A new class of hardware vulnerabilities have been discovered in Intel processors. Upon exploitation a malicious code can achieve information disclosure that can be used for further exploitation .This vulnerability affects Intel Core processors and Intel Xeon processors, please check here for a complete list of affected processors . Intel has addressed this issue in INTEL-SA-00161. Three CVEs have been assigned to track these vulnerabilities.
|CVE-2018-3615||Information disclosure via Terminal fault and a side-channel analysis. On Intel processors with software guard extensions (Intel SGX)|
|CVE-2018-3620||Information disclosure via Terminal fault and a side-channel analysis. Operating systems and SMM related.|
|CVE-2018-3646||Information disclosure via Terminal fault and a side-channel analysis in Virtual environment.|
Physical memory is logically divided in the chunks called pages. The page size is typically 4KB. When a process is trying to access a memory location it does so by referring its virtual address. Its the processors job to translate this address to a physical address by looking up (page table walk) the PTE table. A hierarchy is maintained among these tables to improve performance. Translation Look-aside Buffer (TLB) is implemented to cache recent address translation to avoid walking the PTE table again and again. So before initiating a page walk the processor will check the TLB first.
Page fault is an exception raised by the processor to indicate that the page in question does not have an entry in PTE . An entry in the page table support various bits to describe its status. One such bit is called Present/Absent bit. If this bit is set to zero then the corresponding page is not present in memory and needs to be fetched from the disk. A terminal fault is raised if Present/Absent bit is not set or the reserved bit is set.
During speculative execution the processor will considers the possibility of a page to be “present” more than “not present”. And based on this paradigm the processor will delay this check and forward the corresponding PTE entries for cache coherency.
If we account for this during speculative execution we need to consider a scenario where a “terminal fault” is raised as the page in question is “not present”. Due to the paradigm described earlier the processor will speculate in to the current process further till and computes the corresponding physical address from the PTE entry, simultaneously the processor resolves the page fault and ultimately back tracks. During this time window between these events the contents of L1 may be forwarded to the corresponding dependent instructions. This makes it susceptible to Meltdown type side channel attacks, if the data present at the target physical address is present the L1 cache. This method of leaking data is called L1TF attack. L1TF is extended to different execution scopes like virtualization,SGX and SMM.
For virtual environments Intel has implemented Extended Page Tables(EPT) that is managed by Hypervisor and the guest operating system. The virtual address translation in this case occurs multiple times
Guest virtual address -> Guest physical address -> Host machine physical address.
A terminal fault in scenario can result in the guest physical address being treated as host machine physical address. If a malicious guest machine cause the Hypervisor to load confidential data in to the L1 cache. This data is susceptible to Meltdown type attacks and leads to information disclosure from host machine o guest machine.
Software Guard Extensions (SGX)
SGX is an Intel technology aka secure enclave. Application can execute secure software code in a special protected “enclave” that is not visible even to the operating system. Intel has provided microcode updates to protect SGX from L1TF attacks. The L1TF attack can used to expose memory of a SGX enclave to a process in a different SGX enclave. This sub variant of L1TF is called enclave-to-enclave(E2E). If the code running in an enclave tries to access a linear address, the processor translates said address to physical address.
The processor uses Enclave Page Cache (EPC) to verify that the resolved physical address is part of the enclave. Enclave Page Cache Map (EPCM) is used for access checks. If EPCM check shows an access violation the operation is not committed to architecture and usually results in page fault. If the resolved physical address is present in L1 and the access type is load then the data in the secure enclave may be leaked to another enclave via L1TF attack. The limitation here is the target enclaves memory must mapped into ELRANGE (enclave linear address range) of the second/attacker enclave. ELRANGE is the virtual address space assigned to an secure enclave.
System Management Mode (SMM)
It is a processor mode used by BIOS. SMM can be invoked only by a System Management Interrupt (SMI) and exited only by the RSM instruction. It is intended to provide an isolated operating environment for any privileged code that not to be interrupted. When RMS is executed the L1 cache is flushed, the issue occurs when the sibling LPs (Logical processor) try to reload data in to L1. To prevent this SMM rallies all the LPs on SMM mode entry and exit, this ensures that non-SMM code does operate in L1 while SMM LP us operating at the same time. Any implementation that does not follow this paradigm is susceptible to L1TF attack from the non-SMM LP.
We suggest our clients to apply the latest patches and workarounds provider the respective vendors to address this issue. Qualys customers can scan their network with QIDs relating to this vulnerability to detect vulnerable machines.
Please continue follow Qualys Threat Protection for more information on various vulnerabilities
Understanding L1 Terminal Fault aka Foreshadow: What you need to know
Analysis and mitigation of L1 Terminal Fault (L1TF)
INTEL-SA-00161: Software Guidance
Breaking the Virtual Memory Abstraction with Transient Out-of-Order Execution
ADV180018 | Microsoft Guidance to mitigate L1TF variant
Deep Dive: Intel Analysis of L1 Terminal Fault