Stories
Slash Boxes
Comments

SoylentNews is people

posted by mrpg on Wednesday August 15 2018, @02:02AM   Printer-friendly
from the [sigh] dept.

Intel's SGX blown wide open by, you guessed it, a speculative execution attack

Another day, another speculative execution-based attack. Data protected by Intel's SGX—data that's meant to be protected even from a malicious or hacked kernel—can be read by an attacker thanks to leaks enabled by speculative execution.

Since publication of the Spectre and Meltdown attacks in January this year, security researchers have been taking a close look at speculative execution and the implications it has for security. All high-speed processors today perform speculative execution: they assume certain things (a register will contain a particular value, a branch will go a particular way) and perform calculations on the basis of those assumptions. It's an important design feature of these chips that's essential to their performance, and it has been for 20 years.

[...] What's in store today? A new Meltdown-inspired attack on Intel's SGX, given the name Foreshadow by the researchers who found it. Two groups of researchers found the vulnerability independently: a team from KU Leuven in Belgium reported it to Intel in early January—just before Meltdown and Spectre went public—and a second team from the University of Michigan, University of Adelaide, and Technion reported it three weeks later.

SGX, standing for Software Guard eXtensions, is a new feature that Intel introduced with its Skylake processors that enables the creation of Trusted Execution Environments (TEEs). TEEs are secure environments where both the code and the data the code works with are protected to ensure their confidentiality (nothing else on the system can spy on them) and integrity (any tampering with the code or data can be detected). SGX is used to create what are called enclaves: secure blocks of memory containing code and data. The contents of an enclave are transparently encrypted every time they're written to RAM and decrypted on being read. The processor governs access to the enclave memory: any attempt to access the enclave's memory from outside the enclave should be blocked.

[...] As with many of the other speculative execution issues, a large part of the fix comes in the form of microcode updates, and in this case, the microcode updates are already released and in the wild and have been for some weeks. With the updated microcode, every time the processor leaves execution of an enclave, it also flushes the level 1 cache. With no data in level 1 cache, there's no scope for the L1TF to take effect. Similarly, with the new microcode leaving, management mode flushes the level 1 cache, protecting SMM data.

Also at Engadget and Wired.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 4, Insightful) by Arik on Wednesday August 15 2018, @05:00AM (1 child)

    by Arik (4543) on Wednesday August 15 2018, @05:00AM (#721681) Journal
    The problem is it's unfree, heck, positively opaque.

    Who knows how many other bugs are waiting to be discovered?
    --
    If laughter is the best medicine, who are the best doctors?
    Starting Score:    1  point
    Moderation   +2  
       Insightful=2, Total=2
    Extra 'Insightful' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   4  
  • (Score: 2) by HiThere on Wednesday August 15 2018, @05:48PM

    by HiThere (866) Subscriber Badge on Wednesday August 15 2018, @05:48PM (#721863) Journal

    Try both. The microcode is buggy, and needs to be fixed, and the microcode is not going to be subject to "many eyes" because it's quite difficult to understand compared to assembler code. Open Source would help, because then a few more people would have an idea of just how trustworthy the code was, and they could help the less informed. And they could also comment about ways the manufacturer was "gaming the system", which, of course, is the main reason they aren't about to reveal the code.

    --
    Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.