SGX malware: how villains exploit Intel's new technology for purposes it was never designed for

As you know, code executed inside an enclave is severely restricted in what it can do. It cannot make system calls. It cannot perform I/O operations. It does not know the base address of the host application's code segment. It cannot jmp to or call host application code. It has no idea of the address space layout of the host application (for example, which pages are mapped, or what kind of data is placed on those pages). It cannot ask the operating system to map a chunk of host application memory for it (for example, via /proc/pid/maps). Naive attempts to blindly read an arbitrary memory region of the host application, let alone attempts to write to it, will sooner or later (more likely sooner) lead to the forced termination of the enclave program. This happens whenever the virtual address region requested by the enclave is inaccessible to the host application.

Given such harsh restrictions, can a virus writer use SGX enclaves to achieve their malicious goals?

- Hack for probing addresses for readability
- Hack for probing addresses for writability
- Hack for redirecting control flow
- What do the three hacks listed above give the villain?
- How the villain uses these hacks to build ransomware


Based on all of the above, it is generally accepted that an enclave can only serve its host application and cannot take any action of its own, including malicious action. This would mean enclaves have no practical value for virus writers. This hasty assumption is one of the reasons SGX protection is asymmetric: host application code cannot access enclave memory, whereas enclave code can read and write any memory address of the host application.
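The asymmetry just described, as an added, constructed model that is not code from the article or from the Intel SGX SDK: a host address space with page permissions, a baseline policy in which enclave code may touch any host page the host itself could touch (as the article states), and a hypothetical explicit-sharing policy in which the host registers the buffers an ECALL may use and everything else is off-limits to the enclave. Addresses, page layout and the ExplicitSharingPolicy class are all assumptions made for the illustration; the latter is not an existing SGX feature.

```python
"""Model of the enclave -> host memory asymmetry and of an explicit-sharing
mitigation. Added illustration, not article or SDK code: page table, permissions
and addresses are constructed; ExplicitSharingPolicy is a hypothetical hardening."""

from dataclasses import dataclass, field
from enum import Flag, auto

PAGE_SIZE = 0x1000


class Perm(Flag):
    NONE = 0
    R = auto()
    W = auto()
    X = auto()


@dataclass
class HostAddressSpace:
    pages: dict = field(default_factory=dict)  # page number -> Perm

    def map(self, base, size, perm):
        first, last = base // PAGE_SIZE, (base + size - 1) // PAGE_SIZE
        for pn in range(first, last + 1):
            self.pages[pn] = perm

    def perm_at(self, addr):
        # Unmapped pages carry no permissions at all.
        return self.pages.get(addr // PAGE_SIZE, Perm.NONE)


class AccessDenied(Exception):
    pass


class BaselinePolicy:
    """Behaviour the article describes: enclave code may access any host page,
    limited only by the host-side page permissions (read-only stays read-only)."""

    def check(self, host, addr, perm):
        if perm not in host.perm_at(addr):
            raise AccessDenied(f"host page at {addr:#x} lacks {perm}")


class ExplicitSharingPolicy:
    """Hypothetical mitigation: the host registers the buffers an ECALL may use;
    every other host page is denied to the enclave regardless of host perms."""

    def __init__(self):
        self.shared = []  # list of (base, end) half-open ranges

    def share(self, base, size):
        self.shared.append((base, base + size))

    def check(self, host, addr, perm):
        if not any(b <= addr < e for b, e in self.shared):
            raise AccessDenied(f"{addr:#x} is not in an explicitly shared buffer")
        BaselinePolicy().check(host, addr, perm)


def enclave_access(host, policy, addr, perm):
    """True if the enclave's access is permitted under `policy`, else False."""
    try:
        policy.check(host, addr, perm)
        return True
    except AccessDenied:
        return False


def build_demo():
    # Constructed host layout: code, data and a stack page (where a saved RIP
    # would live); the host hands the enclave a buffer inside .data.
    host = HostAddressSpace()
    host.map(0x400000, 0x2000, Perm.R | Perm.X)    # host .text
    host.map(0x601000, 0x1000, Perm.R | Perm.W)    # host .data
    host.map(0x7FFFF000, 0x1000, Perm.R | Perm.W)  # host stack
    ecall_buf = 0x601000
    return host, ecall_buf


def compare_policies():
    """Map probe name -> (allowed under baseline, allowed under explicit sharing)."""
    host, ecall_buf = build_demo()
    baseline = BaselinePolicy()
    hardened = ExplicitSharingPolicy()
    hardened.share(ecall_buf, 0x100)
    probes = {
        "ecall_buffer_write": (ecall_buf + 0x10, Perm.W),
        "text_read": (0x400100, Perm.R),
        "stack_write": (0x7FFFF800, Perm.W),
        "unmapped_read": (0x500000, Perm.R),
    }
    return {
        name: (enclave_access(host, baseline, a, p), enclave_access(host, hardened, a, p))
        for name, (a, p) in probes.items()
    }


if __name__ == "__main__":
    for name, (base_ok, hard_ok) in compare_policies().items():
        print(f"{name:20} baseline={base_ok!s:5} explicit_sharing={hard_ok}")
```

Under the baseline the enclave can read host code and write the host stack, which is exactly what the rest of the article relies on; under explicit sharing only the ECALL buffer remains reachable, while the unmapped address is denied in both cases.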

Therefore, if malicious enclave code managed to make arbitrary system calls on behalf of the host application, execute arbitrary code on its behalf, scan the host application's memory and find exploitable ROP chains in it, it could seize complete control of the host application in stealth mode. It could not only steal and encrypt the user's files, but also act on the user's behalf: for example, send phishing emails in their name or take part in DoS attacks. And it could do so without fear of even the most modern protection mechanisms, such as stack canaries and address sanitization.

We will show a few hacks that attackers use to overcome the restrictions described above in order to exploit SGX for their malicious purposes: a ROP attack. It is used either to execute arbitrary code disguised as the host application's process (similar to process hollowing, which malware often uses), or to hide ready-made malware (shielding it from antivirus and other defense mechanisms).

Hack for probing addresses for readability

Since an enclave does not know which ranges of the virtual address space are accessible to the host application, and since the enclave is forced to terminate when it tries to read an inaccessible address, the attacker faces the task of finding a way to scan the address space fault-tolerantly, that is, to map out the available addresses. The villain solves this problem by misusing Intel's TSX technology, exploiting one of its side effects: if a memory access is placed inside a TSX transaction, exceptions arising from accesses to invalid addresses are suppressed by TSX without reaching the operating system. If an attempt is made to access an invalid memory address, only the current transaction is aborted, not the whole enclave program. In other words, TSX lets the enclave safely access any address from within a transaction, without the risk of crashing.

If the specified address is available to the host application, the TSX transaction usually succeeds. In rare cases it may fail due to external influences such as interrupts (for example, scheduler interrupts), cache evictions, or concurrent modification of the memory location by multiple processes. In this rare case TSX returns an error code indicating that the failure is transient, and the transaction simply needs to be restarted.

If the specified address is not available to the host application, TSX suppresses the exception that occurred (the OS is not notified) and aborts the transaction. An error code is returned to the enclave code so that it can react to the cancelled transaction. These error codes indicate that the address in question is not available to the host application.



This TSX trick from inside the enclave has another nice feature for the villain: since most hardware performance counters are not updated while enclave code is executing, TSX transactions performed inside the enclave cannot be traced. So the malicious TSX manipulation remains completely invisible to the operating system.

In addition, since the above hack does not rely on any system calls, it cannot be detected or prevented simply by blocking system calls, a measure that usually works well against egg hunting.

The villain uses the hack described above to search the host application's code for gadgets suitable for building a ROP chain. They do not need to probe every address: it is enough to probe one address in each page of the virtual address space. Probing all 16 gigabytes of memory takes about 45 minutes (on an Intel i7-6700K). As a result, the villain obtains a list of executable pages suitable for building a ROP chain.

Hack for probing addresses for writability

To carry out the enclave version of a ROP attack, the attacker needs to be able to find unused writable memory regions of the host application. The attacker uses these regions to place a fake stack frame and to inject the payload (shellcode). The point is that a malicious enclave cannot ask the host application to allocate memory for it, but it can instead misuse memory already allocated to the host application, provided, of course, that it manages to find such regions without crashing the enclave.

The villain carries out this search using another TSX side effect. First, as in the previous case, they probe an address for its existence, and then check whether the page containing this address is writable. To do this, the villain uses the following hack: they place a write operation inside a TSX transaction and, after it has executed but before the transaction is committed, they forcibly abort the transaction (an explicit abort).

By examining the TSX transaction's return code, the attacker learns whether the page is writable. If the code says "explicit abort", the villain knows the write would have succeeded had they let it commit. If the page is read-only, the transaction ends with an error other than "explicit abort".


This TSX trick has one more feature useful to the villain (besides being impossible to trace via hardware performance counters): since all memory writes are committed only if the transaction succeeds, forcing the transaction to abort guarantees that the probed memory cell remains unchanged.

Hack for redirecting control flow

When performing a ROP attack from an enclave, unlike a traditional ROP attack, the attacker can gain control of the RIP register without exploiting any bug in the attacked program (a buffer overflow or the like). The attacker can directly overwrite the value of the RIP register saved on the stack. In particular, they can replace the value of this register with their ROP chain.

However, if the ROP chain is long, overwriting a large chunk of the host application's stack can lead to data corruption and unexpected program behaviour. A villain who wants to carry out the attack stealthily is not satisfied with this. Therefore they create a temporary fake stack frame for themselves and store their ROP chain in it. The fake stack frame is placed in an arbitrary writable memory region, leaving the real stack intact.


What do the three hacks listed above give the villain?

(1) First, using the hack for probing addresses for readability, the villain searches the host application for exploitable ROP gadgets.


(2) Then, using the hack for probing addresses for writability, the malicious enclave identifies places in the host application's memory suitable for injecting the payload.


(3)


(4)

How does the villain use these hacks to build ransomware?

After the host application transfers control to the enclave through one of its ECALLs (without suspecting that the enclave is malicious), the malicious enclave searches the host application's memory for free space for code injection (treating runs of zero-filled cells as free). Then, using the hack for probing addresses for readability, the enclave looks for executable pages in the host application and generates a ROP chain that creates a new file called "RANSOM" in the current directory (in a real attack the enclave would encrypt the user's existing files) and displays a ransom message. Meanwhile, the host application naively believes the enclave is adding two numbers. What does this code look like?

To make it easier to follow, let's introduce some mnemonics with their definitions:


We save the initial values of the RSP and RBP registers so that normal operation of the host application can be restored after the payload has executed:


We look for a suitable stack frame (see the code from the section "Hack for redirecting control flow").

Finding suitable ROP gadgets:


Finding a place to inject the payload:


Building the ROP chain:


This is how Intel's SGX technology, designed to counter malicious programs, is exploited by villains to achieve the opposite goals.

Source: www.habr.com
