Slide 1
Slide 1 text
WebσόΠετϥοΩϯάख๏ͷ
հ
@kuro_m88
ใՊֶएखͷձ ౙͷਞ 2019/01/20
Slide 2
Slide 2 text
ࣗݾհ
• ࠇ࡚ ༏ଠ (@kuro_m88)
• ใՊֶएखͷձ װࣄ
• ࣄαʔόαΠυΤϯδχΞ
• झຯͰαʔόӡ༻Λ͍ͯ͠·͢
Slide 3
Slide 3 text
ຊ͓͢Δ͜ͱ
• ݸਓతʹWebσόΠετϥοΩϯάख๏͕ͲΜͳͷ͕
ଘࡏ͢Δͷ͔ௐͯɺڵຯਂ͔ͬͨख๏ͷհ
Slide 4
Slide 4 text
σόΠετϥοΩϯάͱ
Slide 5
Slide 5 text
σόΠετϥοΩϯάΛ͍ͨ͠ཧ༝
• αʔόଆ͕ಉ͡ਓͱͷ௨৴Ͱ͋ΔࣄΛΓ͍ͨ
• Ұൠʹ =
• ෳσόΠεʹ·͕ͨΔ߹ΫϩεσόΠετϥοΩϯά
Slide 6
Slide 6 text
σόΠετϥοΩϯάͰͰ͖Δ͜ͱ
(ྫ)
• ηογϣϯ(ϩάΠϯ)ͷҡ࣋
• ϦεΫϕʔεೝূ
• σδλϧϑΥϨϯδΫε
• ߦಈλʔήςΟϯάࠂ
Slide 7
Slide 7 text
σόΠετϥοΩϯάͷͨΊʹඞཁ
ͳ͜ͱ
• ಉҰΛಛఆ/ਪఆ͢ΔͨΊͷใΛूΊͳ͚ΕͳΒͳ͍
• Fingerprintingͱݴ͏ͱը໘ղ૾GPUͷڍಈ
UserAgent͕ྫͱͯ͠Α͘ڍ͛ΒΕΔ͕ɺεϚϗͷ߹
΄ͱΜͲҰॹʹͳͬͯ͠·͏
Slide 8
Slide 8 text
σόΠετϥοΩϯάख๏ʹ
·ͭΘΔٞ
• ݱ࣮ੈքͰԿ͔͠ΒͷαʔϏεΛఏڙ͢ΔதͰσόΠεΛτϥο
Ωϯά͢ΔࡍϢʔβʹڐՄΛऔͬͨΓ(ΦϓτΠϯ)ɺڋ൱͢Δ
͜ͱ͕Ͱ͖ͨΓ(ΦϓτΞτ)͢Δ͜ͱ͕ଟ͍
• Ϣʔβͷίϯτϩʔϧ͕ޮ͔ͳ͍ํ๏ʹͳΔ͜ͱ͕ଟ͍
• ࠓճٕज़ͷͷΈ͠·͢
Slide 9
Slide 9 text
σόΠετϥοΩϯάٕज़6બʂ
• Cookie
• IP Address
• HSTS Super Cookie
• TCP Timestamp
• SSL Session Ticket
• IP Address (࠶)
Slide 10
Slide 10 text
Cookie
Slide 11
Slide 11 text
Cookie
• Web։ൃ͍ͯ͠ΔਓͳΒ͖ͬͱ͍ͬͯΔͣ#
• Same Origin Policy͕͋Δ
• ྫ: example.com ͷCookieexample.jpͷαʔό͔ΒݟΒΕͳ͍
• Cookie SyncΛ͢Δ͜ͱͰτϥοΩϯάͰ͖Δൣғ͕ͻΖ͕Δ
• AppleITPͱ͍͏ͷΛಋೖ͠CookieʹΑΔτϥοΩϯάʹ
੍ݶΛ͔͚͍ͯΔ
• εϚϗͩͱIDFA/AdIDͱ͍͏ͷ͋Δ
Slide 12
Slide 12 text
• ࠂͷDSPͱSSPͷؒͳͲͰΑ͘ߦΘΕΔॲཧ
Cookie Sync
example.com: AAAA
example.jp: BBBB
example.com: AAAA
redirect example.jp, param: =AAAA
example.jp: BBBB, param: AAAA
example.com: AAAA example.jp: BBBB
=
Slide 13
Slide 13 text
IP Address
Slide 14
Slide 14 text
IP Address
• 192.168.0.1ͷΑ͏ʹॻ͖ද͞ΕΔͷ
• ʮΠϯλʔωοτ্ͷॅॴ ʯͳͲͱݴΘΕΔ͜ͱ
• 32bit, 2^32 ≒ 43ԯ ௨Γͷදݱ͕Ͱ͖Δ
• ٿਓޱ73ԯਓʹ1ׂͭͮͭΓͯΒΕͳ͍ͱ͍͏ܽΛ࣋ͭ
Slide 15
Slide 15 text
IP Address͚ͩͰτϥοΩϯάෆ
ೳ
• ʮΠϯλʔωοτ্ͷॅॴ ʯ= Ͱͳ͍
• ͱ͍͏ΑΓ
• ͜ͷͨΊʹૹ৴ݩIP͕͔ͬͯಉҰૹ৴ݩͱݶΒͳ͍'
Slide 16
Slide 16 text
NAT
• NetworkAddressTranslation
• Global IPΞυϨεΛԆ໋/અ͢Δٕज़
• PrivateIPΛ༻͍ɺ(srcIP,srcPort,dstIP,dstPort,protocolNum)ͷ
Έ߹ΘͤͰΞυϨεΛ1ରଟͰϚοϐϯά͢Δ
• ISP͕ߦ͏߹CareerGradeNATͱ͔LargeScaleNAT
ͱݺΕΔ
Slide 17
Slide 17 text
ͱ͍͏͜ͱ…
• Global IPͱPrivate IP͕1ରଟͰϚοϐϯά͞Ε͍ͯΔ͔Β
ಛఆͰ͖ͳ͍
• Global IPͱPrivate IPͷΈ߹Θ͕ͤಘΒΕΕ
ಛఆͰ͖ΔͷͰ
• ※2ஈҎ্ͷଟஈNATͷ߹ಛఆෆೳ
Slide 18
Slide 18 text
XHRํࣜ
• JavaScriptͷXHRͰదͳൣғͷશͯͷPrivateIPʹϦΫΤετ
Λૹ৴͠ɺฦ͖ͬͯͨͷͷϨεϙϯελΠϜΛಛྔͱ͢Δ
• ύέοτΛେྔʹૹΔͱ߈ܸʹͳΓ͔Ͷͳ͍
εΩϟϯ͢Δ
Slide 19
Slide 19 text
WebRTCํࣜ
• WebRTCͷRTCPeerConnectionͷicecandidateΛར༻͢Δ
• WebRTC(P2P)ͷʮNAT͑ʯͷͨΊͷٕज़
• Private IP͕औಘͰ͖Δ
ΓऔΓ͢ΔͨΊʹ͓ޓ͍ͷIPΞυϨε
(Private/Global)
Λަ͢Δ
Slide 20
Slide 20 text
HSTS Super Cookie
Slide 21
Slide 21 text
HSTS Super Cookie
• HSTSͱ͍͏ϓϩτίϧΛར༻ͨ͠ख๏
• HSTS: webαʔό͕httpͰΞΫηε͞Εͨ࣌ʹ࣍ճ͔Β
httpsͰଓͯ͠΄͍͠ͱ͍͏ใΛՃ͢Δ
• HSTSΛೝࣝͨ͠ϒϥβ࣍ճҎ߱httpͰURL͕ೖྗ
͞Εͯ࠷ॳ͔ΒhttpsͰΞΫηε͢ΔΑ͏ʹͳΔ
Slide 22
Slide 22 text
HSTS Super Cookie
• HSTSΛೝࣝͨ͠ϒϥβ࣍ճҎ߱httpͰURL͕ೖྗ͞Εͯ
࠷ॳ͔ΒhttpsͰΞΫηε͢ΔΑ͏ʹͳΔ
• httpͰΞΫηεͤͨ͞ͷͷhttpsͰ௨৴͕དྷͨ => 1bitͷใྔ
• 32ݸͷαϒυϝΠϯΛ༻ҙͯ͠ɺHSTS͕༗ޮ/ແޮΛϥϯμϜʹ
Γସ͑Δͱ32bitͷใྔʹͳΓɺ43ԯσόΠε͕ࣝผͰ͖Δ
Slide 23
Slide 23 text
HSTS Super Cookie
• Super CookieΛ"هԱͤ͞Δ"
HSTS ON
HSTS OFF
HSTS ON
a.example.com
b.example.com
c.example.com
Slide 24
Slide 24 text
HSTS Super Cookie
• Super CookieΛ"ಡΈग़͢"
• HTTPͰΞΫηεͤ͞Δ
• HSTS͕༗ޮͳͱ͜Ζ͚ͩHTTPͷͭΓ͕
HTTPSͰϦΫΤετ͕͘Δ
1
0
1
HTTP
HTTPS
HTTPS
ϢʔβͷID: 011
a.example.com
b.example.com
c.example.com
Slide 25
Slide 25 text
࣮ࡍͷڍಈ
Slide 26
Slide 26 text
TCP Timestamp
Slide 27
Slide 27 text
TCP Timestamp
Slide 28
Slide 28 text
RFC1323
• TCP Timestampʹ͍ͭͯنఆ
• Timestamp1msʙ1ඵִؒͰ૿ܾ͢·Γ
• OptionalͳϑΟʔϧυ
• ߋ৽ִؒ໌ࣔ͞Ε͍ͯͳ͍, ࣮ґଘ
Slide 29
Slide 29 text
TCPͷγʔέϯε൪߸ͱͷҧ͍ʁ
• TCP Timestamp ≠ TCP Sequence '
• γʔέϯε൪߸σʔλͷόΠτຖʹৼΒΕΔ(32bit)
• ߴͳωοτϫʔΫͰ࣌ؒͰΧϯλ͕1िͯ͠͠·͏
• λΠϜελϯϓ+γʔέϯε൪߸ͰύέοτͷॱংΛอূ͢Δ
Slide 30
Slide 30 text
TCP TimeStampΛτϥοΩϯάʹར༻͢Δ
• ͋Δఔ(25msʙ10minఔ)ஔ͍ͨ2ͭͷTCPύέοτͷ
• ౸ண࣌ࠁ(t1, t2)
• TCPλΠϜελϯϓ(ts1, ts2)
• TCPλΠϜελϯϓͷपΛٻΊΔ
freq = (ts2 - ts0) * 1000 / (t1 - t0)
Slide 31
Slide 31 text
TCP TimeStampΛτϥοΩϯάʹར༻
͢Δ
• TCPλΠϜελϯϓΛपͰׂΔ
• σόΠεͷuptime(ىಈ࣌ؒ)͕ٻ·Δ
• uptime͑͞ٻ·ΕIPΞυϨεͱֻ͚߹ΘͤΕ͕
ਪఆՄೳʹ(ͽͬͨΓಉ࣌ࠁʹىಈ͢Δ͍ͳ͍ͱԾఆ)
uptime = ts1 / freq
Slide 32
Slide 32 text
uptimeਪఆ͕؆୯ʹࢼͤΔπʔϧ
• p0f (http://lcamtuf.coredump.cx/p0f3/)
• ىಈͯ͠ΠϯλʔϑΣΠεΛࢦఆ͢Δ͚ͩ
.-[ 10.0.3.10/47099 -> 10.0.3.1/22 (syn) ]-
|
| client = 10.0.3.10/47099
| os = Linux 3.11 and newer
| dist = 0
| params = none
| raw_sig = 4:64+0:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0
|
`----
.-[ 10.0.3.10/47099 -> 10.0.3.1/22 (uptime) ]-
|
| client = 10.0.3.10/47099
| uptime = 0 days 0 hrs 8 min (modulo 198 days)
| raw_freq = 250.04 Hz
|
Slide 33
Slide 33 text
͏·͍͔͘ͳͦ͞͏ͳ
• Linuxͷ࣮ΛݟͨݶΓɺtimestampͷߋ৽CPUͷλΠϚʔׂΓࠐΈ͕
ϕʔεͬΆ͍(jiffies)
• ͕εϦʔϓͯ͠ΔؒλΠϜελϯϓͷߋ৽͕ࢭ·Δ…ʁ
• Linux v4.10͔ΒTCP Timestamp͕ίωΫγϣϯ͝ͱʹϥϯμϜʹͳͬͨ
• https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
commit/?id=95a22caee396cef0bb2ca8fafdd82966a49367bb
Slide 34
Slide 34 text
SSL Session Ticket
Slide 35
Slide 35 text
SSL Handshake
https://blogs.msdn.microsoft.com/kaushal/2013/08/02/ssl-handshake-and-https-bindings-on-iis/
Slide 36
Slide 36 text
SSL Session Ticket
https://techblog.yahoo.co.jp/infrastructure/ssl-session-resumption/
Slide 37
Slide 37 text
SSL Session Ticket
https://techblog.yahoo.co.jp/infrastructure/ssl-session-resumption/
Slide 38
Slide 38 text
SSL Session TicketΛτϥοΩϯάʹ
͏
ͨ͠νέοτΛͬͯ࠶ଓͯ͘͠ΔͷͰ
ಉҰϢʔβͩͱΘ͔Δ
Slide 39
Slide 39 text
IP Address (࠶)
Slide 40
Slide 40 text
IPv6
• ͖͞΄ͲͷྫIPv4
• IPv4͔ΒҠߦதͷٕज़(ͱݴΘΕ͍ͯΔ)
• 2001:240:2401:4f7f:d051:d1bf:544e:cfc0 ͜Μͳײ͡Ͱද͞ΕΔ
• 128bit, 2^128 ≒ 340ݸ
• ਓྨͷͷໟ1ຊ1ຊʹΞυϨεΛׂΓͯͯશ͘৺ͳ͍
εέʔϥϏϦςΟ(ͱݴΘΕ͍ͯΔ)
Slide 41
Slide 41 text
IPv6NAT͠ͳ͍ͷ͔ʁ
• NATෆཁ (NAT as a Firewallͷ࣌ऴΘΔ…ʁ)
• → 1IP = ͷ͕͖͍࣌ͯΔ
• සൟʹม͑Δͱ௨৴ཱ͕͠ͳ͘ͳΔ
• !໋ͳIDͱͯ͠ػೳ͠͏Δ
Slide 42
Slide 42 text
IPv6ͷσϓϩΠঢ়گ
• Appleͷ৹ࠪͰIPv6ରԠ͕ඞਢʹ
• ຊͷܞଳΩϟϦΞIPv6σϓϩΠʹফۃతͩͬͨ
• ૯লౖ͕ͬͯ2017தͷ
ಋೖΛཁ
• ࠓͰΘΓͱ
ීٴ͖͍ͯͯ͠Δͣ
Slide 43
Slide 43 text
·ͱΊ
• ༷ʑͳσόΠεͷτϥοΩϯάख๏Λௐࠪ͠·ͨ͠
• ཁૉٕज़ͷత͔Β͢ΔͱҙਤͤͣτϥοΩϯάͰ͖
ͯ͠·͏ͷʹؔͯ͠ηΩϡϦςΟ্ͷཧ༝͔Βम
ਖ਼͕Ճ͑ΒΕ͍ͯΔͷ͋Δ