
About Spectre

Yuki Saito
August 03, 2018

Presented at the Sumida Security Study Group (すみだセキュリティ勉強会)


Transcript

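  1. Self-introduction
     • Name: Yuki Saito
     • Interests:
       • Security in general, including reverse engineering
       • Machine learning
     • Background
       • Security Camp National Convention
       • Former Microsoft Student Partner
       • Currently a security engineer? (security-related work)
     • Things I would like to try
       • Running a honeypot at home
       • Developing security-related OSS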
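  2. The Spectre uproar
     Right at the start of 2018, an uproar hit the processor industry!
     Processor vulnerabilities called Spectre and Meltdown were discovered. It was announced that Meltdown affects Intel CPUs and some ARM CPUs, and that Spectre may be inherent in all processors from Intel, AMD, ARM and others.
     Project Zero, Google's security team, had identified the serious security vulnerabilities caused by "speculative execution" as of June 2017 and had notified chip vendors such as Intel, AMD and ARM.
     Disclosure was then scheduled for Microsoft's Patch Tuesday on January 9.
     However, on January 2 the British IT publication The Register reported that "a hardware change is required, and security countermeasures in software cause a major drop in performance", which threw the industry into confusion!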
  3. The vulnerabilities that were discovered
     • Variant 1: bounds check bypass (CVE-2017-5753)
     • Variant 2: branch target injection (CVE-2017-5715)
     • Variant 3: rogue data cache load (CVE-2017-5754)
     • Variant 3a: Rogue System Register Read (CVE-2018-3640)
     • Variant 4: Speculative store bypass (CVE-2018-3639)
     Variant 1 and Variant 2 are the vulnerabilities called Spectre; Variant 3 is the vulnerability called Meltdown.
     The cause is speculative execution, a mechanism for improving CPU performance, and all of these vulnerabilities are classified as side-channel attacks.
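  4. Incidents after the disclosure
     • Malware samples targeting Meltdown and Spectre found in large numbers
       • AV-TEST Institute found samples that appear to be forerunners of malware attempting to exploit the Meltdown and Spectre vulnerabilities present in CPUs.
         https://japan.cnet.com/article/…
     • Beware of malware disguised as Spectre and Meltdown patches
       • Malware disguised as a patch exists and leads to infection with Smoke Loader.
         https://news.mynavi.jp/article/…
     • Intel changes its processor design in response to Spectre and Meltdown
       • Intel was asked for an explanation by the US Congress on the grounds that it had taken the vulnerabilities too lightly, and was further hit with numerous class-action lawsuits.
         https://japanese.engadget.com/…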
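  5. What is Spectre?
     • Variant 1: bounds check bypass (CVE-2017-5753)
       One instruction causes a memory region of another process, which normally cannot be read, to be loaded into the cache. Another instruction then checks the read speed of memory in the "cached region", which makes it possible to infer the contents of that memory region.

     • Variant 2: branch target injection (CVE-2017-5715)
       This variant uses the indirect branch predictor. In one VM, branches are tuned so that an unintended program is invoked. The tuned prediction table then causes speculative execution from a memory address in the other VM.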
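  6. Overview of the Spectre vulnerability
     [Diagram: a software layer (Application A, Application B, …, OS) above a hardware layer (CPU), with the vulnerability in the CPU. Each application has its own memory region; the vulnerability allows reading memory regions that normally cannot be accessed.]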
  7. What is speculative execution?
     [Diagram: instructions flowing through the pipeline stages Fetch, Decode, Execute and WriteBack, shown once for normal execution (with time loss) and once for speculative execution.]
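  8. bounds check bypass (CVE-2017-5753)
     • If the if condition has been true in most previous runs, then even when the condition is false, speculative execution runs ahead past the branch instruction.
     • The value of x is freely manipulated so that array1[x] refers to the memory address to be read.
     • array1[x] * 256 is used as the index into array2, so the array2 entry that corresponds to the value of array1[x] is loaded from memory and cached.
     • Once the array1_size check is found to be false, the speculatively loaded array2 data is discarded, but it remains in the caches (L1, L2, L3 and so on).
     • Because that array2 entry is still in the cache, the candidate addresses are accessed in order, and the one with the fast read speed gives the value of the array1 memory.

     if (x < array1_size) y = array2[array1[x] * 256];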
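  9. branch target injection (CVE-2017-5715)
     An attack that uses speculative execution, the BTB (branch target buffer) and indirect branch instructions.
     • What is an indirect branch instruction?
       • An instruction whose branch target is specified by the value of a register or memory
       • On x86-family CPUs, call, jmp and so on
     • Which instructions get executed speculatively? → Check the BTB!
     • What is the BTB (Branch Target Buffer)?
       • A buffer that stores branch targets keyed by the address of the branch source
       • The branch target address is predicted from some of the bits of the branch source address
       • Even when one physical core is split into multiple logical cores, the prediction table (BTB) used for indirect branch prediction is shared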
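  10. Countermeasures by OS
     • Windows
       An update for Windows ("KB…") has been published.
     • Mac
       The "macOS High Sierra … Supplemental Update" applies Spectre countermeasures in addition to the Meltdown countermeasures.
     • Linux
       The latest version of the Linux kernel has been released. This version also adds countermeasures for the Spectre and Meltdown vulnerabilities.
     • Updates have also been released for Android, iOS, CentOS and Red Hat.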
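The bounds-check pattern from slide 8 next to a hardened form, as an added example that is not part of the original deck: the index is clamped with a branchless mask, using the same arithmetic as the generic array_index_mask_nospec() in the Linux kernel, so a mispredicted branch cannot use an out-of-range x. The function names, the init_tables() helper and the sample data are assumptions; GCC or Clang is assumed for the inline asm barrier.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed sample data; the array names follow the slide's code line. */
static uint8_t array1[16] = {3, 1, 4, 1, 5, 9, 2, 6, 5, 3, 5, 8, 9, 7, 9, 3};
static size_t  array1_size = sizeof(array1);
static uint8_t array2[256 * 256];

/* Hypothetical helper: give every 256-byte slot of array2 a distinct value. */
void init_tables(void)
{
    for (size_t i = 0; i < 256; i++)
        array2[i * 256] = (uint8_t)(i ^ 0x5A);
}

/* The pattern from the slide: only the branch guards array1[x]. */
uint8_t lookup_unsafe(size_t x)
{
    uint8_t y = 0;
    if (x < array1_size)
        y = array2[array1[x] * 256];
    return y;
}

/*
 * Branchless mask: all ones when index < size, zero otherwise.
 * Assumes size <= PTRDIFF_MAX and an arithmetic right shift of negative
 * values (implementation-defined in C; true for GCC and Clang).
 */
size_t index_mask_nospec(size_t index, size_t size)
{
    /* Hide index from the optimizer so the mask is always computed. */
    __asm__ volatile("" : "+r"(index));
    ptrdiff_t v = ~(ptrdiff_t)(index | (size - 1 - index));
    return (size_t)(v >> (sizeof(ptrdiff_t) * CHAR_BIT - 1));
}

/* Hardened form: the index is data-dependent on the bounds check, so a
 * mispredicted branch can only ever read array1[0]. */
uint8_t lookup_safe(size_t x)
{
    uint8_t y = 0;
    if (x < array1_size) {
        x &= index_mask_nospec(x, array1_size);
        y = array2[array1[x] * 256];
    }
    return y;
}
```

Both functions return the same results for every x; the difference is only in what the CPU can touch while the branch outcome is still being predicted.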