{"id":13821,"date":"2025-09-30T18:52:39","date_gmt":"2025-09-30T15:52:39","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=13821"},"modified":"2025-09-30T18:52:39","modified_gmt":"2025-09-30T15:52:39","slug":"vmscape-spectre-attack","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/vmscape-spectre-attack\/13821\/","title":{"rendered":"Virtual machine escape with a Spectre v2 attack"},"content":{"rendered":"<p>A group of researchers from the Swiss Federal Institute of Technology in Zurich (ETH Zurich) has <a href=\"https:\/\/comsec-files.ethz.ch\/papers\/vmscape_sp26.pdf\" target=\"_blank\" rel=\"noopener nofollow\">published a paper<\/a> showing how a Spectre v2 attack can be used to escape a sandbox in a virtualized environment. With access to only a single isolated virtual machine, the researchers managed to steal valuable data that is normally accessible only to the server administrator. Servers running AMD processors (including the latest ones with AMD's Zen 5 architecture) or Intel's Coffee Lake processors are vulnerable to the attack.<\/p>\n<h2>The danger of Spectre attacks for virtual environments<\/h2>\n<p>We regularly write about processor vulnerabilities that use speculative execution, in which standard hardware features are exploited to steal secrets.
Our previous posts on this topic, which explain the general principles of these attacks in detail, are available <a href=\"https:\/\/www.kaspersky.com\/blog\/retbleed-practical-exploitation\/54169\/\" target=\"_blank\" rel=\"noopener nofollow\">here<\/a>, <a href=\"https:\/\/www.kaspersky.com.tr\/blog\/retbleed-vulnerability\/10936\/\" target=\"_blank\" rel=\"noopener\">here<\/a> and <a href=\"https:\/\/www.kaspersky.com.tr\/blog\/spectre-meltdown-in-practice\/10485\/\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>Although this type of vulnerability was first discovered in 2018, until this paper was published researchers had not carried out a single real attack. All of these efforts resulted in the idea that a sophisticated, targeted Spectre-like attack is theoretically possible. Moreover, in most of these papers the researchers limited themselves to the most basic attack scenario: compromising a computer, installing malware on it, and then using the processor hardware vulnerability to steal secrets. The drawback of this approach is that if an attacker manages to install malware on a computer, they can steal data by many different and much simpler methods. For this reason, Spectre and similar attacks are unlikely to pose a threat to end-user devices.
When it comes to cloud environments, however, Spectre should not be ignored.<\/p>\n<p>Imagine a provider that rents virtual servers to organizations or individuals. Each customer is assigned their own virtual machine, which lets them run whatever software they want. Other customers' virtual systems may be running on the same server. In this situation, separating data access privileges is critical. You need to prevent an attacker who has gained access to one virtual machine from reading a neighboring customer's confidential data, or from compromising the provider's infrastructure by gaining access to the host's data. It is in exactly this scenario that Spectre attacks start to look like a far more dangerous threat.<\/p>\n<h2>VMScape: a practical look at a Spectre v2 attack<\/h2>\n<p>In earlier research papers on the feasibility of Spectre attacks, researchers had not examined a realistic attack scenario. For an academic paper, this is normal.
A theoretical proof of concept for a data leak is usually enough for processor manufacturers and software developers to strengthen their defenses and develop countermeasures.<\/p>\n<p>The authors of the new ETH Zurich paper address this gap directly, noting that the scenarios previously examined for attacks on virtual environments (as in <a href=\"https:\/\/comsec.ethz.ch\/wp-content\/files\/bprc_sec25.pdf\" target=\"_blank\" rel=\"noopener nofollow\">this paper<\/a>, also from ETH Zurich) make an extremely broad assumption: that the attackers have already managed to install malware on the host. Just as with attacks on ordinary desktop computers, this makes little practical sense. If the server is already compromised, the damage has already been done.<\/p>\n<p>The new attack proposed in their paper (named VMScape) uses the same <em>branch target injection<\/em> mechanism found in all attacks since Spectre v2. We have discussed it several times <a href=\"https:\/\/www.kaspersky.com.tr\/blog\/spectre-meltdown-in-practice\/10485\/\" target=\"_blank\" rel=\"noopener\">before<\/a>, so here is a brief summary.<\/p>\n<p>Branch target injection is a way of training the processor's branch prediction system, which speeds up programs using <em>speculative execution<\/em>.
This means the processor tries to execute the next set of instructions without even knowing the results of the previous computations. When it correctly guesses the direction (branch) the software will take, performance increases significantly. If it guesses wrong, the results are discarded.<\/p>\n<p>Branch target injection is a type of attack in which the attacker can steer the processor into accessing secret data and moving it into the cache during speculative execution. The attacker then retrieves that data indirectly through a side channel.<\/p>\n<p>The researchers discovered that the privilege separation between the host and guest operating systems during speculative execution is imperfect. This enables a new version of the branch target injection attack, which they call \u201cvirtualization-based Spectre-BTI\u201d, or vBTI.<\/p>\n<p>As a result, with access to a virtual machine with default settings, the researchers were able to read arbitrary data from the host's memory. On an AMD Zen 4 processor, the read speed was 32 bytes per second, with a reliability of nearly 100%.
That is fast enough to steal things like data encryption keys, which in turn opens a direct path to stealing information from neighboring virtual machines.<\/p>\n<h2>Does VMScape pose a real-world threat?<\/h2>\n<p>All AMD processors with the Zen architecture, from the first generation to the latest fifth generation, have been shown to be vulnerable to this attack. This is due to subtle differences in how these processors implement Spectre protections, and to the unique way the authors' vBTI primitives work. For Intel processors, the attack is possible only on servers with older Coffee Lake processors dating from 2017. Newer Intel architectures have improved protections that make the current versions of the VMScape attack impossible to carry out.<\/p>\n<p>The researchers' achievement was designing the first Spectre v2 attack in a virtual environment close to real-world conditions. The attack does not rely on overly permissive assumptions or on crutches such as malicious hypervisor-level software. The VMScape attack is effective: it bypasses many standard security measures, including KASLR, and successfully steals a valuable secret, an encryption key.<\/p>\n<p>Fortunately, right after designing the attack, the researchers also proposed a fix.
The issue has been assigned the vulnerability identifier <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-40300\" target=\"_blank\" rel=\"noopener nofollow\">CVE-2025-40300<\/a> and has been patched in the Linux kernel. This particular patch does not significantly reduce computing performance, which is often a concern with software-based protections against Spectre attacks.<\/p>\n<p>Methods for protecting confidential data in virtual environments have existed for some time. AMD has a technology called \u201cSecure Encrypted Virtualization\u201d and its subtype <a href=\"https:\/\/www.kaspersky.com\/blog\/badram-cpu-attack\/52849\/\" target=\"_blank\" rel=\"noopener nofollow\">SEV-SNP<\/a>, while Intel has Trust Domain Extensions (TDX). These technologies encrypt secrets, making attempts to steal them directly pointless. The researchers confirmed that SEV provides additional protection against the VMScape attack on AMD processors. In other words, a real-world VMScape attack against modern servers is unlikely. However, with each new study, Spectre attacks look more and more realistic.<\/p>\n<p>Despite the academic nature of the research, attacks that use speculative execution in modern processors remain relevant.
Operators of virtualized environments should continue to account for these vulnerabilities and potential attacks in their threat models.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"mdr\"><input type=\"hidden\" class=\"placeholder_for_banner\" data-cat_id=\"mdr\" value=\"10128\">\n","protected":false},"excerpt":{"rendered":"<p>A newly published paper shows how complex vulnerabilities in processors can be used in attacks on cloud-based systems.<\/p>\n","protected":false},"author":665,"featured_media":13822,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1726,1194,1727],"tags":[2807,2038,2806],"class_list":{"0":"post-13821","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-enterprise","8":"category-business","9":"category-smb","10":"tag-islemci","11":"tag-sanallastirma","12":"tag-yan-kanal-saldirilari"},"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/vmscape-spectre-attack\/13821\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/vmscape-spectre-attack\/29570\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/vmscape-spectre-attack\/24667\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/vmscape-spectre-attack\/29496\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/vmscape-spectre-attack\/28594\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/vmscape-spectre-attack\/31467\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/vmscape-spectre-attack\/40550\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/vmscape-spectre-att
ack\/54377\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/vmscape-spectre-attack\/23236\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/vmscape-spectre-attack\/24307\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/vmscape-spectre-attack\/29671\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/vmscape-spectre-attack\/35423\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/vmscape-spectre-attack\/35051\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/yan-kanal-saldirilari\/","name":"yan kanal sald\u0131r\u0131lar\u0131"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/13821","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/665"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=13821"}],"version-history":[{"count":5,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/13821\/revisions"}],"predecessor-version":[{"id":13824,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/13821\/revisions\/13824"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/13822"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=13821"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=13821"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=13821"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}