The Front Line of Vulnerability Response, Seen Through the Eyes of a Vulnerability Finder

Slides from a talk given at Internet Week 2016.

MUNEAKI NISHIMURA

December 01, 2016

Transcript

The slide text was extracted from the PDF with a broken font encoding and is not legible. The information that survives on the slides is the following.

Speaker: Muneaki Nishimura, Cyber Security Engineering Department, Recruit Technologies (slides 1 and 2).

References cited on the slides:

- Mozilla Foundation Security Advisories: https://www.mozilla.org/en-US/security/advisories/
- Firefox advisories on the CSP violation-report flaw and its recurrences (slides 14 to 17): https://www.mozilla.org/en-US/security/advisories/mfsa2012-53/ , https://www.mozilla.org/en-US/security/advisories/mfsa2014-86/ , https://www.mozilla.org/en-US/security/advisories/mfsa2016-18/
- W3C HTML Imports working draft, cited for its Content-Disposition handling (slide 20): https://www.w3.org/TR/2016/WD-html-imports-20160225/
- US-CERT notice on the Firefox security update of 6 April 2015 (slide 25): https://www.us-cert.gov/ncas/current-activity/2015/04/06/Mozilla-Releases-Security-Update-Firefox
- IPA document on Japan's vulnerability reporting scheme (slide 26): https://www.ipa.go.jp/files/000052737.pdf
- JVN advisory for the Apache Cordova vulnerability (slide 27): https://jvn.jp/jp/JVN41772178/
- Metasploit Framework pull requests (slide 36): https://github.com/rapid7/metasploit-framework/pulls
- Slide 39: denial-of-service vulnerability in Bind9.