Video: Intel's patches for Spectre variant 4 will slow your CPU
Spectre and Meltdown are more than a new class of security holes. They're deeply embedded in the fundamental design of recent generations of CPUs. So it shouldn't come as any surprise that yet another major Intel chip security problem has been discovered: Foreshadow.
According to the researchers who found it, "Foreshadow is a speculative execution attack on Intel processors which allows an attacker to steal sensitive information stored inside personal computers or third party clouds. Foreshadow has two versions, the original attack designed to extract data from Software Guard Extensions (SGX) enclaves and a Next-Generation version which affects Virtual Machines (VMs), hypervisors (VMM), operating system (OS) kernel memory, and System Management Mode (SMM) memory."
In a word, this means: "Trouble." Ironically, SGX protected code and data from disclosure, modification, or attack.
So, how bad is this really? Bad. Intel admits the Foreshadow bugs can be used to create:
- Malicious applications, which may be able to infer data in the operating system memory, or data from other applications.
- A malicious guest virtual machine (VM) may infer data in the VM's memory, or data in the memory of other guest VMs.
- Malicious software running outside of SMM may infer data in SMM memory.
- Malicious software running outside of an Intel SGX enclave or within an enclave may infer data from within another Intel SGX enclave.
Or, as Yuval Yarom, a research associate at the University of Adelaide, one of the researchers who discovered Foreshadow, tweeted, the SGX security hole can lead to a "Complete collapse of the SGX ecosystem."
Jon Masters, Red Hat ARM Computer Architect, added that Foreshadow "is a significant threat to virtualized environments, especially those that contain a mixture of trusted and untrusted virtual machines."
Intel was notified of the first bug on Jan. 3, 2018. Intel then identified two closely related variants, Foreshadow-Next Generation (NG). Intel calls this entire new class of speculative execution side channel vulnerabilities "L1 Terminal Fault" (L1TF).
This all springs from Intel's desire to make chips run effectively faster. To do this, Intel, along with ARM and AMD, use a mix of pipelining, out-of-order execution, branch prediction, and speculative execution to run the next branch of a program before it's called on. This way, no time is wasted if your application goes down that path. Unfortunately, chip makers' performance implementations came with fundamental security flaws.
According to Intel, to exploit Foreshadow, the attacker must have the ability to run code on the targeted systems. Nevertheless, CVE-2018-3615, which hits at SGX, has a Common Vulnerability Scoring System (CVSS) Base Score of 7.9 that is ranked as highly dangerous. The other holes include CVE-2018-3620, which impacts operating systems and System Management Mode (SMM) running on Intel processors has a CVSS of 7.1, and CVE-2018-3646, which impacts virtualization software and Virtual Machine Monitors (VMM) running on Intel processors and has a CVSS of 7.1. All these scores are high enough that they demand you must patch these holes as soon as possible.
The good news is, Intel's Leslie Culbertson, Intel VP and general manager of Product Assurance and Security, has said, "I will address the mitigation question right up front: Microcode updates (MCUs) we released earlier this year are an important component of the mitigation strategy for all three applications of L1TF."
But, and it's a big one, the microcode update by itself isn't enough. You must also update your operating system and VM hypervisor to be safe. The patches are now available for most operating systems.
Intel claims that for the most part you won't see performance problems from these fixes... for the most part. If, however, you're running VMs without the fixes, on top of platforms with the patches, you will see some slowdowns. This is, also as Masters pointed out, where Foreshadow is the most dangerous.
On the plus side, no one's seen an attack in the wild... yet.
Red Hat strongly recommends to mitigate the problem, you manually enable Linux specific kernel parameters or potentially disabling features like Intel hyperthreading, after the available updates have been applied.
That's drastic. Oracle's directory of security assurance, Eric Maurice, warns disabling hyperthreading alone is insufficient for mitigating all Foreshadow vulnerabilities, while simultaneously disabling HT will result in significant performance degradation.
Also: Security pros: Get ready to patch for 8 new Spectre holes TechRepublic
On a cloud or datacenter with multiple unpatched VMs -- which is pretty much all of them today -- you could have malicious VMs spying on information inside another VM. That's both a technology and legal nightmare scenario. Therefore, performance hit and all, you may want to consider disabling hyperthreading.
The real fix to all these problems, Intel admits, is by replacing today's processors. "These changes begin with our next-generation Intel Xeon Scalable processors (code-named Cascade Lake), as well as new client processors expected to launch later this year."
In the meantime, keep patching and keep a close eye on the balance between security and performance. We're far from done yet with the Spectre, Meltdown, and Foreshadow class of problems.