Google yana nuna amfani da raunin Specter ta amfani da JavaScript a cikin wani bincike

Darkcrizt

4 minti

Google ya bayyana kwanaki da suka wuce nau'ikan amfani da samfura wanda ke nuna yiwuwar yin amfani da rauni na Ajin Specter yayin aiwatar da lambar JavaScript a cikin mai bincike, ba tare da bi ta hanyoyin tsaro da aka kara a sama ba.

Ana iya amfani da abubuwan amfani don samun damar ƙwaƙwalwar ajiyar wani aiki wanda ke sarrafa bayanan yanar gizo a cikin shafin yanzu. Don gwada aikin amfani, an ƙaddamar da rukunin yanar gizon don shafin ɓarna kuma an buga lambar da ke bayanin ma'anar aikin a GitHub.

An tsara samfurin da aka tsara don kai hari tsarin tare da Intel Core i7-6500U masu sarrafawa a cikin Linux da yanayin Chrome 88, kodayake wannan baya keɓe cewa ana iya yin canje-canje don amfani da amfani a wasu mahalli.

Hanyar aiki ba takamaiman masu sarrafawa Intel: bayan dace dacewa, An tabbatar da amfani don aiki akan tsarin tare da CPUs na ɓangare na uku, gami da Apple M1 dangane da tsarin ARM. Bayan ƙananan gyare-gyare, amfani yana aiki a kan sauran tsarin aiki da sauran masu bincike dangane da injin Chromium.

A cikin yanayin da ya dogara da daidaitattun Chrome 88 da Intel Skylake processor, mun cimma nasarar kutsawar bayanai daga tsarin da ke da alhakin bayar da abun cikin yanar gizo a cikin shafin Chrome na yanzu (aikin ba da kyauta) cikin saurin 1 kilobyte a kowane dakika. Bugu da kari, an samar da wasu samfura na daban, misali, wani amfani wanda yake ba da dama, a farashin rage kwanciyar hankali, don kara saurin zubewa zuwa 8kB / s yayin amfani da aikin. Yanzu () mai kayyade lokaci daidai da 5 microseconds (0.005 milliseconds) ). An kuma shirya wani bambance-bambancen da ke aiki da daidaitaccen lokaci na millisecond ɗaya, wanda za a iya amfani da shi don tsara damar zuwa ƙwaƙwalwar wani aiki a ƙimar kusan baiti 60 a sakan ɗaya.

Lambar demo da aka buga ta ƙunshi sassa uku:

  • Kashi na farko daidaita ma'aunin lokaci don kimanta lokacin gudu na ayyukan da ake buƙata don dawo da bayanan da suka rage a cikin ɓoye mai sarrafawa sakamakon sakamakon aiwatar da umarnin CPU.
  • Kashi na biyu Yana bayyana saitin ƙwaƙwalwar ajiyar da aka yi amfani dashi lokacin rarraba tsararren JavaScript.
  • Kashi na uku kai tsaye yana amfani da raunin Specter don ƙayyade abubuwan ƙwaƙwalwar ajiya na tsarin yanzu sakamakon samarda yanayi don yin tunanin wasu ayyukan, wanda mai sarrafawa yayi watsi da sakamakonsa bayan kayyade hasashen da baiyi nasara ba, amma ana samun alamun aiwatarwa a cikin ma'ajiyar raba kuma ana iya dawo dasu ta amfani hanyoyi don mineayyade abubuwan da ke cikin ɓoye ta amfani da tashoshi na ɓangare na uku waɗanda ke nazarin canji a cikin damar samun damar zuwa ɓoye da bayanan da ba a ɓoye ba.

Dabarar amfani da ita da aka gabatar gusar da ƙayyadaddun lokaci ana samun sa ta API mai aiki.now () kuma ba tare da tallafi ba ga nau'in SharedArrayBuffer, wanda zai baka damar ƙirƙirar tsararru a cikin mahimmin ƙwaƙwalwa.

Amfani ya haɗa da na'urar Specter, wanda ke haifar da aiwatar da lambar ƙididdigar sarrafawa, da mai binciken kwararar hanyar tashar ruwa, wanda ke tantance abin da aka ɓoye bayanan yayin aiwatar da hasashen.

Ana aiwatar da na'urar ta amfani da tsararren JavaScript, a cikin abin da an yi ƙoƙari don samun damar yanki a waje da iyakokin buffer, wanda ke shafar yanayin ƙididdigar reshen reshe saboda kasancewar duba adadin girman ma'auni wanda mai tarawa ya ƙara (mai sarrafawa yana aiwatar da damar kafin lokaci, amma ya sake dawo da jihar bayan dubawa).

Don bincika abubuwan da ke cikin ɓoye a cikin yanayin rashin ƙarancin lokacin, an samar da wata hanyar da ke dabaru dabarun fitar da bayanan Tree-PLRU ɓoye bayanan da aka yi amfani da su a cikin masu sarrafawa kuma ya ba da izini, ta hanyar ƙara yawan hawan keke, don haɓaka bambancin lokacin da ƙimar gaske. an dawo daga ma'ajin kuma in babu ƙima a cikin ma'ajin.

Google ya wallafa samfurin amfani da shi don nuna yiwuwar hare-haren ta amfani da raunin aji na Specter da kuma karfafa masu ci gaban yanar gizo da su yi amfani da dabaru wadanda zasu rage kasadar irin wadannan hare-hare.

A lokaci guda, Google ya yi imanin cewa ba tare da mahimmancin sake fasalin samfurin ba, ba shi yiwuwa a ƙirƙirar fa'idodin duniya waɗanda suke shirye ba kawai don zanga-zanga ba, har ma don amfani da yawa.

Source: https://security.googleblog.com


Bar tsokaci

Your email address ba za a buga. Bukata filayen suna alama da *

*

*

  1. Wanda ke da alhakin bayanan: Miguel Ángel Gatón
  2. Manufar bayanan: Sarrafa SPAM, sarrafa sharhi.
  3. Halacci: Yarda da yarda
  4. Sadarwar bayanan: Ba za a sanar da wasu bayanan ga wasu kamfanoni ba sai ta hanyar wajibcin doka.
  5. Ajiye bayanai: Bayanin yanar gizo wanda Occentus Networks (EU) suka dauki nauyi
  6. Hakkoki: A kowane lokaci zaka iyakance, dawo da share bayanan ka.