Intel processors are vulnerable to one or more L1 data cache information disclosure and terminal fault attacks via a speculative execution side channel. These attacks are known as L1 Terminal Fault: SGX, L1 Terminal Fault: OS/SMM, and L1 Terminal Fault: VMM.
Speculative execution is a technique used by many modern processors to improve performance by predicting which instructions may be executed based on past execution history. When a program attempts to access data in memory, the logical memory address is translated to a physical address by the hardware. Accessing a logical or linear address that is not mapped to a physical location on the hardware will result in a terminal fault. Once the fault is triggered, there is a gap before resolution where the processor will use speculative execution to try to load data. During this time, the processor could speculatively access the level 1 data cache, potentially allowing side-channel methods to infer information that would otherwise be protected. More information about L1 terminal fault can be found here.
CWE-208: Information Exposure Through Timing Discrepancy
An attacker with the ability to execute arbitrary code, with or without root privileges, can infer the contents of operating system, application, or SMM memory (CVE-2018-3620), secure SGX enclave memory (CVE-2018-3615), or memory used by virtual machines on the same host as the attacker (CVE-2018-3646).
Apply BIOS and OS updates
Credit goes to the following researchers for L1TF SGX:Jo Van Bulck of imec-DistriNet,KU Leuven,Marina Minkin of Technion,Ofir Weisse,Daniel Genkin,and Baris Kasikci of the University of Michigan,Frank Piessens of imec-DistriNet,KU Leuven,Mark Silberstein of Technion,Thomas F. Wenisch of the University of Michigan,Yuval Yarom of University of Adelaide and Data61,and Raoul Strackx of imec-DistriNet,KU Leuven. L1TF OS/SMM and L1TF VMM were found internally by Intel researchers after expanding on the research of L1TF SGX.
This document was written by Madison Oliver.