@inproceedings{vanbulck2018foreshadow,
  author    = {Van Bulck, Jo and Minkin, Marina and Weisse, Ofir and Genkin, Daniel and Kasikci, Baris and Piessens, Frank and Silberstein, Mark and Wenisch, Thomas F. and Yarom, Yuval and Strackx, Raoul},
  title     = {Foreshadow: Extracting the Keys to the {Intel SGX} Kingdom with Transient Out-of-Order Execution},
  booktitle = {Proceedings of the 27th {USENIX} Security Symposium},
  year      = {2018},
  month     = {August},
  publisher = {{USENIX} Association},
  note      = {See also technical report Foreshadow-NG~\cite{weisse2018foreshadowNG}}
}

@article{weisse2018foreshadowNG,
  title   = {{Foreshadow-NG}: Breaking the Virtual Memory Abstraction with Transient Out-of-Order Execution},
  author  = {Weisse, Ofir and Van Bulck, Jo and Minkin, Marina and Genkin, Daniel and Kasikci, Baris and Piessens, Frank and Silberstein, Mark and Strackx, Raoul and Wenisch, Thomas F. and Yarom, Yuval},
  journal = {Technical report},
  year    = {2018},
  note    = {See also {USENIX} Security paper Foreshadow~\cite{vanbulck2018foreshadow}}
}
Foreshadow is a speculative execution attack on Intel processors which allows an attacker to steal sensitive information stored inside personal computers or third party clouds. Foreshadow has two versions, the original attack designed to extract data from SGX enclaves and a Next-Generation version which affects Virtual Machines (VMs), hypervisors (VMM), operating system (OS) kernel memory, and System Management Mode (SMM) memory.
At a high level, SGX is a new feature in modern Intel CPUs which allows computers to protect users’ data even if the entire system falls under the attacker’s control. While it was previously believed that SGX is resilient to speculative execution attacks (such as Meltdown and Spectre), Foreshadow demonstrates how speculative execution can be exploited for reading the contents of SGX-protected memory as well as extracting the machine’s private attestation key. Making things worse, due to SGX’s privacy features, an attestation report cannot be linked to the identity of its signer. Thus, it only takes a single compromised SGX machine to erode trust in the entire SGX ecosystem.
While investigating the vulnerability that causes Foreshadow, which Intel refers to as "L1 Terminal Fault", Intel identified two related attacks, which we call Foreshadow-NG. These attacks can potentially be used to read any information residing in the L1 cache, including information belonging to the System Management Mode (SMM), the Operating System's Kernel, or Hypervisor. Perhaps most devastating, Foreshadow-NG might also be used to read information stored in other virtual machines running on the same third-party cloud, presenting a risk to cloud infrastructure. Finally, in some cases, Foreshadow-NG might bypass previous mitigations against speculative execution attacks, including countermeasures for Meltdown and Spectre.
Who reported this vulnerability?
Foreshadow was independently and concurrently discovered by two teams:
The KU Leuven authors discovered the vulnerability, independently developed the attack, and first notified Intel on January 3, 2018. Their work was done independently from and concurrently to other recent x86 speculative execution vulnerabilities, notably Meltdown and Spectre.
The authors from Technion, University of Michigan, the University of Adelaide and CSIRO's Data61 independently discovered and reported the vulnerability and associated attack to Intel during the embargo period on January 23, 2018.
Following our discovery of Foreshadow (CVE-2018-3615), Intel identified two closely related variants, potentially affecting additional microprocessors, SMM code, Operating system and Hypervisor software. We collectively refer to these Intel-discovered variants as Foreshadow-NG (Next Generation, CVE-2018-3620 and CVE-2018-3646), whereas Intel refers to this entire class of speculative execution side channel vulnerabilities as “L1 Terminal Fault" (L1TF). More information on L1TF can be found here.
What technologies are affected by Foreshadow?
The researchers who discovered Foreshadow demonstrated the vulnerability on SGX enclaves, extracting any data protected via SGX secure memory.
What technologies are affected by Foreshadow-NG?
Foreshadow-NG can be used for extracting any information residing in the L1 cache, including information belonging to the System Management Mode (SMM), the Operating System's (OS) Kernel, or other Virtual Machines (VMs) running on third-party clouds. More technically, Foreshadow-NG allows the following:
Where can I find more information about Foreshadow and Foreshadow-NG?
For more information about how the attack works, see our academic paper. Intel's security advisory and whitepaper, which describe Foreshadow as 'L1 Terminal Fault', are also available. The Foreshadow / L1 Terminal Fault attacks were assigned the following CVE numbers:
What is a virtual machine?
A Virtual Machine is a software emulator of a physical computer. Virtual machines are often used in compute clouds (such as Amazon's AWS or Microsoft's Azure) where, instead of maintaining their own infrastructure, customers can pay for the time the cloud infrastructure spends on running the customer's machine (and the computations within it). As clouds typically run more than one virtual machine on the same physical hardware, it is important that the cloud's Virtual Machine Manager (VMM) or hypervisor prevents information leakage across VM boundaries by ensuring complete isolation between two virtual machines and between the virtual machines and the hypervisor.
So how does Foreshadow-NG affect VMs?
Foreshadow-NG breaks the above mentioned isolation. Thus, a malicious virtual machine running inside the cloud can potentially read data belonging to other virtual machines as well as data belonging to the cloud's hypervisor.
What is an operating system kernel?
The operating system kernel is the core of the operating system, and is responsible for managing most of the operations that a computer performs. In particular, the kernel manages the computer's memory and CPU time as well as ensures isolation between two programs running on the same computer. Given its important role, the kernel has access to all the data stored in the computer's memory, including data belonging to other programs.
So how does Foreshadow-NG affect the kernel?
Using Foreshadow-NG, a malicious program running on the computer might be able to read some parts of the kernel's data. As the kernel has access to data stored by other programs, a malicious program might be able to exploit Foreshadow-NG to access data belonging to other programs.
What is Intel SGX?
Intel Software Guard eXtensions (SGX) is a Trusted Execution Environment (TEE) that enables secure program execution in untrusted environments. The program and the data it operates on are placed inside a secure enclave. There they are protected from modification or inspection, even in the presence of a highly privileged adversary who has corrupted the operating system, hypervisor, or firmware (BIOS). SGX also provides a remote attestation protocol that allows software to prove to a remote party that it is running on a genuine SGX-enabled Intel processor, as opposed to a (potentially malicious) simulator.
Was the confidentiality of SGX enclaves affected by Foreshadow?
Yes. Foreshadow enables an attacker to read the entire SGX enclave's memory contents. This includes architectural enclaves provided by Intel such as the Quoting and Launch Enclaves.
Was the remote attestation protocol affected by Foreshadow?
Yes. Using Foreshadow we have successfully extracted the attestation keys used by the Intel Quoting Enclave to vouch for the authenticity of enclaves. As a result, we were able to generate "valid" attestation quotes. Using these counterfeit quotes, we successfully "proved" to a remote party that a "genuine" enclave was running while, in fact, the code was running outside of SGX, under our complete control.
Is SGX long-term storage affected by Foreshadow?
Yes. As Foreshadow enables an attacker to extract SGX sealing keys, previously sealed data can be modified and re-sealed. With the extracted sealing key, an attacker can trivially calculate a valid Message Authentication Code (MAC), thus depriving the data owner of the ability to detect the modification.
Can I detect if someone has exploited Foreshadow to read my data?
Not likely. Foreshadow does not leave traces in typical log files. A kernel-level attacker using a Foreshadow attack may apply tricks to significantly increase her chances of success. While installing a new (malicious) driver may leave traces in the system log, such a privileged attacker can probably alter the log afterwards, since she has root privileges.
What about other processors (AMD/ARM)?
The original Foreshadow attack affects most SGX-enabled Intel processors. As SGX is currently present only in Intel CPUs, we are unaware of Foreshadow affecting other CPU vendors. To the best of our understanding, Foreshadow-NG only affects Intel processors. However, we are still working to better understand the implications of Foreshadow-NG and this answer might change as the situation develops.
Did you release the source code of your exploits?
For educational purposes, we integrated basic support for Foreshadow-type transient execution attacks into the open-source SGX-Step enclave side-channel attack framework available on GitHub.
Are there mitigations against Foreshadow?
Foreshadow and Foreshadow-NG require mitigations at both the software and microcode levels. This includes updates to most operating systems and hypervisors as well as CPU microcode updates. See Intel's security advisory and our technical report for additional details.
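As a practical check of whether the operating-system side of these mitigations is in place, the following script is an added example (not from the Foreshadow project) that reads and classifies the L1TF status string Linux exposes under /sys/devices/system/cpu/vulnerabilities/l1tf. It assumes a Linux kernel recent enough to report L1TF status there; the sample statuses in the demo branch are constructed but follow the format the kernel documents.

```shell
#!/bin/sh
# Classify the kernel's L1TF (Foreshadow / Foreshadow-NG) mitigation status.
# Assumption: the host runs a Linux kernel that exposes the sysfs file below.
L1TF_SYSFS=/sys/devices/system/cpu/vulnerabilities/l1tf

# l1tf_verdict takes the status string as an argument so it can be exercised
# offline; it returns a one-line verdict prefixed with ok/warn/fail/unknown.
l1tf_verdict() {
    status="$1"
    case "$status" in
        "Not affected")
            echo "ok: CPU not affected by L1TF" ;;
        Mitigation:*"SMT vulnerable"*)
            # Host PTE inversion is active, but a guest on a sibling hyperthread
            # can still share the L1 cache (the Foreshadow-NG VM-to-VM case).
            echo "warn: host mitigated, but guests may leak across SMT siblings" ;;
        Mitigation:*)
            echo "ok: kernel reports L1TF mitigation active" ;;
        Vulnerable*)
            echo "fail: no L1TF mitigation (update kernel and microcode)" ;;
        *)
            echo "unknown: unrecognised status '$status'" ;;
    esac
}

# Read the live status when the sysfs file exists; otherwise say so.
l1tf_check_host() {
    if [ -r "$L1TF_SYSFS" ]; then
        l1tf_verdict "$(cat "$L1TF_SYSFS")"
    else
        echo "unknown: $L1TF_SYSFS not present (not Linux, or kernel predates L1TF reporting)"
    fi
}

if [ "${1:-}" = "--demo" ]; then
    # Constructed sample statuses in the kernel's documented format.
    for s in "Not affected" "Vulnerable" "Mitigation: PTE Inversion" \
             "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable"; do
        printf '%-78s -> %s\n' "$s" "$(l1tf_verdict "$s")"
    done
else
    l1tf_check_host
fi
```

Run with --demo to see the classification of the sample strings, or without arguments to check the current host.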
Have you evaluated any software or microcode updates?
We are currently still evaluating microcode and software patches but have not discovered any vulnerabilities. For technical experts, our technical report discusses our view on these mitigations in more detail.
Do Spectre and Meltdown mitigations such as Retpoline, KPTI, IBRS, STIBP, or IBPB mitigate Foreshadow?
No. The mitigations against Meltdown and Spectre are not effective against Foreshadow and Foreshadow-NG.
How is Foreshadow different from Meltdown?
Foreshadow is different from Meltdown as it targets virtual machines and SGX in addition to data stored in the operating system's kernel (which was targeted by Meltdown). While harder to exploit, Foreshadow is effective against systems deploying Kernel Page Table Isolation (KPTI), which stops Meltdown attacks.
How is Foreshadow different from prior Spectre-like attacks on SGX?
Concurrent speculative execution attacks on SGX, e.g., SGXPectre, rely on the code of the affected enclave containing gadgets vulnerable to Spectre. Thus, such attacks can in theory be mitigated by removing these gadgets from the affected enclave. In contrast, Foreshadow extracts enclave memory without relying on any code vulnerability in the victim enclave, and without even requiring the affected enclave to execute. As such, Foreshadow can be used even in the case where the code of the affected enclave is "perfect", i.e., does not contain any side-channel vulnerability.
What CPUs are affected by Foreshadow and Foreshadow-NG?
Intel confirmed that Foreshadow affects all SGX-enabled Core processors (Skylake and Kaby Lake), while Atom family processors with SGX support remain unaffected. Intel confirmed that Foreshadow-NG affects the following processors:
See Intel's security advisory for additional details.
Why is it called Foreshadow?
In literature, "foreshadowing" is a technique in which a writer provides a subtle hint of what is to come later in the story. Analogous to how a good storyteller tries to keep the outcome of the story (mostly) secret, the speculative execution mechanisms found in modern processors do not directly leak secrets. In the storytelling analogy, the Foreshadow attack shows, however, that clever adversaries can abuse subtle hints in the present to reconstruct secrets from future instructions.
Can I use the logo?
The logo is free to use, rights waived via CC0. Logos are designed by Natascha Eibl.
Logo | Logo with narrow text | Logo with wide text |
---|---|---|
PNG / SVG | PNG / SVG | PNG / SVG |
This research was partially supported by the Research Fund KU Leuven, the Technion Hiroshi Fujiwara cyber security research center, the Israel cyber bureau, by NSF awards #1514261 and #1652259, the financial assistance award 70NANB15H328 from the U.S. Department of Commerce, National Institute of Standards and Technology, the 2017-2018 Rothschild Postdoctoral Fellowship, and the Defense Advanced Research Project Agency (DARPA) under Contract #FA8650-16-C-7622. Jo Van Bulck and Raoul Strackx are supported by a grant of the Research Foundation - Flanders (FWO).