"Fingerprint Sensors and Crypto Wallets: Security Vulnerabilities Revealed"
A team of security researchers from Paluno, the Ruhr Institute for Software Technology at the University of Duisburg-Essen (UDE), has developed a new technique that allows fuzz testing of protected memory areas in modern processors for the first time. Their method exposed numerous flaws in security-critical software. Intel's Software Guard Extension (SGX) is a widely used technology aimed at preventing the misuse of sensitive data. It aids developers in isolating a specific memory area from the rest of the computer. Even if the rest of the system is corrupted by malware, a password manager, for example, can run safely in such an enclave. However, it is not uncommon for errors to occur during the enclave programming process. The team discovered and published several vulnerabilities in SGX enclaves. They have now achieved another breakthrough in analysis techniques, working with partners from the CASA cluster of excellence. Their most recent innovation allows fuzz testing of enclaves, which is far more effective than the previously used symbolic execution. Fuzz testing involves feeding a large number of inputs into a program in order to gain insight into the code's structure. Because enclaves are designed to be impenetrable, fuzzing cannot be easily applied to them. Furthermore, fuzzing necessitates the use of nested data structures, which the researchers dynamically reconstruct from the enclave code. Through this, the shielded regions can be examined without gaining access to the source code. The researchers were able to detect many previously unknown security issues because of the modern fuzzing technology. All tested fingerprint drivers, as well as cryptocurrency wallets, were affected. Hackers could use these flaws to read biometric data or steal the entire balance of the cryptocurrency stored. This article continues to discuss the team's new method that enables fuzz testing of protected memory areas in modern processors and the discovery of vulnerabilities in fingerprint sensors and cryptocurrency wallets.
UDE reports "Fingerprint Sensors and Crypto Wallets: Security Vulnerabilities Revealed"