In cybersecurity circles, this has been the year of Spectre and Meltdown, not only because the chip vulnerabilities—first publicly disclosed in January—were so widespread that they're still being cleaned up, but because they've given rise to the discovery of many related flaws. Now, a team of researchers has found a Spectre-like vulnerability that specifically undermines the most secure element of recent Intel chips—and potentially has even broader implications.

Intel's Software Guard Extensions feature, known as SGX, allows programs to establish so-called secure enclaves on Intel processors. These are regions of a chip that are cordoned off to run code that the computer's operating system can't access or change. The secure enclave creates a safe haven for sensitive data, even if malware or another malady compromises the main computer. But a group of researchers, hailing from five academic institutions around the world, found that although SGX can mostly repel Spectre and Meltdown attacks, a related attack can bypass its defenses. They call it Foreshadow.

"There were certain aspects that were surprising and certain aspects that weren't," says microarchitecture security researcher Yuval Yarom, a member of the team that will present its findings at the Usenix security conference in Baltimore on Thursday. "We thought speculative execution could get some information from SGX, but we weren't sure how much. The amount of information we actually got out—that took us by surprise."

Wild Speculation

Meltdown, Spectre, and Foreshadow all exploit various flaws in a computing technique known as speculative execution. A processor can run more efficiently by making an educated guess about what operation it will be asked to perform next. A correct prediction saves resources, while work based on an incorrect prediction gets scrapped.

"This is not an attack on a particular user, it's an attack on infrastructure." Yuval Yarom, University of Adelaide

But the system leaves behind clues—how long it takes the processor to fulfill a certain request, for example—that an attacker can use to find weaknesses, ultimately gaining the ability to steer the path the speculation takes and, at opportune moments, to scoop up data that leaks out of the processor's data cache. Speculative execution attacks tend to be convoluted and difficult to carry out in practice, and Intel emphasizes that none have been seen in the real world. They are important to guard against, though, because a truly motivated attacker could use them to access data and system privileges meant to be off-limits.

"It's not one thing. There's a lot of speculation going on in any modern computer," hardware security researcher and Foreshadow contributor Jo Van Bulck says. "Spectre is focused on one speculation mechanism, Meltdown is another, and Foreshadow is another."

The researchers say that after the initial discovery of Spectre and Meltdown, the SGX enclave was the obvious next place to look for speculative execution flaws. Some clever Spectre attacks did manage to undermine SGX under the right conditions, but the approaches weren't very effective overall. "When you look at what Spectre and Meltdown did not break, SGX was one of the few things left," says system security researcher Daniel Genkin, who contributed to the Foreshadow work. "SGX was mostly spared by Spectre, so it was the logical next step."

The researchers presenting Foreshadow—Van Bulck, Frank Piessens, and Raoul Strack of KU Leuven in Belgium; Marina Minkin and Mark Silberstein of Technion in Israel; Genkin, Ofir Weisse, Baris Kasikci, and Thomas Wenisch from the University of Michigan; and Yarom from the University of Adelaide in Australia—had originally worked in two smaller groups that both hunted for an SGX-focused speculative execution flaw. After the two teams separately disclosed Foreshadow to Intel within weeks of each other in January, they started collaborating to refine and expand the research.

Keys to the Kingdom

What they found is deeply problematic. Not only did both teams independently develop the same speculative execution attack that could access SGX-protected memory in a data cache called L1, they also realized that the attack could expose the secret cryptographic keys, known as attestation keys, that enable SGX's crucial integrity checks.