How a 22-Year-Old Programmer Found the Worst Chip Flaw in History
(Chinese translation published by Fortune China; translator: 嚴(yán)匡正.)
In 2013, a teenager named Jann Horn attended a reception in Berlin hosted by Chancellor Angela Merkel. He and 64 other young Germans had done well in a government-run competition designed to encourage students to pursue scientific research. In Horn’s case, it worked.

Last summer, as a 22-year-old Google cybersecurity researcher, he was first to report the biggest chip vulnerabilities ever discovered. The industry is still reeling from his findings, and processors will be designed differently from now on. That’s made him a reluctant celebrity, evidenced by the rousing reception and eager questions he received at an industry conference in Zurich last week.

Interviews with Horn and people who know him show how a combination of dogged determination and a powerful mind helped him stumble upon features and flaws that have been around for over a decade but had gone undetected, leaving most personal computers, internet servers and smartphones exposed to potential hacking.

Other researchers who found the same security holes months after Horn are amazed he worked alone. “We were several teams, and we had clues where to start. He was working from scratch,” said Daniel Gruss, part of a team at Graz University of Technology in Austria that later uncovered what are now known as Meltdown and Spectre.

Horn wasn’t looking to discover a major vulnerability in the world’s computer chips when, in late April, he began reading Intel Corp. processor manuals that are thousands of pages long. He said he simply wanted to make sure the computer hardware could handle a particularly intensive bit of number-crunching code he’d created.

But Zurich-based Horn works at Project Zero, an elite unit of Alphabet Inc.’s Google, made up of cybersleuths who hunt for “zero day” vulnerabilities, unintended design flaws that can be exploited by hackers to break into computer systems.
So he started looking closely at how chips handle speculative execution — a speed-enhancing technique where the processor tries to guess what part of code it will be required to execute next and starts performing those steps ahead of time — and fetching the required data. Horn said the manuals stated that if the processor guessed wrong, the data from those misguided forays would still be stored in the chip’s memory. Horn realized that, once there, the information might be exposed by a clever hacker.

“At this point, I realized that the code pattern we were working on might potentially leak secret data,” Horn said in emailed responses to Bloomberg questions. “I then realized that this could — at least in theory — affect more than just the code snippet we were working on.”

That started what he called a “gradual process” of further investigation that led to the vulnerabilities. Horn said he was aware of other research, including from Gruss and the team at Graz, on how tiny differences in the time it takes a processor to retrieve information could let attackers learn where information is stored.

Horn discussed this with another young researcher at Google in Zurich, Felix Wilhelm, who pointed Horn to similar research he and others had done. This led Horn to what he called “a big aha moment.” The techniques Wilhelm and others were testing could be “inverted” to force the processor to run new speculative executions that it wouldn’t ordinarily try. This would trick the chip into retrieving specific data that could be accessed by hackers.

Having come across these ways to attack chips, Horn said he consulted with Robert Swiecki, an older Google colleague whose computer he had borrowed to test some of his ideas. Swiecki advised him how best to tell Intel, ARM Holdings Plc. and Advanced Micro Devices Inc. about the flaws, which Horn did on June 1. That set off a scramble by the world’s largest technology companies to patch the security holes.
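For the administrators on the receiving end of that patching scramble, the practical question is whether a given machine actually carries the Meltdown and Spectre mitigations. The script below is an added example, not part of the article or of any vendor's tooling; it assumes a Linux kernel that publishes one status file per issue under /sys/devices/system/cpu/vulnerabilities/ (an interface the kernel has exposed since version 4.15) and classifies each file's status string, which the kernel writes as "Not affected", "Mitigation: ...", or "Vulnerable...".

```shell
#!/bin/sh
# Added example (not from the article): summarise the kernel's own view of the
# Meltdown/Spectre mitigation status on a Linux host.
# Assumption: the kernel exposes /sys/devices/system/cpu/vulnerabilities/<issue>
# files (meltdown, spectre_v1, spectre_v2, ...), each holding one status string.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status STRING
# Prints one of: not_affected | mitigated | vulnerable | unknown
# The prefixes matched here are the ones the kernel writes into the status files.
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_host [DIR]
# Walks the status directory (default: the real sysfs path) and prints one line
# per issue: file name, classification, raw kernel string.
# Returns 0 if nothing is reported as vulnerable, 1 if something is,
# 2 if the directory is absent (kernel too old, or not Linux).
report_host() {
    dir="${1:-$VULN_DIR}"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel predates the interface, or this is not Linux"
        return 2
    fi
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        status=$(cat "$f")
        class=$(classify_status "$status")
        printf '%-28s %-12s %s\n' "$(basename "$f")" "$class" "$status"
        [ "$class" = vulnerable ] && rc=1
    done
    return $rc
}

# Stand-alone run: report on this host and summarise the result.
if report_host; then
    echo "summary: no issue reported as vulnerable"
else
    echo "summary: at least one issue vulnerable, or status unavailable"
fi
```

Run it as an unprivileged user; the status files are world-readable. A "Vulnerable" line on a host that has supposedly been patched usually means the kernel is new enough to know about the issue but the microcode or kernel option that implements the mitigation is missing, so the line's raw string is worth reading in full.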
By early January, when Meltdown and Spectre were announced to the world, most of the credit went to Horn. The official online hub for descriptions and security patches lists more than ten researchers who reported the problems, and Horn is listed on top for both vulnerabilities.

Wolfgang Reinfeldt, Horn’s high school computer-science teacher at the Caecilienschule in the medieval city of Oldenburg about 20 miles from Germany’s north coast, isn’t surprised by his success. “Jann was in my experience always an outstanding mind,” he said. Horn found security problems with the school’s computer network that Reinfeldt admits left him speechless.

As a teenager he excelled at mathematics and physics. To reach the Merkel reception in 2013, he and a school friend conceived a way to control the movement of a double pendulum, a well-known mathematical conundrum. The two wrote software that used sensors to predict the movement, then used magnets to correct any unexpected or undesired movement. The key was to make order out of chaos. The pair placed fifth in the competition that took them to Berlin, but it was an early indicator of Horn’s ability.

Mario Heiderich, founder of Berlin-based cybersecurity consultancy Cure53, first noticed Horn in mid-2014. Not yet 20, Horn had posted intriguing tweets on a way to bypass a key security feature designed to prevent malicious code from infecting a user’s computer. Cure53 had been working on similar methods, so Heiderich shot Horn a message, and before long they were discussing whether Horn would like to join Cure53’s small team.

Heiderich soon discovered that Horn was still an undergraduate at the Ruhr University Bochum, where Heiderich was doing post-doctoral research. Ultimately, he became Horn’s undergraduate thesis supervisor, and Horn signed on at Cure53 as a contractor.

Cybersecurity specialist Bryant Zadegan and Ryan Lester, head of secure messaging startup Cyph, submitted a patent application alongside Horn in 2016.
Zadegan had asked Horn, through Cure53, to audit Cyph’s service to check for hacking vulnerabilities. His findings ended up as part of the patent and proved so significant that Zadegan felt Horn more than merited credit as one of the inventors. The tool they built would ensure that, even if Cyph’s main servers were hacked, individual user data were not exposed.

“Jann’s skill set is that he would find an interesting response, some interesting pattern in how the computer works, and he’s just like ‘There’s something weird going on’ and he will dig,” Zadegan said. “That’s the magic of his brain. If something just seems a little bit amiss, he will dig further and find how something works. It’s like finding the glitch in the Matrix.”

Before long, Cure53’s penetration testers were talking about what they called “the Jann effect” — the young hacker consistently came up with extremely creative attacks. Meltdown and Spectre are just two examples of Horn’s brilliance, according to Heiderich. “He’s not a one-hit wonder. This is what he does.”

After two years at Cure53 and completing his undergraduate program, Horn was recruited by Google to work on Project Zero. It was a bittersweet day for Heiderich when Horn asked him to write a recommendation letter for the job. “Google was his dream, and we didn’t try to prevent him from going there,” he said. “But it was painful to let him go.”

Horn is now a star, at least in cybersecurity circles. He received resounding applause from fellow researchers when he presented his Spectre and Meltdown findings to a packed auditorium at a conference in Zurich on Jan. 11, a week after the attacks became public.

With bowl-cut brown hair, light skin and a thin build, Horn walked his fellow researchers through the theoretical attacks in English with a German accent. He gave little away that wasn’t already known.
Horn told the crowd that after informing Intel, he had no contact with the company for months until the chipmaker called him in early December to say other security researchers had also reported the same vulnerabilities. Aaron Stein, a Google spokesman, has a different account though: “Jann and Project Zero were in touch with Intel regularly after Jann reported the issue.”

When a fellow researcher asked him about another possible aspect of processor design that might be vulnerable to attack, Horn said, with a brief-but-telling smile: “I’ve been wondering about it but I have not looked into it.”