An attack method has been presented for determining memory fragments on a server

A team of researchers from Graz University of Technology (Austria), previously known for developing the MDS, NetSpectre, Throwhammer and ZombieLoad attacks, has published a new side-channel attack method (CVE-2021-3714) against the memory deduplication mechanism. It makes it possible to determine whether certain data is present in memory, to organize a byte-by-byte leak of memory contents, or to determine the memory layout in order to bypass address space layout randomization (ASLR). The new method differs from previously demonstrated attack variants against the deduplication mechanism in that the attack is carried out from an external host, using as its criterion the change in response time to requests the attacker sends over the HTTP/1 and HTTP/2 protocols. The attack has been demonstrated against servers running Linux and Windows.

Attacks on the memory deduplication mechanism use the difference in the processing time of a write operation as a channel for leaking data, in situations where a data change causes a memory page to be cloned via the Copy-On-Write (COW) mechanism. During operation, the kernel detects identical memory pages belonging to different processes and merges them, mapping the identical pages to a single region of physical memory so that only one copy is kept. When one of the processes tries to change data in a deduplicated page, an exception (page fault) occurs and, through the Copy-On-Write mechanism, a separate copy of the memory page is created automatically and assigned to that process. Completing the copy takes additional time, which can be a sign that the data being modified is shared with another process.

The researchers showed that the delay caused by the COW mechanism can be captured not only locally, but also by analyzing changes in delivery times over the network. Several methods were proposed for determining memory contents from a remote host by analyzing request execution times over the HTTP/1 and HTTP/2 protocols. To store the chosen templates, ordinary web applications that keep the data received in requests in memory are used.

The general principle of the attack boils down to filling a memory page on the server with data that potentially repeats the contents of a memory page already present on the server. The attacker then waits for the time the kernel needs to deduplicate and merge the memory page, modifies the controlled duplicate data, and evaluates the response time to determine whether the guess was correct.
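The mechanism described above depends on the kernel actually merging identical pages across processes. As an added example (not code from the article or from the Graz researchers), the following Python script audits the Linux implementation of that mechanism, kernel same-page merging (KSM), through its sysfs interface under /sys/kernel/mm/ksm, and reports whether merged pages exist on the host, i.e. whether a write could take the copy-on-write fault the article describes. It assumes the standard KSM sysfs files (`run`, `pages_shared`, `pages_sharing`, `pages_unshared`, `merge_across_nodes`); the sample values in `SAMPLE_KSM` are constructed and are only used when that directory is absent. It covers Linux only; the Windows side of the attack mentioned above is not handled.

```python
"""Audit whether Linux kernel same-page merging (KSM) is active on a host.

Added example: KSM is the Linux deduplication feature whose copy-on-write
page faults produce the timing difference described in the article.
"""
from pathlib import Path
from typing import Dict, Optional

KSM_DIR = Path("/sys/kernel/mm/ksm")

# 'run' is the control file: 0 = ksmd stopped but existing merges kept,
# 1 = ksmd scanning and merging, 2 = stop ksmd and unmerge all pages.
# The others are status counters, expressed in pages (normally 4 KiB).
KSM_FILES = ("run", "pages_shared", "pages_sharing", "pages_unshared",
             "merge_across_nodes")
PAGE_BYTES = 4096

# Constructed sample shaped like a host that is actively merging pages;
# used only when the sysfs directory does not exist on this machine.
SAMPLE_KSM: Dict[str, str] = {
    "run": "1",
    "pages_shared": "1200",
    "pages_sharing": "9800",
    "pages_unshared": "45000",
    "merge_across_nodes": "1",
}


def read_ksm_state(ksm_dir=KSM_DIR) -> Optional[Dict[str, str]]:
    """Return the raw text of each KSM sysfs file, or None when the
    directory is absent (non-Linux host or a kernel built without KSM)."""
    ksm_dir = Path(ksm_dir)
    if not ksm_dir.is_dir():
        return None
    state: Dict[str, str] = {}
    for name in KSM_FILES:
        path = ksm_dir / name
        if path.is_file():
            state[name] = path.read_text().strip()
    return state


def assess_ksm(state: Dict[str, str]) -> dict:
    """Decide whether cross-process page sharing exists, i.e. whether a
    write to a merged page would incur a copy-on-write fault."""
    run = int(state.get("run", "0"))
    shared = int(state.get("pages_shared", "0"))
    sharing = int(state.get("pages_sharing", "0"))
    findings = []
    if run == 1:
        findings.append("ksmd is running: new identical pages will be merged")
    if sharing > 0:
        findings.append(
            f"{sharing} page mappings currently point at {shared} shared "
            f"pages (~{sharing * PAGE_BYTES // 1024} KiB saved); a write to "
            "any of them triggers a copy-on-write fault")
    # run=0 only stops the scanner; pages merged earlier stay merged until
    # run=2 unmerges them, so they still count as exposure.
    exposed = run == 1 or sharing > 0
    remediation = (
        "write 2 to /sys/kernel/mm/ksm/run to stop ksmd and unmerge all "
        "pages, then keep it disabled across reboots (disable any ksm or "
        "ksmtuned service the distribution ships)"
        if exposed else "no action needed")
    return {"exposed": exposed, "findings": findings,
            "remediation": remediation}


def main() -> None:
    state = read_ksm_state()
    if state is None:
        print(f"{KSM_DIR} not found; using constructed sample values")
        state = SAMPLE_KSM
    for name in KSM_FILES:
        print(f"{name:>20}: {state.get(name, '(absent)')}")
    report = assess_ksm(state)
    print("exposed:", report["exposed"])
    for line in report["findings"]:
        print(" -", line)
    print("remediation:", report["remediation"])


if __name__ == "__main__":
    main()
```

Note that `run` set to 0 is not enough on its own: it stops the scanner but keeps pages that were already merged, so the script still reports exposure while `pages_sharing` is non-zero. Only `run` = 2 unmerges them.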


In the experiments, the maximum data leakage rate was 34.41 bytes per hour when attacking over the global network and 302.16 bytes per hour when attacking over a local network, which is higher than other side-channel data extraction methods (for example, the data transfer rate in the NetSpectre attack is 7.5 bytes per hour).

Three working attack variants were presented. The first makes it possible to determine data in the memory of a web server that uses Memcached. The attack boils down to loading certain sets of data into the Memcached store, flushing the deduplicated block, rewriting the same element, and creating the conditions for a COW copy to occur by changing the contents of the block. In an experiment with Memcached, it was possible to determine in 166.51 seconds the version of libc installed on a system running in a virtual machine.

The second variant makes it possible to find out the contents of a database in the MariaDB DBMS, when the InnoDB storage engine is used, by reconstructing the contents byte by byte. The attack is carried out by sending specially crafted requests that cause single-byte mismatches in memory pages, and then analyzing the response time to determine whether the guess about the byte's value is correct. The rate of such a leak is low and amounts to 1.5 bytes per hour when attacking from the local network. The advantage of the method is that it can be used to recover contents that are not known in advance.

The third variant makes it possible to completely bypass the KASLR protection mechanism in 4 minutes and obtain information about the memory offset of the kernel image of a virtual machine, in a situation where the offset address is located in a memory page whose other data does not change. The attack was carried out from a host 14 hops away from the attacked system. Code examples implementing the presented attacks are promised to be published on GitHub.

Source: budenet.ru
