Mayhem - memory bit-flip attack that bypasses authentication in sudo and OpenSSH

Researchers from Worcester Polytechnic Institute (USA) have presented a new class of attack, called Mayhem, which uses the Rowhammer technique of flipping bits in dynamic random-access memory (DRAM) to alter the contents of stack variables that a program uses as flags for deciding whether authentication and security checks have passed. Practical variants of the attack are demonstrated that bypass authentication in SUDO, OpenSSH and MySQL and that change the outcome of security-related checks in the OpenSSL library.

The attack applies to applications whose checks decide an outcome by testing whether a value differs from zero. Example of vulnerable code:

   int auth = 0;
   ...   /* authentication code that changes the value */
   if (auth != 0)
       return AUTH_SUCCESS;
   else
       return AUTH_FAILURE;

In this example a successful attack only needs to flip a single bit in the memory that holds the 32-bit auth variable on the stack. Whichever bit is corrupted, the value is no longer zero and the program treats the authentication as having succeeded. Checks of this kind are very common and are found, for example, in SUDO, OpenSSH, MySQL and OpenSSL.


The attack can also be applied to comparisons of the form "if (auth == 1)", but in that case it is harder to carry out, because not just any of the 32 bits but exactly the lowest one has to be flipped. The method can also be used to influence values held in processor registers, since register contents are temporarily spilled to the stack on context switches, function calls and signal handler invocations. During the window in which the register's value sits in memory the flip can be induced, and the corrupted value is then loaded back into the register.


The bits are flipped with one of the variants of the RowHammer class of attacks. DRAM is a two-dimensional array of cells, each consisting of a capacitor and a transistor, and repeatedly reading the same memory region causes voltage fluctuations and anomalies that drain a small amount of charge from neighbouring cells. If the read rate is high enough, a neighbouring cell can lose so much charge that the next refresh cycle no longer has time to restore its original state, and the value of the data stored in that cell changes. To counter RowHammer, chip manufacturers added the TRR (Target Row Refresh) mechanism, which prevents cell corruption in certain specific cases but does not protect against all possible attack variants.

To protect against the Mayhem attack it is recommended that comparisons do not test for "differs from zero" or "equals one", but for a match against a seed value that is non-zero and whose octets are all non-zero. To set the variable to the required value an attacker would then have to flip a large number of bits precisely, which is unrealistic, unlike a single-bit flip. Example of code not susceptible to the attack, as the source gives it: "int auth = 0xbe406d1a; ... else return AUTH_FAILURE;".
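To make concrete why the three check patterns discussed above differ, here is an added example in C (written for this article; it is not code from the Mayhem paper, from sudo or from any of the projects named). It models a Rowhammer-induced flip as an XOR of one bit into the flag variable and counts how many of the 32 possible single flips each kind of check mistakes for a successful authentication. The seed 0xbe406d1a is the one from the text; the second constant AUTH_GRANTED, the function names, and the design in which the flag starts at the seed and is set to a different sentinel only on success are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Return codes, named as in the article's snippets; the numeric values are
   arbitrary for this example. */
#define AUTH_SUCCESS 1
#define AUTH_FAILURE 0

/* Sentinels for the hardened flag. AUTH_PENDING is the seed shown in the
   article; AUTH_GRANTED is an assumed second constant chosen as its bitwise
   complement so that every one of the 32 bits differs between the two. */
#define AUTH_PENDING UINT32_C(0xbe406d1a)
#define AUTH_GRANTED UINT32_C(0x41bf92e5)

typedef int (*check_fn)(uint32_t auth);

/* Pattern 1 (vulnerable): "authenticated" means "anything but zero". */
static int check_nonzero(uint32_t auth)
{
    return auth != 0 ? AUTH_SUCCESS : AUTH_FAILURE;
}

/* Pattern 2 (harder, still a single flip): "authenticated" means exactly 1. */
static int check_equals_one(uint32_t auth)
{
    return auth == 1 ? AUTH_SUCCESS : AUTH_FAILURE;
}

/* Pattern 3 (hardened): only the full 32-bit sentinel means success. */
static int check_sentinel(uint32_t auth)
{
    return auth == AUTH_GRANTED ? AUTH_SUCCESS : AUTH_FAILURE;
}

/* Model a single Rowhammer-induced bit flip in the flag: try each of the 32
   bit positions on the "not authenticated" starting value and count how many
   of those flips the check mistakes for a successful authentication. */
static int count_single_flip_bypasses(check_fn check, uint32_t initial)
{
    int bypasses = 0;
    for (int bit = 0; bit < 32; bit++) {
        uint32_t flipped = initial ^ (UINT32_C(1) << bit);
        if (check(flipped) == AUTH_SUCCESS)
            bypasses++;
    }
    return bypasses;
}

/* Minimum number of bit flips that turn `from` into `to` (Hamming distance).
   For the hardened pattern this is the work an attacker would have to do. */
static int flips_needed(uint32_t from, uint32_t to)
{
    uint32_t diff = from ^ to;
    int n = 0;
    while (diff) {
        n += diff & 1u;
        diff >>= 1;
    }
    return n;
}

/* Sanity check for a candidate sentinel, following the article's advice that
   the seed be non-zero with no zero octet: returns 1 if any byte is zero. */
static int has_zero_octet(uint32_t v)
{
    for (int shift = 0; shift < 32; shift += 8)
        if (((v >> shift) & 0xffu) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("if (auth != 0):   %d of 32 single flips bypass\n",
           count_single_flip_bypasses(check_nonzero, 0));
    printf("if (auth == 1):   %d of 32 single flips bypass\n",
           count_single_flip_bypasses(check_equals_one, 0));
    printf("sentinel compare: %d of 32 single flips bypass, %d flips needed\n",
           count_single_flip_bypasses(check_sentinel, AUTH_PENDING),
           flips_needed(AUTH_PENDING, AUTH_GRANTED));
    printf("zero octet in AUTH_PENDING / AUTH_GRANTED: %d / %d\n",
           has_zero_octet(AUTH_PENDING), has_zero_octet(AUTH_GRANTED));
    return 0;
}
```

Compile with `cc -Wall mayhem_flags.c && ./a.out`. The "!= 0" check is defeated by every one of the 32 single flips, the "== 1" check by exactly one, and the sentinel check by none, because the accepted value is 32 flips away from the starting value. The design point this makes visible is that comparing against a constant is not enough on its own: what matters is the Hamming distance between the value the flag holds before authentication and the value the check accepts, so the initial value must not be one flip away from the success sentinel.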

The protection described above has already been adopted by the sudo developers and was included in release 1.9.15 as the fix for the vulnerability CVE-2023-42465. Publication of the attack code is planned once fixes have been prepared by the main affected projects.

Source: opennet.ru
