Njengoba wazi, ikhodi ekhiqizwe ku-enclave ilinganiselwe kakhulu ekusebenzeni kwayo. Ayikwazi ukwenza amakholi esistimu. Ayikwazi ukwenza imisebenzi ye-I/O. Ayilazi ikheli eliyisisekelo lesegimenti yekhodi yohlelo lokusebenza. Ayikwazi ukwenza i-jmp noma ishayele ikhodi yesicelo somsingathi. Ayinalwazi mayelana nesakhiwo sesikhala sekheli esilawula uhlelo lokusebenza lomsingathi (isibonelo, imaphi amakhasi afakwe imephu noma ukuthi hlobo luni lwedatha etholakala kulawo makhasi). Ayikwazi ukucela isistimu yokusebenza ukuthi ifake imephu ingxenye yenkumbulo yohlelo lokusebenza kuyo (isibonelo, ngokusebenzisa /proc/pid/maps). Imizamo yokungazifundi ngokuphuphutheka isifunda senkumbulo engafanele yohlelo lokusebenza, ingasaphathwa imizamo yokubhala, maduze noma kamuva (okungenzeka ukuthi eyokuqala) izoholela ekunqanyulweni okuphoqelelwe kohlelo lwe-enclave. Lokhu kwenzeka noma nini lapho indawo yekheli elibonakalayo elicelwe yi-enclave ingafinyeleleki kuhlelo lokusebenza lomsingathi.
Uma kubhekwa amaqiniso anjalo anonya, ingabe umbhali wegciwane uzokwazi ukusebenzisa i-SGX enclaves ukufeza izinhloso zakhe ezinonya?
Ngokusekelwe kukho konke okungenhla, ngokuvamile kuyamukelwa ukuthi i-enclave ikwazi ukusebenzisa kuphela isicelo somsingathi, nokuthi i-enclave ayikwazi ukusebenzisa ukuqalisa kwayo, okuhlanganisa nezinonya. Lokhu kusho ukuthi i-enclave ayinalo usizo olungokoqobo kubabhali begciwane. Lokhu kucatshangwa okuxhamazelayo kungesinye sezizathu zokuthi kungani ukuvikelwa kwe-SGX kungalingani: ikhodi yesicelo somsingathi ayikwazi ukufinyelela inkumbulo ye-enclave, kuyilapho ikhodi ye-enclave ingafunda futhi ibhale kunoma yiliphi ikheli lememori yohlelo lokusebenza.
Ngakho-ke, uma ikhodi ye-enclave enonya ikwazile ukwenza amakholi esistimu ngokungafanele egameni lomsingathi, ikhiphe ikhodi engafanele esikhundleni sayo, iskene inkumbulo yohlelo lokusebenza futhi ithole amaketanga e-ROP ahlukumezayo kuyo, ingase ibambe ukulawula okuphelele kohlelo lokusebenza lomsingathi, imodi yesinyenyela. Ayikwazi ukweba nokubethela amafayela omsebenzisi kuphela, kodwa futhi yenzela umsebenzisi. Isibonelo, thumela ama-imeyili obugebengu bokweba imininingwane ebucayi egameni lakhe noma wenze ukuhlasela kwe-DoS. Ngaphandle kokwesaba ngisho nezindlela zokuzivikela zesimanje kakhulu, ezifana nama-canaries estaki kanye nokuhlanzwa kwekheli.
Sizokukhombisa ama-hack ambalwa abahlaseli abawasebenzisayo ukuze banqobe imikhawulo echazwe ngenhla ukuze basizakale nge-SGX ngezinjongo zabo ezinonya: Ukuhlasela kwe-ROP. Ukusebenzisa ikhodi engafanele efihlwe njengenqubo yesicelo somsingathi (okufana nokucubungula i-hollowing, evame ukusetshenziswa uhlelo olungayilungele ikhompuyutha), noma ukufihla uhlelo olungayilungele ikhompuyutha eseluvele lwenziwe (ukulondoloza uhlelo olungayilungele ikhompuyutha ekushushisweni ngama-antivirus nezinye izindlela zokuzivikela).
Hack ukuze uthole amakheli ukuze ubone ukuthi angafundwa yini
Njengoba i-enclave ingazi ukuthi iziphi izigaba zesikhala sekheli elibonakalayo elifinyeleleka kuhlelo lokusebenza lomsingathi, futhi njengoba i-enclave iphoqeleka ukuthi inqamule lapho izama ukufunda ikheli elingafinyeleleki, umhlaseli ubhekene nomsebenzi wokuthola indlela yokunephutha- skena ngokubekezelela isikhala sekheli. Thola indlela yokubeka imephu yamakheli atholakalayo. I-villain ixazulula le nkinga ngokusebenzisa kabi ubuchwepheshe be-Intel's TSX. Isebenzisa omunye wemiphumela emibi ye-TSX: uma umsebenzi wokufinyelela inkumbulo ubekwe ku-TSX transaction, khona-ke okuhlukile okuvela ekufinyeleleni amakheli angavumelekile kucindezelwa yi-TSX ngaphandle kokufinyelela ohlelweni lokusebenza. Uma kwenziwa umzamo wokufinyelela ikheli lenkumbulo elingavumelekile, okwenziwayo manje kuphela okuchithwayo, hhayi lonke uhlelo lwe-enclave. Lokho. I-TSX ivumela i-enclave ukuthi ifinyelele ngokuphephile noma yiliphi ikheli kusukela ngaphakathi kokwenziwe - ngaphandle kwengozi yokuwa.
Uma ikheli elishiwo liyatholakala isicelo sokusingatha, ukuthengiselana kwe-TSX kuvame ukuphumelela. Ezimweni ezingavamile, ingase yehluleke ngenxa yemithelela yangaphandle efana nokuphazamiseka (njengokuphazamiseka komhleli), ukukhishwa kwenqolobane, noma ukuguqulwa ngesikhathi esisodwa kwendawo yenkumbulo ngezinqubo eziningi. Kulezi zimo ezingavamile, i-TSX ibuyisela ikhodi yephutha ebonisa ukuthi ukwehluleka kungokwesikhashana. Kulezi zimo, udinga nje ukuqala kabusha umsebenzi.
Uma ikheli elishiwo alitholakali uhlelo lokusebenza lomsingathi, i-TSX icindezela okuhlukile okwenzekile (i-OS ayaziswa) futhi ichitha okwenziwayo. Ikhodi yephutha ibuyiselwa kukhodi ye-enclave ukuze ikwazi ukusabela eqinisweni lokuthi okwenziwayo kukhanseliwe. Lawa makhodi ephutha abonisa ukuthi ikheli okukhulunywa ngalo alitholakali kuhlelo lokusebenza lomsingathi.
Lokhu kukhohlisa kwe-TSX ngaphakathi kwe-enclave kunesici esihle se-villain: njengoba izinto zokubala zokusebenza kwehadiwe eziningi azibuyekezwa ngesikhathi kukhishwa ikhodi ye-enclave, akunakwenzeka ukulandelela ukuthengiselana kwe-TSX okwenziwa ngaphakathi kwe-enclave. Ngakho-ke, ukukhohlisa okunonya kwe-TSX kuhlala kungabonakali ngokuphelele ohlelweni lokusebenza.
Ukwengeza, njengoba ukugebenga okungenhla akuncikile kunoma yiziphi izingcingo zesistimu, akukwazi ukutholwa noma kuvinjwe ngokumane uvimbele izingcingo zesistimu; okuvame ukunikeza umphumela omuhle ekulweni nokuzingela amaqanda.
Isigebengu sisebenzisa ukugebenga okuchazwe ngenhla ukusesha ikhodi yesicelo somsingathi kumagajethi afanele ukwenza uchungechunge lwe-ROP. Ngesikhathi esifanayo, akadingi ukuhlola wonke amakheli. Kwanele ukuhlola ikheli elilodwa ekhasini ngalinye lesikhala sekheli elibonakalayo. Ukuhlola wonke amagigabhayithi ayi-16 enkumbulo kuthatha imizuzu engama-45 (kwi-Intel i7-6700K). Ngenxa yalokho, isigebengu sithola uhlu lwamakhasi asebenzisekayo afanele ukwakha iketango le-ROP.
I-Hack yokuphenya amakheli ukuze ibhaleke
Ukuze kwenziwe inguqulo ye-enclave yokuhlasela kwe-ROP, umhlaseli udinga ukwazi ukusesha izindawo zememori ezibhalekayo ezingasetshenzisiwe zohlelo lokusebenza lomsingathi. Umhlaseli usebenzisa lezi zindawo zenkumbulo ukuze ajove uzimele wesitaki mbumbulu futhi ajove umthwalo okhokhelwayo (ikhodi yegobolondo). Okubalulekile ukuthi i-enclave enonya ayikwazi ukudinga ukuthi uhlelo lokusebenza lomsingathi luzabele inkumbulo ngokwalo, kodwa esikhundleni salokho lungasebenzisa kabi inkumbulo esivele yabelwe uhlelo lokusebenza lomsingathi. Uma, kunjalo, ekwazi ukuthola izindawo ezinjalo ngaphandle kokudiliza i-enclave.
I-villain yenza lokhu kusesha ngokusebenzisa omunye umthelela oseceleni we-TSX. Okokuqala, njengasesikhathini esidlule, iphenya ikheli ukuthi ikhona yini, bese ihlola ukuthi ikhasi elihambisana naleli kheli liyabhaleka yini. Ukuze wenze lokhu, isigebengu sisebenzisa i-hack elandelayo: ubeka umsebenzi wokubhala ekuthengiseni kwe-TSX, futhi ngemva kokuba usuqedile, kodwa ngaphambi kokuba kuqedwe, uchitha ukuthengiselana ngenkani (ukukhipha isisu esicacile).
Ngokubheka ikhodi yokubuyisela evela kumsebenzi we-TSX, umhlaseli uyaqonda ukuthi iyabhaleka yini. Uma “kuwukuhushula isisu okusobala”, isigebengu siyaqonda ukuthi ukuqoshwa bekungaba yimpumelelo ukube ubekulandela. Uma ikhasi lifundwa kuphela, khona-ke okwenziwayo kugcina ngephutha ngaphandle kokuthi "khipha isisu esisobala".
Lokhu kukhohlisa kwe-TSX kunesinye isici esihle ku-villain (ngaphandle kokungenzeki kokulandelela ngokusebenzisa izinto zokubala zokusebenza kwehadiwe): njengoba yonke imiyalo yokubhala inkumbulo yenziwa kuphela uma ukuthengiselana kuphumelela, ukuphoqa ukuthengiselana ukuthi kuqedwe kuqinisekisa ukuthi inkumbulo ehlolisisiwe. iseli lihlala lingashintshiwe.
Hack ukuze uqondise kabusha ukugeleza kokulawula
Uma wenza ukuhlasela kwe-ROP endaweni evalelwe - ngokungafani nokuhlasela kwe-ROP evamile - umhlaseli angakwazi ukulawula irejista ye-RIP ngaphandle kokusebenzisa noma yiziphi iziphazamisi ohlelweni oluhlaselwe (buffer ukuchichima noma into enjalo). Umhlaseli angabhala ngaphezulu ngokuqondile inani lerejista ye-RIP egcinwe esitakini. Ikakhulukazi, ingashintsha inani lale rejista ngochungechunge lwayo lwe-ROP.
Nokho, uma uchungechunge lwe-ROP lude, khona-ke ukubhala phezu kwengxenye enkulu yesitaki somsingathi kungaholela ekonakaleni kwedatha nokuziphatha kohlelo okungalindelekile. Isikhohlakali, esifuna ukwenza ukuhlasela kwaso sicashile, asigculisekile ngalesi simo. Ngakho-ke, izenzela uhlaka lwestaki lwesikhashana olungelona iqiniso futhi igcine uchungechunge lwayo lwe-ROP kulo. Uhlaka lwesitaki mbumbulu lubekwe endaweni yenkumbulo ebhalekayo engahleliwe, okushiya isitaki sangempela sinjalo.
Ama-hacks amathathu abhalwe ngenhla asinika ini isigebengu?
(1) Okokuqala, inzondo igoqa Hack ukuze uphenye amakheli ukuze ubone ukuthi angafundwa yini, – isesha uhlelo lokusebenza lokusingatha amagajethi e-ROP ahlukumezayo.
(2) Ngemva kwalokho Hack ukuze uhlole amakheli ukuze abhaleke, - i-enclave enonya ikhomba izindawo kumemori yohlelo lokusebenza ezifanele ukujova umthwalo okhokhelwayo.
(3) Okulandelayo, i-enclave idala uchungechunge lwe-ROP kusukela kumagajethi atholwe esinyathelweni (1) bese ijova lolu ketango kusitaki sohlelo lokusebenza.
(4) Ekugcineni, lapho uhlelo lokusebenza lomsingathi lihlangabezana nochungechunge lwe-ROP oludalwe esinyathelweni sangaphambilini, ukukhokhelwa okunonya kuqala ukusebenza - ngezimvume zohlelo lokusebenza lomsingathi kanye nekhono lokwenza amakholi esistimu.
Isikhohlakali sisisebenzisa kanjani lesi sigebengu ukuze sidale i-ranzowari
Ngemva kokuthi umsingathi edlulisa ukulawula ku-enclave ngeyodwa ye-ECALLs (ngaphandle kokusola ukuthi le enclave inonya), i-enclave enonya isesha isikhala esikhululekile kumemori yohlelo lokusebenza lomsingathi ukuze uthole ikhodi yokujova (ithatha izikhala zamahhala lezo zinhlaka zamaseli. egcwaliswe ngoziro). Bese udlula Hack ukuze uphenye amakheli ukuze ubone ukuthi angafundwa yini, - i-enclave icinga amakhasi asebenzisekayo kuhlelo lokusebenza lomsingathi futhi ikhiqize uchungechunge lwe-ROP oludala ifayela elisha elibizwa ngokuthi "RANSOM" kuhla lwemibhalo lwamanje (ekuhlaselweni kwangempela, i-enclave ibhala ngemfihlo amafayela omsebenzisi akhona) futhi ibonise umlayezo wesihlengo. Ngasikhathi sinye, uhlelo lokusebenza lomsingathi ngokungazi lutho lukholelwa ukuthi i-enclave imane ingeza izinombolo ezimbili. Lokhu kubukeka kanjani kukhodi?
Ukuze kube lula ukuqonda, ake sethule amanye ama-mnemonics ngezincazelo:
Sigcina amanani angempela werejista ye-RSP ne-RBP ukuze sibuyisele ukusebenza okuvamile kohlelo lokusebenza lomsingathi ngemva kokwenza umthwalo okhokhelwayo:
Sifuna uhlaka lwesitaki olufanelekile (bona ikhodi evela esigabeni esithi “i-hack yokuqondisa kabusha ukugeleza kokulawula”).
Ukuthola amagajethi e-ROP afanelekile:
Ukuthola indawo yokujova umthamo wokukhokha:
Sakha iketango le-ROP:
Lena yindlela ubuchwepheshe be-Intel be-SGX, obuklanyelwe ukulwa nezinhlelo ezinonya, buxhashazwa ngayo abantu abayizigebengu ukufeza izinhloso eziphambene.
Source: www.habr.com