Intel’s SGX blown wide open by, you guessed it, a speculative execution attack

  News, Security
image_pdfimage_print

Foreshadow explained in a video.

Another day, another speculative execution-based attack. Data protected by Intel’s SGX—data that’s meant to be protected even from a malicious or hacked kernel—can be read by an attacker thanks to leaks enabled by speculative execution.

Since publication of the Spectre and Meltdown attacks in January this year, security researchers have been taking a close look at speculative execution and the implications it has for security. All high-speed processors today perform speculative execution: they assume certain things (a register will contain a particular value, a branch will go a particular way) and perform calculations on the basis of those assumptions. It’s an important design feature of these chips that’s essential to their performance, and it has been for 20 years.

But Meltdown and Spectre showed that speculative execution has security implications. Meltdown (on most Intel and some ARM processors) allows user applications to read the contents of kernel memory. Spectre (on most Intel, AMD, and ARM chips) can be used to attack software sandboxes used for JavaScript in browsers and, under the right conditions, can allow kernel memory or hypervisor memory to be read. In the months since they were first publicized, we’ve seen new variants: speculative store bypass, speculative buffer overflows, and even a remotely exploitable version of Spectre.

Read 22 remaining paragraphs | Comments

https://arstechnica.com/?p=1358223