Open in app

Sign in

Write

Sign in

Investigating the security impact of Foreshadow/L1TF

Chu Ka-cheong @ Niomon
Niomon Engineering
Published in
7 min readAug 26, 2018

By harrier

This article is a write-up on the Foreshadow attack from the Foreshadow research team and Intel. If there are any mistakes or clarification, please contact me at harrier@blocksq.com

Introduction

Foreshadow (CVE-2018–3615), an Intel SGX hardware level side-channel attack, is recently being responsibly disclosed by two international research teams. It was referred by Intel as L1 Terminal Fault (L1TF) and have multiple variants for attacking OS kernel (CVE-2018–3620) and virtual machines (CVE-2018–3646).

Security vulnerabilities mostly focus on software level security, for example on memory safeness (such as stack and heap exploits), protocols (such as misuse / incorrect implementation of cryptographic protocols), or logic bugs. Some focus on OS level security, such as kernel exploits. However, Foreshadow and the previous Meltdown/Spectre attacks put more emphasis on hardware/CPU level security, using CPU caching mechanism as a side-channel to retrieve SGX data.

As Trusted Execution Environment (TEE) is one of our important technology stack, we took a step to technically analyze the impact of Foreshadow on SGX.

What is Intel SGX?

Intel SGX is the Intel’s approach for TEE. It defines a trust boundary, which includes only the trusted component (the CPU itself), and isolated execution compartments (enclave). All the data in the enclave can only be seen within the trust boundary, and otherwise encrypted in the memory. Therefore, the data cannot be seen by any application, including privileged application and system code.

Moreover, SGX provided local/remote attestation, which allows users to cryptographically verify the integrity of currently running enclave.

With the features that SGX provides, even an attacker gets control of the computer (root privilege in kernel or even lower level privilege like System Management Mode), he (in theory) cannot retrieve any data within the enclave.

Currently, SGX can be used in applications that have a higher level of privacy and secrecy requirements such as cryptocurrency wallets and messaging application like Signal or in Digital Rights Management (DRM).

Background

Foreshadow enables attackers to retrieve data in hardware level by means of side-channel attack. With Foreshadow, attackers can exploit the out-of-order execution feature of Intel CPU and use the FLUSH+RELOAD side-channel technique to get any data in the enclave that lies in the L1D cache.

What Foreshadow use mainly inherits from the Meltdown attack, but exploited on a few CPU mechanisms to make the attack works for SGX.

Meltdown

Meltdown is a hardware-based vulnerability that let an unprivileged attacker to read arbitrary memory, including kernel data. They exploited out-of-order execution and FLUSH+RELOAD to achieve universal memory read.

Out-of-order execution

Out-of-order execution is a mechanism of Intel CPU that increase its throughput. Some CPUs use in-order execution and instruction pipelining to implement instruction-level parallelism as shown in Figure 1. In this way, CPU could parallelize instructions to increase throughput.

Figure 1. Instruction pipelining (from Wikipedia)

However, modern CPUs use out-of-order execution (Figure 2) to improve throughput further.

Figure 2. Out-of-order execution (from Meltdown Paper)

In out-of-order execution, CPU could maximize utilization by reordering instruction for different execution units to work. This way, parallelism level could be increased by increasing execution units, as the instructions execute out of order.

However, this out-of-order execution property gives researchers a new idea. What if we can exploit that and change the microarchitectural states by putting malicious and state-dependent instruction after fault instruction?

For instance, consider the following pseudocode executed in an unprivileged environment:

t = *kernel_addr;
array[t*0x1000] = 0;

As the CPU executes instructions out-of-order, the two lines will be executed at (almost) same time. However, as kernel memory is privileged, dereferencing it in the first instruction will fail and issue a page fault. Meanwhile, the transient second instruction is already executed. Although the execution result is reverted afterward, the address of array[t*0x1000]is already fetched in the cache. The attacker successfully abused the out-of-order execution to change the microarchitectural states.

How is this information retrieved? This would require another technique used in caching side-channel attack — FLUSH+RELOAD.

FLUSH+RELOAD

FLUSH+RELOAD is a time/cache-based side-channel attack. The idea behind this attack is to measure the time difference of accessing the memory probe.

Using the previous example, the attacker initially does clflush on the probe array, then execute the instructions. As the content of array[t*0x1000] is loaded into cache, the memory access time of it will be significantly sped up, as other memory is flushed and do not exist in the cache. By this method, one byte in kernel space is read through this side-channel.

Foreshadow

The research team of Foreshadow tried to use the same bug in out-of-order execution to attack SGX enclaves. However, things aren’t that simple as applying Meltdown to SGX.

First, SGX enforces abort page semantics, so that reading enclaved memory returns 0xFF instead of page faults. With this mechanism, the memory read in variable t (from the code above) will read 0xFF only, failing the attack.

Foreshadow solved this by exploiting the mprotect system call to revoke access to the page where enclaved memory lies in. With that, before aborting page semantics, the memory access will issue a page fault at page walk phase, making the attack works.

Figure 3. Using mprotect to trigger page fault (from Foreshadow Blackhat USA presentation)

The second issue is, in SGX, transient out-of-order execution only works in the L1 data cache (L1D). This is also the reason of Intel calling this bug as the L1 terminal fault (L1TF).

However, SGX data do not always stay in L1D. The research team described a few methods to improve, with optimization techniques for privileged attackers to improve the attack, such as abusing the Intel Hyper-Threading (HT) technology to allow sibling logical core (thread) to read data without interrupt. This is possible as two logical cores within a physical core share the same L1D.

There is even a variant to read the uncached secret, by abusing the elduinstruction to load the enclaved page in L1D.

Breaking SGX Attestation with Foreshadow

In the original SGX design, SGX could use the attestation feature to cryptographically verify the integrity of the enclave code.

Figure 4. Genuine attestation flow (from Foreshadow Blackhat USA presentation)

However, as Foreshadow could allow read arbitrary data inside an enclave, attackers can extract the key from the quoting enclave, thus forging Intel signature and completely break down the SGX attestation mechanism.

Figure 5. Bogus attestation flow (from Forshadow Blackhat USA presentation)

Therefore, this could make any system relying on SGX attestation insecure, as a remote attacker could run arbitrary code in an enclave, and forging signatures to pass remote attestation.

Security Impacts of Foreshadow

Foreshadow completely break the trust mechanism of SGX based on the attestation. Any local attestation on unpatched system is untrusted, and any remote attestation from those affected CPU is untrusted after the release of Foreshadow. This is because of the platform attestation key can be extract by Foreshadow attacker, which allow the attacker to forge remote attestation from the affected CPU.

Moreover, any secrets inside can be seen by local attackers, who do not need to be privileged.

Mitigation

A complete fix would require mitigating the three attack surfaces, with fixing any of the surfaces would mitigate Foreshadow, but likely to induce other security vulnerabilities.

First, CPU-level changes must be done to completely mitigate the Meltdown attack. As Meltdown abuses out-of-order execution of unauthorized data, changes in microarchitectural designs are required.

Secondly, L1D must be flushed on enclave exit, to prevent interrupt-based Foreshadow attack. This can be done by microcode updates and also kernel-level update.

Finally, as Intel HT can be used to attack neighbor logical core enclave, Intel HT feature is advised to be switched off to mitigate this attack surface.

Microcode updates and kernel update is available already for major kernels. Users are advised to update their system as soon as possible to mitigate impacts on SGX.

We hope Intel could fix the CPU-level changes in near-future and re-enable SGX to be a common TEE implementation to use in secure software.

Reference

This article is a write-up on the Foreshadow attack from the Foreshadow research team and Intel. All research credits to the Foreshadow research team and Intel.

Here is a list providing all the reference, and viewers can find more technical details about the attack in the following.

Foreshadow Attack Website
Foreshadow Paper
Foreshadow-NG Paper (Variants of Foreshadow)
Foreshadow USENIX presentation
Meltdown Website
Meltdown Paper
Meltdown Blackhat USA Presentation
Meltdown (Google Project Zero)
FLUSH+RELOAD Paper
VU#982149
Intel L1TF

Security
Sgx
Foreshadow
Meltdown
Spectre

--

--

Chu Ka-cheong @ Niomon
Niomon Engineering

Written by Chu Ka-cheong @ Niomon

13 Followers
Editor for

Chief Software Architect of Niomon

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams