UPDATE (August 16, 1911 BST): Updated to include an emailed statement from Enigma.
Yet another dreadful security flaw was unveiled on Tuesday with potential knock-on effects across the technology world, including for cryptocurrency projects seeking to make use of certain hardware devices.
Following a couple of bugs unveiled at the beginning of this year, the Foreshadow vulnerability affects all of Intel's SGX (Software Guard Extensions) enclaves, a special, supposedly extra-secure region of the chip often used to store sensitive data.
In short, while the enclave should be tamper-proof, a group of researchers has found a way for an attacker to steal the information it stores.
For many, Meltdown and Spectre were quite a scare. The bugs hit every single Intel chip, the hardware that powers most of the computers in the world. But since they were not so easy to exploit, there were not many attacks in the real world.
Foreshadow may not seem so bad because it has an impact on a more specific type of Intel hardware: SGX. However, as many cryptocurrency projects plan to use this technology, Foreshadow could have even worse consequences for the cryptocurrency world.
Perhaps most important, Signal creator Moxie Marlinspike is about to recommend a new, presumably greener coin called MobileCoin that puts SGX at its center, even collecting $30 million to do so.
As a result, these projects will need to be restructured before they are actually launched.
"The results published today have a broad impact on cryptocurrency projects," Cornell University security researcher Phil Daian told CoinDesk.
The good news, however, is that the researchers followed the security world's "responsible disclosure process" for bugs, alerting Intel before revealing the flaw so the technology giant could find a solution (which was implemented a few months ago).
But the security world is making a lot of noise because that may not be enough yet.
"It is likely that because many of these systems are slow to update and because many of these fixes require either hardware updates or involved, the infrastructure will remain vulnerable to this class of attacks for a long time," Daian said, adding:
"It would be surprising if at some point this flavor of attack is not used to steal cryptocurrency."
The good and the bad
But there is both good and bad news.
For one, it seems that none of the high-profile SGX projects in cryptocurrency are yet being used to secure real money. "As far as I know, today there is no SGX system in production or widespread use in the space," said Daian.
The bad news is that there are a lot of projects that want to use SGX, and may even have plans to do so soon. And the ideas are quite interesting.
MobileCoin is perhaps the most ambitious, since the project's developers want to replace the miners, a crucial part of the security of any cryptocurrency, with these enclaves to build a more energy-efficient cryptocurrency.
But there are many others who want to use SGX for its security and privacy gains.
Enigma is using it in a single app to increase privacy in smart contracts, while hardware company Ledger has worked with technology giant Intel to explore the use of SGX as a new route to the storage of private keys. And the list could continue indefinitely.
Enigma has argued, however, that the impact of the bug has been exaggerated.
"Like any other software or hardware, the discovery and resolution of potential vulnerabilities is a normal and expected part of the development process, in which case the vulnerability has already been addressed by Intel and does not diminish the potential of SGX technology in any way," said Enigma CEO and co-founder Guy Zyskind in a statement.
Zyskind added that Enigma is "proud" to work with Intel and believes that their work with SGX is crucial to the future of cryptocurrency, as they are creating "solid privacy solutions that will eventually enable decentralized applications to function and be adopted on a large scale."
However, these huge benefits do not prevent some researchers from worrying about its impact.
"The SGX attack is devastating," King's College London college assistant Patrick McCorry told CoinDesk, adding that research groups have been arguing for some time about how it can be implemented to add additional security to data.
"It can potentially compromise the integrity and privacy of any application that depends on reliable hardware. Many companies in the cryptocurrency space rely on SGX to support multiparty protocols, but this attack allows any participant to cheat," he added.
"In my opinion, good research and SGX systems should assume that hardware can always be broken at a cost, and should, as always, design defensively and include levels of security," said Daian.
He went on to give some advice to companies planning to launch soon.
"Early plans that are based on SGX should evaluate vulnerabilities and any updates from Intel with caution for the security implications of their systems and should publish these surveys along with their code," he said.
The other bad news, however, is that hackers can find a new variant of the bug, similarly affecting all the SGX chips.
"But as Foreshadow shows, attacks improve," McCorry noted.
Sweet claim
Meanwhile, the bug is leaving some developers feeling justified.
Because Intel has a backdoor in all SGX devices, it has long been a controversial technology for cryptocurrency projects, with enthusiasts often claiming that the use of the technology puts too much power or trust in the hands of a company.
In a nutshell, the Foreshadow vulnerability is a good example of why not to put SGX behind a cryptocurrency project.
"Fortunately we did not adopt an SGX-based bitcoin scaling solution for a certain professor!" tweeted pseudonymous bitcoin enthusiast Grubles.
"Although *if* it was somehow perfect, it has never been a good idea to root bitcoin security in the secret-sauce technology of a chip supplier," replied Bitcoin Core maintainer Wladimir van der Laan.
But again, most of the projects that use SGX have not actually been launched into production.
Some researchers went so far as to argue that most of the cryptocurrency projects exploring SGX have not actually used it for real money because Intel has a bad reputation. The industry has experimented with the technology, but it is too cautious to actually launch it.
Some security researchers recommend continuing with this trend – not to use SGX.
But other researchers are more optimistic that SGX, or something like it, could one day play an important role in cryptocurrency, seeing Foreshadow as a positive sign that trusted hardware is being battle-tested.
"SGX will have to be repeatedly tested and broken by adversarial researchers until it is able to claim a strong degree of security, which will take years," said Daian, adding that he believes that trustworthy hardware along the lines of SGX may one day play an important (and positive) role in cryptocurrency.
In short, it could take some time, he said, adding:
"The realization of a technology of this type certainly represents a great promise for the minimization of trust and a protection of privacy that is scalable in cryptocurrency and beyond."