Intel SGX Breached by New Speculative Execution Exploit

/ 6 years ago

Intel SGX Foreshadow

Foreshadow Hits Secure SGX Secure Enclaves

With the release of Spectre and Meltdown, the floodgates have opened. Since the reveal of the two speculative exploits last year, more bugs have come out of the woodwork. One recent release was a variant of Spectre targettable over networks. Today, we have a new bug that hits Intel right in the jaw. Dubbed Foreshadow by researchers, the new exploit targets the supposedly secure SGX function on Intel CPUs.

SGX or Software Guard eXtensions is a new feature Intel introduced with Skylake and Kaby Lake. SGX allows the creation of Trusted Execution Environments or TEEs. These TTEs are created using SGX to create a secure enclave. Due to this secure enclave, blocks of memory or code is supposed to be protected from everything. Furthermore, this includes protection from a hostile kernel, hypervisor or operating system. Foreshadow circumvents this and ploughs right on through into the secure enclave. This feature is great for cloud virtual machines because it protects against hostile hosts and neighbours.

Intel Microcode Fix Mostly Patches the Exploit

Foreshadow works in a similar fashion to Meltdown. In fact, it builds on the speculative nature of the original attack. Normally, SGX protects the enclave data with encryption. However, the CPU decrypts protected data in the L1 cache. Once there, Intel CPUs do not perform any further protection checks. This allows the attacker to exploit the speculative execution behaviour of the CPU, like in Meltdown to read the data. The attacker can also create malicious enclaves to more easily attack other enclaves on the same core. This only works on CPUs with Hyper-Threading since they share the same logical core. All said and done though, SGX still makes the attacker’s job more difficult as Intel wants it to do.

Luckily for users, Intel has already rolled out a fix. Updated microcode has been provided to change CPU SGX function. After using the data, the CPU will flush the L1 Data cache immediately. Unfortunately, this does not fully fix the flaw with Hyper-Threading. This is because the 2 enclaves on each virtual core share the L1. This is problematic for cloud servers which now have to worry about shared Hyper-Threaded cores. Finally, Intel plans to provide a hardware fix to this issue in Cascade Lake. Given the state of things though, only more attacks are likely to come out in the meanwhile.

Topics: , , , ,


By supporting eTeknix, you help us grow and continue to bring you the latest newsreviews, and competitions. Follow us on FacebookTwitter and Instagram to keep up with the latest technology news, reviews and more. Share your favourite articles, chat with the team and more. Also check out eTeknix YouTube, where you'll find our latest video reviews, event coverage and features in 4K!

Looking for more exciting features on the latest technology? Check out our What We Know So Far section or our Fun Reads for some interesting original features.

eTeknix Facebook eTeknix Twitter eTeknix Instagram eTeknix Instagram
  • Be Social With eTeknix

    Facebook Twitter YouTube Instagram Reddit RSS Discord Patreon TikTok Twitch
  • Features

Send this to a friend