity of its signer. Thus, it only takes a single compromised SGX machine to erode trust in the
entire SGX ecosystem.
Read the Original Foreshadow Paper
While investigating the vulnerability that causes Foreshadow, which
Intel refers to as "L1 Terminal Fault",
Intel identified two related
attacks, which we call Foreshadow-NG.
These attacks can potentially be used to read any
information residing in the L1 cache, including
information belonging to the System Management Mode (SMM), the
Operating System's Kernel, or Hypervisor. Perhaps most devastating, Foreshadow-NG might also be used to read information stored in other virtual machines running on the same third-party cloud, presenting a risk to cloud infrastructure. Finally, in some cases, Foreshadow-NG might bypass previous mitigations against speculative execution attacks, including countermeasures to Meltdown and Spectre.
Read the Foreshadow-NG Technical report
Who reported this vulnerability?
Foreshadow was independently and concurrently discovered by two teams:
- The KU Leuven authors discovered the vulnerability, independently
developed the attack, and first notified Intel on January 3, 2018.
Their work was done independently from and concurrently to other recent
x86 speculative execution vulnerabilities, notably Meltdown and
Spectre.
-
The authors from Technion, University of Michigan, the
University of Adelaide and CSIRO's Data61 independently discovered and reported the
vulnerability and associated attack to Intel during the embargo period on
January 23, 2018.
Following our discovery of Foreshadow (CVE-2018-3615), Intel identified two closely related variants, potentially affecting additional microprocessors, SMM code, Operating system and Hypervisor software. We collectively refer to these Intel-discovered variants as Foreshadow-NG (Next Generation, CVE-2018-3620 and CVE-2018-3646), whereas Intel refers to this entire class of speculative execution side channel vulnerabilities as “L1 Terminal Fault" (L1TF). More information on L1TF can be found here.
What technologies are affected by Foreshadow?
The researchers who discovered Foreshadow demonstrated the
vulnerability on SGX
enclaves, extracting any data protected via SGX secure memory.
What technologies are affected by Foreshadow-NG?
Foreshadow-NG can be used for extracting any information
residing in the L1 cache, including information belonging to the System Management
Mode (SMM), the
Operating System's (OS) Kernel, or other Virtual Machines (VMs) running on third-party clouds. More technically, Foreshadow-NG allows the following:
A user processes can potentially read kernel memory belonging to the OS.
A malicious guest VM (running on the cloud) can potentially read memory belonging to the VM's hypervisor or memory belonging to another guest VM running on the cloud.
A malicious OS to read memory protected by the SMM.
Where can I find more information about Foreshadow and Foreshadow-NG?
For more information about how the attack works see our academic paper.
Intel's security advisory and whitepaper, describing Foreshadow as 'L1 Terminal Fault', are also available. The Foreshadow / L1-terminal-fault attack were assigned the following CVE numbers:
CVE-2018-3615 for attacking SGX.
CVE-2018-3620 for attacking the OS Kernel and SMM mode.
CVE-2018-3646 for attacking virtual machines.
What is a virtual machine?
A
Virtual Machine is a software emulator of a physical computer. Virtual machines are often used in compute clouds (such as Amazon's AWS or Microsoft's Azure) where, instead of maintaining their own infrastructure, customers can pay for the time the cloud infrastructure spends on running the customer's machine (and the computations within it). As clouds typically run more than one virtual machine on the same physical hardware, it is important that the cloud's Virtual Machine Manager (VMM) or hypervisor prevents information leakage across VM boundaries by ensuring complete isolation between two virtual machines and between the virtual machines and the hypervisor.
So how does Foreshadow-NG affect VMs?
Foreshadow-NG breaks the above mentioned isolation. Thus, a malicious virtual machine running inside the cloud can potentially read data belonging to other virtual machines as well as data belonging to the cloud's hypervisor.
What is an operating system kernel?
The operating
system kernel is the core of the operating system, and is
responsible for managing most of the operations that a computer performs.
In particular, the kernel manages the computer's memory and CPU time as
well as ensures isolation between two programs running on the same
computer. Given its important role, the kernel has access to all the data
stored in the computer's memory, including data belonging to other
programs.
So how does Foreshadow-NG affect the kernel?
Using Foreshadow-NG, a malicious program running on the computer might be able to read some parts of the kernel's data. As the kernel has access to data stored by other programs, a malicious program might be able
to exploit Foreshadow-NG to access data belonging to other programs.
What is Intel SGX?
Intel Software Guard eXtensions (SGX)
is a Trusted Execution Environment
(TEE) that enables secure program execution in untrusted environments. The program
and the data it operates on, are placed inside a secure enclave. There they are protected from modification or inspection, even
in the presence of a highly-privileged adversary corrupting the operating system, hypervisor, or firmware (BIOS). SGX also provides a remote attestation protocol that allows software to prove to a remote party that it is running on a genuine SGX-enabled Intel processor, as opposed to a (potentially malicious) simulator.
Was the confidentiality of SGX enclaves affected by Foreshadow?
Yes. Foreshadow enables an attacker to read the entire SGX enclave's memory contents.
This includes architectural enclaves provided
by Intel such as the Quoting and Launch Enclaves.
Was the remote attestation protocol affected by Foreshadow?
Yes. Using Foreshadow we have successfully extracted the attestation keys, used by the Intel
Quoting Enclave to vouch for the authenticity of enclaves. As a result, we
were able to generate "valid" attestation quotes. Using these counterfeit quotes,
successfully "proved" to a remote party that a "genuine" enclave was running while, in fact,
the code was running outside of SGX, under our complete control.
Is SGX long-term storage affected by Foreshadow?
Yes. As Foreshadow enables an attacker to extract SGX sealing keys, previously sealed data can be modified and re-sealed. With the extracted sealing key, an attacker can trivially calculate a valid Message Authentication Code (MAC), thus depriving the data owner from the ability to detect the modification.
Can I detect if someone has exploited Foreshadow to read my data?
Not likely. Foreshadow does not leave traces in typical log files.
While installing a new (malicious) driver may leave traces in the system log,
the attacker can probably alter the log buffer, since she has root privileges.
A kernel-level attacker using a Foreshadow attack may apply tricks to significantly increase her chances of success.
While installing a new (malicious) driver may leave traces in the system log,
such a privileged attacker can probably alter the log afterwards.
What about other processors (AMD/ARM)?
The original Foreshadow attack affects most SGX-enabled Intel processors. As SGX is currently
present only in Intel CPUs, we are unaware of Foreshadow affecting other CPU
vendors. To the best of our understanding, Foreshadow-NG only affects Intel processors. However, we are still working to better understand the implications of Foreshadow-NG and this answer might change as the situation develops.
Did you release the source code of your exploits?
As to allow for additional time for system updates, we will not release a
proof-of-concept at this time. Proof-of-concept code might be released at a
later time.
Are there mitigations against Foreshadow?
Foreshadow and Foreshadow-NG require mitigations at the both software and microcode level. This includes updates to most operating systems, hypervisors as well as CPU microcode updates. See
Intel's security advisory and our technical report for additional details.
Have you evaluated any software or microcode updates?
We are currently still evaluating microcode and software patches but have not discovered any vulnerabilities. For technical experts, our technical report discusses our view on these mitigations in more detail.
Do Spectre and Meltdown mitigations such as Retpoline,
KPTI,
IBRS,
STIBP, or
IBPB
mitigate Foreshadow?
No. The mitigations against Meltdown and Spectre are not effective against Foreshadow and Foreshadow-NG.
How is Foreshadow different from Meltdown?
Foreshadow is different from Meltdown as it targets virtual machines and SGX in addition to data stored in the operating system's kernel (which was targeted by Meltdown). While harder to exploit, Foreshadow is effective against systems deploying Kernel Page Table Isolation (KPTI), which stops Meltdown attacks.
How is Foreshadow different from prior Spectre-like attacks on SGX?
Concurrent speculative execution attacks on SGX, e.g., SGXPectre,
rely on the code of the affected enclave to contain gadgets vulnerable to
Spectre. Thus, such attacks can be theoretically mitigated
by removing these gadgets from the affected enclave. In contrast, Foreshadow
extracts enclave memory without relying on any code vulnerability in
the victim enclave or even without requiring the affected enclave to execute.
As such, Foreshadow can be used even in the case where the code of the affected
enclave is "perfect", i.e., does not contain any side-channel vulnerability.
What CPUs are affected by Foreshadow and Foreshadow-NG?
Intel confirmed that Foreshadow affects all SGX-enabled Core processors
(Skylake and Kaby Lake), while Atom family processors with SGX support
remain unaffected. Intel confirmed that Foreshadow-NG affects the following processes:
Intel Core™ i3/i5/i7/M processor (45nm and 32nm)
2nd/3rd/4th/5th/6th/7th/8th generation Intel Core processors
Intel Core X-series Processor Family for Intel X99 and X299 platforms
Intel Xeon processor 3400/3600/5500/5600/6500/7500 series
Intel Xeon Processor E3 v1/v2/v3/v4/v5/v6 Family
Intel® Xeon® Processor E5 v1/v2/v3/v4 Family
Intel® Xeon® Processor E7 v1/v2/v3/v4 Family
Intel® Xeon® Processor Scalable Family
Intel® Xeon® Processor D (1500, 2100)
See
Intel's security advisory for additional details.
Why is it called Foreshadow?
In literature, "foreshadowing"
is used to indicate a trick where a writer provides a subtle hint of
what is to come later in the story. Analogous to how a good story teller
tries to keep the outcome of the story (mostly) secret, the speculative
execution mechanisms found in modern processors, do not directly
leak secrets. In the storytelling analogy,
the Foreshadow attack shows, however, that
clever adversaries can abuse subtle hints in the present to reconstruct
secrets from future instructions.
Can I use the logo?
The logo is free to use, rights waived via CC0.
Logos are designed by Natascha Eibl.
This research was partially supported by the
Research Fund KU Leuven, the Technion Hiroshi
Fujiwara cyber security research center, the Israel cyber bureau, by
NSF awards #1514261 and #1652259, the financial assistance award
70NANB15H328 from the U.S. Department of Commerce, National
Institute of Standards and Technology, the 2017-2018 Rothschild
Postdoctoral Fellowship, and the Defense Advanced Research
Project Agency (DARPA) under Contract #FA8650-16-C-7622.
Jo Van Bulck and Raoul Strackx are supported by
a grant of the Research Foundation - Flanders (FWO).
