Spectreについて

Transcript

1. 4QFDUSFʹ͍ͭͯ 2018/08/04 
 ͢ΈͩηΩϡϦςΟษڧձ 
 @saiyuki1919
   

2. ࣗݾ঺հ w ໊લɿᴡ౻
   ༔ر 4BJUP
   :VLJ
   w झຯɿ
   w ϦόʔεΤϯδχΞϦϯάͳͲͷηΩϡϦςΟશൠ
   w

   ػցֶश
   w ܦྺ
   w ηΩϡϦςΟɾΩϟϯϓશࠃେձ
   w ݩ
   .JDSPTPGU
   4UVEFOU
   1BSUOFST
   w ݱηΩϡϦςΟΤϯδχΞʁ ηΩϡϦςΟؔ࿈ۀ຿
   w ࠷ۙ΍ͬͯΈ͍ͨ͜ͱ
   w ϋχʔϙοτͷࣗ୐ӡ༻
   w ηΩϡϦςΟؔ࿈ͷ044ͷ։ൃ
   

3. ໨࣍  4QFDUSFͷҰ࿈ͷࣄ݅
    ൃݟ͞Εͨ੬ऑੑͱ͸ʁ
    ߈ܸͱରࡦ
   

4. 4QFDUSFͷҰ࿈ͷ૽ಈ 2018೥ਖ਼݄ૣʑɺϓϩηοαۀքʹ૽ಈ͕ى͖ͨʂ SpectreʢεϖΫλʔʣͱMeltdownʢϝϧτμ΢ϯʣͱݺ͹ΕΔϓϩηοαͷ੬ऑੑ͕ൃݟ͞Εͨɻ Meltdown͸Intel੡CPUͱARM ੡ CPU ͷҰ෦͕ӨڹͰɺSpectre͸IntelɾAMDɾARMͳͲͷ͢΂ͯͷ ϓϩηοαʹ಺ࡏ͢ΔՄೳੑ͕͋Δͱൃද͞Εͨɻ GoogleͷηΩϡϦςΟରࡦ෦໳Project Zero͸ɺʮ౤ػత࣮ߦʯʹΑͬͯҾ͖ى͜͞ΕΔਂࠁͳη

   ΩϡϦςΟ্ͷ੬ऑੑΛ2017೥6݄ͷஈ֊Ͱ೺Ѳ͠ɺIntelɺAMDɺARMͳͲͷνοϓϕϯμʔʹ௨஌ ͍ͯͨ͠ɻ
 ͦ͜ͰɺMircosoft͸1݄9೔ͷPatch TuesdayͰdisclose͞ΕΔ༧ఆͰͨ͠ɻ
 ͔͠͠ɺΠΪϦεͷITࢽʮThe Registerʯ͕1݄2೔ʹ
 ʮϋʔυ΢ΣΞͷมߋ͕ඞཁͰ͋Γɺιϑτ΢ΣΞͰͷηΩϡϦςΟରࡦ͸ύϑΥʔϚϯεͷେ෯ͳ ௿ԼΛҾ͖ى͜͢ʯ
 ͱൃදͨ͠ͷͰɺۀքΛࠞཚͤͨ͞!
   

5. ൃݟ͞Εͨ੬ऑੑ • Variant 1: bounds check bypass (CVE-2017-5753)
 • Variant

   2: branch target injection (CVE-2017-5715)
 • Variant 3: rogue data cache load (CVE-2017-5754)
 • Variant 3a: Rogue System Register Read (CVE-2018-3640)
 • Variant 4: Speculative store bypass (CVE-2018-3639)
 ʮVariant 1ʯͱʮVariant 2ʯ͕Spectre
 ʮVariant 3ʯ͕Meltdownͱݺ͹ΕΔ੬ऑੑͰ͢ɻ
 CPUੑೳ޲্ͷͨΊͷʮ౤ػత࣮ߦ(Speculative Execution)ʯͱ͍͏࢓૊Έ͕ݪҼ Ͱɺ͍ͣΕͷ੬ऑੑ΋αΠυνϟωϧ߈ܸʹ෼ྨ͞Ε·͢ɻ
   

6. αΠυνϟωϧ߈ܸͱ͸ αΠυνϟωϧ߈ܸ͸ి࣓೾΍೤ɺిྗྔ΍ॲཧ࣌ؒͷҧ͍ͳͲΛ ෺ཧతखஈͰ؍࡯͢Δ͜ͱͰख͕͔ΓΛಘΑ͏ͱ͢Δ΋ͷͰ͢ɻ
 
 αΠυνϟωϧͱ͸ɺਖ਼نͷೖग़ྗܦ࿏Ͱ͸ͳ͍͜ͱΛҙຯ͓ͯ͠Γɺ ΞϧΰϦζϜͱ͸ҟͳΔ෭࣍త৘ใͰ͋Δ͜ͱ͔Β͜ͷΑ͏ʹݺ͹Ε ͍ͯ·͢ɻ IUUQJPUKQDPNJPUTVNNBSZJPUUFDI &#&"&&&"&%&"#&## &&'#$TJEFDIBOOFMBUUBDL&'#$IUNM

   Ҿ༻ݩ
   

7. ΠϯύΫτ w Ϋϥ΢υαʔϏε΍.41
 Ϩϯλϧαʔό΍ɺ*BB41BB4౳ͷ7.Λಈ͔͢Ϋϥ΢υαʔϏεͷࣄۀ ऀ౳ʹ͸େ͖ͳΠϯύΫτΛ༩͑ͨɻ
 w ϓϩηοαۀք
 4QFDUSF͸*OUFM͚ͩͰͳ͘ɺ".%΍"3.ͳͲͷνοϓશൠʹؔ܎͢Δ੬ ऑੑͰ͋Γɺ1$͚ͩͰͳ͘"3.ϕʔεͷ$16Λ࠾༻͢ΔεϚʔτϑΥϯ ΛؚΊͨɺΑΓ޿͍୺຤ʹӨڹΛٴ΅͔͠Ͷͳ͍ͱ͍͏͜ͱͰେ͖ͳ࿩୊

   ͱͳͬͨɻ
   

8. ެදޙʹى͖ͨࣄ݅ w ʮ.FMUEPXOʯʮ4QFDUSFʯΛૂ͏Ϛϧ΢ΣΞαϯϓϧɺେྔʹൃݟ
   w "75&45
   *OTUJUVUF͸ɺ$16ʹଘࡏ͢Δʮ.FMUEPXOʯ͓Αͼʮ4QFDUSFʯ੬ऑੑΛѱ༻͠Α͏ ͱ͢ΔϚϧ΢ΣΞͷઌۦ͚ͱݟΒΕΔαϯϓϧݸΛൃݟͨ͠ɻ
 IUUQTKBQBODOFUDPNBSUJDMF
 w ʮ4QFDUSFʯʮ.FMUEPXOʯͷύονΛِ૷ͨ͠Ϛϧ΢ΣΞʹ஫ҙ
   w

   ύονΛِ૷ͨ͠Ϛϧ΢ΣΞ͕ଘࡏ͠ʮ4NPLF
   -PBEFSʯ΁ͷײછΛଅ͢
 IUUQTOFXTNZOBWJKQBSUJDMF
 w Πϯςϧɺ4QFDUSFɾ.FMUEPXOରԠͰϓϩηοαʔઃܭΛมߋ
   w Πϯςϧ͸੬ऑੑΛܰࢹ͍͗ͯͨ͢͠ͱͯ͠ɺถࠃٞձ͔Βઆ໌ΛٻΊΒΕɺ͞Βʹ໿݅΋ ͷूஂૌুΛى͜͞Εͨ
 IUUQTKBQBOFTFFOHBEHFUDPNTQFDUSFNFMUEPXO
   

9. 4QFDUSFͱ͸ • Variant 1: bounds check bypass (CVE-2017-5753)
 ͋Δ໋ྩͰຊདྷɺಡΈࠐΉ͜ͱ͕Ͱ͖ͳ͍ଞϓϩηεͷϝϞϦʔྖҬΛΩϟογϡ ʹಡΈͩͤ͞ɺผͷ໋ྩͰʰΩϟογϡྖҬʱͷϝϞϦͷread଎౓ΛνΣοΫ͢Δ

   ͜ͱͰϝϞϦྖҬͷ಺༰ΛਪఆͰ͖Δɻ
 
 • Variant 2: branch target injection (CVE-2017-5715)
 ʮؒ઀෼ذ༧ଌثʯΛར༻͢Δ΋ͷͰɺยํͷVMͰ෼ذΛෆਖ਼ͳϓϩάϥϜΛݺ ͼग़ͨ͢Ίʹௐઅ͠·͢ɻௐઅͨ͠༧ଌςʔϒϧΛ΋͏ยํͷVMͰϝϞϦΞυϨ ε͔Β౤ػ࣮ߦͤ͞Δɻ
   

10. 4QFDUSFͷ੬ऑੑ֓ཁ ι ϑ τ ΢ Σ Ξ ϋ
    c
    υ

    ΢ Σ Ξ ΞϓϦέʔγϣϯ" ΞϓϦέʔγϣϯ# ɾɾɾ 04 $16 ੬ऑੑ ௨ৗ͸ΞΫηεͰ͖ͳ͍ϝϞϦྖҬಡΈࠐΉ ϝϞϦྖҬ
    ɹϝϞϦྖҬɹ
    ϝϞϦྖҬ
    

11. ౤ػ࣮ߦͱ͸ 'FUDI %FDPEF &YFDVUF 8SJUF#BDL ໋ྩ ໋ྩ ໋ྩ ໋ྩ ໋ྩ

    ໋ྩ ໋ྩ ໋ྩ ໋ྩ ໋ྩ ໋ྩ ໋ྩ 'FUDI %FDPEF &YFDVUF 8SJUF#BDL ໋ྩ ໋ྩ ໋ྩ ໋ྩ ໋ྩ ໋ྩ ໋ྩ ໋ྩ ໋ྩ ໋ྩ 5JNF
    MPTT ௨ৗ ౤ػ࣮ߦ
    

12. bounds check bypass (CVE-2017-5753)  JGจͷ಺༰͕USVFʹͳ͍ͬͯΔύλʔϯ͕ଟ͚Ε͹ɺJGจͷ಺༰͕GBMTFͰ΋౤ػ࣮ ߦʹΑΓ෼ذ໋ྩΛ௒͑ͯઌʹ࣮ߦ͞ΕΔ
     Yͷ஋Λࣗ༝ʹૢ࡞ͯ͠ɺBSSBZ<Y>Ͱݺͼग़͍ͨ͠ϝϞϦΞυϨεʹ͢Δ
    

    BSSB<Y>
    
    
    ͰBSSBZͷΩϟογϡϥΠϯ෼ΛBSSBZͰࢦఆ͠ϝϞϦʔʹอଘ ͠Ωϟογϡ͢Δ
     BSSBZ@TJ[Fͷॲཧ͕GBMTFͱΘ͔Ε͹ɺBSSBZ͸ϝϞϦʔ͔Βഁغ͞ΕΔ͕-- -౳Ωϟογϡʹ͸࢒Δ
     BSSBZ͸---౳ʹΩϟογϡʹ৐͍ͬͯΔͷͰɺ͔ΒͰ૬౰͢ΔΞυϨ εʹॱংʹΞΫηε͠ɺSFBE଎౓͕ૣ͔ͬͨͱ͜Ζ͕BSSBZͷϝϞϦͷ஋ʹͳΔ if (x < array1_size) y = array2[array1[x] * 256];
    

13. branch target injection (CVE-2017-5715) ౤ػ࣮ߦͱ#5# ෼ذઌόοϑΝ ͱؒ઀෼ذ໋ྩΛར༻ͨ͠߈ܸͰ͢
    ؒ઀෼ذ໋ྩͱ͸
 
    ෼ذઌ͕Ϩδελ΍ϝϞϦͷ஋ʹΑͬͯࢦఆ͞ΕΔ໋ྩ
 
    YͰ͸DBMMͱKNQͳͲ


    
    ౤ػ࣮ߦʹΑ࣮ͬͯߦ͞ΕΔ໋ྩ͸ʁɹ὎
    #5#Λ֬ೝʂ
    #5#
    #SBODI
    5BSHFU
    #V⒎FSͱ͸
 
    ෼ذઌΛ෼ذݩΞυϨεͰอଘ͢ΔόοϑΝ

    
    
    
    
    ෼ذݩͷϝϞϦΞυϨεͷ಺ͷCJUΛݩʹ෼ذઌͷ
 ɹɹϝϞϦΞυϨεΛ༧ଌ͍ͯ͠Δ
 
    ͭͷ෺ཧίΞΛͭͷ࿦ཧίΞʹ෼ׂͯ͠΋ؒ઀෼ذ༧ଌʹ࢖ΘΕΔ༧ଌ

    
    ςʔϒϧ #5# ͸ڞ༗͞ΕΔ
    

14. #)#
    #SBODI
    )JTUPSZ
    #V⒎FSͱ͸ աڈͷ෼ذ༧૝݁Ռͷ౰ͨΓ֎ΕΛه࿥͢ΔόοϑΝ
    
    ௚ۙ໿ճ෼ͷཤྺΛอ؅͍ͯ͠Δ
 
    ෼ذύλʔϯΛ
    #)#Ͱݟ͚ͭΔͱɺ෼ذઌΛ#5#ʹ୳͠ʹߦ͘
    

15. branch target injection (CVE-2017-5715)  ϢʔβۭؒͰ#)#Λʮֶशʯͤ͞Δ
 
    #)#ͷֶशͷͨΊʹճ෼͸࠶ݱ͢Δ
     ผͷεϨουͰ༠ಋ͍ͨ͠ΞυϨε΁ͷ෼ذΛ܁Γฦ͠ɺ#5#ͷ෼ ذઌͷΞυϨεΛ࣮ߦ͍ͨ͠ෆਖ਼ͳ໋ྩͷΞυϨεʹઃఆ͢Δ
    

     ౤ػ࣮ߦʹΑͬͯෆਖ਼ͳ໋ྩΛ࣮ߦͤ͞Δ
    

16. ૝ఆ͞ΕΔ߈ܸ w ύεϫʔυ΍ΫοΩʔɺ҉߸ݤͷ಺༰Λ౪ௌ͞ΕΔՄೳੑ͕͋Δ
    w ϓϩάϥϜΛഁյ͞ΕΔՄೳੑ͕͋Δ
    ʲ૝ఆ͞ΕΔγφϦΦʳ
    
    944ʹΑΔ੬ऑੑ͔ΒJGSBNFΛ࢓ֻ͚Δ
    
    λϒ಺ͷJGSBNF΍ϙοϓΞοϓͰผͷαΠτ͕ಡΈࠐ·ΕΔ৔߹ ͸ϝΠϯλϒͱಉҰϓϩηεͰಈ͍͍ͯΔͷͰ4QFDUSFΛ࣮ߦ
    
    4QFDUSFʹΑͬͯɺΫοΩʔ΍ύεϫʔυͳͲͷ৘ใΛऔಘ


    ·ͨ͸ɺϓϩάϥϜͷఀࢭ
    

17. ରࡦ w (PPHMF
    $ISPNF
 ʮ4QFDUSFʯͱݺ͹ΕΔ੬ऑʢ͍ͥ͡Ό͘ʣੑ͕8FCϒϥ΢βܦ༝Ͱѱ༻ ͞ΕΔ͜ͱΛ๷͙ͨΊʮαΠτ෼཭ʢ4JUF
    *TPMBUJPOʣʯͱݺ͹ΕΔରࡦ ػೳΛσϑΥϧτͰ༗ޮʹͨ͠
 
 4JUF
    *TPMBUJPOΛ༗ޮʹ͢Ε͹ɺ֤8FCαΠτ͕ಠཱͨ͠ϓϩηεͰಡΈ ࠐ·ΕΔΑ͏ʹͳΓɺෆਖ਼ͳ8FCαΠτ͕ϢʔβʔͷΞΧ΢ϯτ΍ଞͷ 8FCαΠτʹΞΫηεͨ͠Γɺ৘ใΛ౪ΜͩΓ͢Δ͜ͱ͕೉͘͠ͳΔ
    

    "OESPJE޲͚ͷ$ISPNFʹ΋ର৅Λ֦େ͢Δํ਑
    

18. ֤04͝ͱͷରࡦ w 
    8JOEPXT
 8JOEPXT޲͚ͷߋ৽ϓϩάϥϜʮ,#ʯΛެ։
    w 
    .BD
 lNBD04
    )JHI
    4JFSSB
    
    4VQQMFNFOUBM
    6QEBUFz
    Ͱɺ.FMUEPXO ରࡦʹՃ͑ɺ4QFDUSFରࡦ͕ద༻͞Ε͍ͯΔ
    w 
    -JOVY


    -JOVYΧʔωϧͷ࠷৽൛ʢʣ͕ϦϦʔε͞Εͨɻ͜ͷόʔδϣϯͰ ͸ɺʮ4QFDUSF.FMUEPXOʯͷ੬ऑੑ΁ͷରࡦ΋௥Ճ͞Ε͍ͯΔɻ
    w "OESPJE
    J04
    $FOU04
    3FE)BU΋Ξοϓσʔτ͕ϦϦʔε͞Ε͍ͯΔ
    

19. ·ͱΊ w 4QFDUSFͷҰ࿈ͷ૽ಈ
 ɾൃݟ͞Εͨ੬ऑੑ
 ɾαΠυνϟωϧ߈ܸͱ͸
 ɾΠϯύΫτ
 ɾެදޙʹى͖ͨࣄ݅
    w 4QFDUSFͷ੬ऑੑͷ֓ཁ
    
    ౤ػ࣮ߦͱ͸
 ɾCPVOET
    DIFDL
    CZQBTT
    ($7&)


    ɾCSBODI
    UBSHFU
    JOKFDUJPO
    ($7&) • ૝ఆ͞ΕΔ߈ܸ / ରࡦ
 ɾChrome Site Isolationػೳ
 ɾOS͝ͱͷରࡦ
    

20. ࢀߟจݙ w 4QFDUSF#VTUFST͋Δ͍͸-JOVYʹ͓͚Δ4QFDUSFରࡦ
 IUUQTXXXTMJEFTIBSFOFUNIJSBNBUTQFDUSFCVTUFSTMJOVYTQFDUSF
    w ʮϝϧτμ΢ϯʯͱʮεϖΫλʔʯɺڪΖ͍ۙ͠୅$16ͷ੬ऑੑΛղઆ
 IUUQTMPHNJKQ
    w 1SPKFDU;FSP
 IUUQTHPPHMFQSPKFDU[FSPCMPHTQPUDPNSFBEJOHQSJWJMFHFENFNPSZXJUITJEFIUNM
    

    w ୈճ
    େ૽͗ͷ4QFDUSFͱ.FMUEPXOͷ੬ऑੑΛͬ͘͟Γͱղઆ
 IUUQXXXBUNBSLJUDPKQBJUBSUJDMFTOFXTIUNM
    w ʲਤղʳ$16ͷ੬ऑੑ
    <4QFDUSF>
    <.FMUEPXO>
    ͸۩ମతʹͲͷΑ͏ͳ࢓૊ΈͰ߈ܸ͢ Δʁ
 IUUQTNJMFTUPOFPGTFOFTVLFDPNTWBEWBODFETWTFDVSJUZNFMUEPXOTQFDUSF
    w ੈؒΛ૽͕͢ʮϓϩηοα੬ऑੑʯɹԿ͕ຊ౰ͷ໰୊ͳͷ͔
 IUUQXXXJUNFEJBDPKQQDVTFSBSUJDMFTOFXTIUNM
    

21. ࢀߟจݙ w αΠυνϟωϧ߈ܸʢTJEFDIBOOFM
    BUUBDLʣ
 IUUQJPUKQDPNJPUTVNNBSZJPUUFDI &#&"&&&"&%& "#&##&&'#$TJEFDIBOOFM BUUBDL&'#$IUNM
    w ʮ4QFDUSFʯʮ.FMUEPXOʯͷରࡦޙͷύϑΥʔϚϯεൺֱ
 IUUQXXXQPSUXFMMDPKQCMPHTQFDUSF@NFMUEPXO