Foreshadow - Extracting the Keys to the Intel SGX Kingdom
The controlled channel attack paper points out a vulnerability not with SGX itself, but more about the design of shielded execution and how an OS can circumvent such protections. On the other hand, Foreshadow is a more direct exploit that compromises an Intel SGX enclave’s security. This particular method exploits SGX secure hardware that comes with all Intel chips after 2013. Similar to the motivation behind controlled channel attacks, this paper is important because it points out a clear vulnerability with Intel SGX that can be exposed. The attack was severe enough that it was officially described by Intel as the L1 Terminal Fault vulnerability and was demonstrated to result in disclosures of sensitive data stored in personal computers or public cloud service providers. This paper primarily focuses on the version that targets SGX enclaves. The Foreshadow attack is similar in nature to Spectre and Meltdown, although the latter two also affect AMD chips. While the exploit is widespread, the authors also show that it is difficult to use in practice, and thankfully there hasn’t been any evidence of its use to the knowledge of the research community.
As the authors describe in the beginning of the paper, the SGX enclave has tremendously reduced the TCB of computer hardware to just the CPU. However, if the CPU itself has a bug, then SGX is compromised. The Foreshadow bug causes this complete collapse in the system. The main technique behind this attack is the use of speculative execution. In this approach, commands are executed out of order, and this leads to indirect memory accesses by unauthenticated users. This leads to potential data extractions such as retrieving key data. These vulnerabilities exist at the microarchitecture level of the CHIP, making it difficult to patch. More specifically, Foreshadow can be broken down into three steps. First, the attack only works if enclave loads are served from the L1 cache. Then, an unmapped page table entry allows for arbitrarily cached physical memory to be read. Finally, the Meltdown vulnerability is executed. What’s notable about this attack is that root access is not required at all for cryptographic keys to be fully extracted. The authors also demonstrated how in theory, this could be a very lucrative exploit for cloud attacks on “co-residing cloud tenants”.
As pointed out by the authors, the practical use of this attack is quite limited because of the specific circumstances that must be in place for success, along with the actual act of carrying out an attack being quite tedious. Despite the vulnerability being widespread, there’s no evidence that the exploit was used in practice. I personally felt like the paper made some assumptions about the reader’s knowledge. Without reading the optional SGX paper, I don’t believe I would’ve understood the sealing and attestation mechanisms. Speculative execution also took some time to wrap my head around. I think more visuals accompanied by code could’ve given the idea a more practical feel (but I also understand why they might not want to do that). Other than that, I felt like this paper was very well written.
The mitigations section of this paper states that preventing any of the three steps of the Foreshadow vulnerability should prevent the attack entirely. Therefore, production of new CPUs that are immune to the Meltdown and Spectre is a good first step. OS kernel updates that sanitize page frame bits should take care of unmapped page table entries, while revisions to Intel microcode that runs on the chip can solve the extraction of L1 cache secrets with a simple protocol based on flushing and disabling hyperthreading. Taking a step back, I think the Controlled Channel Attacks paper and Foreshadow attack indicate that there should be a greater investment in researching the viability and prevention of side channel attacks in system architectures. The reliance of SGX on the now debunked invincibility of the CPU suggests that in future systems, it’s probably best to avoid a single point of failure in system design. Foreshadow points out how any vulnerabilities with the CPU causes a domino effect of problems that leave secure enclaves open to attack.