ã¯ããã«
é ããªãããä»å¹Žã®yoshi-campããã£ãŠããŸããã ä»åã¯yoshi-camp in æ±åãšããããšã§ãçŠå³¶çäŒæŽ¥è¥æŸåžã§éå¬ããã@kymn_, @meowricator, @y05h1k1ng, @ptrYudai, @theoremoonã®5人ãåå ããŸããã
yoshi-campã£ãŠãªãã«ïŒ
yoshi-campãšã¯ãyoshikingã®yoshikingã«ããyoshikingã®ããã®å匷äŒãã§ãã2幎åãããããå幎ã«1åãããã®ããŒã¹ã§æ¥æ¬ã®åå°ã§éå¬ãããŠããŸãã yoshi-campã¯ãæyoshikingãã»ãã¥ãªãã£ãã£ã³ãã«å¿åããŠèœã¡ãããšãåããŠãã»ãã¥ãªãã£ãã£ã³ãããé«é£æ床é«å質ã®å匷äŒãéãããšããã¢ãããŒã·ã§ã³ã§çãŸãããšããæŽå²ççµç·¯ããããŸãã æ £äŸçã«åå è ã¯å šå¡*1ã2æéã5æé以äžã®æŒç¿ä»ãè¬çŸ©ãããå¿ èŠããããå 容ã¯çºè¡šè ã®èªç±ã§ãããä»ã®åå è ããã®ãªã¯ãšã¹ããããã¯èªåãå匷ããããšæãããšãããŒãã«æ·±ãæ±ããŸãããããŸã§
- LLL, Coppersmith
- Forensics + Malware解æ
- æ¥åæ²ç·æå·
- angr
- Z3
ãªã©ãæ±ãããŠããŸããã
æ±å±±æž©æ³è¡ãšäŒå Ž
äŒæŽ¥è¥æŸé§ ããã¿ã¯ã·ãŒã§15åãæºæ³ããæµãã®æž©æ³ä»ãæ 通ãç«ã¡äžŠã¶æ±å±±æž©æ³è¡ããããŸãã äŒå Žã¯keymoon-universityã®éšæŽ»ãä¿æããŠããå匷äŒçšã¹ããŒã¹ãåããŸããããŸã 誰ã䜿ã£ãããšããªãã£ããããã§ãã
ãããããã€ã³ãïŒ
- ãã¹ã1ã2æéã«1æ¬
- é»è»ã1æéã«1æ¬
- åæ¥ã¯ãã¹ã«å€±æããŠäŒå ŽãŸã§æ©ããŠ1æé
- ãªãããã¹ã®é³å£°æ¡å ãå£ããŠã(?)ãšã®ããšã§é転æã代圹
- åæå±ã£ãœãäŒå Ž
- éšå±ã®åºããã®ãã§ééã倧ããã®ã§åŒã£ããã£ãŠè¶³ãæãã
1-1: AESã«å¯Ÿãããµã€ããã£ãã«æ»æ
åæ¥ã¯æããyoshikingã®è¬çŸ©ã§ãå 容ã¯çžé¢é»å解ææ»æã§ããã å 容ã¯ç解ããã€ããã ãã©å®è£ ãè¿œãã€ããŠãªãã®ã§ããã®è¬çŸ©ã®writeupã¯ä»ã®äººã«ä»»ããŸãã
解説ã¹ã©ã€ãã«AESã®å³ãå ¥ã£ãŠããã®ã§ãããå®ã¯ãããè¥å¹²ééã£ãå³ã«ãªã£ãŠãããšãããã©ããã§ãäºå課é¡ã®AESå éšæ§é ãã¡ãããšäºç¿ããŠããªã人ã¯å šå¡è±èœãããšããã¹ãã«ã¿è¬åž«ã®yoshikingãªãã§ã¯ã®ä»çµã¿ã«ãªã£ãŠããŸãããç§ã¯ç¡äºæ»äº¡ããŸããã æ»äº¡ããã®ã§mitsuåãšæåã®ãã¶ã®è²·ãåºãã«è¡ã£ãã®ã§ããããã®éã«ä»ã®äººã¯åé¡è§£ããŠãŠæ³£ãã¡ãã£ãã
1-2: Multivariate Coppersmith Methodã®ãæ°æã¡ãšå®è£
2ã³ãç®ã¯zer0ptsã§äžçªæã人ãtheoremoonçµé·ã«ããMultivariate Coppersmith Methodãå®è£ ããè¬çŸ©ã§ããã
ååã®yoshi-campã§univariateãªcoppersmithã¯ç解ããã®ã§ãããä»åã¯multivariateã«ãªããŸããã åå€æ°ã®å Žå
ãšããŠå°äœã®äžçããæãåºããŠæ¹çšåŒãå¢ãããŸããã å®ã¯ä»å€æ°ã§ãããããšã¯åãã§ãã®éšåãšããŠãå ã®æ¬¡æ°ãŸã§ã§èããããã®çµã¿åãããå ¥ããã°è¯ãã ãã§ãã
LLLã§ä¿æ°ãç°¡çŽåãããšããå€å€æ°ã®å Žåã¯1ã€ã®åŒã§ã¯æ¹çšåŒã解ããŸããã ãã®ããLLLã§è€æ°è§£ãæ¢ããã°ã¬ãããŒåºåºãçšããŠæ¹çšåŒã解ããŸãã ã¿ãªãããåç¥(?)Howgrave-Graham's Lemmaã¯å€å€æ°ããŒãžã§ã³ããããããã®ã§ããããªããŠãïŒäœèšãªã±ãŒã¹ãå ¥ãã ãã§ïŒå€§äžå€«ã ããã§ãã
äŸé¡ãšããŠzer0pts CTF 2021ã§åºé¡ãããeasy pseudo randomã解ããŸããã
import itertools def my_multivariate_small_roots(f, XYZ, m, t=0): """ My first multi-variate small_roots implementation Args: f: Polynomial XYZ: Maximum value of variables m: Extended degree t: Magic parameter (f^m, xf^m to x^(t-1)f^(m-1)) """ N = f.base_ring().cardinality() d = f.degree() f = f.change_ring(ZZ) xyz = f.parent().gens() """ Step 1. æ¹çšåŒãããå¢ããã """ gs = [] for i in range(m): for degs in itertools.product(range(d), repeat=len(xyz)): # degsã¯åå€æ°ã®æ¬¡æ°ãæã€ïŒx*z^3-->(1,0,3) g_ijk = N^(m-i) * f^i for v, deg in zip(xyz, degs): # äŸãã°x^1, y^0, z^3ãããåããã g_ijk *= v^deg # set X*x to x, Y*y to y, and so on gs.append(g_ijk(*list(map(lambda a: a[0]*a[1], zip(xyz, XYZ))))) for degs in itertools.product([i for i in range(t)], repeat=len(xyz)): h_ijk = f^m for v, deg in zip(xyz, degs): h_ijk *= v^deg gs.append(h_ijk(*list(map(lambda a: a[0]*a[1], zip(xyz, XYZ))))) """ Step 2. æ Œåãé¬æãã """ def coefficient_matrix(polys): # theoremoon's magic monomials = set() for p in polys: monomials = monomials.union(p.monomials()) monomials = sorted(list(monomials)) M = matrix(len(polys), len(monomials)) for i in range(len(polys)): m = polys[i].monomials() c = polys[i].coefficients() for j in range(len(m)): M[i, monomials.index(m[j])] = polys[i].monomial_coefficient( m[j] ) return M, monomials B, monomials = coefficient_matrix(gs) """ Step 3. LLLã§å°ããå€é åŒä¿æ°ãæ±ãã """ l = B.LLL() polys = [] for row in l: if row.is_zero(): continue # [TODO] Howgrave-Graham's theorem? """ Step 4. æ¹çšåŒãæ»ã """ poly = sum(map(lambda a: a[0]*a[1]/a[1](*XYZ), zip(row, monomials))) polys.append(poly.change_ring(QQ)) I = Ideal(polys) # ãã§ããã if I.dimension() == -1: # 倧æå polys.pop(0) # å€ãæ¹çšåŒããåªå ããŠæ¹æ¶ elif I.dimension() == 0: for root in I.variety(ring=ZZ): root = tuple(int(root[var]) for var in f.variables()) yield root # easy pseudo random nbits = 256 d = 2 k = ceil(nbits * (d / (d + 1))) # 171, nbits-k=85 p = 43343132318542115908109143315552470697591037366597387898555021129243891268321 b = 41626875266611172180637084755555430560267242697294225673939722754126407735314 m = 26949942292579858219052254038266486253954430094782895839375885288766769341049 w0 = 736213423532176860355024979639742034476924805552604 w1 = 453768168211027546342885075363551218230698462688285 w0 = w0 << (nbits - k) w1 = w1 << (nbits - k) PR.<x0,x1> = PolynomialRing(GF(p)) f = w0*w0 + 2*x0*w0 + x0*x0 - w1 + b - x1 for r in my_multivariate_small_roots(f, [2**85, 2**85], m=4, t=0): y0, y1 = r v0 = int(w0 + y0) v1 = int(w1 + y1) P.<v> = PolynomialRing(Zmod(p)) F = v^2 + b v = v1 for i in range(5): v = F(v) m ^^= int(v) print(bytes.fromhex(hex(m)[2:]))
å®è£ ãæ°žé ã«ãã°ãããã®ã§å çã«ãããã°ããŠããããŸããããªããã°ã¬ãããŒåºåºãç解ããŠãªãã£ãã®ãæªãã£ããããã
1-3: Linux Kernel Exploitå ¥é
3ã³ãç®ã¯ä»åã®campã§äžçªç°¡åãªLinux Kernel Exploitã®æŒç¿ã§ãã åå è ã«ã¯è匱æ§ã®ããã«ãŒãã«ãã©ã€ããæ»æããŠããããSMAP, SMEP, KPTI, KASLRã1ã€ãã€è¿œå ããŠåçš®ã»ãã¥ãªãã£æ©æ§ã®åœ¹å²ãåé¿æ³ãå匷ããŸããã æéã®éœåã§KASLRã¯çç¥ããŸããããå šå¡åãã®ã§SMAP, SMEP, KPTIãåé¿ããŠæš©éææ Œã§ããŠããŸããã
å°æ¥çã«å ¬éãããããããªããããªããããããªãã®ã§ãããçŸåšpwnãå匷ããããã®Webãµã€ããäœã£ãŠããŸãã å 容ã¯Linux Userland/Kernel, Windows Userland/Kernel, Browser, VMã§ããäžçå®æããªãããã
ä»åã¯è¬çŸ©è³æãšããŠãã®Webãµã€ãã®Linux Kernelã®éšåãå©çšããŸãããäžçå®æããªãããïŒäºåç®ïŒãªã®ã§äžéšãæ«é²ç®ããŠãããŸãã
äžçå®æããªããããïŒäžåç®ïŒ
2-1: ç«ã§ããããè¶ æ¥åæ²ç·
2æ¥ç®ã¯çã®æå·åŠè ã§ããmitsuåã«ããè¶ æ¥åæ²ç·ãšããã䜿ã£ãæå·ã®åçãšå®è£ ã§ãã æ¥åæ²ç·ã®(CTFåã)è¬çŸ©ã¯æç§ããããŸããããä»åã®ã¯ããæ·±ãæ°åŠçåŽé¢ããæå·ã«çµã³ã€ããã¬ãè¬çŸ©ã§ããã
ä»ãŸã§åœããåã®ããã«çš®æ°1ã®æ¥åæ²ç·ãã觊ã£ãŠããŸããã§ããããä»åã¯çš®æ°ããã倧ããè¶ æ¥åæ²ç·ãå匷ããŸããã ãŸãWeierstrassã®é¢æ°ã®ãã©ã¡ãŒã¿ããçæãããæ Œåãèãããšãããšè€çŽ ããŒã©ã¹äžã®ç¹ãååã§ãããšããå€ã®ç¥èã埩ç¿ããŸããã ããèãããšäœçžå¹Ÿäœã«ãããçš®æ°ã®èãæ¹ãæ¥åæ²ç·ã§äœ¿ã£ãŠãã®ãèªç¶ã ããããšãã話ã«ãªããŸããããŸãããªãã
ãŸãã¯è¶ æ¥åæ²ç·ã®æšæºåœ¢ã®ãå匷ã§ãã è¶ æ¥åæ²ç·ã«ã€ããŠãšããå€æãããŸãã ããã§åºãŠããåŒ
ãè¶ æ¥åæ²ç·ã®æšæºåœ¢ãšãªããŸããæ²ç·ãå®çŸ©ãããç¹ãå®çŸ©ããŸãã åºæ¬çã«ã¯æ¥åæ²ç·ãšå€ãããŸããããåæ°ã¯ãšãªããŸãã 次ã«åº§æšç°ãå€é åŒãæçé¢æ°ã«ã€ããŠå®çŸ©ããŸããããé·ããªãã®ã§çç¥ããŸãã
ãã®åŸWeil Pairingã§ããªãã¿å åã®è©±ãåºãŠããŸããè¶ æ¥åæ²ç·ã®ãŒãå å矀ããäž»å å矀ããšãããšããå°äœçŸ€
ãã€ã³ãã¢ã³ãšåŒã³ãŸãã什åã®ã€ã³ãã¢ã³ããšmitsuå ççŽäŒã®ã€ã³ãã¢ã³ã«äžåæåã
ãã®ä»£è¡šå ãè¡šçŸããææ³ãšããŠMumfordè¡šçŸããããŸãã Mumfordè¡šçŸã«å¯ŸããŠã¯é«éãªå ç®ã¢ã«ãŽãªãºã ãããã®ã§å¬ãããããã ãããMumfordè¡šçŸã¯å被çŽå åã«ã®ã¿äžããããŸããããã¯ã次ã®æ¡ä»¶ãæºããå åã®ããšãèšããŸãã
- ãåå²ç¹ãªãã°
1ã®ç¡éé ç¹ã¯å åã®æ¬¡æ°ã0ã«ããããã«æžç®ãããŠããŸãã2ã¯Pã®åæ°ãååšããªãããšãèšã£ãŠããŸãã3ã¯åå²ç¹ãè€æ°æããªããšããæ¡ä»¶ã§ãã ã¡ãªã¿ã«ãå¿ ãã®å ã®ä»£è¡šå ãšããŠå被çŽå åãæã£ãŠããããšãã§ãããããã ããã«å¯ŸããŠMumfordè¡šçŸã¯æ¬¡ã®ããã«å®çŸ©ã§ããŸãã
äœäžã®è¶ æ¥åæ²ç·ã«ãããå被çŽå åã®Mumfordè¡šçŸãšã¯ãã®çµã®ããšã§ããã ã¯ãšããããšãã次ãæºãããã®ã§ããã*2
ããããŠyoshikingã¯å被çŽå åéå®å£«ã«ãªã£ãã®ã§ãã£ãã»ã»ã»ïŒå®ïŒ
ãããæå·ã«äœ¿ãããåé¡ãªã®ã§ããã䜿ããŸããã ãªããªãå被çŽå åã¯ã®å ãäžæã«è¡šçŸã§ããªãããã§ãã ããã§è¢«çŽå åãšããã®ãç»å ŽããŸãã ããã¯å被çŽå åã«ã€ããŠã次æ°ãçš®æ°ããå°ãããããªãã¡ãšããæ¡ä»¶ãä»ãããã®ã§ãã
ããããããã§ããŸã åé¡ããããŸãã äžè¬ã«ãç¡éäœæ°ãªã®ã§ã€ã³ãã¢ã³ãç¡éäœæ°ãšãªã£ãŠããŸããæ²ããçµæã§çµãããŸãã ããã§ã€ã³ãã¢ã³ã®æééšå矀ãèããŸããçŸç¶
ã§ããã*3 ããã
ãšããŸããæå·ãšããŠã¯ãªã©ãšçœ®ããŸãã ããšã¯è¶ æ¥åæ²ç·æå·ã§ãããããã¯æ¥åæ²ç·åãããã€ã³ãã¢ã³äžã®é¢æ£å¯Ÿæ°åé¡ã«åºã¥ããŠå®çŸ©ã§ããŸãã æåŸã«è¶ æ¥åæ²ç·æå·ã§æå·åã»åŸ©å·ããã¹ã¯ãªãããæžããŠçµäºããã
ç§ã¯å®è£ ããŒããæ©ãçµãã£ãã®ã§yoshikingãšåèªãããã¶ã®è²·ãåºãã«è¡ã£ãŠããã®ã§ãããåž°ã£ãŠãããä»ã®äººãããçºå±çãªè©±é¡ãããŠãŠæ³£ãã¡ãã£ãã
2-2: å®è·µã»æççµè·¯åé¡
æåŸã¯key-å šåŒ·-moonããã®æççµè·¯åé¡ã®è¬çŸ©ã§ããã keymoonå çã¯åŒ·ãããããšãäžè¬ã«ç¥ãããŠããã®ã§ãåæ¥ã®å€ã«ã¿ããªã§è¬çŸ©è³æãäºç¿ããŠããŸããã ç§ã¯ç«¶æããã°ã©ãã³ã°ãèŠæã§ãã¶ãAtCoderãšããã£ããç°è²ãã転èœããå¯èœæ§ãããããŸãã ä»åã®ShortestPathã©ã€ãã©ãªã®ç¶æ é·ç§»ã®èãæ¹ã¯éåžžã«ããããããã競ããã£ãœãåé¡ã解ãããšãã§ããŸããã ãã€ãCTFã§äœ¿ããã°è¯ãã§ãããã§ãCTFã«ç«¶ããèŠçŽ ã¯ããŸãå ¥ããªãã§æ¬²ãã掟ã
å 容ã¯é女ã®ãè¶äŒã§keymoonãããçºè¡šããŠãã
ãšåãã§ããæ¬äººè§£èª¬ãããåè¥å¹²äžäœäºæããªãã ãããâã«æžããŠããã®ã§ç§ããæžãããšã¯ãªãã
ptrlibã§ã¯äŸ¿å©utilityã®PR/ææ¡IssueããåŸ ã¡ããŠããŸãã
ããŸãïŒæç«çæŠ
æ 通ã§ã¯zer0ptsæ匷ã®æ£å£«ã決ããæç«çæŠãéãããŸããã*4 èªåãé¢äžãã察å±ã®æŠåã¯ãããªæãã§ããïŒ
- 第äžå±ïŒè¹å²ãæ¥æŠ(mitsu) vs åéé£è»çŸæ¿(ptr)
- 第äºå±ïŒå³åéé£è»(mitsu) vs åéé£è»çŸæ¿(ptr)
- 第äžå±ïŒåéé£è»(mitsu) vs ãšã«ã¢æ¥æŠ(ptr)
- 第åå±ïŒåéé£è»(theoremoon) vs å± é£è»ç©Žç(ptr)
- 第äºå±ïŒå³åéé£è»å·ŠçŸæ¿(mitsu) vs éæš(ptr)
- 第å å±ïŒåæç¶æ æ©é£è§å šæ5ç§åãè² ã*5(yoshiking) vs æšæºç¶æ (ptr)
çé¢ç®ã«äººéãšå°æ£ãæããã®ã¯ä¹ ãã¶ãã§æ¥œããã£ãã§ããäžç€åãããªãã®ã§äžç€ã§å§åçå·®ãä»ããªããšèŠããããšã«ãªãã
*1:äŒå Žã貞ããŠããã人ã¯å®ã¯äœãããã«åå å¯èœ
*2:ããå æžã¯ãŠãªã®TeXèšæ³äœ¿ãã«ããããããçŽããŠãã
*3:ãã®æ°åŒãã¯ãŠãªTeXã§æ£ãã衚瀺ãããã®ã«3å幎ããã£ãã
*4:ãªããå°æ£ãç¡æ貞åºã ã£ãã®ã§éãã§ãã ããšãã説ããã
*5:æéåããŠãæãç¶ããã®ã§åãè² ãã§ã¯ãªã