Wednesday, November 21, 2018

L1 Terminal Fault Vulnerability (L1TF) aka Foreshadow

L1TF Introduction

L1 Terminal Fault (L1TF) is a side-channel vulnerability in the Intel CPUs. This is another speculative execution vulnerability similar to the other ones that have been identified and disclosed in recent months (remember Spectre ?). Later on this vulnerability has been dubbed as Foreshadow.


Modern CPUs have up to 3 levels of cache. L1 cache is the smallest/fastest of them. Each CPU cache has its own L1 cache (while L3 is a larger one, shared by all cores, which leads to other issues and vulnerabilities classes). 

The key reason why such vulnerabilities exist is the speculative (or out of order) code execution. My coffee shop at work has this vulnerability. When a barista sees me in the morning she starts making a small latte BEFORE I even have an opportunity to place and order and pay. They know me so well that they PREDICT that I will be ordering a small latte. They are usually right, so it helps with the overall speed of delivery, which makes me a happy customer. If one day I decide to "troll" them and order something else they will have to discard the cup of small latte and start preparing a new order from scratch.

in the L1TF case the issue is caused by "over-optimization" in the CPU internal logic, when a virtual address translation happens in parallel with cache access to the L1 cache. I highlighted "in parallel" because while one process within CPU still tries to retrieve/figure out the bits related to the present/not present status of a particular Page Table Entry (PTE), the other process "hopes for the best" and assumes that the data/bytes that we are trying to read from that Page do already exist in cache. There are 2 different outcomes. In one case, the page is actually present in memory and the L1 cache contains the same value. This certainly helps with the overall performance since speculative execution has already used this value and moved execution forward. But in another case the needed page will not be in memory (e.g. swapped out to disk). In this case, a "terminal fault" condition will arise (hence the name for this class of vulnerabilities). Once the terminal fault/page not present condition happens the other process (that accessed data from L1 cache) has already progressed and accessed/used data values related to that memory page. An attacker can access/read data from physical addresses if a "not present" page table entry can be created for the addresses the attacker is interested in and if these addresses are present in the L1 cache.

By exploiting this type of vulnerability an attacker can extract various secrets stored in memory - passwords, crypto keys etc - i.e. being able to read privileged data across trust boundaries

Here is the original Intel article that describes the L1TF vulnerability: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html


L1TF vulnerability affects several generations of the Intel CPUs and has 3 CVEs associated with it with the first one carrying a high risk score of 7.3:

CVE-2018-3615 - L1 Terminal Fault: SGX
CVE-2018-3620 - L1 Terminal Fault: OS/SMM
CVE-2018-3646 - L1 Terminal Fault: VMM



Vulnerabilities of this kind affect multiple different companies, so it becomes hard to keep track of various advisories issued by these companies.

In this article I decided to collate knowledge base articles and remediation steps published by various affected vendors - all on one page.

Here is a nice "Spectre Meltdown checker" shell script that can check the status of various vulnerabilities in this family and the mitigation status: https://github.com/speed47/spectre-meltdown-checker

3rd party advisories and mitigation guidance

Cloud hosting providers



AWShttps://aws.amazon.com/security/security-bulletins/AWS-2018-019/
Microsoft Azurehttps://docs.microsoft.com/en-us/azure/virtual-machines/windows/mitigate-se
Google Cloud GCPhttps://cloud.google.com/blog/products/gcp/protecting-against-the-new-l1tf-speculative-vulnerabilities
Digital Oceanhttps://blog.digitalocean.com/a-message-about-l1tf/
Rackspacehttps://blog.rackspace.com/rackspace-is-tracking-vulnerabilities-affecting-processors-by-intel-amd-and-arm



OEM, hardware vendors, software companies


Microsofthttps://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv180018
Microsoft Server and Hyper-Vhttps://support.microsoft.com/en-us/help/4457951/windows-server-guidance-to-protect-against-l1-terminal-fault
Redhathttps://access.redhat.com/security/vulnerabilities/L1TF
Considerations for OpenStackhttps://access.redhat.com/articles/3569281
Ciscohttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180814-cpusidechannel
Dellhttps://www.dell.com/support/contents/us/en/4/article/product-support/self-support-knowledgebase/software-and-downloads/L1-terminal-fault
HPhttps://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00053708en_us
VMWarehttps://www.vmware.com/security/advisories/VMSA-2018-0020.html and https://www.vmware.com/security/advisories/VMSA-2018-0021.html
VMWare performance impacthttps://kb.vmware.com/s/article/55767
Xenhttps://xenbits.xen.org/xsa/advisory-273.html
Debianhttps://security-tracker.debian.org/tracker/CVE-2018-3646
FreeBSDhttps://www.freebsd.org/security/advisories/FreeBSD-SA-18:09.l1tf.asc
SUSEhttps://www.suse.com/c/suse-addresses-the-l1-terminal-fault-issue/
Ubuntuhttps://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3646.html

Now that we've covered the L1TF vulnerabilities, I have to mention that security research doesn't stop there. Just recently there were 7 (!) new Spectre and Meltdown-like variants published in this article. So there are new waves of patches coming our way ;)

Tuesday, October 9, 2018

My first months in America - Part 3 - automotive edition

I slowed down my blogging activity recently but a few of my ex-colleagues and friends in Melbourne asked me to continue writing about my US experience. So here we go - here is a 3rd blog post about some interesting things I came across here in the US. This is going to be an automotive edition.

I've learnt that if you want to buy a car there are companies that would bring this car to you. From what I've seen, it is more common in a luxury/more expensive price segment. A potential buyer can just express interest, agree on a place and time to meet, and someone will bring this car there for you to perform a test drive. That's pretty cool, especially for busy people when they don't have too much time driving around dealerships around the whole Bay Area.

Continuing on the cars topic - there are 3 passenger car models that are very popular here. In addition to Toyota Camry and Corolla I was surprised to see A LOT more Honda Civic cars compared to Australia. And while Toyota Camry was the best selling car in America in 2016 and 2017, Civic numbers look strong too. In fact, all 3 most popular models showing 30K+ sales figures in March 2018, with Honda Accord not too far away with 24K cars sold in the 5th place. This is a passenger cars segment (measured in units - I have a surprise later in this article in regards to another metric "by revenue"). But what I've discovered is that Americans love their trucks. A (pickup) truck here is not a "large, heavy motor vehicle used to transfer goods". Here it is more akin to a ute but bigger and more brutal/manly. Ford with their F-Series is a clear winner with 73K+ sold in April.

Ford-f150-2015-fx4-por-jesus
Ford F-150, 2015 model year
Source: https://commons.wikimedia.org/wiki/File:Ford-f150-2015-fx4-por-jesus.jpg

There is also a lot of hybrid and fully electric cars (at least here in California). In fact, I came to a conclusion that the Bay Area lives in the future - about 5 years ahead of the rest of the world. Every morning I drive to work passing Fremont (where Teslas are made) and I see trucks loaded with Tesla model 3s taking them all over the country. There were already many Tesla Model S on the road 2 years ago. But since Elon fixed the production issues for Model 3 it's just incredible how many of those "baby Teslas" I see now. Just recently I was chatting with a colleague, who came from LA and he said that they didn't have that many Teslas over there. Another fully electric car that gets very popular is Chevy Bolt EV (not the Volt, which is a hybrid - the naming is quite confusing). 

And speaking about Model 3 - new numbers released for August 2018 indicate that Tesla has become the best selling passenger car in the US (by revenue)

Top US selling cars by revenue.
Image source: https://cleantechnica.com/2018/09/09/tesla-model-3-becomes-1-best-selling-car-in-the-us/

The car charging infrastructure is very well developed too. We have several places on the parking lots equipped with the charging stations. The owners of the electric cars have an internal Slack channel, where they maintain the line to make sure everyone gets a chance to charge their cars. Usually they agree on 2 hour time blocks.

Hybrid cars are very popular here. There are 2 types - one that chargers the battery while coasting or breaking and another (called plug-in hybrid) that has an ability to charge a battery via a charge point station.

The popularity of hybrids is explained by both California being super "green" (ecology topics are huge here) and purely because hybrids are cheaper to run (achieving fuel consumption of 36 MPG and better). Here I need to explain what MPG is: car fuel consumption is measured in miles per gallon (MPG) - a unit not only meaningless for the rest of the world but also being an inverse function (the larger the value - the better)! If litres per 100km was very natural and easy for me to understand, the amount of miles I can drive on a gallon of petrol (it's called gas here) is harder to "feel".

I haven't seen weekly petrol price fluctuations. But petrol prices in San Francisco can be a dollar higher (per gallon) compared to San Jose. To give you an idea, at the time of the writing, petrol prices in SF are around $4. 

I have a soft spot for American muscle cars. They look great, they are powerful (especially in the straight line performance) and they are not that expensive. I see a lot of Mustangs (my favourite), Chargers etc on the road and this brings smiles to my face.

Another novelty was the "Spare the air" campaign. Basically it's an organisation that monitors air quality and issues spare the air alerts encouraging motorists to leave their cars at home and use public transport instead of carpool (when each car has to have more than one occupant).

I'd like to say a few words about the car search web sites. There are generic classifieds web sites (like autotrader, cars.com, CarMax, TrueCar, various dealers' sites etc). They are doing their job, it's a great starting point when you start exploring some options. I see some innovation too. But having worked for Carsales in Australia (which obviously makes me biased) I have to say that Carsales' search is the best I've seen so far. The richness of the search interface is just amazing compared to some other sites that I've used recently.

Craigslist is quite popular too - especially in the cheap used cars segment. But that interface... seriously?!

Thank you for reading! As always, please leave your questions and comments below.