Attack on Intel SGX to extract sensitive data or execute code in an enclave

Researchers from the People's Liberation Army Defense Science and Technology University, the National University of Singapore and ETH Zurich have developed a new method of attacking isolated Intel SGX (Software Guard eXtensions) enclaves. The attack is called SmashEx and is caused by reentrancy problems when handling exceptions during the operation of runtime components for Intel SGX. Given control over the operating system, the proposed attack method makes it possible to determine confidential data located in the enclave, or to arrange for the attacker's code to be copied into the enclave's memory and executed.

Exploit prototypes have been prepared for enclaves with runtimes based on the Intel SGX SDK (CVE-2021-0186) and Microsoft Open Enclave (CVE-2021-33767). In the first case, the ability to extract an RSA key used on an HTTPS server was demonstrated, and in the second, it was possible to determine the content retrieved by the cURL utility running inside the enclave. The vulnerability has already been fixed in software in the releases of Intel SGX SDK 2.13 and Open Enclave 0.17.1. In addition to the Intel SGX SDK and Microsoft Open Enclave, the vulnerability also appears in Google Asylo SDK, EdgelessRT, Apache Teaclave, Rust SGX SDK, SGX-LKL, CoSMIX and Veracruz.

Recall that SGX (Software Guard Extensions) technology appeared in the sixth generation of Intel Core processors (Skylake) and offers a set of instructions that allow user-level applications to allocate closed memory regions, called enclaves, whose contents cannot be read or modified even by the kernel and by code executed in ring0, SMM and VMM modes. Control cannot be transferred to code in an enclave using traditional jump functions and manipulation of registers and the stack: the specially created instructions EENTER, EEXIT and ERESUME are used to transfer control to the enclave, and they perform authorization checks. Code placed in the enclave can use classic calling methods to access functions inside the enclave and a special instruction to call external functions. Enclave memory encryption is used to protect against hardware attacks such as connecting to the DRAM module.

The problem is that SGX technology allows the operating system to interrupt an enclave by raising a hardware exception, and enclaves do not properly implement primitives for handling such exceptions atomically. Unlike the operating system kernel and regular applications, code inside enclaves has no access to primitives for arranging atomic actions while handling asynchronously raised exceptions. Without these atomic primitives, the enclave can be interrupted at any time and returned to execution, even at moments when the enclave is executing critical sections and is in an unsafe state (for example, when the CPU registers have not been saved/restored).

For normal operation, SGX technology allows enclave execution to be interrupted by configurable hardware exceptions. This feature allows enclave runtimes to implement exception handling or signal processing inside the enclave, but it can also cause reentrancy errors. The SmashEx attack is based on exploiting flaws in the SDK due to which re-invocation of the exception handler is not handled properly. Importantly, to exploit the vulnerability the attacker must be able to interrupt the execution of the enclave, i.e. must control the system environment.

After raising an exception, the attacker gets a small time window during which the execution thread can be hijacked by manipulating the input parameters. In particular, with access to the system (the environment outside the enclave), it is possible to raise a new exception immediately after the enclave entry instruction (EENTER) has executed, which returns control to the system at a stage when the enclave's stack setup has not yet been completed, and the state of the CPU registers is saved at that point as well.

The system can then return control to the enclave, but since the enclave's stack had not been set up at the time of the interruption, the enclave will execute with a stack residing in system memory, which can be used to apply return-oriented programming (ROP) exploitation techniques. With the ROP technique, the attacker does not try to place their own code in memory, but operates on pieces of machine instructions already present in loaded libraries that end with a return instruction (as a rule, these are the ends of library functions). The work of the exploit comes down to building a chain of calls to such blocks ("gadgets") to obtain the desired functionality.
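The unsafe state described above can be modelled as a bounds check on the saved stack pointer before the in-enclave exception handler builds its frame. This is an added illustration, not code from the Intel SGX SDK, Open Enclave or the researchers, and it does not claim to reproduce the shipped fixes; the type names, function names and addresses are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model types, not taken from any SGX runtime. */
typedef struct { uint64_t base, size; } enclave_range;
typedef struct { uint64_t rsp; } saved_state;   /* register state saved at interruption */

/* True only if [addr, addr+len) lies fully inside the enclave, without wraparound. */
static bool within_enclave(const enclave_range *e, uint64_t addr, uint64_t len)
{
    if (len == 0 || len > e->size || addr < e->base) return false;
    return addr - e->base <= e->size - len;
}

/* Unguarded re-entry: the handler frame goes wherever the saved rsp points. */
uint64_t frame_addr_unguarded(const saved_state *s, uint64_t frame)
{
    return s->rsp - frame;
}

/* Guarded re-entry: returns the frame address, or 0 to refuse the handler call. */
uint64_t frame_addr_guarded(const enclave_range *e, const saved_state *s, uint64_t frame)
{
    if (s->rsp < frame) return 0;                 /* subtraction would wrap */
    uint64_t addr = s->rsp - frame;
    return within_enclave(e, addr, frame) ? addr : 0;
}

/* Constructed sample states: interrupted before (1) or after (0) the stack switch. */
saved_state interrupted_state(int before_stack_switch)
{
    saved_state s;
    s.rsp = before_stack_switch ? 0x00007ffd00001000ULL   /* host-side stack */
                                : 0x0000100000008000ULL;  /* enclave stack */
    return s;
}

int main(void)
{
    enclave_range e = { 0x0000100000000000ULL, 0x10000ULL };  /* constructed range */
    for (int early = 1; early >= 0; early--) {
        saved_state s = interrupted_state(early);
        printf("early=%d unguarded=%#llx guarded=%#llx\n", early,
               (unsigned long long)frame_addr_unguarded(&s, 0x200),
               (unsigned long long)frame_addr_guarded(&e, &s, 0x200));
    }
    return 0;
}
```

In the model, an interruption before the stack switch leaves a saved stack pointer outside the enclave range, so the guarded path refuses to run the handler instead of building its frame in memory the host controls.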


Source: opennet.ru
