Mayhem: a memory-corruption attack that bypasses authentication in sudo and OpenSSH

Researchers from Worcester Polytechnic Institute (USA) have presented a new attack variant, Mayhem, which uses the RowHammer technique of inducing bit flips in DRAM to change the values of stack variables that a program uses as flags to decide whether authentication or a security check has passed. Working examples of the attack have been demonstrated for bypassing authentication in sudo, OpenSSH and MySQL, and for altering the outcome of a security-related check in the OpenSSL library.

The attack applies to applications whose checks test whether a value differs from zero. Example of vulnerable code:

    int auth = 0;
    ...
    // authentication code that changes the value of auth on successful authentication
    if (auth != 0)
        return AUTH_SUCCESS;
    else
        return AUTH_FAILURE;

In this example, a successful attack only needs to corrupt any single bit of the 32-bit region of the stack that holds the auth variable. Once any bit of the variable is corrupted, its value is no longer zero and the conditional treats authentication as having completed successfully. Verification patterns of this kind are common in applications and occur, for example, in sudo, OpenSSH, MySQL and OpenSSL.


The attack can also be applied to comparisons of the form "if (auth == 1)", but in that case it is harder to carry out, because it is no longer enough to corrupt any of the 32 bits: exactly the lowest bit must be flipped. The method can also be used to influence values held in processor registers, because register contents may be temporarily spilled to the stack on a context switch, a function call or signal handling. While the register values sit in memory, the corruption can be introduced there, and the altered value is then restored into the register.


To flip the bits, one of the variants of the RowHammer class of attacks is used. DRAM is a two-dimensional array of cells, each consisting of a capacitor and a transistor; repeatedly reading the same memory region causes voltage fluctuations and anomalies that drain a small amount of charge from neighbouring cells. If the read rate is high enough, a neighbouring cell can lose so much charge that the next refresh cycle is too late to restore its previous state, which changes the value of the data stored in that cell. To counter RowHammer, chip manufacturers added the TRR (Target Row Refresh) mechanism, which blocks cell corruption in specific situations, but it does not protect against every possible attack variant.

To protect against the Mayhem attack, it is recommended that comparisons do not test for inequality with zero or equality with one, but instead check for a match against a random seed value with non-zero octets. To set the variable to the required value, an attacker would then have to corrupt a specific, large number of bits at once, which is unrealistic, unlike corrupting a single bit. Example of code that is not susceptible to the attack:

    int auth = 0xbe406d1a;
    ...
    // authentication code that sets auth to 0x23ab8701 on successful authentication
    if (auth == 0x23ab8701)
        return AUTH_SUCCESS;
    else
        return AUTH_FAILURE;
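The following program is an added example, not code from the article or from the sudo project, that puts the three flag-check patterns discussed above side by side (the "!= 0" check, the "== 1" check, and the magic-value check) and simulates a single bit flip in the flag variable to show how many of the 32 possible one-bit corruptions each pattern accepts as a successful authentication. The two constants are the ones from the article's hardened example; the function names and the flip simulation are assumptions made for this illustration, and no memory hammering takes place, the corruption is applied arithmetically to the value.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants taken from the article's hardened example. */
#define AUTH_INIT_MAGIC    0xbe406d1au
#define AUTH_SUCCESS_MAGIC 0x23ab8701u

enum { AUTH_FAILURE = 0, AUTH_SUCCESS = 1 };

/* Vulnerable pattern: any non-zero value counts as "authenticated". */
static int check_nonzero(uint32_t auth) {
    if (auth != 0)
        return AUTH_SUCCESS;
    return AUTH_FAILURE;
}

/* Still weak pattern: only the exact value 1 is accepted, so a single flip
   of the lowest bit of a zero flag is enough. */
static int check_equals_one(uint32_t auth) {
    if (auth == 1)
        return AUTH_SUCCESS;
    return AUTH_FAILURE;
}

/* Hardened pattern: only the full 32-bit success constant is accepted. */
static int check_magic(uint32_t auth) {
    if (auth == AUTH_SUCCESS_MAGIC)
        return AUTH_SUCCESS;
    return AUTH_FAILURE;
}

/* Simulated corruption of one bit in the flag's memory image (hypothetical helper). */
static uint32_t flip_bit(uint32_t v, int bit) {
    return v ^ (1u << bit);
}

/* Count how many of the 32 single-bit corruptions of the "not authenticated"
   value make the given check report success. */
static int count_single_flip_bypasses(int (*check)(uint32_t), uint32_t not_authenticated) {
    int n = 0;
    for (int bit = 0; bit < 32; bit++)
        if (check(flip_bit(not_authenticated, bit)) == AUTH_SUCCESS)
            n++;
    return n;
}

/* Number of bits that must change simultaneously to turn the initial
   value into the success value (Hamming distance). */
static int bits_to_flip_for_success(uint32_t init, uint32_t success) {
    uint32_t x = init ^ success;
    int n = 0;
    while (x) {
        n += (int)(x & 1u);
        x >>= 1;
    }
    return n;
}

int main(void) {
    printf("'!= 0' check : %d of 32 single-bit flips bypass authentication\n",
           count_single_flip_bypasses(check_nonzero, 0));
    printf("'== 1' check : %d of 32 single-bit flips bypass authentication\n",
           count_single_flip_bypasses(check_equals_one, 0));
    printf("magic check  : %d of 32 single-bit flips bypass authentication\n",
           count_single_flip_bypasses(check_magic, AUTH_INIT_MAGIC));
    printf("magic check needs %d specific bits flipped at once\n",
           bits_to_flip_for_success(AUTH_INIT_MAGIC, AUTH_SUCCESS_MAGIC));
    return 0;
}
```

For the "!= 0" pattern every one of the 32 flips succeeds, for the "== 1" pattern exactly one does, and for the magic-value pattern none does: the two constants differ in 20 bit positions, all of which would have to flip together in the right direction. When adopting this pattern in a real code base, the check must remain a comparison against the full constant after compilation, so it is worth confirming in the generated code that the compiler has not reduced it to a simpler test.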

This protection method has already been adopted by the sudo developers and shipped in release 1.9.15 as the fix for the vulnerability CVE-2023-42465. The researchers plan to publish a prototype of the attack code after fixes have been made in the main affected projects.

Source: opennet.ru
