Security vulnerabilities revealed in fingerprint sensors and crypto wallets
Security experts from paluno, the Ruhr Institute for Software Technology at the University of Duisburg-Essen (UDE) have developed a new technique that, for the first time, enables fuzz testing of protected memory areas in modern processors. Their method revealed many vulnerabilities in security-critical software.
Intel's "Software Guard Extension" (SGX) is a widely used technology to protect sensitive data from misuse. It helps developers in shielding a certain memory area from the rest of a computer. A password manager, for example, can be executed safely in such an enclave, even if the rest of the system is corrupted by malware.
However, it is not uncommon for errors to creep in during the programming of the enclaves. Already in 2020, the paluno team from Prof. Dr. Lucas Davi discovered and published several vulnerabilities in SGX enclaves. Now, together with partners form the CASA cluster of excellence, the researchers have achieved another breakthrough in the analysis techniques: Their latest development enables the fuzz testing of enclaves, which is much more effective than the previously used symbolic execution. The idea behind fuzz testing is to feed a large number of inputs into a program in order to gain insights into the structure of the code.
"As enclaves are meant to be non-introspectable, fuzzing cannot easily be applied to them," paluno scientist Tobias Clooster explains the challenge. "Moreover, fuzzing requires nested data structures, which we dynamically reconstruct from the enclave code." His research partner Johannes Willbold from from the research college SecHuman from the Ruhr-Universität Bochum adds: "This way, the shielded regions can be analyzed without accessing the source code."
Thanks to modern fuzzing technology, the researchers were able to detect many previously unknown security problems. All tested fingerprint drivers as well as wallets for storing cryptocurrency were affected. Hackers could exploit these vulnerabilities to read biometric data or steal the entire balance of the stored cryptocurrency. All companies were informed. Three vulnerabilities have been added to the publicly available CVE directory.