[12¿ù º¸¾È/IT ´º½º] CPU Ĩ¼Â Ãë¾àÁ¡ º¸¾È ¾÷µ¥ÀÌÆ® ±Ç°í
Ãâó: https://www.boho.or.kr/data/secNoticeView.do?bulletin_writing_sequence=26929
¡à °³¿ä
o GoogleÞä Project Zero´Â IntelÞä, AMDÞä, ARMÞä CPU Á¦Ç°ÀÇ Ãë¾àÁ¡À» ¹ßÇ¥ [1]
o ¿µÇâ ¹Þ´Â ¹öÀü »ç¿ëÀÚ´Â ÇØ°á¹æ¾È¿¡ µû¶ó ÃֽŹöÀüÀ¸·Î ¾÷µ¥ÀÌÆ® ±Ç°í
¡à ³»¿ë
o CPUÀÇ ºÎä³Î °ø°Ý(side channel attack)À¸·Î ÀÎÇØ Ä³½Ã ¸Þ¸ð¸®ÀÇ ÀúÀåµÈ Á¤º¸°¡ ³ëÃâµÇ´Â Ãë¾àÁ¡
- ½ºÆåÅÍ(Spectre, CVE-2017-5753, CVE-2017-5715)
- ¸áÆ®´Ù¿î(Meltdown, CVE-2017-5754)
¡à ÇØ°á ¹æ¾È
o ¾Æ·¡ Ĩ¼Â Á¦Á¶»ç ¹× OS °³¹ß»ç¸¦ È®ÀÎÇÏ¿© ÃֽŠ¾÷µ¥ÀÌÆ® Àû¿ë
¡Ø ÃֽŠ¾÷µ¥ÀÌÆ®°¡ ¹Ì Á¦°øµÈ Á¦Ç°À» »ç¿ëÇÒ °æ¿ì ÆÐÄ¡ ¿¹Á¤ÀÏÀ» È®ÀÎÇÏ¿© ½Å¼ÓÇÏ°Ô ÆÐÄ¡ ÇÏ´Â °ÍÀ» ±Ç°í
¡Ø º¸¾È ÆÐÄ¡ ÀÌÈÄ ½Ã½ºÅÛ ¼º´É¿¡ ¿µÇâÀ» ¹ÌÄ¡´Â ¹®Á¦°¡ ¹ß»ýÇÒ ¼ö ÀÖÀ¸¹Ç·Î ¼³Ä¡ Àü Á¦Á¶»çÀÇ º¸¾È °øÁö ³»¿ëÀ» »ó¼¼È÷ È®ÀÎÇÏ´Â °ÍÀÌ ÇÊ¿ä
¡Ø Á¦Ç° ¹öÀüº° »ó¼¼ ¾÷µ¥ÀÌÆ® °ü·Ã »çÇ×Àº Âü°í»çÀÌÆ® ¹æ¹® ȤÀº Á¦Á¶»ç¿¡°Ô ¹®ÀÇ ¹Ù¶÷
¡à ¿ë¾î¼³¸í
o ºÎä³Î °ø°Ý(side channel attack) : Ư¼öÇÑ »óȲ¿¡¼ ó¸® ½Ã°£ Â÷ÀÌÀÇ Æ¯¼ºÀ» ÀÌ¿ëÇÑ °ø°Ý ¹æ½Ä Áß Çϳª
¡à ±âŸ ¹®ÀÇ»çÇ×
o Çѱ¹ÀÎÅͳÝÁøÈï¿ø ÀÎÅͳÝħÇØ´ëÀÀ¼¾ÅÍ: ±¹¹ø¾øÀÌ 118
[Âü°í»çÀÌÆ®]
[1] https://googleprojectzero.blogspot.kr/2018/01/reading-privileged-memory-with-side.html
[2] https://aws.amazon.com/ko/security/security-bulletins/AWS-2018-013/
[3] http://www.amd.com/en/corporate/speculative-execution
[4] https://support.apple.com/en-us/HT208394
[5] https://developer.arm.com/support/security-update
[6] https://lists.centos.org/pipermail/centos-announce/2018-January/date.html
[7] https://www.chromium.org/Home/chromium-security/ssca
[8] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel
[9] https://support.citrix.com/article/CTX231390
[10] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886367
[11] http://lists.dragonflybsd.org/pipermail/users/2018-January/313758.html
[12] https://support.f5.com/csp/article/K91229003
[13] https://fedoramagazine.org/protect-fedora-system-meltdown/
[14] https://fortiguard.com/psirt/FG-IR-18-002
[15] https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
[16] http://source.android.com/security/bulletin/2018-01-01
[17] http://www.huawei.com/en/psirt/security-notices/huawei-sn-20180104-01-intel-en
[18] https://securityintelligence.com/cpu-vulnerability-can-allow-attackers-to-read-privileged-kernel-memory-and-leak-data/
[19] https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/
[20] https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
[21] https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
[22] https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10842&cat=SIRT_1&actp=LIST
[23] https://support.lenovo.com/us/en/solutions/len-18282
[24] https://lkml.org/lkml/2017/12/4/709
[25] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
[26] https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/
[27] https://support.microsoft.com/en-us/help/4073707/
[28] https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
[29] https://security.netapp.com/advisory/ntap-20180104-0001/
[30] http://info.nutanix.com/TA5G00u0C000PVD00O0A8Q0
[31] https://kb.netgear.com/000053240
[32] http://nvidia.custhelp.com/app/answers/detail/a_id/4609
[33] https://lists.opensuse.org/opensuse-security-announce/2018-01/msg00001.html
[34] http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
[35] https://www.qubes-os.org/news/2018/01/04/xsa-254-meltdown-spectre/
[36] https://access.redhat.com/security/vulnerabilities/speculativeexecution?sc_cid=701f2000000tsLNAAY&
[37] http://lists.suse.com/pipermail/sle-security-updates/2018-January/date.html
[38] https://www.synology.com/en-us/support/security/Synology_SA_18_01
[39] https://success.trendmicro.com/solution/1119183
[40] https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
[41] https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
[42] http://xenbits.xen.org/xsa/advisory-254.html
