Foreshadow, the new data-stealing vulnerabilities impacting Intel chips

Also known as the L1 Terminal Fault, this flaw is the latest round of attacks stemming from exploitation of speculative execution.
(Daniel Oines / Flickr)

Three new Spectre-class vulnerabilities that impact how Intel chips process information were revealed on Tuesday.

The bugs mean data meant to be protected can be accessed by a hackers due to speculative execution leaks — a problem that’s plagued all modern processors since the beginning of the year.

The problem — which ironically lies within Intel’s security technology SGX — may allow hackers to access private data including passwords and other files. The data can be stolen across virtual machines or applications on the same device.


Speculative execution works like this: All modern chips make educated assumptions — the speculation — about what will happen next in order to speed up performance — the execution.

The original class of attack included the Spectre (Variants 1 and 2) and Meltdown (Variant 3) vulnerabilities, discovered by Google’s Project Zero and made public in January. Virtually all modern computer chips are affected. There have been several variants of the attack released since January and the issue shows no sign of disappearing.

Foreshadow, as the attack released on Tuesday is called, were discovered independently by a team in Belgium’s KU Leuven and then a team from the University of Michigan, University of Adelaide and Technion.

Also known as the L1 Terminal Fault (or L1TF), this flaw is the latest round of attacks stemming from exploitation of speculative execution. The L1 Cache is the fastest memory bank built onto a CPU chip.

“L1TF is a highly sophisticated attack method, and today, Intel is not aware of any reported real-world exploits,” Intel said in a statement in Tuesday.


“As long as users install the update, they’ll be fine. And in fact, the vast majority of PC owners don’t use SGX, so it’s not likely to become a major problem right now,” said Thomas Wenisch, a University of Michigan computer science and engineering associate professor and an author on the paper. “The real danger lies in the future, if SGX becomes more popular and there are still large numbers of machines that haven’t been updated. That’s why this update is so important.”

Detection of Foreshadow is unlikely, but no exploitation has been found in the wild, a testament to both the industry’s fixes as well as the fact that easier avenues of attack remain open.

But the researchers are careful to add no guarantees when it comes to detection.

“Foreshadow does not leave traces in typical log files,” the researchers said. “While installing a new (malicious) driver may leave traces in the system log, the attacker can probably alter the log buffer, since she has root privileges. A kernel-level attacker using a Foreshadow attack may apply tricks to significantly increase her chances of success. While installing a new (malicious) driver may leave traces in the system log, such a privileged attacker can probably alter the log afterwards.”

Patches are available and, Intel says, shouldn’t result in any performance hit for most customers — which was a major issue in the aftermath of the original publication of Meltdown and Spectre.


Some Intel customers like cloud companies running numerous virtual machines on singl devices may suffer a performance hit from patches.

The vulnerabilities are classified as CVE-2018-3620, CVE-2018-3646 and CVE-2018-3615.

New Intel chips that don’t suffer from these flaws are still yet to ship. They will be included in new hardware by the end of the year.

“SGX, virtualization environments and other similar technologies are changing the world by enabling us to use computing resources in new ways, and to put very sensitive data on the cloud—medical records, cryptocurrency, biometric information like fingerprints,” said Ofir Weisse, an author on the paper. “Those are important goals, but vulnerabilities like this show how important it is to proceed carefully.”

Latest Podcasts