Security vulnerabilities revealed in fingerprint sensors and crypto wallets

Credit: CC0 Public Domain

Security experts from paluno, the Ruhr Institute for Software Technology at the University of Duisburg-Essen (UDE) have developed a new technique that, for the first time, enables fuzz testing of protected memory areas in modern processors. Their method revealed many vulnerabilities in security-critical software.

Intel’s “Software Guard Extension” (SGX) is a widely used technology to protect sensitive data from misuse. It helps developers in shielding a certain memory area from the rest of a computer. A password manager, for example, can be executed safely in such an enclave, even if the rest of the system is corrupted by malware.

However, it is not uncommon for errors to creep in during the programming of the enclaves. Already in 2020, the paluno team from Prof. Dr. Lucas Davi discovered and published several vulnerabilities in SGX enclaves. Now, together with partners form the CASA cluster of excellence, the researchers have achieved another breakthrough in the analysis techniques: Their latest development enables the fuzz testing of enclaves, which is much more effective than the previously used symbolic execution. The idea behind fuzz testing is to feed a large number of inputs into a program in order to gain insights into the structure of the code.

“As enclaves are meant to be non-introspectable, fuzzing cannot easily be applied to them,” paluno scientist Tobias Clooster explains the challenge. “Moreover, fuzzing requires nested data structures, which we dynamically reconstruct from the enclave code.” His research partner Johannes Willbold from from the research college SecHuman from the Ruhr-Universität Bochum adds: “This way, the shielded regions can be analyzed without accessing the source code.”

Thanks to modern fuzzing technology, the researchers were able to detect many previously unknown security problems. All tested fingerprint drivers as well as wallets for storing cryptocurrency were affected. Hackers could exploit these vulnerabilities to read biometric data or steal the entire balance of the stored cryptocurrency. All companies were informed. Three vulnerabilities have been added to the publicly available CVE directory.


LVI: Intel processors still vulnerable to attack, study finds


Provided by
Universität Duisburg-Essen

Citation:
Security vulnerabilities revealed in fingerprint sensors and crypto wallets (2022, July 15)
retrieved 15 July 2022
from https://techxplore.com/news/2022-07-vulnerabilities-revealed-fingerprint-sensors-crypto.html

This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no
part may be reproduced without the written permission. The content is provided for information purposes only.

For all the latest Technology News Click Here 

 For the latest news and updates, follow us on Google News

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.