A vulnerability in AMD CPUs that allows bypassing the SEV (Secure Encrypted Virtualization) protection mechanism

Researchers at the Helmholtz Center for Information Security (CISPA) have published a new attack method, CacheWarp, which compromises the AMD SEV (Secure Encrypted Virtualization) security mechanism used in virtualization systems to protect virtual machines from interference by the hypervisor or the host system administrator. The proposed method allows an attacker with access to the hypervisor to execute third-party code and escalate privileges inside a virtual machine protected by AMD SEV.

The attack relies on exploiting a vulnerability (CVE-2023-20592) caused by incorrect cache behaviour during execution of the INVD processor instruction. With its help it is possible to create a mismatch between the data in memory and the data in the cache, and to bypass the mechanisms for preserving virtual machine memory integrity implemented in the SEV-ES and SEV-SNP extensions. The vulnerability affects AMD EPYC processors from the first through the third generation.

For third-generation AMD EPYC processors (Zen 3), the issue is resolved in the November microcode update that AMD released yesterday (the fix does not cause performance degradation). For first- and second-generation AMD EPYC processors (Zen 1 and Zen 2), no protection is provided, since these CPUs do not support the SEV-SNP extension, which provides integrity control for virtual machines. Fourth-generation AMD EPYC "Genoa" processors, based on the "Zen 4" microarchitecture, are not vulnerable.
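As an added example (not from the article or from CISPA), the following inventory helper maps an AMD host's CPUID family/model to its EPYC generation, reports the CacheWarp status the article gives for that generation, and lists which SEV flags the kernel exposes; the family/model ranges and the sample `/proc/cpuinfo` text are the example's own assumptions.

```python
# EPYC-only family/model ranges -> Zen generation. This table is the example
# author's assumption from public CPUID documentation, not from the article.
EPYC_RANGES = [
    (0x17, 0x00, 0x0F, "Zen 1"),   # EPYC 7001 "Naples"
    (0x17, 0x30, 0x3F, "Zen 2"),   # EPYC 7002 "Rome"
    (0x19, 0x00, 0x0F, "Zen 3"),   # EPYC 7003 "Milan"
    (0x19, 0x10, 0x1F, "Zen 4"),   # EPYC 9004 "Genoa"
    (0x19, 0xA0, 0xAF, "Zen 4"),   # EPYC 97x4 "Bergamo"
]

# CacheWarp (CVE-2023-20592) status per generation, as stated in the article.
STATUS = {
    "Zen 1": "affected: no fix available (no SEV-SNP)",
    "Zen 2": "affected: no fix available (no SEV-SNP)",
    "Zen 3": "affected: fixed by the November 2023 AMD microcode update",
    "Zen 4": "not affected",
}

def epyc_generation(family, model):
    """Return the Zen generation for an EPYC family/model pair, else None."""
    for fam, lo, hi, gen in EPYC_RANGES:
        if family == fam and lo <= model <= hi:
            return gen
    return None

def parse_cpuinfo(text):
    """Collect key/value fields for the first CPU listed in /proc/cpuinfo text."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields.setdefault(key.strip(), value.strip())
    return fields

def assess(cpuinfo_text):
    """Summarise generation, CacheWarp status, microcode revision and SEV flags."""
    f = parse_cpuinfo(cpuinfo_text)
    if f.get("vendor_id") != "AuthenticAMD":
        return {"generation": None, "status": "not an AMD CPU", "sev": []}
    gen = epyc_generation(int(f["cpu family"]), int(f["model"]))
    flags = set(f.get("flags", "").split())
    return {
        "generation": gen,
        "status": STATUS.get(gen, "unknown generation: check AMD's advisory"),
        "microcode": f.get("microcode"),   # compare with AMD's fixed revision
        "sev": [x for x in ("sev", "sev_es", "sev_snp") if x in flags],
    }

# Constructed sample resembling /proc/cpuinfo on a Milan host (microcode value is a placeholder).
SAMPLE = "vendor_id\t: AuthenticAMD\ncpu family\t: 25\nmodel\t\t: 1\n" \
         "model name\t: AMD EPYC 7313P 16-Core Processor\nmicrocode\t: 0x0\n" \
         "flags\t\t: fpu vme sev sev_es sev_snp\n"

if __name__ == "__main__":
    print(assess(SAMPLE))
```

On a real host, pass the contents of `/proc/cpuinfo` to `assess()`; a Zen 3 result means the microcode revision should be checked against AMD's advisory.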

AMD SEV technology is used for virtual machine isolation by cloud providers such as Amazon Web Services (AWS), Google Cloud, Microsoft Azure and Oracle Compute Infrastructure (OCI). AMD SEV protection is implemented through hardware-level encryption of virtual machine memory. In addition, the SEV-ES (Encrypted State) extension protects the CPU registers. Only the current guest system has access to the decrypted data; when other virtual machines or the hypervisor try to access this memory, they receive an encrypted set of data.

Third-generation AMD EPYC processors introduced a further extension, SEV-SNP (Secure Nested Paging), which ensures secure operation of nested memory page tables. In addition to general memory encryption and register isolation, SEV-SNP implements additional measures to protect memory integrity by preventing the hypervisor from making changes to the VM. Encryption keys are managed by a separate PSP (Platform Security Processor) built into the chip and implemented on the ARM architecture.

The essence of the attack method is to use the INVD instruction to discard blocks (lines) of dirty pages in the cache without flushing the data accumulated in the cache to memory (write-back). Thus, the method allows modified data to be evicted from the cache without changing the state of memory. To carry out the attack, it is proposed to use software exceptions (fault injection) to interrupt the operation of the virtual machine at two points: at the first, the attacker invokes the "wbnoinvd" instruction to flush all memory write operations accumulated in the cache, and at the second invokes the "invd" instruction to roll back write operations not yet reflected in memory to the old state.

To check your system for the vulnerability, an exploit prototype has been published that allows you to inject exceptions into a virtual machine protected by AMD SEV and roll back changes in the VM that have not yet been flushed to memory. The rollback of changes can be used to alter the program flow by restoring an old return address on the stack, or to reuse the login parameters of an old session that was previously authenticated by restoring an attribute value.

For example, the researchers demonstrated the possibility of using the CacheWarp method to carry out a Bellcore attack on the implementation of the RSA-CRT algorithm in the ipp-crypto library, which made it possible to recover the private key by substituting an error when computing a digital signature. They also showed how the session authentication parameters of OpenSSH can be changed when connecting remotely to the guest system, and then how the verification state can be changed while running the sudo utility to obtain root rights in Ubuntu 20.04. The exploit was tested on systems with AMD EPYC 7252, 7313P and 7443 processors.

source: budenet.ru
