Mayhem: a memory bit-flipping attack that bypasses sudo and OpenSSH authentication

Researchers from the Worcester Polytechnic Institute (USA) have presented a new variant of the Mayhem attack. It uses the Rowhammer technique to corrupt the values of stack variables that a program uses as flags when deciding whether authentication and security checks have passed. Practical demonstrations of the attack include bypassing authentication in sudo, OpenSSH and MySQL, as well as changing the outcome of security-related checks in the OpenSSL library.

The attack applies to programs whose checks test a value for being different from zero. Example of vulnerable code:

    int auth = 0;
    ...
    // authentication code that sets auth to a non-zero value on success
    if (auth != 0)
        return AUTH_SUCCESS;
    else
        return AUTH_FAILURE;

In this example, a successful attack only has to corrupt any single bit of the memory holding the 32-bit auth variable on the stack. Once any one bit is flipped, the value is no longer zero and the conditional treats authentication as completed successfully. Such authentication patterns are common in applications and are found, for example, in sudo, OpenSSH, MySQL and OpenSSL.


The attack can also be applied to comparisons of the form "if (auth == 1)", but in that case it is considerably harder to carry out, because a specific bit (the least significant one) has to be flipped rather than any of the 32. The method can also be used to influence values held in processor registers, since register contents may be temporarily spilled to the stack on a context switch, a function call or the invocation of a signal handler. While the register values sit in memory, the corruption can be introduced there, and the modified value is then loaded back into the register.


To flip the bits, one of the variants of the Rowhammer class of attacks is used. Since DRAM is a two-dimensional array of cells, each consisting of a capacitor and a transistor, repeatedly reading the same memory region causes voltage fluctuations and anomalies that drain a small amount of charge from neighbouring cells. If the read intensity is high enough, a neighbouring cell can lose so much charge that the next refresh cycle does not have time to restore its original state, which changes the data value stored in the cell. To protect against Rowhammer, chip manufacturers added TRR (Target Row Refresh), which blocks cell corruption in particular cases but does not protect against all possible variants of the attack.

To protect against the Mayhem attack, it is recommended that comparisons do not test for "different from zero" or "equal to one", but instead test for equality with a random-looking initial value whose octets are all non-zero. In that case, setting the variable to the desired value requires flipping a substantial number of specific bits precisely, which is unrealistic, unlike flipping a single bit. Example of code that is not susceptible to the attack:

    int auth = 0xbe406d1a;
    ...
    // authentication code that sets auth to 0x23ab8701 on success
    if (auth == 0x23ab8701)
        return AUTH_SUCCESS;
    else
        return AUTH_FAILURE;
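The following program is an added example written for this article; it is not code from the Mayhem researchers, sudo or any other project mentioned here. It places the three check patterns discussed above side by side (the "auth != 0" pattern, the "auth == 1" pattern, and the hardened two-constant pattern) and models a Rowhammer fault as a single flipped bit in the 32-bit flag. The magic constants are the ones quoted in the article; the function names and the single-bit fault model are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define AUTH_FAILURE 0
#define AUTH_SUCCESS 1

/* Weak pattern from the article: the flag starts at 0 and "any non-zero" means success. */
int check_nonzero(uint32_t auth)
{
    return (auth != 0) ? AUTH_SUCCESS : AUTH_FAILURE;
}

/* Somewhat stronger pattern from the article: success requires exactly the value 1. */
int check_equals_one(uint32_t auth)
{
    return (auth == 1) ? AUTH_SUCCESS : AUTH_FAILURE;
}

/* Hardened pattern from the article: two unrelated constants with no zero octets.
 * The values are the ones quoted in the article; the macro names are this example's. */
#define AUTH_INIT 0xbe406d1aU   /* state: not authenticated */
#define AUTH_OK   0x23ab8701U   /* state: authenticated */

int check_magic(uint32_t auth)
{
    return (auth == AUTH_OK) ? AUTH_SUCCESS : AUTH_FAILURE;
}

/* Number of bit positions in which a and b differ (Hamming distance), portable popcount. */
int hamming_distance(uint32_t a, uint32_t b)
{
    uint32_t x = a ^ b;
    int n = 0;
    while (x) {
        n += (int)(x & 1u);
        x >>= 1;
    }
    return n;
}

/* Fault model (assumption of this example): the attacker flips exactly one bit of the
 * "not authenticated" flag. Flip each of the 32 bits in turn and count how many of those
 * faulted values the given check accepts as a successful authentication. */
int single_flip_bypasses(int (*check)(uint32_t), uint32_t not_authenticated)
{
    int bypasses = 0;
    for (int bit = 0; bit < 32; bit++) {
        uint32_t faulted = not_authenticated ^ (1u << bit);
        if (check(faulted) == AUTH_SUCCESS)
            bypasses++;
    }
    return bypasses;
}

int main(void)
{
    printf("auth != 0       : %2d of 32 single-bit flips bypass the check\n",
           single_flip_bypasses(check_nonzero, 0));
    printf("auth == 1       : %2d of 32 single-bit flips bypass the check\n",
           single_flip_bypasses(check_equals_one, 0));
    printf("auth == AUTH_OK : %2d of 32 single-bit flips bypass the check\n",
           single_flip_bypasses(check_magic, AUTH_INIT));
    printf("bits that must all flip to turn AUTH_INIT into AUTH_OK: %d\n",
           hamming_distance(AUTH_INIT, AUTH_OK));
    return 0;
}
```

The quantity that matters when choosing the two constants is the Hamming distance between the "not authenticated" and "authenticated" values: every one of the 32 single-bit faults defeats the "!= 0" check, exactly one defeats "== 1", and none defeats the two-constant check, where 20 specific bits spread over all four bytes would have to change at once. This is a model of the fault, not a reproduction of Rowhammer itself; it says nothing about which DRAM cells a real attack can flip.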

The described protection has already been adopted by the sudo developers and shipped in release 1.9.15 as the fix for vulnerability CVE-2023-42465. The researchers plan to publish example attack code once the major affected projects have been fixed.

Source: opennet.ru
