Foreshadow breaks into Intel SGX security enclave to pilfer data

Intel's new processor generation can't come soon enough. Just when you thought the computing world was more or less over the Meltdown and Spectre scare, a new relative pops up. The name this time is less frightening but more ominous: Foreshadow. It's related to Meltdown in that it exploits speculative execution to illegally read data stored in memory. The difference, and the irony, is that Foreshadow breaks into Intel's SGX, the very feature that's meant to protect data even from wayward operating systems and software.

It might be the whipping boy for the recent woes plaguing processors, but speculative execution is one of the important features of modern silicon. In a nutshell, the processor guesses which path the program's code will take and pre-loads the next pieces of code and data into memory before the program gets there. That's a more efficient use of resources than waiting for the program to actually reach that point in the code and only then fetching what the correct path needs.

Processors, however, aren't fortune tellers, and they can get things wrong. In that case, they roll back the code and data they speculated would be used and load the correct ones. All this happens in milliseconds, of course, but that's all it takes for exploits like Foreshadow to do their deeds.

Of course, it's more complicated than that because it involves Intel's Secure Guard eXtensions (SGX). Without going into the gory details, SGX creates enclaves, secure blocks of memory whose code and data are always kept encrypted in RAM. The only thing that can decrypt them is the processor itself, and only at the exact moment the data is read and placed in the processor's cache memory. This safeguard was designed so that the data should stay protected even when the operating system or kernel gets compromised.

The operative word here is "should" and, as the Foreshadow researchers discovered, that isn't always the case. In particular, Intel's mechanism for rolling back incorrectly guessed code and data can be duped by applications, allowing Foreshadow exploits to discern the now-decrypted data left behind in the processor's cache.

The good news is that exploits like this are usually disclosed to companies before they are made public, and Intel has had time to roll out microcode updates to its processors to close off the exploit. The bad news is that the processor's hyperthreading features also open a back door for Foreshadow to potentially get in. The best solution would be on the hardware side, which will only come when Intel launches its Cascade Lake architecture later this year, which would probably set off a maddening rush of upgrades from customers.
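The article's two mitigation points, a microcode/kernel fix and the lingering hyperthreading exposure, are both things an administrator can check on a Linux host. The script below is an added example, not code from the article or from Intel: it reads the kernel's own reporting of the Foreshadow bugs (the Linux kernel tracks them under the name "l1tf" in `/sys/devices/system/cpu/vulnerabilities/`) together with the SMT control switch, and summarises whether the machine is still exposed. The classification rules and the sample status lines are assumptions written in the kernel's reporting format; the script is deliberately conservative and treats an enabled hyperthread sibling as a possible leak path unless the kernel says SMT is disabled.

```python
"""Added example (not from the article): summarise a Linux host's Foreshadow /
L1TF mitigation state as the kernel reports it, plus the SMT (hyperthreading)
state, since a sibling hyperthread sharing the L1 cache is the remaining
exposure the article describes.

Assumption: a Linux kernel that exposes the sysfs vulnerabilities interface
(older kernels simply lack the files, which is reported as "unknown").
"""
import os
from dataclasses import dataclass

# Kernel-provided status files (assumption: sysfs interface present)
L1TF_FILE = "/sys/devices/system/cpu/vulnerabilities/l1tf"
SMT_FILE = "/sys/devices/system/cpu/smt/control"


@dataclass
class L1tfStatus:
    kernel_line: str    # raw text the kernel reported for l1tf
    smt_control: str    # raw SMT control value ("on", "off", "forceoff", ...)
    affected: bool      # CPU is in the affected family at all
    mitigated: bool     # kernel reports a software/microcode mitigation in place
    smt_exposed: bool   # a sibling hyperthread could still observe leaked lines


def classify(kernel_line: str, smt_control: str = "unknown") -> L1tfStatus:
    """Derive a status from the two kernel strings (no I/O, so it is testable)."""
    line = kernel_line.strip()
    smt = smt_control.strip().lower()
    affected = line != "Not affected"
    mitigated = line.startswith("Mitigation:")
    # Conservative rule: unless the CPU is unaffected, the kernel explicitly
    # says "SMT disabled", or the SMT switch is off, assume the hyperthread
    # sibling is still a way for a co-scheduled attacker to read the cache.
    smt_exposed = (
        affected
        and "SMT disabled" not in line
        and smt not in ("off", "forceoff")
    )
    return L1tfStatus(line, smt, affected, mitigated, smt_exposed)


def summarize(status: L1tfStatus) -> str:
    """Map a status to one of four short verdicts an operator can act on."""
    if not status.affected:
        return "not affected"
    if not status.mitigated:
        return "unmitigated: apply kernel and microcode updates"
    if status.smt_exposed:
        return "mitigated, but SMT still exposed: consider disabling hyperthreading"
    return "mitigated"


def _read(path: str) -> str:
    """Return a sysfs file's contents, or 'unknown' when the kernel lacks it."""
    if not os.path.exists(path):
        return "unknown"
    with open(path, encoding="ascii") as fh:
        return fh.read().strip()


def read_status() -> L1tfStatus:
    """Read the live values from the running kernel."""
    return classify(_read(L1TF_FILE), _read(SMT_FILE))


# Constructed sample values (not captured from a real host), written in the
# format the kernel uses, so the logic can be exercised offline.
SAMPLES = {
    "patched_host_smt_on": ("Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable", "on"),
    "patched_host_smt_off": ("Mitigation: PTE Inversion; VMX: SMT disabled", "forceoff"),
    "unpatched_host": ("Vulnerable", "on"),
    "newer_cpu": ("Not affected", "on"),
}

if __name__ == "__main__":
    for name, (line, smt) in SAMPLES.items():
        print(f"{name:22s} -> {summarize(classify(line, smt))}")
    print("this host             ->", summarize(read_status()))
```

Run it on a Linux box to see the live verdict; on a host whose kernel predates the sysfs interface both files are reported as "unknown", which the conservative rules classify as exposed rather than silently passing.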