
Foreshadow: Extracting the Keys to the Intel SGX Kingdom - pedro84
https://foreshadowattack.eu/
======
lvh
This is _bananas_.

- Unlike previous speculative execution attacks against SGX, this extracts
memory "in parallel" to SGX, instead of attacking the code running in SGX
directly. It always works: it doesn't require the SGX code to run and it
doesn't require it to have any particular speculative execution
vulnerability. This also means existing mitigations like retpolines don't
work.

- It lets you extract the sealing key and remote attestation. That's about as
bad as it gets.

- The second attack that fell out of this allows you to read arbitrary L1
cache memory, across kernel-userspace or even VM lines (and even reading
ring -2 aka SMM).

If there was any doubt left that speculative execution bugs were an entire new
class and not just a one-off gimmick...

------
lvh
AWS bulletin:
[https://aws.amazon.com/security/security-bulletins/AWS-2018-...](https://aws.amazon.com/security/security-bulletins/AWS-2018-019/)

Amazon Linux bulletin:
[https://alas.aws.amazon.com/ALAS-2018-1058.html](https://alas.aws.amazon.com/ALAS-2018-1058.html)

TL;DR: AWS is patched. Go update your kernel (especially if you run other
people's code).

~~~
lvh
RHEL patches are out. CentOS after delay, presumably. Nothing yet for
Debian/Ubuntu.

