Discovery casts dark shadow on computer security

August 14, 2018

Two international teams of security researchers have uncovered Foreshadow, a new variant of the hardware vulnerability Meltdown announced earlier in the year, that can be exploited to bypass the secure regions of Intel processors to access memory and data.

The vulnerability affects Intel's Software Guard Extensions (SGX) technology, a new feature in modern Intel CPUs which allows computers to protect users' data in a secure 'fortress' even if the entire system falls under an attacker's control.

The two teams that independently and concurrently discovered Foreshadow have published a report on the vulnerability, which causes the complete collapse of the SGX ecosystem and compromises users' data.

"SGX can be used by developers to enable secure browsing to protect fingerprints used in biometric authentication, or to prevent content being downloaded from video streaming services," Dr Yuval Yarom from CSIRO's Data61 and the University of Adelaide's School of Computer Science said.

"Foreshadow compromises the confidentiality of the 'fortresses', where this sensitive information is stored and once a single fortress is breached, the whole system becomes vulnerable."

The researchers reported these findings to Intel earlier this year, and the company's own analysis into the causes of the vulnerability led to the discovery of a new variant of Foreshadow, called Foreshadow-NG, which affects nearly all Intel servers used in cloud computing.

Foreshadow-NG is theoretically capable of bypassing the earlier fixes introduced to mitigate against Meltdown and Spectre, potentially re-exposing millions of computers globally to attacks.

"The SGX feature is widely used by developers and businesses globally, and this opens them up to a data breach that can potentially affect their customers as well," Dr Yarom said.

"Intel will need to revoke the encryption keys used for authentication in millions of computers worldwide to mitigate the impact of Foreshadow.

"Intel's discovery of the Foreshadow-NG variant is even more severe but will require further research to gauge the full impact of the vulnerability."

Intel has since released patches, updates and guidelines to resolve both Foreshadow and Foreshadow-NG.

Researchers have not yet tested if similar flaws exist in processors of other manufacturers.

Adrian Turner, CEO of CSIRO's Data61, said this is a significant discovery that shows the far-reaching impact of Meltdown and Spectre and reinforces the role of research for discovering and preventing flaws.

"Experts like Dr Yarom play a vital role in finding vulnerabilities, responsibly disclosing them and developing trustworthy systems to keep critical infrastructure secure," Mr Turner said.

"Data61 has also joined the RISC-V Foundation's security task group which aims to prevent the likes of Meltdown and Spectre from occurring again."
-end-
The two teams that discovered Foreshadow include:

For more information, visit: https://foreshadowattack.com

News release contact

US

Dr Yuval Yarom, CSIRO's Data61 and University of Adelaide
(currently in the US)
WhatsApp only: +61 400 100 515
Skype: javali7

Australia

Chris Chelvan, Media Relations Advisor, CSIRO's Data61
E: chris.chelvan@csiro.au
M: +61 436 672 668 Ph: +61 2 9490 5808

Robyn Mills, Media Officer, University of Adelaide
E: robyn.mills@adelaide.edu.au
M: +61 410 689 084 Ph: +61 8 8313 6341

About Data61

CSIRO's Data61 is Australia's data innovation network that transforms existing industries and creates new ones through the application of science and technology. As an applied R&D partner, Data61's capabilities range from cybersecurity, confidential computing, IoT, robotics, machine learning and analytics, software and programming to behavioural sciences and more.

About the University of Adelaide

The University of Adelaide is a world-class research and teaching institution. We are centred on discovering new knowledge, pursuing innovation and preparing the educated leaders of tomorrow. As Australia's third oldest university, we have a well-established reputation for excellence and progressive thinking. This continues today, with the University proudly ranked in the top one percent, among the world's elite.

University of Adelaide
