SGX malware: how villains exploit Intel's new technology for purposes other than those it was designed for

As you know, code executing in an enclave is severely limited in what it can do. It cannot make system calls. It cannot perform I/O operations. It does not know the base address of the host application's code segment. It cannot jmp to or call host application code. It has no knowledge of the address-space layout that governs the host application (for example, which pages are mapped or what kind of data those pages hold). It cannot ask the operating system to map a piece of the host application's memory into it (for example, via /proc/pid/maps). A naive attempt to blindly read an arbitrary region of the host application's memory, let alone write to it, will sooner or later (most likely sooner) lead to forced termination of the enclave program. This happens whenever the virtual address-space region requested by the enclave is not accessible to the host application.

Given such harsh constraints, can a malware author use SGX enclaves to achieve his malicious goals?

- Hack for probing an address to see whether it can be read
- Hack for probing an address for writability
- Hack for redirecting control flow
- What do the three hacks listed above give the villain?
- How the villain uses these hacks to create ransomware

Based on all of the above, it is generally accepted that an enclave can only serve the host application, and that an enclave cannot pursue its own agenda, including a malicious one. That would mean enclaves are of no practical value to malware authors. This hasty assumption is one of the reasons why SGX protection is asymmetric: host application code cannot access enclave memory, whereas enclave code can read and write any memory address of the host application.

Therefore, if malicious enclave code were able to make arbitrary system calls on behalf of the host application, execute arbitrary code on its behalf, scan the host application's memory and find abusable ROP chains in it, it could seize complete control of the host application, in stealth mode. It could not only steal and encrypt user files, but also act on the user's behalf, for example by sending phishing emails in the user's name or carrying out DoS attacks, with no fear of even the most modern protection mechanisms, such as stack canaries and address sanitization.

We will show you a few hacks that attackers use to overcome the restrictions described above and exploit SGX for their own malicious purposes: ROP attacks, either to execute arbitrary code disguised as a host application process (similar to process hollowing, which malware often uses), or to hide ready-made malware (to protect that malware from antivirus software and other defence mechanisms).

Hack for probing an address to see whether it can be read

Since the enclave does not know which ranges of the virtual address space are accessible to the host application, and since the enclave is forcibly terminated when it tries to read an inaccessible address, the attacker faces the task of finding a fault-tolerant way to scan the address space, that is, a way to map out the available addresses. The villain solves this problem by misusing Intel's TSX technology. He uses one of TSX's side effects: if a memory access is placed inside a TSX transaction, exceptions arising from access to invalid addresses are suppressed by TSX without ever reaching the operating system. If an attempt is made to access an invalid memory address, only the current transaction is aborted, not the entire enclave program. In other words, TSX allows an enclave to safely access any address from within a transaction, with no risk of crashing.

If the specified address is accessible to the host application, the TSX transaction usually succeeds. In rare cases it can fail because of external influences such as interrupts (for example, scheduler interrupts), cache evictions, or concurrent modification of the memory location by multiple processes. In these rare cases, TSX returns an error code indicating that the failure is temporary, and you just need to restart the transaction.

If the specified address is not accessible to the host application, TSX suppresses the exception that occurred (the OS is not notified) and aborts the transaction. An error code is returned to the enclave code so that it can react to the fact that the transaction was aborted. These error codes indicate that the address in question is not accessible to the host application.

This manipulation of TSX from within the enclave has a nice feature for the villain: since most hardware performance counters are not updated while enclave code is executing, it is impossible to track TSX transactions executed inside the enclave. Thus, the malicious manipulation of TSX remains completely invisible to the operating system.

In addition, since the hack above does not rely on any system calls, it can be neither detected nor prevented by simply blocking system calls, a measure that usually gives good results against egg hunting.

The villain uses the hack described above to search the host application's code for gadgets suitable for building a ROP chain. He does not need to probe every address: it is enough to probe one address from each page of the virtual address space. Probing all sixteen gigabytes of memory takes about 16 minutes (on an Intel i45-7K). As a result, the villain obtains a list of executable pages suitable for building a ROP chain.
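
The probe described in this section needs TSX transactions in addition to SGX, so a defender can start by checking which of the two a host's CPU enumerates. The following is an added example, not code from the original article; it assumes an x86 build with GCC or Clang, and the function and enum names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Feature bits in CPUID.(EAX=07H,ECX=0):EBX, per the Intel SDM. */
#define LEAF7_EBX_SGX (1u << 2)   /* Software Guard Extensions */
#define LEAF7_EBX_RTM (1u << 11)  /* TSX transactions (XBEGIN/XEND/XABORT) */

enum exposure {
    EXPOSURE_NONE,        /* neither prerequisite is enumerated */
    EXPOSURE_SGX_ONLY,    /* enclaves, but no transactional probing */
    EXPOSURE_TSX_ONLY,    /* transactions, but no enclaves */
    EXPOSURE_SGX_AND_TSX  /* both prerequisites of the technique */
};

/* Pure decoder, so the classification can be tested without the CPU. */
enum exposure classify_leaf7_ebx(uint32_t ebx)
{
    int sgx = (ebx & LEAF7_EBX_SGX) != 0;
    int rtm = (ebx & LEAF7_EBX_RTM) != 0;
    if (sgx && rtm) return EXPOSURE_SGX_AND_TSX;
    if (sgx) return EXPOSURE_SGX_ONLY;
    if (rtm) return EXPOSURE_TSX_ONLY;
    return EXPOSURE_NONE;
}

/* Reads leaf 7 on the running CPU; returns 0 if it cannot be queried. */
int read_leaf7_ebx(uint32_t *ebx)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a = 0, b = 0, c = 0, d = 0;
    if (!__get_cpuid_count(7, 0, &a, &b, &c, &d)) return 0;
    *ebx = b;
    return 1;
#else
    (void)ebx;  /* not an x86 build: nothing to query */
    return 0;
#endif
}

int main(void)
{
    static const char *label[] = { "none", "SGX only", "TSX only", "SGX and TSX" };
    uint32_t ebx = 0;
    if (!read_leaf7_ebx(&ebx)) { puts("CPUID leaf 7 not available"); return 2; }
    printf("leaf7.ebx=0x%08x exposure: %s\n", (unsigned)ebx, label[classify_leaf7_ebx(ebx)]);
    return 0;
}
```

CPUID enumeration shows only that the processor offers a feature; whether SGX is enabled in firmware is a separate check.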

Hack for probing an address for writability

To carry out the enclave version of a ROP attack, the attacker needs to be able to find writable, unused memory regions of the host application. The attacker uses these memory regions to inject a fake stack frame and to inject the payload (shellcode). The key point is that a malicious enclave cannot ask the host application to allocate memory for it, but it can instead misuse memory the host application has already allocated, provided, of course, that it manages to find such regions without crashing the enclave.

The villain performs this search by exploiting another side effect of TSX. First, as in the previous case, he probes the address for existence, and then checks whether the page corresponding to this address is writable. To do this, the villain uses the following hack: he places a write operation in a TSX transaction and, after it has executed but before the transaction has completed, forcibly aborts the transaction (explicit abort).

By looking at the return code from the TSX transaction, the attacker learns whether the page is writable. If it is an "explicit abort", the villain knows that the write would have succeeded had he gone through with it. If the page is read-only, the transaction ends with an error other than "explicit abort".

This manipulation of TSX has another nice feature for the villain (besides being impossible to track through hardware performance counters): since all memory write instructions are committed only if the transaction succeeds, forcibly aborting the transaction guarantees that the probed memory cell remains unchanged.

Hack for redirecting control flow

When carrying out a ROP attack from an enclave, unlike a traditional ROP attack, the attacker can gain control of the RIP register without exploiting any bugs in the attacked program (a buffer overflow or the like). The attacker can directly overwrite the value of the RIP register stored on the stack. In particular, he can replace the value of this register with his own ROP chain.

However, if the ROP chain is long, overwriting a large chunk of the host application's stack can lead to data corruption and unexpected program behaviour. The villain, who wants to carry out his attack covertly, is not satisfied with this state of affairs. He therefore creates a fake temporary stack frame and stores his ROP chain in it. The fake stack frame is placed in a random writable memory region, leaving the real stack intact.

What do the three hacks listed above give the villain?

(1) First, using the hack for probing an address to see whether it can be read, the malicious enclave searches the host application for abusable ROP gadgets.

(2) Then, using the hack for probing an address for writability, the malicious enclave identifies regions in the host application's memory suitable for injecting the payload.

(3) Next, the enclave builds a ROP chain from the gadgets found in step (1) and injects this chain into the host application's stack.

(4) Finally, when the host application encounters the ROP chain created in the previous step, the malicious payload starts executing, with the host application's privileges and the ability to make system calls.

How the villain uses these hacks to create ransomware

After the host application transfers control to the enclave through one of the ECALLs (without suspecting that the enclave is malicious), the malicious enclave searches the host application's memory for free space in which to inject code (it treats sequences of cells filled with zeros as free space). Then, using the hack for probing an address to see whether it can be read, the enclave searches for executable pages in the host application and generates a ROP chain that creates a new file named "RANSOM" in the current directory (in a real attack, the enclave would encrypt the user's existing files) and displays a ransom message. Meanwhile, the host application naively believes that the enclave is merely adding two numbers. What does this look like in code?

For readability, let us introduce a few mnemonics through definitions:

We save the original values of the RSP and RBP registers so that the host application's normal operation can be restored after the payload has executed:

We look for a suitable stack frame (see the code from the section "Hack for redirecting control flow").

Finding suitable ROP gadgets:

Finding a place to inject the payload:

We build the ROP chain:

This is how Intel's SGX technology, designed to counter malicious programs, is used by villains to achieve the opposite goals.

Source: www.habr.com
