About Spectre (Spectreについて)

Yuki Saito
August 03, 2018

Presented at the すみだセキュリティ勉強会 (Sumida Security Study Group)

Transcript

  1. About Spectre (Spectreについて)
    2018/08/04
    すみだセキュリティ勉強会 (Sumida Security Study Group)
    @saiyuki1919

  2. Self-introduction
    • Name: Yuki Saito
    • Interests:
      • Security in general, such as reverse engineering
      • Machine learning
    • Background
      • Security Camp national event (セキュリティ・キャンプ全国大会)
      • Former Microsoft Student Partner
      • Currently a security engineer(?), doing security-related work
    • Things I want to try next
      • Running a honeypot at home
      • Developing security-related OSS

  3. Contents
    The series of Spectre incidents
    What are the discovered vulnerabilities?
    Attacks and countermeasures

  4. The Spectre uproar
    Right at the start of 2018, the processor industry was thrown into turmoil!
    Processor vulnerabilities called Spectre and Meltdown were discovered.
    Meltdown was announced to affect Intel CPUs and some ARM CPUs, while Spectre
    could be present in essentially every processor, including those from Intel, AMD and ARM.
    Google's security team Project Zero had identified the serious security vulnerability
    caused by "speculative execution" as early as June 2017 and had notified chip vendors
    such as Intel, AMD and ARM.

    Microsoft was therefore planning to disclose it on the January 9 Patch Tuesday.

    However, on January 2 the British IT publication "The Register" reported that

    "a hardware change is required, and software-only security fixes cause a large
    performance drop,"

    which threw the industry into confusion!

  5. The discovered vulnerabilities
    • Variant 1: bounds check bypass (CVE-2017-5753)

    • Variant 2: branch target injection (CVE-2017-5715)

    • Variant 3: rogue data cache load (CVE-2017-5754)

    • Variant 3a: rogue system register read (CVE-2018-3640)

    • Variant 4: speculative store bypass (CVE-2018-3639)

    "Variant 1" and "Variant 2" are called Spectre,

    and "Variant 3" is the vulnerability called Meltdown.

    All of them stem from "speculative execution", a mechanism for improving CPU
    performance, and every one of them is classified as a side-channel attack.

  6. What is a side-channel attack?
    A side-channel attack tries to obtain clues by observing, through physical means,
    things such as electromagnetic emissions, heat, power consumption or differences in
    processing time.

    A "side channel" means something that is not the regular input/output path; the name
    comes from the fact that the information is secondary, separate from the algorithm
    itself.
    Source: http://iot-jp.com/iotsummary/iottech/… (page: サイドチャネル攻撃（side channel attack）)

  7. Impact
    • Cloud services and MSPs

    It had a large impact on hosting providers and on operators of cloud services
    that run VMs, such as IaaS/PaaS.

    • The processor industry

    Spectre is a vulnerability that concerns not only Intel but chips in general,
    including AMD and ARM. It became a major topic because it could affect a much
    wider range of devices: not only PCs but also smartphones that use ARM-based CPUs.

  8. Incidents after the disclosure
    • Large numbers of malware samples targeting "Meltdown" and "Spectre" discovered
      • AV-TEST Institute found … samples believed to be early forms of malware
        attempting to exploit the "Meltdown" and "Spectre" CPU vulnerabilities.

    https://japan.cnet.com/article/…

    • Beware of malware disguised as "Spectre"/"Meltdown" patches
      • Malware posing as a patch exists and leads to infection with "SmokeLoader"

    https://news.mynavi.jp/article/…

    • Intel changes its processor design in response to Spectre/Meltdown
      • Intel was asked by the US Congress to explain itself for having taken the
        vulnerabilities too lightly, and was also hit with around … class-action lawsuits

    https://japanese.engadget.com/…/spectre-meltdown…

  9. What is Spectre?
    • Variant 1: bounds check bypass (CVE-2017-5753)

    One instruction makes the CPU read, into the cache, a memory region of another
    process that it should not be able to read; a separate instruction then measures
    the read latency of the "cached region", and from that the contents of the memory
    region can be inferred.


    • Variant 2: branch target injection (CVE-2017-5715)

    This one uses the "indirect branch predictor". In one VM the branch prediction is
    trained so that it calls a malicious program; the trained prediction table then
    causes the other VM to speculatively execute from that memory address.

  10. Overview of the Spectre vulnerability
    [Figure: a software layer (Application A, Application B, ...) running on the OS,
    above the hardware layer (the CPU, where the vulnerability lies). The CPU
    vulnerability reads memory regions that normally cannot be accessed.]

  11. What is speculative execution?
    [Figure: two instruction pipelines with the stages Fetch, Decode, Execute and
    Write Back. Top: "normal" execution, annotated "Time loss". Bottom:
    "speculative execution", where instructions past the branch keep flowing.]

  12. bounds check bypass (CVE-2017-5753)
    If the condition of the if statement has been true many times before, speculative
    execution runs the code past the branch instruction even when the condition is
    actually false.
    The attacker freely controls the value of x and sets it so that array1[x] refers to
    the memory address they want to read.
    array2 is then indexed by array1[x] (scaled to one cache line), so the cache line
    selected by that byte is loaded from memory into the cache.
    Once the array1_size check resolves as false, the speculative array2 result is
    discarded, but the line remains in the L1/L2/L3 caches.
    Because that line of array2 is now cached, the attacker accesses the 256 candidate
    addresses of array2 in order; the one with the fast read latency reveals the value
    held in array1's memory.
    if (x < array1_size)
        y = array2[array1[x] * 256];
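The if statement on this slide is the Variant 1 gadget. As an added example (not code from the slides), here it is next to a hardened version that uses the branchless index clamp the Linux kernel calls array_index_nospec(); the sample arrays, the function names and the 64-byte LINE constant are constructed for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed sample data (not from the slides): 16 readable bytes and a probe
 * array with one 64-byte cache line per possible byte value. */
#define LINE 64
static uint8_t array1[16] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
static size_t  array1_size = 16;
static uint8_t array2[256 * LINE];

/* Lazily fill array2 so that array2[v * LINE] == v (the gadgets then return the byte they touched). */
static void init_probe_array(void) {
    static int done;
    if (done) return;
    for (size_t i = 0; i < sizeof array2; i++)
        array2[i] = (uint8_t)(i / LINE);
    done = 1;
}

/* The gadget from the slide: the bounds check is a branch, so once the predictor
 * has been trained the CPU may run the array2 load with an out-of-range x before
 * the comparison resolves, leaving a cache footprint that depends on array1[x]. */
uint8_t gadget_unmasked(size_t x) {
    init_probe_array();
    if (x < array1_size)
        return array2[array1[x] * LINE];
    return 0;
}

/* Branchless clamp in the style of the Linux kernel's array_index_nospec():
 * index when index < size, otherwise 0. Pure arithmetic, so there is no branch
 * to mispredict and x cannot reach past array1 even under speculation.
 * (Assumes size < SIZE_MAX / 2; the kernel also hides index from the optimizer.) */
size_t index_nospec(size_t index, size_t size) {
    /* top bit of (index | (size - 1 - index)) is set exactly when index >= size */
    size_t oob  = (index | (size - 1 - index)) >> (sizeof(size_t) * CHAR_BIT - 1);
    size_t mask = (size_t)0 - (oob ^ 1);   /* all ones if in range, else 0 */
    return index & mask;
}

/* Hardened gadget: keep the check, but mask x before it reaches the loads. */
uint8_t gadget_masked(size_t x) {
    init_probe_array();
    if (x < array1_size) {
        x = index_nospec(x, array1_size);
        return array2[array1[x] * LINE];
    }
    return 0;
}
```

Both gadgets return the same values architecturally; the difference is only in what an out-of-range x can touch while the branch is still unresolved.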

  13. branch target injection (CVE-2017-5715)
    An attack that uses speculative execution, the BTB (branch target buffer)
    and indirect branch instructions.
    What is an indirect branch instruction?

    An instruction whose branch target is given by the value of a register or memory location

    On x86, for example, the indirect forms of call and jmp

    Which instructions get executed speculatively? → Check the BTB!
    What is the BTB (Branch Target Buffer)?

    A buffer that stores branch targets, keyed by the address of the branch source

    It predicts the target address from a subset of the bits (… bits) of the

    branch source's memory address

    Even when one physical core is split into logical cores, the prediction table (BTB)

    used for indirect branch prediction is shared between them

  14. What is the BHB (Branch History Buffer)?
    A buffer that records whether past branch predictions were hits or misses
    It keeps the history of roughly the last … branches

    When a branch pattern is found in the BHB, the branch target is looked up in the BTB

  15. branch target injection (CVE-2017-5715)
    "Train" the BHB from user space

    To train the BHB, the last … branches are reproduced
    In another thread, repeatedly branch to the address you want execution steered to,
    so that the BTB's target address is set to the address of the malicious instructions
    Speculative execution then runs the malicious instructions

  16. Anticipated attacks
    • The contents of passwords, cookies and cryptographic keys may be eavesdropped
    • Programs may be crashed
    [Anticipated scenario]
    Plant an iframe via an XSS vulnerability
    When another site is loaded in an iframe within the tab or in a pop-up, it runs in
    the same process as the main tab, so Spectre can be run there
    Spectre is then used to obtain information such as cookies and passwords

    Or, the program is made to stop

  17. Countermeasures
    • Google Chrome

    To prevent the vulnerability called "Spectre" from being exploited through the
    web browser, Chrome enabled by default a countermeasure called "Site Isolation".


    With Site Isolation enabled, each website is loaded in its own process, which
    makes it harder for a malicious website to access the user's accounts or other
    websites, or to steal information.
    The plan is to extend it to Chrome for Android as well.

  18. Countermeasures by OS
    • Windows

    The Windows update "KB…" was published
    • Mac

    The "macOS High Sierra Supplemental Update" applies Spectre mitigations
    in addition to the Meltdown mitigations
    • Linux

    The latest Linux kernel (version …) was released. This version also adds
    mitigations for the "Spectre/Meltdown" vulnerabilities.
    • Updates have also been released for Android, iOS, CentOS and Red Hat

  19. Summary
    • The Spectre uproar

    ・The discovered vulnerabilities

    ・What is a side-channel attack?

    ・Impact

    ・Incidents after the disclosure
    • Overview of the Spectre vulnerability / what is speculative execution?

    ・bounds check bypass (CVE-2017-5753)

    ・branch target injection (CVE-2017-5715)
    • Anticipated attacks / countermeasures

    ・Chrome's Site Isolation feature

    ・Countermeasures by OS

  20. References
    • Spectre Busters, or Spectre countermeasures in Linux (Spectre Busters あるいは Linux における Spectre 対策)

    https://www.slideshare.net/mhiramat/spectre-busters-linux-spectre…
    • "Meltdown" and "Spectre": explaining the frightening vulnerabilities of modern CPUs (「メルトダウン」と「スペクター」、恐ろしい近代CPUの脆弱性を解説)

    https://logmi.jp/…
    • Project Zero

    https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
    • Part …: a rough explanation of the much-discussed Spectre and Meltdown vulnerabilities (第…回 大騒ぎのSpectreとMeltdownの脆弱性をざっくりと解説)

    http://www.atmarkit.co.jp/ait/articles/…/news….html
    • [Illustrated] How exactly do the CPU vulnerabilities [Spectre] and [Meltdown] attack? (【図解】CPUの脆弱性[Spectre][Meltdown]は具体的にどのような仕組みで攻撃する？)

    https://milestone-of-se.nesuke.com/sv-advanced/sv-security/meltdown-spectre/
    • The "processor vulnerabilities" stirring up the world: what is the real problem? (世間を騒がす「プロセッサ脆弱性」 何が本当の問題なのか)

    http://www.itmedia.co.jp/pcuser/articles/…/news….html

  21. References
    • Side-channel attack (サイドチャネル攻撃（side channel attack）)

    http://iot-jp.com/iotsummary/iottech/…
    • Performance comparison after the "Spectre"/"Meltdown" mitigations (「Spectre」「Meltdown」の対策後のパフォーマンス比較)

    http://www.portwell.co.jp/blog/spectre_meltdown…