Researchers Make More Discoveries Around L1TF/Foreshadow - It's Not Good
Security researchers from Graz University of Technology and CISPA Helmholtz are out with their latest findings on CPU speculative execution vulnerabilities, namely taking another look at L1TF/Foreshadow. Their findings are bad news not only for Intel but potentially other CPU vendors as well.
Their latest work revisits the prefetching effect observed in earlier microarchitectural attacks and finds that attributing it to the CPU's hardware prefetcher is incorrect. According to the paper, the effect is instead caused by the kernel speculatively dereferencing values held in user-space registers.
This matters for three reasons: existing mitigations that were designed around the prefetcher explanation may be insufficient, the corrected root cause opens up new attack vectors, and the researchers report that ARM, IBM and AMD CPUs may also be affected by Foreshadow-style leakage.
The paper also introduces a new attack, "Dereference Trap", which leaks register contents from an SGX enclave using only a speculative register dereference.
Identifying speculative dereferencing in the kernel rather than the prefetcher as the root cause not only means some mitigations may be inadequate; it also lets the researchers improve the leakage rate of the original attack and, reportedly, reproduce similar behavior on non-Intel CPUs.
In their conclusion, they recommend enabling retpolines (return trampolines) even on recent CPU generations where they are not enabled by default, in order to fully mitigate microarchitectural attacks like Foreshadow.
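A practical follow-up to that recommendation is to check what the running kernel is actually using. The script below is an added example, not code from the article or from the paper: it reads the kernel's sysfs mitigation status (`/sys/devices/system/cpu/vulnerabilities/`, exposed since Linux 4.15) and reports whether the spectre_v2 mitigation is retpoline-based. The directory is taken as a parameter so the same functions can be exercised against a constructed copy of those files offline; the status strings used in the example are assumptions modelled on the kernel's "Mitigation: ..." format. Forcing retpolines is done with the documented `spectre_v2=retpoline` kernel boot parameter.

```shell
#!/bin/sh
# Added example (not from the article or the paper): inspect the kernel's
# sysfs mitigation status and report whether retpolines are in use.
# The directory is a parameter so the functions can be run against a
# constructed copy offline; on a live system call report_mitigations
# with no argument.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Prints the status line for one vulnerability file, or "absent" if the
# kernel does not expose it (older kernels, or an entry a vendor never got).
mitigation_status() {
    dir=${2:-$VULN_DIR_DEFAULT}
    if [ -r "$dir/$1" ]; then
        cat "$dir/$1"
    else
        echo "absent"
    fi
}

# Returns 0 when spectre_v2 reports a retpoline-based mitigation, 1 otherwise.
# On recent Intel parts the default is a hardware mitigation with no
# retpolines, which is exactly the configuration the paper argues against.
retpoline_active() {
    case "$(mitigation_status spectre_v2 "$1")" in
        *Retpoline*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints a summary of the two relevant entries; returns 0 when retpolines
# are active, 2 when they are not.
report_mitigations() {
    dir=${1:-$VULN_DIR_DEFAULT}
    for v in spectre_v2 l1tf; do
        printf '%-10s %s\n' "$v" "$(mitigation_status "$v" "$dir")"
    done
    if retpoline_active "$dir"; then
        echo "retpolines: active"
        return 0
    fi
    echo "retpolines: NOT active; to force them, boot with spectre_v2=retpoline"
    return 2
}

# Stand-alone use: report on the running kernel when invoked with --run.
if [ "${1:-}" = "--run" ]; then
    report_mitigations || true
fi
```

Run it as `sh check_retpoline.sh --run` on the host you care about; a return code of 2 means the kernel picked a non-retpoline spectre_v2 mitigation and you would need `spectre_v2=retpoline` on the kernel command line to follow the paper's advice.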
I'm still going through all of their research, but the paper is available via arxiv.org. As of writing, the Linux kernel has not changed its default mitigation handling, and there has been no statement from Intel or the other CPU vendors.