Attack of the Speculators
Since the revelation of a new class of vulnerabilities inherent in the speculative execution technology in Intel and other manufacturers’ CPUs (named ‘Meltdown’ and ‘Spectre’ by their discoverers), Intel has published three new variants of these vulnerabilities. Known as ‘L1 Terminal Faults’ (or L1TF), these are so called because they affect the CPU’s Level-one (L1) data cache, or primary cache, which is a physical component of the processor. In cloud computing or other multi-tenanted environments, the L1 cache can be shared between different clients and users.
Each L1 memory block has both a physical and virtual address space, mapped by page tables. The processor spends a lot of time reviewing the page tables during operations. Again, instead of ‘wasting’ CPU cycles, the processor pre-emptively retrieves information from these tables before checking whether the information is required by the running thread. Should the information not be required, the processor will discard it. However, the temporary presence of this information in the L1 cache provides an attacker with a window of opportunity to access data it should not have access to, potentially resulting in a breakdown of security boundaries. These actions are the result of legacy chip architecture designs which prioritised performance over security.
There are actually three ‘flavours’ of this vulnerability; the first, Foreshadow, affects Intel’s Software Guard Extensions (SGX); the second and third flavours, collectively known as Foreshadow Next Generation, affect operating systems, System Management Mode (SMM), virtual machines (VM) and hypervisors (VMMs).
The fact that Foreshadow NG affects hypervisor software, the bedrock of virtualized cloud computing environments and other multi-tenanted platforms, is particularly troublesome. Should different clients share the same CPU resource running simultaneous multi-threading (SMT), there could be a breakdown of the expected security boundaries between clients and their processes.
SMT – or Intel’s implementation, hyper-threading – is a technology that allows a single CPU core to be presented as two virtual processors to improve efficiency. When the CPU, and thus the L1 cache, is shared, an attacker acting as an unprivileged client (process) may retrieve information from another client (process) which the attacker should not have access to. To be successful, the attack must be extremely sophisticated, so this is no low-hanging fruit, and there will almost certainly be easier targets. Nevertheless, the impact from the new speculation variants will be severe and remediation, where possible, is recommended. Risk mitigation measures include software patching, disabling SMT and/or allowing only one client per single CPU core. These measures will have an impact on performance; although unlikely to be noticeable on personal devices, there could be a significant impact within cloud computing environments. As with Spectre and Meltdown, the true mitigation lies with the next generation of CPU architecture design. Until then, the speculators strike again!
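One way to check the mitigation state described above on a Linux host, as an added example that is not part of the original article: it classifies the L1TF status string the Linux kernel exposes under sysfs, together with the SMT control state. The Linux focus, the function names and the OK/REVIEW/ACTION labels are assumptions of this example, and the sample status strings are constructed in the kernel's reporting format.

```shell
#!/bin/sh
# Added example: classify a Linux host's L1TF posture from the status
# string the kernel exposes in sysfs. The OK/REVIEW/ACTION labels are
# this example's own wording, not kernel output.

VULN_FILE=/sys/devices/system/cpu/vulnerabilities/l1tf
SMT_FILE=/sys/devices/system/cpu/smt/control

# l1tf_assess STATUS SMT_CONTROL: print one verdict line.
# The first matching pattern wins, so the unmitigated cases are tested
# before the generic "mitigated" fallback.
l1tf_assess() {
    case $1 in
        "")                  echo "REVIEW: no L1TF status available, kernel may predate the patches" ;;
        "Not affected"*)     echo "OK: CPU not affected" ;;
        Vulnerable*)         echo "ACTION: no mitigation active, apply the software patches" ;;
        *"VMX: vulnerable"*) echo "ACTION: hypervisor does not flush the L1 data cache for guests" ;;
        *"SMT vulnerable"*)  echo "REVIEW: SMT is '$2', sibling threads share the L1 cache between clients" ;;
        *)                   echo "OK: mitigated ($1)" ;;
    esac
}

# Read the live values; a missing file is reported, never a failure.
l1tf_report_host() {
    host_status=""
    host_smt=unknown
    if [ -r "$VULN_FILE" ]; then host_status=$(cat "$VULN_FILE"); fi
    if [ -r "$SMT_FILE" ]; then host_smt=$(cat "$SMT_FILE"); fi
    l1tf_assess "$host_status" "$host_smt"
}

# Constructed samples (status|smt control) in the kernel's format.
while IFS='|' read -r sample_status sample_smt; do
    printf '%s\n  -> %s\n' "$sample_status" "$(l1tf_assess "$sample_status" "$sample_smt")"
done <<'EOF'
Not affected|on
Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable|on
Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled|off
Mitigation: PTE Inversion; VMX: vulnerable|on
EOF

echo "This host: $(l1tf_report_host)"
```

On a virtualization host, a REVIEW result corresponds to the SMT trade-off the article describes: patched, but with sibling threads still sharing the L1 cache.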