A team of researchers from ETH Zurich, Vrije Universiteit Amsterdam, and Qualcomm has published a new RowHammer-class attack method that allows the contents of individual bits in dynamic random-access memory (DRAM) to be altered. The attack has been code-named Blacksmith and assigned the identifier CVE-2021-42114. Many DDR4 chips protected against previously known RowHammer-class methods are vulnerable to this issue. A toolkit for testing systems for the vulnerability has been published on GitHub.
As a reminder, RowHammer-class attacks corrupt the contents of individual memory bits by cyclically reading data from neighboring memory cells. Since DRAM is a two-dimensional array of cells, each consisting of a capacitor and a transistor, continuously reading the same memory region causes voltage fluctuations and anomalies that lead to a small loss of charge in neighboring cells. If the read intensity is high, a neighboring cell can lose a significant amount of charge, and the next refresh cycle will not have time to restore its original state, which changes the value of the data stored in the cell.
To protect against RowHammer, chip manufacturers proposed the TRR (Target Row Refresh) mechanism, which protects against corruption of cells in adjacent rows. However, since this protection was based on the principle of "security through obscurity", it did not address the root of the problem and protected only against certain specific cases, which made it easy to find ways around the protection. For example, in May, Google proposed the Half-Double method, which was not affected by TRR protection because the attack affected cells that were not directly adjacent to the target.
The new Blacksmith method offers a different way to bypass TRR protection, based on non-uniform accesses to two or more aggressor rows at different frequencies to cause charge leakage. To determine the memory access pattern that leads to charge leakage, a special fuzzer was developed that automatically selects the attack parameters for a specific chip, varying the order, intensity, and regularity of cell accesses.
This approach, which does not target the same cells, renders current TRR protection methods ineffective. These methods, in one way or another, rely on counting the number of repeated cell accesses and, when certain values are reached, initiate recharging of adjacent cells. In Blacksmith, the access pattern is spread across several cells on different sides of the target cell, which allows charge leakage without reaching the thresholds.
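The blind spot described above can be seen in a small model. The following is an added example, not code from the researchers or from any DRAM vendor: it replays row activations against a per-row threshold counter of the kind the text describes. All thresholds, the refresh window and the per-distance disturbance weights are constructed assumptions, since real TRR internals are undocumented.

```python
from collections import Counter

# Constructed parameters for a toy model; real TRR internals are undocumented.
TRIGGER = 120    # activations of one row that make the mitigation refresh its neighbours
FLIP_AT = 150    # accumulated disturbance at which the modelled victim cell flips
WINDOW = 400     # activations between regular refreshes, which reset everything
WEIGHT = {1: 1.0, 2: 0.25}   # assumed disturbance per activation, by distance to victim


def run(pattern, victim):
    """Replay a sequence of row activations against a per-row threshold counter.

    Returns (mitigation_refreshes, peak_disturbance, victim_flipped).
    """
    counts = Counter()
    disturbance = peak = 0.0
    refreshes = 0
    for i, row in enumerate(pattern):
        if i and i % WINDOW == 0:          # regular refresh cycle
            counts.clear()
            disturbance = 0.0
        counts[row] += 1
        disturbance += WEIGHT.get(abs(row - victim), 0.0)
        peak = max(peak, disturbance)
        if counts[row] >= TRIGGER:         # the only signal the mitigation sees
            refreshes += 1
            counts[row] = 0
            if abs(row - victim) == 1:     # victim is a neighbour of the hot row
                disturbance = 0.0
    return refreshes, peak, peak >= FLIP_AT


VICTIM = 10
concentrated = [VICTIM - 1] * WINDOW                                  # one hot row
spread = [VICTIM - 2, VICTIM - 1, VICTIM + 1, VICTIM + 2] * (WINDOW // 4)

if __name__ == "__main__":
    for name, pat in (("concentrated", concentrated), ("spread", spread)):
        print(name, run(pat, VICTIM))
```

In this model the concentrated pattern trips the counter before the victim accumulates enough disturbance, while the spread pattern keeps every per-row count below the trigger even though the victim's accumulated disturbance exceeds the flip level.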
This method proved much more effective than previously proposed TRR bypass methods: the researchers succeeded in flipping bits on all 40 recently purchased memory chips from Samsung, Micron, SK Hynix, and an unknown manufacturer (the manufacturer was not indicated on four chips). For comparison, the TRRespass method, proposed earlier by the same researchers, worked on only 13 of the 42 chips tested at the time.
While the Blacksmith method is generally expected to work on 94% of all DRAM chips on the market, the researchers say that some chips are more vulnerable and easier to attack than others. The use of error-correcting codes (ECC) and doubling the memory refresh rate on these chips does not provide complete protection but makes exploitation harder. Notably, the vulnerability cannot be blocked in existing chips and requires new hardware-level protection, which means the attack will remain relevant for many years to come.
Practical examples are given of using Blacksmith to change the contents of a memory page table entry (PTE) to gain kernel privileges, to corrupt an RSA-2048 public key stored in memory by OpenSSH (the public key in someone else's virtual machine can be made to match the attacker's private key in order to connect to the victim's VM), and to bypass the privilege check by modifying the memory of the sudo process to gain root privileges. Depending on the chip, flipping one target bit can take anywhere from 3 seconds to several hours.

In addition, the open-source LiteX Row Hammer Tester framework for testing memory protection mechanisms against RowHammer attacks, developed by Antmicro for Google, is worth noting. The framework uses an FPGA to fully control the commands sent directly to the DRAM chip, eliminating the influence of the memory controller. A Python toolkit is available for interacting with the FPGA. The FPGA-based gateware includes a data packet module (which defines memory access patterns), a Payload Executor, a LiteDRAM-based controller (which handles all DRAM-related logic, including row activation and memory refresh), and a VexRiscv CPU. The project's work is licensed under the Apache 2.0 license. Various FPGA platforms are supported, including Lattice ECP5, Xilinx Series 6, 7, UltraScale, and UltraScale+.
Source: opennet.ru
