Google demonstrates exploitation of the Spectre vulnerability through JavaScript execution in the browser

Google has published several prototypes demonstrating that Spectre-class vulnerabilities can be exploited from JavaScript code running in a browser, bypassing the protection methods added earlier. The exploit can be used to read the memory of the process that renders web content in the current tab. To test the exploit, the website leaky.page was launched, and the code describing its working logic was published on GitHub.

The proposed prototype is designed to attack systems with Intel Core i7-6500U processors in an environment running Linux and Chrome 88. Using the exploit in other environments requires modifications. The exploitation method is not specific to Intel processors: after appropriate adaptation, the exploit was confirmed to work on systems with CPUs from other manufacturers, including the ARM-based Apple M1. After minor adjustments, the exploit also works on other operating systems and on other browsers based on the Chromium engine.

In an environment based on a standard Chrome 88 and Intel Skylake processors, it was possible to leak data from the process that renders web content in the current Chrome tab (the renderer process) at a rate of 1 kilobyte per second. In addition, other prototypes were developed, for example an exploit that, at the cost of reduced stability, raises the leak rate to 8 kB/s when using the performance.now() timer with a precision of 5 microseconds (0.005 milliseconds). A version was also prepared that works with a timer precision of one millisecond, which can be used to read another process's memory at a rate of about 60 bytes per second.

The published demo code consists of three parts. The first part calibrates the timer in order to estimate the execution time of the operations needed to recover data left in the processor cache as a result of speculative execution of CPU instructions. The second part determines the memory layout used when a JavaScript array is allocated.

The third part directly exploits the Spectre vulnerability to determine the contents of the current process's memory. It creates the conditions for speculative execution of certain operations whose result is discarded by the processor once the prediction turns out to be wrong, but whose trace of execution remains in the shared cache and can be recovered with side-channel methods that infer cache contents by analysing the difference in access time between cached and non-cached data.

The proposed exploitation technique makes it possible to do without the high-precision timers available through the performance.now() API, and without support for the SharedArrayBuffer type, which allows arrays to be created in shared memory. The exploit consists of a Spectre gadget, which triggers controlled speculative execution of code, and a cache side-channel leak analyser, which detects the cached data produced during speculative execution.

The gadget is implemented with a JavaScript array on which an access outside the buffer bounds is attempted; this influences the state of the branch predictor because of the bounds check inserted by the compiler (the processor performs the access speculatively, running ahead, but rolls back the state after the check). To analyse cache contents under conditions of insufficient timer precision, a method was proposed that defeats the Tree-PLRU cache eviction strategy used in processors and, by increasing the number of iterations, greatly amplifies the timing difference between a value being returned from the cache and the value being absent from the cache.

It is noted that Google published the exploit prototype to demonstrate the feasibility of attacks using Spectre-class vulnerabilities and to encourage web developers to apply techniques that minimise the risk of such attacks. At the same time, Google believes that without reworking the proposed prototype it is impossible to create universal exploits suitable not only for demonstration but for widespread use.

To reduce the risk, site owners are encouraged to use the recently implemented Cross-Origin Opener Policy (COOP), Cross-Origin Embedder Policy (COEP), Cross-Origin Resource Policy (CORP), Fetch Metadata Request, X-Frame-Options and X-Content-Type-Options headers, together with SameSite cookies. These mechanisms do not protect directly against the attack, but they allow a site's data to be isolated from leaks into processes where an attacker's JavaScript code may run (the leak happens from the memory of the current process, which, besides the attacker's code, may also be processing data from another site opened in the same tab). The main idea is to separate, into different processes, the execution of the site's own code from third-party code obtained from untrusted sources, for example code embedded via an iframe.
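As an added example (not code from the article or from Google's leaky.page repository), the following Node.js function audits a response's headers for the isolation mitigations listed above and reports what is missing or weak; the two sample responses are constructed, and the accepted header values are the standard ones for COOP, COEP, CORP, X-Frame-Options, X-Content-Type-Options and SameSite cookies.

```javascript
// Acceptable values for a site that wants cross-origin isolation (added example,
// not code from the article or leaky.page; the sample responses are constructed).
const RECOMMENDED = {
  'cross-origin-opener-policy': ['same-origin'],
  'cross-origin-embedder-policy': ['require-corp', 'credentialless'],
  'cross-origin-resource-policy': ['same-origin', 'same-site'],
  'x-frame-options': ['deny', 'sameorigin'],
  'x-content-type-options': ['nosniff'],
};

// One finding per missing or weak header and per cookie lacking SameSite=Strict/Lax;
// an empty list means every check passed.
function auditIsolationHeaders(rawHeaders) {
  // Lower-case header names; wrap values in arrays (Set-Cookie may repeat).
  const headers = {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    headers[name.toLowerCase()] = Array.isArray(value) ? value : [value];
  }
  const findings = [];
  for (const [name, allowed] of Object.entries(RECOMMENDED)) {
    const values = headers[name];
    if (!values) {
      findings.push(`missing ${name}`);
    } else if (!allowed.includes(values[0].trim().toLowerCase())) {
      findings.push(`weak ${name}: ${values[0]}`);
    }
  }
  for (const cookie of headers['set-cookie'] || []) {
    if (!/;\s*samesite=(strict|lax)\b/i.test(cookie)) {
      findings.push(`cookie without SameSite=Strict/Lax: ${cookie.split(';')[0]}`);
    }
  }
  return findings;
}

// Constructed sample: a response with none of the mitigations ...
const weakResponse = { 'Set-Cookie': 'session=abc123; Path=/; HttpOnly' };
// ... and one carrying the headers the article recommends.
const hardenedResponse = {
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Cross-Origin-Embedder-Policy': 'require-corp',
  'Cross-Origin-Resource-Policy': 'same-origin',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Set-Cookie': 'session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
};
console.log(auditIsolationHeaders(weakResponse));     // six findings
console.log(auditIsolationHeaders(hardenedResponse)); // []
```

A site that passes the audit and is served over HTTPS will see `self.crossOriginIsolated === true` in the browser, which is the condition under which Chrome hands out high-resolution timers and SharedArrayBuffer again.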

Source: opennet.ru