Kees Cook Introduces New Patches to Improve Linux Kernel Stack Security


Kees Cook, former chief sysadmin at kernel.org and former leader of the Ubuntu security team, who now works at Google on securing Android and ChromeOS, has published a set of patches that randomize the kernel stack offset when system calls are handled. The patches improve kernel security by changing the location of the stack, which makes stack-based attacks much harder and less likely to succeed.

The original idea for the patch comes from the PaX RANDKSTACK project. In 2019, Elena Reshetova, an engineer at Intel, tried to create an implementation of this idea suitable for inclusion in the mainline Linux kernel.

Later, the initiative was taken up by Kees Cook, who presented an implementation suitable for the mainline kernel; the patches are planned for version 5.13 of Linux.

The mode will be disabled by default. To enable it, the kernel command line parameter "randomize_kstack_offset=on/off" and the CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT setting are provided. The overhead of enabling the mode is estimated at approximately 1% of performance.

The essence of the proposed protection is to choose a random stack offset on every system call. This complicates determining the stack layout in memory even if address information has been obtained, since the base address of the stack will change on the next call.

Unlike the PaX RANDKSTACK implementation, in the patches proposed for inclusion in the kernel the randomization is not done at the initial stage, but after the pt_regs structure has been set up. This makes it impossible to use ptrace-based methods to determine the random offset during a long-running system call.

As Linux kernel stack protections have steadily improved (vmap-based stack mapping with guard pages, removal of thread_info, STACKLEAK), attackers have had to find new ways to make their exploits work.

They have relied, and continue to rely, on kernel stack determinism in situations where VMAP_STACK and THREAD_INFO_IN_TASK_STRUCT were not relevant. For example, recent attacks would have been hampered if the stack offset had not been deterministic between system calls.

The purpose of the randomize_kstack_offset feature is to add a random offset after pt_regs has been pushed onto the stack and before the rest of the thread stack is used during system call processing, and to change it every time a process issues a system call. The source of randomness is currently defined by the architecture (x86 uses the low byte of rdtsc()).

Future improvements using different entropy sources are possible, but are outside the scope of this patch. In addition, to add more unpredictability, new offsets are chosen at the end of system calls (the timing of which should be less easy to measure from user space than the time of system call entry) and are stored in a per-CPU variable, so that the lifetime of the value is not explicitly tied to a single task.
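The mechanism described in the last two paragraphs, as a user-space C model added here for illustration (it is not code from the kernel patches): padding is inserted after the register area and before the handler's frame, and the next offset is picked on the way out. The function names, the 10-bit offset mask, the 168-byte register area and the xorshift stand-in for the entropy source are all assumptions.

```c
/* Added user-space model of per-syscall stack offset randomization; not kernel code. */
#include <alloca.h>
#include <stdint.h>

#define OFFSET_MASK 0x3FFu          /* assumed cap on the offset, in bytes */
static int      randomize_on;       /* models randomize_kstack_offset=on/off */
static uint32_t percpu_offset;      /* models the per-CPU offset variable */
static uint32_t prng = 2463534242u; /* fixed seed so runs are repeatable */
struct layout { uintptr_t regs, frame; };

/* Stand-in entropy source (xorshift32); the page says x86 uses rdtsc(). */
static uint32_t entropy(void) {
    prng ^= prng << 13; prng ^= prng >> 17; prng ^= prng << 5;
    return prng;
}

/* The "rest of the stack": whatever the syscall handler itself uses. */
static __attribute__((noinline)) void handler(struct layout *out) {
    volatile char locals[64];
    out->frame = (uintptr_t)locals;
}

static __attribute__((noinline)) void model_syscall(struct layout *out) {
    volatile char pt_regs[168];     /* stands for the saved registers */
    out->regs = (uintptr_t)pt_regs;
    if (randomize_on) {             /* pad only after pt_regs is in place */
        void *pad = alloca(percpu_offset & OFFSET_MASK);
        __asm__ volatile("" : : "r"(pad) : "memory"); /* keep the alloca */
    }
    handler(out);
    percpu_offset ^= entropy();     /* next offset is chosen on the way out */
}

/* Distinct pt_regs-to-handler distances seen; -1 if pt_regs itself moved. */
int distinct_layouts(int enabled, int calls) {
    uintptr_t seen[64], regs0 = 0, d;
    int n = 0, k;
    randomize_on = enabled;
    for (int i = 0; i < calls; i++) {
        struct layout l;
        model_syscall(&l);
        if (i == 0) regs0 = l.regs;
        if (l.regs != regs0) return -1;
        d = l.regs - l.frame;
        for (k = 0; k < n && seen[k] != d; k++) { }
        if (k == n && n < 64) seen[n++] = d;
    }
    return n;
}
```

With randomization off, every call sees the same distance between the register area and the handler frame; with it on, the register area stays where it was while the handler frame moves from call to call.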

There are no visible changes for this on x86 because the stack protector is already unconditionally disabled for the compilation unit, but the change is required on arm64. Unfortunately, there is no attribute that can be used to disable the stack protector for specific functions.

Comparison with the PaX RANDKSTACK feature: RANDKSTACK randomizes the location of the start of the stack (cpu_current_top_of_stack), that is, it includes the location of the pt_regs structure on the stack.

Initially, this patch followed the same approach, but during recent discussions it was determined to be of little value: if ptrace functionality is available to an attacker, they can use PTRACE_PEEKUSR to read/write different offsets in the pt_regs structure, observe the cache behavior of the pt_regs accesses, and work out the random stack offset.

Finally, it is mentioned that the initial implementation supports ARM64 and x86/x86_64 processors.

