Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Spectreについて

3e71996925e8cd2623ccd93c624a24c7?s=47 Yuki Saito
August 03, 2018

 Spectreについて

すみだセキュリティ勉強会にて

3e71996925e8cd2623ccd93c624a24c7?s=128

Yuki Saito

August 03, 2018
Tweet

Transcript

  1. 4QFDUSFʹ͍ͭͯ 2018/08/04 
 ͢ΈͩηΩϡϦςΟษڧձ 
 @saiyuki1919  

  2. ࣗݾ঺հ w ໊લɿᴡ౻༔ر 4BJUP:VLJ  w झຯɿ w ϦόʔεΤϯδχΞϦϯάͳͲͷηΩϡϦςΟશൠ w

    ػցֶश w ܦྺ w ηΩϡϦςΟɾΩϟϯϓશࠃେձ w ݩ.JDSPTPGU4UVEFOU1BSUOFST w ݱηΩϡϦςΟΤϯδχΞʁ ηΩϡϦςΟؔ࿈ۀ຿  w ࠷ۙ΍ͬͯΈ͍ͨ͜ͱ w ϋχʔϙοτͷࣗ୐ӡ༻ w ηΩϡϦςΟؔ࿈ͷ044ͷ։ൃ  
  3. ໨࣍  4QFDUSFͷҰ࿈ͷࣄ݅  ൃݟ͞Εͨ੬ऑੑͱ͸ʁ  ߈ܸͱରࡦ  

  4. 4QFDUSFͷҰ࿈ͷ૽ಈ 2018೥ਖ਼݄ૣʑɺϓϩηοαۀքʹ૽ಈ͕ى͖ͨʂ SpectreʢεϖΫλʔʣͱMeltdownʢϝϧτμ΢ϯʣͱݺ͹ΕΔϓϩηοαͷ੬ऑੑ͕ൃݟ͞Εͨɻ Meltdown͸Intel੡CPUͱARM ੡ CPU ͷҰ෦͕ӨڹͰɺSpectre͸IntelɾAMDɾARMͳͲͷ͢΂ͯͷ ϓϩηοαʹ಺ࡏ͢ΔՄೳੑ͕͋Δͱൃද͞Εͨɻ GoogleͷηΩϡϦςΟରࡦ෦໳Project Zero͸ɺʮ౤ػత࣮ߦʯʹΑͬͯҾ͖ى͜͞ΕΔਂࠁͳη

    ΩϡϦςΟ্ͷ੬ऑੑΛ2017೥6݄ͷஈ֊Ͱ೺Ѳ͠ɺIntelɺAMDɺARMͳͲͷνοϓϕϯμʔʹ௨஌ ͍ͯͨ͠ɻ
 ͦ͜ͰɺMircosoft͸1݄9೔ͷPatch TuesdayͰdisclose͞ΕΔ༧ఆͰͨ͠ɻ
 ͔͠͠ɺΠΪϦεͷITࢽʮThe Registerʯ͕1݄2೔ʹ
 ʮϋʔυ΢ΣΞͷมߋ͕ඞཁͰ͋Γɺιϑτ΢ΣΞͰͷηΩϡϦςΟରࡦ͸ύϑΥʔϚϯεͷେ෯ͳ ௿ԼΛҾ͖ى͜͢ʯ
 ͱൃදͨ͠ͷͰɺۀքΛࠞཚͤͨ͞!  
  5. ൃݟ͞Εͨ੬ऑੑ • Variant 1: bounds check bypass (CVE-2017-5753)
 • Variant

    2: branch target injection (CVE-2017-5715)
 • Variant 3: rogue data cache load (CVE-2017-5754)
 • Variant 3a: Rogue System Register Read (CVE-2018-3640)
 • Variant 4: Speculative store bypass (CVE-2018-3639)
 ʮVariant 1ʯͱʮVariant 2ʯ͕Spectre
 ʮVariant 3ʯ͕Meltdownͱݺ͹ΕΔ੬ऑੑͰ͢ɻ
 CPUੑೳ޲্ͷͨΊͷʮ౤ػత࣮ߦ(Speculative Execution)ʯͱ͍͏࢓૊Έ͕ݪҼ Ͱɺ͍ͣΕͷ੬ऑੑ΋αΠυνϟωϧ߈ܸʹ෼ྨ͞Ε·͢ɻ  
  6. αΠυνϟωϧ߈ܸͱ͸ αΠυνϟωϧ߈ܸ͸ి࣓೾΍೤ɺిྗྔ΍ॲཧ࣌ؒͷҧ͍ͳͲΛ ෺ཧతखஈͰ؍࡯͢Δ͜ͱͰख͕͔ΓΛಘΑ͏ͱ͢Δ΋ͷͰ͢ɻ
 
 αΠυνϟωϧͱ͸ɺਖ਼نͷೖग़ྗܦ࿏Ͱ͸ͳ͍͜ͱΛҙຯ͓ͯ͠Γɺ ΞϧΰϦζϜͱ͸ҟͳΔ෭࣍త৘ใͰ͋Δ͜ͱ͔Β͜ͷΑ͏ʹݺ͹Ε ͍ͯ·͢ɻ IUUQJPUKQDPNJPUTVNNBSZJPUUFDI &#&"&&&"&%&"#&## &&'#$TJEFDIBOOFMBUUBDL&'#$IUNM

    Ҿ༻ݩ  
  7. ΠϯύΫτ w Ϋϥ΢υαʔϏε΍.41
 Ϩϯλϧαʔό΍ɺ*BB41BB4౳ͷ7.Λಈ͔͢Ϋϥ΢υαʔϏεͷࣄۀ ऀ౳ʹ͸େ͖ͳΠϯύΫτΛ༩͑ͨɻ
 w ϓϩηοαۀք
 4QFDUSF͸*OUFM͚ͩͰͳ͘ɺ".%΍"3.ͳͲͷνοϓશൠʹؔ܎͢Δ੬ ऑੑͰ͋Γɺ1$͚ͩͰͳ͘"3.ϕʔεͷ$16Λ࠾༻͢ΔεϚʔτϑΥϯ ΛؚΊͨɺΑΓ޿͍୺຤ʹӨڹΛٴ΅͔͠Ͷͳ͍ͱ͍͏͜ͱͰେ͖ͳ࿩୊

    ͱͳͬͨɻ  
  8. ެදޙʹى͖ͨࣄ݅ w ʮ.FMUEPXOʯʮ4QFDUSFʯΛૂ͏Ϛϧ΢ΣΞαϯϓϧɺେྔʹൃݟ w "75&45*OTUJUVUF͸ɺ$16ʹଘࡏ͢Δʮ.FMUEPXOʯ͓Αͼʮ4QFDUSFʯ੬ऑੑΛѱ༻͠Α͏ ͱ͢ΔϚϧ΢ΣΞͷઌۦ͚ͱݟΒΕΔαϯϓϧݸΛൃݟͨ͠ɻ
 IUUQTKBQBODOFUDPNBSUJDMF
 w ʮ4QFDUSFʯʮ.FMUEPXOʯͷύονΛِ૷ͨ͠Ϛϧ΢ΣΞʹ஫ҙ w

    ύονΛِ૷ͨ͠Ϛϧ΢ΣΞ͕ଘࡏ͠ʮ4NPLF-PBEFSʯ΁ͷײછΛଅ͢
 IUUQTOFXTNZOBWJKQBSUJDMF
 w Πϯςϧɺ4QFDUSFɾ.FMUEPXOରԠͰϓϩηοαʔઃܭΛมߋ w Πϯςϧ͸੬ऑੑΛܰࢹ͍͗ͯͨ͢͠ͱͯ͠ɺถࠃٞձ͔Βઆ໌ΛٻΊΒΕɺ͞Βʹ໿݅΋ ͷूஂૌুΛى͜͞Εͨ
 IUUQTKBQBOFTFFOHBEHFUDPNTQFDUSFNFMUEPXO  
  9. 4QFDUSFͱ͸ • Variant 1: bounds check bypass (CVE-2017-5753)
 ͋Δ໋ྩͰຊདྷɺಡΈࠐΉ͜ͱ͕Ͱ͖ͳ͍ଞϓϩηεͷϝϞϦʔྖҬΛΩϟογϡ ʹಡΈͩͤ͞ɺผͷ໋ྩͰʰΩϟογϡྖҬʱͷϝϞϦͷread଎౓ΛνΣοΫ͢Δ

    ͜ͱͰϝϞϦྖҬͷ಺༰ΛਪఆͰ͖Δɻ
 
 • Variant 2: branch target injection (CVE-2017-5715)
 ʮؒ઀෼ذ༧ଌثʯΛར༻͢Δ΋ͷͰɺยํͷVMͰ෼ذΛෆਖ਼ͳϓϩάϥϜΛݺ ͼग़ͨ͢Ίʹௐઅ͠·͢ɻௐઅͨ͠༧ଌςʔϒϧΛ΋͏ยํͷVMͰϝϞϦΞυϨ ε͔Β౤ػ࣮ߦͤ͞Δɻ  
  10. 4QFDUSFͷ੬ऑੑ֓ཁ ι ϑ τ ΢ Σ Ξ ϋ c υ

    ΢ Σ Ξ ΞϓϦέʔγϣϯ" ΞϓϦέʔγϣϯ# ɾɾɾ 04 $16 ੬ऑੑ ௨ৗ͸ΞΫηεͰ͖ͳ͍ϝϞϦྖҬಡΈࠐΉ ϝϞϦྖҬɹϝϞϦྖҬɹϝϞϦྖҬ  
  11. ౤ػ࣮ߦͱ͸ 'FUDI %FDPEF &YFDVUF 8SJUF#BDL ໋ྩ ໋ྩ ໋ྩ ໋ྩ ໋ྩ

    ໋ྩ ໋ྩ ໋ྩ ໋ྩ ໋ྩ ໋ྩ ໋ྩ 'FUDI %FDPEF &YFDVUF 8SJUF#BDL ໋ྩ ໋ྩ ໋ྩ ໋ྩ ໋ྩ ໋ྩ ໋ྩ ໋ྩ ໋ྩ ໋ྩ 5JNFMPTT ௨ৗ ౤ػ࣮ߦ  
  12. bounds check bypass (CVE-2017-5753)  JGจͷ಺༰͕USVFʹͳ͍ͬͯΔύλʔϯ͕ଟ͚Ε͹ɺJGจͷ಺༰͕GBMTFͰ΋౤ػ࣮ ߦʹΑΓ෼ذ໋ྩΛ௒͑ͯઌʹ࣮ߦ͞ΕΔ  Yͷ஋Λࣗ༝ʹૢ࡞ͯ͠ɺBSSBZ<Y>Ͱݺͼग़͍ͨ͠ϝϞϦΞυϨεʹ͢Δ 

    BSSB<Y> ͰBSSBZͷΩϟογϡϥΠϯ෼ΛBSSBZͰࢦఆ͠ϝϞϦʔʹอଘ ͠Ωϟογϡ͢Δ  BSSBZ@TJ[Fͷॲཧ͕GBMTFͱΘ͔Ε͹ɺBSSBZ͸ϝϞϦʔ͔Βഁغ͞ΕΔ͕-- -౳Ωϟογϡʹ͸࢒Δ  BSSBZ͸---౳ʹΩϟογϡʹ৐͍ͬͯΔͷͰɺ͔ΒͰ૬౰͢ΔΞυϨ εʹॱংʹΞΫηε͠ɺSFBE଎౓͕ૣ͔ͬͨͱ͜Ζ͕BSSBZͷϝϞϦͷ஋ʹͳΔ if (x < array1_size) y = array2[array1[x] * 256];  
  13. branch target injection (CVE-2017-5715) ౤ػ࣮ߦͱ#5# ෼ذઌόοϑΝ ͱؒ઀෼ذ໋ྩΛར༻ͨ͠߈ܸͰ͢ ؒ઀෼ذ໋ྩͱ͸
 ෼ذઌ͕Ϩδελ΍ϝϞϦͷ஋ʹΑͬͯࢦఆ͞ΕΔ໋ྩ
 YͰ͸DBMMͱKNQͳͲ


    ౤ػ࣮ߦʹΑ࣮ͬͯߦ͞ΕΔ໋ྩ͸ʁɹ὎#5#Λ֬ೝʂ #5##SBODI5BSHFU#V⒎FSͱ͸
 ෼ذઌΛ෼ذݩΞυϨεͰอଘ͢ΔόοϑΝ
 ෼ذݩͷϝϞϦΞυϨεͷ಺ͷCJUΛݩʹ෼ذઌͷ
 ɹɹϝϞϦΞυϨεΛ༧ଌ͍ͯ͠Δ
 ͭͷ෺ཧίΞΛͭͷ࿦ཧίΞʹ෼ׂͯ͠΋ؒ઀෼ذ༧ଌʹ࢖ΘΕΔ༧ଌ
 ςʔϒϧ #5# ͸ڞ༗͞ΕΔ  
  14. #)##SBODI)JTUPSZ#V⒎FSͱ͸ աڈͷ෼ذ༧૝݁Ռͷ౰ͨΓ֎ΕΛه࿥͢ΔόοϑΝ ௚ۙ໿ճ෼ͷཤྺΛอ؅͍ͯ͠Δ
 ෼ذύλʔϯΛ#)#Ͱݟ͚ͭΔͱɺ෼ذઌΛ#5#ʹ୳͠ʹߦ͘  

  15. branch target injection (CVE-2017-5715)  ϢʔβۭؒͰ#)#Λʮֶशʯͤ͞Δ
 #)#ͷֶशͷͨΊʹճ෼͸࠶ݱ͢Δ  ผͷεϨουͰ༠ಋ͍ͨ͠ΞυϨε΁ͷ෼ذΛ܁Γฦ͠ɺ#5#ͷ෼ ذઌͷΞυϨεΛ࣮ߦ͍ͨ͠ෆਖ਼ͳ໋ྩͷΞυϨεʹઃఆ͢Δ

     ౤ػ࣮ߦʹΑͬͯෆਖ਼ͳ໋ྩΛ࣮ߦͤ͞Δ  
  16. ૝ఆ͞ΕΔ߈ܸ w ύεϫʔυ΍ΫοΩʔɺ҉߸ݤͷ಺༰Λ౪ௌ͞ΕΔՄೳੑ͕͋Δ w ϓϩάϥϜΛഁյ͞ΕΔՄೳੑ͕͋Δ ʲ૝ఆ͞ΕΔγφϦΦʳ 944ʹΑΔ੬ऑੑ͔ΒJGSBNFΛ࢓ֻ͚Δ λϒ಺ͷJGSBNF΍ϙοϓΞοϓͰผͷαΠτ͕ಡΈࠐ·ΕΔ৔߹ ͸ϝΠϯλϒͱಉҰϓϩηεͰಈ͍͍ͯΔͷͰ4QFDUSFΛ࣮ߦ 4QFDUSFʹΑͬͯɺΫοΩʔ΍ύεϫʔυͳͲͷ৘ใΛऔಘ


    ·ͨ͸ɺϓϩάϥϜͷఀࢭ  
  17. ରࡦ w (PPHMF$ISPNF
 ʮ4QFDUSFʯͱݺ͹ΕΔ੬ऑʢ͍ͥ͡Ό͘ʣੑ͕8FCϒϥ΢βܦ༝Ͱѱ༻ ͞ΕΔ͜ͱΛ๷͙ͨΊʮαΠτ෼཭ʢ4JUF*TPMBUJPOʣʯͱݺ͹ΕΔରࡦ ػೳΛσϑΥϧτͰ༗ޮʹͨ͠
 
 4JUF*TPMBUJPOΛ༗ޮʹ͢Ε͹ɺ֤8FCαΠτ͕ಠཱͨ͠ϓϩηεͰಡΈ ࠐ·ΕΔΑ͏ʹͳΓɺෆਖ਼ͳ8FCαΠτ͕ϢʔβʔͷΞΧ΢ϯτ΍ଞͷ 8FCαΠτʹΞΫηεͨ͠Γɺ৘ใΛ౪ΜͩΓ͢Δ͜ͱ͕೉͘͠ͳΔ

    "OESPJE޲͚ͷ$ISPNFʹ΋ର৅Λ֦େ͢Δํ਑  
  18. ֤04͝ͱͷରࡦ w 8JOEPXT
 8JOEPXT޲͚ͷߋ৽ϓϩάϥϜʮ,#ʯΛެ։ w .BD
 lNBD04)JHI4JFSSB4VQQMFNFOUBM6QEBUFzͰɺ.FMUEPXO ରࡦʹՃ͑ɺ4QFDUSFରࡦ͕ద༻͞Ε͍ͯΔ w -JOVY


    -JOVYΧʔωϧͷ࠷৽൛ʢʣ͕ϦϦʔε͞Εͨɻ͜ͷόʔδϣϯͰ ͸ɺʮ4QFDUSF.FMUEPXOʯͷ੬ऑੑ΁ͷରࡦ΋௥Ճ͞Ε͍ͯΔɻ w "OESPJE J04 $FOU04 3FE)BU΋Ξοϓσʔτ͕ϦϦʔε͞Ε͍ͯΔ  
  19. ·ͱΊ w 4QFDUSFͷҰ࿈ͷ૽ಈ
 ɾൃݟ͞Εͨ੬ऑੑ
 ɾαΠυνϟωϧ߈ܸͱ͸
 ɾΠϯύΫτ
 ɾެදޙʹى͖ͨࣄ݅ w 4QFDUSFͷ੬ऑੑͷ֓ཁ౤ػ࣮ߦͱ͸
 ɾCPVOETDIFDLCZQBTT($7&)


    ɾCSBODIUBSHFUJOKFDUJPO($7&) • ૝ఆ͞ΕΔ߈ܸ / ରࡦ
 ɾChrome Site Isolationػೳ
 ɾOS͝ͱͷରࡦ  
  20. ࢀߟจݙ w 4QFDUSF#VTUFST͋Δ͍͸-JOVYʹ͓͚Δ4QFDUSFରࡦ
 IUUQTXXXTMJEFTIBSFOFUNIJSBNBUTQFDUSFCVTUFSTMJOVYTQFDUSF w ʮϝϧτμ΢ϯʯͱʮεϖΫλʔʯɺڪΖ͍ۙ͠୅$16ͷ੬ऑੑΛղઆ
 IUUQTMPHNJKQ w 1SPKFDU;FSP
 IUUQTHPPHMFQSPKFDU[FSPCMPHTQPUDPNSFBEJOHQSJWJMFHFENFNPSZXJUITJEFIUNM

    w ୈճେ૽͗ͷ4QFDUSFͱ.FMUEPXOͷ੬ऑੑΛͬ͘͟Γͱղઆ
 IUUQXXXBUNBSLJUDPKQBJUBSUJDMFTOFXTIUNM w ʲਤղʳ$16ͷ੬ऑੑ<4QFDUSF><.FMUEPXO>͸۩ମతʹͲͷΑ͏ͳ࢓૊ΈͰ߈ܸ͢ Δʁ
 IUUQTNJMFTUPOFPGTFOFTVLFDPNTWBEWBODFETWTFDVSJUZNFMUEPXOTQFDUSF w ੈؒΛ૽͕͢ʮϓϩηοα੬ऑੑʯɹԿ͕ຊ౰ͷ໰୊ͳͷ͔
 IUUQXXXJUNFEJBDPKQQDVTFSBSUJDMFTOFXTIUNM  
  21. ࢀߟจݙ w αΠυνϟωϧ߈ܸʢTJEFDIBOOFMBUUBDLʣ
 IUUQJPUKQDPNJPUTVNNBSZJPUUFDI &#&"&&&"&%& "#&##&&'#$TJEFDIBOOFM BUUBDL&'#$IUNM w ʮ4QFDUSFʯʮ.FMUEPXOʯͷରࡦޙͷύϑΥʔϚϯεൺֱ
 IUUQXXXQPSUXFMMDPKQCMPHTQFDUSF@NFMUEPXO