Rukunin masu bincike daga jami'o'in Amurka, Ostireliya da Isra'ila sun ba da shawarar sabuwar dabarar kai hari ta hanyar tasha don yin amfani da raunin yanayin Specter a cikin masu bincike bisa injin Chromium. Harin, mai suna Spook.js, yana ba ku damar keɓance tsarin keɓewar rukunin ta hanyar gudanar da lambar JavaScript kuma karanta abubuwan da ke cikin gabaɗayan sararin adireshi na tsarin yanzu, watau. samun damar bayanai daga shafukan da ke gudana a wasu shafuka, amma ana sarrafa su a cikin tsari iri ɗaya.
Tun da Chrome yana gudanar da shafuka daban-daban a cikin matakai daban-daban, ikon aiwatar da hare-hare masu amfani yana iyakance ga ayyukan da ke ba masu amfani daban-daban damar ɗaukar shafukansu. Hanyar tana ba da damar, daga shafin da maharin ke da damar shigar da lambar JavaScript, don tantance kasancewar sauran shafukan da mai amfani da shi ya buɗe daga wannan rukunin yanar gizon da kuma fitar da bayanan sirri daga gare su, misali, takardun shaida ko bayanan banki da aka maye gurbinsu. ta tsarin filayen cikawa ta atomatik a cikin siffofin yanar gizo. A matsayin nuni, ana nuna yadda zaku iya kai hari ga shafin wani akan sabis na Tumblr idan mai shi ya buɗe shafin maharan da aka shirya akan sabis ɗaya a cikin wani shafin.
Wani zaɓi don amfani da hanyar shine hari akan add-ons, wanda ke ba da damar, lokacin shigar da ƙari wanda maharin ke sarrafawa, don fitar da bayanai daga wasu add-ons. A matsayin misali, muna nuna yadda ta hanyar shigar da ƙari mai cutarwa za ku iya fitar da bayanan sirri daga mai sarrafa kalmar wucewa ta LastPass.
Masu bincike sun buga wani samfuri na amfani da ke aiki a cikin Chrome 89 akan tsarin tare da CPUIntel i7-6700K da i7-7600U. Lokacin ƙirƙirar amfani, samfura na lambar JavaScript da Google ta buga a baya an yi amfani da su don aiwatar da hare-haren Specter-class. An lura cewa masu binciken sun sami damar shirya ayyukan aiki don tsarin da suka dogara da na'urori na Intel da Apple M1, wanda ke ba da damar tsara karatun ƙwaƙwalwar ajiya a cikin saurin 500 bytes a sakan daya da daidaito na 96%. Ana tsammanin cewa hanyar ita ma tana amfani da na'urori na AMD, amma ba zai yiwu a shirya cikakken amfani ba.
Harin ya shafi kowane mai bincike bisa injin Chromium, gami da Google Chrome, Microsoft Edge da Brave. Masu binciken sun kuma yi imanin cewa za a iya daidaita hanyar don yin aiki tare da Firefox, amma tun da injin Firefox ya bambanta da Chrome, aikin ƙirƙirar irin wannan amfani ya bar nan gaba.
Don karewa daga hare-haren da ke tushen burauza da ke da alaƙa da aiwatar da ƙayyadaddun umarni, Chrome yana aiwatar da rarrabuwar sararin adireshi - keɓewar akwatin sandbox yana ba JavaScript damar yin aiki kawai tare da masu nunin 32-bit kuma yana raba ƙwaƙwalwar ma'aikata a cikin tarin 4GB. Don ba da damar yin amfani da sararin adireshin gabaɗayan tsari da ketare iyakokin 32-bit, masu binciken sun yi amfani da wata dabara mai suna Type Confusion, wacce ke tilasta injin JavaScript sarrafa wani abu mai nau'in da ba daidai ba, wanda ke ba da damar samar da 64-bit. mai nuni dangane da haɗewar ƙima biyu 32-bit.
Asalin harin shine lokacin sarrafa wani abu na musamman da aka ƙera a cikin injin JavaScript, an ƙirƙiri yanayi waɗanda ke haifar da hasashe na aiwatar da umarnin da ke shiga jerin gwanon. An zaɓi abu ta hanyar da za a sanya filayen sarrafa maharan a cikin yankin da ake amfani da ma'anar 64-bit. Tun da nau'in abin ƙeta bai yi daidai da nau'in tsararrun da ake sarrafa ba, a ƙarƙashin yanayi na yau da kullun ana toshe irin waɗannan ayyuka a cikin Chrome ta hanyar kawar da lambar da ake amfani da ita don samun damar jeri. Don magance wannan matsala, an sanya lambar don harin rikice-rikice na nau'in a cikin yanayin "idan" toshe, wanda ba a kunna shi a ƙarƙashin yanayin al'ada ba, amma ana aiwatar da shi a cikin yanayin hasashe, idan mai sarrafawa ya yi hasashen ƙarin reshe ba daidai ba.
Sakamakon haka, mai sarrafa na'ura yana samun dama ga ma'aunin 64-bit da aka ƙirƙira kuma ya sake jujjuya jihar bayan tantance hasashen da bai yi nasara ba, amma burbushin aiwatar da hukuncin ya kasance a cikin ma'ajin da aka raba kuma ana iya dawo dasu ta amfani da hanyoyin gano cache ta tashar gefe waɗanda ke nazarin canje-canje a cikin. samun damar lokutan da aka adana da bayanan da ba a adana ba. Don nazarin abubuwan da ke cikin cache a cikin yanayin rashin isasshen lokacin da ake samu a cikin JavaScript, ana amfani da hanyar da Google ya gabatar, wanda ke yaudarar dabarun korar Tree-PLRU da aka yi amfani da shi a cikin na'urori kuma yana ba da izini, ta hanyar haɓaka adadin zagayowar, zuwa yana haɓaka bambance-bambancen lokacin lokacin da ƙima ke nan da babu a cikin cache. .
source: budenet.ru