CPU Vulnerabilities Disclosed
This month Intel released a security advisory stating there were new variants on a recent vulnerability. We asked The IT Company’s expert, James Harrell, to expand on the information from the recent guide to L1TF and Foreshadow.
What are L1TF and Foreshadow?
L1TF and Foreshadow are variants of a vulnerability discovered in 2017. The previous discovery was known by two names, Spectre and Meltdown. The initial discoveries were found, due to a security flaw in the L3 cache of multi-core processors. A bad actor (someone with malicious intent) could use these vulnerabilities in a virtualized environment, to gain access to information, that they didn’t have permission to access. It is important to point out, these new vulnerabilities are not the same.
How are they different?
In many ways these two vulnerabilities are very similar. Before a bad actor can exploit these flaws, certain conditions must be met. They must be, or have full access to, a tenant in a virtualized environment (much like a data center), the datacenter must be sharing resources between its tenants (as most do), and the hardware these environments use must be vulnerable to attack (as most were). From there we start seeing some differences. Spectre and Meltdown utilized access to the L3 cache on a CPU (Central Processing Unit), where L1TF and Foreshadow utilize the L1 cache. This is an important distinction.
Why is this any different?
The L1 cache and the L3 cache are different sections of the CPU, and they have different “permissions” inside the CPU architecture. The L3 cache was exploited due to communication techniques between multiple cores inside the same CPU. These cores can only communicate via the L3 cache and not the L1/L2 caches. Since other cores can’t communicate on the L1 cache, you may be wondering how they are able to obtain data from another tenant.
This is where a process called SMT comes into play. SMT first became available to the public in 2002 with Intel’s unveiling of HTT (Hyper-Threading Technology). “Hyper-Threading” is something almost all processors are capable of now days. With this feature enabled, there are two “Virtual Cores” connected to each physical core. These virtual cores do have access to the L1 cache. If a virtual core of a CPU is controlled by a bad actor, it can view data of the other virtual core on the L1 cache.
How can I protect myself?
We want to state as clearly as possible, this is a non-issue. The likely-hood of this technique being exploited against an IT Company customer is unimaginably small. This attack is far more complex and would require near “Nation State” level resources to successfully pull off. OS and Firmware updates have also been implemented to make it even more difficult to successfully exploit (L1 Cache Flushing). Also, don’t forget that a bad actor must have some foothold in the virtual environment to begin with. For our AWS customers, there are also ways to segment hardware (called Core Scheduling).
We’ve said it once, we will say it again- Our job at The IT Company is to keep our customers safe. As we receive information such as this, we will continue to share it with you. For more information on this topic, click here!