
Revealing the ghosts in our machines

Seeing Spectre: Dmitry Evtyushkin, an assistant professor of computer science at William & Mary, has been researching security vulnerabilities in speculative execution. Photo by Adrienne Berard

Update: Dmitry Evtyushkin's most recent research into branch predictors has been published under the title “BranchScope: A New Side-Channel Attack on Directional Branch Predictor.” He presented the findings on March 28 at the International Conference on Architectural Support for Programming Languages and Operating Systems.

Around the new year, the threat began making headlines. Publications around the world warned of the largest computer chip vulnerability discovered to date, a set of security flaws affecting any device with a microprocessor, from laptops to smartphones. Researchers found that, in the pursuit of chip efficiency, major manufacturers had inadvertently introduced a flaw that lets hackers snoop on sensitive data.

In two papers published on January 3, researchers named the cybersecurity threats Meltdown and Spectre. The name Meltdown was chosen because the attack “melts” the security boundaries normally enforced by the processor hardware. The name Spectre was based on the root cause of the vulnerability, speculative execution, a speed-enhancing technique in which the processor tries to predict which part of the code will need to run next and begins executing it ahead of time. And, like a real ghost, the attack is nearly impossible to detect.

By late January, hardware companies including Intel, ARM Holdings Plc. and Advanced Micro Devices Inc. had released microcode updates to address the vulnerabilities. The companies also worked with operating system developers, such as those behind Windows and Linux, to design and release software updates. The flaws are physical, part of the computer's processing hardware. Eliminating the problem completely would require modifying millions of computer chips. Instead, developers and manufacturers chose to try to patch the hardware flaws with software updates. The updates slowed performance and, in some cases, rendered systems inoperable, but the coordinated effort appears to have succeeded in preventing Meltdown and reducing vulnerability to Spectre attacks.

The world quickly moved on, but Dmitry Evtyushkin couldn't. He had known for years that Spectre-like flaws existed in processors. In fact, his research helped bring those problems to light in the first place. Spectre, true to its name, is still lurking out there.

“Researchers still aren't entirely sure what the real impact of Spectre is,” said Evtyushkin, an assistant professor of computer science at William & Mary. “They don't know the full scope of what they're dealing with. There are so many different processors, and so many different ways to exploit this type of vulnerability.”

Think of a Spectre attack as sonar inside a computer. To learn how processes work, the attacker collides programs with one another and draws a picture based on those collisions. The attacker then uses that picture, along with other side effects of the collisions, to access sensitive data inside the computer.

“We have different programs responsible for different activities,” Evtyushkin said. “You can think of them as your applications. For example, you have your email client, your password manager, your games. They all need to be isolated. They shouldn't interfere with each other.”

In 2016, while Evtyushkin was completing his Ph.D. at Binghamton University, he and two other researchers found a way to force processes to interfere. Their study, titled “Jump Over ASLR: Attacking the Branch Predictor to Bypass ASLR,” was part of a collection of research that detailed processor flaws similar to those shown in studies about Meltdown and Spectre.

“I discovered that it is possible to create collisions inside these multiple domains,” Evtyushkin said, “which contributes to the discovery of memory layout.”

Computer systems are designed to make a program’s memory layout extremely hard to find. It’s hidden through a hardening technique known as Address Space Layout Randomization (ASLR). The security measure protects a program’s memory structure by randomizing the positions of key program components, making it next to impossible for an attacker to know the specific addresses where those components are located. ASLR is like the combination to a safe. An attack that gets through ASLR would reveal a program’s entire data structure – every piece of information it contains.

Evtyushkin found that a hacker could bypass ASLR using a central component of computer chip hardware, the Branch Predictor. The BP was introduced to make computer processors – or CPUs – operate more efficiently by streamlining the way programs run. When a program is executed, it is sent along a path known as a branch. The first time a branch is executed, the processor can’t figure out the branch’s final target. So it relies on a hardware mechanism, the BP, which predicts a target based on previous branch behavior.

If attackers gain access to the BP, they can control how branches are handled by the processor and cause all kinds of collisions. A knowledgeable attacker can detect such collisions and bypass the randomization-based protection that hides a program’s layout.

“I discovered that many mechanisms in today’s computers are shared between different programs,” Evtyushkin said. “An attacker can execute code that causes changes inside internal data structures in the hardware. By doing this, they can either detect branch instructions in a victim program or trigger some speculative execution in a way that it starts to leak security sensitive data.”
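The speculative leak Evtyushkin describes is easiest to see in the bounds check that guards an array lookup: the check is a conditional branch, and while the Branch Predictor guesses its outcome the processor may transiently run the body with an out-of-range index. The C below is an added illustration written for this page, not code from the article or from Evtyushkin's research. It places the classic checked lookup beside the software mitigation that processor and OS vendors shipped, a branch-free index mask modeled on the approach of Linux's array_index_mask_nospec(); the function names lookup_unmasked, index_mask_nospec and lookup_masked and the sample table are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_SIZE 16

/* Constructed sample data: a small public lookup table. */
static const uint8_t public_table[TABLE_SIZE] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
};

/*
 * Classic bounds-checked lookup. Architecturally correct, but the check is a
 * conditional branch: while the branch predictor guesses its outcome, the
 * processor may speculatively execute the body with an out-of-range index and
 * touch memory beyond the table. That transient access leaves
 * microarchitectural side effects, which is the Spectre problem the article
 * describes. The architectural result (0 for bad indices) is unaffected.
 */
uint8_t lookup_unmasked(size_t index)
{
    if (index < TABLE_SIZE)
        return public_table[index];
    return 0;
}

/*
 * Branch-free clamping mask, modeled on Linux's array_index_mask_nospec():
 * returns all ones when index < size and zero otherwise. Only arithmetic is
 * used, so the result is valid even while the processor is speculating past
 * a mispredicted branch. Assumes 0 < size and that index and size are both
 * below 2^(bits-1).
 */
size_t index_mask_nospec(size_t index, size_t size)
{
    /* If index >= size, (size - 1 - index) wraps around and sets the top bit;
       if index < size, neither operand has the top bit set. */
    size_t top_bit = (index | (size - 1 - index)) >> (sizeof(size_t) * 8 - 1);
    /* top_bit is 1 for out-of-range, 0 for in-range; subtracting 1 yields
       0 or SIZE_MAX respectively. */
    return top_bit - 1;
}

/*
 * Hardened lookup: same branch, but the index is masked before use, so even a
 * speculative pass through the body cannot read outside the table.
 */
uint8_t lookup_masked(size_t index)
{
    if (index < TABLE_SIZE) {
        index &= index_mask_nospec(index, TABLE_SIZE);
        return public_table[index];
    }
    return 0;
}

int main(void)
{
    size_t probes[] = { 0, 7, 15, 16, 1000, SIZE_MAX };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        size_t idx = probes[i];
        printf("index %zu: mask=%#zx unmasked=%u masked=%u\n",
               idx, index_mask_nospec(idx, TABLE_SIZE),
               lookup_unmasked(idx), lookup_masked(idx));
    }
    return 0;
}
```

Both lookups return identical values for every index; the difference is only in what the processor may touch during speculation, which is why no functional test can tell the two apart and why, as the article notes, such attacks leave no visible trace.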

In the controlled environment of the lab, Evtyushkin and his team executed a series of attacks through the BP. In December 2016, the team published their results. Their work became part of an international body of research large enough to create a surge of global media attention.

“This design flaw was there for a long time and I just discovered one way to use it,” Evtyushkin said. “There are other ways to manipulate speculative execution, which turn out to be more serious in terms of security.”

Since publishing his findings in 2016, Evtyushkin has continued researching Branch Predictors. His current area of focus is another part of the BP’s job: telling programs which direction to take. The specifics of his research cannot be disclosed until a paper on his work is released at the end of March. He said Intel has been notified about the flaws he’s discovered and is reviewing the research before the paper is released.

Evtyushkin is not optimistic about a quick fix. He, along with scores of other researchers, has spent the past several years telling hardware manufacturers they need to redesign their processors in order to solve security flaws. Currently, the companies have released a few software updates, but the hardware has not been updated to address the problem. Evtyushkin says there needs to be a broad, systematic fix to address multiple issues in modern hardware design.

“This whole culture of prioritizing performance, rather than security, is to blame,” Evtyushkin said. “There is high competition in computer hardware production. Developers want to make faster chips, so they have to add aggressive speculative execution. They are giving up on security checks in order to make it fast.”

On the bright side, there are no known incidents of Spectre-type attacks, but Evtyushkin says an attack could occur without the knowledge of even a savvy operator. A Spectre attack can come in through a myriad of different avenues, such as a website, a file download, a cell phone application or a media player. Once it’s in, it’s invisible.

“One of the problems with Spectre is that it’s completely silent,” Evtyushkin said. “You don’t see anything happening. Compared to traditional attacks, where an application usually crashes and you can see the damage, with microarchitecture attacks you won’t see it or know it happened.”

To guard yourself against any kind of attack, Evtyushkin encourages safe computing practices such as not executing untrusted code and regularly updating your systems.

“Usually, the people who are responsible for these updates know more about vulnerabilities and hopefully can do something about it,” Evtyushkin said.

Evtyushkin says his work is bringing awareness and eventually the required hardware updates will follow. He’s currently working with collaborators to develop more systemic protection methods, such as restructuring speculative execution and Branch Predictor hardware to make it more secure while maintaining high performance.

“This research used to be considered extremely geeky, but now the public is paying attention to it,” Evtyushkin said. “It’s helping address the problem, because everybody knows about it. It motivates all of these big companies to take things more seriously.”