Attack on Intel SGX to extract sensitive data or execute code inside an enclave

Researchers from the People's Liberation Army National University of Defense Technology, the National University of Singapore and ETH Zurich have developed a new attack technique against Intel SGX (Software Guard eXtensions). The attack, named SmashEx, stems from re-entrancy problems in the handling of exceptions by the runtime components of Intel SGX enclaves. The proposed technique allows an attacker who controls the operating system to determine confidential data placed in an enclave, or to arrange for their own code to be copied into enclave memory and executed there.

Exploit prototypes have been prepared for enclaves with runtimes based on the Intel SGX SDK (CVE-2021-0186) and Microsoft Open Enclave (CVE-2021-33767). In the first case, extraction of the RSA key used by an HTTPS web server was demonstrated; in the second, it was possible to determine the content retrieved by the cURL utility running inside the enclave. The vulnerabilities have already been fixed in the Intel SGX SDK 2.13 and Open Enclave 0.17.1 releases. Besides the Intel SGX SDK and Microsoft Open Enclave, the vulnerability also affects the Google Asylo SDK, EdgelessRT, Apache Teaclave, Rust SGX SDK, SGX-LKL, CoSMIX and Veracruz.

Recall that SGX (Software Guard Extensions) first appeared in the sixth generation of Intel Core processors (Skylake) and provides a set of instructions that let user-level applications set up closed memory regions, enclaves, whose contents cannot be read or modified even by the kernel or by code running in ring 0, SMM and VMM modes. Control cannot be transferred to enclave code with ordinary jump or call instructions or by manipulating registers and the stack; the purpose-built instructions EENTER, EEXIT and ERESUME are used to transfer control into and out of the enclave, and they perform the privilege checks. Code placed inside the enclave can use the conventional calling convention to reach functions within the enclave, and special instructions to call external functions. Enclave memory is encrypted to protect against hardware attacks such as attaching a probe to a DRAM module.


The problem is that SGX allows the operating system to interrupt an enclave by raising hardware exceptions, while enclaves do not correctly implement primitives for handling such exceptions atomically. Unlike the OS kernel and ordinary applications, code inside an enclave has no access to primitives for making its actions atomic with respect to asynchronously raised exceptions. Without such primitives, an enclave can be interrupted at any moment and later resumed, including at moments when it is executing a critical section and is in an unsafe state (for example, while CPU registers have not yet been saved or restored).


In normal operation, SGX allows enclave execution to be interrupted asynchronously by hardware exceptions. This feature lets enclave runtimes implement exception or signal handling inside the enclave, but it can also lead to re-entrancy bugs. The SmashEx attack exploits flaws in the SDKs that arise because the case of the exception handler being invoked again, while it is already running, is not handled correctly. Note that to exploit the vulnerability the attacker must be able to interrupt enclave execution, i.e. must control the system environment in which the enclave runs.

After raising an asynchronous exception, the attacker gets a small window of time during which the execution thread can be hijacked by manipulating the input parameters. Specifically, with access to the system (the untrusted environment outside the enclave), one can raise a new exception immediately after the enclave entry instruction (EENTER) has executed. This returns control to the system at a stage when the enclave has not yet finished setting up its stack, and the CPU register state at that point is saved.

The system can then hand control back to the enclave, but because the enclave stack had not been set up at the moment of the interruption, the enclave continues executing on a stack residing in ordinary process memory, which can be used to apply return-oriented programming (ROP) exploitation techniques. With ROP, the attacker does not try to place their own code in memory, but instead reuses fragments of machine instructions already present in loaded libraries that end with a control-return instruction (as a rule, the tail ends of library functions). The exploit's work comes down to building a chain of such blocks ("gadgets") that together produce the required functionality.
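The core of the problem described above is an in-enclave exception handler that trusts the stack pointer saved at the asynchronous exit and does not guard against being entered a second time. The following is an added example, not code from the SmashEx paper, the Intel SGX SDK or Open Enclave: it models that handler in plain C, with a vulnerable variant beside a hardened one, so the logic can be run and tested without SGX hardware. The enclave address range, the trusted stack bounds, the frame size and the two saved register contexts are constructed values chosen for the model.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical enclave layout for this model (constructed values, not a real ELRANGE). */
#define ENCLAVE_BASE      0x7f0000000000ULL
#define ENCLAVE_SIZE      0x000000400000ULL                 /* 4 MiB */
#define TRUSTED_STACK_LO  (ENCLAVE_BASE + 0x200000ULL)      /* lowest address of the thread stack */
#define TRUSTED_STACK_HI  (ENCLAVE_BASE + 0x240000ULL)      /* one past the top of the thread stack */
#define EXC_FRAME_SIZE    0x100ULL                          /* bytes the handler pushes below rsp */

/* Register state saved at the asynchronous exit (AEX) and handed back by the host
 * when it re-enters the enclave's exception-handling entry point. */
typedef struct {
    uint64_t rsp;
    uint64_t rip;
} saved_ctx_t;

/* Per-thread trusted state; a real runtime keeps this in thread-local enclave data. */
typedef struct {
    atomic_int in_handler;  /* 1 while the first-phase handler is running */
} thread_state_t;

typedef enum {
    HANDLED_ON_TRUSTED_STACK,
    HANDLED_ON_UNTRUSTED_STACK,  /* the condition SmashEx turns into ROP */
    REJECTED_BAD_STACK,
    REJECTED_NESTED_ENTRY
} verdict_t;

/* Overflow-safe check that [addr, addr+len) lies entirely inside [lo, hi). */
static bool range_within(uint64_t addr, uint64_t len, uint64_t lo, uint64_t hi)
{
    if (addr < lo || addr >= hi) return false;
    return len <= hi - addr;
}

/* Vulnerable pattern: take the saved rsp at face value, build the exception frame
 * below it and keep running there. No re-entrancy guard either. */
verdict_t vulnerable_handle_exception(thread_state_t *ts, const saved_ctx_t *ctx)
{
    (void)ts;
    uint64_t frame = ctx->rsp - EXC_FRAME_SIZE;
    /* A real runtime would now switch rsp to `frame` and call the user handler. */
    return range_within(frame, EXC_FRAME_SIZE, TRUSTED_STACK_LO, TRUSTED_STACK_HI)
               ? HANDLED_ON_TRUSTED_STACK
               : HANDLED_ON_UNTRUSTED_STACK;
}

/* Hardened pattern: refuse a nested entry atomically, and refuse any saved rsp that
 * does not leave room for the frame inside this thread's trusted stack. */
verdict_t hardened_handle_exception(thread_state_t *ts, const saved_ctx_t *ctx)
{
    if (atomic_exchange(&ts->in_handler, 1) != 0)
        return REJECTED_NESTED_ENTRY;   /* a real runtime would abort the enclave here */

    uint64_t frame = ctx->rsp - EXC_FRAME_SIZE;
    if (ctx->rsp < EXC_FRAME_SIZE ||    /* guard the subtraction against wraparound */
        !range_within(frame, EXC_FRAME_SIZE, TRUSTED_STACK_LO, TRUSTED_STACK_HI)) {
        atomic_store(&ts->in_handler, 0);
        return REJECTED_BAD_STACK;
    }
    /* ... handle the exception on the trusted stack ... */
    atomic_store(&ts->in_handler, 0);
    return HANDLED_ON_TRUSTED_STACK;
}

/* Constructed contexts. ctx_normal: the exception hit ordinary enclave code already
 * running on the trusted stack. ctx_smashex: the host raised the exception right
 * after EENTER, before the runtime switched away from the host-controlled rsp. */
const saved_ctx_t ctx_normal  = { .rsp = TRUSTED_STACK_HI - 0x1000, .rip = ENCLAVE_BASE + 0x1000 };
const saved_ctx_t ctx_smashex = { .rsp = 0x00007ffd00001000ULL,     .rip = ENCLAVE_BASE + 0x1000 };

/* Deliver one exception against a fresh thread state. */
verdict_t deliver(bool hardened, const saved_ctx_t *ctx)
{
    thread_state_t ts;
    atomic_init(&ts.in_handler, 0);
    return hardened ? hardened_handle_exception(&ts, ctx)
                    : vulnerable_handle_exception(&ts, ctx);
}

/* Deliver a second exception while the hardened handler is still in progress. */
verdict_t deliver_nested_hardened(const saved_ctx_t *ctx)
{
    thread_state_t ts;
    atomic_init(&ts.in_handler, 1);
    return hardened_handle_exception(&ts, ctx);
}

int main(void)
{
    printf("vulnerable, normal timing : %d\n", deliver(false, &ctx_normal));
    printf("vulnerable, SmashEx timing: %d\n", deliver(false, &ctx_smashex));
    printf("hardened,   SmashEx timing: %d\n", deliver(true, &ctx_smashex));
    printf("hardened,   nested entry  : %d\n", deliver_nested_hardened(&ctx_normal));
    return 0;
}
```

The vulnerable variant reports HANDLED_ON_UNTRUSTED_STACK for the SmashEx timing: the handler would run with rsp pointing into host-writable memory, which is exactly the stack the attacker needs for a ROP chain. The hardened variant combines two checks that the paragraph above says enclave runtimes lacked: an atomic flag that makes the handler refuse to be re-entered, and a bounds check that only accepts a saved stack pointer inside the thread's own trusted stack with room for the frame.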



Source: opennet.ru
