More Speculative Execution Exploits – Meet Foreshadow / L1 Terminal Fault

Orange Pi Development Boards

Speculative execution is a feature to speed up performance of recent processors which works by predicting and loading likely future instructions ahead of time.  The features became somewhat famous a few months ago with Meltdown and Spectre vulnerabilities exploiting the features.

The exploits impact Intel, AMD, Arm, and other processors to various degrees, and since the feature is built-in into the hardware, there’s no easy fix, and instead operating systems vendors, cloud service providers, hosting services and other stakeholders implemented mitigations. While a lot of progress has been made, work is still going on with the just released Linux 4.18 still getting some code changes related to the exploits.

Foreshadow / L1 Terminal Fault

But just as solutions were found for Spectre and Meltdown, a new speculative execution exploitation has raised its ugly head: L1 Terminal Fault also known as Foreshadow.  The new flaw appears to be just as serious, and a dedicated website has been setup. Two versions of the exploit have been announced so far:

  • Foreshadow attack designed to extract data from SGX enclaves. Ironically SGX is a new feature in modern Intel CPUs which allows computers to protect users’ data even if the entire system falls under the attacker’s control. It was though to be immune from speculative attacks until recently.
  • Foreshadow Next-Generation attack which affects Virtual Machines (VMs), hypervisors (VMM), operating system (OS) kernel memory, and System Management Mode (SMM) memory.

The name L1 Terminal Fault comes from the fact of the attacker being able to access data stored in L1 cache.

While Spectre & Meltdown announcement was a quite messy, with the press revealing it before companies where ready to announce mitigation solutions, Foreshadow was kept secret until today, and some involved companies have released statements and solutions:

I’m sure other companies will post the way it affects – if at all – their products. I’ve not seen any info from Arm or AMD so far, and it looks like they may not be impacted (TBC). Intel has a video explaining how it all work.

As noted in Phoronix, the CVE are CVEs are CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646 but  the details have not been made public just yet.  The pull request in Linux is an interesting read with reference to the new exploit(s) being a trainwreck:

L1TF, aka L1 Terminal Fault, is yet another speculative hardware engineering trainwreck. It’s a hardware vulnerability which allows unprivileged speculative access to data which is available in the Level 1 Data Cache when the page table entry controlling the virtual address, which is used for the access, has the Present bit cleared or other reserved bits set.

If an instruction accesses a virtual address for which the relevant page table entry (PTE) has the Present bit cleared or other reserved bits set, then speculative execution ignores the invalid PTE and loads the referenced data if it is present in the Level 1 Data Cache, as if the page referenced by the address bits in the PTE was still present and accessible.

While this is a purely speculative mechanism and the instruction will raise a page fault when it is retired eventually, the pure act of loading the data and making it available to other speculative instructions opens up the opportunity for side channel attacks to unprivileged malicious code, similar to the Meltdown attack.

While Meltdown breaks the user space to kernel space protection, L1TF allows to attack any physical memory address in the system and the attack works across all protection domains. It allows an attack of SGX and also works from inside virtual machines because the speculation bypasses the extended page table (EPT) protection mechanism.

The mitigations below do work, but developers are working on improvements as they are currently “horrible performance wise”:

* Host side protection by inverting the upper address bits of a non present page table entry so the entry points to uncacheable memory.

* Hypervisor protection by flushing L1 Data Cache on VMENTER.

* SMT (HyperThreading) control knobs, which allow to ‘turn off’ SMT by offlining the sibling CPU threads. The knobs are available on the kernel command line and at runtime via sysfs

* Control knobs for the hypervisor mitigation, related to L1D flush and SMT control. The knobs are available on the kernel command line and at runtime via sysfs

* Extensive documentation about L1TF including various degrees of mitigations.

The important part is that should check whether updates are available. It seems particularly critical for people using virtualization and cloud based services.

Support CNX Software - Donate via PayPal or become a Patron on Patreon

1
Leave a Reply

avatar
1 Comment threads
0 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
1 Comment authors
MHSadri Recent comment authors
  Subscribe  
newest oldest most voted
Notify of
MHSadri
Guest
MHSadri

Spectre & Meltdown vulnerability/mitigation checker for Linux
AMD and ARM processors are marked as immune to some or all of these vulnerabilities (except some specific ARM models). All Intel processors manufactured since circa 1995 are thought to be vulnerable, except some specific/old models, such as some early Atoms. Please also note that for Spectre vulnerabilities, all software can possibly be exploited …
https://github.com/speed47/spectre-meltdown-checker/