Researchers from KU Leuven, Technion – Israel Institute of Technology, University of Adelaide, and the University of Michigan collaborated to discover the third major vulnerability in Intel CPUs this year. They named it Foreshadow. Foreshadow is similar to two attacks that were discovered earlier this year — Spectre and Meltdown.
To explain briefly, Spectre, Meltdown, and Foreshadow are all vulnerabilities that result from hardware issues. Nearly every processor made by Intel after 1995 that uses out-of-order execution is vulnerable to Meltdown. Spectre is a vulnerability based on exploiting the side effects of speculative execution — an optimization technique which speeds up computer operations by doing tasks in advance that may or may not be necessary. Meltdown looks into memory (L1, L2, L3, RAM) and Spectre tricks programs into leaking information. Patches have been released for these vulnerabilities, but they are not a fix and may (will) decrease system performance. Example of Meltdown: https://www.youtube.com/watch?v=RbHbFkh6eeE
Foreshadow is a new vulnerability that affects Intel chips made after 2015. It affects CPUs that have the Software Guard Extensions (SGX) feature. SGX allows programs to create “lock boxes” in Intel chips that the operating system cannot access. This means that even if your computer is infected with malware, the malware cannot access information that is guarded by SGX.
“But we discovered we could specifically target a lock box within Intel’s processors. It would let you leak any data you want out of these secure enclaves.”
— Prof Thomas Wenisch from the University of Michigan
Intel stated that there have been no reports of these vulnerabilities being used by hackers. There are far more obvious and easier approaches to hacking. Nevertheless, this highlights the importance of sticking to safety procedures such as regularly updating and patching. There will always be errors and vulnerabilities in systems, hardware, and initial design. The longer you operate on older versions, the longer hackers have to discover and make use of those vulnerabilities.
– Cheng Ye
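
To check whether the patches mentioned above are actually active on a machine, the following added example (not part of the original post) reads the status the Linux kernel reports for Meltdown, Spectre and Foreshadow. It assumes a Linux system that exposes the sysfs directory shown, where Foreshadow is listed as `l1tf`; the OK / PARTIAL / VULNERABLE / UNKNOWN labels are this example's own.

```shell
#!/bin/sh
# Added example: summarise the kernel's view of Meltdown, Spectre and
# Foreshadow (listed by Linux as "l1tf") mitigation status.
# Assumption: a Linux kernel that exposes the sysfs directory below.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Map one sysfs status line to this example's own verdict labels.
classify_status() {
    case "$1" in
        "Not affected"*)            echo OK ;;
        # A mitigation is on, but the kernel still flags a part as
        # vulnerable (for l1tf this is typically SMT/Hyper-Threading).
        Mitigation:*[Vv]ulnerable*) echo PARTIAL ;;
        Mitigation:*)               echo OK ;;
        Vulnerable*)                echo VULNERABLE ;;
        *)                          echo UNKNOWN ;;
    esac
}

# Print "<issue> <verdict> <raw kernel status>" for each issue.
# Returns 1 if any issue is not reported as OK, 0 otherwise.
report_cpu_vulns() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for name in meltdown spectre_v1 spectre_v2 l1tf; do
        if [ -r "$dir/$name" ]; then
            status=$(cat "$dir/$name")
        else
            # An old, unpatched kernel has no entry: treat as unknown.
            status="(no sysfs entry; kernel does not report this issue)"
        fi
        verdict=$(classify_status "$status")
        [ "$verdict" = OK ] || rc=1
        printf '%-11s %-10s %s\n' "$name" "$verdict" "$status"
    done
    return $rc
}

# Run against the live system only where the kernel exposes the directory.
if [ -d "$VULN_DIR_DEFAULT" ]; then
    report_cpu_vulns || echo "At least one issue is not fully mitigated." >&2
fi
```

A missing entry is reported as UNKNOWN rather than OK, because a kernel too old to report an issue is usually also too old to carry its patch.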