Slide 1

About Spectre    2018/08/04
Sumida Security Study Group (すみだセキュリティ勉強会)
@saiyuki1919

Slide 2

Self-introduction
• Name: Saito Yuki
• Hobbies:
  ・ Security in general, including reverse engineering
  ・ Machine learning
• Background:
  ・ Security Camp national event
  ・ Former Microsoft Student Partner
  ・ Currently a security engineer? (security-related work)
• Things I want to try soon:
  ・ Running a honeypot at home
  ・ Developing security-related OSS

Slide 3

Contents
• The series of Spectre incidents
• What are the discovered vulnerabilities?
• Attacks and countermeasures

Slide 4

The Spectre uproar

Right at the start of January 2018, turmoil hit the processor industry!
Processor vulnerabilities named Spectre and Meltdown were disclosed.
Meltdown was announced as affecting Intel CPUs and some ARM CPUs, while Spectre was announced as potentially present in every processor, including those from Intel, AMD and ARM.
Google's security team, Project Zero, had identified these serious security vulnerabilities, caused by "speculative execution", as early as June 2017 and had notified chip vendors such as Intel, AMD and ARM.
Disclosure was therefore scheduled for Microsoft's Patch Tuesday on January 9.
However, on January 2 the British IT publication The Register reported that
"a hardware change is required, and a software-only security fix causes a large drop in performance",
which threw the industry into confusion!

Slide 5

Discovered vulnerabilities
• Variant 1: bounds check bypass (CVE-2017-5753)
• Variant 2: branch target injection (CVE-2017-5715)
• Variant 3: rogue data cache load (CVE-2017-5754)
• Variant 3a: rogue system register read (CVE-2018-3640)
• Variant 4: speculative store bypass (CVE-2018-3639)
Variant 1 and Variant 2 are the vulnerabilities called Spectre; Variant 3 is the one called Meltdown.
The root cause is the mechanism called speculative execution, which exists to improve CPU performance, and every one of these vulnerabilities is classified as a side-channel attack.

Slide 6

What is a side-channel attack?
A side-channel attack tries to obtain clues by observing, through physical means, things such as electromagnetic emissions, heat, power consumption or differences in processing time.
"Side channel" means something that is not the regular input/output path; the name comes from the fact that it is secondary information, distinct from the algorithm itself.
Source: iot-jp.com, "サイドチャネル攻撃 (side channel attack)"

Slide 7

Impact
• Cloud services and MSPs
  It had a large impact on rental-server providers and on operators of cloud services that run VMs, such as IaaS and PaaS.
• Processor industry
  Spectre is a vulnerability that concerns not only Intel but chips in general, including AMD and ARM, so it became a major topic because it could affect a far wider range of devices than PCs, including smartphones that use ARM-based CPUs.

Slide 8

Events after the disclosure
• Large numbers of malware samples targeting Meltdown and Spectre discovered
  The AV-TEST Institute found samples regarded as forerunners of malware attempting to abuse the Meltdown and Spectre CPU vulnerabilities.
  (source: japan.cnet.com)
• Beware of malware disguised as Spectre/Meltdown patches
  Malware posing as a patch exists and pushes victims toward infection with SmokeLoader.
  (source: news.mynavi.jp)
• Intel changes its processor design in response to Spectre and Meltdown
  Intel was asked by the US Congress to explain itself for having underestimated the vulnerabilities, and on top of that class-action lawsuits were filed against it.
  (source: japanese.engadget.com)

Slide 9

What is Spectre?
• Variant 1: bounds check bypass (CVE-2017-5753)
  One instruction makes the CPU load into the cache a memory region of another process that it should not be able to read; another instruction then measures the read speed of that cached region of memory, and from that the contents of the memory region can be inferred.
• Variant 2: branch target injection (CVE-2017-5715)
  This abuses the indirect branch predictor: in one VM, branches are trained so as to call an illegitimate program; the trained prediction table then makes the other VM speculatively execute from that memory address.

Slide 10

Overview of the Spectre vulnerability
[Figure: a software layer (Application A, Application B, ..., OS) on top of a hardware layer (CPU). The vulnerability lets a memory region that normally cannot be accessed be read; several memory regions are shown.]

Slide 11

What is speculative execution?
[Figure: two instruction pipelines with the stages Fetch, Decode, Execute, Write Back, each with a stream of instructions, labelled "normal" and "speculative execution", with a "Time loss" label.]

Slide 12

bounds check bypass (CVE-2017-5753)
If the condition of the if statement has evaluated to true many times, then even when it is false, speculative execution runs past the branch instruction and executes what follows.
Manipulate the value of x freely so that array1[x] refers to the memory address you want to read.
array2 is indexed through array1, so the load brings one cache line of array2, selected by the value of array1[x], into the cache.
Once the array1_size check turns out to be false, the speculatively loaded array2 entry is discarded architecturally, but it remains in the L1/L2/L3 caches.
Because that line of array2 is sitting in the L1/L2/L3 caches, accessing the corresponding addresses of array2 in order and seeing which read was fast reveals the value in array1's memory.

if (x < array1_size) y = array2[array1[x] * 256];
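The one-liner above is the classic Spectre v1 gadget. As an added illustration (not part of the original deck), here it is next to a hardened form that clamps the index with a branchless mask, the same idea as Linux's array_index_nospec(); the array contents, sizes and helper names are my own constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample data (assumption): array1 holds the bytes the gadget
 * indexes with, array2 is the 256-line probe array from the slide. */
#define ARRAY1_SIZE 16
#define STRIDE 256   /* one cache line per possible byte value, as on the slide */
static const uint8_t array1[ARRAY1_SIZE] = {
    3, 1, 4, 1, 5, 9, 2, 6, 5, 3, 5, 8, 9, 7, 9, 3 };
static uint8_t array2[256 * STRIDE];

/* Fill array2 so that array2[k * STRIDE] == k; this makes the gadget's
 * architectural result easy to check. Speculation itself is not observable here. */
static void init_probe_array(void) {
    static int done = 0;
    if (done) return;
    for (size_t i = 0; i < sizeof array2; i++)
        array2[i] = (uint8_t)(i / STRIDE);
    done = 1;
}

/* The slide's gadget: architecturally the bounds check is respected, but a
 * trained predictor may run both loads speculatively with an out-of-bounds x
 * before the comparison resolves, leaving a cache line of array2 chosen by
 * the byte at array1[x]. */
uint8_t victim_unprotected(size_t x) {
    init_probe_array();
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * STRIDE];
    return 0;
}

/* Branchless clamp: mask is all ones when index < size and zero otherwise,
 * so even on a mispredicted path only array1[0..size-1] can be read.
 * The kernel's array_index_nospec() pins the comparison in inline asm because
 * a compiler may still turn it into a branch; a speculation barrier (lfence
 * on x86) after the comparison is the other common fix. */
static size_t index_nospec(size_t index, size_t size) {
    size_t mask = (size_t)0 - (size_t)(index < size);
    return index & mask;
}

uint8_t victim_masked(size_t x) {
    init_probe_array();
    if (x < ARRAY1_SIZE) {
        x = index_nospec(x, ARRAY1_SIZE);  /* forced in bounds even under misprediction */
        return array2[array1[x] * STRIDE];
    }
    return 0;
}
```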

Slide 13

branch target injection (CVE-2017-5715)
An attack that uses speculative execution, the BTB (branch target buffer) and indirect branch instructions.
What is an indirect branch instruction?
  ・ An instruction whose branch target is given by a register or memory value
  ・ On x86, call and jmp, for example
Which instruction gets executed speculatively? → Check the BTB!
What is the BTB (Branch Target Buffer)?
  ・ A buffer that stores branch targets keyed by the branch source address
  ・ It predicts the target memory address from some of the bits of the source memory address
  ・ Even when a physical core is split into logical cores, the prediction table (BTB) used for indirect branch prediction is shared between them

Slide 14

What is the BHB (Branch History Buffer)?
  ・ A buffer that records whether past branch predictions hit or missed
  ・ It keeps a history of the most recent branches
  ・ When a branch pattern is found in the BHB, the branch target is looked up in the BTB

Slide 15

branch target injection (CVE-2017-5715)
  ・ "Train" the BHB from user space
  ・ To train the BHB, reproduce the required number of branches of history
  ・ In another thread, repeatedly branch to the address execution should be steered to, so that the target address held in the BTB becomes the address of the unauthorized instruction to be executed
  ・ Speculative execution then runs that unauthorized instruction

Slide 16

Anticipated attacks
• Passwords, cookies and cryptographic keys could be eavesdropped
• Programs could be crashed
[Anticipated scenario]
  ・ An iframe is planted through an XSS vulnerability
  ・ When another site is loaded in an iframe inside the tab or in a pop-up, it runs in the same process as the main tab, so Spectre is executed there
  ・ Through Spectre, information such as cookies and passwords is obtained, or the program is halted

Slide 17

Countermeasures
• Google Chrome
  To prevent the vulnerability called Spectre from being abused via the web browser, a mitigation feature called Site Isolation was enabled by default.
  With Site Isolation enabled, each website is loaded in its own process, which makes it harder for a malicious website to access the user's accounts or other websites, or to steal information.
  The plan is to extend it to Chrome for Android as well.

Slide 18

Countermeasures by OS
• Windows
  Released the update program "KB[number]" for Windows.
• Mac
  The "macOS High Sierra [version] Supplemental Update" applies Spectre mitigations in addition to the Meltdown mitigations.
• Linux
  The latest Linux kernel ([version]) was released; this version also adds mitigations for the Spectre and Meltdown vulnerabilities.
• Updates have also been released for Android, iOS, CentOS and Red Hat.

Slide 19

Summary
• The Spectre uproar
  ・ The discovered vulnerabilities
  ・ What a side-channel attack is
  ・ Impact
  ・ Events after the disclosure
• Overview of the Spectre vulnerability / what speculative execution is
  ・ bounds check bypass (CVE-2017-5753)
  ・ branch target injection (CVE-2017-5715)
• Anticipated attacks / countermeasures
  ・ Chrome's Site Isolation feature
  ・ Countermeasures by OS

Slide 20

References
• Spectre Busters, or Spectre countermeasures in Linux
  slideshare.net (mhiramat)
• "Meltdown" and "Spectre": an explanation of the frightening vulnerabilities in modern CPUs
  logmi.jp
• Project Zero
  https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
• A rough explanation of the much-discussed Spectre and Meltdown vulnerabilities
  atmarkit.co.jp
• [Illustrated] How exactly do the CPU vulnerabilities Spectre and Meltdown attack?
  milestone-of-se.nesuke.com
• The "processor vulnerabilities" causing a stir: what is the real problem?
  itmedia.co.jp (PC USER)

Slide 21

References
• Side-channel attacks (side channel attack)
  iot-jp.com
• Performance comparison after the Spectre and Meltdown mitigations
  portwell.co.jp (blog, spectre_meltdown)