New Versions of Spectre Vulnerability Found

Chrome / Chromium, Edge, Safari and other browsers based on WebKit and Blink are under the thread
13 July 2018   380

The information about new vulnerabilities in the mechanism of work of processors is published. The attack is based on the principles of the Spectre operation and consists in restoring the data in the processor cache when the instructions are speculative. Chrome introduces strict isolation of sites.

How it works

Specter 1.1
It is based on the principles of the Specter 1. Unlike the previously identified vulnerability, the code is executed, not read. This causes the buffer to overflow and cache the results. This method of attacks allow to restore the contents of the cache and send information to third-party channels that analyze the access time to the cached and not pro-cached data.

Specter 1.2.
The principle of operation is similar to the execution of Spectra 1 scenarios, but memory areas with a "read only" flag are used. In doing so, Specter 1.2 only achieves the definition of pointer and metadata values ​​to bypass the constraints of sandbox environments.

Solution

The available methods for eliminating vulnerabilities require further development and modernization. One of the many scenarios involves adding LFENCE instructions to the application compilation process or at the hardware level. In addition, existing buffer overflow modes can also be an effective protection against vulnerabilities.

Browsers

Chrome / Chromium, Edge, Safari and other browsers based on WebKit and Blink are under the thread. It is based on opening a page with a decorated JavaScript code and forms in JIT the necessary set of instructions for the attacker. This code execution script allows to read the contents of the process address space and get information about stored keys and passwords.

In this regard, Google introduces strict isolation of sites for 99% of users of Chrome 67. The mechanism is to place different pages of sites in the memory of different processors using a personal safe execution environment. The introduction of the strict isolation mode will increase the processor's memory consumption by the browser by 10-13%.

BIF-2018 to be Held This Week

Representatives of the IT community will gather again in the Belgorod Philharmonic to discuss prospects for the development of the IT industry and modern trends in digital solutions
10 September 2018   370

On September 15, Belgorod will host the second IT-forum, which will bring together more than a thousand participants from different regions of the country. As in the past year, the central part of the event will be held in the Belgorod Philharmonic.

BIF2017BIF-2017

The primary goal of the forum is to show that it is possible to work in our region and at the same time create products that will be relevant all over the world. And every year it becomes easier. In IT there are no boundaries, they exist only in the minds, but these borders can also be erased, and this is how the forum helps. At such events, teams from different cities are formed and they can create joint products.

 

Yevgeny Miroshnikov

Head of the department of information technologies and communications of the regional governor's administration

The educational program has changed this year regarding the format of the presentation and the time of the speeches. Participants now can dive into the topic in a shorter time. The program is almost formed - representatives of VKontakte, GetTaxi, Sberbank-Technologies, Alfa-Bank, Dodo Pizza, Internet Initiatives Development Fund and many other companies will make presentations.

Last year, the forum participants wondered why there was no design course. Indeed, there were only a couple of reports from designers in the digital section. We heed the wishes of the participants and this year we are preparing a full-fledged direction in design, inviting experts working on projects in Artemiy Lebedev's studio, Alfa Bank and other top technological companies.

 

Dmitry Zadochin

Head of the IT Development Center of the Belgorod Informational Fund

In addition to design, the flexible methodologies of project management - Agile and Scrum, will also be discussed in a separate area. For civil servants, There is also a separate section for civil servants dedicated to smart cities.

There is today much talk about smart cities and how information technologies change different spheres of life. At the same time, "smart city" is a collective concept, because there is no clear definition of what it is. At a particular section of the Smart City Day, we'll talk about what technologies help make the life of the city better. The main areas will be health, transportation, and culture.

 

Yevgeny Miroshnikov

Head of the department of information technologies and communications of the regional governor's administration

Yevgeny also added that there is an ambitious goal regarding smart roads on the state level - the number of road deaths must be zero. The forum is planned to hold a council under the governor for innovative technological development, where application solutions will be presented to make the roads safe. There are already unique developments in Belgorod that will soon be announced.

After the completion of the educational program for the forum participants will perform a concert orchestra of wind instruments under the leadership of Yuri Merkulov. And there will be an afterparty in one of the city’s restaurants after the symphony concert.

The event will begin at 10:00 with a panel discussion, after which the speeches will start in five sections.

More information:

  • Website
  • ‎Vkontakte