Updated: 2018-1-6 5:30:39 Source: The New York Times Chinese Website Author: Anonymous

Researchers Discover Two Major Flaws in the World’s Computers

SAN FRANCISCO — Computer security experts have discovered two major security flaws in the microprocessors inside nearly all of the world’s computers.

The two problems, called Meltdown and Spectre, could allow hackers to steal the entire memory contents of computers, including mobile devices, personal computers and servers running in so-called cloud computer networks.

There is no easy fix for Spectre, which could require redesigning the processors, according to researchers. As for Meltdown, the software patch needed to fix the issue could slow down computers by as much as 30 percent — an ugly situation for people used to fast downloads from their favorite online services.

“What actually happens with these flaws is different and what you do about them is different,” said Paul Kocher, a researcher who was an integral member of a team of researchers at big tech companies like Google and Rambus and in academia that discovered the flaws.

Meltdown is a particular problem for the cloud computing services run by the likes of Amazon, Google and Microsoft. By Wednesday evening, Google and Microsoft said they had updated their systems to deal with the flaw.

Amazon told customers of its Amazon Web Services cloud service that the vulnerability “has existed for more than 20 years in modern processor architectures.” It said that it had already protected nearly all instances of AWS and that customers must update their own software running atop the service as well.

To take advantage of Meltdown, hackers could rent space on a cloud service, just like any other business customer. Once they were on the service, the flaw would allow them to grab information like passwords from other customers.

That is a major threat to the way cloud-computing systems operate. Cloud services often share machines among many customers — and it is uncommon for, say, a single server to be dedicated to a single customer. Though security tools and protocols are intended to separate customers’ data, the recently discovered chip flaws would allow bad actors to circumvent these protections.

The personal computers used by consumers are also vulnerable, but hackers would have to first find a way to run software on a personal computer before they could gain access to information elsewhere on the machine. There are various ways that could happen: Attackers could fool consumers into downloading software from an email or an app store, or into visiting an infected website.

According to the researchers, the Meltdown flaw affects virtually every microprocessor made by Intel, which makes chips used in more than 90 percent of the computer servers that underpin the internet and private business operations.

Customers of Microsoft, the maker of the Windows operating system, will need to install an update from the company to fix the problem. The worldwide community of coders that oversees the open-source Linux operating system, which runs about 30 percent of computer servers worldwide, has already posted a patch for that operating system. Apple had a partial fix for the problem and is expected to have an additional update.

The software patches could slow the performance of affected machines by 20 to 30 percent, said Andres Freund, an independent software developer who has tested the new Linux code. The researchers who discovered the flaws voiced similar concerns.

This could become a significant issue for any business running websites and other software through cloud systems.

There is no evidence that hackers have taken advantage of the vulnerability — at least not yet. But once a security problem becomes public, computer users take a big risk if they do not install a patch to fix the issue. A so-called ransomware attack that hit computers around the world last year took advantage of machines that had not received a patch for a flaw in Windows software.

The other flaw, Spectre, affects most processors now in use, though the researchers believe this flaw is more difficult to exploit. There is no known fix for it, and it is not clear what chip makers like Intel will do to address the problem.

It is not certain what the disclosure of the chip issues will do to Intel’s business, and on Wednesday, the Silicon Valley giant played down the problem.

“Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed,” the company said in a statement. “Intel believes these exploits do not have the potential to corrupt, modify or delete data.”

Spectre will be much more difficult to deal with than issuing a software patch.

The Meltdown flaw is specific to Intel, but Spectre is a flaw in design that has been used by many processor manufacturers for decades. It affects virtually all microprocessors on the market, including chips made by AMD that share Intel’s design and the many chips based on designs from ARM in Britain.

Spectre is a problem in the fundamental way processors are designed, and the threat from Spectre is “going to live with us for decades,” said Kocher, the president and chief scientist at Cryptography Research, a division of Rambus.

“Whereas Meltdown is an urgent crisis, Spectre affects virtually all fast microprocessors,” Kocher said. An emphasis on speed while designing new chips has left them vulnerable to security issues, he said.

“We’ve really screwed up,” Kocher said. “There’s been this desire from the industry to be as fast as possible and secure at the same time. Spectre shows that you cannot have both.”

A fix may not be available for Spectre until a new generation of chips hits the market.

“This will be a festering problem over hardware life cycles. It’s not going to change tomorrow or the day after,” Kocher said. “It’s going to take a while.”

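“For the full text, please visit the New York Times Chinese website. This article was published on the New York Times Chinese website (http://cn.nytimes.com), and copyright belongs to The New York Times Company. No organization or individual may reproduce or translate it without permission. Subscribe to the New York Times Chinese website news email: http://nytcn.me/subscription/”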
