Slide 1

SAKURA Internet Inc. (C) Copyright 1996-2020 SAKURA Internet Inc.
SAKURA Internet Research Center
Design of a Transparent Privilege Separation Method over TCP Based on the Privilege Information of the Client Process
2020/05/15, Senior Researcher Ryosuke Matsumoto
Ryosuke Matsumoto, Yuuki Tsubouchi, FY2020 1st research meeting (49th IOT meeting overall)

Slide 2

Table of contents
1. Background and objectives
2. Privilege separation in multi-tenant systems and related work
3. Proposal of a transparent privilege separation method over TCP
4. Summary

Slide 3

1. Background and objectives

Slide 4

Background
• High-density multi-tenant architectures have been in use for a long time
  • Shared rental servers in web hosting services
  • The various applications of a web service run on the same OS node
  • For example, many processes or containers are started on a single OS node
• A process running in a tenant can be taken over through a vulnerability
  • Vulnerabilities in the public-facing apps of each tenant on a rental server are an everyday occurrence
  • Even a robust web service can be made to execute arbitrary commands through a vulnerability

Slide 5

Related work and issues: we want to solve this on the tenant platform side
• Privilege separation between tenants has been researched and developed (containers included)
  • Basic strategy: isolation of Linux process namespaces and resources
  • Basic strategy: privilege separation based on owner and permission information
  • For example, a method that performs fast privilege separation using threads [1]
• The difficulty of privilege separation across the network ← the motivation of this work
  • Once the ID/password leaks, anyone can talk to the remotely placed DB
  • The cost and complexity of separating networks and DBs per tenant is also an issue
[1] Ryosuke Matsumoto, Yasuo Okabe, "An access control architecture for web servers with thread-level privilege separation", IEICE Transactions B, Vol. ..., No. ..., pp. ..., Oct.

Slide 6

Objectives, scope and contributions of this work
• Proposal of a method that transparently separates the privileges of TCP communication in a multi-tenant environment
  • Assumption: tenants used by unprivileged users, with the host and IP address not taken over
• For a DB shared by several tenants, authenticate based on the connecting process
  • Even if the DB ID/password leaks, only the process (tenant) that is supposed to connect can connect
  • Control at the TCP layer so that the identity cannot be spoofed even when a tenant is taken over
  • With public-key authentication such as SSH, leaking a tenant's private key allows impersonation
  • Usable even on networks whose security is already assured and that do not use TLS

Slide 7

Objectives, scope and contributions of this work
• Define an area in the TCP option header field in which key information can be registered
  • In this work, the owner information of the process (uid/gid) is stored in that area
• A Linux kernel module makes the connecting process's information transparently available to the server-side process at the destination (middleware, etc.)
  • Using the owner information transparently reduces the complexity of the system configuration and the cost of adding systems
  • Keeping the overhead of privilege separation low also widens the range of cases where it can be applied

Slide 8

2. Privilege separation in multi-tenant systems and related work

Slide 9

Example of DB snooping in a multi-tenant system
[Figure: a hosting system with Tenant A (malicious user), Tenant B and Tenant C (each containing an ID/Pass) and a shared Database. The malicious user runs an exploit, reads the ID/Pass held by Tenants B and C, and steals the data of Tenants B and C from the Database, alongside the tenants' normal data access from the Internet.]

Slide 10

Example of data leakage in a web service
[Figure: a web system with an Image Upload Script and a Data Management Script (containing an ID/Pass) in front of a Database. A malicious user on the Internet runs an exploit against the upload script, reads the ID/Pass from the data management script and steals customer data, alongside normal data access.]

Slide 11

Related work on privilege separation over TCP
• The ident protocol (also available as a PostgreSQL authentication method)
  • When a remote server is accessed, it opens a session back to the connection origin and asks who the accessing user is
  • Running identd as root puts it out of the control of unprivileged users
  • A TCP connection to identd is required, so it does not work across NAT
  • The return query and the identd lookup add overhead to each connection
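The ident exchange summarized above, as an added example that is not code from the slides or from the tcpriv project: the server that accepted a TCP connection builds the RFC 1413 query it would send back to port 113 on the client host and parses the reply line. Sockets are left out so that it runs offline; the port numbers, the user name "tenant-b" and the reply lines are constructed sample data.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the slides or the tcpriv project: the ident
 * (RFC 1413) exchange described on slide 11.  The querying host (the server
 * that accepted the connection) sends "<port-on-identd-host>, <port-on-
 * querying-host>" and receives either a USERID or an ERROR line. */

typedef struct {
    int port_on_server;   /* port on the host running identd (the original client) */
    int port_on_client;   /* port on the querying host (the original server) */
    int is_userid;        /* 1 = USERID reply, 0 = ERROR reply */
    char opsys[32];
    char userid[64];
    char error[32];
} ident_reply;

/* Query line; the port on the identd host comes first (RFC 1413 section 4). */
int ident_build_query(char *out, size_t outlen, int port_on_identd_host, int port_on_querying_host)
{
    int n = snprintf(out, outlen, "%d, %d\r\n", port_on_identd_host, port_on_querying_host);
    return (n > 0 && (size_t)n < outlen) ? n : -1;
}

static char *trim(char *s)
{
    char *end;
    while (isspace((unsigned char)*s)) s++;
    end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1])) *--end = '\0';
    return s;
}

/* Parse "<ports> : USERID : <opsys> : <user-id>" or "<ports> : ERROR : <type>".
 * Returns 0 on success, -1 on a malformed line.  The user-id field may itself
 * contain colons, so the line is split into at most four fields. */
int ident_parse_reply(const char *line, ident_reply *r)
{
    char buf[512];
    char *field[4];
    char *p = buf;
    int nf = 0;

    memset(r, 0, sizeof *r);
    if (strlen(line) >= sizeof buf) return -1;
    strcpy(buf, line);

    for (;;) {
        field[nf++] = p;
        if (nf == 4) break;
        p = strchr(p, ':');
        if (p == NULL) break;
        *p++ = '\0';
    }
    if (nf < 3) return -1;
    if (sscanf(trim(field[0]), "%d , %d", &r->port_on_server, &r->port_on_client) != 2) return -1;

    if (strcmp(trim(field[1]), "USERID") == 0) {
        if (nf != 4) return -1;
        r->is_userid = 1;
        snprintf(r->opsys, sizeof r->opsys, "%s", trim(field[2]));
        snprintf(r->userid, sizeof r->userid, "%s", trim(field[3]));
        return 0;
    }
    if (strcmp(trim(field[1]), "ERROR") == 0) {
        if (nf != 3) return -1;
        snprintf(r->error, sizeof r->error, "%s", trim(field[2]));
        return 0;
    }
    return -1;
}

/* Middleware-side check: does the reply name the expected user?
 * Returns 1 yes, 0 no (ERROR reply or another user), -1 malformed line. */
int ident_reply_names_user(const char *line, const char *expected_user)
{
    ident_reply r;
    if (ident_parse_reply(line, &r) != 0) return -1;
    return r.is_userid && strcmp(r.userid, expected_user) == 0;
}

int main(void)
{
    /* Constructed sample: a DB server on port 5432 asks the tenant host about
     * the connection that arrived from source port 6193. */
    char query[32];
    const char *reply = "6193, 5432 : USERID : UNIX : tenant-b\r\n";
    ident_build_query(query, sizeof query, 6193, 5432);
    printf("query : %s", query);
    printf("reply : %s", reply);
    printf("tenant-b? %d\n", ident_reply_names_user(reply, "tenant-b"));
    return 0;
}
```

The two costs the slide names are visible in the shape of the exchange: the query needs a second TCP connection from the server back to the client host (which is what fails across NAT), and every accepted connection pays that extra round trip before authorization can finish.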

Slide 12

Related work on privilege separation over TCP
• When access control is done by managing source IP addresses and ports
  • Port numbers must be managed uniquely per tenant
  • When the number of tenants grows to, say, 100,000, the objects to manage grow and ports run out
  • More objects to manage and a more complex system
  • Overhead of matching against access control lists, etc.

Slide 13

When public-key authentication is used over TLS tunneling
• Each tenant or application process holds a private key and is authenticated by the destination middleware
  • Each tenant must hold a key that the tenant itself can read
  • Just like an ID/password file, the key can leak through a vulnerability, and another tenant, or any process that can connect, could use it to get through authentication
  • Tenant apps can be taken over through vulnerabilities!

Slide 14

HIP
• Host Identity Protocol (HIP)
  • Separates the identifier and locator roles of the IP address
  • The destination identifies the source host uniquely by an identifier encrypted with a public key
  • In principle, as with public-key authentication over TLS tunneling, when used in a multi-tenant setting the problem of leakage of the identifier held by the tenant remains

Slide 15

SPIFFE
• SPIFFE is a specification for service-to-service authentication based on the Zero Trust Network idea
  • A mechanism for verifying whether the client calling an API can be trusted
  • The approach verifies the caller through public-key authentication
  • Keys are rotated periodically from the viewpoint of Perfect Forward Secrecy (PFS)
  • In principle, as with public keys over TLS tunneling, when used in a multi-tenant setting the problem of key leakage inside the tenant remains

Slide 16

Related work using the TCP option header
• RFC 7974 An Experimental TCP Option for Host Identification
  • Authenticates the uniqueness of the connecting host in environments where an IP address is shared
  • Achieves transparency by writing the information into the TCP option header
  • How the unique key should be handled is still under discussion in the RFC
  • In principle the connecting side generates its own unique ID and connects with it, so, as with the TLS tunneling and HIP approaches, the problem of the ID being obtained in a taken-over tenant remains

Slide 17

3. Proposal of a transparent privilege separation method over TCP

Slide 18

Approach of the proposed method
• Proposal of low-overhead, transparent access control that permits authentication only from the process that is supposed to connect, even when data has leaked from the tenant
  • Assumes tenants run by unprivileged users, with the host and IP address not taken over
  • A method in which, even if tenant files leak, authentication cannot be broken unless the tenant's own privileges are taken over
  • To reduce connection overhead, the kernel transparently stores the process owner information in the TCP option header and communicates with it

Slide 19

Flow of the proposed method (tcpriv)
[Figure: Host A (client): Process(Client) -> Socket API -> Kernel TCP/IP Stack, where a Kernel Module inserts the tcpriv TCP options. TCP -> Host B (server): the Kernel Module in the Kernel TCP/IP Stack detects the tcpriv TCP options and exposes them through /proc; a Library in user land reads the tcpriv information for Process(Middleware).]

Slide 20

Design and implementation
• Define a key storage area in the TCP option header as an experimental option
  • Uses the TCP option header of the SYN packet at connection establishment
  • kind no (8 bits) + length (8 bits) + ExID (32 bits) + contents (64 bits)
  • The kernel stores the Linux uid (32 bits) and gid (32 bits) in the contents area
  • After the sender stores it, the destination server parses this area and retrieves it
• Everything is implemented as a Linux kernel module, without modifying the kernel
  • Ensures portability (though the kernel version still has to be tracked)
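The option layout on this slide, together with the approach of slides 7 and 18, as an added example that is not code from the slides or from the tcpriv project: the option is encoded the way the client-side kernel module would place it in the SYN, parsed the way the server side would walk the option list, and then used for the owner check that the middleware can make. Assumptions, labelled in the code: the option kind (253, one of the two experimental kinds of RFC 4727/6994), the ExID value, the account table and the uid values are placeholders or constructed sample data; the slide gives none of them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the slides or the tcpriv project: the option
 * layout of slide 20 (kind 8 bits + length 8 bits + ExID 32 bits + contents
 * 64 bits, contents = uid 32 bits || gid 32 bits) in user space so that it
 * runs offline.  Kind and ExID are ASSUMPTIONS, not the module's real values. */

#define TCPRIV_KIND 253u          /* ASSUMPTION: experimental option kind */
#define TCPRIV_EXID 0x54435052u   /* ASSUMPTION: placeholder ExID */
#define TCPRIV_LEN  14u           /* 1 + 1 + 4 + 4 + 4 bytes */

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Client side: what the kernel module writes into the SYN's option space.
 * uid/gid come from the kernel's view of the sending process, never from
 * the process itself, which is the point of the design. */
size_t tcpriv_encode(uint8_t *out, size_t outlen, uint32_t uid, uint32_t gid)
{
    if (outlen < TCPRIV_LEN) return 0;
    out[0] = TCPRIV_KIND;
    out[1] = TCPRIV_LEN;
    put_be32(out + 2, TCPRIV_EXID);
    put_be32(out + 6, uid);
    put_be32(out + 10, gid);
    return TCPRIV_LEN;
}

/* Server side: walk the SYN option list (EOL = 0, NOP = 1, everything else
 * kind/len/data) and extract uid/gid.  Returns 1 if a well-formed tcpriv
 * option is present, 0 if absent, -1 if the list is malformed; a receiver
 * should treat both 0 and -1 as "no owner information". */
int tcpriv_find(const uint8_t *opts, size_t len, uint32_t *uid, uint32_t *gid)
{
    size_t i = 0;
    while (i < len) {
        uint8_t kind = opts[i];
        if (kind == 0) break;               /* end of option list */
        if (kind == 1) { i++; continue; }   /* NOP padding */
        if (i + 1 >= len) return -1;        /* length byte missing */
        uint8_t olen = opts[i + 1];
        if (olen < 2 || i + olen > len) return -1;
        if (kind == TCPRIV_KIND && olen == TCPRIV_LEN &&
            get_be32(opts + i + 2) == TCPRIV_EXID) {
            *uid = get_be32(opts + i + 6);
            *gid = get_be32(opts + i + 10);
            return 1;
        }
        i += olen;
    }
    return 0;
}

/* Middleware policy (constructed sample data): each DB account is bound to
 * the uid of the tenant that owns it.  A connection presenting a leaked
 * password but the wrong uid, or no tcpriv option at all, is refused. */
struct db_account { const char *name; uint32_t owner_uid; };
static const struct db_account ACCOUNTS[] = {
    { "tenant_b", 1002 },
    { "tenant_c", 1003 },
};

int tcpriv_authorize(const char *db_user, const uint8_t *syn_opts, size_t len)
{
    uint32_t uid, gid;
    size_t k;
    if (tcpriv_find(syn_opts, len, &uid, &gid) != 1) return 0;
    for (k = 0; k < sizeof ACCOUNTS / sizeof ACCOUNTS[0]; k++)
        if (strcmp(ACCOUNTS[k].name, db_user) == 0)
            return ACCOUNTS[k].owner_uid == uid;
    return 0;
}

/* Constructed SYN option list: MSS 1460, the tcpriv option, and two NOPs so
 * the total (20 bytes) is a multiple of 4, as TCP requires. */
size_t build_sample_syn_options(uint8_t *out, size_t outlen, uint32_t uid, uint32_t gid)
{
    static const uint8_t mss[4] = { 2, 4, 0x05, 0xb4 };
    size_t n;
    if (outlen < 20) return 0;
    memcpy(out, mss, 4);
    n = 4 + tcpriv_encode(out + 4, outlen - 4, uid, gid);
    out[n++] = 1;
    out[n++] = 1;
    return n;
}

int main(void)
{
    uint8_t opts[40];
    size_t n = build_sample_syn_options(opts, sizeof opts, 1002, 1002);
    printf("SYN carries %zu option bytes\n", n);
    printf("tenant_b from uid 1002: %d\n", tcpriv_authorize("tenant_b", opts, n));
    printf("tenant_c from uid 1002: %d\n", tcpriv_authorize("tenant_c", opts, n));
    return 0;
}
```

Two design points worth checking against a real deployment: the 14-byte option plus padding must share the 40-byte TCP option space with the options a Linux SYN already carries (MSS, SACK-permitted, timestamps, window scale, about 20 bytes), which it does; and the uid in the option is only as trustworthy as the assumptions on slides 6 and 18 (host and IP address not taken over, a network where the SYN cannot be forged), so the server-side check replaces a leaked password as the decision input rather than adding cryptographic proof of its own.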

Slide 21

DEMO https://github.com/matsumotory/tcpriv

Slide 22

5. Summary

Slide 23

Summary and future work
• Proposed access control that transparently uses the owner information of the connecting process
  • Usable without storing public keys or ID/password information in a form the tenant can read
• Plan to develop a library for retrieving the owner information from user land at connection establishment
  • Implement it in middleware such as databases and evaluate performance and reliability
  • Also consider whether it can be designed and implemented as a proxy-style authentication gateway
  • Plan to compare performance against control based on ident and on access control lists