A Look Back at Foreshadow
Recently at Duo Tech Talks we hosted Ofir Weisse for a phenomenal presentation on Foreshadow and Foreshadow-NG, the speculative execution side-channel attacks that stole the privileged enclave signing keys from Intel’s SGX platform and can read arbitrary host memory from a compromised VM.
The Foreshadow attack builds on techniques used in the recent Spectre/Meltdown attacks, in which speculative instruction execution leaves artifacts in the processor’s L1 cache that an adversary can then detect and use to infer the values of specific bytes in protected memory. Foreshadow applies a similar technique to read arbitrary memory across the protection boundaries enforced by Intel SGX, but goes further: it allows an adversary to retrieve any victim memory, including memory that the victim process has not itself loaded into the cache.
Because of the low-level technical nature of the research project, Ofir’s talk first covers an introduction to cache side channels, speculative execution, the Meltdown attack and the SGX architecture before explaining how Foreshadow and Foreshadow-NG work. His animated slides break this complex topic into clear building blocks, from which we can see how the attack works and what it implies for the security of future chip designs.