A new variant of the Zombieload attack on Intel processors has been identified

Researchers from Graz University of Technology (Austria) have disclosed details of a new side-channel attack method, ZombieLoad 2.0 (CVE-2019-11135), which allows confidential data to be extracted from other processes, the operating system, virtual machines and protected enclaves (TEE, Trusted Execution Environment). The problem affects only Intel processors. Measures to block the problem are proposed in the microcode update released yesterday.

The problem belongs to the MDS (Microarchitectural Data Sampling) class and is a modernized version of the ZombieLoad attack made public in May. ZombieLoad 2.0, like the other MDS attacks, relies on applying side-channel analysis techniques to data held in microarchitectural structures (for example the Line Fill Buffer and the Store Buffer), which temporarily store data used while performing Load and Store operations.

The new Zombieload variant is based on a leak that occurs while the mechanism for asynchronous abort of operations (TAA, TSX Asynchronous Abort) is running. That mechanism is implemented in the TSX (Transactional Synchronization Extensions) extension, which provides tools for working with transactional memory and makes it possible to raise the performance of multithreaded applications by eliminating unnecessary synchronization operations (atomic transactions are supported, which can be committed or aborted). If a transaction is aborted, the operations performed on the transactional memory region are rolled back.

The transaction abort happens asynchronously, and during that time other threads can access the cache lines that were also used in the discarded transactional memory region. In the interval between the start and the actual completion of the asynchronous transaction abort, situations can arise in which the processor, while speculatively executing an operation, reads data from internal microarchitectural buffers and passes it to the speculative operation. The conflict is then detected and the speculative operation is discarded, but the data remains in the cache and can be recovered using side-channel cache recovery techniques.

The attack boils down to opening TSX transactions and creating the conditions for their asynchronous abort, during which conditions arise for leaking the contents of internal buffers that were speculatively filled with data from memory read operations performed on the same physical CPU core. The leak is limited to the current physical CPU core (the one running the attacker's code), but since the microarchitectural buffers are shared between different threads in Hyper-Threading mode, it is possible to leak memory operations performed in the other CPU threads.

The attack affects some models of the eighth, ninth and tenth generation Intel Core processors, as well as Intel Pentium Gold, Intel Celeron 5000, Intel Xeon E, Intel Xeon W and second-generation Intel Xeon Scalable. The newer Intel CPUs based on the Cascade Lake microarchitecture presented in April, which were initially not susceptible to the RIDL and Fallout attacks, are also susceptible. In addition to Zombieload 2.0, the researchers also identified a way to bypass the previously proposed protections against MDS attacks, which rely on using the VERW instruction to clear the contents of microarchitectural buffers when returning from the kernel to user space or when transferring control to a guest system.

Intel's report states that on systems with a heterogeneous load the attack is difficult to carry out, since the leak from the microarchitectural structures covers all activity on the system and the attacker cannot influence the source of the extracted data, i.e. they can only accumulate the information that emerges from the leak and try to identify useful data in it, without the ability to deliberately intercept data tied to specific memory addresses. Nevertheless, the researchers published an exploit prototype, working on Linux and Windows, and demonstrated that the attack can be used to determine the root user's password hash. An attack can also be carried out from a guest system to accumulate data appearing in the operations of other guest systems, the host environment, the hypervisor and Intel SGX enclaves.

Fixes that block the vulnerability have been included in the Linux kernel codebase and shipped in releases 5.3.11, 4.19.84, 4.14.154, 4.9.201 and 4.4.201. Kernel and microcode updates have already been released for the major distributions (Debian, SUSE/openSUSE, Ubuntu, RHEL, Fedora, FreeBSD). The problem was identified in April, and the fix was coordinated between Intel and the operating system developers.

The simplest way to block Zombieload 2.0 is to disable TSX support in the CPU. The fix proposed for the Linux kernel includes several protection options. The first option provides the "tsx=on/off/auto" parameter, which controls whether the TSX extension is enabled on the CPU (the auto value disables TSX only on vulnerable CPUs). The second protection option is enabled with the "tsx_async_abort=off/full/full,nosmt" parameter and is based on clearing the microarchitectural buffers on context switches (the nosmt flag additionally disables SMT/Hyper-Threading). To check whether the system is susceptible to the vulnerability, sysfs provides the entry "/sys/devices/system/cpu/vulnerabilities/tsx_async_abort".
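The following POSIX shell script is an added example, not part of the original article or of the kernel fix it describes. It reads the sysfs entry named above, classifies the reported TAA status, and checks whether the tsx= and tsx_async_abort= boot parameters are present on the kernel command line. The status strings it matches follow the format the kernel documents for that sysfs file ("Not affected", "Mitigation: TSX disabled", "Mitigation: Clear CPU buffers", "Vulnerable ...", optionally followed by an "; SMT ..." suffix); that wording is assumed, and the sample inputs in the comments are constructed.

```shell
#!/bin/sh
# Added example: report the Linux kernel's TAA (ZombieLoad 2.0) mitigation state.
# Assumption: the status wording matches the kernel's documented sysfs output.

TAA_SYSFS=/sys/devices/system/cpu/vulnerabilities/tsx_async_abort

# classify_taa_status STATUS
# Prints one of: ok, mitigated, smt-exposed, vulnerable, unknown.
# "smt-exposed" means buffers are cleared on context switch but a sibling
# hyper-thread can still observe the leak (the page's Hyper-Threading caveat).
classify_taa_status() {
    case "$1" in
        "Not affected"*)                                     echo ok ;;
        "Mitigation: TSX disabled"*)                         echo mitigated ;;
        "Mitigation: Clear CPU buffers"*"SMT vulnerable"*)   echo smt-exposed ;;
        "Mitigation: Clear CPU buffers"*)                    echo mitigated ;;
        "Vulnerable"*)                                       echo vulnerable ;;
        *)                                                   echo unknown ;;
    esac
}

# cmdline_value KEY CMDLINE
# Prints the value of KEY=... from a kernel command line, or "unset".
cmdline_value() {
    key=$1
    shift
    for tok in $1; do              # intentional word splitting on spaces
        case "$tok" in
            "$key"=*) echo "${tok#"$key"=}"; return 0 ;;
        esac
    done
    echo unset
}

tsx_cmdline_setting() { cmdline_value tsx "$1"; }
taa_cmdline_setting() { cmdline_value tsx_async_abort "$1"; }

# report_taa: read the live system (when the sysfs entry exists) and summarize.
report_taa() {
    if [ -r "$TAA_SYSFS" ]; then
        status=$(cat "$TAA_SYSFS")
    else
        status="unknown (sysfs entry missing: kernel predates the fix, or not Linux)"
    fi
    cmdline=$(cat /proc/cmdline 2>/dev/null || true)
    printf 'TAA status       : %s\n' "$status"
    printf 'Class            : %s\n' "$(classify_taa_status "$status")"
    printf 'tsx=             : %s\n' "$(tsx_cmdline_setting "$cmdline")"
    printf 'tsx_async_abort= : %s\n' "$(taa_cmdline_setting "$cmdline")"
}

# Constructed sample, as one might see on an updated host with SMT left on:
#   classify_taa_status 'Mitigation: Clear CPU buffers; SMT vulnerable'  -> smt-exposed
#   tsx_cmdline_setting 'root=/dev/sda1 tsx=off tsx_async_abort=full,nosmt' -> off

report_taa
```

On an affected machine whose microcode has not been updated, the sysfs file reports a "Vulnerable" state even when the kernel is new enough to attempt buffer clearing, so the "Class" line distinguishes a kernel-side fix that is actually effective from one that is only attempted.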

The same microcode update also fixes another vulnerability (CVE-2018-12207) in Intel processors, which has likewise been blocked in the latest Linux kernel updates. The vulnerability allows an unprivileged attacker to trigger a denial of service, causing the system to hang in a "Machine Check Error" state. The attack can also be carried out from a guest system.

source: opennet.ru
