ruzivo nezve kirasi itsva yekurwisa (Load Value jekiseni, ) pane yekufungidzira nzira yekuuraya muIntel CPUs, inogona kushandiswa kuburitsa makiyi uye yakavanzika data kubva kuIntel SGX enclaves uye mamwe maitiro.
Kirasi nyowani yekurwiswa yakavakirwa pakunyengera kweiyo yakafanana microarchitectural zvimiro zvinoshandiswa mukurwiswa (Microarchitectural Data Sampling), . Panguva imwecheteyo, kurwiswa kutsva hakuna kuvharwa nenzira dziripo dzekudzivirira kubva kuMeltdown, Specter, MDS uye kumwe kurwiswa kwakafanana. Inoshanda LVI dziviriro inoda shanduko yehardware kuCPU. Paunenge uchironga dziviriro zvakarongeka, nekuwedzera iyo LFENCE rairo nemugadziri mushure mekuita basa remutoro kubva kundangariro uye kutsiva iyo RET rairo nePOP, LFENCE uye JMP, yakawandisa pamusoro inorekodhwa - sekureva kwevaongorori, kuzara kwesoftware kudzivirira kuchaita kuti kuderera kuita ne2-19 nguva.
Chikamu chekuomerwa mukuvharisa dambudziko chinodzikiswa nenyaya yekuti kurwiswa kwacho parizvino kwanyanya dzidziso pane kuita (kurwisa kwacho kunogoneka, asi kwakaoma kwazvo kuita uye kunongodzokororwa mune zvekugadzira bvunzo).
Intel dambudziko rine mwero wepakati wengozi (5.6 kunze kwe10) uye kuvandudza iyo firmware uye SDK yeSGX nharaunda, umo yakaedza kuvharira kurwisa uchishandisa workaround. Nzira dzekurwisa dzakarongwa parizvino dzinongoshanda kuIntel processors, asi mukana wekugadzirisa LVI kune mamwe ma processor ayo Meltdown-kirasi kurwisa kunoshanda haugone kubviswa.
Dambudziko rakaonekwa muna Kubvumbi apfuura nemuongorori Jo Van Bulck kubva kuYunivhesiti yeLeuven, mushure mezvo, nekubatanidzwa kwevatsvakurudzi ve9 kubva kune mamwe mayunivhesiti, nzira shanu dzekurwisa dzakagadzirwa, imwe neimwe inobvumira kuvapo kwezvimwe zvakananga. . Kuzvimiririra, muna Kukadzi wegore rino, vaongorori kubva kuBitdefender zvakare imwe yeLVI kurwisa kwakasiyana ndokuiudza kuIntel. Misiyano yekurwisa inosiyaniswa nekushandiswa kweakasiyana microarchitectural zvimiro, senge yekuchengetedza buffer (SB, Store Buffer), zadza buffer (LFB, Mutsetse Zadza Buffer), FPU mamiriro ekuchinja buffer uye yekutanga-level cache (L1D), yakamboshandiswa. mukurwisa kwakadai , , , , ΠΈ .
Iyo huru Iyo LVI inopesana neMDS kurwiswa ndeyekuti MDS inoshandura kugadzwa kwezviri mukati meiyo microarchitectural zvimiro zvakasara mucache mushure mekufungidzira kukanganisa kubata kana kurodha uye chitoro mabasa, uku.
Kurwiswa kweLVI kunobvumira data reanorwisa kuti iiswe muzvimiro zvidiki zvekukurudzira kunotevera kufungidzira kuurayiwa kwekodhi yeakabatwa. Uchishandisa aya manipulations, anorwisa anogona kubvisa zviri mukati meyakavanzika data zvimiro mune mamwe maitiro paunenge uchiita imwe kodhi pane yakananga CPU musimboti.
nokuti mukodhi yemaitiro ekubatwa kutevedzana kwakakosha kwekodhi (magajeti) umo murwi anodzorwa kukosha anoiswa, uye kurodha kukosha uku kunokonzeresa kusarudzika (kukanganisa, kubvisa kana kubatsira) kukandwa, kurasa mhedzisiro uye kuita zvakare rairo. Kana kusarudzika kuchigadziriswa, hwindo rekufungidzira rinoonekwa panguva iyo data yakagadziriswa mugadget inodonha. Kunyanya, processor inotanga kuita chidimbu chekodhi (gadget) nenzira yekufungidzira, yobva yaona kuti kufanotaura hakuna kurongeka uye kudzosera mashandiro kumamiriro avo ekutanga, asi iyo data yakagadziriswa panguva yekufungidzira inoiswa muL1D cache. uye microarchitectural buffers uye inowanikwa kuti itore kubva kwavari uchishandisa nzira dzinozivikanwa dzekutarisa data rasara kuburikidza nechechitatu-bato nzira.
Iyo "rubatsiro" yakasarudzika, kusiyana neye "kukanganisa" kusarudzika, inobatwa nemukati ne processor pasina kudaidza software vanobata. Kubatsira kunogona kuitika, semuenzaniso, kana iyo A (Yakasvika) kana D (Yakasviba) bhiti iri mundangariro peji tafura inoda kuvandudzwa. Dambudziko guru mukuita kurwisa kune mamwe maitiro nderekutanga kuitika kwekubatsira nekushandisa nzira yemunhu anenge abatwa. Ikozvino hapana nzira dzakavimbika dzekuita izvi, asi zvinogoneka kuti dzichawanikwa mune ramangwana. Iko mukana wekuita kurwiswa kusvika parizvino wakasimbiswa chete kune Intel SGX enclaves, mamwe mamiriro ekufungidzira kana kudhindwa mumamiriro ekugadzira (zvinoda kuwedzera mamwe magajeti kukodhi)
Zvinogoneka kurwisa mavector:
- Dhata kuvuza kubva kukernel zvimiro kuita mushandisi-nhanho maitiro. Dziviriro yeLinux kernel kubva kuSpecter 1 kurwiswa, pamwe neSMAP (Supervisor Mode Access Prevention) nzira yekudzivirira, inoderedza zvakanyanya mukana wekurwiswa kweLVI. Kuwedzera dziviriro kune kernel kungave kuri madikanwa kana nzira dzakareruka dzekurwisa dzeLVI dzikaonekwa mune ramangwana.
- Data leakage pakati akasiyana maitiro. Kurwiswa kunoda kuvepo kwezvimwe zvimedu zvekodhi mukushandisa uye tsananguro yenzira yekukanda yakasarudzika mune inotangwa maitiro.
- Kuburitswa kwedata kubva kunharaunda yevaenzi kuenda kune yevaenzi system. Kurwiswa kwacho kunorondedzerwa sekunyanya kuomarara, kunoda nhanho dzakasiyana-siyana dzakaoma-kuita uye kufanotaura kwechiitiko muhurongwa.
- Kudonha kwedata pakati pemaitiro mune akasiyana masisitimu evaenzi. Iyo yekurwisa vector iri padhuze nekuronga kubuda kwedata pakati pemaitiro akasiyana, asi zvakare inoda mamanipulations akaoma kunzvenga kuzviparadzanisa pakati pevaenzi masisitimu.
Rakabudiswa nevatsvakurudzi nekuratidzwa kwenheyo dzekuita kurwisa, asi havasati vakakodzera kuita kurwisa chaiko. Muenzaniso wekutanga unokutendera kuti udzokorore kufungidzira kodhi kuuraya mukuita kwemunhu anenge abatwa, yakafanana neyekudzoserwa-inotungamirwa hurongwa (,Return-Oriented Programming). Mumuenzaniso uyu, munhu akabatwa chirongwa chakanyatsogadzirirwa chine majeti anodiwa (kushandisa kurwisa kune chaiwo echitatu-bato maitiro kwakaoma). Muenzaniso wechipiri unotitendera kuti tizvipinze mukuverenga panguva yeAES encryption mukati meIntel SGX enclave uye kuronga kuburitswa kwedhata panguva yekufungidzira kwekuita kwemirairo kudzoreredza kukosha kwekiyi yakashandiswa encryption.
Source: opennet.ru