Thursday, February 25, 2021
  • Setup menu at Appearance » Menus and assign menu to Top Bar Navigation
Advertisement
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
No Result
View All Result
Home Internet Security

Facebook awards $100,000 prize for new code isolation technique

August 20, 2019
in Internet Security
Facebook awards $100,000 prize for new code isolation technique
585
SHARES
3.3k
VIEWS
Share on FacebookShare on Twitter

Facebook has awarded a $100,000 prize to a team of academics from Germany for developing a new code isolation technique that can be used to safeguard sensitive data while it’s being processed inside a computer.

The award is named the Internet Defense Prize, and is a $100,000 cash reward that Facebook has been giving out yearly since 2014 to the most innovative research presented at USENIX, a leading security conference that takes place every year in mid-August in the US.

You might also like

Google funds Linux kernel developers to work exclusively on security

Want to pass on your old PCs to good causes? Here’s how to do it while staying secure

Red Hat closes StackRox Kubernetes security acquisition

This year’s winners are six academics from Germany-based Saarland University and the Max Planck Institute for Software Systems.

The six-man research team developed ERIM, a new technique that combines both hardware and software security features to provide a new way of isolating sensitive data processed inside a computer.

The novelty of this technique is that ERIM does this with little performance overhead, making it ideal for deployment in real-world environments.

The ancient problem of isolating sensitive data — efficiently

Isolating sensitive data during execution has always been a problem. Home computers or servers need to keep an application’s most sensitive data secure while the app is running.

For example, servers need to isolate cryptographic keys in a network-facing service, so an attacker connecting to the server won’t be able to grab encryption or session keys by using vulnerabilities in the server software.

Similarly, attackers can exploit vulnerabilities in an app’s linked components/libraries to extract sensitive user data processed by a different component — for example, a browser’s PDF library can grant attackers access to passwords or cookies.

For these reasons, finding a way to isolate data has always been an ongoing issue. Over the years, several methods have been proposed for dealing with this problem.

At the software level, there’s software fault isolation (SFI), while at the hardware level there’s nested paging, VMFUNC, or MPK. However, both types of protections are known to require modifications to an app’s code and compiler system, or are known to incur performance overheads when executing code from untrusted sources. This overhead has been measured to vary between 10% and 42%, which is quite the performance impact that many companies running production systems aren’t willing to take.

What is ERIM

ERIM was created to address this performance overhead on some CPU architectures, namely on Intel x86 CPUs.

The new technique works by leveraging Intel memory protection keys (MPKs), a new hardware-based security feature added to Intel CPUs since the mid-2010s, which allows data being processed inside an Intel CPU to be split across multiple CPU memory virtual pages.

Each memory page is signed by a 4-bit domain ID, allowing an app’s process space to be split into smaller domains where data can be safely processed (to achieve in-process data isolation).

The problem is that when apps leverage the new Intel MPK security feature, switching between these domains slows down the speed at which an app can read desired data — and, hence, it’s performance.

Furthermore, just using MPK doesn’t guarantee in-process data isolation, as a malicious component can grant itself the ability to modify the PKRU, a register that controls which app components can write to which CPU virtual memory page — effectively neutralizing MPK as a security feature.

What ERIM brings to the table is a near-zero performance overhead while also using a binary inspection technique to watch out for PKRU modifications.

ERIM can determine if these PKRU modifications are “safe” and even rewrite binary code to eliminate “unintentional occurrences of PKRU-updating instructions,” effectively keeping an app’s MPK implementation secure from malicious code attempting to bypass the feature.

Real-world applicability

According to the research team, ERIM tests have revealed performance overheads of under 1% for apps that need to make over 100,000 switches between CPU memory pages — something that happens a lot in web servers.

Tests with ERIM applied to NGINX showed that an ERIM-protected web server had a web requests throughoutput of within 5% of a normal server.

This would make it cost-effective to deploy the technique to protect sensitive data such as encryption or session keys on this type of web server.

erim-on-nginx.png

Image: Vahldiek-Oberwagner et al.

Furthermore, ERIM also outperformed all other code isolation techniques, such as SFI MPX, VMFUNC, or LwC.

erim-on-nginx-vs-others.png

Image: Vahldiek-Oberwagner et al.

In addition, the research team claimed that ERIM can be applied with little effort to new and existing applications, doesn’t require compiler changes, and can run on a stock Linux kernel — eliminating all the other issues that made in-process code isolation a problem for the developer community.

“The authors’ approach stands out because it achieves much better runtime efficiency due to lower overhead, which makes it practical for real-world use in production environments,” said Pieter Hooimeijer, Engineering Manager at Facebook.

“If this type of defense finds widespread use, it will help eliminate an entire class of security exploits.”

Additional details are available in this PDF of the ERIM white paper that was presented at USENIX last week. The paper’s title is “ERIM: Secure, Efficient In-process Isolation with Protection Keys (MPK).”

Related cybersecurity coverage:

Credit: Zdnet

Previous Post

Top 6 Expert Tips To Create A Highly Functional Chatbot

Next Post

Reinforcement Learning Improvement - Becoming Human: Artificial Intelligence Magazine

Related Posts

Google funds Linux kernel developers to work exclusively on security
Internet Security

Google funds Linux kernel developers to work exclusively on security

February 25, 2021
Want to pass on your old PCs to good causes? Here’s how to do it while staying secure
Internet Security

Want to pass on your old PCs to good causes? Here’s how to do it while staying secure

February 24, 2021
Red Hat closes StackRox Kubernetes security acquisition
Internet Security

Red Hat closes StackRox Kubernetes security acquisition

February 24, 2021
COVID pandemic causes spike in cyberattacks against hospitals, medical companies
Internet Security

COVID pandemic causes spike in cyberattacks against hospitals, medical companies

February 24, 2021
Bill establishing cyber abuse takedown scheme for adults enters Parliament
Internet Security

Bill establishing cyber abuse takedown scheme for adults enters Parliament

February 24, 2021
Next Post
Reinforcement Learning Improvement – Becoming Human: Artificial Intelligence Magazine

Reinforcement Learning Improvement - Becoming Human: Artificial Intelligence Magazine

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recommended

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

January 6, 2019
Microsoft, Google Use Artificial Intelligence to Fight Hackers

Microsoft, Google Use Artificial Intelligence to Fight Hackers

January 6, 2019

Categories

  • Artificial Intelligence
  • Big Data
  • Blockchain
  • Crypto News
  • Data Science
  • Digital Marketing
  • Internet Privacy
  • Internet Security
  • Learn to Code
  • Machine Learning
  • Marketing Technology
  • Neural Networks
  • Technology Companies

Don't miss it

Google funds Linux kernel developers to work exclusively on security
Internet Security

Google funds Linux kernel developers to work exclusively on security

February 25, 2021
Online Trackers Increasingly Switching to Invasive CNAME Cloaking Technique
Internet Privacy

Online Trackers Increasingly Switching to Invasive CNAME Cloaking Technique

February 25, 2021
Off-chain reporting: Toward a new general purpose secure compute framework by Chainlink
Big Data

Off-chain reporting: Toward a new general purpose secure compute framework by Chainlink

February 25, 2021
Even Small Companies Use AI, Machine Learning
Machine Learning

Even Small Companies Use AI, Machine Learning

February 25, 2021
How Is Machine Learning Revolutionizing Supply Chain Management | by Gina Shaw | Feb, 2021
Neural Networks

How Is Machine Learning Revolutionizing Supply Chain Management | by Gina Shaw | Feb, 2021

February 25, 2021
Reaching customers at scale without losing their trust: Wednesday’s daily brief
Digital Marketing

Reaching customers at scale without losing their trust: Wednesday’s daily brief

February 25, 2021
NikolaNews

NikolaNews.com is an online News Portal which aims to share news about blockchain, AI, Big Data, and Data Privacy and more!

What’s New Here?

  • Google funds Linux kernel developers to work exclusively on security February 25, 2021
  • Online Trackers Increasingly Switching to Invasive CNAME Cloaking Technique February 25, 2021
  • Off-chain reporting: Toward a new general purpose secure compute framework by Chainlink February 25, 2021
  • Even Small Companies Use AI, Machine Learning February 25, 2021

Subscribe to get more!

© 2019 NikolaNews.com - Global Tech Updates

No Result
View All Result
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News

© 2019 NikolaNews.com - Global Tech Updates