Tawagar masu bincike daga ETH Zurich, Vrije Universiteit Amsterdam, da Qualcomm sun buga sabuwar hanyar kai hari a aji na RowHammer wanda ke ba da damar gyare-gyaren abubuwan da ke cikin ragowa guda ɗaya a cikin ƙwaƙwalwar damar shiga bazuwar (DRAM). An sanya harin lambar sunan Blacksmith da mai gano CVE-2021-42114. Yawancin kwakwalwan kwamfuta na DDR4 da aka kiyaye su daga hanyoyin ajin RowHammer da aka sani a baya suna da rauni ga wannan batun. An buga kayan aiki don tsarin gwaji don rauni akan GitHub.
A matsayin tunatarwa, hare-haren RowHammer yana lalata abubuwan da ke cikin raƙuman ƙwaƙwalwar ajiya ɗaya ta hanyar karatun cyclically daga sel ƙwaƙwalwar da ke kusa. Tunda ƙwaƙwalwar DRAM tsari ne mai girma biyu na sel, kowanne ya ƙunshi capacitor da transistor, ci gaba da karanta yankin ƙwaƙwalwar ajiya iri ɗaya yana haifar da jujjuyawar wutar lantarki da abubuwan da ba su da kyau, yana haifar da ɗan asarar caji a cikin sel masu kusa. Idan ƙarfin karantawa ya yi girma, tantanin halitta da ke kusa zai iya rasa adadi mai yawa na caji, kuma sake sakewa na gaba ba zai sami lokaci don mayar da ainihin yanayinsa ba, wanda zai canza darajar bayanan da aka adana a cikin tantanin halitta.
Don kare kariya daga RowHammer, masana'antun guntu sun ba da shawarar tsarin TRR (Target Row Refresh), wanda ke ba da kariya daga lalata ƙwayoyin sel a cikin layuka masu kusa. Duk da haka, tun da wannan kariyar ta dogara ne akan ka'idar "tsaro ta cikin duhu," ba ta magance tushen matsalar ba, amma kawai an kare shi daga sanannun, takamaiman lokuta, yana mai sauƙi nemo hanyoyin da ke kewaye da kariya. Misali, a watan Mayu, Google ya ba da shawarar hanyar Half-Double, wacce ba ta shafi kariyar TRR ba saboda harin ya shafi sel ba kusa da abin da ake hari kai tsaye ba.
Sabuwar hanyar Blacksmith tana ba da wata hanya ta daban don ketare kariyar TRR, dangane da rashin daidaiton samun damar shiga layuka biyu ko fiye da masu tada hankali a mitoci daban-daban don haifar da zubewar caji. Don ƙayyadadden tsarin samun damar ƙwaƙwalwar ajiya wanda ke haifar da caji, an ƙirƙiri fuzzer na musamman wanda ke zaɓar sigogin hari ta atomatik don takamaiman guntu, yana bambanta tsari, ƙarfi, da tsarin isa ga tantanin halitta.
Wannan hanyar, wacce ba ta kai hari ga sel iri ɗaya ba, yana sa hanyoyin kariya na TRR na yanzu ba su da tasiri. Waɗannan hanyoyin, a cikin nau'i ɗaya ko wani, suna dogara ne akan ƙidayar yawan adadin shiga tantanin halitta da aka maimaita kuma, lokacin da aka kai wasu ƙididdiga, fara cajin sel masu kusa. A cikin Blacksmith, tsarin shiga yana bazuwa a cikin sel da yawa a ɓangarori daban-daban na tantanin halitta, yana ba da damar yin caji ba tare da kai ga kofa ba.
Hanyar ta tabbatar da tasiri sosai fiye da hanyoyin wucewar TRR da aka gabatar a baya-masu binciken sun yi nasarar karkatar da ragi a cikin duk 40 da aka saya kwanan nan DDR4 kwakwalwan ƙwaƙwalwar ajiya daga Samsung, Micron, SK Hynix, da masana'anta da ba a san su ba (ba a nuna masana'anta akan guntu huɗu ba). Ta hanyar kwatanta, hanyar TRRespass, wanda masu bincike iri ɗaya suka gabatar a baya, yana da tasiri don kawai 13 daga cikin kwakwalwan kwamfuta 42 da aka gwada a lokacin.
Duk da yake ana tsammanin hanyar Blacksmith gabaɗaya za ta iya amfani da kashi 94% na dukkan kwakwalwan kwamfuta na DRAM a kasuwa, masu bincike sun ce wasu kwakwalwan kwamfuta sun fi rauni kuma suna da sauƙin kai hari fiye da sauran. Amfani da lambobi masu gyara kuskure (ECC) da ƙwaƙwalwar wartsakewa sau biyu a cikin waɗannan kwakwalwan kwamfuta ba su ba da cikakkiyar kariya ba amma yana dagula cin zarafi. Musamman ma, ba za a iya toshe raunin a cikin kwakwalwan kwamfuta da ake da su ba kuma yana buƙatar sabbin kariyar kayan masarufi, ma'ana harin zai ci gaba da kasancewa cikin shekaru masu zuwa.
An bayar da misalai masu amfani game da yadda ake amfani da Blacksmith don gyara abubuwan da ke cikin shigarwar a cikin teburin shafin ƙwaƙwalwa (PTE) don samun gata na kernel, lalata maɓallin RSA-2048 na jama'a da aka adana a cikin OpenSSH (za ku iya shigar da maɓallin jama'a cikin na wani injin kama-da-wane (daidai da maɓallin sirri na maharin don haɗawa da VM na wanda aka azabtar) da kuma kauce wa duba gata ta hanyar gyara ƙwaƙwalwar tsarin sudo don samun gata na tushen. Dangane da guntu, canza bit ɗin manufa ɗaya na iya ɗaukar ko'ina daga daƙiƙa 3 zuwa awanni da yawa don kammalawa.
Bugu da ƙari, tsarin buɗe tushen tushen LiteX Row Hammer Tester don gwada hanyoyin kariyar ƙwaƙwalwar ajiya akan harin RowHammer, wanda Antmicro ya haɓaka don Google, abin lura ne. Tsarin yana amfani da FPGA don cikakken sarrafa umarnin da aka aika kai tsaye zuwa guntu DRAM, kawar da tasirin mai sarrafa ƙwaƙwalwar ajiya. Akwai kayan aikin Python don hulɗa tare da FPGA. Ƙofar tushen FPGA ta haɗa da tsarin fakitin bayanai (yana ƙayyade tsarin samun damar ƙwaƙwalwar ajiya), Mai aiwatar da Payload, mai sarrafa tushen LiteDRAM (yana ɗaukar duk dabaru masu alaƙa da DRAM, gami da kunna layi da sabunta ƙwaƙwalwar ajiya), da VexRiscv CPU. Aikin aikin yana da lasisi ƙarƙashin lasisin Apache 2.0. Ana tallafawa dandamali daban-daban na FPGA, gami da Lattice ECP5, Xilinx Series 6, 7, UltraScale, da UltraScale+.
source: budenet.ru
