{"id":11676,"date":"2023-08-30T10:00:01","date_gmt":"2023-08-30T07:00:01","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=11676"},"modified":"2024-04-10T02:21:41","modified_gmt":"2024-04-09T23:21:41","slug":"rowpress-method","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/rowpress-method\/11676\/","title":{"rendered":"RowPress RAM sald\u0131r\u0131s\u0131"},"content":{"rendered":"

Bug\u00fcn\u00fcn g\u00f6nderisi, PC\u2019leri, sunucular\u0131 ve ak\u0131ll\u0131 telefonlar\u0131 etkileyebilen DRAM yongalar\u0131na y\u00f6nelik yeni bir sald\u0131r\u0131 hakk\u0131nda. RowPress adl\u0131 yeni bir DRAM sald\u0131r\u0131 y\u00f6ntemini ara\u015ft\u0131ran yeni bir \u00e7al\u0131\u015fma<\/a> yay\u0131nland\u0131\u011f\u0131ndan, g\u00f6nderinin zamanlamas\u0131 olduk\u00e7a uygun. Bir DRAM s\u0131ras\u0131n\u0131 bir\u00e7ok kez \u00e7eki\u00e7lemeyi, yak\u0131n s\u0131ralarda (fiziksel olarak) bit fliplere neden olmay\u0131 ifade eder. Fikrin kendisi yeni de\u011fil \u2013 Benzer bir \u015fey neredeyse on y\u0131l \u00f6nce RowHammer ad\u0131 alt\u0131nda sunuldu<\/a>. Ancak RowPress daha etkili bir tekniktir. Ama \u00f6nce, \u201c\u00e7eki\u00e7lemenin\u201d ger\u00e7ekte ne anlama geldi\u011fini bulal\u0131m.<\/p>\n

RAM nas\u0131l \u00e7al\u0131\u015f\u0131r?<\/h2>\n

RAM \u00e7ipleri hi\u00e7 bu kadar g\u00fcvenilir olmam\u0131\u015ft\u0131. Kabaca s\u00f6ylemek gerekirse, i\u00e7inde bir bit bilginin depoland\u0131\u011f\u0131 her bellek h\u00fccresi minyat\u00fcr bir pildir. \u015earj etti\u011fimizde h\u00fccreye \u201cbir\u201d yaz\u0131yoruz. \u015earj yoksa \u201cs\u0131f\u0131r\u201dd\u0131r. Ve bu tekrarlar\u2026 saniyede milyonlarca kez! Modern mikro\u00e7iplerde, bu h\u00fccreler ola\u011fan\u00fcst\u00fc derecede yo\u011fun bir \u015fekilde paketlenmi\u015ftir: Hepsi t\u0131rnak b\u00fcy\u00fckl\u00fc\u011f\u00fcnde bir kristal \u00fczerinde milyarlarca. Elektronik bile\u015fenlerin y\u00fcksek g\u00fcncelleme h\u0131z\u0131 ve a\u015f\u0131r\u0131 minyat\u00fcrle\u015ftirilmesiyle, er ya da ge\u00e7 ar\u0131za olmas\u0131 ka\u00e7\u0131n\u0131lmazd\u0131r \u2013 minyat\u00fcr \u201cpil\u201d \u015farj\u0131 bitecek ve bir s\u0131f\u0131ra d\u00f6n\u00fc\u015fecektir. Bazen ar\u0131zalar, \u00f6rne\u011fin bellek yongas\u0131n\u0131n \u0131s\u0131ya ve hatta kozmik \u0131\u015f\u0131nlara maruz kalmas\u0131 gibi d\u0131\u015f etkenlerden kaynaklan\u0131r.<\/p>\n

Bu t\u00fcr hatalar kritik hatalara yol a\u00e7abilir. Bir program\u0131n, belirli ko\u015fullar kar\u015f\u0131land\u0131\u011f\u0131nda eri\u015filmesi gereken bir adresi RAM\u2019de saklad\u0131\u011f\u0131n\u0131 hayal edin. Bu adresteki baz\u0131 bitler, kodunuz yerine kendili\u011finden birden s\u0131f\u0131ra d\u00f6nerse, neyin y\u00fcr\u00fct\u00fclece\u011fini bilemezsiniz. Ar\u0131zalar\u0131 \u00f6nlemek i\u00e7in bir\u00e7ok teknoloji kullan\u0131l\u0131r; \u00f6rne\u011fin, bellek h\u00fccrelerinin i\u00e7eri\u011finin zorunlu bir g\u00fcncellemesi: S\u0131ral\u0131 bilgi okuma\/yazma \u2013 ne CPU ne de program buna hemen orada ihtiya\u00e7 duymasa bile. Veri okuma s\u00fcreci y\u0131k\u0131c\u0131d\u0131r, bu nedenle eri\u015fildikten sonra bilgilerin \u00fczerine yaz\u0131lmas\u0131 gerekir. Ayr\u0131ca bir hata d\u00fczeltme mekanizmas\u0131 da vard\u0131r: Bellek, verilerin do\u011frulu\u011funu kontrol etmek i\u00e7in hem verileri hem de ayr\u0131 bilgileri depolar. Modern bilgisayarlardaki bellek h\u00fccrelerinin y\u00fcksek yo\u011funlu\u011funun temel bir \u00f6zellik oldu\u011funu anlamak \u00f6nemlidir; ba\u015fka t\u00fcrl\u00fc \u00e7al\u0131\u015fmazlar.<\/p>\n

RowHammer sald\u0131r\u0131s\u0131<\/h2>\n

Ancak 2014 RowHammer raporuna geri d\u00f6nelim. Hem Carnegie Mellon \u00dcniversitesi\u2019nden hem de Intel\u2019den ara\u015ft\u0131rmac\u0131lar, dinamik olarak g\u00fcncellenen RAM\u2019in yukar\u0131da a\u00e7\u0131klanan \u00f6zelliklerinin zarar vermek i\u00e7in nas\u0131l k\u00f6t\u00fcye kullan\u0131labilece\u011fini g\u00f6sterdi. Veri okuma y\u0131k\u0131c\u0131ysa ve ard\u0131ndan \u00fczerine yazma geliyorsa, saniyede onlarca veya y\u00fcz binlerce kez okuyan bir program yazarsak ne olur? Bu s\u00fcre\u00e7, ara\u015ft\u0131rmac\u0131lar\u0131n \u201c\u00e7eki\u00e7leme\u201d dedi\u011fi \u015feydir.<\/p>\n

\"RAM<\/a>

RAM h\u00fccrelerinin yap\u0131s\u0131n\u0131n \u015fematik g\u00f6sterimi. Kaynak<\/a><\/p><\/div>\n

Bellek h\u00fccreleri bir matris olarak d\u00fczenlenir ve belirli bir h\u00fccre \u00fczerindeki herhangi bir i\u015flem, bunlar\u0131n t\u00fcm aral\u0131\u011f\u0131na eri\u015fmeyi i\u00e7erir. Bir s\u0131ra h\u00fccreye ard\u0131\u015f\u0131k, tekrarlanan eri\u015fimin kom\u015fu s\u0131ralar\u0131 etkiledi\u011fi ortaya \u00e7\u0131kt\u0131. Bu i\u015flem bir\u00e7ok defa<\/em> tekrarlan\u0131rsa kom\u015fu sat\u0131rdaki h\u00fccrelerdeki birler ve s\u0131f\u0131rlar yer de\u011fi\u015ftirebilir. 2014 ara\u015ft\u0131rmas\u0131, o zamanlar standart olan DDR3 bellek mod\u00fcllerine b\u00f6yle bir sald\u0131r\u0131n\u0131n m\u00fcmk\u00fcn oldu\u011funu g\u00f6sterdi.<\/p>\n

Bu neden tehlikeli? Bir bilgisayar korsan\u0131n\u0131n hedeflenen sistemde baz\u0131 rasgele kodlar \u00e7al\u0131\u015ft\u0131rabilece\u011fini ancak \u00f6zel ayr\u0131cal\u0131klara sahip olmad\u0131\u011f\u0131n\u0131 hayal edin. U\u00e7 \u00f6rneklerde, kurbana bir ba\u011flant\u0131 g\u00f6nderilen bir web sayfas\u0131n\u0131n kodu bile olabilir. Bu kodun belirli bir RAM alan\u0131n\u0131 \u201c\u00e7eki\u00e7lemesine\u201d izin verilirse, \u00f6rne\u011fin i\u015fletim sistemi verilerinin depolanabilece\u011fi kom\u015fu h\u00fccrelerde okuma bozuklu\u011funa neden olabilir.<\/p>\n

2015 y\u0131l\u0131nda Google ara\u015ft\u0131rmac\u0131lar\u0131, RowHammer\u2019\u0131n bir bilgisayar\u0131n RAM\u2019ine s\u0131n\u0131rs\u0131z eri\u015fim elde etmek i\u00e7in nas\u0131l kullan\u0131labilece\u011fini g\u00f6sterdi<\/a>. Bu, bir\u00e7ok bilinmeyeni olan olduk\u00e7a karma\u015f\u0131k bir sald\u0131r\u0131d\u0131r: Bilgisayar\u0131n donmamas\u0131 ve program\u0131n \u00e7al\u0131\u015fmay\u0131 durdurmamas\u0131 i\u00e7in bir \u015fekilde do\u011fru bellek alan\u0131na girmek ve \u201cdo\u011fru\u201d veri bozulmas\u0131na neden olmak hala gereklidir. Bununla birlikte, b\u00f6yle bir sald\u0131r\u0131n\u0131n teorik olas\u0131l\u0131\u011f\u0131 do\u011fruland\u0131.<\/p>\n

BlackSmith: RowHammer korumalar\u0131n\u0131 atlamak<\/h2>\n

Veriler bir RowHammer sald\u0131r\u0131s\u0131ndan nas\u0131l korunur? En basit yol, bir bellek h\u00fccre sat\u0131r\u0131ndan veri okuma talebinden sonra kom\u015fu sat\u0131rlardaki bilgilerin g\u00fcncellenmesini zorunlu k\u0131lmakt\u0131r. Bu, verilerin bozulma olas\u0131l\u0131\u011f\u0131n\u0131 \u00f6nemli \u00f6l\u00e7\u00fcde azalt\u0131r. CPU\u2019lardaki donan\u0131m a\u00e7\u0131klar\u0131nda oldu\u011fu gibi, her koruma y\u00f6nteminde er ya da ge\u00e7 bir sorun ke\u015ffedilir.<\/p>\n

2021\u2019de ara\u015ft\u0131rmac\u0131lar, belirli ko\u015fullar alt\u0131nda RowHammer korumalar\u0131 yerinde olsa bile ar\u0131zalara neden olman\u0131n m\u00fcmk\u00fcn oldu\u011funu g\u00f6steren bir BlackSmith<\/a> sald\u0131r\u0131s\u0131 g\u00f6sterdi. Bunu tam olarak nas\u0131l yapt\u0131lar? Ya birisi hedef h\u00fccrenin yan\u0131ndaki bellek h\u00fccrelerini \u201c\u00e7eki\u00e7lemek\u201d yerine farkl\u0131 kombinasyonlar denerse: Hedefin \u00fcst\u00fcndeki ve alt\u0131ndaki sat\u0131rlar\u0131 y\u00fcz binlerce kez sorgulasa ya da belirli bir s\u0131rada ayn\u0131 anda d\u00f6rt sat\u0131ra sald\u0131rsa? \u0130\u015fe yarad\u0131. Neden? \u00c7\u00fcnk\u00fc temel sorun (haf\u0131za h\u00fccrelerinin y\u00fcksek yo\u011funlu\u011fu) hi\u00e7bir yere gitmedi!<\/p>\n

RowPress: Artan sald\u0131r\u0131 etkinli\u011fi<\/h2>\n

Yeni RowPress sald\u0131r\u0131s\u0131, k\u00fc\u00e7\u00fck ama \u00f6nemli bir de\u011fi\u015fiklikle, ayn\u0131 temel prensibi kullanmas\u0131na ra\u011fmen daha da etkili: Sald\u0131rgan, bir sat\u0131r h\u00fccreyi m\u00fcmk\u00fcn oldu\u011fu kadar uzun s\u00fcre okumak i\u00e7in a\u00e7\u0131k tutmaya \u00e7al\u0131\u015f\u0131r. Ara\u015ft\u0131rmac\u0131lar, bellek \u00e7iplerinin ve denetleyicinin nas\u0131l \u00e7al\u0131\u015ft\u0131\u011f\u0131na dair, kom\u015fu bellek h\u00fccresi s\u0131ralar\u0131n\u0131 etkileyen daha da fazla rahats\u0131zl\u0131\u011fa neden olan ba\u015fka bir standart \u00f6zellik bulmay\u0131 ba\u015fard\u0131lar. Etkililik a\u00e7\u0131s\u0131ndan (gerekli \u201c\u00e7eki\u00e7leme\u201d say\u0131s\u0131yla \u00f6l\u00e7\u00fcl\u00fcr \u2013 Ne kadar az, o kadar iyi), RowPress, RowHammer\u2019dan onlarca hatta y\u00fczlerce kat daha g\u00fc\u00e7l\u00fcd\u00fcr. Birka\u00e7 marjinal \u00f6rnekte, kom\u015fu veriler \u00fczerinde tek bir okuma i\u015fleminden sonra istenen bitflip elde edildi.<\/p>\n

\"RAM<\/a>

RAM mod\u00fcllerinin \u00e7al\u0131\u015fmas\u0131n\u0131 ara\u015ft\u0131rmak i\u00e7in ak\u0131\u015f \u015femas\u0131n\u0131 test edin. Kaynak<\/a><\/p><\/div>\n

Bu ne kadar ciddi bir problem? Ev kullan\u0131c\u0131lar\u0131na d\u00f6n\u00fck bir RowHammer, Blacksmith veya RowPress sald\u0131r\u0131s\u0131 olas\u0131l\u0131\u011f\u0131 \u00e7ok azd\u0131r. \u015eirketler risk alt\u0131ndad\u0131r. Teorik olarak, bu sald\u0131r\u0131lar genel bulutlarda \u00e7al\u0131\u015fan sunucular\u0131n belle\u011fini hedef alabilir. Ne de olsa sa\u011flay\u0131c\u0131lar, kullan\u0131c\u0131lar\u0131n istedikleri herhangi bir kodu \u00e7al\u0131\u015ft\u0131rmalar\u0131 i\u00e7in bir t\u00fcr sanal makine tahsis ederek sunucular\u0131na eri\u015fim sa\u011flar. Bu makinenin sanal ortam\u0131ndan ka\u00e7ma ve di\u011fer m\u00fc\u015fterilerin verilerine eri\u015fme olana\u011f\u0131 olmad\u0131\u011f\u0131ndan emin olmal\u0131d\u0131rlar. Kabaca konu\u015fursak, b\u00f6yle bir sanal sistem, bir sunucunun RAM\u2019ine veri okuyabilen ve yazabilen bir programd\u0131r; ba\u015fka bir deyi\u015fle \u2014 fiziksel bir sunucunun belle\u011fine sald\u0131rmak i\u00e7in haz\u0131r bir platformdur.<\/p>\n

RowPress\u2019i incelemek i\u00e7in kullan\u0131lan test d\u00fczene\u011finin foto\u011fraf\u0131ndan b\u00f6yle bir sald\u0131r\u0131n\u0131n ne kadar teorik oldu\u011fu g\u00f6r\u00fclebilir. Bellek mod\u00fcl\u00fc ayr\u0131 bir panoya ta\u015f\u0131nm\u0131\u015ft\u0131r. RAM i\u015flemine ince ayar yapmak i\u00e7in bir t\u00fcr hata ay\u0131klama ayg\u0131t\u0131 ona ba\u011fl\u0131. Baz\u0131 koruma sistemleri devre d\u0131\u015f\u0131 b\u0131rak\u0131ld\u0131. En \u00f6nemlisi, bellek \u00e7iplerine sahip mod\u00fcle bir \u0131s\u0131t\u0131c\u0131 tak\u0131l\u0131r ve s\u0131cakl\u0131\u011f\u0131 50 hatta 80 santigrat dereceye y\u00fckseltir, bu da kendi i\u00e7inde kazara veya kas\u0131tl\u0131 veri bozulma olas\u0131l\u0131\u011f\u0131n\u0131 art\u0131r\u0131r.<\/p>\n

Donan\u0131m sald\u0131r\u0131s\u0131 \u00f6zellikleri<\/h2>\n

RowPress\u2019i \u00f6nceki RowHammer ile kar\u015f\u0131la\u015ft\u0131rd\u0131\u011f\u0131m\u0131zda, bellek eri\u015fim y\u00f6nteminde, sald\u0131rganlar\u0131n mod\u00fcl \u00fcreticileri taraf\u0131ndan uygulanan korumalar\u0131 (ger\u00e7ek bir sistemde, \u0131s\u0131tma veya \u201chile\u201d yapmadan dahil olmak \u00fczere) atlamas\u0131na izin veren k\u00fc\u00e7\u00fck bir de\u011fi\u015fiklik g\u00f6r\u00fcyoruz. Ara\u015ft\u0131rmac\u0131lar, neyse ki performans \u00fczerinde \u00e7ok az etkisi olan bu soruna kendi \u00e7\u00f6z\u00fcmlerini \u00f6nerdiler. Ancak, \u00e7o\u011fu donan\u0131m g\u00fcvenlik a\u00e7\u0131\u011f\u0131nda oldu\u011fu gibi, bunlardan tamamen kurtulmak ger\u00e7ek\u00e7i de\u011fildir. G\u00fcn\u00fcm\u00fcz\u00fcn bellek \u00e7iplerinin yo\u011funlu\u011funu azaltmak bir \u00e7\u00f6z\u00fcm de\u011fildir. Di\u011fer yandan, kapasiteleri gittik\u00e7e b\u00fcy\u00fcmeye devam eder.<\/p>\n

\u201cG\u00fcvenilir\u201d hata d\u00fczeltme uygulamak da sorunu \u00e7\u00f6zmez, \u00e7\u00fcnk\u00fc bu RAM\u2019in \u00fc\u00e7te birini kaplar. Hata d\u00fczeltme kodlar\u0131na (ECC) dayal\u0131 ola\u011fan y\u00f6ntem, sald\u0131r\u0131lar\u0131 daha az etkili hale getirir ancak ortadan kald\u0131rmaz. Bu nedenle, RowPress\u2019in g\u00f6rd\u00fc\u011f\u00fcm\u00fcz son \u201c\u00e7eki\u00e7\u201d sald\u0131r\u0131s\u0131 olmayaca\u011f\u0131n\u0131 s\u00f6ylemek yanl\u0131\u015f olmaz.<\/p>\n

\u0130\u015fin olumlu taraf\u0131, bu t\u00fcr \u00e7al\u0131\u015fmalar \u015fimdilik b\u00fcy\u00fck \u00f6l\u00e7\u00fcde teorik bir al\u0131\u015ft\u0131rma olarak kal\u0131yor. Ara\u015ft\u0131rmac\u0131lar yeni sald\u0131r\u0131 vekt\u00f6rleri bulurken cihaz \u00fcreticileri de yeni savunmalar buluyor. Elbette, eninde sonunda yanl\u0131\u015fl\u0131kla kitlesel s\u00f6m\u00fcr\u00fc potansiyeline sahip bir g\u00fcvenlik a\u00e7\u0131\u011f\u0131 ke\u015ffetmeleri m\u00fcmk\u00fcnd\u00fcr. Bununla birlikte, son on y\u0131ldaki bu t\u00fcr \u00e7al\u0131\u015fmalar\u0131n ge\u00e7mi\u015fine bak\u0131l\u0131rsa, bu pek olas\u0131 g\u00f6r\u00fcnm\u00fcyor.<\/p>\n

Ancak bu t\u00fcr ara\u015ft\u0131rmalar tamamen teorik ve soyut diye de reddedilmemeli: Bug\u00fcn laboratuvarda \u00e7al\u0131\u015fan uzmanlar\u0131n yapabildi\u011fini, ger\u00e7ek siber su\u00e7lular yar\u0131n ya da be\u015f on y\u0131l sonra yapabilirler. Bulut servis sa\u011flay\u0131c\u0131lar\u0131n\u0131n ise son geli\u015fmelerden hemen haberdar olmalar\u0131 ve g\u00fcvenlik modellerine sa\u011flam bir \u015fekilde dahil etmeleri gerekiyor.<\/p>\n\n","protected":false},"excerpt":{"rendered":"

Bellek h\u00fccrelerini bitflip yapan yeni sald\u0131r\u0131 y\u00f6ntemi.<\/p>\n","protected":false},"author":665,"featured_media":11674,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1726,1194,1727],"tags":[667,2656],"class_list":{"0":"post-11676","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-enterprise","8":"category-business","9":"category-smb","10":"tag-arastirma","11":"tag-ram"},"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/rowpress-method\/11676\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/rowpress-method\/25912\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/rowpress-method\/21349\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/rowpress-method\/28611\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/rowpress-method\/26249\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/rowpress-method\/35737\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/rowpress-method\/48616\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/rowpress-method\/26535\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/rowpress-method\/32219\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/rowpress-method\/31904\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/ram\/","name":"RAM"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/11676","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/665"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=11676"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/11676\/revisions"}],"predecessor-version":[{"id":11678,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/11676\/revisions\/11678"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/11674"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=11676"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=11676"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=11676"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}