Here we go again… Only 8 months after the Spectre and Meltdown CPU vulnerabilities were disclosed, researchers have published Foreshadow, another related attack vector that exploits “Speculative Execution”. This one goes after the “SGX” (Software Guard Extensions) secure enclave feature built into newer Intel processors since the Skylake series. This is very serious, as it strikes at the very feature that is designed to protect highly sensitive data and security code. It’s yet another reason to consider ameliorating host-based security vulnerabilities using SmartNICs and distributed security.
Researchers will be presenting their Foreshadow exploit paper this month (Aug 2018) at the USENIX Security conference. A notable excerpt from their abstract: “We present Foreshadow, a practical software-only microarchitectural attack that decisively dismantles the security objectives of current SGX implementations”.
SGX was designed to allow user-level programs to create secure enclaves on the x86 processor with protected memory regions for executing security-related functions and storing crypto keys and other secret information. To date, it has been used for Digital Rights Management (DRM), secure web browsing, at least one password manager tool and remote computation applications related to cloud computing.
So far SGX has been able to resist Spectre and Meltdown attacks, but the Foreshadow attack can access SGX-protected memory in the L1 cache. Even worse, it can expose the secret, cryptographic attestation keys used by SGX for checking the integrity of each SGX memory enclave. Once an attestation key is compromised, Foreshadow can copy the memory enclave to a non-protected area or even create fake enclaves that appear legitimate to applications even though they are running outside the SGX enclave.
There will be much “gnashing of teeth” by business and users alike while we wait for the patches to roll out and to learn about the costs incurred.
These latest 3 security vulnerabilities, combined with previous Intel processor security flaws disclosed in 2017, give any serious security professional good reason to consider whether they can rely on the protections offered by their server processor.
Fighting Attackers with a SmartNIC-Based True Enclave
We’ve previously highlighted the risks of hosting all of your security measures on the same system you are trying to protect. This is just a bad idea. For over 30 years, high-security Department of Defense (DoD) systems have employed “red-black separation” where secure information is carefully segregated – physically and electrically – from the non-secure domain. Obviously, Intel’s attempts at separation of functions in a single processor domain have been spectacularly unsuccessful, suggesting that the security nerds were probably right all along in insisting on physical domain separation for the best security.
It’s time to re-think the approach to server security and return to the fundamentals… Create a barrier between the server processor – which often runs both trusted and untrusted applications – and the enclave where security functions can run in a protected environment. The perfect opportunity is presented with the new generation of “SmartNIC” network adapters. They create a physically isolated security domain separate from the main CPU and allow a distributed security model, instead of concentrating all security and normal functions in the main CPU.
The Mellanox BlueField™ SmartNIC incorporates a powerful RISC CPU running Linux and is equipped with a variety of security features that make it ideal for hosting trusted functions to protect the server environment. Examples of security services include:
- Stateful Next Gen Firewall (NGFW)
- IPsec, SSL/TLS, Data-at-Rest encryption protocols
- Intrusion detection and prevention (IDS/IPS)
- Host “introspection” – scans the server for authorized applications and detects malware
With the co-mingling of users and applications in enterprise and cloud servers, the older model where attacks are assumed to all originate from “out there” – on the other side of the firewall – is breaking down. We now see that a significant percentage of threats originate inside the data center, so the model of protection has to change as well. With SmartNICs protecting each server at its network port, threats can be stopped before they even enter the server, and the SmartNIC provides a trusted island from which to monitor applications and network transactions.
SmartNIC server security highlights:
- Protects each server at its connection into the data center network
- Distributed security scales as more servers are added… no appliance “choke points”
- Enables per-node customized rules/filters based on the protected assets
- “Secure Boot” of the SmartNIC uses digital signatures to authenticate the OS and all security applications running on the device.
With information security concerns ranking as one of the top concerns of CSOs and over 20% of companies reporting a breach of data or applications in 2017, it is more critical than ever to have confidence in the security tools protecting your data center. The Foreshadow vulnerability is yet another reminder that it’s dangerous to rely on software-based tools running on the computer you are trying to protect. BlueField SmartNICs close the gaps exposed with host-based security.
- Security blog: Mellanox Mitigates Meltdown Mess, Stops Spectre Slowdown
- Security blog: Rethinking Data Center Security, From an M&M to a Jawbreaker Model
- Mellanox Security Solutions
- Mellanox video on BlueField SmartNIC Security Isolation [YouTube]