LVI: a new class of attacks on the speculative execution mechanism in CPUs

Information has been published about LVI (Load Value Injection, CVE-2020-0551), a new class of attacks on the speculative execution mechanism in Intel CPUs that can be used to leak keys and secret data from Intel SGX enclaves and other processes.

The new attack class is based on manipulating the same microarchitectural structures that are used in the MDS (Microarchitectural Data Sampling), Spectre and Meltdown attacks. At the same time, the new attacks are not blocked by the existing protections against Meltdown, Spectre, MDS and other similar attacks. Effective protection against LVI requires hardware changes to the CPU. When protection is implemented in software, by having the compiler add an LFENCE instruction after every load from memory and replace the RET instruction with POP, LFENCE and JMP, the overhead is very high: according to the researchers, full software protection will reduce performance by a factor of 2 to 19.
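As an added example (not code from the researchers, Intel or any compiler), the Python sketch below audits an AT&T-syntax x86-64 listing for the two software rules described above: an LFENCE after every load, and no remaining RET. The listings are constructed, `%r11` as the scratch register is an assumption, and load detection is a simplified over-approximation based on explicit memory operands.

```python
import re

MEM = re.compile(r"\([^)]*\)")             # AT&T memory operand, e.g. 8(%rdi,%rsi,8)
SPLIT = re.compile(r",\s*(?![^()]*\))")    # operand-separating commas only

def parse(asm):
    """Yield (line_number, mnemonic, operands) for instruction lines only."""
    for n, line in enumerate(asm.splitlines(), 1):
        line = line.split("#", 1)[0].strip()        # drop comments
        if not line or line.endswith(":") or line.startswith("."):
            continue                                # blank, label or directive
        parts = line.split(None, 1)
        ops = SPLIT.split(parts[1]) if len(parts) > 1 else []
        yield n, parts[0].lower(), [o.strip() for o in ops]

def is_load(mnem, ops):
    if mnem.startswith("lea"):
        return False                                # address arithmetic, no access
    if mnem.startswith("mov"):
        return bool(ops) and bool(MEM.search(ops[0]))   # memory source only
    # Conservative: pop reads the stack; any other memory operand may be read.
    return mnem.startswith("pop") or any(MEM.search(o) for o in ops)

def audit(asm):
    """Return (line_number, issue) for every spot the software mitigation misses."""
    insns, findings = list(parse(asm)), []
    for i, (n, mnem, ops) in enumerate(insns):
        nxt = insns[i + 1][1] if i + 1 < len(insns) else None
        if mnem in ("ret", "retq"):
            findings.append((n, "ret: replace with pop/lfence/jmp"))
        elif is_load(mnem, ops) and nxt != "lfence":
            findings.append((n, "load not followed by lfence"))
    return findings

# Constructed sample listings; %r11 as the scratch register is an assumption.
UNHARDENED = """lookup:
    movq 8(%rdi,%rsi,8), %rax  # load
    leaq 16(%rax), %rcx        # address arithmetic only
    movq %rcx, (%rdx)          # store
    ret"""
HARDENED = """lookup:
    movq 8(%rdi,%rsi,8), %rax
    lfence
    leaq 16(%rax), %rcx
    movq %rcx, (%rdx)
    popq %r11                  # return address into a scratch register
    lfence
    jmpq *%r11"""
if __name__ == "__main__":
    print(audit(UNHARDENED), audit(HARDENED))
```

Instructions with implicit memory reads and no explicit operand (string operations, for instance) are outside what this simplified check recognises.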

The difficulty of blocking the problem is partly offset by the fact that the attack is currently more theoretical than practical (the attack is theoretically possible, but very hard to carry out and is reproduced only in synthetic tests).
Intel has assigned the problem a moderate severity level (5.6 out of 10) and has released an update to the firmware and to the SDK for the SGX environment, in which it tried to block the attack using a workaround. The proposed attack methods currently apply only to Intel processors, but the possibility of adapting LVI to other processors that are affected by Meltdown-class attacks cannot be ruled out.

The problem was identified in April of last year by researcher Jo Van Bulck of the University of Leuven, after which, with the participation of 9 researchers from other universities, five basic attack methods were developed, each of which allows for more specific variants. Independently, in February of this year, researchers from Bitdefender also discovered one of the LVI attack variants and reported it to Intel. The attack variants differ in which microarchitectural structures they use, such as the store buffer (SB, Store Buffer), the fill buffer (LFB, Line Fill Buffer), the FPU context switch buffer and the first-level cache (L1D), which were previously used in attacks such as ZombieLoad, RIDL, Fallout, LazyFP, Foreshadow and Meltdown.

The main difference between LVI and the MDS attacks is that MDS manipulates the determination of the contents of microarchitectural structures that remain in the cache after fault handling or load and store operations, while LVI attacks allow the attacker's data to be injected into microarchitectural structures in order to influence the subsequent speculative execution of the victim's code. Using these manipulations, an attacker can extract the contents of private data structures in other processes while certain code is executing on the target CPU.

To exploit the problem, the code of the victim process must contain special code sequences (gadgets) in which an attacker-controlled value is loaded, and loading this value causes an exception (fault, abort or assist) to be raised, which discards the result and re-executes the instruction. While the exception is being handled, a speculative window arises during which the data processed in the gadget leaks. Specifically, the processor begins executing a piece of code (the gadget) in speculative mode, then determines that the prediction was wrong and rolls the operations back to their previous state, but the data processed during speculative execution has settled in the L1D cache and the microarchitectural buffers, and can be retrieved from them using known methods for determining residual data through side channels.

An "assist" exception, unlike a "fault" exception, is handled inside the processor without calling software handlers. An assist can occur, for example, when the A (Accessed) or D (Dirty) bit in the memory page table needs to be updated. The main difficulty in attacking other processes is how to trigger an assist by manipulating the victim process. There are currently no reliable ways to do this, but it is possible that they will be found in the future. So far, the ability to carry out the attack has been confirmed only for Intel SGX enclaves; the other scenarios are theoretical or reproducible only under synthetic conditions (they require adding certain gadgets to the code).

Possible attack vectors:

  • Leaking data from kernel structures to a user-level process. The Linux kernel's protection against Spectre 1 attacks, together with the SMAP (Supervisor Mode Access Prevention) protection mechanism, significantly reduces the likelihood of an LVI attack. Adding further protection to the kernel may be needed if simpler methods of carrying out LVI attacks are identified in the future.
  • Leaking data between different processes. The attack requires the presence of certain code fragments in the application and the identification of a method for raising an exception in the target process.
  • Leaking data from the host environment to a guest system. The attack is classed as too complex, requiring various hard-to-perform steps and predictions of activity in the system.
  • Leaking data between processes in different guest systems. The attack vector is close to that of leaking data between different processes, but additionally requires complex manipulations to bypass the isolation between guest systems.

The researchers have published several prototypes demonstrating the principles of the attack, but they are not yet suitable for carrying out real attacks. The first example makes it possible to redirect speculative code execution in the victim process, similar to return-oriented programming (ROP, Return-Oriented Programming). In this example, the victim is a specially prepared process that contains the necessary gadgets (applying the attack to real third-party processes is difficult). The second example makes it possible to interfere with the computations during AES encryption inside an Intel SGX enclave and to leak data during the speculative execution of instructions in order to recover the value of the key used for encryption.


Source: opennet.ru