Intel Chips' List of Security Flaws Grows (Updated)

Update, 8/15/18, 1:40 p.m. PT: Intel sent Tom's Hardware a statement, clarifying that the microcode update was sent to manufacturers earlier this year. 

“L1 Terminal Fault is addressed by microcode updates released earlier this year, coupled with corresponding updates to operating system and hypervisor software that are available starting today. We’ve provided more information on our website and continue to encourage everyone to keep their systems up to date, as its one of the best ways to stay protected. We’d like to extend our thanks to the researchers at imec-DistriNet, KU Leuven, Technion- Israel Institute of Technology, University of Michigan, University of Adelaide and Data61 and our industry partners for their collaboration in helping us identify and address this issue.”

Original, 8/15/18, 9:38 a.m. PT:

Intel chips have been marred by another series of security flaws dubbed Foreshadow-NG. Researchers discovered the vulnerabilities, which primarily affect Intel’s Software Guard Extensions (SGX) and the security of virtualized environments.

What Is the Foreshadow Attack?

Foreshadow is yet another speculative execution flaw (much like Meltdown and Spectre) in Intel’s processors that allows attackers to steal sensitive contents stored in computers' or virtual machines' memory. Most modern processors utilize speculative execution to improve performance. As the name suggests, the chips will speculate or assume the instructions they need to execute next, instead of waiting around for the previous instructions to complete their execution. When the prediction is correct, this saves overall execution time, while the incorrect predictions are scrapped.

Researchers discovered the first Foreshadow flaw earlier this year. This flaw also affected Intel's SGX, which is a security feature that allows app developers to store sensitive information, such as encryption keys, in hardware-protected virtual enclaves.

Now, Intel's own security team has identified two more variants, which they're calling Foreshadow-NG (next-generation). We also know from earlier reports that Intel was supposed to release patches on August 14 for some unknown “Spectre-NG” flaws. The Foreshadow flaws seems to be the last of the group of Intel chip flaws nicknamed Spectre-NG earlier this year.

Intel SGX Under Attack

SGX, the secure enclave technology Intel introduced with the Skylake generation of its processors, encrypts blocks of memory so that malware that may have infected an operating system can’t get to the sensitive data stored in the SGX enclaves. The processor itself validates the integrity of the enclaves, so as long as the processor is trusted, the enclaves can also be trusted.

Because processors are typically much more secure than operating systems and applications, the SGX enclaves are attractive to certain app developers concerned about their users’ security. The Signal private messenger, for instance, is one of the apps that has started using Intel’s SGX to protect the privacy of its users.

However, the Foreshadow attack has found a way around the SGX protections, which normally don’t allow attackers to penetrate the enclaves with speculative execution attacks. According to the researchers that found the flaw, attackers could create shadow-copies of the secure enclave-protected data and then read the contents of those copies. They can later also trick users into trusting and sending their private data to the new fake enclaves.

Virtual Machines Vulnerable to Foreshadow-NG

Intel’s researchers found two Foreshadow-related attacks that would allow attackers to read any of the contents of the CPU chip's L1 cache. This is also why Intel calls this new family of flaws “L1 Terminal Fault” or L1TF.  

Foreshadow-NG could:

  • allow a malicious user application to read kernel memory
  • allow a malicious guest virtual machine to read the hypervisor’s memory or the memory of another guest virtual machine (especially dangerous in the cloud/web hosting scenario)
  • allow a malicious OS to read memory protected by the SMM

Affected CPUs and Mitigation

The researchers said that the original Foreshadow variant only affects Intel’s SGX-capable chips, which includes the Skylake generation and newer.

Meanwhile, the two Foreshadow-NG variants don’t seem to affect other chip providers so far and affect the following Intel chips:

  • Intel Core i3/i5/i7/M processor (45nm and 32nm)
  • 2nd/3rd/4th/5th/6th/7th/8th generation Intel Core processors
  • Intel Core X-series processor family for Intel X99 and X299 platforms
  • Intel Xeon processor 3400/3600/5500/5600/6500/7500 series
  • Intel Xeon Processor E3 v1/v2/v3/v4/v5/v6 family
  • Intel Xeon Processor E5 v1/v2/v3/v4 family
  • Intel Xeon Processor E7 v1/v2/v3/v4 family
  • Intel Xeon Processor Scalable family
  • Intel Xeon Processor D (1500, 2100)

Previous countermeasures implemented against Spectre and Meltdown can't protect against Foreshadow attacks, according to the security researchers that uncovered the Foreshadow flaws. Mitigation against the Foreshadow flaws require updates to operating systems, hypervisors and Intel chips microcode. Intel's own benchmarks showed that the performance impact of the patches is negligible. 

Although getting the operating system and hypervisor updates should be easier, getting the microcode updates will be trickier for the many users who fully depend on manufacturers to send them the updates. That means most older PCs and laptops may not be fully protected against the Foreshadow attacks.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • leoscott
    Great. More slowdowns.
    Reply
  • SkyBill40
    21234284 said:
    Great. More slowdowns.

    You did see this line as the last sentence in the second to last paragraph, right?

    "Intel's own benchmarks showed that the performance impact of the patches is negligible."

    Reply
  • valeman2012
    21234333 said:
    21234284 said:
    Great. More slowdowns.

    You did see this line as the last sentence in the second to last paragraph, right?

    "Intel's own benchmarks showed that the performance impact of the patches is negligible."


    I seen these kind of Benchmarks from the Own companies, but we have try it yourself to see how many fps we lost.
    By the looks of these Endless Spectre bugs,,,lets say you security all spectre patched your Intel i5 7600K (stock) it will perfrom weaker than a i5 6600K (Unpatched)
    Reply
  • rantoc
    Great, spectre patches set back perfrmance about 1 year due to intels low performance gains with its low competition then IE it was in milking mode... what will happen this time when patched? Another year of performance loss equivalent when "patched"?

    Where is my refund?
    Reply
  • Dantte
    21234333 said:
    21234284 said:
    Great. More slowdowns.

    You did see this line as the last sentence in the second to last paragraph, right?

    "Intel's own benchmarks showed that the performance impact of the patches is negligible."


    "...negligible" is a relative term; negligible for you, or Intel, may not necessarily be negligible for leoscott, he may value a 1-FPS lost. Needless to say, there are "more slowdowns", these slowdowns are just "negligible" in the eyes of Intel.
    Reply
  • popatim
    I agree. Who knows what "Negligible" means to them. Did they test this on a 32 Core Xeon or an i5 ??? It's already like being down 1 core :(
    Reply
  • stdragon
    Speculative Execution - the gift that keeps on giving.
    Reply
  • wownwow
    The "Meltdown" and now "Foreshadow" triplets, these "repeatedly not following the specs" instances are now unlikely typical design bugs but the well-planned, INTENDED (as the ex-CEO said "the intended designs") cheating for performance!!!

    All the sellers selling the products with the known INTENDED flaws should be subjected to the fraud in a criminal court for selling such products!

    FTC employees are still hibernating with paycheck auto-and-direct deposit? The organizations of consumer's rights are also still hibernation?

    Intel is now upgraded to "Cheating Inside" from "Bug Inside"!

    Buy Intel "Cheating Inside" products and get unlimited all-you-can-have patches for free!
    Reply
  • alextheblue
    21234922 said:
    Speculative Execution - the gift that keeps on giving.
    The alternative isn't great either, FYI. Would you like a Bonnell-derived chip with complete garbage performance?
    Reply
  • Sam Hain
    21234922 said:
    Speculative Execution - the gift that keeps on giving.

    That last part of your statement, instantly put Cousin Eddie (from N'tl Lampoon's X-mas Vacation) in my head... Are we getting cousin Eddie (perpetually) as Intel customers???
    Reply