A group of academics has devised a novel side-channel attack dubbed iLeakage that exploits a weakness in the A- and M-series CPUs running on Apple iOS, iPadOS, and macOS devices, enabling the extraction of sensitive information from the Safari web browser.
"An attacker can induce Safari to render an arbitrary webpage, subsequently recovering sensitive information present within it using speculative execution," researchers Jason Kim, Stephan van Schaik, Daniel Genkin, and Yuval Yarom said in a new study.
In a practical attack scenario, the weakness could be exploited using a malicious web page to recover Gmail inbox content and even recover passwords that are autofilled by credential managers.
iLeakage, besides being the first case of a Spectre-style speculative execution attack against Apple Silicon CPUs, also works against all third-party web browsers available for iOS and iPadOS owing to Apple's App Store policy that mandates browser vendors to use Safari's WebKit engine.
Apple was notified of the findings on September 12, 2022. The shortcoming impacts all Apple devices released from 2020 that are powered by Apple's A-series and M-series ARM processors.
The crux of the problem is rooted in the fact that malicious JavaScript and WebAssembly embedded in a web page in one browser tab can surreptitiously read the content of a target website when a victim visits the attacker-controlled web page.
This is accomplished by means of a microarchitectural side channel, which a malicious actor can weaponize to infer sensitive information from indirect signals such as timing, power consumption, or electromagnetic emanations.
The side channel that forms the basis of the latest attack is a performance optimization mechanism in modern CPUs called speculative execution, which has been the target of several similar methods since Spectre came to light in 2018.
Speculative execution is designed to yield a performance advantage by using spare processing cycles to execute program instructions out of order when the CPU encounters a conditional branch whose direction depends on preceding instructions that have not yet completed.
The cornerstone of this technique is to make a prediction as to the path that the program will follow, and speculatively execute instructions along the path. When the prediction turns out to be correct, the task is completed quicker than it would have taken otherwise.
But when a misprediction occurs, the results of the speculative execution are abandoned and the processor resumes along the correct path. That said, these erroneous predictions leave behind certain traces in the cache.
Attacks like Spectre involve inducing a CPU to speculatively perform operations that would not occur during correct program execution and which leak the victim's confidential information via the side channel.
In other words, by coercing CPUs into mispredicting sensitive instructions, the idea is to enable an attacker (through a rogue program) to access data associated with a different program (i.e., victim), effectively breaking down isolation protections.
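The bounds-check-bypass pattern that this description refers to, shown beside a hardened form, as an added example that is not part of the original article or of the iLeakage research; the array names, sizes and sample bytes are constructed for illustration, and the mask construction follows the generic array_index_mask_nospec() idiom from the Linux kernel:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data for this added example; not from the iLeakage paper. */
#define PUBLIC_LEN 16
static const uint8_t public_data[PUBLIC_LEN] = {
    3, 1, 4, 1, 5, 9, 2, 6, 5, 3, 5, 8, 9, 7, 9, 3
};

/* Second array indexed by the loaded byte. In Spectre-v1 descriptions each
 * possible byte value maps to its own cache line (hence the 64-byte stride);
 * which line ends up cached is the "trace" misspeculation leaves behind. */
#define LINE 64
static uint8_t probe[256 * LINE];

/* Fill probe so that probe[v * LINE] == v, which gives the lookups below a
 * checkable return value. Returns the number of lines initialized. */
int init_probe(void) {
    int v;
    for (v = 0; v < 256; v++) probe[v * LINE] = (uint8_t)v;
    return v;
}

/* Unhardened: the bounds check is a conditional branch. The CPU may predict
 * "in bounds" and run the two dependent loads before the comparison resolves,
 * so an out-of-range idx can transiently select a probe line. */
uint8_t lookup_unhardened(size_t idx) {
    if (idx < PUBLIC_LEN) {
        return probe[public_data[idx] * LINE];
    }
    return 0;
}

/* Branchless mask: SIZE_MAX when idx < size, 0 otherwise. It uses only
 * arithmetic, no comparison, so there is no branch for the predictor to guess. */
size_t index_mask_nospec(size_t idx, size_t size) {
    /* size - 1 - idx wraps to a huge value exactly when idx >= size, so the
     * top bit of the OR is set only for an out-of-range index. */
    size_t out_of_range = (idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    return out_of_range - 1; /* 0 - 1 wraps to SIZE_MAX; 1 - 1 is 0 */
}

/* Hardened: keep the architectural check, but clamp idx with the mask so a
 * mispredicted branch can at worst load public_data[0], never out of bounds. */
uint8_t lookup_hardened(size_t idx) {
    if (idx >= PUBLIC_LEN) {
        return 0;
    }
    idx &= index_mask_nospec(idx, PUBLIC_LEN);
    return probe[public_data[idx] * LINE];
}

int main(void) {
    init_probe();
    for (size_t i = 0; i < PUBLIC_LEN + 2; i++) {
        printf("idx %2zu: unhardened=%d hardened=%d mask=%zx\n", i,
               (int)lookup_unhardened(i), (int)lookup_hardened(i),
               index_mask_nospec(i, PUBLIC_LEN));
    }
    return 0;
}
```

Both lookups return the same architectural result; the difference is only in what the speculative path can touch. Note that an optimizing compiler is free to reason that idx is already in range inside the hardened function and fold the mask away, which is why production code (the kernel's x86 version, for example) pins the mask with inline assembly rather than relying on plain C.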
iLeakage not only bypasses hardening measures incorporated by Apple, but also implements a timer-less and architecture-agnostic method that leverages race conditions to distinguish individual cache hits from cache misses when two processes, one belonging to the attacker and one to the target, run on the same CPU.
This gadget then forms the basis of a covert channel that ultimately achieves an out-of-bounds read anywhere in the address space of Safari's rendering process, resulting in information leakage.
While this vulnerability is unlikely to be used in practical real-world attacks, owing to the technical expertise required to pull it off, the research underscores the continued threats posed by hardware vulnerabilities even after all these years.
News of iLeakage comes months after cybersecurity researchers revealed details of a trifecta of side-channel attacks – Collide+Power (CVE-2023-20583), Downfall (CVE-2022-40982), and Inception (CVE-2023-20569) – that could be exploited to leak sensitive data from modern CPUs.
It also follows the discovery of RowPress, a variant of the RowHammer attack on DRAM chips and an improvement over BlackSmith that can be used to cause bitflips in adjacent rows, leading to data corruption or theft.