Another dreadful security flaw was unveiled on Tuesday with potential knock-on effects across the technology world, including for cryptocurrency projects seeking to make use of certain hardware devices.
Following a couple of bugs unveiled at the beginning of this year, the Foreshadow vulnerability affects all Intel Software Guard Extensions (SGX) enclaves, a special, supposedly extra-secure region of the chip often used for storing sensitive data.
In short, while the enclave should be tamper-proof, a group of researchers found a way for an attacker to steal the information it retains.
For many, Meltdown and Spectre were quite spooky. The bugs hit every single Intel chip, the hardware that powers most of the computers in the world. But since they were not so easy to exploit, there were not many attacks in the real world.
Foreshadow's effect may not seem so serious because it affects a more specific type of Intel hardware: SGX. However, given that many cryptocurrency projects are planning to use this technology, Foreshadow could have even worse consequences for the world of cryptocurrency.
Perhaps most notably, Signal creator Moxie Marlinspike is about to recommend a new, supposedly greener coin called MobileCoin that puts SGX at its center, even collecting $30 million to do so.
As a result, these projects will have to restructure before launching for real.
"The results published today have a broad impact on cryptocurrency projects," Cornell University security researcher Phil Daian told CoinDesk.
The good news, however, is that the researchers followed the security world's "responsible disclosure process" for bugs, alerting Intel before going public so that the tech giant could come up with a fix (implemented a few months ago).
But the security world is making a lot of noise because that may not be enough yet.
"It is likely that, because many of these systems are slow to update and because many of these fixes require either hardware updates or involved, the infrastructure will remain vulnerable to this class of attacks for a long time," said Daian, adding:
"It would be surprising if at some point this flavor of attack is not used to steal cryptocurrency."
The good and the bad
But there is both good and bad news.
For one, it seems that none of the high-profile SGX projects in cryptocurrency are yet used to secure real money. "As far as I know, there is no SGX system in production or widespread use in the space today," Daian said.
The bad news is that there are many projects that want to use SGX, and perhaps even intend to do it soon. And the ideas are quite interesting.
MobileCoin is perhaps the most ambitious, since its developers want to replace miners, a crucial part of protecting any cryptocurrency, with these enclaves to build a more energy-efficient cryptocurrency.
There are many others who want to use SGX for its security and privacy gains.
Enigma is using it in a single app to increase privacy in smart contracts, while hardware company Ledger has come to work with technology giant Intel to explore using SGX as a new way to store private keys. And the list could go on.
"The SGX attack is devastating," King's College London college assistant Patrick McCorry told CoinDesk, adding that research groups are already discussing how it can be implemented to add more data security.
"It can potentially compromise the integrity and privacy of any application that depends on trusted hardware. A lot of companies in the cryptocurrency space rely on SGX to support multiparty protocols, but this attack allows any participant to cheat."
"In my opinion, good research and SGX systems should assume that hardware can always be broken at a cost, and should, as always, design defensively and include multi-layered security," said Daian, going on to give some advice to companies that plan to launch early.
"Projects that plan to launch early based on SGX should evaluate vulnerabilities and any updates from Intel with caution for the security implications of their systems, and should publish these investigations along with their code," he said.
The other bad news, however, is that hackers could find a new variant of the bug, similarly affecting all SGX chips.
"But as Foreshadow demonstrates, attacks only improve," noted McCorry.
Meanwhile, the bug leaves some developers feeling vindicated.
Because Intel has a backdoor in all SGX devices, it has long been a controversial technology avenue for cryptocurrency projects, with enthusiasts often claiming that using the technology puts too much power or trust in the hands of a company.
Put simply, the Foreshadow vulnerability is a good example of why not to put SGX behind a cryptocurrency project.
"Fortunately we did not adopt an SGX-based bitcoin scaling solution for a certain professor!" tweeted pseudonymous bitcoin enthusiast Grubles.
"Even *if* it was somehow perfect, it was never a good idea to root bitcoin's security in the secret-sauce technology of a chip supplier," Bitcoin Core maintainer Wladimir van der Laan replied.
But again, most of the projects that use SGX have not actually been launched into production.
Some researchers have gone so far as to argue that cryptocurrency projects exploring SGX have not actually used it for real money because Intel has such a bad reputation. The industry has experimented with the technology, but it is too prudent to actually launch it.
Some security researchers recommend continuing with this trend – not to use SGX.
But other researchers are more optimistic that SGX, or something like it, could one day play an important role in cryptocurrency, seeing Foreshadow as a positive sign: trusted hardware is being tested in battle.
"SGX will have to be repeatedly tested and broken by adversarial researchers until it can claim a strong degree of security, which will take years," Daian said, adding that he believes trusted hardware along the lines of SGX may one day play an important (and positive) role in cryptocurrency.
In short, it may take some time, he said, adding:
"Making such a technology certainly holds great promise for trust minimization and scalable privacy protection in cryptocurrency and beyond."