Checkpoint proposes the Safe-Linking protection mechanism, which makes exploiting vulnerabilities harder

Checkpoint has presented Safe-Linking, a protection mechanism that makes it harder to build exploits that manipulate pointers to buffers allocated by calls to malloc. Safe-Linking does not rule out exploitation altogether, but at minimal cost it substantially complicates the exploitation of certain bug classes: in addition to a buffer overflow, the attacker now needs a second vulnerability that leaks information about where the heap is placed in memory.

Patches implementing Safe-Linking have been prepared for Glibc (ptmalloc), uClibc-NG (dlmalloc), gperftools (tcmalloc) and Google TCMalloc, and have also been proposed for hardening Chromium (since 2012 Chromium has had a built-in MaskPtr protection mechanism aimed at the same problem, but the Checkpoint approach shows better performance).
The proposed patches have already been accepted for the August release of Glibc 2.32, in which Safe-Linking will be enabled by default. Safe-Linking support for uClibc-NG has been merged, is included in release 1.0.33 and is enabled by default. The change to gperftools (the old tcmalloc) has been accepted, but it will be offered as an option in a future release.

The developers of TCMalloc (the new tcmalloc) declined to accept the change, citing a significant performance degradation and the need for more extensive testing to make sure everything behaves as expected. Testing by Checkpoint's engineers showed that Safe-Linking causes no additional memory consumption and that the performance of heap operations drops on average by only 0.02%, and by 1.5% in the worst case (for comparison, the overhead of the method used in Chromium is estimated at "less than 2%").
Safe-Linking adds 2-3 extra assembly instructions executed on every free() call and 3-4 instructions on every malloc() call. No initialization phase and no separate generation of random values is required.


Safe-Linking can be used not only to harden various heap implementations, but also to add integrity checking to any data structure that uses singly linked lists whose link pointers are stored next to the buffers themselves. The method is very easy to apply: it only requires adding one macro and wrapping the pointer to the next block with it (for Glibc, for example, only a few lines changed). The method boils down to the following change:

+#define PROTECT_PTR(pos, ptr) \
+ ((__typeof (ptr)) (((((size_t) pos) >> 12) ^ ((size_t) ptr)))

+#define REVEAL_PTR(ptr) PROTECT_PTR (&ptr, ptr)

- nextp = p->fd;
+ nextp = REVEAL_PTR (p->fd);
...
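Review bot: the PROTECT_PTR body on its second line does not parenthesize cleanly, it opens one more `(` than it closes, so the macro as quoted will not compile; the expression should read `((__typeof (ptr)) ((((size_t) pos) >> 12) ^ ((size_t) ptr)))`. The shift amount is also hard-coded as 12 although the text describes the key as `L >> PAGE_SHIFT`; a named page-shift constant would keep the key derivation correct on targets with a different page size. Finally, the alignment check on the decoded pointer that the text presents as part of the patch is not in this excerpt: REVEAL_PTR only unmasks, so the `nextp = REVEAL_PTR (p->fd);` site still needs a check that nextp is malloc-aligned before nextp is dereferenced.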

The essence of the method is to use random data that ASLR already puts into addresses (mmap_base) to protect singly linked lists such as Fast-Bins and TCache. Before a pointer to the next element of the list is used, it is unmasked with XOR and checked for page alignment. The stored pointer is replaced by the result of the operation "(L >> PAGE_SHIFT) XOR (P)", where P is the pointer value and L is the memory location at which the pointer is stored.


When ASLR (Address Space Layout Randomization) is in use, the part of the bits of L that holds the heap base address is random, and these bits serve as the key for encoding P (they are extracted by a 12-bit shift, matching 4096-byte pages). This transformation reduces the risk of pointer hijacking during an attack, since the pointer is no longer stored in its original form and replacing it requires knowing how the heap is laid out. In addition, the patch adds an extra check of block alignment, which prevents an attacker from replacing the pointer with an unaligned value and requires knowing how many low bits alignment forces to zero; on 64-bit systems, where chunks are 16-byte aligned, this alone blocks 15 out of 16 attack attempts that ignore alignment.

The method is effective against attacks that rely on a partial pointer overwrite (changing the low bytes), a full pointer overwrite (redirecting the list to attacker-controlled memory) and modification of the list at an unaligned address. As an example, it is shown that applying Safe-Linking in malloc would have blocked exploitation of the recently discovered vulnerability CVE-2020-6007 in the Philips Hue Bridge smart lighting system, which is caused by a buffer overflow and allows taking control of the device.
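To make the mechanism concrete, here is an added example written for this page, not code from Checkpoint or from glibc: a toy singly linked free list that applies the same "(L >> PAGE_SHIFT) XOR P" masking and alignment check described above, and is then subjected to a full and a partial overwrite of the link. The chunk layout, the 64 KiB-aligned demo pool, the names protect_ptr, reveal_ptr, push, pop, demo_legit and run_attack, and the 16-byte malloc alignment are all assumptions of the demo. It goes slightly beyond the text by making explicit why detection is certain only when the key's low nibble is nonzero, which is where the 15-of-16 figure quoted above comes from.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PAGE_SHIFT   12          /* 4096-byte pages, as in the glibc patch */
#define MALLOC_ALIGN 16          /* 64-bit malloc alignment (assumed)      */
#define POOL_SIZE    (1u << 16)  /* demo pool: 64 KiB, 64 KiB aligned      */
#define CHUNK_SIZE   32

/* Toy free-list chunk (demo layout): the "next" slot sits at the start of the
 * chunk, like a fastbin/tcache link, right next to attacker-writable payload. */
typedef struct chunk {
    uintptr_t fd;                                   /* stored protected */
    unsigned char payload[CHUNK_SIZE - sizeof(uintptr_t)];
} chunk_t;

/* Same arithmetic as PROTECT_PTR / REVEAL_PTR: key = (address of slot) >> 12. */
static uintptr_t protect_ptr(const void *pos, uintptr_t ptr) {
    return ((uintptr_t)pos >> PAGE_SHIFT) ^ ptr;
}
static uintptr_t reveal_ptr(const uintptr_t *slot) {
    return protect_ptr(slot, *slot);
}

/* LIFO push, like freeing a chunk into a fastbin or tcache bin. */
static void push(chunk_t **head, chunk_t *c) {
    c->fd = protect_ptr(&c->fd, (uintptr_t)*head);
    *head = c;
}

/* Pop the head chunk. Sets *corrupted when the decoded next pointer is not
 * malloc-aligned (this is where glibc aborts with "unaligned ... chunk detected"). */
static chunk_t *pop(chunk_t **head, int *corrupted) {
    chunk_t *c = *head;
    *corrupted = 0;
    if (c == NULL)
        return NULL;
    uintptr_t next = reveal_ptr(&c->fd);
    if (next & (MALLOC_ALIGN - 1)) {
        *corrupted = 1;
        return NULL;
    }
    *head = (chunk_t *)next;
    return c;
}

/* Chunks live on the pool's second page, so the key derived from &fd has low
 * nibble 1 (pool is 64 KiB aligned, hence pool >> 12 is a multiple of 16).
 * That makes the demo deterministic; on a real heap the nibble is random and
 * is zero for 1 placement in 16, the case Safe-Linking cannot catch. */
static chunk_t *chunk_at(unsigned char *pool, size_t i) {
    return (chunk_t *)(pool + 0x1000 + i * CHUNK_SIZE);
}

/* Returns 1 when three pushed chunks come back in LIFO order with a clean
 * end of list, i.e. Safe-Linking is transparent for legitimate use. */
int demo_legit(void) {
    unsigned char *pool = aligned_alloc(POOL_SIZE, POOL_SIZE);
    if (pool == NULL) return 0;
    chunk_t *head = NULL;
    int corrupted, ok = 1;
    for (size_t i = 0; i < 3; i++)
        push(&head, chunk_at(pool, i));
    for (size_t i = 3; i-- > 0;)
        ok &= (pop(&head, &corrupted) == chunk_at(pool, i)) && !corrupted;
    ok &= (pop(&head, &corrupted) == NULL) && !corrupted;
    free(pool);
    return ok;
}

enum { ATTACK_WON = 0, ATTACK_MISSED = 1, ATTACK_DETECTED = 2 };

/* partial == 0: overwrite the whole fd with a raw pointer to a fake chunk
 * (tcache-poisoning / fastbin-dup style). partial == 1: overwrite only the
 * low byte, hoping to land on an aligned address on the same page. */
int run_attack(int partial) {
    unsigned char *pool = aligned_alloc(POOL_SIZE, POOL_SIZE);
    if (pool == NULL) return -1;
    chunk_t *head = NULL;
    for (size_t i = 0; i < 3; i++)
        push(&head, chunk_at(pool, i));
    chunk_t *victim = head;                       /* the overflow hits this fd */
    uintptr_t target;
    if (partial) {
        target = (uintptr_t)(pool + 0x1080);      /* attacker's intended address */
        victim->fd = (victim->fd & ~(uintptr_t)0xff) | 0x80;
    } else {
        target = (uintptr_t)(pool + 0x1800);      /* aligned fake chunk */
        victim->fd = target;                      /* raw pointer, key unknown */
    }
    int corrupted;
    pop(&head, &corrupted);                       /* decodes victim->fd */
    uintptr_t decoded = (uintptr_t)head;
    free(pool);
    if (corrupted) return ATTACK_DETECTED;
    return decoded == target ? ATTACK_WON : ATTACK_MISSED;
}

int main(void) {
    printf("legit LIFO order ok: %d\n", demo_legit());
    printf("full overwrite:      %d (2 = detected)\n", run_attack(0));
    printf("partial overwrite:   %d (2 = detected)\n", run_attack(1));
    return 0;
}
```

Build with a C11 compiler (aligned_alloc is C11). Without Safe-Linking the full overwrite would simply make the next pop return the attacker's fake chunk; with it, the raw address is XORed with a key the attacker does not know, so the decoded value both misses the target and fails the alignment check. The partial overwrite fails for the same reason: the low nibble of the decoded pointer now depends on bits 12-15 of the slot's own address, which the attacker would need a heap-layout leak to learn.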

Source: opennet.ru
