Foreshadow, also known as L1 Terminal Fault, is another problem with speculative execution in Intel’s processors. It lets malicious software break into secure areas that even the Spectre and Meltdown flaws couldn’t crack.
What is Foreshadow?
Specifically, Foreshadow attacks Intel’s Software Guard Extensions (SGX) feature. This is built into Intel chips to let programs create secure “enclaves” that can’t be accessed, even by other programs on the computer. Even if malware were on the computer, it couldn’t access the secure enclave—in theory. When Spectre and Meltdown were announced, security researchers found that SGX-protected memory was mostly immune to Spectre and Meltdown attacks.
There are also two related attacks, which the security researchers are calling “Foreshadow – Next Generation,” or Foreshadow-NG. These allow access to information in System Management Mode (SMM), the operating system kernel, or a virtual machine hypervisor. In theory, code running in one virtual machine on a system could read information stored in another virtual machine on the system, even though those virtual machines are supposed to be completely isolated.
Foreshadow and Foreshadow-NG, like Spectre and Meltdown, use flaws in speculative execution. Modern processors guess the code they think might run next and preemptively execute it to save time. If a program tries to run the code, great—it’s already been done, and the processor knows the results. If not, the processor can throw the results away.
However, this speculative execution leaves some information behind. For example, based on how long a speculative execution process takes to perform certain types of requests, programs can infer what data is in an area of memory—even if they can’t access that area of memory. Because malicious programs can use these techniques to read protected memory, they could even access data stored in the L1 cache. This is the low-level memory on the CPU where secure cryptographic keys are stored. That’s why these attacks are also known as “L1 Terminal Fault” or L1TF.
To take advantage of Foreshadow, the attacker just needs to be able to run code on your computer. The code doesn’t require special permissions—it could be a standard user program with no low-level system access, or even software running inside a virtual machine.
Since the announcement of Spectre and Meltdown, we’ve seen a steady stream of attacks that abuse speculative execution functionality. For example, the Speculative Store Bypass (SSB) attack affected processors from Intel and AMD, as well as some ARM processors. It was announced in May 2018.
Is Foreshadow Being Used in the Wild?
Foreshadow was discovered by security researchers. These researchers have a proof-of-concept—in other words, a functional attack—but they’re not releasing it at this time. This gives everyone time to create, release, and apply patches to protect against the attack.
How You Can Protect Your PC
Note that only PCs with Intel chips are vulnerable to Foreshadow in the first place. AMD chips aren’t vulnerable to this flaw.
Most Windows PCs only need operating system updates to protect themselves from Foreshadow, according to Microsoft’s official security advisory. Just run Windows Update to install the latest patches. Microsoft says it hasn’t noticed any performance loss from installing these patches.
Some PCs may also need new Intel microcode to protect themselves. Intel says these are the same microcode updates that were released earlier this year. You can get new firmware, if it’s available for your PC, by installing the latest UEFI or BIOS updates from your PC or motherboard manufacturer. You can also install microcode updates directly from Microsoft.
What System Administrators Need to Know
PCs running hypervisor software for virtual machines (for example, Hyper-V) will also need updates to that hypervisor software. For example, in addition to a Microsoft update for Hyper-V, VMWare has released an update for its virtual machine software.
Systems using Hyper-V or virtualization-based security may need more drastic changes. This includes disabling hyper-threading, which will slow down the computer. Most people won’t need to do this, but Windows Server administrators running Hyper-V on Intel CPUs will need to seriously consider disabling hyper-threading in the system’s BIOS to keep their virtual machines safe.
Patches may be necessary for other operating systems, too. For example, Ubuntu has released Linux kernel updates to protect against these attacks. Apple has not yet commented on this attack.
Specifically, the CVE numbers that identify these flaws are CVE-2018-3615 for the attack on Intel SGX, CVE-2018-3620 for the attack on the operating system and System Management Mode, and CVE-2018-3646 for the attack on the virtual machine manager.
In a blog post, Intel said it’s working on better solutions to improve performance while blocking L1TF-based exploits. This solution will apply the protection only when necessary, improving performance. Intel says its already provided pre-release CPU microcode with this feature to some partners and is evaluating releasing it.
Finally, Intel notes that “L1TF is also addressed by changes we are making at the hardware level.” In other words, future Intel CPUs will contain hardware improvements to better protect against Spectre, Meltdown, Foreshadow, and other speculative execution-based attacks with less performance loss.