- Title: Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution
- Authors: Jo Van Bulck, Marina Minkin, Ofir Weisse, Daniel Genkin, Baris Kasikci, Frank Piessens, Mark Silberstein, Thomas F. Wenisch, Yuval Yarom, Raoul Strackx
- Venue: USENIX Security 2018
- Keyword: SGX, L1TF, Out-of-Order Execution, Side-channel, Meltdown
The trusted execution environment on Intel’s x86 processor (Software Guard Extensions or SGX) was previously thought to be unaffected under Meltdown and Spectre attacks. The main reason is that SGX will prevent page faults when facing Meltdown-like attacks. This paper introduced Foreshadow, a speculative execution-based attack on SGX-protected memory. The Foreshadow attack clears the present bit of SGX enclave pages, making it possible to trigger page faults. So Foreshadow attack can allow malicious applications in the userspace to read decrypted data from SGX-protected enclave memory, which breaks the security guarantees of SGX.
First, the author introduced the basic Foreshadow attack which allows userspace programs to read one byte from SGX:
- Caching Enclave Secrets: The enclave secrets are plaintext in cache (only encrypt/decrypt when move in/out of DRAM), which is the prerequisite for transient extraction. There is an instruction
elduthat can copy data from enclave to Enclave Page Cache (EPC), which will also load plaintext of data into the cache.
- Transient Execution: The most significant impediment to building transient execution is the abort page semantics of SGX. It will prevent the page fault on dereferencing unauthorized enclave memory, then the the result of data read with be replaced with a dummy value by SGX. But the abort page semantics only take effect after the page table permission check. So unprivileged process can bypass some permission restrictions on enclave memory. The Foreshadow attack clear the present bit in PTE by executing unprivileged system call
mprotect, then explicitly re-establishing the TLB, marking enclave page as not existing. SGX’s abort page semantics will not work in such a situation, the transient instructions will be executed.
- Receiving the Secret: There is an user-space program called “user-level exception handler”. The handler will be called when the page fault was caught by the OS. Because the oracle slot (cacheline-to-be-probed) at the secret index was in L1 cache, it will have shorter access time, so the handler can tell the secret when reloading each oracle slots.
In the remaining part of Foreshadow paper, the author introduced some further operations like keeping the secret in cache, page aliasing and isolating cores. Basic Foreshadow attacks can be constructed to a more powerful attack to read full cache lines. The author also evaluated the success rate from a microarchitecture perspective and showed some practicable attacks using Foreshadow such as attacks on Intel Quoting Enclave and Intel Launch Enclave.
In Foreshadow-NG paper, other two types of attacks were discussed and analyzed:
- Foreshadow-OS: The metadata left by OS in PTE (page table entry) may still refer to valid data in memory. Although terminal fault will be triggered on dereference, out-of-order execution may bring data into L1 cache, so that unprivileged user space applications may access the memory up to one-page size.
- Foreshadow-VMM: The Extended Page Table (EPT) is a hardware-assisted address translation feature of Intel processors. When EPT is enabled, the guest physical addresses are translated to host physical addresses by traversing the EPT page table. In such translation, the guest physical addresses are directly compared in L1 tag-comparison. Malicious VM can control physical address (to access L1 cache) in transient instructions. The malicious VM can modify its PTE pointing to any guest physical address so that the malicious VM can read arbitrarily within the VMs on the same physical core of the host.
After this paper was published, following researchs exposed more types of attacks (Foreshadow-NG), the Intel researchers called all these types of attack L1TF (L1 Terminal Fault). These attacks can be used to read any information in the L1 cache, including OS kernel (Foreshadow-OS) and hypervisor (Foreshadow-VMM). The L1TF can bypass the enclave memory protection of SGX (the first pure-software attack on SGX without relying on code vulnerability), memory protection of SMM (system manage mode), and Intel EPT (useful in memory isolation between VMs).
The author also encourages all users to update their system / follow Intel’s guidance to mitigate the L1TF.
The authors and Intel have introduced several kinds of mitigations against L1TF:
- OS: The page table permission model is not trusted, the OS should make sure there is no unintended mapping, mainly by two approaches: direct the Foreshadow attack to a special page which contains no secret, or ensure no physical memory would be referenced during the attack.
- Microcode (protect SGX enclaves): Ensure no SGX secrets in L1 cache, or derive different keys in different logical cores.
- Hypervisor: Flush the L1 cache prior to executing
VMENTER. On machines with SMT/HyperThreading enabled, it’s also nessecery to make sure there is no hypervisor thread running on the same core of untrusted VMs.
Notice that in many cases the system is vulnerable because data in L1 cache was shared between logic cores, simply disabling HyperThreading can mitigate L1TF (but may lead to performance degrade by 30%).
- Introduced the first attack on SGX without relying on code vulnerability.
- Extended the border of Meltdown attack (not only the kernel memory but the SGX and EPT can also be attacked, etc.).
- The success rate analysis is provided, which is very rigorous.
- There are not much new ideas compared to the original Meltdown, just an expansion or variety.
- It takes time to traverse all oracle slots when finding the secret. L1 cache is small so the secret data may be replaced out of the cache during the traversing.
- Generally speaking, the paper was well-arranged and easy to find the part which is wanted by the reader.
- The paper explained a lot of background of Foreshadow attack, such as SGX, cache, address translation, OoO and instruction pipeline on x86, transient execution attack including Spectre and Meltdown. Although L1TF is a little sophisticated but not so hard to understand with comprehensive explanations.
- Usages of some terms are not clear (such as “oracle slots” or “transient extraction”).
- Some important informations was in the appendix (made me nearly miss them), not sure why the author put them here.
- The original Foreshadow paper mainly focused on attacks on SGX, but other L1TF attacks on OS and VMM attract me more. The other types of L1TF were described on Foreshadow-NG: Breaking the Virtual Memory Abstraction with Transient Out-of-Order Execution. Since the Foreshadow-NG paper was not published at any venue. I simply regard the Foreshadow-NG paper as a supplement to the original paper and didn’t tell the difference between Foreshadow and Foreshadow-NG when writing this assignment.
- Intel even urged the users not to run SGX on processors with HyperThreading enabled. How dare you!
- It’s really hard to tell a weakness of security paper, especially a practical attack on existing products.
- According to the appendix, the L1TF was named by the Foreshadow-VMM and Foreshadow-SGX only feasible when data in L1 cache. The question is: Foreshadow-NG paper didn’t mention whether Foreshadow-OS is practical only when data is in L1.
本站基于 Creactive Commons BY-NC-SA 4.0 License 允许并欢迎您在注明来源和非商业使用前提下自由地对本文进行复制、分享或基于本文进行创作。