Slide 1
Slide 1 text
(PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷ
ʮΨʔυϨʔϧʯΛඋ͠Α͏
(P$POGFSFODF4QSJOH#4
ถوࢤ:0/&6$)*
5BLBTIJ
גࣜձࣾ'MBUU4FDVSJUZ
Slide 2
Slide 2 text
TIJGUKTJOGP
(PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛඋ͠Α͏
XIPBNJ
4FFIUUQTTIJGUKTJOGP
ถوࢤ !MNU@TXBMMPX
גࣜձࣾ'MBUU4FDVSJUZ
࠷ۙʰ8FCϒϥβηΩϡϦςΟʱͱ͍͏ॻ੶Λग़͠·ͨ͠
Slide 3
Slide 3 text
TIJGUKTJOGP
(PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛඋ͠Α͏
͋Εɺ͜Εͬͯ҆શ͚ͩͬʜʜ
/* ... */
x := 0
blah(unsafe.Pointer(x))
/* ... */
Slide 4
Slide 4 text
TIJGUKTJOGP
(PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛඋ͠Α͏
͋Εɺ͜Εͬͯ҆શ͚ͩͬʜʜ
/* ... */
x := 0
blah(unsafe.Pointer(x))
/* ... */
/* .... */
config = &tls.Config{
InsecureSkipVerify: true,
};
/* .... */
Slide 5
Slide 5 text
TIJGUKTJOGP
(PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛඋ͠Α͏
͋Εɺ͜Εͬͯ҆શ͚ͩͬʜʜ
/* ... */
x := 0
blah(unsafe.Pointer(x))
/* ... */
/* .... */
config = &tls.Config{
InsecureSkipVerify: true,
};
/* .... */
https://golang.org/pkg/math/rand
Slide 6
Slide 6 text
TIJGUKTJOGP
(PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛඋ͠Α͏
͋͋ɺ҆શͳίʔυΛॻ͘ͷർΕΔ
ʜʜͦΕ͕ͨͱ͑(PͰ͋ͬͯʂ
/* ... */
x := 0
blah(unsafe.Pointer(x))
/* ... */
/* .... */
config = &tls.Config{
InsecureSkipVerify: true,
};
/* .... */
https://golang.org/pkg/math/rand
Slide 7
Slide 7 text
TIJGUKTJOGP
(PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛඋ͠Α͏
৫ͷίʔυΛηΩϡΞʹอ্ͭͰͷ՝
͍ͬͯͯҙෆͰ
੬ऑͳίʔυΛॻ͍ͯ͠·͏
՝
͔͍ࣗͬͯΔ͕ɺ
νʔϜʹݟ͕ਁಁ͠ͳ͍
՝
ͦͦԿʹؾΛ͚ͭΔ͖
͔Λ୭Βͳ͍··
՝
c := &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: true,
},
},
}
Slide 8
Slide 8 text
TIJGUKTJOGP
(PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛඋ͠Α͏
৫ͷίʔυΛηΩϡΞʹอ্ͭͰͷ՝
͍ͬͯͯҙෆͰ
੬ऑͳίʔυΛॻ͍ͯ͠·͏
՝
͔͍ࣗͬͯΔ͕ɺ
νʔϜʹݟ͕ਁಁ͠ͳ͍
՝
ͦͦԿʹؾΛ͚ͭΔ͖
͔Λ୭Βͳ͍··
՝
c := &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: true,
},
},
}
Slide 9
Slide 9 text
TIJGUKTJOGP
(PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛඋ͠Α͏
৫ͷίʔυΛηΩϡΞʹอ্ͭͰͷ՝
͍ͬͯͯҙෆͰ
੬ऑͳίʔυΛॻ͍ͯ͠·͏
՝
͔͍ࣗͬͯΔ͕ɺ
νʔϜʹݟ͕ਁಁ͠ͳ͍
՝
ͦͦԿʹؾΛ͚ͭΔ͖
͔Λ୭Βͳ͍··
՝
c := &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: true,
},
},
}
Slide 10
Slide 10 text
TIJGUKTJOGP
(PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛඋ͠Α͏
ͦͦԿʹؾΛ͚ͭΔ͖͔Λ୭Βͳ͍··
͔͍ࣗͬͯΔ͕ɺνʔϜʹݟ͕ਁಁ͠ͳ͍
͍ͬͯͯҙෆͰ੬ऑͳίʔυΛॻ͍ͯ͠·͏
΄͍͠ͷʜ
՝
͍ͬͯͯҙෆͰ
੬ऑͳίʔυΛॻ͍ͯ͠·͏
՝
͔͍ࣗͬͯΔ͕ɺ
νʔϜʹݟ͕ਁಁ͠ͳ͍
՝
ͦͦԿʹؾΛ͚ͭΔ͖͔Λ୭Βͳ͍··
՝
c := &http.Client{
Transport:
&http.Transport{
TLSClientConfig:
&tls.Config{
InsecureSkipVerify:
true,
},
},
}
Slide 11
Slide 11 text
TIJGUKTJOGP
(PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛඋ͠Α͏
ͦͦԿʹؾΛ͚ͭΔ͖͔Λ୭Βͳ͍··
͔͍ࣗͬͯΔ͕ɺνʔϜʹݟ͕ਁಁ͠ͳ͍
͍ͬͯͯҙෆͰ੬ऑͳίʔυΛॻ͍ͯ͠·͏
΄͍͠ͷʜΨʔυϨʔϧ🚧
՝
ҎԼΛຬͨ͢Α͏ͳʮΨʔυϨʔϧʯ͕΄͍͠ʂ
✔ Α͋͘ΔϛεΛେ·͔ʹरͬͯ͘ΕΔ
✔ ҰਓͷݟΛνʔϜʹεέʔϧͤ͞ΒΕΔ
✔ ؾΛ͚ͭଓ͚ͳͯ͘ɺΛػց͕ڭ͑ͯ͘ΕΔ
ཧ
͍ͬͯͯҙෆͰ
੬ऑͳίʔυΛॻ͍ͯ͠·͏
՝
͔͍ࣗͬͯΔ͕ɺ
νʔϜʹݟ͕ਁಁ͠ͳ͍
՝
ͦͦԿʹؾΛ͚ͭΔ͖͔Λ୭Βͳ͍··
՝
c := &http.Client{
Transport:
&http.Transport{
TLSClientConfig:
&tls.Config{
InsecureSkipVerify:
true,
},
},
}
Slide 12
Slide 12 text
TIJGUKTJOGP
(PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛඋ͠Α͏
ΨʔυϨʔϧΛߏ͢ΔͨΊͷ
ͭͷΞΫγϣϯ
͍ͬͯͯҙෆͰ
੬ऑͳίʔυΛॻ͍ͯ͠·͏
͔͍ࣗͬͯΔ͕ɺ
νʔϜʹݟ͕ਁಁ͠ͳ͍
ͦͦԿʹؾΛ͚ͭΔ͖
͔Λ୭Βͳ͍··
՝
·ͣHPTFDͰΑ͋͘Δ
ϛεΛݕग़Ͱ͖ΔΑ͏ʹ͢Δ
HPSVMFHVBSEΛ׆༻ͯ͠
ݟΛίʔυͱͯ͠ੵ͍ͯ͘͠
$*ʹHPTFDΛஔ͢Δ
ॳظSFWJFXEPHͷซ༻(PPE
ΞΫγϣϯ
Slide 13
Slide 13 text
TIJGUKTJOGP
(PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛඋ͠Α͏
‣ యܕతͳ҆શͰͳ͍(PίʔυύλʔϯΛݕग़ͯ͘͠ΕΔπʔϧ
‣ HPMBOHDJMJOUܦ༝Ͱར༻Մೳ
‣ ,VCFSOFUFT$BEEZͷஶ໊ͳ(PϓϩδΣΫτͰར༻͞Ε͍ͯΔ
HPTFD
IUUQTHJUIVCDPNTFDVSFHPHPTFD
$ gosec ./main.go
[/app/main.go:6] - G404 (CWE-338): Use of weak random number generator
(math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
5: func main() {
> 6: sample := rand.Int()
7:
Slide 14
Slide 14 text
TIJGUKTJOGP
(PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛඋ͠Α͏
҆શͰͳ͍(PίʔυͷయܕྫΛݕग़Մೳ
/* ... */
x := 0
blah(unsafe.Pointer(x))
/* ... */
/* .... */
config = &tls.Config{
InsecureSkipVerify: true,
};
/* .... */
(
(
HPTFD
https://golang.org/pkg/math/rand
(
Slide 15
Slide 15 text
TIJGUKTJOGP
(PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛඋ͠Α͏
‣ HP
ܥύοέʔδ
‣ HP
(Pඪ४ͷ੩తղੳ༻ͷύοέʔδ܈
‣ HPTFDͰओʹHPBTUʢߏจपΓʣͱHPUZQFTʢܕपΓʣ͕ར༻͞Ε͍ͯΔ
‣ ֤ݕग़ϧʔϧHP
ͱHPTFDʹΑΔHP
ͷUIJOXSBQQFSͰॻ͔ΕΔ
HPTFDͷ͘͠Έ
if ident, ok := n.Key.(*ast.Ident); ok {
switch ident.Name {
case "InsecureSkipVerify":
if node, ok := n.Value.(*ast.Ident); ok {
if node.Name != "false" {
return gosec.NewIssue(c, n, t.ID(),
"TLS InsecureSkipVerify set true.",
gosec.High, gosec.High)
}
} // ....
https://github.com/securego/gosec/blob/27a5ffb5c8f6dd3b6dea3b8e6019a2b3d43bf0f9/rules/tls.go#L64-L72
Slide 16
Slide 16 text
TIJGUKTJOGP
(PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛඋ͠Α͏
՝৫ݻ༗ͷϧʔϧ࡞ͰࠔΔ
func applyUnsafeOpToDir(path string) error {
/* ... */
}
/* ... */
s := scanner.Text()
applyUnsafeOpToDir("/etc")
applyUnsafeOpToDir("/etc"+ "/gogogo")
applyUnsafeOpToDir(s)
ͦͦ͜͜ةͳ͍ؔ
‣ QSJWBUFͳύοέʔδʹؔ͢ΔηΩϡϦςΟϧʔϧΛHPTFDʹՃ͢Δͷࠔ
‣ 044ͳͷͰ৫ʹݻ༗ͷϧʔϧΛ࡞ͬͯDPOUSJCVUFͰ͖ͳ͍
‣ ҰԠHPTFDΛGPSLͯ͠ϝϯςφϯε͢Δͱ͍͏ख͋Δ͕ɺͭΒ͍
‣ ࿑ྗ࠷খԽͭͭࣗ͠࡞-JOUFSΛ༻ҙͰ͖ͨΒخ͍͕͠ʜʜ
ྫҾ͕ίϯύΠϧ
࣌ఆͰͳ͍Մೳੑ͕
͋Δ߹ʹܯࠂ͍ͨ͠
Slide 17
Slide 17 text
TIJGUKTJOGP
(PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛඋ͠Α͏
‣ (Pίʔυ͚ͷಠࣗ੩తղੳϧʔϧͷ࡞Λิॿ͢Δ-JOUFS
‣ ৫ಠࣗͷϧʔϧΛڧྗͳύλʔϯϚονϟʢETMύοέʔδʣΛ༻͍ͯهड़Ͱ͖Δ
‣ HPBOBMZTJT
HPHSFQϕʔεͰ࡞͞Ε͍ͯΔ
HPSVMFHVBSE
IUUQTHJUIVCDPNRVBTJMZUFHPSVMFHVBSE
m.Match(`copy($b, []byte($s))`).
Where(m["s"].Type.Is(`string`)).
Suggest(`copy($b, $s)`)
sample := "test"
copy(buf, []byte(sample))
ղੳϧʔϧͷྫ
ݕग़͍ͨ͠அยͷྫ
Slide 18
Slide 18 text
TIJGUKTJOGP
(PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛඋ͠Α͏
m.Match(`applyUnsafeOpToDir($x)`).
Where(!m["x"].Const).
Report(`$x should be a compile-time constant value`)
func applyUnsafeOpToDir(path string) error { /* ... */ }
/* ... */
s := scanner.Text()
applyUnsafeOpToDir("/etc")
applyUnsafeOpToDir("/etc"+ "/gogogo")
applyUnsafeOpToDir(s)
/app/main.go:39:2: permitOnlyConstant: s should be a compile-time constant
value (rules.go:14)
ղੳରͷίʔυྫ
ղੳϧʔϧͷྫ
ղੳ݁Ռͷྫ
࠷ऴߦͷΑ͏ͳ
ݺͼग़͠Λݕग़͍ͨ͠ʂ
Slide 19
Slide 19 text
TIJGUKTJOGP
(PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛඋ͠Α͏
m.Match(`applyUnsafeOpToDir($x)`).
Where(!m["x"].Const).
Report(`$x should be a compile-time constant value`)
func applyUnsafeOpToDir(path string) error { /* ... */ }
/* ... */
s := scanner.Text()
applyUnsafeOpToDir("/etc")
applyUnsafeOpToDir("/etc"+ "/gogogo")
applyUnsafeOpToDir(s)
/app/main.go:39:2: permitOnlyConstant: s should be a compile-time constant
value (rules.go:14)
ղੳରͷίʔυྫ
ղੳϧʔϧͷྫ
ղੳ݁Ռͷྫ
Slide 20
Slide 20 text
TIJGUKTJOGP
(PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛඋ͠Α͏
m.Match(`applyUnsafeOpToDir($x)`).
Where(!m["x"].Const).
Report(`$x should be a compile-time constant value`)
func applyUnsafeOpToDir(path string) error { /* ... */ }
/* ... */
s := scanner.Text()
applyUnsafeOpToDir("/etc")
applyUnsafeOpToDir("/etc"+ "/gogogo")
applyUnsafeOpToDir(s)
/app/main.go:39:2: permitOnlyConstant: s should be a compile-time constant
value (rules.go:14)
ղੳରͷίʔυྫ
ղੳϧʔϧͷྫ
ղੳ݁Ռͷྫ
^
\
Slide 21
Slide 21 text
TIJGUKTJOGP
(PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛඋ͠Α͏
(PʹಛԽ͍ͯ͠Δ͔Βͦ͜ͷڧΈ
https://go-ruleguard.github.io/by-example/
m.Match(`fmt.Sprint($x)`).
Where(m["x"].Type.
Implements(`fmt.Stringer`)).
Suggest(`$x.String()`)
m.Match(`$x<$a && $x>$b`).
Where(m["a"].Value.Int()
<= m["b"].Value.Int()).
Report("always false")
‣ HPSVMFHVBSE(PʹಛԽͯ͠࡞ΒΕ͍ͯΔ
‣ ͦͷͨΊྨࣅπʔϧͱൺΔͱศརɾߴػೳ
‣ ίϯύΠϧ࣌ఆͷऔΓѻ͍ɺܕपΓͷऔΓѻ͍ɺʜ
ܕใΛ༻͍ͨ
ϧʔϧ
ίϯύΠϧ࣌ఆΛ
༻͍ͨϧʔϧ
Slide 22
Slide 22 text
TIJGUKTJOGP
(PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛඋ͠Α͏
ܧଓతʹվળ͍ͯͨ͘͠Ίʹ
͜ͷखͷπʔϧͷಋೖॳظোน͕ߴ͍͕ʜʜ
$ curl -sfL https://raw.githubusercontent.com/securego/gosec/
master/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.7.0
$ gosec ./...
ʮࢼ͠ʹͬͯΈΑ͏ʂʯ
Slide 23
Slide 23 text
TIJGUKTJOGP
(PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛඋ͠Α͏
ܧଓతʹվળ͍ͯͨ͘͠Ίʹ
͜ͷखͷπʔϧͷಋೖॳظোน͕ߴ͍͕ʜʜ
$ curl -sfL https://raw.githubusercontent.com/securego/gosec/
master/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.7.0
$ gosec ./...
/* ... */
Summary:
Files: 77
Lines: 4034
Nosec: 0
Issues: 543
$
ʮͷౖ͍͢͝ΒΕͯΔͳɺಋೖ·ͨࠓߟ͑Δ͔ʜʯ
Slide 24
Slide 24 text
TIJGUKTJOGP
(PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛඋ͠Α͏
ܧଓతʹվળ͍ͯͨ͘͠Ίʹ
͜ͷखͷπʔϧͷಋೖॳظোน͕ߴ͍͕ʜʜ
$ curl -sfL https://raw.githubusercontent.com/securego/gosec/
master/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.7.0
$ gosec ./main.go
/* ... */
Summary:
Files: 77
Lines: 4034
Nosec: 0
Issues: 543
$
ʮͷౖ͍͢͝ΒΕͯΔͳɺಋೖ·ͨࠓߟ͑Δ͔ʜʯ
Slide 25
Slide 25 text
TIJGUKTJOGP
(PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛඋ͠Α͏
‣ ֤छ-JOUFSπʔϧͷग़ྗΛίϝϯτͱͯ͠ߘͯ͘͠ΕΔ(Pπʔϧ
‣ (JU)VCͰͷࠩϨϏϡʔ࣌ʹɺࠩ෦ͷΈͷ-JOU݁ՌΛڭ͑ͯ͘ΕΔ
‣ πʔϧͷ'BMTF1PTJUJWFཱ͕ͭ߹Ͱɺదʹʹͭ͘ͱ͜ΖͰҙשىͰ͖Δ
‣ ίʔυશମʹରͯ͠େྔͷΞϥʔτ͕ग़ΔڥͰɺஈ֊తʹվળΛ࢝ΊΒΕΔ
SFWJFXEPH🐾
IUUQTHJUIVCDPNSFWJFXEPHSFWJFXEPH
͜ͷ෦ͷݕࠪ݁ՌΛ
ίϝϯτͱͯ͠ߘ
͜ͷ෦ͷݕࠪ݁Ռ
Ұ୴ࣺͯΔ
Slide 26
Slide 26 text
TIJGUKTJOGP
(PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛඋ͠Α͏
&YBNQMFHPTFD
SFWJFXEPH🐾
https://github.com/security-aware-repo-examples/gosec/pull/1
ࠩʹର͢Δࢦఠ͕ίϝϯτͰ
Slide 27
Slide 27 text
TIJGUKTJOGP
(PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛඋ͠Α͏
,FZ5BLFBXBZT
͍ͬͯͯҙෆͰ
੬ऑͳίʔυΛॻ͍ͯ͠·͏
՝
͔͍ࣗͬͯΔ͕ɺ
νʔϜʹݟ͕ਁಁ͠ͳ͍
՝
ͦͦԿʹؾΛ͚ͭΔ͖
͔Λ୭Βͳ͍··
՝ ·ͣHPTFD͔Β࢝ΊΑ͏
HPSVMFHVBSEΛ׆༻Ͱ͖Δ
$*ʹHPTFDΛஔͰ͖Δ
ॳظSFWJFXEPHͷซ༻(PPE
&YBNQMFTBSFBWBJMBCMFBU
IUUQTHJUIVCDPNTFDVSJUZBXBSFSFQPFYBNQMFT
Slide 28
Slide 28 text
ΨʔυϨʔϧΛඋͯ͠ɺ
҆৺ɾ҆શͳ(PϥΠϑΛૹΓ·͠ΐ͏ʂ
Slide 29
Slide 29 text
TIJGUKTJOGP
(PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛඋ͠Α͏
‣ େྔͷ(PQIFS͘Μͨͪ
‣ .BSJB-FUUBGSFFHPQIFSTQBDL
‣ IUUQTHJUIVCDPN.BSJB-FUUBGSFFHPQIFSTQBDL
‣ ΨʔυϨʔϧͷΠϥετ
‣ ͍Β͢ͱ
‣ IUUQTXXXJSBTVUPZBDPNCMPHQPTU@IUNM
"QQFOEJYը૾ͷग़ࣗ