Intel’s Foreshadow CPU Bug Exposes SGX’s Sensitive Data, Crypto World on Notice
Security Flaw Exposed In Intels Software Guard Extensions
On Tuesday, analysts discovered the Foreshadow vulnerability in Intel’s Software Guard Extensions (SGX). This vulnerability is defined as “a speculative execution attack on Intel processors which allows an attacker to steal sensitive information stored inside personal computers or third-party clouds.” There are two different approaches that this attack takes – either to extract SGX enclaves or to impact virtual machines, operating system kernel memory, and more. This particular attack on was against the SGX enclaves.
The SGX enclaves are supposed to be a type of chip that that is capable of preserving sensitive data. In fact, the developers of this technology have gone as far as to call it tamper-proof. However, with a few researchers, there is a weak point in the technological armor that allows attackers to steal the data that it is supposed to protect.
There have been multiple other attacks that consumers have to worry about. Meltdown and Spectre were two other attacks that managed to somehow affect every Intel chip available, which means that the majority of computer systems around the world were impacted too. However, this attack was more of a concept and was rather difficult to use, so it was determined that it hardly caused a threat.
Consumers may think that the chip that Foreshadow affects is so miniscule that it does not matter. Unfortunately, this is the same chip that many cryptocurrency projects have discussed using within their own platforms, which puts every participating token at risk to a much greater degree than other systems. One of the stars of the crypto industry that stands to lose the most is Signal, which is working on a greener coin that is completely centered around the use of SGX. They even managed to raise $30 million to make it a possibility, so will they have to take the hit? Maybe.
Any company that wants to use these chips will have some major changes to make before the launch, due to the “broad impact” it has on these projects, based on information from Phil Daian. Daian is a security researcher from Cornell University. Still, by testing this weak point out before the technology is launched, researchers have actually saved a lot of time and money for participating cryptocurrency platforms.
Daian discussed how the warning might not be enough to deter customers and companies, and it may take a while to adapt current infrastructure to these needs. He also said, “It would be surprising if at some point this flavor of attack is not used to steal cryptocurrency.”
So far, at least to knowledge of the researchers involved, no high-profile SGX project has actually implemented the system with ties to real money. Despite this problem, there are actually many projects that want to use the enclaves. The ideas of how to integrate it are actually quite inventive, which is what makes this attack even more “devastating,” says Kings College London assistant professor Patrick McCorry. He added, “It can potentially undermine the integrity – and privacy – for any application that is reliant upon trusted hardware. A lot of companies in the cryptocurrency space rely on SGX to support multi-party protocols, but this attack allows any participant to cheat.”
Daian commented on McCorry’s opinion, saying, “Good SGX research and systems should assume hardware can always be broken at some cost, and should, as always, design defensively and include layered security.” He also wanted to offer some guidance to projects that plan to launch their projects. He said, “Projects planning to launch soon that rely on SGX should evaluate the vulnerabilities and any updates from Intel with caution for implications to the security of their systems and should publish such investigations along with their code.”
If hackers find a new way to modify the attack, it can easily get worse from her. In spite of that potential threat, there are many developers that feel justified by how this has played out, saying that it shows why SGX should not be in the center of any crypto project. Neverthelessaccordi, most of the companies that wanted to use it at all have not even started production, which some theorize is due to their terrible reputation. There is plenty of experimentation, but not a lot of actual integration.
According to Daian, more testing is needed. He said, “SGX will need to be repeatedly tested and broken by adversarial researchers until it can claim a strong degree of security, which will take years.” Though it could eventually be a positive part of the crypto community, he added, “Realizing such a technology certainly holds great promise for trust minimization and scalable privacy protection in cryptocurrency and beyond.”