Attack method presented for determining the contents of memory on a server

A group of researchers from Graz University of Technology (Austria), previously known for developing the MDS, NetSpectre, Throwhammer and ZombieLoad attacks, has published a new side-channel attack method (CVE-2021-3714) against the memory-deduplication mechanism. The attack makes it possible to determine whether specific data is present in memory, to organise a byte-by-byte leak of memory contents, or to determine the memory layout in order to bypass address-randomisation protection (ASLR). The new method differs from previously demonstrated attacks on the deduplication mechanism in that the attack is carried out from an external host, using changes in the response time to HTTP/1 and HTTP/2 requests sent by the attacker as the measurement criterion. The feasibility of the attack has been demonstrated against servers running Linux and Windows.

Attacks on the memory-deduplication mechanism use the difference in write-operation timing as an information-leak channel in situations where modifying data causes a memory page to be cloned via the Copy-on-Write (COW) mechanism. During operation, the kernel identifies identical memory pages belonging to different processes and merges them, mapping the identical pages to a single region of physical memory so that only one copy is stored. When one of the processes attempts to modify data associated with a deduplicated page, an exception (page fault) occurs, and the Copy-on-Write mechanism automatically creates a separate copy of the memory page and assigns it to the process. The copy takes additional time, which can serve as an indicator that data overlapping with another process has been modified.

The researchers showed that the delays introduced by the COW mechanism can be detected not only locally but also by analysing variations in response delivery times over the network. Several methods are proposed for determining memory contents from a remote host by analysing the execution time of requests over the HTTP/1 and HTTP/2 protocols. To store the chosen patterns, ordinary web applications are used that keep the data received in requests in memory.

The general principle of the attack comes down to filling a memory page on the server with data that potentially duplicates the contents of a memory page already present on the server. The attacker then waits for the kernel to deduplicate and merge the memory page, after which they modify the controlled duplicate data and evaluate the response time to determine whether the attack succeeded.


During the experiments, the maximum data-leak rate was 34.41 bytes per hour when attacking over the global network and 302.16 bytes per hour when attacking over a local network, which is faster than other side-channel data-extraction methods (for example, the NetSpectre attack achieves a transfer rate of 7.5 bytes per hour).

Three working attack variants are presented. The first variant makes it possible to identify data in the memory of a web server that uses Memcached. The attack consists of loading specific data sets into the Memcached store, clearing the deduplicated block, writing the same element again, and creating the conditions for COW copying by modifying the contents of the block. In an experiment with Memcached, it was possible to determine the libc version installed on a system running in a virtual machine in 166.51 seconds.

The second variant allowed the researchers to learn the contents of records in the MariaDB database management system (DBMS), when the InnoDB storage engine is used, by reconstructing the contents byte by byte. The attack is carried out by sending specially modified requests that create single-byte mismatches in memory pages and analysing the response time to determine whether the guess about the byte's contents is correct. The leak rate of this variant is low, reaching 1.5 bytes per hour when attacking from a local network. The advantage of this method is that it can be used to recover unknown memory contents.

The third variant allowed the attacker to bypass the KASLR protection mechanism completely within four minutes and obtain information about the memory offset of the kernel image, in a situation where the offset address lies in a memory page whose other data does not change. The attack was carried out from a host 14 network hops away from the target system. Sample code for the presented attacks is expected to be published on GitHub.
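Since the channel only exists while the kernel is merging identical pages, the first thing a server operator would want to check is whether deduplication is actually in effect. The following audit script is an added example, not code from the researchers or from the article's source: it reads the Linux KSM (Kernel Samepage Merging) sysfs interface under /sys/kernel/mm/ksm (the directory argument and the return codes 0/1/2 are this example's own convention) and reports whether merged pages currently exist.

```shell
#!/bin/sh
# Audit the Linux KSM state that enables the memory-deduplication side channel.
# Usage: ksm_audit [SYSFS_KSM_DIR]    (default: /sys/kernel/mm/ksm)
# Returns 0 if deduplication is not in effect, 1 if it is active,
# 2 if the sysfs interface is absent (KSM not compiled into the kernel).

ksm_read() {
    # Read one sysfs attribute; print 0 when the file is missing.
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo 0; fi
}

ksm_audit() {
    dir="${1:-/sys/kernel/mm/ksm}"
    if [ ! -d "$dir" ]; then
        echo "ksm: sysfs interface not present (KSM not compiled in)"
        return 2
    fi
    run=$(ksm_read "$dir" run)
    shared=$(ksm_read "$dir" pages_shared)    # distinct pages kept as a single copy
    sharing=$(ksm_read "$dir" pages_sharing)  # additional virtual pages mapped onto them
    case "$run" in
        0) state="daemon stopped, merged pages remain shared" ;;
        1) state="daemon running" ;;
        2) state="daemon stopped, all pages unmerged" ;;
        *) state="unknown value '$run'" ;;
    esac
    echo "ksm: run=$run ($state), pages_shared=$shared, pages_sharing=$sharing"
    # Pages merged earlier stay attackable even with the daemon stopped (run=0);
    # only run=2 unmerges them, so judge by the merge counter as well as by run.
    if [ "$run" = "1" ] || [ "$sharing" -gt 0 ]; then
        echo "ksm: VERDICT: deduplication active; 'echo 2 > $dir/run' stops it and unmerges pages"
        return 1
    fi
    echo "ksm: VERDICT: deduplication not in effect"
    return 0
}
```

On hypervisor hosts where KSM is deliberately used to overcommit guest memory, the trade-off is between the memory savings and exposing every co-located workload to this channel.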

source: budenet.ru
