Security

What is Intel doing to address these issues?

Foreshadow attacks are potentially effective against Intel Core Skylake and Kaby Lake processors, both of which incorporate Intel’s SGX technology. Foreshadow attacks can occur from user space.

As a response to Foreshadow and other potential future CPU vulnerabilities, Intel has committed to the following three activities:

  • A pledge to work on a regular and ongoing basis with security researcher and industry partners to identify and address CPU vulnerability issues;
  • A coordinated disclosure policy with thee partners to avoid vulnerabilities being disclosed before mitigation exists, while still maintaining transparency on CPU vulnerability issues; and
  • Working on fixes to CPU vulnerabilities in next-generation Intel CPUs.

Countermeasures to these CPU vulnerabilities includes both short-term workarounds involving OS changes, and longer-term redesign of CPUs to avoid these security holes. While intel maintains that workarounds such as operating system patches will have minimal impacts on performance, it should be noted that the speculative execution mechanism was specifically created to optimize CPU performance. Moreover, the current workarounds are expected to have a 5%-30% impact on performance since they are in the operating system code. PostgreSQL Select 1 benchmarking test by the Register on the KPTI workaround for Intel CPUs showed between a 17% and 23% slowdown.

For now, Intel also is playing down the likelihood of a Foreshadow-based attack, since other attack methods such as phishing, bad websites, and simple malware are “easier” for attackers to utilize. Intel is also taking longer-term measures to address Foreshadow (as well as Spectre and Meltdown) in follow-on versions of Intel processors. While we can that these fixes “close the door” on issues such as Foreshadow, it is sobering to realize that the SGX feature exploited by Foreshadow were specifically designed to identify and avoid the exact issues that Foreshadow causes, meaning that CPU vulnerabilities are probably with us for the long term.