ProHoster > Blog > internet nhau > Kirasi nyowani yekusagadzikana muIntel processors yakaunzwa

Kirasi nyowani yekusagadzikana muIntel processors yakaunzwa

Intel yakabudiswa ruzivo nezve itsva kirasi yekusagadzikana muma processors avo - MDS (Microarchitectural Data Sampling). Kufanana neyakapfuura Specter kurwiswa, matambudziko matsva anogona kutungamira kune yakavanzika data kubva kune inoshanda sisitimu, chaiwo michina uye mamwe maitiro. Zvinonzi matambudziko akatanga kuzivikanwa nevashandi veIntel uye vadyidzani panguva yekuongorora kwemukati, mushure mezvo vaongorori vakazvimiririra vakapa ruzivo nezvematambudziko akafanana neIntel. AMD uye ARM processors haina kukanganiswa nedambudziko.

Kubva pamatambudziko akaonekwa nevaongorori kubva kuTechnical University yeGraz (Austria) zvakagadzirwa Zvimwe zvinoshanda zvepadivi chiteshi kurwisa:

  • ZombieLoad (PDF) - inokutendera kuti utore ruzivo rwakavanzika kubva kune mamwe maitiro, iyo inoshanda sisitimu, chaiwo michina uye yakachengetedzwa enclaves (TEE, Yakavimbika Kuurayiwa Kwenzvimbo). Semuenzaniso, kugona kuona nhoroondo yekuvhura mapeji muTor browser inomhanya mune imwe virtual muchina kwakaratidzwa, pamwe nekuona makiyi ekuwana uye mapassword anoshandiswa mumaapplication;


  • RIDL (PDF) - inobvumira kubuda kweruzivo pakati penzvimbo dzakasiyana dzakasarudzika muIntel processors, senge kuzadza buffers, kuchengetedza buffers uye mutoro madoko. Mienzaniso yekurwiswa inoratidzwa kuronga kuvuza kubva kune mamwe maitiro, iyo inoshanda sisitimu, chaiwo muchina uye akachengetedzwa enclaves. Semuenzaniso, inoratidza nzira yekuziva zviri mukati memudzi password hashi kubva /etc/shadow panguva yenguva yekuyedza yechokwadi (kurwisa kwakatora maawa makumi maviri nemana);

    Mukuwedzera, muenzaniso wekurwisa uchishandisa JavaScript uye WebAssembly inoratidzwa pakuzarura peji ine utsinye muSpiderMonkey injini (mumabhurawuza emazuva ano akazara, kurwiswa kwakadaro hakugoneki nekuda kwekugadzirisa nguva uye matanho ekudzivirira kubva kuSpecter);

  • Donha (PDF) - inoita kuti zvikwanise kuverenga data ichangobva kunyorwa neiyo inoshanda sisitimu uye kuona iyo OS memory dhizaini kurerutsa kumwe kurwiswa;
  • Store-To-Leak Forwarding - inoshandisa CPU optimizations yekushanda neyekuchengetedza buffer uye inogona kushandiswa kupfuura iyo kernel kero space randomisation mechanism (KASLR), kutarisa mamiriro eiyo sisitimu yekushandisa, kana ye. sangano inodonhedza musanganiswa nemagetsi zvinoenderana neSpecter nzira.

Identified vulnerabilities:

  • CVE-2018-12126 - MSBDS (Microarchitectural Store Buffer Data Sampling), kudzoreredza zviri mukati mekuchengetedza mabhafa. Inoshandiswa muFallout kurwisa. Iyo dhigirii yengozi inotemerwa kuve 6.5 mapoinzi (CVSS);
  • CVE-2018-12127 - MLPDS (Microarchitectural Load Port Data Sampling), kudzoreredza kwemukati mekutakura zvinhu. Inoshandiswa mukurwisa kweRIDL. CVSS 6.5;
  • CVE-2018-12130 - MFBDS (Microarchitectural Zadza Buffer Data Sampling), kudzoreredza kwekuzadza buffer zviri mukati. Inoshandiswa muZombieLoad uye RIDL kurwisa. CVSS 6.5;
  • CVE-2019-11091 - MDSUM (Microarchitectural Data Sampling Uncacheable Memory), kudzoreredza kwezvisingaverengeki ndangariro zviri mukati. Inoshandiswa mukurwisa kweRIDL. CVSS 3.8.

Essence akacherechedza matambudziko mukukwanisa kushandisa nzira dzekuongorora-parutivi-chiteshi kune data mune zvimiro zvidiki izvo zvikumbiro hazviwane zvakananga kuwana. Tiri kutaura pamusoro pezvivakwa zvakaderera zvakadai sekuzadza buffers (Mutsetse Wazadza Buffer), mabhafa ekuchengetera (Store Buffer) uye mitoro yekutakura (Load Port), ari madiki zvivharo zvekuvaka pane yekutanga nhanho cache (L1D), data load cache ( RDCL ) kana L1TF (L1 Terminal Fault), uye zvinoenderana neruzivo rushoma uye inovandudzwa zvakanyanya.

Kirasi nyowani yekusagadzikana muIntel processors yakaunzwa

Side-channel kurwiswa kweiyo microarchitectural zvimiro zvakanyanya kuoma kuita kana ichienzaniswa nemaitiro ekudzoreredza zvirimo zvecache uye zvinoda kuteedzera uye kuongorora huwandu hwakakosha hwedata kuti uone kubatana kwavo nedzimwe kero mundangariro (chaizvoizvo, munhu anorwisa haakwanise kutora nemaune imwe data. , asi ingangove nguva yekuunganidza kuvuza uye kushandisa nzira dzenhamba yekuvakazve mamwe marudzi edata). Pamusoro pezvo, kurwiswa kwacho kunongobata data pane imwechete yemuviri CPU musimboti sekodhi yeanorwisa.

Nzira dzakarongwa dzekutarisa zviri mukati me microarchitectural zvimiro zvakavakirwa pachokwadi chekuti zvimiro izvi zvinoshandiswa panguva yekufungidzira kubata kunze (kukanganisa) kana kurodha nekuchengetedza mashandiro.
Munguva yekufungidzira kuurayiwa, zviri mukati mezvimiro zvemukati zvinodzoserwa kune marejista kana macache ekugadzirisa. Mashandiro ekufungidzira haapedzi uye mhedzisiro inoraswa, asi zvakadzoserwa zvemukati zvinogona kutariswa pachishandiswa nzira-channel cache yekuongorora matekiniki.

Load ports anoshandiswa ne processor kugamuchira data kubva mundangariro kana I/O subsystem uye kupa ruzivo rwakagamuchirwa kumareji eCPU. Nekuda kwechiitiko chekuita, data kubva kumabasa ekurodha ekare anoramba ari mumachiteshi kusvika anyorwa nedata nyowani, izvo zvinoita kuti zvikwanise kuona zvisina kunanga mamiriro e data muchiteshi chekurodha nekushandisa zvisirizvo (zvikanganiso) uye SSE/AVX/ AVX-512 mirairo inotakura kupfuura 64 bits data. Pasi pemamiriro ezvinhu akadai, mashandiro emutoro anofumura hunhu hwe data kubva kune zvimiro zvemukati kusvika kune zvinoenderana nekushanda. Nenzira imwecheteyo, kuvuza kunorongwa kuburikidza nekuchengetedza buffer, iyo inoshandiswa kukurumidza kunyorera kuCPU cache uye inosanganisira tafura yemakero, kukosha uye mireza, pamwe nekuzadza buffer, iyo ine data iyo. haisati iri muL1 cache (cache-miss), yenguva iri kurodha kubva kune cache yemamwe mazinga.

Kirasi nyowani yekusagadzikana muIntel processors yakaunzwa

dambudziko zvinokanganisa Intel processor mhando dzakagadzirwa kubva 2011 (kubva kuchizvarwa chechitanhatu). Muchiitiko ichi, kusagadzikana kwehardware kwakavharwa kutanga kubva kune mamwe mamodheru echisere uye 6th chizvarwa cheIntel Core uye yechipiri chizvarwa cheIntel Xeon Scalable (unogona kutarisa uchishandisa iyo ARCH_CAP_MDS_NO bit muIA8_ARCH_CAPABILITIES MSR). Vulnerabilities vagarawo kubviswa pamwero we firmware, microcode uye masisitimu anoshanda. Intel inofungidzira kurasikirwa kwekuita mushure mekuita chigamba chevashandisi vazhinji zvishoma pane 3%. Kana tekinoroji yeHyper-Threading yakadzimwa, kushatisa kwekuita kunogona kusvika pa9% muyedzo yeSPECint_rate_base, kusvika 11% mukuverengera kunoshanda, uye kusvika 19% paunenge uchimhanyisa server-side Java application (ine HT yakagoneswa, pane inenge iripo. hapana kuderedzwa kwekuita). Iwo mapeche ane mashoma maitiro paI / O kuita.

Linux kernel inodzivirira kubva kuMDS akawedzera mune zvanhasi updates 5.1.2, 5.0.16,
4.19.43, 4.14.119 uye 4.9.176. Nzira yekudzivirira iri kuvakwa pakuchenesa zviri mukati me microarchitectural buffers panguva yekudzoka kubva ku kernel kuenda kunzvimbo yemushandisi kana pakuendesa kutonga kune yevaenzi system, iyo iyo VERW rairo inoshandiswa. Kuti dziviriro ishande, inoda rutsigiro rweMD_CLEAR modhi, inoshandiswa mune yazvino microcode update. Kuti dzidzivirire zvakakwana, zvinokurudzirwa zvakare kudzima Hyper Threading. Kuti utarise kuratidzwa kweiyo system kune kusagadzikana muLinux kernel akawedzera mubati "/sys/devices/system/cpu/vulnerabilities/mds". Kudzora kusanganisirwa kweakasiyana siyana ekudzivirira maitiro ekudzivirira, iyo "mds =" parameter yakawedzerwa kune kernel, iyo inogona kutora kukosha "izere", "full, nosmt" (kuremadza Hyper-Threads), "vmwerv" uye "kubva".

Package updates akatoburitswa RHEL ΠΈ Ubuntu, asi ramba usingawanikwi parizvino Debian, Fedora ΠΈ suse.
Iyo gadziriso yekuvharira kudonha kwedata kubva kumashini chaiwo zvakare akaumbwa yeXen hypervisor. Kuchengetedza virtualization masisitimu anoburitsa iyo L1D_FLUSH murairo usati waendesa kutonga kune mumwe muchina chaiwo, uye kuchengetedza Intel SGX enclaves, microcode update yakakwana.

Source: opennet.ru

Voeg