Kamar yadda kuka sani, lambar da aka aiwatar a cikin enclave tana da matuƙar iyaka a cikin ayyukanta. Ba zai iya yin kiran tsarin ba. Ba zai iya yin ayyukan I/O ba. Ba ta san asalin adireshin ɓangaren lambar aikace-aikacen mai watsa shiri ba. Ba zai iya jmp ko kiran lambar aikace-aikacen rundunar ba. Ba shi da wani ra'ayi game da tsarin sararin adireshi wanda ke tafiyar da aikace-aikacen mai watsa shiri (misali, waɗanne shafuka ne aka tsara ko wane nau'in bayanai ke cikin waɗannan shafuka). Ba zai iya tambayar tsarin aiki don taswirar yanki na ƙwaƙwalwar aikace-aikacen rundunar zuwa gare shi ba (misali, ta /proc/pid/maps). Ƙoƙarin butulci na karanta yankin ƙwaƙwalwar ajiya na aikace-aikacen runduna a makance, ba tare da ambaton yunƙurin rubutawa ba, ba dade ko ba jima (wataƙila tsohon) zai kai ga dakatarwar da shirin ya tilastawa. Wannan yana faruwa a duk lokacin da yankin sararin adireshi mai kama-da-wane da aka nema wanda keɓaɓɓen ya kasa samun damar aikace-aikacen mai masaukin baki.
Idan aka yi la’akari da irin waɗannan munanan haƙiƙanin, shin marubucin ƙwayar cuta zai iya amfani da ɓangarorin SGX don cimma munanan manufofinsa?
Dangane da duk abubuwan da ke sama, gabaɗaya an yarda cewa ƙaƙƙarfan ƙaƙƙarfan ƙaƙƙarfan ikon yin hidimar aikace-aikacen mai masaukin baki ne kawai, kuma cewa ƙaƙƙarfan ba zai iya aiwatar da nasa shirin ba, gami da na mugunta. Wannan yana nufin cewa ɓarna ba su da wani amfani mai amfani ga marubutan ƙwayoyin cuta. Wannan zato cikin gaggawa yana ɗaya daga cikin dalilan da yasa kariyar SGX ta kasance asymmetrical: lambar aikace-aikacen runduna ba za ta iya samun damar ƙwaƙwalwar ajiya ba, yayin da lambar ɓoye na iya karantawa da rubutawa zuwa kowane adireshin ƙwaƙwalwar ajiyar aikace-aikacen runduna.
Don haka, idan malicious enclave code ya sami damar yin kira na tsari na sabani a madadin aikace-aikacen mai watsa shiri, aiwatar da lambar sabani a madadinsa, bincika ƙwaƙwalwar ajiyar aikace-aikacen kuma nemo sarƙoƙin ROP na zagi a ciki, zai iya kama cikakken ikon aikace-aikacen runduna, a ciki. yanayin sirri. Ba zai iya sata da ɓoye fayilolin mai amfani kawai ba, amma kuma yana aiki a madadin mai amfani. Misali, aika saƙon imel a madadinsa ko gudanar da hare-haren DoS. Ba tare da fargabar ko da mafi kyawun hanyoyin kariya na zamani ba, kamar tari kanari da magance tsaftar muhalli.
Za mu nuna muku ƴan hacks da maharan ke amfani da su don shawo kan iyakokin da aka kwatanta a sama don cin gajiyar SGX don dalilai na mugunta: hare-haren ROP. Ko dai don aiwatar da code na sabani wanda aka canza azaman tsarin aikace-aikacen mai watsa shiri (mai kama da aiwatar da hollowing, wanda malware ke amfani da shi sau da yawa), ko don ɓarna malware da aka yi (don ceton malware ɗinsa daga tsanantawa ta hanyar riga-kafi da sauran hanyoyin tsaro).
Hack don bincika adiresoshin don ganin ko za a iya karanta su
Tun da ƙwanƙolin bai san waɗanne jeri na sararin adireshin kama-da-wane ke samun damar aikace-aikacen mai watsa shiri ba, kuma tun lokacin da aka tilasta wa shingen ƙarewa lokacin da ake ƙoƙarin karanta adireshin da ba zai iya isa ba, maharin yana fuskantar aikin nemo hanyar yin kuskure- a haƙuri bincika sararin adireshin. Nemo hanyar yin taswirar adiresoshin kama-da-wane da ake da su. Mugu yana magance wannan matsala ta hanyar yin amfani da fasahar TSX ta Intel. Yana amfani da ɗayan illolin TSX: idan aikin samun damar ƙwaƙwalwar ajiya an sanya shi a cikin ma'amala ta TSX, to, keɓancewar da suka taso daga samun damar adiresoshin da ba daidai ba suna danne ta TSX ba tare da isa ga tsarin aiki ba. Idan an yi ƙoƙarin samun dama ga adireshin ƙwaƙwalwar ajiya mara inganci, ma'amala ta yanzu kawai ta ƙare, ba duka shirin ɓoyewa ba. Wannan. TSX yana ba da damar ɓoye don samun damar shiga kowane adireshi amintacce daga cikin ma'amala - ba tare da haɗarin rushewa ba.
idan adireshin da aka ƙayyade yana samuwa aikace-aikacen mai watsa shiri, ma'amalar TSX galibi tana samun nasara. A lokuta da ba kasafai ba, yana iya gazawa saboda tasirin waje kamar katsewa (kamar katsewar mai tsarawa), korar cache, ko sauya wurin ƙwaƙwalwar ajiya lokaci guda ta matakai da yawa. A cikin waɗannan lokuta da ba kasafai ba, TSX tana dawo da lambar kuskure da ke nuna cewa gazawar ɗan lokaci ne. A cikin waɗannan lokuta, kawai kuna buƙatar sake farawa ciniki.
idan babu takamaiman adireshin aikace-aikacen mai watsa shiri, TSX yana hana keɓancewar abin da ya faru (ba a sanar da OS ba) kuma ya lalata ma'amala. Ana mayar da lambar kuskure zuwa lambar ɓoye don ta iya mayar da martani ga gaskiyar cewa an soke cinikin. Waɗannan lambobin kuskure suna nuna cewa adireshin da ake tambaya baya samuwa ga aikace-aikacen rundunar.
Wannan magudi na TSX daga ciki yana da kyakkyawan fasali ga mugu: tunda yawancin ƙididdiga na kayan aikin ba a sabunta su ba a lokacin da aka aiwatar da code ɗin, ba shi yiwuwa a bi diddigin ma'amalar TSX da aka kashe a cikin ɓarna. Don haka, magudin magudi na TSX ya kasance gaba ɗaya ganuwa ga tsarin aiki.
Bugu da ƙari, tun da hack ɗin da ke sama baya dogara ga kowane kira na tsarin, ba za a iya gano shi ko hana shi ta hanyar toshe kiran tsarin kawai; wanda yawanci yana ba da sakamako mai kyau a cikin yaki da farautar kwai.
Mugu yana amfani da hack ɗin da aka kwatanta a sama don bincika lambar aikace-aikacen rundunar don na'urorin da suka dace don ƙirƙirar sarkar ROP. A lokaci guda kuma, baya buƙatar bincika kowane adireshin. Ya isa a bincika adireshi ɗaya daga kowane shafi na sararin adireshin kama-da-wane. Binciken duk gigabytes 16 na ƙwaƙwalwar ajiya yana ɗaukar kusan mintuna 45 (akan Intel i7-6700K). A sakamakon haka, mugu yana karɓar jerin shafukan da za a iya aiwatarwa waɗanda suka dace don gina sarkar ROP.
Hack don bincika adiresoshin don rubutawa
Don aiwatar da nau'in harin ROP, maharin yana buƙatar samun damar bincika wuraren ƙwaƙwalwar ajiyar da ba a yi amfani da su ba na aikace-aikacen runduna. Maharin yana amfani da waɗannan wuraren ƙwaƙwalwar ajiya don allurar firam ɗin tari na karya da kuma allurar abin biya (shellcode). Maganar ƙasa ita ce ƙetaren ɓarna baya iya buƙatar aikace-aikacen mai watsa shiri don ware ƙwaƙwalwar ajiya don kansa, amma a maimakon haka yana iya yin amfani da ƙwaƙwalwar ajiya wanda aikace-aikacen mai watsa shiri ya riga ya keɓe. Idan, ba shakka, ya sami nasarar nemo irin waɗannan wuraren ba tare da rugujewa ba.
Mugu yana yin wannan bincike ta hanyar amfani da wani sakamako na TSX. Da farko, kamar yadda ya faru a baya, yana bincika adireshin don wanzuwarsa, sannan ya bincika ko shafin da ya dace da wannan adireshi na iya rubutawa. Don yin wannan, mugu yana amfani da hack mai zuwa: ya sanya aikin rubutawa a cikin ciniki na TSX, kuma bayan ya gama, amma kafin ya ƙare, ya tilasta wa ma'amala (zubar da ciki a bayyane).
Ta hanyar duba lambar dawowa daga ma'amalar TSX, maharin ya fahimci ko ana iya rubutawa. Idan "zubar da ciki a bayyane" ne, mugu ya fahimci cewa rikodin zai yi nasara idan ya bi ta. Idan shafin yana karantawa-kawai, to cinikin ya ƙare da kuskuren ban da "zubar da ciki bayyane".
Wannan magudi na TSX yana da wani fasalin da ke da kyau ga mugu (ban da rashin yiwuwar sa ido ta hanyar ƙididdiga na kayan aiki): tunda duk umarnin rubuta ƙwaƙwalwar ajiya ana yin su ne kawai idan ma'amala ta yi nasara, tilasta ma'amala don kammala yana tabbatar da cewa tantanin ƙwaƙwalwar ajiya da aka bincika. ya kasance baya canzawa.
Hack don karkatar da kwararar sarrafawa
Lokacin yin harin ROP daga wani yanki - sabanin hare-haren ROP na al'ada - maharin na iya samun ikon sarrafa rajistar RIP ba tare da yin amfani da kowane kwari a cikin shirin da aka kai harin ba (buffer overflow ko wani abu makamancin haka). Mai kai hari zai iya sake rubuta darajar rajistar RIP kai tsaye a kan tari. Musamman ma, yana iya maye gurbin darajar wannan rajista tare da sarkar ROP ta kansa.
Koyaya, idan sarkar ROP ta daɗe, to sake rubuta babban gungu na tarin aikace-aikacen runduna na iya haifar da ɓarna bayanai da halayen shirin ba zato ba tsammani. Mugun da ke neman kai harin nasa a boye bai gamsu da wannan halin da ake ciki ba. Don haka, yana ƙirƙira wa kanta juzu'in tari na ɗan lokaci kuma yana adana sarkar ROP a ciki. An sanya firam ɗin tari na karya a cikin wurin da ba za a iya rubutawa ba, yana barin ainihin tari.
Menene hacks guda uku da aka lissafa a sama suke ba wa mugu?
(1) Na farko, ƙeta ya ɓoye ta hack don bincika adiresoshin don ganin ko za a iya karanta su, - yana bincika aikace-aikacen mai watsa shiri don na'urorin ROP masu zagi.
(2) Sannan ta hanyar hack don bincika adiresoshin don rubutawa, - ɓarna mai ɓarna yana gano wuraren da ke cikin ƙwaƙwalwar ajiyar aikace-aikacen mai watsa shiri wanda ya dace da allurar da aka biya.
(3) Bayan haka, ƙugiya ta ƙirƙiri sarkar ROP daga na'urorin da aka gano a mataki na (1) kuma suna shigar da wannan sarkar cikin tarin aikace-aikacen runduna.
(4) A ƙarshe, lokacin da aikace-aikacen mai watsa shiri ya ci karo da sarkar ROP da aka ƙirƙira a matakin da ya gabata, nauyin ƙeta yana fara aiwatarwa - tare da damar aikace-aikacen mai watsa shiri da ikon yin kiran tsarin.
Yadda mugu yake amfani da waɗannan hacks don ƙirƙirar ranzowari
Bayan aikace-aikacen mai watsa shiri ya canja wurin sarrafawa zuwa gaɓoɓin ta hanyar ɗaya daga cikin ECALLs (ba tare da zargin cewa wannan ɓoyayyen ɓoyayyen ɓoyayyen abu ba ne), ɓoyayyiyar ɓarna tana neman sarari kyauta a cikin ƙwaƙwalwar ajiyar aikace-aikacen rundunar don shigar da lambar (ɗaukarwa kyauta ga jerin sel. wanda ya cika da sifili). Sannan ta hanyar hack don bincika adiresoshin don ganin ko za a iya karanta su, - enclave yana bincika shafukan da za'a iya aiwatarwa a cikin aikace-aikacen mai watsa shiri kuma ya haifar da sarkar ROP wanda ke haifar da sabon fayil mai suna "RANSOM" a cikin kundin adireshi na yanzu (a cikin ainihin harin, ɓoye yana ɓoye fayilolin mai amfani da ke akwai) kuma yana nuna saƙon fansa. A lokaci guda, aikace-aikacen mai watsa shiri ya yi imani da cewa ƙaƙƙarfan yana ƙara lambobi biyu kawai. Menene wannan yayi kama a cikin code?
Don sauƙin fahimta, bari mu gabatar da wasu mnemonics ta ma'anar:
Muna adana ƙimar asali na RSP da RBP rajista don dawo da aiki na yau da kullun na aikace-aikacen mai watsa shiri bayan aiwatar da kaya:
Muna neman firam ɗin tari mai dacewa (duba lambar daga sashin "hack don turawa iko").
Nemo na'urorin ROP masu dacewa:
Nemo wurin yin allurar abin biya:
Muna gina sarkar ROP:
Wannan shine yadda fasahar SGX ta Intel, wacce aka ƙera don magance munanan shirye-shirye, ke amfani da miyagu don cimma maƙasudai dabam dabam.
source: www.habr.com