Some of the boffins who in 2018 disclosed the data-leaking speculative-execution flaws known as Spectre and Meltdown today contend that attempts to extinguish the Foreshadow variant have missed the mark.
In a paper slated to be distributed through ArXiv today, Martin Schwarzl, Thomas Schuster, and Daniel Gruss with Graz University of Technology, and Michael Schwarz, with the Helmholtz Center for Information Security, reveal the computer science world has misunderstood the microarchitectural flaw that enables Foreshadow, which can be exploited by malware or a rogue user on a vulnerable system to extract data from supposedly protected areas of memory – such as Intel SGX enclaves, and operating-system kernel and hypervisor addresses.
The paper, Speculative Dereferencing of Registers: Reviving Foreshadow, details how defenses based on this misunderstanding, such as the Meltdown mitigation known as KAISER, don't really work against Foreshadow. As such, we're told, it's still possible to exploit Foreshadow on older kernels that are supposedly mitigated, or on a fully patched kernel that happens to have Spectre variant two protections removed.
"We discovered that effects reported in several academic papers over the past four years were not correctly understood, leading to incorrect assumptions on countermeasures," said Daniel Gruss, assistant professor in the Secure Systems group at the Graz University of Technology, in an email to The Register. "The consequence is that we are able to mount a Foreshadow attack on older kernels patched against Foreshadow with all mitigations enabled and on a fully-patched kernel if only Spectre-v2 mitigations are disabled."
Thus, if you've used the nospectre_v2 kernel option on your fully-patched Intel-powered Linux server to optimize for speed over security, and think it won't affect your Foreshadow protection, think again: the machine is now vulnerable to Foreshadow.
Foreshadow – an L1 Terminal Fault (L1TF) bug in Intel parlance – involves abusing the processor's speculative execution to discern private data in an Intel SGX enclave's L1 data cache via a side channel. It relies on manipulating how information is prefetched – collected before it's needed – from the cache. This anticipatory data gathering doesn't take place in the way computer scientists had thought.
"We discovered that this prefetching effect is actually unrelated to software prefetch instructions or hardware prefetching effects due to memory accesses and instead is caused by speculative dereferencing of user-space registers in the kernel," the paper explained.
This misinterpretation of the root cause of the vulnerability has several implications. First, the paper explained, there is the incorrect assumption that Meltdown leaks from the L3 cache or main memory while Foreshadow only leaks from the L1 cache.
For both Meltdown and Foreshadow, the data has to be retrieved from the L1 cache, though the use of prefetch gadgets – snippets of code in memory – allows that restriction to be bypassed. That means, the paper stated, that Foreshadow attacks can be mounted on data outside the L1 cache (e.g. the L3 cache) on kernels with the necessary gadgets.
The good news is that there is a defense against the Foreshadow L3 attack described in the paper: implementing the Spectre-BTB (Branch Target Buffer) countermeasures.
"Our results show that, for now, retpoline [a defense against poisoned branch target buffer entries] must remain enabled even on recent CPU generations to fully mitigate high impact microarchitectural attacks such as Foreshadow," the paper concluded.
It's thus not surprising that Intel isn't planning on releasing further fixes. "The paper refers to specific scenarios in the Kernel-based Virtual Machine (KVM) where there are options on implementing mitigation settings," an Intel spokesperson said in an email. "Intel recommends enabling both the V2 and L1TF mitigations for additional protection. Intel is not planning to release additional mitigations."
AMD, which has said customers shouldn't need to apply Foreshadow defenses, did not respond to requests for comment. ®
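An added example, not from the article or the paper: a POSIX shell check for the configuration described above, where the nospectre_v2 boot option leaves a host exposed even though the kernel still reports L1TF as mitigated. The sysfs paths are the standard Linux vulnerability-status files; the function name and the sample status strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the Spectre-v2 / L1TF posture discussed in the article.
# Args: kernel command line, spectre_v2 sysfs text, l1tf sysfs text.
# Returns 0 when both mitigations are reported active, 1 otherwise.
check_foreshadow_posture() {
    cmdline=" $1 " v2=$2 l1tf=$3 risk=0

    # Boot options that switch off Spectre-v2, L1TF or all mitigations.
    for opt in nospectre_v2 spectre_v2=off l1tf=off mitigations=off; do
        case "$cmdline" in
            *" $opt "*) echo "RISK: boot option '$opt' is set"; risk=1 ;;
        esac
    done

    # The kernel reports "Not affected", "Mitigation: ..." or "Vulnerable...".
    case "$v2" in
        "Not affected"*|"Mitigation:"*) ;;
        *) echo "RISK: spectre_v2 reports '$v2'"; risk=1 ;;
    esac
    case "$l1tf" in
        "Not affected"*|"Mitigation:"*) ;;
        *) echo "RISK: l1tf reports '$l1tf'"; risk=1 ;;
    esac

    [ "$risk" -eq 0 ] && echo "OK: Spectre-v2 and L1TF mitigations reported active"
    return "$risk"
}

# Live check on a Linux host: sh thisfile.sh --live
if [ "${1:-}" = "--live" ]; then
    d=/sys/devices/system/cpu/vulnerabilities
    check_foreshadow_posture "$(cat /proc/cmdline)" \
        "$(cat "$d/spectre_v2")" "$(cat "$d/l1tf")"
    exit $?
fi

# Constructed sample inputs (not captured from a real machine).
SAMPLE_GOOD_V2="Mitigation: Retpolines, IBPB: conditional, IBRS_FW, RSB filling"
SAMPLE_BAD_V2="Vulnerable, IBPB: disabled, STIBP: disabled"
SAMPLE_L1TF="Mitigation: PTE Inversion; VMX: conditional cache flushes"

echo "== default boot options =="
check_foreshadow_posture "ro quiet" "$SAMPLE_GOOD_V2" "$SAMPLE_L1TF" || true
echo "== booted with nospectre_v2 =="
# l1tf still reads "Mitigation:", yet the host is flagged.
check_foreshadow_posture "ro quiet nospectre_v2" "$SAMPLE_BAD_V2" "$SAMPLE_L1TF" || true
```

The second sample shows why the l1tf status line alone is not a sufficient check: it reports a mitigation in both runs, and only the boot option and the spectre_v2 status reveal the gap.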