Goなどで作る脆弱性対策ゲーム / go-bigbridge

6DIJP,POEP 'VLVPLBHP (PͳͲͰ࡞Δ੬ऑੑରࡦήʔϜ

(.0ϖύϘγχΞϓϦϯγύϧ ۙ౻͏͓ͪ!VE[VSB 044ϓϩμΫτ w NSVCZͷίϯςφϥϯλΠϜ)BDPOJXB w 3VCZͷ ZFU"OPUIFS 0QFO4UBDLDMJFOU:BP 3VCZ͸೥΄Ͳɺ(P͸೥͙Β͍ʁ
޷͖ͳϥΠϒϥϦIBTIJDPSQIDM ར༻ϒΩϓϥΠϜγϡʔλʔίϥϘ ηΩϡϦςΟ͸ษڧ࢝͠Ίͨ͹͔ΓͰ͢

"MTPB3VCZJTU

'VLVPLBSC ! ԙϖύες

8FCΞϓϦέʔγϣϯͷ ੬ऑੑ

42- *OKFDUJPO

߈ܸ͞Εͨ͜ͱ ͋Γ·͔͢ʁ

߈ܸΛ஌Γ͍ͨ ๷ޚ͍ͨ͠

࿅शʢʁʣ͠Α͏

DG%78" w%BNO7VMOFSBCMF8FC"QQMJDBUJPO w͋͑ͯ੬ऑͳ࡞Γʹͨ͠΢ΣϒΞϓϦέʔγϣϯ w༷ʑͳ߈ܸΛ࣮ࡍʹߦ͏͜ͱͰɺ߈ܸଆͷؾ࣋ͪʹͳΓ  ͦΕ͕։ൃʹ͓͍ͯ΋໾ʹཱͭ wΞϓϦέʔγϣϯͷ੬ऑ౓߹͍ΛઃఆͰ͖ͯศརʢʁʣ IUUQXXXEWXBDPVL

߈ܸΛͯ͠ΈΔͱ

͜ΕΛࣗಈԽ͢Δͱ

๷ޚଆͷ ࿅शʹ΋࢖͑ΔͷͰ͸ʁ

CJHCSJEHFϓϩδΣΫτʢԾʣ wೋͭͷίϯςφΛ࡞Δ߈ܸଆɺ๷ޚଆ w߈ܸଆ͸όΠφϦͰϒϥοΫϘοΫεͷϓϩάϥϜ w๷ޚଆ͸"QBDIF NPE@QIQͳ੬ऑͳΞϓϦέʔγϣϯ  TTIͰௐࠪՄೳͳΑ͏ɺγεςϜίϯςφʹͳ͍ͬͯΔ

CJHCSJEHF IUUQTDTLZVTIVVBDKQFOQJUQSP

ߏ੒ Binary Apache MySQL App (PHP) SSHD Attacker Defender

๷ޚଆ͔ΒৄࡉΛɻ wTPWFSMBZͱ͍͏ɺ%PDLFS΍ίϯςφʹಛԽͨ͠γϯϓϧͳJOJUͷ࢓ ૊ΈΛ࢖ͬͯγεςϜίϯςφΛ࡞Δɻ wTTIE ϩάͷͨΊSTZTMPH ɺBQBDIFɺ.Z42-Λࣂ͍ͬͯΔ wPDUPQBTTͰTTIϩάΠϯपΓΛ؆୯ʹ IUUQTHJUIVCDPNKVTUDPOUBJOFSTTPWFSMBZ

߈ܸଆɻ wṖͷόΠφϦ͕͋Δ wઃఆʹ͸ɺ߈ܸઌͷΞυϨεͳͲͷ৘ใ͔͠౉ͤͳ͘ɺͲ͏͍͏߈ܸ Λ͍ͯ͠Δ͔͸Θ͔Βͳ͍ wىಈ͢Δͱɺର৅΁ͷ߈ܸͷ੒ޭࣦഊ͚͕ͩΘ͔Δ wˠ๷ޚଆͷϩάͳͲΛ֬ೝ͠ɺΞϓϦΛվमͯ͠

߈ܸϕϯνϚʔΫͷྲྀΕ w߈ܸଆͰόΠφϦىಈˠ๷ޚଆͰϩάͳͲΛ֬ೝ wˠ๷ޚଆͷઃఆΛมߋͨ͠ΓɺΞϓϦΛվम wˠ࠶౓߈ܸΛ͠ɺࣦഊͨ͠Β๷Ӵ੒ޭʂʂʂ̍

ṖͷόΠφϦ

ͦ͜ͰɺΛ࢖͏

࣮૷ͷྫ

໾ʹཱͭ΋ͷ wIFBE[PPTVSG wঢ়ଶΛอͭ͜ͱ͕Ͱ͖Δ΢ΣϒεΫϨΠύʔϥΠϒϥϦ IUUQTHJUIVCDPNIFBE[PPTVSG

EFNP wʢतۀͰ࢖͏ͱ͍͏͜ͱͰɺৄࡉ͸·ͩφΠγϣʣ

ࠓޙ΍Γ͍ͨ͜ͱ w߈ܸͷόϦΤʔγϣϯΛ૿΍͢ w؆୯ͳରࡦͰ͋ͬͨΒ߈ܸଆͰݟൈ͔Εͯ͢Γൈ͚Δ΍ͭͱ͔ w߈ܸόΠφϦΛ΋ͬͱ೉ಡԽ͢Δ w๷ޚଆɺ1)1Ҏ֎ͷݴޠϑϨʔϜϫʔΫΛ૿΍͢

จࣈྻΛӅ͍ͨ͠ w(Pݴޠ੡ͷόΠφϦͰ΋ɺ΋ͪΖΜTUSJOHT ͳͲͰ߈ܸख๏ʹؔ ܎͢Δจࣈྻ͸ݟ͑ͯ͠·͏ɻ wจࣈσʔλΛ·ͱΊͯ֎෦͔Βఏڙͭͭɺ҉߸Խ͞ΕͨܗͰόΠφϦ ؚΉΑ͏ͳπʔϧΛ࡞ΕΔͱྑͦ͞͏ʁ wʢ΋ͪΖΜɺҰൠతͳ࿩ͰόΠφϦ಺ͷจࣈྻΛ҉߸Խͯ͠΋  ɹͦΜͳʹηΩϡϦςΟରࡦʹ͸ͳΒͳ͍ɻΫΠζͷ೉қ౓తͳ࿩Ͱʣ

PT&YJU

Goなどで作る脆弱性対策ゲーム / go-bigbridge

Goなどで作る脆弱性対策ゲーム / go-bigbridge

KONDO Uchio

More Decks by KONDO Uchio

Other Decks in Technology

Featured

Transcript

6DIJP,POEP 'VLVPLBHP (PͳͲͰ࡞Δ੬ऑੑରࡦήʔϜ

(.0ϖύϘγχΞϓϦϯγύϧ ۙ౻͏͓ͪ!VE[VSB 044ϓϩμΫτ w NSVCZͷίϯςφϥϯλΠϜ)BDPOJXB w 3VCZͷ ZFU"OPUIFS 0QFO4UBDLDMJFOU:BP 3VCZ͸೥΄Ͳɺ(P͸೥͙Β͍ʁ

"MTPB3VCZJTU

13

'VLVPLBSC ! ԙϖύες

8FCΞϓϦέʔγϣϯͷ ੬ऑੑ

944

$43'

42- *OKFDUJPO

߈ܸ͞Εͨ͜ͱ ͋Γ·͔͢ʁ

߈ܸΛ஌Γ͍ͨ ๷ޚ͍ͨ͠

࿅शʢʁʣ͠Α͏

DG%78" w%BNO7VMOFSBCMF8FC"QQMJDBUJPO w͋͑ͯ੬ऑͳ࡞Γʹͨ͠΢ΣϒΞϓϦέʔγϣϯ w༷ʑͳ߈ܸΛ࣮ࡍʹߦ͏͜ͱͰɺ߈ܸଆͷؾ࣋ͪʹͳΓ  ͦΕ͕։ൃʹ͓͍ͯ΋໾ʹཱͭ wΞϓϦέʔγϣϯͷ੬ऑ౓߹͍ΛઃఆͰ͖ͯศརʢʁʣ IUUQXXXEWXBDPVL

߈ܸΛͯ͠ΈΔͱ

͜ΕΛࣗಈԽ͢Δͱ

๷ޚଆͷ ࿅शʹ΋࢖͑ΔͷͰ͸ʁ

CJHCSJEHFϓϩδΣΫτʢԾʣ wೋͭͷίϯςφΛ࡞Δ߈ܸଆɺ๷ޚଆ w߈ܸଆ͸όΠφϦͰϒϥοΫϘοΫεͷϓϩάϥϜ w๷ޚଆ͸"QBDIF NPE@QIQͳ੬ऑͳΞϓϦέʔγϣϯ  TTIͰௐࠪՄೳͳΑ͏ɺγεςϜίϯςφʹͳ͍ͬͯΔ

CJHCSJEHF IUUQTDTLZVTIVVBDKQFOQJUQSP

ߏ੒ Binary Apache MySQL App (PHP) SSHD Attacker Defender

๷ޚଆ͔ΒৄࡉΛɻ wTPWFSMBZͱ͍͏ɺ%PDLFS΍ίϯςφʹಛԽͨ͠γϯϓϧͳJOJUͷ࢓ ૊ΈΛ࢖ͬͯγεςϜίϯςφΛ࡞Δɻ wTTIE ϩάͷͨΊSTZTMPH ɺBQBDIFɺ.Z42-Λࣂ͍ͬͯΔ wPDUPQBTTͰTTIϩάΠϯपΓΛ؆୯ʹ IUUQTHJUIVCDPNKVTUDPOUBJOFSTTPWFSMBZ

߈ܸଆɻ wṖͷόΠφϦ͕͋Δ wઃఆʹ͸ɺ߈ܸઌͷΞυϨεͳͲͷ৘ใ͔͠౉ͤͳ͘ɺͲ͏͍͏߈ܸ Λ͍ͯ͠Δ͔͸Θ͔Βͳ͍ wىಈ͢Δͱɺର৅΁ͷ߈ܸͷ੒ޭࣦഊ͚͕ͩΘ͔Δ wˠ๷ޚଆͷϩάͳͲΛ֬ೝ͠ɺΞϓϦΛվमͯ͠

߈ܸϕϯνϚʔΫͷྲྀΕ w߈ܸଆͰόΠφϦىಈˠ๷ޚଆͰϩάͳͲΛ֬ೝ wˠ๷ޚଆͷઃఆΛมߋͨ͠ΓɺΞϓϦΛվम wˠ࠶౓߈ܸΛ͠ɺࣦഊͨ͠Β๷Ӵ੒ޭʂʂʂ̍

ṖͷόΠφϦ

ͦ͜ͰɺΛ࢖͏

࣮૷ͷྫ

໾ʹཱͭ΋ͷ wIFBE[PPTVSG wঢ়ଶΛอͭ͜ͱ͕Ͱ͖Δ΢ΣϒεΫϨΠύʔϥΠϒϥϦ IUUQTHJUIVCDPNIFBE[PPTVSG

EFNP wʢतۀͰ࢖͏ͱ͍͏͜ͱͰɺৄࡉ͸·ͩφΠγϣʣ

ࠓޙ΍Γ͍ͨ͜ͱ w߈ܸͷόϦΤʔγϣϯΛ૿΍͢ w؆୯ͳରࡦͰ͋ͬͨΒ߈ܸଆͰݟൈ͔Εͯ͢Γൈ͚Δ΍ͭͱ͔ w߈ܸόΠφϦΛ΋ͬͱ೉ಡԽ͢Δ w๷ޚଆɺ1)1Ҏ֎ͷݴޠϑϨʔϜϫʔΫΛ૿΍͢

PT&YJU