Thursday, September 24, 2015

Neverbleed - Isolating RSA private key operations in a separate process

Splitting a program into one process per function and running each of them under separate privileges, so that the impact of a vulnerability is contained, is a design pattern frequently seen in programs above a certain size.

qmail is well known as a mail delivery daemon designed this way, and OpenSSH is likewise designed so that, by separating the authentication process from the communication process, root privileges cannot be taken even if there is a bug in the code that handles communication with the outside world (see: Privilege Separated OpenSSH).

OpenSSL, on the other hand, implements no such privilege separation. The reason the server's private key leaked in Heartbleed can be understood as the fact that handling of the private key and handling of all other communication took place in the same memory space.

If it does not exist, why not build it yourself... so I did. The result is Neverbleed.

Neverbleed uses Engine, OpenSSL's extension interface, to move all processing that uses the RSA private key into a dedicated process. The dedicated process is started when OpenSSL is initialized, and because loading the private key and every operation involving it are performed in that dedicated process, the private key cannot leak even if the server process using OpenSSL has a vulnerability.

Because it goes through OpenSSL's extension interface, no changes to OpenSSL are required, and only a very small change to the server program is needed. The overhead of communicating with the dedicated process is negligible compared with the RSA private key operation itself, so that overhead is not a problem.
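The architecture described above, as an added example that is not Neverbleed's own code: a forked helper process derives the RSA private exponent and answers signing requests over a socketpair, while the server side holds only the public key and a file descriptor. The key is a constructed toy (tiny primes, no padding) so the block runs on the Python standard library alone; the real project loads a PEM key inside the helper and is reached through an OpenSSL Engine rather than a Python class.

```python
import hashlib, os, socket, struct

_P, _Q, _E = 1000000007, 998244353, 65537  # constructed toy key; real keys use 2048-bit primes

def _recv_exact(sock, length):
    buf = sock.recv(length, socket.MSG_WAITALL)  # blocks until all bytes or EOF
    if len(buf) != length:
        raise ConnectionError("peer closed the channel")
    return buf

def _digest(msg):
    # Toy encoding: 7 bytes of SHA-256, always below this key's modulus.
    return int.from_bytes(hashlib.sha256(msg).digest()[:7], "big")

def _helper_main(sock):
    """Privileged helper: derives d, publishes (n, e), signs 7-byte digests."""
    n, d = _P * _Q, pow(_E, -1, (_P - 1) * (_Q - 1))
    sock.sendall(struct.pack("!QQ", n, _E))
    while True:
        try:
            h = int.from_bytes(_recv_exact(sock, 7), "big")
        except ConnectionError:
            return  # server exited; d dies with this process
        sock.sendall(pow(h, d, n).to_bytes(8, "big"))

class RemoteRsaKey:
    """Server-side handle: holds only (n, e) and a socket to the helper."""
    def __init__(self):
        parent, child = socket.socketpair()
        self.pid = os.fork()
        if self.pid == 0:  # helper process: the only place d ever exists
            parent.close()
            try:
                _helper_main(child)
            finally:
                os._exit(0)
        child.close()
        self.sock = parent
        self.n, self.e = struct.unpack("!QQ", _recv_exact(parent, 16))

    def sign(self, msg):
        self.sock.sendall(_digest(msg).to_bytes(7, "big"))
        return int.from_bytes(_recv_exact(self.sock, 8), "big")

    def verify(self, msg, sig):
        return pow(sig, self.e, self.n) == _digest(msg)

    def close(self):
        self.sock.close()  # EOF makes the helper return and exit
        os.waitpid(self.pid, 0)
```

A memory disclosure in the server process can at most expose the digests it sent and the signatures it received, never the private exponent, which is the property the post describes.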

Since it is working well in that form, Neverbleed is scheduled to be incorporated into H2O version 1.5, due for release this month.

Reference: http://www.citi.umich.edu/u/provos/ssh/privsep.html
