472 posts in 'All posts'

Android Camera Apps

CVE 2019. 11. 21. 15:41

https://securityaffairs.co/wordpress/94089/hacking/cve-2019-2234-android-camera-apps-flaws.html?fbclid=IwAR0tjThpkEnxEgEum9RVgqoz41egBSwBneoMb9BtnjhbH1LoKMEhPFcmPyI


CVE-2019-2234 flaws in Android Camera Apps exposed millions of users to surveillance

Experts found multiple flaws (CVE-2019-2234) in the Android camera apps provided by Google and Samsung that could allow attackers to spy on users. Cybersecurity experts from Checkmarx discovered multiple vulnerabilities in the Android camera apps provided

securityaffairs.co


Below is the video PoC of the attack:

https://youtu.be/XJAMJOVoVyw

The researchers reported the flaws to Google in early July, and the company confirmed that a security patch addressing them was released the same month. Samsung also confirmed that it had addressed the issue.

“This type of research activity is part of the Checkmarx Security Research Team’s ongoing efforts to drive the necessary changes in software security practices among vendors that manufacture consumer-based smartphones and IoT devices, while bringing more security awareness amid the consumers who purchase and use them. Protecting privacy of consumers must be a priority for all of us in today’s increasingly connected world”

wtdsoul

https://thehackernews.com/2019/11/zombieload-cpu-vulnerability.html?fbclid=IwAR37AZD8rQ5ZbbUMXadMyekGZeuB4fEilrPcOmcmm_wZwDw0dPzkCUR-2qo


New ZombieLoad v2 Attack Affects Intel's Latest Cascade Lake CPUs

ZombieLoad variant 2 of the side-channel MDS vulnerabilities affects the most recent Intel CPUs, including the latest Cascade Lake, which are otherwise resistant against attacks like Meltdown, Foreshadow and other MDS variants (RIDL and Fallout)

thehackernews.com


ZombieLoad v2 Affects Latest Intel CPUs


Now, the same group of researchers has disclosed details of a second variant of the vulnerability, dubbed ZombieLoad v2 and tracked as CVE-2019-11135, that resides in Intel's Transactional Synchronization Extensions (TSX).

Intel TSX provides transactional memory support in hardware, aiming to improve CPU performance by speeding up the execution of multi-threaded software and aborting a transaction when a conflicting memory access is detected.


Intel refers to ZombieLoad v2 as the "Transactional Synchronization Extensions (TSX) Asynchronous Abort (TAA)" vulnerability because exploiting this flaw requires a local attacker, with the ability to monitor the execution time of TSX regions, to infer memory state by comparing abort execution times.


https://hakin9.org/sgx-step-a-practical-attack-framework-for-precise-enclave-execution-control/


SGX-Step: Practical Attack Framework For Precise Enclave Execution Control

SGX-Step is an open-source framework to facilitate side-channel attack research on Intel SGX platforms. SGX-Step consists of an adversarial Linux kernel driver and user space library that make it possible to configure untrusted page table entries and/or

hakin9.org

Overview

Crucial to the design of SGX-Step, as opposed to previous enclave preemption proposals, is the creation of user-space virtual memory mappings for physical memory locations holding page table entries, as well as for the local APIC memory-mapped I/O configuration registers and the x86 Interrupt Descriptor Table (IDT). This allows an untrusted, attacker-controlled host process to easily (i) track or modify enclave page table entries, (ii) configure the APIC timer one-shot/periodic interrupt source, (iii) trigger inter-processor interrupts, and (iv) register custom interrupt handlers completely within user space.

The above figure summarizes the sequence of hardware and software steps when interrupting and resuming an SGX enclave through our framework.

  1. The local APIC timer interrupt arrives within an enclaved instruction.
  2. The processor executes the AEX procedure that securely stores execution context in the enclave’s SSA frame, initializes CPU registers, and vectors to the (user space) interrupt handler registered in the IDT.
  3. At this point, any attack-specific spy code can easily be plugged in.
  4. The library returns to the user space AEP trampoline. We modified the untrusted runtime of the official SGX SDK to allow easy registration of a custom AEP stub. Furthermore, to enable precise evaluation of our approach on attacker-controlled benchmark debug enclaves, SGX-Step can optionally be instrumented to retrieve the stored instruction pointer from the interrupted enclave’s SSA frame. For this, our /dev/sgx-step driver offers an optional IOCTL call for the privileged EDBGRD instruction.
  5. Thereafter, we configure the local APIC timer for the next interrupt by writing into the initial-count MMIO register, just before executing (6) ERESUME.
