Research teams specialized in the field of information security found three new vulnerabilities in Intel processors. Their common name is L1 Terminal Fault or simply L1TF. A group of specialists who discovered flaws gave them the name “Foreshadow”.
Vulnerabilities affect the mechanism of speculative execution of the CPU and allow for attacks of the Specter class. The speculative execution function allows to improve the performance of modern processors by prematurely performing operations and later dropping unnecessary data. The vulnerabilities are targeted at data that is processed during speculative execution and stored in the CPU cache.
Intel has already released a patch. The weak spots have been eliminated in the last update of the microcode. According to the company, it has absolutely no effect on performance of client devices, but it can reduce efficiency by 7% when working with a virtual machine.
“The SGX attack is devastating. It can potentially undermine the integrity – and privacy – for any application that is reliant upon trusted hardware. A lot of companies in the cryptocurrency space rely on SGX to support multi-party protocols, but this attack allows any participant to cheat," King's College London assistant professor Patrick McCorry said.
WHY IS IT IMPORTANT?
- Foreshadow vulnerability affects the Software Guard Extensions (SGX) enclave. This area of the chip is often used to store sensitive data. Many cryptocurrency projects plan to use this technology. This means that Foreshadow can have serious consequences for the crypto world.
- MobileCoin is one of the projects that wants to use SGX, and, might have even planned to do it in the near future. The project's founders want to create a secure wallet that can be attached to instant messengers. Enigma uses SGX in an attempt to increase confidentiality in smart contracts. The company Lelger is studying SGX as a new way of storing secret keys.
- Experts advise projects that plan to use SGX to start scrupulously assessing vulnerabilities and any updates from Intel. Other researchers argue that most cryptocurrency projects experimented with technology but did not actually use it on real money.