Masu bincike a Cibiyar Tsaro ta Helmholtz don Tsaron Bayanai (CISPA) sun buga sabuwar hanyar harin CacheWarp don daidaita tsarin tsaro na AMD SEV (Secure Encrypted Virtualization) da aka yi amfani da shi a cikin tsarin ƙira don kare injunan kama-da-wane daga tsangwama ta hanyar hypervisor ko mai kula da tsarin gudanarwa. Hanyar da aka tsara ta ba da damar mai kai hari tare da samun dama ga hypervisor don aiwatar da lambar ɓangare na uku da haɓaka gata a cikin na'ura mai kama da kariya ta amfani da AMD SEV.
Harin ya dogara ne akan yin amfani da rashin ƙarfi (CVE-2023-20592) wanda ya haifar da kuskuren aiki na cache yayin aiwatar da umarnin sarrafawa na INVD, tare da taimakon wanda zai yuwu a cimma rashin daidaituwar bayanai a cikin ƙwaƙwalwar ajiya da cache. , da hanyoyin wucewa don kiyaye mutuncin ƙwaƙwalwar ajiyar injin kama-da-wane, wanda aka aiwatar akan kari SEV-ES da SEV-SNP. Rashin lahani yana shafar masu sarrafa AMD EPYC daga na farko zuwa na uku.
Ga masu sarrafa AMD EPYC na ƙarni na uku (Zen 3), an gyara matsalar a cikin sabuntawar microcode na Nuwamba da AMD ta fitar jiya (gyaran ba ya haifar da hukuncin aiki). Ga masu sarrafa AMD EPYC na ƙarni na farko da na biyu (Zen 1 da Zen 2), ba a samar da kariyar ba, saboda waɗannan CPUs ba su da goyon baya ga faɗaɗa SEV-SNP, wanda ke ba da sa ido kan inganci. injunan kama-da-waneTsarin ƙarni na huɗu na na'urori masu sarrafawa na AMD EPYC "Genoa" waɗanda aka gina bisa ga tsarin "Zen 4" ba su da rauni.
Ana amfani da fasahar AMD SEV don keɓance na'urorin kama-da-wane ta hanyar masu samar da girgije kamar Amazon Web Services (AWS), Google Cloud, Microsoft Azure, da Oracle Compute Infrastructure (OCI). Ana aiwatar da kariyar AMD SEV ta hanyar ɓoye bayanan matakin hardware na ƙwaƙwalwar na'urar kama-da-wane. Bugu da ƙari, faɗaɗawar SEV-ES (Encrypted State) tana kare rajistar CPU. Tsarin baƙo na yanzu ne kawai ke da damar shiga bayanan da aka ɓoye, yayin da sauran tsarin za su iya shiga ta. injunan kama-da-wane kuma mai nuna girman, lokacin da yake ƙoƙarin shiga wannan ƙwaƙwalwar ajiya, yana karɓar saitin bayanai da aka ɓoye.
Ƙarni na uku na na'urori masu sarrafawa na AMD EPYC sun gabatar da ƙarin tsawo, SEV-SNP (Secure Nsted Paging), wanda ke tabbatar da amintaccen aiki na teburin shafukan ƙwaƙwalwar ajiya. Baya ga ɓoyayyen ƙwaƙwalwar ajiya na gabaɗaya da keɓewar rajista, SEV-SNP tana aiwatar da ƙarin matakan don kare amincin ƙwaƙwalwar ajiya ta hana canje-canje ga VM ta hypervisor. Ana sarrafa maɓallan ɓoyewa a gefen wani na'ura mai sarrafa PSP (Platform Security Processor) daban wanda aka gina a cikin guntu, wanda aka aiwatar akan tsarin gine-gine na ARM.
Mahimman hanyar kai hari shine a yi amfani da umarnin INVD don ɓata tubalan (launi) a cikin ma'ajin datti na shafukan datti ba tare da zubar da bayanan da aka tara a cikin ma'ajiyar ajiya ba (rubuta baya). Don haka, hanyar tana ba ku damar fitar da bayanan da aka canza daga cache ba tare da canza yanayin ƙwaƙwalwar ajiya ba. Don kai hari, ana ba da shawarar yin amfani da keɓancewar software ( alluran kuskure ) don katse aikin na'urar a wurare biyu: da farko, maharin ya kira umarnin "wbnoinvd" don sake saita duk ayyukan rubuta ƙwaƙwalwar ajiya da aka tara a ciki. cache, kuma a wuri na biyu ya kira umarnin "invd" don dawo da ayyukan rubuta ba a cikin ƙwaƙwalwar ajiya zuwa tsohuwar jihar.
Don bincika tsarin ku don rashin lahani, an buga samfurin yin amfani da ke ba ku damar saka keɓantawa cikin injin kama-da-wane da aka kare ta hanyar AMD SEV da jujjuya canje-canje a cikin VM waɗanda ba a sake saita su zuwa ƙwaƙwalwar ajiya ba. Ana iya amfani da jujjuyawar canji don canza kwararar shirin ta hanyar dawo da tsohon adireshin dawowa akan tari, ko don amfani da sigogin shiga na tsohon zama wanda a baya aka inganta ta hanyar dawo da ƙimar sifa.
Misali, masu bincike sun nuna yuwuwar amfani da hanyar CacheWarp don kai hari kan aiwatar da tsarin RSA-CRT a cikin ɗakin karatu na ipp-crypto, wanda ya ba da damar dawo da maɓalli na sirri ta hanyar maye gurbin kurakurai yayin lissafin sa hannu na dijital. Sun kuma nuna yadda ake yin amfani da sigogin tabbatar da zaman OpenSSH yayin haɗin nesa zuwa tsarin baƙo, sannan a canza yanayin tabbatarwa lokacin gudanar da kayan aikin sudo don samun gata na tushen Ubuntu 20.04 ga Afrilu. An gwada amfani da na'urar a kan tsarin da ke da na'urori masu sarrafawa na AMD EPYC 7252, 7313P, da 7443.
source: budenet.ru
