Tag Archive for: function

NTT advances CPU security with new cache random function


Tokyo – August 16, 2023 – NTT Corporation (NTT), in collaboration with the Research Institute of Electrical Communication, Tohoku University and CASA (Cyber Security in the Age of Large-Scale Adversaries) at Ruhr University Bochum, has developed a dedicated cache random function to eliminate the vulnerability caused by the cache-induced delay differences that arise when data is acquired and updated between CPU memories. This research contributes to the realization of a highly secure CPU that prevents information leakage due to cache attacks.

NTT designed and proposed a Secure Cache Randomization Function (SCARF) for cache index randomization, and formulated what type of function is suitable for randomizing the cache index by providing design guidelines for cache randomization functions. This paper will be accepted and presented at USENIX Security ’23 in Anaheim, which will be held from August 9th to August 11th, 2023.

Key Points:

  • Modeling attackers to perform cache attacks
  • Design of a concrete function SCARF dedicated to cache index randomization
  • An efficient and secure design theory against modeled attackers is realized using a tweakable block cipher

Background of Research:

Current CPUs use cache memory to reduce the impact of the delay required to transfer data between CPU memories: placing used data near the CPU accelerates subsequent references. Data referenced once can be referenced at high speed the next time, but this difference is also available to attackers. Attacks that exploit this information are called cache attacks; they cause real vulnerabilities, and countermeasures are needed. In particular, contention-based cache attacks, which result from contention for the cache between the target program and the attack program, are recognized as a real threat with fewer prerequisites for attackers.

Randomizing the cache index is a promising countermeasure against contention-based cache attacks. Randomization is thought to make it impossible for an attacker to exploit the cache, because the attacker cannot determine which cache index an address of the target uses, but it has not been known what level of implementation is…


Google Password Manager is taking over this key Chrome security function


After months of speculation, Chrome 108 looks to be rolling out an updated passwords interface for Android users.

According to 9To5Google, Google is replacing the Android browser’s native credentials list with its multi-platform Google Password Manager.


IIJ adds “Browser Isolation” function to its zero-trust network access service “Safous”


AsiaNet 98042

Tokyo, Sept. 28, 2022 (ANTARA/Kyodo JBN-Asianet) -

– This New Function Offers Secure Access to Corporate Applications and External SaaS through Virtual Browser -

Internet Initiative Japan Inc. (hereinafter “IIJ,” TSE Prime: 3774), one of Japan’s leading Internet-access and comprehensive network solutions providers, announced the addition of a new remote browser isolation function, “Browser Isolation,” to its zero-trust network access (ZTNA) (*) service, “Safous,” which is mainly available for users in the U.S. and Asia, starting September 28.

The Safous platform is a zero-trust remote access service that provides application-level control over corporate applications and external “software as a service” (SaaS) access from a remote environment. This optional Browser Isolation function is Safous’ proprietary, sandbox-based virtual browser that allows users to access applications and SaaS virtually, eliminating browser-based threats and providing more secure access.

“Kasm Technologies is honored to provide Kasm Workspaces remote browser isolation, our web-native secure remote access and DevOps-enabled container streaming technology, to Safous’ Browser Isolation function. Browser Isolation is an industry-leading, cost-effective, and secure browser-based remote access solution,” stated Justin Travis, Co-founder and CEO of Kasm Technologies.

(*) ZTNA is a zero-trust solution that provides seamless and secure remote access to internal applications. Instead of authenticating at the boundaries of the enterprise network, authentication is performed through a trusted broker system each time an application is accessed.

Background

More companies have started using SaaS in recent years, including powerhouses like Microsoft 365 and Google Workspace, due to the popularization of hybrid work. Unfortunately, these cloud-based systems are critical targets for attackers. In several reported cases, company networks are infected with malware and ransomware through a remote environment, causing a data breach and the suspension of business operations. Because the browser and network on the terminal side are not secure in remote environments — and are potentially…


Spring4Shell Zero-Day Vulnerability (CVE-2022-22965) & Spring Cloud Function (CVE-2022-22963) Vulnerability – Do You Need to Worry About Them?


Recently, highly potent zero-day vulnerabilities in Java have come to the fore. They are called the Spring4Shell Zero-Day RCE Vulnerability (CVE-2022-22965) and the Spring Cloud Function vulnerability (CVE-2022-22963). Before looking at the potency of these vulnerabilities, let’s understand the Spring Java application framework.

What is the Java Spring Framework?

Spring is a widely used, lightweight Java application framework that allows developers to easily build Java applications with enterprise-level features, which are then deployed on servers such as Apache Tomcat or as stand-alone packages with all the required dependencies.

Spring Cloud Function is a function computing framework based on Spring Boot. It allows developers to focus on implementing business logic and improving the efficiency in development. Spring Cloud Function is used by many tech giants including AWS Lambda, Azure, Google Cloud Functions, Apache OpenWhisk, and other serverless service providers.

A Remote Code Execution vulnerability exists in Spring Cloud Function (CVE-2022-22963) versions 3.1.7 & 3.2.3. An unauthenticated attacker can exploit the vulnerability by constructing specific data packets that inject malicious SpEL (Spring Expression Language) expressions into crafted HTTP request headers, leading to arbitrary remote code execution on the target system.

Spring has also confirmed the zero-day vulnerability dubbed Spring4Shell (CVE-2022-22965) in Spring Framework versions below 5.3.18 and 5.2.20, which could be exploited by an attacker to achieve arbitrary code execution. Spring Framework versions 5.3.18 and 5.2.20 have been released to address the vulnerability. The vulnerability affects Spring WebFlux and Spring MVC applications running on JDK 9+.

What Are the Risks?

A remote unauthenticated attacker can easily exploit the vulnerability, and successful exploitation can grant full control of the victim’s system. Both vulnerabilities are known to have been actively exploited in the wild since the PoCs surfaced online and became publicly available.

Severity: Critical

CVSSv3.1: Base Score: 9.8 CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSSv2: Base Score:…
