Shufflecake published, a toolkit for creating hidden encrypted disk partitions

The security research company Kudelski Security has published a tool called Shufflecake that lets you create hidden file systems scattered across the available free space of existing partitions and indistinguishable from random residual data. The partitions are created in such a way that, without knowing the access key, it is difficult to prove their existence even during forensic analysis. The code of the utilities (shufflecake-userland) and of the Linux kernel module (dm-sflc) is written in C and distributed under the GPLv3 license, which makes it difficult to include the published kernel module in the mainline Linux kernel because of incompatibility with the GPLv2 license under which the kernel is provided.

The project is positioned as a more advanced solution than Truecrypt and Veracrypt for hiding data that needs protection. It has native support for the Linux platform and lets you place up to 15 hidden partitions on a device, nested inside one another to confuse analysis of their existence. If the use of Shufflecake itself is not a secret, as can be judged, for example, by the presence of the corresponding utilities on the system, the total number of hidden partitions created still cannot be determined. The hidden partitions can be formatted at the user's discretion to hold any file system, for example ext4, xfs or btrfs. Each partition is treated as a separate block device with its own unlock key.

To confuse the traces, it is proposed to use the "plausible deniability" behaviour model, the essence of which is that valuable data is hidden as additional layers in encrypted partitions holding less valuable data, forming a kind of hidden hierarchy of partitions. Under coercion, the device owner can reveal the key to an encrypted partition, but other partitions (up to 15 nested levels) may be hidden in that partition, and determining their presence and proving their existence is problematic.

Hiding is achieved by building each partition as a set of encrypted slices placed at random positions on the storage device. Each slice is created dynamically when additional storage space is needed in the partition. To make analysis harder, slices of different partitions are interleaved, i.e. Shufflecake partitions are not tied to contiguous regions and slices from all partitions are mixed. Information about used and free slices is stored in a location map associated with each partition, which is referenced by an encrypted header. The maps and the header are encrypted and, without knowing the access key, are indistinguishable from random data.

The header is divided into slots, each of which describes its own partition and the associated slices. The slots in the header are stacked and linked recursively: the current slot contains the key for decrypting the parameters of the previous partition in the hierarchy (the less hidden one), which allows a single password to be used to decrypt all the less hidden partitions associated with the selected partition. Each less hidden partition treats the slices of nested partitions as free.

By default, all Shufflecake sub-partitions have the same visible size as the top-level partition. For example, if there are three partitions on a 1 GB device, each of them will appear to the system as a 1 GB partition, and the total available disk space will be shared among all partitions: if the total size of the stored data exceeds the actual size of the device, an I/O error will be raised.

Nested partitions that are not open do not take part in space allocation, i.e. an attempt to fill a top-level partition will result in the data in nested partitions being overwritten, but will not make it possible to reveal their presence by analysing how much data can be placed in the partition before an error occurs (it is assumed that the upper partitions contain immutable data to divert attention and are never used separately, and regular work is always done with the most recently nested partition; the scheme itself implies that keeping the existence of the data secret matters more than losing that data).
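A toy simulation of the allocation behaviour described above, added here as an example and not taken from Shufflecake's code: every partition reports the full device size, and slices of partitions that are not open count as free. The `Device`, `Partition`, `write`, `fill` and `scenario` names and the 100-slice device are assumptions for illustration.

```python
import random

# Toy model of slice allocation; names and sizes are assumptions for illustration.
class Device:
    def __init__(self, total_slices: int, seed: int = 1):
        self.total = total_slices
        self.last_writer = [None] * total_slices   # ground truth per physical slice
        self.rng = random.Random(seed)

class Partition:
    def __init__(self, name: str, dev: Device):
        self.name, self.dev = name, dev
        self.loc_map = {}                 # logical slice -> physical slice

    def visible_slices(self) -> int:
        return self.dev.total             # every partition reports the whole device

    def intact(self) -> int:
        """Slices of this partition that nobody has overwritten."""
        return sum(self.dev.last_writer[p] == self.name for p in self.loc_map.values())

def write(part: Partition, logical: int, opened: list):
    """Write one logical slice; 'opened' lists the partitions unlocked this session."""
    if logical not in part.loc_map:
        taken = {p for v in opened for p in v.loc_map.values()}
        free = [p for p in range(part.dev.total) if p not in taken]
        if not free:
            raise OSError("I/O error: no free slices left")
        part.loc_map[logical] = part.dev.rng.choice(free)   # random placement
    part.dev.last_writer[part.loc_map[logical]] = part.name

def fill(part: Partition, opened: list) -> int:
    """Write new slices until the I/O error; return how many slices part holds."""
    try:
        for logical in range(len(part.loc_map), part.visible_slices()):
            write(part, logical, opened)
    except OSError:
        pass
    return len(part.loc_map)

def scenario(hidden_opened: bool) -> tuple:
    dev = Device(100)
    decoy, hidden = Partition("decoy", dev), Partition("hidden", dev)
    for i in range(10):                   # constructed sample data in the nested partition
        write(hidden, i, [decoy, hidden])
    opened = [decoy, hidden] if hidden_opened else [decoy]
    return fill(decoy, opened), hidden.intact()
```

With the nested partition open, the decoy stops at 90 slices and the nested data survives; with only the decoy open it accepts all 100 slices, so its capacity reveals nothing, and the nested data is gone.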

In fact, 15 Shufflecake partitions are always created: the user's password is attached to the partitions in use, and unused partitions are given a randomly generated password (it is impossible to tell how many partitions are actually in use). When Shufflecake partitions are initialized, the disk, partition or virtual block device allocated for them is filled with random data, which makes it difficult to identify Shufflecake metadata and data against the general background.
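A simplified model of the recursively linked header slots and of the 15 slots that always exist, added here as an example and not Shufflecake's own code or on-disk format. The slot layout, the PBKDF2 key derivation and the hash-based toy cipher are assumptions chosen so the block runs with the Python standard library only.

```python
# Toy model: slot layout, KDF and cipher are assumptions, not Shufflecake's format.
import hashlib, hmac, secrets

MAX_PARTITIONS = 15   # number of partitions the article says are always created
SALT, KEY, TAG = 16, 32, 32

def kdf(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 1000, KEY)  # low count: demo only

def _stream(key: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(b"enc" + key + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, payload: bytes) -> bytes:
    ct = bytes(a ^ b for a, b in zip(payload, _stream(key, len(payload))))
    return ct + hmac.new(b"mac" + key, ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    ct, tag = blob[:-TAG], blob[-TAG:]
    good = hmac.new(b"mac" + key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None                      # wrong key: the slot stays opaque
    return bytes(a ^ b for a, b in zip(ct, _stream(key, len(ct))))

def build_header(passwords):
    """passwords[0] is the least hidden partition; unused slots get random ones."""
    slots, prev_key = [], bytes(KEY)
    for i in range(MAX_PARTITIONS):
        pw = passwords[i] if i < len(passwords) else secrets.token_bytes(32)
        salt = secrets.token_bytes(SALT)
        slot_key = kdf(pw, salt)
        partition_key = secrets.token_bytes(KEY)
        slots.append(salt + seal(slot_key, partition_key + prev_key))
        prev_key = slot_key              # the next, more hidden slot carries it
    return slots

def unlock(header, password: bytes):
    """Return the indices of every partition this single password opens."""
    for i, slot in enumerate(header):
        payload = unseal(kdf(password, slot[:SALT]), slot[SALT:])
        if payload is not None:
            opened = [i]
            while i > 0:                 # follow the chain towards slot 0
                i -= 1
                payload = unseal(payload[KEY:], header[i][SALT:])
                opened.append(i)
            return sorted(opened)
    return []
```

All 15 slots have the same length whether or not a user password stands behind them, so the header alone does not show how many partitions are in use.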

The Shufflecake implementation has fairly high performance, but because of the overhead it is roughly twice as slow in throughput compared with disk encryption based on the LUKS subsystem. Using Shufflecake also incurs additional costs in RAM and in disk space for storing service data. Memory consumption is estimated at 60 MB per partition, and disk space at 1% of the total size. For comparison, the WORAM technique, which has a similar purpose, leads to a slowdown of 5 to 200 times with a 75% loss of usable disk space.

The toolkit and kernel module have been tested only on Debian and Ubuntu with kernels 5.13 and 5.15 (supported on Ubuntu 22.04). It is noted that the project should still be regarded as a working prototype that should not be used to store important data. Future plans include further optimizations for performance, reliability and security, and the ability to boot from Shufflecake partitions.

Source: opennet.ru
