Noted security researcher Bruce Schneier brings word of a recent paper noting deficiencies in the idea of a "trusted enclave" that will only run trustworthy code.
From the abstract of the paper on arXiv, "Practical Enclave Malware with Intel SGX":
Abstract: Modern CPU architectures offer strong isolation guarantees towards user applications in the form of enclaves. For instance, Intel's threat model for SGX assumes fully trusted enclaves, yet there is an ongoing debate on whether this threat model is realistic. In particular, it is unclear to what extent enclave malware could harm a system. In this work, we practically demonstrate the first enclave malware which fully and stealthily impersonates its host application. Together with poorly-deployed application isolation on personal computers, such malware can not only steal or encrypt documents for extortion, but also act on the user's behalf, e.g., sending phishing emails or mounting denial-of-service attacks. Our SGX-ROP attack uses a new TSX-based memory-disclosure primitive and a write-anything-anywhere primitive to construct a code-reuse attack from within an enclave which is then inadvertently executed by the host application. With SGX-ROP, we bypass ASLR, stack canaries, and address sanitizer. We demonstrate that instead of protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits. With our results, we seek to demystify the enclave malware threat and lay solid ground for future research on and defense against enclave malware.
The full paper is available as a PDF file.
(Score: 0) by Anonymous Coward on Friday August 30 2019, @10:28PM
I have always relied on Microsoft to provide attack vectors at software level.
(Score: 3, Informative) by jmorris on Friday August 30 2019, @11:24PM (3 children)
No software written by mainstream shops is secure. Software written in secret and locked away is even less likely to be secure.
Secure / Trusted computing advocates always leave ambiguity about and deflect attention from what should always be THE question. Who trusts what from whom? What is secured against whom doing what? And each and every time it is somebody trusting or securing "your" computer from you.
Trusted computing could be done right. Computers could be much more secure. But customers, even corporate and government ones, do not know enough to even ask their sales weasel the right questions. If they got educated and demanded real trustworthy computers we could have much better security. But they won't, so it is all going to end in fire.
The end.
(Score: 0) by Anonymous Coward on Saturday August 31 2019, @06:03PM
In fact, most of the big company customers do know on some level, but they are nothing but suited whores who want to be on the winning team. Fuck the country/the rest of humanity, as long as their family stays rich.
(Score: 2) by Pino P on Sunday September 01 2019, @03:56PM (1 child)
The more invasive boot-time measures, such as Secure Boot and TPM, are intended to secure a computer from surreptitious installation of a rootkit in the boot sector [malwarebytes.com]. The assumption is that the vast majority of computing devices sold through the mass market are sold to non-technical users, not to power users such as the ones who frequent SoylentNews, Hacker News, etc.
(Score: 2) by Common Joe on Sunday September 01 2019, @08:24PM
There's an easy solution which can make power users happy and make the computer updateable even by non-power users: install a physical switch if you want the firmware to be updated. Old school computers used jumpers, but there's no reason why an actual physical switch couldn't be used.
(Score: 2) by jmichaelhudsondotnet on Saturday August 31 2019, @11:09AM
This illustrates the degree of specialized language required to even kind of understand what's going on.
"We demonstrate that instead of protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware"
The thing designed to provide security, IS the backdoor.
Who would have thunk it.
iPhone exploits recently revealed show us how it's done: you make a bug at every layer of the device, and then just kind of pass that on to the right people who make the malware for the people whose power you want to amplify. They used the phrase 'chained together zero-days'.
Both iPhone and Intel are made in this country in the Middle East, can't think of the name at the moment. It's the same country where the NSO Group is from, the one whose 'expertise' was making the most 'advanced' malware...
When I can think of this country's name again, I'm going to file a complaint somewhere with the Better Business Bureau about how this country is selling locks that they keep extra secret keys to, which is like really creepy.
Fascists come in all shapes and sizes, you cannot trust them to design your processor or handheld multimedia studio. News you can use.
thesesystemsarefailing.net
(Score: 0) by Anonymous Coward on Saturday August 31 2019, @11:39AM
i hope it helps "fake" DRM crap ... gooo SGX.
(Score: 0) by Anonymous Coward on Saturday August 31 2019, @08:45PM
Lentils have > 100 comments on renaming GIMP and 10 on a release of secure enclave malware primitives. What the?!
Priorities, people! This (publicly available enclave primitives) is big news! We should expect to see actors lower than nation-state deploying with these specific constructions in the next few days...
The work itself is fine. It's no classic textfile (way too academic and long-winded) but the meat is there; this is the real deal.