A group of researchers from the Graz University of Technology in Austria and the Helmholtz Center for Information Security (CISPA), have identified a new Foreshadow attack vector (L1TF), which allows you to extract data from the memory of Intel SGX enclaves, SMMs, operating system kernel memory areas, and virtual machines in virtualization systems.
Unlike the original Foreshadow attack, The new variant is not specific to Intel processors and affects CPUs from other manufacturers such as ARM, IBM and AMD. Also, the new option does not require high performance and the attack can be carried out even by running JavaScript and WebAssembly in a web browser.
Foreshadow takes advantage of the fact that when memory is accessed at a virtual address, which generates an exception (terminal page failure), the processor speculatively calculates the physical address and loads the data if it is in the L1 cache.
Speculative access is done before the iteration is complete of the memory page table and regardless of the state of the memory page table (PTE) entry, that is, before verifying that the data is in physical memory and is readable.
After completing the memory availability check, in the absence of the indicator Present in the PTE, the operation is discarded, but the data is cached and can be retrieved using methods to determine cache content through side channels (by analyzing changes in access time to cached and non-cached data).
Researchers have shown which existing methods of protection against Foreshadow are ineffective and they are implemented with an incorrect interpretation of the problem.
The Foreshadow vulnerability can be leveraged regardless of the use of protection mechanisms in the kernel that were previously considered sufficient.
As a result, The researchers demonstrated the possibility of performing a Foreshadow attack on systems with relatively old kernels, in which all available Foreshadow protection modes are enabled, as well as with newer kernels, in which only Specter-v2 protection is disabled (using the nospectre_v2 Linux kernel option).
The prefetch effect has been found to be unrelated to software prefetch instructions or hardware prefetch effect during memory access, but rather arises from speculative dereference of user space registers in the kernel.
This misinterpretation of the cause of the vulnerability initially led to the assumption that data leakage in Foreshadow can only occur through the L1 cache, while the presence of certain code snippets (prefetch devices) in the kernel it can contribute to data leakage out of the L1 cache, for example in L3 Cache.
The revealed feature also opens up opportunities to create new attacks. intended to translate virtual addresses to physical addresses in sandbox environments and determine addresses and data stored in CPU registers.
As demos, the researchers showed the ability to use the revealed effect to extract data from one process to another with a throughput of approximately 10 bits per second on a system with an Intel Core i7-6500U CPU.
The possibility of filtering the content of the records is also shown from the Intel SGX enclave (it took 15 minutes to determine a 32-bit value written to a 64-bit register).
To block Foreshadow's attack via L3 cache, the Specter-BTB protection method (Branch Target Buffer) implemented in the retpoline patch set is effective.
Therefore, researchers believe it is necessary to leave retpoline enabled even on systems with newer CPUs, which already have protection against known vulnerabilities in the speculative execution mechanism of CPU instructions.
For its part, Intel representatives said they do not plan to add additional protection measures against Foreshadow to the processors and consider it sufficient to enable protection against Specter V2 and L1TF (Foreshadow) attacks.
Source: https://arxiv.org