Wata ƙungiyar masu bincike daga Jami'ar Texas, Jami'ar Illinois, da Jami'ar Washington sun bayyana bayanai game da sabon iyali na hare-haren tashoshi (CVE-2022-23823, CVE-2022-24436), mai suna Hertzbleed. Hanyar kai hari da aka tsara ta dogara ne akan fasalulluka na sarrafa mitoci masu ƙarfi a cikin na'urori na zamani kuma suna shafar duk CPUs na Intel da AMD na yanzu. Mai yiwuwa, matsalar na iya bayyana kanta a cikin na'urori masu sarrafawa daga wasu masana'antun da ke goyan bayan sauye-sauyen mitoci masu ƙarfi, alal misali, a cikin tsarin ARM, amma binciken ya iyakance ga gwada kwakwalwan Intel da AMD. Ana buga rubutun tushen tare da aiwatar da hanyar kai hari akan GitHub (an gwada aiwatarwa akan kwamfuta tare da Intel i7-9700 CPU).
Don haɓaka amfani da wutar lantarki da hana zafi mai zafi, masu sarrafawa suna canza mitar da ƙarfi dangane da nauyi, wanda ke haifar da canje-canje a cikin aiki kuma yana shafar lokacin aiwatarwa (canjin mitar ta 1 Hz yana haifar da canji a cikin aiki ta sake zagayowar agogo 1 a kowane lokaci). na biyu). A lokacin binciken, an gano cewa a ƙarƙashin wasu sharuɗɗa akan na'urori masu sarrafawa na AMD da Intel, canjin mitar ya dace kai tsaye tare da bayanan da ake sarrafa, wanda, alal misali, yana haifar da gaskiyar cewa lokacin lissafin ayyukan "2022 + 23823" kuma "2022 + 24436" zai bambanta. Dangane da nazarin bambance-bambance a cikin lokacin aiwatar da ayyuka tare da bayanai daban-daban, yana yiwuwa a kaikaice dawo da bayanan da aka yi amfani da su a cikin ƙididdiga. A lokaci guda, a cikin cibiyoyin sadarwa masu sauri tare da jinkirin da ake iya faɗi akai-akai, ana iya kai hari daga nesa ta hanyar ƙididdige lokacin aiwatar da buƙatun.
Idan harin ya yi nasara, matsalolin da aka gano suna ba da damar tantance maɓallai masu zaman kansu bisa nazarin lokacin ƙididdigewa a cikin ɗakunan karatu na cryptographic waɗanda ke amfani da algorithms waɗanda ake yin lissafin lissafi koyaushe a cikin lokaci akai-akai, ba tare da la’akari da yanayin bayanan da ake sarrafa su ba. . Irin waɗannan ɗakunan karatu an yi la'akari da su an kare su daga hare-haren tashoshi na gefe, amma kamar yadda ya juya, an ƙayyade lokacin lissafin ba kawai ta hanyar algorithm ba, har ma da halaye na mai sarrafawa.
A matsayin misali mai amfani da ke nuna yuwuwar yin amfani da hanyar da aka tsara, an nuna wani hari kan aiwatar da tsarin SIKE (Supersingular Isogeny Key Encapsulation) maɓalli na ɓoyewa, wanda aka haɗa a cikin wasan ƙarshe na gasar cryptosystems na bayan-kumburi da Amurka ta gudanar. Cibiyar Ƙididdiga da Fasaha ta Ƙasa (NIST), kuma an sanya shi azaman kariya daga hare-haren tashoshi na gefe. A yayin gwajin, ta yin amfani da sabon bambance-bambancen harin dangane da zaɓaɓɓen rubutun (zaɓi a hankali a kan sarrafa rubutun da samun ɓoyayyen sa), yana yiwuwa a dawo da mabuɗin da aka yi amfani da shi don ɓoyewa gaba ɗaya ta hanyar ɗaukar ma'auni daga tsarin nesa, duk da haka. amfani da aiwatar da SIKE tare da lokacin ƙididdigewa akai-akai. Ƙayyade maɓallin 364-bit ta amfani da aiwatar da CIRCL ya ɗauki sa'o'i 36, kuma PQCrypto-SIDH ya ɗauki sa'o'i 89.
Intel da AMD sun yarda da raunin na'urori masu sarrafa su ga matsalar, amma ba su yi shirin toshe raunin ta hanyar sabunta microcode ba, tun da ba zai yiwu a kawar da raunin da ke cikin hardware ba tare da tasiri mai mahimmanci ga aikin hardware ba. Madadin haka, ana ba masu haɓaka ɗakunan karatu na sirri shawarwari kan yadda za a toshe ɓarnawar bayanai cikin tsari da tsari yayin yin lissafin sirri. Cloudflare da Microsoft sun riga sun ƙara irin wannan kariya ga aiwatar da SIKE ɗin su, wanda ya haifar da nasarar aikin 5% na CIRCL da 11% na wasan kwaikwayon PQCrypto-SIDH. Wata hanyar da za a bi don toshe raunin shine a kashe Turbo Boost, Turbo Core, ko Madaidaicin Yanayin Boost a cikin BIOS ko direba, amma wannan canjin zai haifar da raguwar aiki.
An sanar da Intel, Cloudflare da Microsoft game da batun a cikin kwata na uku na 2021, da AMD a cikin kwata na farko na 2022, amma an jinkirta bayyanawa jama'a batun har zuwa 14 ga Yuni, 2022 bisa buƙatar Intel. An tabbatar da kasancewar matsalar a cikin na'urori masu sarrafa tebur da kwamfutar tafi-da-gidanka dangane da ƙarni na 8-11 na Intel Core microarchitecture, da kuma na'urori daban-daban na tebur, wayar hannu da uwar garken AMD Ryzen, Athlon, A-Series da EPYC (masu bincike sun nuna hanyar. akan Ryzen CPUs tare da Zen microarchitecture 2 da Zen 3).
source: budenet.ru