BHI is a new Spectre-class vulnerability in Intel and ARM processors

A group of researchers from Vrije Universiteit Amsterdam has identified a new vulnerability in the microarchitecture of Intel and ARM processors. It is an extended variant of the Spectre-v2 vulnerability that makes it possible to bypass the eIBRS and CSV2 protection mechanisms added to processors. The vulnerability has been given several names: BHI (Branch History Injection, CVE-2022-0001), BHB (Branch History Buffer, CVE-2022-0002) and Spectre-BHB (CVE-2022-23960), which describe different manifestations of the same problem (BHI is an attack that crosses privilege levels, for example a user process and the kernel; BHB is an attack within the same privilege level, for example eBPF JIT and the kernel).

The researchers have demonstrated a working exploit that allows arbitrary data to be extracted from kernel memory from user space. For example, they show how the prepared exploit can extract from kernel buffers a string containing the hash of the root user's password, loaded from the /etc/shadow file. The exploit demonstrates that the vulnerability can be used within a single privilege level (a kernel-to-kernel attack) by means of an eBPF program loaded by the user. Instead of eBPF, it is also possible to use Spectre gadgets already present in kernel code, that is, sequences of instructions that lead to speculative execution of instructions.

The vulnerability appears in current Intel processors, with the exception of processors of the Atom family. Among ARM processors, the Cortex-A15, Cortex-A57, Cortex-A7*, Cortex-X1, Cortex-X2, Cortex-A710, Neoverse N1, Neoverse N2, Neoverse V1 and possibly some Cortex-R chips are affected. According to the research, the vulnerability does not appear in AMD processors. To address the problem, several software methods have been proposed for blocking the vulnerability; they can be used until hardware protection appears in future CPU models.

To block attacks through the eBPF subsystem, it is recommended to disable by default the ability of unprivileged users to load eBPF programs by writing 1 to the file "/proc/sys/kernel/unprivileged_bpf_disabled" or by running the command "sysctl -w kernel.unprivileged_bpf_disabled=1". To block gadget-based attacks, it is recommended to use the LFENCE instruction in sections of code that could lead to speculative execution. It is worth noting that the default configuration of most Linux distributions already includes protective measures sufficient to block the eBPF attack demonstrated by the researchers. Intel's recommendation to disable unprivileged access to eBPF has also been the default since Linux kernel 5.16 and is being backported to older branches.
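The sysctl recommended above can be audited with a short script. This is an added example, not code from the article or the researchers: the function names are hypothetical, the file paths are passed as arguments so the checks can be run on constructed files, and the meaning of the values 0, 1 and 2 follows the Linux kernel's sysctl documentation. It also checks the sysctl configuration files, because a value set with "sysctl -w" does not survive a reboot.

```shell
#!/bin/sh
# Added example: audit the unprivileged-eBPF setting at runtime and in sysctl config.
# Function names are hypothetical; paths are arguments so constructed files can be used.

KEY=kernel.unprivileged_bpf_disabled   # '.' also matches the 'kernel/...' spelling

# Map the runtime sysctl value to a verdict:
#   0 = unprivileged bpf() allowed
#   1 = disabled, cannot be re-enabled until reboot
#   2 = disabled, but root may set it back to 0
bpf_unpriv_status() {
    f=${1:-/proc/sys/kernel/unprivileged_bpf_disabled}
    [ -r "$f" ] || { echo unavailable; return 0; }
    case "$(tr -d '[:space:]' < "$f")" in
        0) echo enabled ;;
        1) echo disabled-locked ;;
        2) echo disabled-reversible ;;
        *) echo unknown ;;
    esac
}

# Print the last value assigned to the key in the given config files.
# Assumption: the caller passes the files in the order sysctl loads them.
# Prints nothing when no file sets the key (the kernel default then applies).
bpf_unpriv_persisted() {
    [ "$#" -gt 0 ] || return 0
    cat "$@" 2>/dev/null |
        sed -n "s/^[[:space:]]*$KEY[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" |
        tail -n 1
}

# Succeeds only if unprivileged eBPF is off now and no config file re-enables it.
# Usage: bpf_audit RUNTIME_FILE [CONFIG_FILE...]
bpf_audit() {
    rt=${1:-}; [ "$#" -gt 0 ] && shift
    status=$(bpf_unpriv_status "$rt")
    persisted=$(bpf_unpriv_persisted "$@")
    echo "runtime=$status persisted=${persisted:-kernel-default}"
    [ "$status" != enabled ] && [ "$status" != unknown ] && [ "$persisted" != 0 ]
}

# On a real host, for example:
#   bpf_audit /proc/sys/kernel/unprivileged_bpf_disabled /etc/sysctl.d/*.conf /etc/sysctl.conf
```

A result of "disabled-reversible" with no persisted value means the setting comes from the kernel's built-in default rather than from local configuration.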

Conceptually, BHI is an extended version of the Spectre-v2 attack in which, to bypass the added protection (Intel eIBRS and Arm CSV2) and organise the data leak, values are substituted in the Branch History Buffer, which the CPU uses to improve branch prediction accuracy by taking the history of past branches into account. During the attack, manipulation of the branch history creates the conditions for a branch misprediction and for speculative execution of the required instructions, the result of which ends up in the cache.

Apart from using the Branch History Buffer instead of the Branch Target Buffer, the new attack is identical to Spectre-v2. The attacker's task is to create conditions under which the address, during a speculative operation, is taken from the area of the data being determined. After the speculative indirect jump has been performed, the jump address read from memory remains in the cache, after which one of the methods for determining cache contents can be used to retrieve it, based on analysing the difference in access time between cached and uncached data.

Source: opennet.ru
