Attack on Intel SGX to extract sensitive data or execute code inside an enclave

Researchers from the Defence Science and Technology University of the People's Liberation Army, the National University of Singapore and ETH Zurich have developed a new attack technique against isolated Intel SGX (Software Guard eXtensions) enclaves. The attack is called SmashEx and is based on re-entrancy problems that arise when exception conditions are handled during the operation of Intel SGX runtime components. The proposed attack method allows an attacker who controls the operating system to determine confidential data held inside the enclave, or to arrange for their own code to be copied into enclave memory and executed there.

Working exploit prototypes were prepared for enclaves whose runtimes are based on the Intel SGX SDK (CVE-2021-0186) and Microsoft Open Enclave (CVE-2021-33767). In the first case, the ability to extract the RSA key used by a web server for HTTPS was demonstrated; in the second, it was possible to determine the content retrieved by cURL running inside the enclave. The vulnerability has already been fixed in software in the Intel SGX SDK 2.13 and Open Enclave 0.17.1 releases. Besides the Intel SGX SDK and Microsoft Open Enclave, the vulnerability also appears in the Google Asylo SDK, EdgelessRT, Apache Teaclave, Rust SGX SDK, SGX-LKL, CoSMIX and Veracruz.

Recall that SGX (Software Guard Extensions) technology appeared in sixth-generation Intel Core processors (Skylake) and provides a set of instructions that let user-level applications allocate encrypted memory regions, called enclaves, whose contents cannot be read or modified even by the kernel or by code running in ring0, SMM and VMM modes. Control cannot be transferred to code inside an enclave with ordinary jump instructions or by manipulating registers and the stack; instead, the specially introduced instructions EENTER, EEXIT and ERESUME are used to transfer control to the enclave, and they perform the authorization checks. Code placed inside the enclave can use conventional calling methods to reach functions inside the enclave, and special instructions to call external functions. Enclave memory encryption protects against hardware attacks such as tapping the DRAM module.


The problem is that SGX technology allows the operating system to interrupt an enclave by raising a hardware exception, while enclaves do not implement the primitives needed to handle such exceptions atomically. Unlike the operating system kernel and ordinary applications, code inside an enclave has no access to primitives for making its actions atomic while an asynchronously raised exception is being handled. Without such atomic primitives, the enclave can be interrupted at any moment and later resumed, including at moments when the enclave is executing a critical section and is in an unsafe state (for example, while CPU registers have not yet been saved or restored).


For normal operation, SGX technology permits enclave execution to be interrupted by hardware exceptions. This feature lets enclave runtime environments implement intra-enclave exception handling or signal handling, but it can also lead to re-entrancy errors. The SmashEx attack exploits flaws in the SDKs caused by improper handling of the situation in which the exception handler is entered again. Note that to exploit the vulnerability the attacker must be able to interrupt enclave execution, that is, they must control the system environment.

After raising an exception, the attacker gets a small time window during which the execution thread can be intercepted by manipulating input parameters. In particular, with access to the system (the environment outside the enclave), one can raise a new exception immediately after the enclave entry instruction (EENTER) executes, which returns control to the system at a stage when stack setup for the enclave has not yet completed and the CPU register state has only just been saved.

The system can then return control to the enclave, but since the stack had not been set up at the moment of interruption, the enclave will run with a stack residing in system memory, which can be used to apply return-oriented programming (ROP) exploitation techniques. With the ROP technique, the attacker does not try to place their own code in memory, but instead works with fragments of machine instructions already present in loaded libraries that end with a return instruction (as a rule, the tails of library functions). The exploit's work comes down to building a chain of calls to such blocks ("gadgets") to obtain the desired functionality.
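As an added illustration (not code from the SmashEx paper, the Intel SGX SDK or Open Enclave), the following C model shows the entry-phase check an enclave runtime needs so that an exception-driven re-entry arriving between EENTER and trusted-stack setup is refused rather than run on a stack the untrusted side supplied; the `tcs` structure, state names and function names are hypothetical.

```c
/* Hypothetical model of an enclave runtime's entry path (not the SGX SDK's
 * or Open Enclave's code). It contrasts an entry routine that accepts an
 * exception re-entry in any phase with one that refuses it until the
 * trusted stack exists and the thread is fully inside the enclave. */
#include <stdint.h>

enum tcs_state { TCS_OUTSIDE, TCS_ENTERING, TCS_INSIDE, TCS_IN_HANDLER };
enum entry_kind { ENTRY_ECALL, ENTRY_EXCEPTION };

struct tcs {                 /* model of one thread control structure */
    enum tcs_state state;
    uintptr_t trusted_sp;    /* stack inside enclave memory; 0 until set up */
};

/* Vulnerable model: exception entry never checks which phase the thread is
 * in. An exception raised right after EENTER (state ENTERING, trusted_sp == 0)
 * therefore runs the handler on the stack pointer the untrusted side passed.
 * Returns the stack pointer the handler would use, or 0 if entry is refused. */
uintptr_t enter_vulnerable(struct tcs *t, enum entry_kind k, uintptr_t untrusted_sp)
{
    if (k == ENTRY_ECALL) {
        if (t->state != TCS_OUTSIDE) return 0;
        t->state = TCS_ENTERING;                 /* stack not yet configured */
        return 0;
    }
    t->state = TCS_IN_HANDLER;
    return t->trusted_sp ? t->trusted_sp : untrusted_sp;   /* the flaw */
}

/* Hardened model: exception entry is valid only while the thread is fully
 * inside the enclave on a trusted stack; nested handler entry is refused and
 * the untrusted stack pointer is never used for execution. */
uintptr_t enter_hardened(struct tcs *t, enum entry_kind k, uintptr_t untrusted_sp)
{
    (void)untrusted_sp;
    if (k == ENTRY_ECALL) {
        if (t->state != TCS_OUTSIDE) return 0;
        t->state = TCS_ENTERING;
        return 0;
    }
    if (t->state != TCS_INSIDE || t->trusted_sp == 0) return 0;
    t->state = TCS_IN_HANDLER;
    return t->trusted_sp;
}

/* Called by the runtime once the trusted in-enclave stack is established. */
void finish_entry(struct tcs *t, uintptr_t trusted_sp)
{
    t->trusted_sp = trusted_sp;
    t->state = TCS_INSIDE;
}
```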



source: budenet.ru
