Researchers found new vulnerabilities in Intel products that are similar to the Spectre vulnerabilities. How are the L1TF vulnerabilities similar to Spectre and how are they different?
A third critical security vulnerability in Intel processors was discovered in 2018. This time the vulnerability was discovered by two research groups working independently: the imec-DistriNet Research Group at KU Leuven, an international research group, and a group from Technion, the University of Michigan, the University of Adelaide, and CSIRO’s Data61.
Called Foreshadow by the security researchers, Intel named the initial vulnerability and two variations they discovered L1 Terminal Fault (L1TF), as these flaws target data processed during speculative execution that is stored inside a processor’s L1 cache — the fastest memory in a computer and the closest memory to the processor core.
Speculative execution is a feature found in all modern CPUs, and it improves performance by speculatively computing operations in advance and later discarding any unneeded data. Like Spectre, L1TF is a speculative execution side-channel cache timing vulnerability.
L1TF only affects microprocessors that implement Intel’s Software Guard Extensions (SGX), a trusted execution environment or enclave for applications. However, while Spectre targets program instructions, the L1TF vulnerabilities target program data.
The L1TF vulnerabilities appear when the CPU raises a terminal exception during virtual memory address translation — for example, when a page not present in memory is accessed. When the exception is raised and data from previous code execution remains in the L1 cache, instead of returning the value -1, it returns the content of the cache, which can be read as part of the speculation code window.
The three variations of L1TF are:
- Foreshadow/L1 Terminal Fault: SGX may allow unauthorized disclosure of information residing in the L1 data cache from an Intel SGX Enclave — assigned CVE-2018-3615 by NIST.
- Foreshadow-NG/L1 Terminal Fault: OS/System Management Mode may allow unauthorized disclosure of information residing in the L1 data cache — assigned CVE-2018-3620 by NIST.
- Foreshadow-NG/L1 Terminal Fault: Virtual Machine Monitor (VMM) may allow the unauthorized disclosure of information residing in the L1 data cache from a virtualized guest in VMM — assigned CVE-2018-3646 by NIST.
The security researchers who discovered the vulnerabilities also demonstrated ways to increase the speed and reliability of extracted data by exploiting another weakness in the CPU architecture. By using Transactional Synchronization Extensions instructions, they achieved over 98% probability of extracting SGX-protected data, such as passwords and encryption keys stored in the CPU’s enclaves. However, to exploit L1TF, an attacker would need control over hardware resources that are accessible only with operating system-level control over the underlying physical or virtual processors.
Administrators should ensure that fixes released by Intel and Microsoft and patches for the Linux kernel are installed, including earlier updates in response to the Meltdown and Spectre vulnerabilities. Those using cloud services should check their providers’ own advisories, and the National Cybersecurity and Communications Integration Center encourages users and administrators to review Intel’s Security Advisory INTEL-SA-00161 and apply the necessary mitigations.
Once the systems are updated, the expected risk to consumer and enterprise users running non-virtualized operating systems should be low, with no meaningful performance impact. Intel’s Security First site provides detailed information about the L1TF vulnerabilities, as does the website set up by the security researchers who uncovered the vulnerabilities.
Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)