A new variant of the Foreshadow attack affecting Intel, AMD, ARM and IBM processors

A team of researchers from Graz University of Technology (Austria) and the Helmholtz Center for Information Security (CISPA) has disclosed (PDF) a new vector for exploiting the Foreshadow (L1TF) speculative-execution side-channel attacks, which allow data to be extracted from the memory of Intel SGX enclaves, SMM (System Management Mode), OS kernel memory areas, and virtual machines in virtualization systems. Unlike the original Foreshadow attack presented in 2018, the new variant is not specific to Intel processors and also affects CPUs from other manufacturers such as ARM, IBM and AMD. In addition, the new variant does not require elevated privileges, and the attack can be carried out even by running JavaScript and WebAssembly in a web browser.

The Foreshadow attack exploits the fact that when memory is accessed at a virtual address that raises an exception (a terminal page fault), the processor still speculatively computes the physical address and loads the data if it is present in the L1 cache. The speculative access is performed before the page-table walk completes and regardless of the state of the page-table entry (PTE), i.e. before it has been checked that the data is present in physical memory and readable. Once the access check completes, if the Present flag is absent from the PTE the operation is discarded, but the data remains in the cache and can be recovered with side-channel methods for inferring cache contents (by measuring the difference in access time between cached and uncached data).

The researchers showed that the existing protection measures against Foreshadow are ineffective and were implemented on the basis of an incorrect interpretation of the problem. The Foreshadow vulnerability can be exploited regardless of the kernel security mechanisms that were previously considered sufficient. As a result, the researchers demonstrated a Foreshadow attack both on systems with older kernels in which all available Foreshadow protection modes are enabled, and on systems with newer kernels in which only the Spectre-v2 protection is disabled (using the Linux kernel option nospectre_v2).

It was found that the prefetch effect is not related to software prefetch instructions or to hardware prefetching during memory access, but occurs when the kernel speculatively dereferences user-space registers. This misinterpretation of the cause of the vulnerability initially led to the assumption that data leakage in Foreshadow could only occur through the L1 cache, whereas the presence of certain code snippets (prefetch gadgets) in the kernel can cause data to leak outside the L1 cache, for example into the L3 cache.

The discovered behaviour also opens the possibility of new attacks targeting the mechanisms that translate virtual addresses to physical ones in isolated environments, and of determining addresses and data stored in CPU registers. As a demonstration, the researchers showed that the effect can be used to extract data from one process to another at a rate of about 10 bits per second on a system with an Intel Core i7-6500U CPU. They also showed that register contents can leak from an Intel SGX enclave (it took 32 minutes to determine a 64-bit value written to a 15-bit register). Some kinds of attacks turned out to be feasible in JavaScript and WebAssembly; for example, it is possible to determine the physical address of a JavaScript variable and to fill a 64-bit register with an attacker-controlled value.

To block the Foreshadow attack via the L3 cache, the Spectre-BTB (Branch Target Buffer) protection method implemented in the retpoline patch set is effective. The researchers therefore believe that retpoline must be left enabled even on systems with newer CPUs that already have hardware protection against the known vulnerabilities in the CPU's speculative execution mechanism. At the same time, Intel representatives stated that they do not plan to add further protection measures against Foreshadow to their processors and consider it sufficient to enable the protections against Spectre V2 and L1TF (Foreshadow).
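The practical takeaway from the paragraph above is a configuration check: a host should not be booted with nospectre_v2, and the Spectre-v2 mitigation reported by the kernel should still be in place. The script below is an added example, not code from the article or from the researchers; it classifies the state from the real Linux sysfs entries `/sys/devices/system/cpu/vulnerabilities/spectre_v2` and `.../l1tf` together with `/proc/cmdline`, and falls back to constructed sample values when those files are not readable so that it also runs offline.

```sh
#!/bin/sh
# Added example (not from the article or the paper): classify the Linux
# Spectre-v2 / retpoline and L1TF mitigation state the article refers to.
# Real paths on a Linux host:
#   /proc/cmdline
#   /sys/devices/system/cpu/vulnerabilities/spectre_v2
#   /sys/devices/system/cpu/vulnerabilities/l1tf

# Classify the Spectre-v2 state from a kernel command line and the sysfs
# status string. Prints one of: disabled, retpoline, vulnerable, other.
classify_spectre_v2() {
    cmdline="$1"
    status="$2"
    # nospectre_v2 on the command line switches the mitigation off outright,
    # which is the configuration the researchers attacked on newer kernels.
    case " $cmdline " in
        *" nospectre_v2 "*) echo "disabled"; return 0 ;;
    esac
    # The kernel reports e.g. "Mitigation: Retpolines, IBPB: conditional, ..."
    # or "Mitigation: Enhanced IBRS" or "Vulnerable".
    case "$status" in
        *etpoline*)  echo "retpoline"; return 0 ;;
        Vulnerable*) echo "vulnerable"; return 0 ;;
    esac
    echo "other"
}

# Report whether the L1TF sysfs status still flags SMT as vulnerable.
# Prints "smt-vulnerable" or "ok".
classify_l1tf() {
    case "$1" in
        *"SMT vulnerable"*) echo "smt-vulnerable" ;;
        *)                  echo "ok" ;;
    esac
}

# Read live values when running on Linux; otherwise use constructed samples
# modelled on the sysfs format so the script runs anywhere.
report() {
    vuln_dir=/sys/devices/system/cpu/vulnerabilities
    if [ -r /proc/cmdline ] && [ -r "$vuln_dir/spectre_v2" ] && [ -r "$vuln_dir/l1tf" ]; then
        cmdline=$(cat /proc/cmdline)
        sv2=$(cat "$vuln_dir/spectre_v2")
        l1tf=$(cat "$vuln_dir/l1tf")
    else
        # constructed sample values (not captured from a real machine)
        cmdline="BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet nospectre_v2"
        sv2="Vulnerable"
        l1tf="Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable"
    fi
    echo "spectre_v2: $(classify_spectre_v2 "$cmdline" "$sv2")"
    echo "l1tf:       $(classify_l1tf "$l1tf")"
}

report
```

A result of `disabled` or `vulnerable` for spectre_v2 is the condition the researchers warn about: retpoline (or an equivalent Spectre-BTB mitigation) should stay on even on CPUs with hardware fixes, so the script treats `Enhanced IBRS` as `other` rather than silently approving it, leaving that judgement to the operator.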

source: budenet.ru
