Slide 1
Slide 1 text
ϦϞʔτϫʔΫ࣌ͷकޢਆ
PHP։ൃऀͷͨΊͷηΩϡϦςΟڧԽज़
ʙલࡇͰҿΈ͗͢ͳ͍ٕज़ʙ
Slide 2
Slide 2 text
ࢁԼ!QZBNB
(.0ϖύϘٕज़ج൫νʔϜ
γχΞɾϓϦϯγύϧ
ɹΩϟϯϓɺཱྀߦɺώϧτϯ८ΓɺιϫχΤ८Γ
1SPYZαʔό։ൃɺ0QFO5FMFNFUSZɺ"84
Slide 3
Slide 3 text
ϗεςΟϯάࣄۀ &$ࢧԉࣄۀ ϋϯυϝΠυɾͦͷଞࣄۀ
Slide 4
Slide 4 text
ͬͱ͓͠Ζ͘Ͱ͖Δ
Slide 5
Slide 5 text
ใηΩϡϦςΟ
Slide 6
Slide 6 text
FireWall
「飲み会の帰りにパソコン紛失しました」
「XSS?CSRF?新
手
のTRFか?」
CVE-2024-06221430
徳丸本、この世のすべてをそこに置いてきた
ハッキング
Slide 7
Slide 7 text
ใηΩϡϦςΟͷ3ཁૉ
ػີੑ
શੑ
Մ༻ੑ
ػີੑʢ$PO
fi
EFOUJBMJUZʣͱɺڐՄ͞Εͨऀ͚͕ͩใʹΞΫηεͰ͖ΔΑ͏ʹ͢Δ͜ͱͰ͢ɻڐՄ͞Ε͍ͯͳ͍ར༻ऀɺ
ίϯϐϡʔλσʔλϕʔεʹΞΫηε͢Δ͜ͱ͕Ͱ͖ͳ͍Α͏ʹͨ͠ΓɺσʔλΛӾཡ͢Δ͜ͱͰ͖Δ͕ॻ͖͑Δ͜ͱ
Ͱ͖ͳ͍Α͏ʹͨ͠Γ͠·͢ɻ
શੑʢ*OUFHSJUZʣͱɺอ༗͢Δใ͕ਖ਼֬Ͱ͋ΓɺશͰ͋Δঢ়ଶΛอ࣋͢Δ͜ͱͰ͢ɻใ͕ෆਖ਼ʹվ͟Μ͞ΕͨΓɺ
ഁյ͞ΕͨΓ͠ͳ͍͜ͱΛࢦ͠·͢ɻ
Մ༻ੑʢ"WBJMBCJMJUZʣͱɺڐՄ͞Εͨऀ͕ඞཁͳͱ͖ʹ͍ͭͰใʹΞΫηεͰ͖ΔΑ͏ʹ͢Δ͜ͱͰ͢ɻ
ͭ·ΓɺՄ༻ੑΛҡ࣋͢Δͱ͍͏͜ͱɺใΛఏڙ͢ΔαʔϏε͕ৗʹಈ࡞͢Δͱ͍͏͜ͱΛද͠·͢ɻ
Ҿ༻ݩIUUQTXXXTPVNVHPKQNBJO@TPTJLJKPIP@UTVTJOTFDVSJUZCVTJOFTTFYFDVUJWFIUNM
Slide 8
Slide 8 text
ϦϞʔτϫʔΫ
Slide 9
Slide 9 text
ϦϞʔτϫʔΫʹ͓͚ΔωοτϫʔΫ
Employee
DMZ
FW
VPN
Server
Intranet
App
Servers
The Internet
VPNΛར༻ͯ͠ɺωοτϫʔΫͷڥքͰΞΫηεΛ੍ޚ͢Δ
͍ΘΏΔʮڥքϞσϧʯ͕ओྲྀ
Slide 10
Slide 10 text
ڥքϞσϧͷσϝϦοτ
DMZ
FW
VPN
Server
Intranet
App
Servers
The Internet
ࣗ༝͕ߴ͍͕Ώ͑ʹɺഁΒΕͨޙͷ੍ޚͷ͠͞
෦ωοτϫʔΫʹ
͍͞Δ͔ͷΑ͏ʹ
ৼΔ͑Δ
ੌϋοΧʔ
Slide 11
Slide 11 text
θϩτϥετ
ωοτϫʔΫ
ͯ͢ͷτϥϑΟοΫΛ
৴༻͠ͳ͍͜ͱΛલఏͱ͢Δ
https://www.oreilly.co.jp//books/9784873118888/
Slide 12
Slide 12 text
θϩτϥετωοτϫʔΫͱԿ͔
• ωοτϫʔΫৗʹ҆શͰͳ͍ͱݟͳ͞ΕΔ
• ωοτϫʔΫ্ʹ֎෦ٴͼ෦ͷڴҖ͕ৗʹଘࡏ͢Δ
• ωοτϫʔΫΛ৴༻Ͱ͖Δͱஅʹ͢ΔʹɺϩʔΧϧωοτϫʔΫͰ
ෆेͰ͋Δ
• σόΠεɺϢʔβʔɺωοτϫʔΫϑϩʔ1ͭΒͣೝূ͓ΑͼೝՄ͞ΕΔ
• ϙϦγʔಈతͰ͋ΓɺͰ͖Δ͚ͩଟ͘ͷใݯʹج͍ͮͯ࡞͞Εͳ͚Ε
ͳΒͳ͍
Evan GilmanɺDoug Barthɹஶɺླ ݚޗɹ༁ θϩτϥετωοτϫʔΫ ʮ1.1 θϩτϥετωοτϫʔΫͱԿ͔ʯΑΓҾ༻
Slide 13
Slide 13 text
GoogleͳͲͷαʔϏεΛ
ར༻͍ͯ͠Δͱ͖ʹɺ
ීஈͱҟͳΔNWͩͱ
ϩάΞτ͞Εͨܦݧ
ΞϓϦέʔγϣϯʹ͓͚Δθϩτϥετ
ීஈͱҟͳΔ;Δ·͍ɺڥΛ৴པ͠ͳ͍
Slide 14
Slide 14 text
ࠓ͢͜ͱ
• θϩτϥετϞσϧΛ༻͍ͯɺշదͳϦϞʔτϫʔΫڥΛ࡞Δ࣮ྫ
• ϢʔβʔͷৼΔ͍ૢ࡞ΛͲͷΑ͏ʹࠪ͢Δ͔
Slide 15
Slide 15 text
௨৴ܦ࿏
Slide 16
Slide 16 text
௨৴ܦ࿏
PKI(Public Key Infrastructure)Λར༻ͯ͠
҉߸Խͯ͠௨৴͢Δ
Client Server
1.ଓཁٻ
2. αʔόূ໌ॻૹ৴
4.҉߸Խ௨৴
3.ΓͷϋϯυγΣΠΫ(লུ)
Slide 17
Slide 17 text
௨৴ܦ࿏
ূ໌ॻΛૹ৴ͨ͠αʔό͕ਖ਼͍͔͠Ͳ͏͔Λ
ূ໌͢Δͷ͕ೝূہ
Client Server
1.ଓཁٻ
2. αʔόূ໌ॻૹ৴
4.҉߸Խ௨৴
3.ΓͷϋϯυγΣΠΫ(লུ)
ྫ͑ɺαʔό͕
exampe.comͷূ໌ॻΛ
ฦ٫ͯ͠ɺຊʹexample.comΛ
ཧ͍ͯ͠Δαʔό͔Θ͔Βͳ͍
Slide 18
Slide 18 text
αʔόͷਖ਼͠͞࿈తʹ֬ೝ͞ΕΔ
OSϒϥβʹଘࡏ͢Δϧʔτূ໌ॻ
͕CAͷਖ਼͠͞Λূ໌͠ɺCA͕֤αʔό
ূ໌ॻͷਖ਼͠͞Λূ໌͢ΔΑ͏ʹ
ਖ਼͠͞࿈͓ͯ͠ΓɺTrust Chainͱ
ݺΕΔ
WebϒϥβͱೝূہɺτϥετΞϯΧʔΛ८Δٕज़ಈ
https://www.nic.ad.jp/ja/newsletter/No69/0800.html ΑΓҾ༻
Slide 19
Slide 19 text
PKICAͷҧ͍Ͱେ͖͘2ͭ͋Δ
θϩτϥετϞσϧͰPrivate PKI͕ओʹར༻͞ΕΔ
Public Private
GMO άϩʔόϧαΠϯ
Let’s Encrypt
දྫ
༻్
WEBαʔϏεͷSSLূ໌ॻͳͲɻ
ίετ؍͔ΒϝλσʔλͳͲΛ
ࡉ͔͘සൟʹॻ͖͑ͨΓ͠ਏ͍
HashiCorp Vault
OpenSSL ΦϨΦϨೝূہ
දྫ
༻్
γεςϜͷmTLS௨৴ɺ
ݕূʹ͓͚Δఆతͳূ໌ॻɻ
Slide 20
Slide 20 text
HashiCorp VaultΛར༻ͨ͠mTLS
Mutual Transport Layer Security = mTSL
VaultΛར༻͢ΔͱࣗಈԽ͞Εͨূ໌ॻɺ伴ͷཧ͕Մೳ
Client at
Home
Server
TLS Connection
ೝূɾೝՄ
ূ໌ॻɾ伴
ೝূɾೝՄ
ূ໌ॻɾ伴
Slide 21
Slide 21 text
GitHubͷϢʔβʔʹΑΔೝূೝՄ
• GitHubϢʔβʔ͕ॴଐ͢ΔνʔϜͱVault্ͷϩʔϧΛඥ͚ͮ͢Δ͜ͱͰ
ݖݶཧΛҰݩԽɻݖݶΛ͍ͬͯΔϢʔβʔɺάϧʔϓ͚͕ͩඞཁ
ͳαʔόʹଓ͕Ͱ͖Δ
• Vault͕͍ग़͢ূ໌ॻͷTTLΛ໋ʹઃఆ͢Δ͜ͱͰɺྲྀग़࣌ͷӨڹΛখ
ͨ͘͞͠Γɺٳ৬ɺୀ৬࣌ͷࣦޮΛࣗಈԽ
• ΫϥΠΞϯτɺαʔόʹconsul-templateΛಋೖ͠ɺೝূ݁ՌͷԆ໋ɺ
ূ໌ॻͷߋ৽ΛࣗಈԽ
Slide 22
Slide 22 text
ٕज़෦
Ϣʔβ
ٕज़෦αʔό
ਓࣄ෦αʔό
1.ೝূཁٻ
2.ೝূཁٻ
3.ೝՄ
4. 1͚ٕͩज़෦αʔόʹ
ଓՄೳͳূ໌ॻͱ伴Λ
͍ग़͠
5. mTLSଓ
GitHubͷϢʔβʔʹΑΔೝূೝՄ
Slide 23
Slide 23 text
consul-templateόϦศར
vault {
address = "https://vault.exapmle.com"
token = "init token"
renew_token = true
}
template {
contents = "{{ with secret \"example/issue/api\" \"common_name=api.example.com\" }}{{ .Data.issuing_ca }}{{ end }}"
destination = "/foo/bar/api.example.com.raw"
command = "sudo /usr/local/sbin/update_ca_certs api.example.com"
}
Go Templateه๏Ͱূ໌ॻͷग़ྗɺ
֤छϛυϧΣΞͷઃఆϑΝΠϧͳͲΛग़ྗͰ͖Δ
Slide 24
Slide 24 text
Ϣʔβʔೝূ
Slide 25
Slide 25 text
ύεϑϨʔζ҆શ͔ʁ
• ैۀһͷར༻͍ͯ͠ΔαʔϏεͷηΩϡϦςΟɾΠϯγσϯτ
• ར༻ͷฆࣦιʔγϟϧɾϋοΩϯά
ύεϑϨʔζैۀһͷաࣦͷ༗ແʹؔͳ͘
ྲྀग़͢ΔՄೳੑ͕͋Δ
Slide 26
Slide 26 text
ύ
ε
ϫ
υ
ͷ
ఆ
ظ
త
ͳ
ม
ߋ
ͯ
Ϣ
β
ͷ
҆
ͳ
ύ
ε
ϫ
υ
ઃ
ఆ
Λ
༠
ൃ
͢
Δ
͔
Β
·
Δ
Ͱ
ҙ
ຯ
ͳ
͍
ແ
ҙ
ຯ
ͷ
ۃ
Έ
ʂ
ʂ
ʂ
Slide 27
Slide 27 text
No content
Slide 28
Slide 28 text
https://haveibeenpwned.com/
Slide 29
Slide 29 text
ଟཁૉೝূඞਢ
• ύεϑϨʔζɺൿີ伴͍ͭͩͬͯྲྀग़ͷϦεΫ͕͋Δ
• ηΩϡϦςΟτʔΫϯੜମೝূΛར༻ͨ͠ଟཁૉೝূ͕ඞਢ
Slide 30
Slide 30 text
Կ͔͋ͬͨͱ͖ʹɺ
Ͳ͏ؾ͔ͮ͘ʁ
Slide 31
Slide 31 text
߈ܸऀͷྨ
1. εΫϦϓτΩσΟ: πʔϧͰ߈ܸͯ͘͠Δೳྗͷ͍߈ܸऀ
2. ඪ४ܕ߈ܸऀ : ಛఆͷඪతΛૂͬͨ߈ܸऀ
3. ΠϯαΠμʔڴҖ: ಛݖΛ࣋ͨͳ͍෦Ϣʔβʔ
4. ৴པ͞ΕͨΠϯαΠμʔ: ಛݖΛ࣋ͭ෦Ϣʔβʔ
5. ࠃՈϨϕϧͷΞΫλʔ: ࠃՈͷࢧԉΛड͚ɺ५ͳϦιʔεΛ࣋ͭ߈ܸऀ
Evan GilmanɺDoug Barthɹஶɺླ ݚޗɹ༁ θϩτϥετωοτϫʔΫ ʮ2.1.1 ҰൠతͳڴҖϞσϧʯΑΓҾ༻
Slide 32
Slide 32 text
େମ
ͨ·ͨ·߈ܸ͞Εͯͳ͍͔
߈ܸ͞Ε͍ͯΔ͜ͱʹ
ؾ͍͍ͮͯͳ͍
Slide 33
Slide 33 text
AuditLog
• γεςϜOSʹߦΘΕͨ͋ΒΏΔૢ࡞͕ه͞Ε͍ͯΔ
• ୭͕ɺ͍ͭɺͲ͜ͰɺͳʹΛͨ͠
• LinuxͰ͋ΕauditdɺkubernetesͰ͋Εkube-apiserverͷauditlogͳͲ
ҰൠతͳOSɺϛυϧΣΞʹଘࡏ͢Δ
• ͋ΒΏΔϩά߈ܸऀ͔Βফ͞ΕΔՄೳੑ͕͋ΔͷͰɺ
χΞϦΞϧλΠϜʹόοΫΞοϓ͢Δ͔ɺҟৗݕ͢Δඞཁ͕͋Δ
Slide 34
Slide 34 text
OSSEC
• ࠪϩάΛݩʹͨ͠৵ೖݕ
• ϑΝΠϧมߋݕ
• ϧʔτΩοτ/ϚϧΣΞݕ
• γεςϜΠϯϕϯτϦ
https://www.ossec.net/
Slide 35
Slide 35 text
Wazuh
https://documentation.wazuh.com/current/getting-started/architecture.html
Slide 36
Slide 36 text
Ϣʔβʔ͕Կ͔͕ͨ͠௨͞ΕΔ
Slide 37
Slide 37 text
ϗετΠϯϕϯτϦཧՄೳ
ద߹͍ͯ͠Δ
CVE
• Πϯετʔϧ͞Ε͍ͯΔύοέʔδ
• ىಈ͍ͯ͠Δϓϩηε
• Ϧοεϯ͍ͯ͠Δϙʔτ
Slide 38
Slide 38 text
θϩτϥετωοτϫʔΫͷ
ଟཁૉೝূͱ໋ͳূ໌ॻ
ࠪج൫
Slide 39
Slide 39 text
ͳΜ͔Ͱ͖ͨ
LinuxͰҙͷPHPεΫϦϓτͰ
Ϣʔβʔೝূ͕࣮ߦͰ͖Δ
Slide 40
Slide 40 text
σϞ
ࠑॲ͔ΒઌͲ͏ͳΔ͔
·ΔͰΘ͔Βͳ͍
Slide 41
Slide 41 text
PHPͷC֦ுͰ͋Δͷ͕ͩ…
Slide 42
Slide 42 text
int call_php_handler(pam_handle_t *pamh, const char
*
fi
lename, const char *cfunction_name)
{
PHP_EMBED_START_BLOCK(0, NULL)
… ͜ͷதʹCͷίϯςΩετͰPHPͷίʔυΛॻ͘
PHP_EMBED_END_BLOCK();
}
PHPΛऴྃ͢Δͱ͖ʹϝϞϦ͕ഁ໓ʂʂʂ
1. PAM͔Βݺͼग़͞Εpam_handle_t
ɹͳͲͷϦιʔεΛ֬อ
2. PHPΛىಈ͢Δ
3. PHPͷॲཧ͕CͷίϯςΩετͰ
ɹ࣮ߦ͞ΕΔ
4. PHP͕ऴྃ
͜͜ͰmallocͷΤϥʔ
Slide 43
Slide 43 text
CͱPHPͷΦϒδΣΫτͷड͚͠
pamh
CͷίϯςΩετ PHPͷίϯςΩετ
pam_authenticate($pamh)
get_user($pamh)
get_user($pamh)
call
call
call
CͰੜ͞ΕͨϙΠϯλΛ૬ޓʹΓऔΓ͢Δ
Slide 44
Slide 44 text
zend_register_resource
zend_register_resource(pamh, le_pam_handle)
CͷϙΠϯλͳͲͷΦϒδΣΫτΛ
PHPͷϦιʔεͱͯ͠ొ͢Δ͜ͱͰ
PHPͰѻ͍͘͢͢Δ
Slide 45
Slide 45 text
if (zend_parse_parameters(ZEND_NUM_ARGS(), "z", &arg) == FAILURE) {
RETURN_FALSE;
}
pamh = (pam_handle_t *)Z_RES_P(arg);
͍͑ͬʂʂʂʂ
Slide 46
Slide 46 text
ࠓͨ͜͠ͱ
• ڥքϞσϧΫϥυશͷࡢࠓʹ͓͍ͯѻ͍ͮΒ͍͜ͱଟ͘ɺ·ͨ
ڥք͕ແඋͳ͜ͱ͕ଟ͍
• mTLSΛ׆༻͢ΔͳͲͯ͠ɺ௨৴ܦ࿏ͷೝূɺ҉߸ԽΛར༻͢Δ
• ύεϑϨʔζৗʹྲྀग़ͷϦεΫ͕͋ΔͷͰɺଟཁૉೝূΛඞͣར༻͢Δ
• pam-phpΛར༻ͨ͠ɺϓϥΨϒϧͳೝূͰޮੑͱ҆શੑΛ֬อ͢Δ
Slide 47
Slide 47 text
·ͩࠓͷ࠾༻͋Γ·͢ʂʂ
ਓྨͷΞτϓοτΛ૿͠·͠ΐ͏ˠ !QC@SFDSVJU