モブセキュリティで話した内容です。 https://mob-security.connpass.com/event/209884/ 情報の倫理的な取り扱いをお願いします。
lͬ͘͟Γz͢ "84 *".ͷಛݖঢ֨ͷߟ͑ํͱରࡦϞϒηΩϡϦςΟ ୈճ-5େձ [email protected]"[BSB [email protected][[email protected]
View Slide
ࣗݾհ໊લ"[BSB[email protected][[email protected]"CPVUηΩϡϦςΟؔͷࣄΛ͍ͯ͠Δ৽ଔΤϯδχΞͰ͢ηΩϡϦςΟͱ8FCͱΫϥυ "84͕͖Ͱ͢࠷ۙ"84440ͱ$POUSPM5PXFSͱٔΕͯ·ͨ͠[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟ
༨ஊࠓͷؾ࣋ͪ• ؇ͦ͘͏ͱࢥͬͯ-5ʹొ࣮ͨ͠ࡢ·ͰΕͯͨʜ ͋ͱࢀՃऀଟ͍ʜ• ϏΫϏΫ͍ͯ͠·͢[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟ
ࠓ͢͜ͱ• "84 *". ͬͯͳʹ• "84*".ͷಛݖঢ֨• ͳΜͱͳ͘Θ͔Δఔʹ͢• ͯ͢ͷݸผࣄྫ͞ͳ͍• ରࡦͲ͏͢ΜͶΜ• ূͷอશͲ͏͢ΜͶΜ"84*".ͷ ಛݖঢ֨ͷߟ͑ํ ରࡦূͷอશ[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟ
͢༰• कΔଆ߈ܸऀ͕͢Δ߈ܸͷݪཧΛ͓ͬͯ͘ͱରࡦ͍͢͠ΑͶͱ͍͏ؾ࣋ͪͰॻ͍ͯ·͢• ରࡦํ๏ईͷ্͍ؔͰ͕ྃ͢͝ঝΛ• ݸʑͷࣄʹ͍ͭͯৄ͘͢͠Θ͚Ͱ͋Γ·ͤΜ• lͳΜͱͳ͘Θ͔ͬͨzͱ͍͏ͱ͜Ζ·Ͱ͠·͢• ֤αʔϏεͷৄ͍͠ར༻ํ๏ʹؔͯ͠ެࣜυΩϡϝϯτΛࢀরͯ͠Լ͍͞• ࠓޙͲ͔͜ͰύϫʔΞοϓ൛Λ͔͢͠Ε·ͤΜ͕ࠓճ͕͍࣌ؒͷͰ zͬ͘͟Γzόʔδϣϯ[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟ
ҙࣄ߲• ߈ܸʹར༻Ͱ͖ΔΛ͠·͢• ྙཧ؍Λ࣋ͬͯฉ͍ͯ͘ΕΔͱ͏Ε͍͠Ͱ͢• ຊ൪ڥ࣮ڥʹհͨ͠߈ܸͳͲΛڐՄͳ͘ʹ࣮ߦ͠ͳ͍Ͱ͍ͩ͘͞ɻ• ࡞ͬͯͨΒ͘ͳͬͯ͠·ͬͨͷͰૣޱ͔͠Ε·ͤΜ[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟ
[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟ"84*".ͷ "84 *".ͷಛݖঢ֨ͷߟ͑ํରࡦূͷอશ
͢͜ͱ• "84*".ͱ• lͬ͘͟ΓzΘ͔Δ "84*".• *". 1PMJDZ• *".6TFS• *".3PMF• *".(SPVQ[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟ
"84*".ͱ˞͜ͷεϥΠυͰ "84*".͕ఏڙ͢Δ6TFS3PMFΛҰׅΓʹ͢Δࡍʹ l"84*".zͱදه͠·͢[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟ"84ެࣜͷ *".ͷհϖʔδ ͜ͷεϥΠυͷొਓ
lͬ͘͟ΓzΘ͔Δ "84*".*".1PMJDZ• *".ͷج൫• ͜ͷϙϦγʔʹݖݶΛॻ͘• ར༻Ͱ͖Δ݅ڋ൱ʹ͔͚ؔͯ͠Δ• ݖݶʹ lzΛ͚ͭΔͱϫΠϧυΧʔυʹͳΔ[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟこいつ͜Μͳײ͡ʹهड़͢Δ Πϝʔδ
lͬ͘͟ΓzΘ͔Δ "84*".*".6TFS• "84Λ࢝ΊΔͱΈΜͳ͏• ίϯιʔϧʹ$-*ʹରԠ͍ͯ͠Δ• ࿙ΕΔͱΊΜͲ͍͘͞• ࿙ΕΔέʔε• ਓҝతϛεͰ࿙Εͯ͠·͏• ΫϥΠΞϯτϚγϯ͕৵ೖ͞Ε౪·ΕΔ[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟこいつ
lͬ͘͟ΓzΘ͔Δ "84*".*".6TFS[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟϙϦγʔΛΞλονޙड़ͷάϧʔϓʹՃͯ͠ݖݶΛ༩͢Δ*".6TFSΞΫηεʹؔ͢Δೝূใఏڙ͍ͯ͠·͢
lͬ͘͟ΓzΘ͔Δ "84*".*".3PMF• Ұ࣌తͳೝূใΛ༩ͯ͘͠ΕΔ• ผΞΧϯτʹ༩Ͱ͖ΔΑΫϩεΞΧϯτ• αʔϏεʹΞλον͢Δ͜ͱͰͦͷαʔϏε͔Βͷૢ࡞ʹར༻Ͱ͖ΔҰ࣌తͳೝূใΛ͍ग़͢Α• &$-BNCEBɺ$PEF#VJMEͳͲͳͲ[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟこいつ
lͬ͘͟ΓzΘ͔Δ "84*".*".6TFS[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟ*".6TFSͷΑ͏ʹQPMJDZΛΞλονͯ͠ݖݶΛ༩͢Δ*". 3PMFΛར༻Ͱ͖ΔϦιʔεΞΧϯτͳͲʹ৴པؔΛઃఆ͠·͢&$Ͱ͍͍ͨ࣌͜Μͳײ͡Πϝʔδ
lͬ͘͟ΓzΘ͔Δ "84*".*".(SPVQ• *". 6TFSΛ·ͱΊͯ͘ΕΔ• ͜ΕʹϙϦγʔΛΞλον͢Δͱάϧʔϓʹଐ͍ͯ͠Δ*".6TFS͕ΈΜͳڧ͘ͳΔ• *".6TFS͕૿͑Δͱׂͱ͏[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟこいつら
lͬ͘͟ΓzΘ͔Δ "84*".*".6TFS[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟϢʔβʔΛՃͯ͠·ͱΊͯϙϦγʔΛ༩Ͱ͖Δ*".6TFS3PMFಉ༷ϙϦγʔʹΑΔݖݶΛΞλον͢Δ
*".ͷzͬ͘͟Γz·ͱΊ*".1PMJDZ• ݖݶΛهड़͢Δ• 3PMF6TFSɺ(SPVQʹΞλονΛͯ͠ݖݶΛ༩Ͱ͖Δ*". 6TFS• 6TFSͷར༻͢ΔೝূใͳͲΛఏڙͰ͖Δ*". 3PMF• αʔϏεผΞΧϯτʹҰ࣌తͳݖݶΛ༩Ͱ͖Δ*". (SPVQ• *".6TFSΛ·ͱΊͯཧͰ͖Δ[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟ
[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟ"84*".ͷ ରࡦূͷอશ"84*".ͷಛݖঢ֨ͷߟ͑ํ
͢͜ͱ• "84*".ʹ͓͚Δಛݖঢ֨ͱ• ߈ܸαΠΫϧͷҰ෦ͱͯ͠ͷಛݖঢ֨• ख๏ʹ͍ͭͯ• lͬ͘͟Γzख๏Λେผ͢Δͱ• "84*".ʹతͳมߋૢ࡞Λߦ͏• طଘͷͷΛѱ༻͢Δ• FUD [email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟ
"84*".ʹ͓͚Δಛݖঢ֨ͱ• "846TFS 3PMF͕ʹ༩͞ΕͨݖݶΛΑΓڧྗ·ͨ༗༻ͳݖݶʹΞοϓάϨʔυ͢Δߦҝ• ΞοϓάϨʔυͷख๏• ݖݶͷॻ͖͑มߋ• ଞͰར༻͞Ε͍ͯΔผͷೝূใͷऔಘ• *". 3PMFϙϦγʔͷ͛͢ସ͑• FUD [email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟ
߈ܸαΠΫϧͷҰ෦ͱͯ͠ͷಛݖঢ֨• ߈ܸऀ͕ "84Λૂ͏ཧ༝• ଞਓͷ&$Ϧιʔε͍͍ͨͥ• 3%4ͱ͔ͷใൈ͖औΓ͍ͨͥ• SPPUݖݶऔͬͯΈ͍ͨͥ• FUD ʜ• ͱ͔͘ѱ༻ͷͨΊʹ͍ΖΜͳ͜ͱΛͯ͘͠Δ[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟೝূใΛऔಘͲͷΑ͏ͳݖݶ͕༩͞Ε͍ͯΔ͔୳ࡧಛݖঢ֨ѱ༻͋͘·ͰΠϝʔδ
lͬ͘͟Γz ख๏Λେผ͢Δ• "84*". ʹతͳมߋૢ࡞Λߦ͏• ྫ• *".QPMJDZͷతͳมߋ• *".3PMFͷϙϦγʔΞλον• ϦιʔεΛܦ༝ͯ͠طଘͷ*".3PMF͔Βऔಘ• ྫ• -BNCEBͷίʔυΛมߋ͠ɺFOW͔ΒೝূใΛൈ͘• ϋΠϒϦοτ• ྫ• *". 3PMFΛ৽͘͠࡞Γ &$ʹΞλον• ͦͷଞ[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟ
lͬ͘͟Γz ख๏Λେผ͢Δ• "84*". ʹతͳมߋૢ࡞Λߦ͏ ܰ͘৮Ε·͢• ྫ• *".QPMJDZͷతͳมߋ• *".3PMFͷϙϦγʔΞλον• ϦιʔεΛܦ༝ͯ͠طଘͷ*".3PMF͔Βऔಘ ͬͪ͜Λ͠·͢• ྫ• -BNCEBͷίʔυΛมߋ͠ɺFOW͔ΒೝূใΛൈ͘• ϋΠϒϦοτ• ྫ• *". 3PMFΛ৽͘͠࡞Γ &$ʹΞλον• ͦͷଞ[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟ
"84*". ʹతͳมߋૢ࡞Λߦ͏[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟͲͷΑ͏ͳͷͷ͜ͱΛࢦ͢ͷ͔• *".6TFSͷ࡞• طଘͷ*".6TFS͔ΒݤΛ࡞• *". 1PMJDZͷ࡞มߋ• *".3PMFʹ*".1PMJDZͷΞλονͳͲ༩͞Εͨ "84*".ͷݖݶΛར༻ࣗ͠ͷཉ͍ͯ͠ΔݖݶΛऔಘઃఆ͢Δ
ϦιʔεΛܦ༝ͯ͠طଘͷ*".3PMF͔ΒऔಘͲͷΑ͏ͳͷͷ͜ͱΛࢦ͢ͷ͔• طଘͷ-BNCEBͷίʔυΛมߋ• $MPVE'PSNBUJPOʹ*". 3PMFΛ༩• &$ʹ*".3PMFΛ༩ͳͲϦιʔεʹ༩͞ΕΔҰ࣌తͳೝূใΛͳΜΒ͔ͷख๏Ͱऔಘ͠ར༻͢Δ[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟ例: Lambdaから取得する場合の⼤体のイメージ
ϦιʔεΛܦ༝ͯ͠طଘͷ*".3PMF͔Βऔಘొ͢Δ[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟ˞ ຊղઆʹ͓͍ͯ߈ܸऀࣄલʹ*".3PMF໊ΛѲ͍ͯ͠Δલఏͱ͢Δ
ϦιʔεΛܦ༝ͯ͠طଘͷ*".3PMF͔ΒऔಘطଘͷϦιʔεΛ࣮ߦ͢Δ[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟ
ϦιʔεΛܦ༝ͯ͠طଘͷ*".3PMF͔ΒऔಘطଘͷϦιʔεΛߋ৽͢Δ[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟ
ϦιʔεΛܦ༝ͯ͠طଘͷ*".3PMF͔Βऔಘ৽نͰϦιʔεΛ্ཱͪ͛3PMFΛड͚͢[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟ
[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟ"84*".ͷ"84 *".ͷಛݖঢ֨ͷߟ͑ํରࡦূͷอશ
ରࡦ• औಘΛ·્ͣࢭ͢Δ• HJUTFDSFUͷಋೖͰ HJUͷೝূใࠞೖΛ͙• ͨΒʹೝূใΛڞ༗͠ͳ͍૿͞ͳ͍• FUD• ࠷খݖݶͷݪଇΛकΓ *".ͷϙϦγʔΛ࡞• Θ͔Βͳ͍߹*"."DDFTT"OBMZ[FSͳͲΛ༻͍Δ• ݖݶ͚ͩͰͳ͘ར༻Ͱ͖ΔϦιʔεͳͲΛ੍ݶ͢Δ• 4FDVSJUZ)VCΛ༻͍ͯΞΧϯτͷڴҖใΛऩू• ΞΧϯτͰར༻͠ͳ͍ݖݶ4$1 4FSWJDF$POUSPM1PMJDZͰ੍ݶ͢Δ[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟ
ূͷऔಘͱอશূͷऔಘ• $MPVE5SBJMͳͲΛ"1*ͷར༻ϩάΛऔಘ• ΞϓϦέʔγϣϯͷϩάͳͲ$MPVE 8BUDI-PHTΛ༻͍ͯऔಘূͷอଘ• 4ΫϩεΞΧϯτઌͷ4ʹอଘূͷอશ• আͤ͞ͳ͍ͨΊʹ• 4ͷόʔδϣχϯάΛ༗ޮԽ• .'" EFMFUFͷ༗ޮԽ[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟ
[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟ·ͱΊ"84*".ͷ"84 *".ͷಛݖঢ֨ͷߟ͑ํରࡦূڌͷอશ
·ͱΊ͜ͷ-5Ͱͬ͘͟Γͱͨ͠ݖݶঢ֨ͷϑϩʔʹ͍ͭͯ৮Ε·ͨ͠• "84*". ʹతͳมߋͳͲʹΑΓѱ༻͢Δͷ• طଘͷͷΛѱ༻͢Δͷ• ೋͭΛ߹ΘͤͨϋΠϒϦοτ"84ͳͲͷΫϥυαʔϏεʹରͯ͠ɺ߈ܸऀৗʹΛޫΒ͍ͤͯ·͢ɻར༻ऀͱͯ͠ɺࢲͨͪͰ͖ΔݶΓͷରࡦͱূڌΛूΊམͪண͍ͨΫϥυϥΠϑΛա͝͠·͠ΐ͏ɻ[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟ
͓͠·͍4QFDJBMUIBOLT*$000/.0/0IUUQTJDPPPONPOPDPN[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟ
[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟ͓·ֶ͚शʹ͍ͭͯ
ֶशؔ࿈• "84ެࣜυΩϡϝϯτͱᛀΊͬ͜• ࣮ڥͰࢼͯ͠ΈΔ• ࠷ॳ GMBXTDMPVE ͱ͔Ͱ͍͍͔• 4FSWFSMFTTपΓͩͱಈ͘ͷগͳ͍• ҰԠհ• 08"41%74"• 08"414FSWFSMFTT(PBU[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟ
ֶशؔ࿈[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟ
ֶशؔ࿈[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟhttps://github.com/RhinoSecurityLabs/cloudgoat
ֶशؔ࿈[email protected][[email protected]@TFDVSJUZϞϒηΩϡϦςΟhttps://rhinosecuritylabs.com/blog/?category=cloud-security
azara
sachag
cherdarchuk
orderedlist
garrettdimon
bermonpainter
roundedbygravity
paigeccino
bkeepers
rasmusluckow
pedronauck
chriscoyier
sstephenson