Cybersecurity Newsletter, November 9 - 15
Qrator Newsletter

Greetings! As usual on Sundays, this is a weekly cybersecurity news round-up, covering the articles published between November 9 and 15, 2020.

Hackers can use just-fixed Intel bugs to install malicious firmware on PCs

"Since CVE-2020-8705 requires physical access, it is harder for an attacker to use than a remote exploit. However, there are a few realistic attack scenarios where it could be used.
One example is when clearing customs at an airport. Most travellers close their laptop during descent and allow it to enter S3 sleep. If the device is taken by the adversarial agency upon landing, the disk encryption keys are still in memory. The adversary can remove the bottom cover and attach an in-system flash emulator like the spispy to the flash chip. They can wake the machine and provide it with their firmware via the spispy. This firmware can scan memory to locate the OS lock screen process and disable it, and then allow the system to resume normally. Now they have access to the unlocked device and its secrets, with no need to compel the owner to provide a password."

Routing on multiple optimality criteria

"Our idea is to abstain from the selection between any two paths whenever such a selection would violate isotonicity, trading singleness of path selection at nodes for isotonicity. In the example of the shortest of widest paths, nodes refrain from selecting between two paths if, and only if, one of them has greater width and the other has smaller length."
ACM publication: https://dl.acm.org/doi/abs/10.1145/3387514.3405864
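A small added illustration of the rule quoted above, written for this newsletter and not taken from the paper: paths are compared on width (to maximize) and length (to minimize); a node keeps every path that no other path beats on both criteria, and the candidate set and link values are constructed for the example.

```python
from typing import NamedTuple

class Path(NamedTuple):
    name: str
    width: int   # bottleneck bandwidth along the path (more is better)
    length: int  # hop count or delay (less is better)

def dominates(p: Path, q: Path) -> bool:
    """p is at least as wide and at least as short as q, and strictly better in one of them."""
    return (p.width >= q.width and p.length <= q.length
            and (p.width > q.width or p.length < q.length))

def select(paths: list[Path]) -> list[Path]:
    """Keep every non-dominated path; only paths with identical width and length collapse to one.
    Two paths where one is wider and the other is shorter are both kept (no selection is made)."""
    kept: list[Path] = []
    for p in paths:
        if any(dominates(q, p) for q in paths):
            continue
        if any(k.width == p.width and k.length == p.length for k in kept):
            continue  # equal attributes: choosing either one cannot violate isotonicity
        kept.append(p)
    return kept

def extend(paths: list[Path], link_width: int, link_length: int) -> list[Path]:
    """Prepend a link: width becomes the new bottleneck, length grows by the link's length."""
    return [Path(p.name, min(p.width, link_width), p.length + link_length) for p in paths]

def shortest_widest(paths: list[Path]) -> Path:
    """The classic single-path rule: widest path first, shortest among the widest."""
    return max(paths, key=lambda p: (p.width, -p.length))

# Constructed candidate paths advertised to one node: (name, width, length).
CANDIDATES = [Path("a", 10, 3), Path("b", 20, 5), Path("c", 20, 4), Path("d", 5, 1)]
```

Running `select(CANDIDATES)` keeps a, c and d, while `shortest_widest` would keep only c; after extending through a link of width 8 and length 2, a becomes (8, 5) and beats c at (8, 6), which is exactly the ranking reversal that single selection at the upstream node would have hidden.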

How Netflix Scales its API with GraphQL Federation (Part 1)

"Netflix is known for its loosely coupled and highly scalable microservice architecture. Independent services allow for evolving at different paces and scaling independently. Yet they add complexity for use cases that span multiple services. Rather than exposing 100s of microservices to UI developers, Netflix offers a unified API aggregation layer at the edge."

PLATYPUS attack

"With PLATYPUS, we present novel software-based power side-channel attacks on Intel server, desktop and laptop CPUs. We exploit the unprivileged access to the Intel RAPL interface exposing the processor's power consumption to infer data and extract cryptographic keys."

A Bottom-Up Investigation of the Transport-Layer Ossification

"Among the 52.8 million paths probed by our algorithm, our detection method discovered that 20.5 million (38.9%) paths are crossing at least one middlebox. More precisely:
32.4% of these paths include a benign middlebox.
6.5% of these paths are potentially impaired.
0.1% of these paths involve a middlebox that blocks traffic, which in the absence of a fallback mechanism, results in a connectivity failure.
0.8% of these paths are broken as they include multiple impairments, that is, they have two or more disabled features disrupting traffic and negotiation. Finally, 5.6% of paths are affected by traffic disruption middleboxes."

PCF: Provably Resilient Flexible Routing

"Recently, traffic engineering mechanisms have been developed that guarantee that a network (cloud provider WAN, or ISP) does not experience congestion under failures. In this paper, we show that existing congestion-free mechanisms, notably FFC, achieve performance far short of the network’s intrinsic capability. We propose PCF, a set of novel congestion-free mechanisms to bridge this gap. PCF achieves these goals by better modeling network structure, and by carefully enhancing the flexibility of network response while ensuring that the performance under failures can be tractably modeled. All of PCF’s schemes involve relatively light-weight operations on failures, and many of them can be realized using a local proportional routing scheme similar to FFC. We show PCF’s effectiveness through formal theoretical results, and empirical experiments over 21 Internet topologies. PCF’s schemes provably out-perform FFC, and in practice, can sustain higher throughput than FFC by a factor of 1.11X to 1.5X on average across the topologies, while providing a benefit of 2.6X in some cases."

Maglev: A Fast and Reliable Software Network Load Balancer

"Maglev is Google’s network load balancer. It is a large distributed software system that runs on commodity Linux servers. Unlike traditional hardware network load balancers, it does not require a specialized physical rack deployment, and its capacity can be easily adjusted by adding or removing servers. Network routers distribute packets evenly to the Maglev machines via Equal Cost Multipath (ECMP); each Maglev machine then matches the packets to their corresponding services and spreads them evenly to the service endpoints. To accommodate high and ever-increasing traffic, Maglev is specifically optimized for packet processing performance. A single Maglev machine is able to saturate a 10Gbps link with small packets. Maglev is also equipped with consistent hashing and connection tracking features, to minimize the negative impact of unexpected faults and failures on connection-oriented protocols. Maglev has been serving Google’s traffic since 2008. It has sustained the rapid global growth of Google services, and it also provides network load balancing for Google Cloud Platform."
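An added example for this item, written for the newsletter and not Google's code: the permutation-table form of consistent hashing that the Maglev paper describes, built over a constructed pool of five backends, with a plain modulo assignment beside it to show how many connections each scheme moves when one backend disappears. The hash functions and the table size of 1021 are assumptions for the example.

```python
import hashlib

def _h(data: str, salt: bytes) -> int:
    """Stand-in for the independent hash functions Maglev uses (assumption: any good hash will do)."""
    return int.from_bytes(hashlib.sha256(salt + data.encode()).digest()[:8], "big")

def permutation(backend: str, m: int) -> list[int]:
    """Backend's preference order over the m slots; m must be prime so every slot is visited once."""
    offset = _h(backend, b"offset") % m
    skip = _h(backend, b"skip") % (m - 1) + 1
    return [(offset + j * skip) % m for j in range(m)]

def build_table(backends: list[str], m: int = 1021) -> list[str]:
    """Backends take turns claiming the next free slot in their own preference order."""
    if not backends:
        raise ValueError("need at least one backend")
    perms = [permutation(b, m) for b in backends]
    nxt = [0] * len(backends)
    entry = [-1] * m
    filled = 0
    while True:
        for i in range(len(backends)):
            c = perms[i][nxt[i]]
            while entry[c] >= 0:  # slot already claimed: advance to this backend's next preference
                nxt[i] += 1
                c = perms[i][nxt[i]]
            entry[c] = i
            nxt[i] += 1
            filled += 1
            if filled == m:
                return [backends[e] for e in entry]

def lookup(table: list[str], five_tuple: tuple) -> str:
    """Hash the connection 5-tuple to a slot; the slot names the backend."""
    return table[_h(repr(five_tuple), b"flow") % len(table)]

def naive_table(backends: list[str], m: int = 1021) -> list[str]:
    """Plain modulo assignment for comparison: slot s goes to backends[s % N]."""
    return [backends[s % len(backends)] for s in range(m)]

def survivor_churn(old: list[str], new: list[str]) -> float:
    """Share of slots owned by a backend that is still present which moved to a different backend."""
    survivors = set(new)
    owned = [(a, b) for a, b in zip(old, new) if a in survivors]
    return sum(1 for a, b in owned if a != b) / len(owned)

BACKENDS = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5"]  # constructed pool
```

Comparing `survivor_churn` for the Maglev table against the modulo table after dropping one backend shows why the quoted text pairs consistent hashing with connection tracking: most surviving flows keep their backend even before tracking state is consulted.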

SAD DNS

"SAD DNS is a revival of the classic DNS cache poisoning attack (which no longer works since 2008) leveraging novel network side channels that exist in all modern operating systems, including Linux, Windows, macOS, and FreeBSD. This represents an important milestone --- the first weaponizable network side channel attack that has serious security impacts. The attack allows an off-path attacker to inject a malicious DNS record into a DNS cache (e.g., in BIND, Unbound, dnsmasq)."

Repository of the week - FlashRoute: Efficient Traceroute on Massive Scale

ACM publication: https://dl.acm.org/doi/pdf/10.1145/3419394.3423619

Thanks for being a great subscriber!

For feedback or any suggestions, please write to us at cybersec@qrator.net.