Attack on Intel SGX to extract confidential data or execute code in an enclave

Researchers from the Defense Science and Technology University of the People's Liberation Army, the National University of Singapore and ETH Zurich have developed a new method of attacking isolated Intel SGX (Software Guard eXtensions) enclaves. The attack is called SmashEx and is caused by reentrancy problems in exception handling within the runtime components for Intel SGX. Given control over the operating system, the proposed method makes it possible to determine confidential data held in the enclave, or to arrange for the attacker's own code to be copied into enclave memory and executed.

Exploit prototypes have been prepared for enclaves with a runtime based on the Intel SGX SDK (CVE-2021-0186) and Microsoft Open Enclave (CVE-2021-33767). In the first case, the ability to extract an RSA key used by a web server for HTTPS was demonstrated, and in the second, it was possible to determine the content retrieved by the cURL utility running inside the enclave. The vulnerability has already been fixed in software in the Intel SGX SDK 2.13 and Open Enclave 0.17.1 releases. In addition to the Intel SGX SDK and Microsoft Open Enclave, the vulnerability also appears in Google Asylo SDK, EdgelessRT, Apache Teaclave, Rust SGX SDK, SGX-LKL, CoSMIX and Veracruz.

Recall that SGX (Software Guard Extensions) technology appeared in sixth-generation Intel Core processors (Skylake) and offers a series of instructions that allow user-level applications to allocate closed memory regions, called enclaves, whose contents cannot be read or modified even by the kernel and by code running in ring0, SMM and VMM modes. Control cannot be transferred to code in an enclave using traditional jump functions and manipulations of registers and the stack: the specially created new instructions EENTER, EEXIT and ERESUME are used to transfer control to the enclave, and they perform authorization checks. At the same time, code placed in the enclave can use classical calling methods to reach functions inside the enclave and a special instruction to call external functions. Enclave memory encryption is used to protect against hardware attacks such as connecting to the DRAM module.


The problem is that SGX technology allows the operating system to interrupt an enclave by raising a hardware exception, and enclaves do not properly implement primitives for handling such exceptions atomically. Unlike the operating system kernel and ordinary applications, code inside enclaves has no access to primitives for organizing atomic actions while handling asynchronously raised exceptions. Without these atomic primitives, the enclave can be interrupted at any time and returned to execution, even at moments when the enclave is executing critical sections and is in an unsafe state (for example, when CPU registers have not been saved/restored).


For normal operation, SGX technology allows the execution of an enclave to be interrupted by configurable hardware exceptions. This feature allows enclave runtime environments to implement intra-enclave exception handling or signal handling, but it can also lead to reentrancy errors. The SmashEx attack is based on exploiting flaws in the SDK because of which the situation of the exception handler being invoked again is not handled properly. Importantly, to exploit the vulnerability the attacker must be able to interrupt the execution of the enclave, i.e. must control the operation of the system environment.

After raising an exception, the attacker gets a small time window during which the execution flow can be hijacked by manipulating the input parameters. In particular, with access to the system (the environment outside the enclave), it is possible to raise a new exception immediately after the enclave entry instruction (EENTER) has executed, which returns control to the system at a stage when the setup of the enclave's stack, in which the state of the CPU registers is also saved, has not yet been completed.

The system can then return control back to the enclave, but since the enclave's stack had not been set up at the moment of the interruption, the enclave will execute with a stack residing in system memory, which can be used to apply exploitation techniques based on return-oriented programming (ROP, Return-Oriented Programming). When using the ROP technique, the attacker does not try to place their own code in memory, but operates on pieces of machine instructions already present in loaded libraries that end with a control return instruction (as a rule, these are the ends of library functions). The work of the exploit comes down to building a chain of calls to such blocks ("gadgets") to obtain the desired functionality.
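One way to picture the missing check, as an added example that is not code from the article, the SDKs or the researchers: a simplified C model in which an exception handler takes its frame from the stack pointer recorded at interruption, first without validation and then only after confirming it lies on the thread's trusted in-enclave stack. The struct layout, function names and addresses are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model; every name here is hypothetical, not an SDK identifier. */
typedef struct {
    uint64_t enclave_base, enclave_end;  /* enclave address range [base, end) */
    uint64_t stack_limit, stack_base;    /* this thread's trusted stack [limit, base) */
} thread_ctx;

typedef struct { uint64_t rsp; } saved_regs;  /* stack pointer recorded at interruption */

/* Constructed sample layout, for illustration only. */
static const thread_ctx SAMPLE_THREAD = {
    0x10000000u, 0x10100000u, 0x10080000u, 0x10090000u
};

/* True if [p, p+len) lies inside [lo, hi), computed without integer overflow. */
static bool in_range(uint64_t p, uint64_t len, uint64_t lo, uint64_t hi) {
    return p >= lo && p <= hi && len <= hi - p;
}

/* Unchecked form: trusts whatever stack pointer was recorded. */
uint64_t handler_frame_unchecked(const saved_regs *r, uint64_t frame) {
    return r->rsp - frame;
}

/* Checked form: returns 0 unless the whole frame sits on the trusted stack. */
uint64_t handler_frame_checked(const thread_ctx *t, const saved_regs *r, uint64_t frame) {
    if (r->rsp < frame) return 0;                 /* subtraction would wrap */
    uint64_t top = r->rsp - frame;
    /* the trusted stack itself must lie inside the enclave */
    if (!in_range(t->stack_limit, t->stack_base - t->stack_limit,
                  t->enclave_base, t->enclave_end)) return 0;
    if (!in_range(top, frame, t->stack_limit, t->stack_base)) return 0;
    return top;
}

int main(void) {
    saved_regs inside = { 0x1008f000u }, outside = { 0x7ffd0000u };
    printf("in-enclave rsp  -> %llx\n",
           (unsigned long long)handler_frame_checked(&SAMPLE_THREAD, &inside, 0x200));
    printf("untrusted rsp   -> %llx (0 = rejected)\n",
           (unsigned long long)handler_frame_checked(&SAMPLE_THREAD, &outside, 0x200));
    return 0;
}
```
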



Source: opennet.ru
