Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Spectreについて

Yuki Saito
August 03, 2018
Programming
2
1.6k

 Spectreについて

すみだセキュリティ勉強会にて

Yuki Saito

August 03, 2018
Tweet

More Decks by Yuki Saito

See All by Yuki Saito
Black Hatで話題になったGyoiThonを使ってみた!
saiyuki1919
1
1k
私の大好きなFormat String Attack
saiyuki1919
2
720

Other Decks in Programming

See All in Programming
良い開発生産性を目指せば採用もうまくいく
rinchsan
0
350
Avoiding common pitfalls with modern microservices testing
hollycummins
0
150
what's new in Material Design で気になったトピック
punchdrunker
1
230
デザイナーと協業しているNuxtプロジェクトを、ChromaticによるVRTでさらに改善した話
mozu1206
0
140
Let's write RBS!
pocke
0
1.6k
Parsing RBS
soutaro
0
460
LINEBotCourse.pdf
maguroalternative
0
100
SwiftSyntaxが面白い
ryu_hu03
1
350
FSE時代におけるWEBサイト制作の研究 #wpshinshu / 2023-05-20 Shinshu WordPress Meetup vol.23
torounit
0
210
ランニングコストやっべぇぞ!ECS/FargateでECRへのアクセスについて
honma12345
0
770
読みやすいコードの書き方 第 1 回 / Code readability: Session 1 (ver. 2, Ja)
munetoshi
1
490
Architecting For Scale
squer
0
170

Featured

See All Featured
The Mythical Team-Month
searls
211
41k
RailsConf 2023
tenderlove
0
89
Why You Should Never Use an ORM
jnunemaker
PRO
49
8.1k
The Language of Interfaces
destraynor
149
21k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
101
6.2k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
183
15k
The Invisible Side of Design
smashingmag
292
49k
Keith and Marios Guide to Fast Websites
keithpitt
407
21k
A Philosophy of Restraint
colly
195
15k
Infographics Made Easy
chrislema
236
17k
Making the Leap to Tech Lead
cromwellryan
118
7.8k
Three Pipe Problems
jasonvnalue
89
9.1k

Transcript

  1. 4QFDUSFʹ͍ͭͯ
    2018/08/04 

    ͢ΈͩηΩϡϦςΟษڧձ 

    @saiyuki1919


    View Slide

  2. ࣗݾ঺հ
    w ໊લɿᴡ౻༔ر 4BJUP:VLJ

    w झຯɿ
    w ϦόʔεΤϯδχΞϦϯάͳͲͷηΩϡϦςΟશൠ
    w ػցֶश
    w ܦྺ
    w ηΩϡϦςΟɾΩϟϯϓશࠃେձ
    w ݩ.JDSPTPGU4UVEFOU1BSUOFST
    w ݱηΩϡϦςΟΤϯδχΞʁ ηΩϡϦςΟؔ࿈ۀ຿

    w ࠷ۙ΍ͬͯΈ͍ͨ͜ͱ
    w ϋχʔϙοτͷࣗ୐ӡ༻
    w ηΩϡϦςΟؔ࿈ͷ044ͷ։ൃ


    View Slide

  3. ໨࣍
    4QFDUSFͷҰ࿈ͷࣄ݅
    ൃݟ͞Εͨ੬ऑੑͱ͸ʁ
    ߈ܸͱରࡦ


    View Slide

  4. 4QFDUSFͷҰ࿈ͷ૽ಈ
    2018೥ਖ਼݄ૣʑɺϓϩηοαۀքʹ૽ಈ͕ى͖ͨʂ
    SpectreʢεϖΫλʔʣͱMeltdownʢϝϧτμ΢ϯʣͱݺ͹ΕΔϓϩηοαͷ੬ऑੑ͕ൃݟ͞Εͨɻ
    Meltdown͸Intel੡CPUͱARM ੡ CPU ͷҰ෦͕ӨڹͰɺSpectre͸IntelɾAMDɾARMͳͲͷ͢΂ͯͷ
    ϓϩηοαʹ಺ࡏ͢ΔՄೳੑ͕͋Δͱൃද͞Εͨɻ
    GoogleͷηΩϡϦςΟରࡦ෦໳Project Zero͸ɺʮ౤ػత࣮ߦʯʹΑͬͯҾ͖ى͜͞ΕΔਂࠁͳη
    ΩϡϦςΟ্ͷ੬ऑੑΛ2017೥6݄ͷஈ֊Ͱ೺Ѳ͠ɺIntelɺAMDɺARMͳͲͷνοϓϕϯμʔʹ௨஌
    ͍ͯͨ͠ɻ

    ͦ͜ͰɺMircosoft͸1݄9೔ͷPatch TuesdayͰdisclose͞ΕΔ༧ఆͰͨ͠ɻ

    ͔͠͠ɺΠΪϦεͷITࢽʮThe Registerʯ͕1݄2೔ʹ

    ʮϋʔυ΢ΣΞͷมߋ͕ඞཁͰ͋Γɺιϑτ΢ΣΞͰͷηΩϡϦςΟରࡦ͸ύϑΥʔϚϯεͷେ෯ͳ
    ௿ԼΛҾ͖ى͜͢ʯ

    ͱൃදͨ͠ͷͰɺۀքΛࠞཚͤͨ͞!


    View Slide

  5. ൃݟ͞Εͨ੬ऑੑ
    • Variant 1: bounds check bypass (CVE-2017-5753)

    • Variant 2: branch target injection (CVE-2017-5715)

    • Variant 3: rogue data cache load (CVE-2017-5754)

    • Variant 3a: Rogue System Register Read (CVE-2018-3640)

    • Variant 4: Speculative store bypass (CVE-2018-3639)

    ʮVariant 1ʯͱʮVariant 2ʯ͕Spectre

    ʮVariant 3ʯ͕Meltdownͱݺ͹ΕΔ੬ऑੑͰ͢ɻ

    CPUੑೳ޲্ͷͨΊͷʮ౤ػత࣮ߦ(Speculative Execution)ʯͱ͍͏࢓૊Έ͕ݪҼ
    Ͱɺ͍ͣΕͷ੬ऑੑ΋αΠυνϟωϧ߈ܸʹ෼ྨ͞Ε·͢ɻ


    View Slide

  6. αΠυνϟωϧ߈ܸͱ͸
    αΠυνϟωϧ߈ܸ͸ి࣓೾΍೤ɺిྗྔ΍ॲཧ࣌ؒͷҧ͍ͳͲΛ
    ෺ཧతखஈͰ؍࡯͢Δ͜ͱͰख͕͔ΓΛಘΑ͏ͱ͢Δ΋ͷͰ͢ɻ


    αΠυνϟωϧͱ͸ɺਖ਼نͷೖग़ྗܦ࿏Ͱ͸ͳ͍͜ͱΛҙຯ͓ͯ͠Γɺ
    ΞϧΰϦζϜͱ͸ҟͳΔ෭࣍త৘ใͰ͋Δ͜ͱ͔Β͜ͷΑ͏ʹݺ͹Ε
    ͍ͯ·͢ɻ
    IUUQJPUKQDPNJPUTVNNBSZJPUUFDI
    &#&"&&&"&%&"#&##
    &&'#$TJEFDIBOOFMBUUBDL&'#$IUNM
    Ҿ༻ݩ


    View Slide

  7. ΠϯύΫτ
    w Ϋϥ΢υαʔϏε΍.41

    Ϩϯλϧαʔό΍ɺ*BB41BB4౳ͷ7.Λಈ͔͢Ϋϥ΢υαʔϏεͷࣄۀ
    ऀ౳ʹ͸େ͖ͳΠϯύΫτΛ༩͑ͨɻ

    w ϓϩηοαۀք

    4QFDUSF͸*OUFM͚ͩͰͳ͘ɺ".%΍"3.ͳͲͷνοϓશൠʹؔ܎͢Δ੬
    ऑੑͰ͋Γɺ1$͚ͩͰͳ͘"3.ϕʔεͷ$16Λ࠾༻͢ΔεϚʔτϑΥϯ
    ΛؚΊͨɺΑΓ޿͍୺຤ʹӨڹΛٴ΅͔͠Ͷͳ͍ͱ͍͏͜ͱͰେ͖ͳ࿩୊
    ͱͳͬͨɻ


    View Slide

  8. ެදޙʹى͖ͨࣄ݅
    w ʮ.FMUEPXOʯʮ4QFDUSFʯΛૂ͏Ϛϧ΢ΣΞαϯϓϧɺେྔʹൃݟ
    w "75&45*OTUJUVUF͸ɺ$16ʹଘࡏ͢Δʮ.FMUEPXOʯ͓Αͼʮ4QFDUSFʯ੬ऑੑΛѱ༻͠Α͏
    ͱ͢ΔϚϧ΢ΣΞͷઌۦ͚ͱݟΒΕΔαϯϓϧݸΛൃݟͨ͠ɻ

    IUUQTKBQBODOFUDPNBSUJDMF

    w ʮ4QFDUSFʯʮ.FMUEPXOʯͷύονΛِ૷ͨ͠Ϛϧ΢ΣΞʹ஫ҙ
    w ύονΛِ૷ͨ͠Ϛϧ΢ΣΞ͕ଘࡏ͠ʮ4NPLF-PBEFSʯ΁ͷײછΛଅ͢

    IUUQTOFXTNZOBWJKQBSUJDMF

    w Πϯςϧɺ4QFDUSFɾ.FMUEPXOରԠͰϓϩηοαʔઃܭΛมߋ
    w Πϯςϧ͸੬ऑੑΛܰࢹ͍͗ͯͨ͢͠ͱͯ͠ɺถࠃٞձ͔Βઆ໌ΛٻΊΒΕɺ͞Βʹ໿݅΋
    ͷूஂૌুΛى͜͞Εͨ

    IUUQTKBQBOFTFFOHBEHFUDPNTQFDUSFNFMUEPXO


    View Slide

  9. 4QFDUSFͱ͸
    • Variant 1: bounds check bypass (CVE-2017-5753)

    ͋Δ໋ྩͰຊདྷɺಡΈࠐΉ͜ͱ͕Ͱ͖ͳ͍ଞϓϩηεͷϝϞϦʔྖҬΛΩϟογϡ
    ʹಡΈͩͤ͞ɺผͷ໋ྩͰʰΩϟογϡྖҬʱͷϝϞϦͷread଎౓ΛνΣοΫ͢Δ
    ͜ͱͰϝϞϦྖҬͷ಺༰ΛਪఆͰ͖Δɻ


    • Variant 2: branch target injection (CVE-2017-5715)

    ʮؒ઀෼ذ༧ଌثʯΛར༻͢Δ΋ͷͰɺยํͷVMͰ෼ذΛෆਖ਼ͳϓϩάϥϜΛݺ
    ͼग़ͨ͢Ίʹௐઅ͠·͢ɻௐઅͨ͠༧ଌςʔϒϧΛ΋͏ยํͷVMͰϝϞϦΞυϨ
    ε͔Β౤ػ࣮ߦͤ͞Δɻ


    View Slide

  10. 4QFDUSFͷ੬ऑੑ֓ཁ
    ι
    ϑ
    τ
    ΢
    Σ
    Ξ
    ϋ
    c
    υ
    ΢
    Σ
    Ξ
    ΞϓϦέʔγϣϯ" ΞϓϦέʔγϣϯ#
    ɾɾɾ
    04
    $16 ੬ऑੑ
    ௨ৗ͸ΞΫηεͰ͖ͳ͍ϝϞϦྖҬಡΈࠐΉ
    ϝϞϦྖҬɹϝϞϦྖҬɹϝϞϦྖҬ


    View Slide

  11. ౤ػ࣮ߦͱ͸
    'FUDI
    %FDPEF
    &YFDVUF
    8SJUF#BDL
    ໋ྩ ໋ྩ ໋ྩ
    ໋ྩ ໋ྩ
    ໋ྩ ໋ྩ
    ໋ྩ ໋ྩ ໋ྩ
    ໋ྩ
    ໋ྩ
    'FUDI
    %FDPEF
    &YFDVUF
    8SJUF#BDL
    ໋ྩ ໋ྩ ໋ྩ
    ໋ྩ ໋ྩ
    ໋ྩ ໋ྩ
    ໋ྩ ໋ྩ
    ໋ྩ
    5JNFMPTT
    ௨ৗ
    ౤ػ࣮ߦ


    View Slide

  12. bounds check bypass (CVE-2017-5753)
    JGจͷ಺༰͕USVFʹͳ͍ͬͯΔύλʔϯ͕ଟ͚Ε͹ɺJGจͷ಺༰͕GBMTFͰ΋౤ػ࣮
    ߦʹΑΓ෼ذ໋ྩΛ௒͑ͯઌʹ࣮ߦ͞ΕΔ
    Yͷ஋Λࣗ༝ʹૢ࡞ͯ͠ɺBSSBZͰݺͼग़͍ͨ͠ϝϞϦΞυϨεʹ͢Δ
    BSSBͰBSSBZͷΩϟογϡϥΠϯ෼ΛBSSBZͰࢦఆ͠ϝϞϦʔʹอଘ
    ͠Ωϟογϡ͢Δ
    [email protected][Fͷॲཧ͕GBMTFͱΘ͔Ε͹ɺBSSBZ͸ϝϞϦʔ͔Βഁغ͞ΕΔ͕--
    -౳Ωϟογϡʹ͸࢒Δ
    BSSBZ͸---౳ʹΩϟογϡʹ৐͍ͬͯΔͷͰɺ͔ΒͰ૬౰͢ΔΞυϨ
    εʹॱংʹΞΫηε͠ɺSFBE଎౓͕ૣ͔ͬͨͱ͜Ζ͕BSSBZͷϝϞϦͷ஋ʹͳΔ
    if (x < array1_size)
    y = array2[array1[x] * 256];


    View Slide

  13. branch target injection (CVE-2017-5715)
    ౤ػ࣮ߦͱ#5# ෼ذઌόοϑΝ
    ͱؒ઀෼ذ໋ྩΛར༻ͨ͠߈ܸͰ͢
    ؒ઀෼ذ໋ྩͱ͸

    ෼ذઌ͕Ϩδελ΍ϝϞϦͷ஋ʹΑͬͯࢦఆ͞ΕΔ໋ྩ

    YͰ͸DBMMͱKNQͳͲ

    ౤ػ࣮ߦʹΑ࣮ͬͯߦ͞ΕΔ໋ྩ͸ʁɹ὎#5#Λ֬ೝʂ
    #5##SBODI5BSHFU#V⒎FSͱ͸

    ෼ذઌΛ෼ذݩΞυϨεͰอଘ͢ΔόοϑΝ

    ෼ذݩͷϝϞϦΞυϨεͷ಺ͷCJUΛݩʹ෼ذઌͷ

    ɹɹϝϞϦΞυϨεΛ༧ଌ͍ͯ͠Δ

    ͭͷ෺ཧίΞΛͭͷ࿦ཧίΞʹ෼ׂͯ͠΋ؒ઀෼ذ༧ଌʹ࢖ΘΕΔ༧ଌ

    ςʔϒϧ #5#
    ͸ڞ༗͞ΕΔ


    View Slide

  14. #)##SBODI)JTUPSZ#V⒎FSͱ͸
    աڈͷ෼ذ༧૝݁Ռͷ౰ͨΓ֎ΕΛه࿥͢ΔόοϑΝ
    ௚ۙ໿ճ෼ͷཤྺΛอ؅͍ͯ͠Δ

    ෼ذύλʔϯΛ#)#Ͱݟ͚ͭΔͱɺ෼ذઌΛ#5#ʹ୳͠ʹߦ͘


    View Slide

  15. branch target injection (CVE-2017-5715)
    ϢʔβۭؒͰ#)#Λʮֶशʯͤ͞Δ

    #)#ͷֶशͷͨΊʹճ෼͸࠶ݱ͢Δ
    ผͷεϨουͰ༠ಋ͍ͨ͠ΞυϨε΁ͷ෼ذΛ܁Γฦ͠ɺ#5#ͷ෼
    ذઌͷΞυϨεΛ࣮ߦ͍ͨ͠ෆਖ਼ͳ໋ྩͷΞυϨεʹઃఆ͢Δ
    ౤ػ࣮ߦʹΑͬͯෆਖ਼ͳ໋ྩΛ࣮ߦͤ͞Δ


    View Slide

  16. ૝ఆ͞ΕΔ߈ܸ
    w ύεϫʔυ΍ΫοΩʔɺ҉߸ݤͷ಺༰Λ౪ௌ͞ΕΔՄೳੑ͕͋Δ
    w ϓϩάϥϜΛഁյ͞ΕΔՄೳੑ͕͋Δ
    ʲ૝ఆ͞ΕΔγφϦΦʳ
    944ʹΑΔ੬ऑੑ͔ΒJGSBNFΛ࢓ֻ͚Δ
    λϒ಺ͷJGSBNF΍ϙοϓΞοϓͰผͷαΠτ͕ಡΈࠐ·ΕΔ৔߹
    ͸ϝΠϯλϒͱಉҰϓϩηεͰಈ͍͍ͯΔͷͰ4QFDUSFΛ࣮ߦ
    4QFDUSFʹΑͬͯɺΫοΩʔ΍ύεϫʔυͳͲͷ৘ใΛऔಘ

    ·ͨ͸ɺϓϩάϥϜͷఀࢭ


    View Slide

  17. ରࡦ
    w (PPHMF$ISPNF

    ʮ4QFDUSFʯͱݺ͹ΕΔ੬ऑʢ͍ͥ͡Ό͘ʣੑ͕8FCϒϥ΢βܦ༝Ͱѱ༻
    ͞ΕΔ͜ͱΛ๷͙ͨΊʮαΠτ෼཭ʢ4JUF*TPMBUJPOʣʯͱݺ͹ΕΔରࡦ
    ػೳΛσϑΥϧτͰ༗ޮʹͨ͠


    4JUF*TPMBUJPOΛ༗ޮʹ͢Ε͹ɺ֤8FCαΠτ͕ಠཱͨ͠ϓϩηεͰಡΈ
    ࠐ·ΕΔΑ͏ʹͳΓɺෆਖ਼ͳ8FCαΠτ͕ϢʔβʔͷΞΧ΢ϯτ΍ଞͷ
    8FCαΠτʹΞΫηεͨ͠Γɺ৘ใΛ౪ΜͩΓ͢Δ͜ͱ͕೉͘͠ͳΔ
    "OESPJE޲͚ͷ$ISPNFʹ΋ର৅Λ֦େ͢Δํ਑


    View Slide

  18. ֤04͝ͱͷରࡦ
    w 8JOEPXT

    8JOEPXT޲͚ͷߋ৽ϓϩάϥϜʮ,#ʯΛެ։
    w .BD

    lNBD04)JHI4JFSSB4VQQMFNFOUBM6QEBUFzͰɺ.FMUEPXO
    ରࡦʹՃ͑ɺ4QFDUSFରࡦ͕ద༻͞Ε͍ͯΔ
    w -JOVY

    -JOVYΧʔωϧͷ࠷৽൛ʢʣ͕ϦϦʔε͞Εͨɻ͜ͷόʔδϣϯͰ
    ͸ɺʮ4QFDUSF.FMUEPXOʯͷ੬ऑੑ΁ͷରࡦ΋௥Ճ͞Ε͍ͯΔɻ
    w "OESPJE J04 $FOU04 3FE)BU΋Ξοϓσʔτ͕ϦϦʔε͞Ε͍ͯΔ


    View Slide

  19. ·ͱΊ
    w 4QFDUSFͷҰ࿈ͷ૽ಈ

    ɾൃݟ͞Εͨ੬ऑੑ

    ɾαΠυνϟωϧ߈ܸͱ͸

    ɾΠϯύΫτ

    ɾެදޙʹى͖ͨࣄ݅
    w 4QFDUSFͷ੬ऑੑͷ֓ཁ౤ػ࣮ߦͱ͸

    ɾCPVOETDIFDLCZQBTT($7&)

    ɾCSBODIUBSHFUJOKFDUJPO($7&)
    • ૝ఆ͞ΕΔ߈ܸ / ରࡦ

    ɾChrome Site Isolationػೳ

    ɾOS͝ͱͷରࡦ


    View Slide

  20. ࢀߟจݙ
    w 4QFDUSF#VTUFST͋Δ͍͸-JOVYʹ͓͚Δ4QFDUSFରࡦ

    IUUQTXXXTMJEFTIBSFOFUNIJSBNBUTQFDUSFCVTUFSTMJOVYTQFDUSF
    w ʮϝϧτμ΢ϯʯͱʮεϖΫλʔʯɺڪΖ͍ۙ͠୅$16ͷ੬ऑੑΛղઆ

    IUUQTMPHNJKQ
    w 1SPKFDU;FSP

    IUUQTHPPHMFQSPKFDU[FSPCMPHTQPUDPNSFBEJOHQSJWJMFHFENFNPSZXJUITJEFIUNM
    w ୈճେ૽͗ͷ4QFDUSFͱ.FMUEPXOͷ੬ऑੑΛͬ͘͟Γͱղઆ

    IUUQXXXBUNBSLJUDPKQBJUBSUJDMFTOFXTIUNM
    w ʲਤղʳ$16ͷ੬ऑੑ<4QFDUSF><.FMUEPXO>͸۩ମతʹͲͷΑ͏ͳ࢓૊ΈͰ߈ܸ͢
    Δʁ

    IUUQTNJMFTUPOFPGTFOFTVLFDPNTWBEWBODFETWTFDVSJUZNFMUEPXOTQFDUSF
    w ੈؒΛ૽͕͢ʮϓϩηοα੬ऑੑʯɹԿ͕ຊ౰ͷ໰୊ͳͷ͔

    IUUQXXXJUNFEJBDPKQQDVTFSBSUJDMFTOFXTIUNM


    View Slide

  21. ࢀߟจݙ
    w αΠυνϟωϧ߈ܸʢTJEFDIBOOFMBUUBDLʣ

    IUUQJPUKQDPNJPUTVNNBSZJPUUFDI
    &#&"&&&"&%&
    "#&##&&'#$TJEFDIBOOFM
    BUUBDL&'#$IUNM
    w ʮ4QFDUSFʯʮ.FMUEPXOʯͷରࡦޙͷύϑΥʔϚϯεൺֱ

    [email protected]


    View Slide