.NET Standard 2.1 to be Released

The IT giant has added many new features and updates to its programming platform standard
07 November 2018   1557

Microsoft developers have updated .NET Standard to version 2.1, adding a number of improvements and a large number of APIs. .NET Standard is a set of common interface specifications for the .NET Framework, .NET Core, Mono, Xamarin, and others. A library that meets the .NET Standard specification can be used on other .NET platforms.

Main updates:

  • Span data type support for all platforms. Span makes it possible to work with strings, arrays and other types of data, and introduces an abstraction for accessing a given section of memory for both reading and writing. This will simplify development. In general, Span is at the heart of most performance improvements in .NET Core 2.1.
  • Foundational-API: an updated standard for performance. Unlike Span, it expands the list of programming interfaces rather than data types.
  • Updated ValueTask type for high-load scenarios. ValueTask returns the result without creating a new task if the operation completes synchronously, which affects overall software performance. Using ValueTask minimizes overhead on a PC or server. The type itself appeared in .NET Core 2.1, and in the new version it additionally uses types such as Socket and NetworkStream.
  • Reflection emit adds technology for generating types 'on the fly'. It was already in use separately, but is now included in the standard. The .NET ecosystem usually makes extensive use of dynamic functions, so Reflection emit helps optimize system performance.
  • The previously used SIMD API is now included in .NET Standard in the NuGet package.
  • The DbProviderFactories primitive has appeared. It makes it easier for libraries and applications to use ADO.NET technology. The registered instance of DbProviderFactory is selected by name from the database configuration parameters.
  • System.HashCode and System.String functions have been added to the base class libraries.

About 3 thousand APIs are planned for .NET Standard 2.1, some of which will simply be updated, while others will be completely new. This solves the problem of sharing code for .NET developers on all platforms. Learn more at the official blog.

Ledger to Discover HSM Vulnerability

An HSM is an external device designed to store public and private keys used to generate digital signatures and to encrypt data; it is used by banks, exchanges, etc.
10 June 2019   1639

A group of researchers from Ledger has identified several vulnerabilities in Hardware Security Module (HSM) devices that can be used to extract keys or to perform a remote attack that replaces the firmware of an HSM device. The problem report is currently available only in French; the English-language report is scheduled to be published in August during the Black Hat USA 2019 conference. An HSM is a specialized external device designed to store public and private keys used to generate digital signatures and to encrypt data.

An HSM significantly increases protection because it completely isolates keys from the system and applications, exposing only an API for basic cryptographic primitives that are implemented on the device side. Typically, HSMs are used where the highest level of protection is required, for example in banks, cryptocurrency exchanges, and certification authorities that check and generate certificates and digital signatures.

The proposed attack methods allow an unauthenticated user to gain complete control over the contents of the HSM, including extracting all the cryptographic keys and administrative credentials stored on the device. The problems are caused by a buffer overflow in the internal PKCS #11 command handler and by an error in the implementation of the cryptographic protection of the firmware, which makes it possible to bypass the firmware check based on a PKCS #1 v1.5 digital signature and load one's own firmware into the HSM.

The name of the manufacturer whose HSM devices are vulnerable has not yet been disclosed, but the affected devices are said to be used by some large banks and cloud service providers. It is also reported that information about the problems was sent to the manufacturer earlier and that it has already fixed the vulnerabilities in a recent firmware update. Independent researchers suggest that the problem may be in devices from Gemalto, which in May released an update to Sentinel LDK that fixes vulnerabilities whose details are still not public.