Masu bincike daga kamfanin NCC Group sun buga kwanan nan sakamakon binciken aikin Zephyr, wanda shine tsarin aiki na ainihi (RTOS), wanda aka tsara don samarda na'urori bisa ga ma'anar "Intanet na abubuwa" (IoT). Ana haɓaka Zephyr tare da haɗin Intel.
Zephyr yana ba da adireshin adireshi na kama ɗaya don duk matakai na kowa da kowa (SASOS, Tsarin Adireshin Tsarin Tsarin Adireshin Adireshi). Ana haɗa takamaiman lambar aikace-aikace tare da kwaya wacce aka keɓance don takamaiman aikace-aikace kuma ta samar da fayil mai zartarwa wanda zai iya yin komai don saukarwa da gudana akan wasu kwamfutoci.
Duk albarkatun tsarin an ƙaddara su a matakin tattarawa, wanda ke rage girman lambar kuma yana ƙara yawan aiki. Abubuwan fasalin kernel kawai waɗanda ake buƙata don gudanar da aikace-aikacen za a iya haɗa su cikin hoton tsarin.
Abin lura ne cewa daga cikin manyan fa'idodi Zephyr da aka ambata ci gaba tare da ido kan aminci. Ana jayayya da cewa Duk matakan ci gaba suna wucewa ne ta hanyar tilas tabbatar da lambar tsaro: gwaji mai ban tsoro, bincike na yau da kullun, gwajin shigar azzakari cikin farji, nazarin kodin, nazarin tura kayan daki na baya, da kuma samfurin yin barazana.
Game da rauni
Binciken ya nuna raunin 25 a cikin Zephyr da raunin 1 a cikin MCUboot. Gaba ɗaya, an gano su 6 rauni a cikin cibiyar sadarwar, 4 a cikin kwaya, 2 a cikin harsashin umarni, 5 a cikin tsarin kira masu kulawa, 5 a cikin tsarin USB da 3 a cikin aikin sabunta firmware.
Matsaloli biyu an sanya su cikin mawuyacin haɗari, biyu: babba, 9 matsakaici, 9 - kaɗan da 4 - don la'akari. Matsaloli mahimmanci yana tasiri tasirin IPv4 da mai binciken MQTT, yayin da abinMasu haɗari sun haɗa da adana kebul na USB da direbobin USB DFU.
A lokacin fitowar bayanai, an shirya gyara don raunin 15 kawai mafi haɗari, har yanzu akwai batutuwan da aka warware, wanda ke haifar da ƙin sabis ko rashin nasaba da hanyoyin don ƙarin kernel kariya.
An gano raunin da aka yi amfani da shi daga nesa a cikin tarin IPv4 na dandamali, wanda ke haifar da lalata ƙwaƙwalwa yayin da aka aiwatar da fakitin ICMP da aka gyara ta wata hanya.
An sami wata matsala mai mahimmanci a cikin fassarar yarjejeniyar MQTT, qHakan na faruwa ne ta rashin tabbataccen tabbaci na tsawon filayen a cikin taken kuma yana iya haifar da aiwatar da lambar nesa. Ana samun ƙarancin musun al'amuran sabis a cikin tarin IPv6 da aiwatar da yarjejeniya ta CoAP.
Sauran matsalolin za'a iya amfani dasu a cikin gida haifar da kin aiki ko aiwatar da lambar a matakin kernel. Yawancin waɗannan raunin yanayin suna da alaƙa da rashin cikakken bincike game da takaddama na tsarin kira, kuma zai iya haifar da rubuce-rubuce da karatun yankunan sabani na ƙwaƙwalwar ƙwaƙwalwar.
Batutuwan kuma sun shafi lambar sarrafa lambar kira kanta - samun dama ga lambar kira mara kyau yana haifar da ambaliyar lamba. DAKernel kuma ya gano batutuwa wajen aiwatar da kariya ta ASLR (adireshin bazuwar sararin samaniya) da kuma tsarin girka alamun canary a kan tari, wanda ya mayar da waɗannan hanyoyin rashin inganci.
Al'amura da yawa sun shafi tarin USB da direbobin mutum. Misali, batun adana tarin USB yana baka damar haifar da ambaliyar ajiya da kunna lambar a matakin kernel lokacin da ka haɗa na'urar da mai kai hari USB mai kulawa.
Raunin yanayin cikin USB DFU, direba don saukar da sabon firmware ta USB, yana ba ku damar loda hoton firmware da aka gyara zuwa Flash na ciki na mai sarrafawa ba tare da yin amfani da ɓoyewa ba da kuma tsallake yanayin ƙirar amintacce tare da tabbacin sa hannun dijital. Bugu da kari, an yi karatun lambar bude bootloader ta MCUboot, wacce a ciki aka gano wani rauni mai hadari wanda zai iya haifar da ambaliya yayin amfani da lamuran Gudanar da Sauki (SMP) ta hanyar UART.