Izolo sishicilele lapha kubhulogi izindaba ezimayelana I-Aya, umtapo wolwazi wokwakha amashayeli we-eBPF kuRust futhi ngukuthi inhloso yalokhu ukudala abashayeli abaphephe kakhulu noma i- Iphrojekthi ye-Prossimo yokuqinisekisa inkumbulo ye-Linux kernel ene-Rust (amaphrojekthi amabili amahle azoba nokuningi ongakhuluma ngakho ezinyangeni ezilandelayo).
Futhi yilokho esikhathini esifushane, ubungozi obuhlukahlukene bubikiwe lapho sisebenzise izimbungulu ku-eBPF nokuthi kuyinkinga lapho abathuthukisi be-kernel bengayekanga ukusebenza futhi mhlawumbe iRust iyisixazululo.
Isizathu sokuthinta lesi sihloko ukuthi muva nje kukhishwe izindaba abazibonile Ukuba sengozini "kokunye" ku-kernel ye-Linux (I-CVE-2021-33624) ye dlula ukuvikelwa ebungozini besigaba seSpecter, ngoba lokhu kuvumela ukusebenzisa uhlelo olungaphansi lwe-eBPF ukuze lukwazi ukuthola okuqukethwe kwememori njengomphumela wokwenziwa kwezimo zokuqagela kokwenziwa kwemisebenzi ethile.
Kushiwo ukuthi ukuba sengozini kubangelwa ukwehluleka kokuqinisekisa, okusetshenziselwa ukuthola amaphutha nomsebenzi ongavumelekile ezinhlelweni ze-BPF. Isiqinisekisi sibala izindlela ezingahle zenziwe zekhodi, kepha azinaki noma yiziphi izinketho zegatsha ezingavumelekile ukusuka endaweni yokubuka yama-semantics we-set set of architecture.
Lapho kuqhutshwa uhlelo lwe-BPF, izinketho zamagatsha ezingazange zibhekelwe isiqinisekisi zingabikezelwa ngokungafanele yiprosesa futhi zenziwe ngemodi yokuqagela.
Kuzinhlelo ezithintekile, uhlelo lwe-BPF olungavikelekile lungasebenzisa lobu bucayi ukuhlunga okuqukethwe kwememori ye-kernel engenangqondo (ngakho-ke yonke imemori ebonakalayo) ngesiteshi eseceleni.
Isibonelo, lapho uhlaziya umsebenzi "wokulayisha", isiqinisekisi sithatha ukuthi imiyalo isebenzisa irejista ngekheli elinenani elihlala likhona ngaphakathi kwemikhawulo ebekiwe, kepha umhlaseli angadala izimo ngaphansi kwayo iprosesa lizozama ngandlela thile ukwenza ukuhweba ngekheli elingahlangabezani nemibandela yokuqinisekisa.
Ukuhlaselwa kweSpecter kudinga ubukhona beskripthi esithile kukhodi enelungelo, okuholela ekusetshenzisweni kokuqagela kwemiyalo. Ngokukhohlisa izinhlelo ze-BPF ezidluliselwe ukwenziwa, kungenzeka ukuthi kukhiqizwe imiyalo enjalo ku-eBPF bese kuhlunga okuqukethwe kwememori ye-kernel nezindawo eziyimpikiswano zememori ebonakalayo ngeziteshi eziseceleni.
Futhi, ungamaka inothi mayelana nomthelela wokusebenza wezimpahla ukuvikela isigaba se-Specter sobungozi.
Leli nothi lifingqa imiphumela rr (Record and Replay) debugger optimization, once created by Mozilla ukulungisa amaphutha okulukhuni ukuwaphinda kuFirefox. Ukulondolozwa kwesikhashana izingcingo zesistimu ezisetshenziselwa ukuqinisekisa ubukhona bezinkomba kunciphise ukusebenza kwe- "rr sources" kwephrojekthi yokuhlola kusuka kumizuzu emi-3 imizuzwana engu-19 kuye kumasekhondi angama-36.
Umbhali wokusebenzisa kahle uthathe isinqumo sokuhlola kuzoshintsha kangakanani ukusebenza ngemuva kokukhubaza ukuvikelwa kweSpecter. Ngemuva kokuqalisa uhlelo ngepharamitha "mitigations = off", isikhathi sokwenza "imithombo ye-rr" ngaphandle kokusebenzisa kube yimizuzu emi-2 imizuzwana emi-5 (izikhathi eziyi-1.6 ngokushesha) nangokusebenzisa kahle amasekhondi angama-33 (9% ngokushesha).
Kuyathakazelisa ukuthi, ukukhubaza ukuvikelwa kweSpecter hhayi kuphela isikhathi esincishisiwe sokusebenza kwekhodi yezinga le-kernel ezikhathini eziyi-1.4 (kusuka ku-2 min 9s kuya ku-1 min 32s), kuphinde kwehlisa phakathi nesikhathi sokwenza endaweni yomsebenzisi (kusuka ku-1 min 9s kuya ku-33s), mhlawumbe ngenxa yokwehla kwesilondolozi se-CPU ne-TLB kusethwe kabusha lapho ukuvikelwa kweSpecter kunikwe amandla.
Inkinga ivele selokhu kukhishwe i-4.15 kernel futhi ilungisiwe ngendlela yezimagqabhagqabha, okwamanje ezingafinyeleli kukho konke ukusatshalaliswa, ngakho-ke kunconywa abasebenzisi ukuthi kulezi zinsuku benza izibuyekezo ezifanele ngokushesha nje lapho bethola izaziso.
Si ufuna ukwazi kabanzi ngayo, ungabheka imininingwane Kulesi sixhumanisi esilandelayo.