Intel zambiri zatsopano m'ma processor awo - (Microarchitectural Data Sampling). Monga kuukira kwa Specter m'mbuyomu, mavuto atsopano angayambitse kutayikira kwachinsinsi kuchokera pamakina ogwiritsira ntchito, makina enieni ndi njira zina. Akuti mavutowa adadziwika koyamba ndi ogwira ntchito ku Intel ndi othandizana nawo panthawi yofufuza zamkati, pambuyo pake ofufuza odziyimira pawokha adapereka chidziwitso chokhudzana ndi zovuta zomwezo kwa Intel. Mapurosesa a AMD ndi ARM sakhudzidwa ndi vutoli.
Kutengera zovuta zomwe zadziwika ndi ofufuza ochokera ku Technical University of Graz (Austria) Zina zowopsa za mayendedwe apambali:
- () - amakulolani kuchotsa zinsinsi kuchokera kuzinthu zina, makina ogwiritsira ntchito, makina enieni ndi ma enclaves otetezedwa (TEE, Trusted Execution Environment). Mwachitsanzo, kutha kudziwa mbiri yamasamba otsegulira mu msakatuli wa Tor omwe akuthamanga mu makina ena enieni adawonetsedwa, komanso kudziwa makiyi olowera ndi mapasiwedi omwe amagwiritsidwa ntchito pazofunsira;
- () - imalola kutayikira kwa chidziwitso pakati pa madera osiyanasiyana akutali mu ma processor a Intel, monga ma buffers, ma buffers osungira ndi madoko onyamula katundu. Zitsanzo za kuukira zikuwonetsedwa kukonza kutayikira kuchokera ku njira zina, makina ogwiritsira ntchito, makina enieni ndi ma enclaves otetezedwa. Mwachitsanzo, ikuwonetsa momwe mungadziwire zomwe zili muzu wa password hash kuchokera ku /etc/shadow panthawi yoyesera kutsimikizira nthawi ndi nthawi (kuukiraku kunatenga maola 24);
Kuonjezera apo, chitsanzo cha kuukira pogwiritsa ntchito JavaScript ndi WebAssembly chikuwonetsedwa potsegula tsamba loipa mu injini ya SpiderMonkey (m'masakatuli amakono amakono, kuukira koteroko sikungatheke chifukwa cha kulondola kwa nthawi yochepa komanso njira zotetezera ku Specter);
- () - imapangitsa kuti muwerenge zomwe zalembedwa posachedwa ndi makina ogwiritsira ntchito ndikuzindikira masanjidwe a kukumbukira kwa OS kuti muchepetse zovuta zina;
- - imagwiritsa ntchito kukhathamiritsa kwa CPU kuti igwire ntchito ndi chosungira chosungira ndipo ingagwiritsidwe ntchito kudutsa makina opangira ma kernel adilesi (KASLR), kuyang'anira momwe makina ogwirira ntchito, kapena kuchucha kuphatikiza ndi zida zotengera njira za Specter.
Kuzindikiridwa :
- CVE-2018-12126 - MSBDS (Microarchitectural Store Buffer Data Sampling), kubwezeretsanso zomwe zili muzosungirako. Amagwiritsidwa ntchito mu Fallout attack. Mlingo wangozi umatsimikiziridwa kukhala mfundo za 6.5 (CVSS);
- CVE-2018-12127 - MLPDS (Microarchitectural Load Port Data Sampling), kubwezeretsanso zomwe zili padoko. Amagwiritsidwa ntchito pakuwukira kwa RIDL. CVSS 6.5;
- CVE-2018-12130 - MFBDS (Microarchitectural Fill Buffer Data Sampling), kubwezeretsanso zomwe zili mkati mwa buffer. Amagwiritsidwa ntchito pa ZombieLoad ndi RIDL. CVSS 6.5;
- CVE-2019-11091 - MDSUM (Microarchitectural Data Sampling Uncacheable Memory), kubwezeretsanso zomwe zili mkati mwamakumbukidwe. Amagwiritsidwa ntchito pakuwukira kwa RIDL. CVSS 3.8.
adazindikira zovuta pakutha kugwiritsa ntchito njira zowunikira njira zam'mbali ku data muzomangamanga zazing'ono zomwe mapulogalamu alibe mwachindunji. Tikukamba za zomangira zotsika monga ma buffers odzaza (Line Fill Buffer), ma buffers (Store Buffer) ndi madoko (Load Port), omwe ndi midadada yomangira ting'onoting'ono kuposa cache yoyamba (L1D), cache ya data ( RDCL ) kapena L1TF (L1 Terminal Fault), ndipo motere muphatikizepo zidziwitso zochepa ndipo zimasinthidwa mozama.
Kuukira kwapambali pamapangidwe ang'onoang'ono kumakhala kovuta kwambiri kuyerekeza ndi njira zobwezeretsera zomwe zili mkati mwa cache ndipo zimafunikira kutsata ndikusanthula kuchuluka kwa data kuti mudziwe kulumikizana kwawo ndi ma adilesi ena omwe amakumbukiridwa (kwenikweni, wowukira sangathe kuletsa mwadala zinthu zina. , koma ingakhale nthawi yosonkhanitsa kutayikira ndikugwiritsa ntchito njira zowerengera kuti apangenso mitundu ina ya data). Kuphatikiza apo, kuwukirako kumangokhudza zomwe zili pamtundu womwewo wa CPU monga nambala ya wowukirayo.
Njira zomwe zaperekedwa zodziwira zomwe zili muzomangamanga zazing'ono zimatengera kuti zomangazi zimagwiritsidwa ntchito pakuwongolera mongoyerekeza (zolakwika) kapena katundu ndi sitolo.
Pakuphedwa mongoyerekeza, zomwe zili mkati mwake zimatumizidwa ku registry kapena cache kuti zisinthidwe. Zochitika zongopeka sizitha ndipo zotsatira zake zimatayidwa, koma zomwe zatumizidwanso zitha kuzindikirika pogwiritsa ntchito njira zowunikira posungira m'mbali mwa tchanelo.
Madoko onyamula katundu amagwiritsidwa ntchito ndi purosesa kuti alandire deta kuchokera pamtima kapena kagawo kakang'ono ka I/O ndikupereka zidziwitso zolandilidwa ku ma regista a CPU. Chifukwa cha kukhazikitsidwa, deta yochokera kuzinthu zakale zotsitsa imakhalabe m'madoko mpaka italembedwa ndi deta yatsopano, zomwe zimapangitsa kuti zitheke kudziwa momwe deta iliri mu doko lotsitsa pogwiritsa ntchito zosiyana (zolakwika) ndi SSE / AVX / Malangizo a AVX-512 omwe amanyamula data yopitilira 64 bits. Pazifukwa zotere, ntchito zonyamula katundu zimawulula zidziwitso zakale kuchokera kuzinthu zamkati kupita kuzomwe zimadalira. Momwemonso, kutayikira kumakonzedwa kudzera mu buffer yosungiramo, yomwe imagwiritsidwa ntchito kufulumizitsa kulembera ku cache ya CPU ndipo imaphatikizapo tebulo la ma adilesi, zikhalidwe ndi mbendera, komanso kudzera mu buffer yodzaza, yomwe ili ndi deta yomwe sichinafike ku cache ya L1 (cache-miss), pakadali pano ikutsitsa kuchokera kumagawo ena.
vuto Mitundu ya purosesa ya Intel yopangidwa kuyambira 2011 (kuyambira m'badwo wa 6). Pamenepa, kuwonongeka kwa hardware kumatsekedwa kuyambira pamitundu ina ya 8th ndi 9th mibadwo ya Intel Core ndi 2nd generation ya Intel Xeon Scalable (mutha kuyang'ana pogwiritsa ntchito ARCH_CAP_MDS_NO bit mu IA32_ARCH_CAPABILITIES MSR). Zowopsa ziliponso kale pamlingo wa firmware, microcode ndi machitidwe opangira. Intel imayerekeza kutayika kwa magwiridwe antchito pambuyo poyambitsa chigamba cha ogwiritsa ntchito ambiri 3%. Ukadaulo wa Hyper-Threading ukayimitsidwa, kuwonongeka kwa magwiridwe antchito kumatha kufika mpaka 9% mu mayeso a SPECint_rate_base, mpaka 11% pakuwerengera kokwanira, mpaka 19% mukamagwiritsa ntchito mapulogalamu a Java kumbali ya seva (yokhala ndi HT, pali pafupifupi palibe kuwonongeka kwa ntchito). Zigamba sizimakhudza magwiridwe antchito a I/O.
Linux kernel imateteza ku MDS m'masiku ano 5.1.2, 5.0.16,
4.19.43, 4.14.119 ndi 4.9.176. Njira yachitetezo pochotsa zomwe zili m'mabafa ang'onoang'ono panthawi yobwerera kuchokera ku kernel kupita ku malo ogwiritsira ntchito kapena posamutsa ulamuliro ku dongosolo la alendo, lomwe malangizo a VERW amagwiritsidwa ntchito. Kuti chitetezo chigwire ntchito, pamafunika thandizo la MD_CLEAR, yokhazikitsidwa ndikusintha kwaposachedwa kwa ma microcode. Kuti mutetezedwe kwathunthu, tikulimbikitsidwanso kuletsa Hyper Threading. Kuti muwone momwe dongosololi likuwonetseredwa pachiwopsezo mu Linux kernel chothandizira "/sys/devices/system/cpu/vulnerabilities/mds". Kuti muwongolere kuphatikizika kwa mitundu yosiyanasiyana yotchingira pachiwopsezo, gawo la "mds=" lawonjezedwa ku kernel, lomwe lingatenge "zambiri", "full,nosmt" (kulepheretsa Hyper-Threads), "vmwerv" ndi "kuchoka".
Zosintha zamaphukusi zatulutsidwa kale ΠΈ , koma sichikupezeka pano , ΠΈ .
Kukonzekera kuletsa kutayikira kwa data kuchokera pamakina enieni nawonso kwa Xen hypervisor. Kuteteza machitidwe owonetseratu omwe amapereka lamulo la L1D_FLUSH musanasamutsire ku makina ena enieni, komanso kuteteza ma Intel SGX enclaves, kusintha kwa microcode ndikokwanira.
Source: opennet.ru