Security News

Known as Control Flow Enforcement Technology, or CET, the protections are designed to prevent miscreants from exploiting certain programming bugs to execute malicious code that infects systems with malware, steals data, spies on victims, and so on. There are various mitigations in place on modern systems, such as Data Execution Prevention, that stop hackers from injecting and executing malicious code into a program when a victim opens a specially crafted document or connects to a remote service.

If, for example, your program is reading through an array of data to perform a complex calculation based on all the values in it, the processor needs to make sure that you don't read past the end of your memory buffer, because that could allow someone else's private data to leak into your computation. The theory is that if the checks fail, the chip can just discard the internal data that it now knows is tainted by insecurity, so there's a possible performance boost without a security risk given that the security checks will ultimately prevent secret data being disclosed anyway.

Samsung on Tuesday unveiled a new security solution - composed of a secure element chip and security software - designed to enhance data protection on mobile devices. Samsung has described it as a "Standalone turnkey security solution" that provides protection for the booting process, isolated storage, mobile payments and other applications.

Samsung Electronics introduced a standalone turnkey security solution comprised of a Secure Element chip and enhanced security software that offers protection for tasks such as booting, isolated storage, mobile payment and other applications. Samsung's new security solution is an enhanced turnkey that follows the first-generation solution announced in February.

US officials moved Friday to cut off Chinese tech giant Huawei from global chipmakers, ramping up sanctions on the company seen by Washington as a national security risk. Officials said Huawei had been circumventing sanctions by obtaining chips and components that are produced around the world based on US technology.

The details of the attacks against Xilinx 7-Series and Virtex-6 Field Programmable Gate Arrays have been covered in a paper titled "The Unpatchable Silicon: A Full Break of the Bitstream Encryption of Xilinx 7-Series FPGAs" by a group of academics from the Horst Goertz Institute for IT Security and Max Planck Institute for Cyber Security and Privacy. In contrast to other known side-channel and probing attacks against Xilinx and Altera FPGAs, the novel "Low-cost" attack aims to recover and manipulate the bitstream by leveraging the configuration interface to read back data from the FPGA device.

A potentially serious vulnerability discovered by researchers in Field Programmable Gate Array chips can expose many mission- and safety-critical devices to attacks. A team of researchers from Germany's Horst Görtz Institute for IT Security at Ruhr-Universität Bochum and the Max Planck Institute for Security and Privacy discovered that FPGA chips are affected by a critical vulnerability - they have named it Starbleed - that can be exploited to take complete control of the chips.

Most computer systems are still very easy to hack, due to a vulnerability in memory chips produced by Samsung, Micron and Hynix, according to a study by researchers from VUSec of the Vrije Universiteit Amsterdam. The vulnerability in question is called Rowhammer, a design flaw in the internal memory chips of a device that creates the vulnerability.

Intel has posted a fresh crop of firmware updates for security flaws in its chipsets. An information-disclosure flaw in data forwarding for Intel processors prompted an advisory and firmware update, as did the already disclosed LVI design flaw.

Chipzilla's processors, already weighed down by defenses deployed against side-channel attacks over the past two years, could get slower still if they try to thwart this latest vulnerability: prototype compiler changes, for full mitigation, have produced performance reductions ranging from 2x to 19x. That's because LVI protection involves compiler and assembler updates that insert extra x86 instructions and replace problematic instructions with functionally equivalent but more verbose instruction sequences. "Being essentially a 'reverse Meltdown'-type attack, LVI abuses that a faulting or assisted load instruction executed within a victim domain does not always yield the expected result, but may instead transiently forward dummy values or data from various microarchitectural buffers."