*the Everest VERified End-to-end Secure Transport. Verified Secure Implementations for the HTTPS Ecosystem mitls & Everest*

Transcription

1 *the Everest VERified End-to-end Secure Transport Verified Secure Implementations for the HTTPS Ecosystem mitls & Everest*

2 Edge Clients Services & Applications curl WebKit Skype IIS Apache HTTPS Ecosystem Servers Nginx

3 Edge Services & Applications curl WebKit Skype IIS Apache Clients HTTPS Servers Nginx Certification Authority X.509 ASN.1 TLS *** RSA SHA ECDH 4Q Crypto Algorithms Network buffers Untrusted network (TCP, UDP, ) 4

4 Buffer overflows Incorrect state machines Lax certificate parsing Weak or poorly implemented crypto Side channels Informal security goals Dangerous APIs Flawed standards OpenSSL, SChannel, NSS, Still patched every month! Edge Certification Authority Services & Applications curl WebKit Skype IIS Apache Clients X.509 HTTPS ASN.1 *** RSA SHA ECDH 4Q Crypto Algorithms TLS Network buffers Servers Untrusted network (TCP, UDP, ) 5 Nginx

5 authentication infrastructure connect(server,port); send GET ; data = recv(); send POST ; accept(port); request = recv(); send <html> ; order = recv(); Security Threat model Goal

6 Client Server

7 (some of them broken) Client Server

8 1. Internet Standard compliance & interoperability 2. Verified security Excluding core crypto algorithms Not fully automated (paper proofs too) 3. Experimental platform Not production code (poor performance)

9 mitls v0.9 released in Nov 15 using F* (in progress) with early support for TLS 1.3 using F# & F7 (stable) including testing tools

10 Application security (API, configuration) Cryptographic schemes & assumptions Protocol design Implementation safety Information control (leakage, privacy) Verification tools (F#, F7, F*, Z3, Lean) (1) data streams (2) main theorem (3) state-machine attacks

11 // F* definition of Application Data abstract type data (i:id) = bytes let ghost #(i:id) (d:data i): GTot bytes = d type fragment (i:id) (rg:range) = d:data i {within (ghost d) rg} val repr: i:id{ safe i} rg:range d:fragment i rg Tot (b:bytes {b = ghost d}) val make: i:id{ safe i} rg:range b:bytes{within b rg} Tot (d:fragment i rg {b = ghost d})

12 reader TLS.read TLS.write Stream (i:id) state shared between a reader and a writer data data data warning data data close Connection i:id connection info writer Data i #0 Data i #1 Data i #2 Warning i Data i #3 Error i duplex streams when safe i reader Peer Connection Data i #3 Data i #1 Data i #0 i:id connection info (how we got here) writer

13 Bytes, Network lib.fs Cryptographic Provider cryptographic assumptions application data stream concrete TLS & ideal TLS are computationally indistinguishable mitls implementation mitls typed API mitls ideal implementation mitls typed API any program representing the adversary application Safe, except for a negligible probability Safe by typing (info-theoretically)

14 Bytes, Network lib.fs Cryptographic Provider cryptographic assumptions application data stream 7,000 lines of F# verified against 3,000 lines of F7 type annotations mitls implementation mitls typed API mitls ideal implementation mitls typed API The security statement is precise but complex, roughly the size of the TLS API and cryptographic assumptions any program representing the adversary application

15 mitls clean, modular implementation supports rapid prototyping against others One line of F# script for each TLS message, with good cryptographic defaults Simple setup for man-in-the-middle attacks and concurrent connections Built-in library of recent vulnerabilities Fuzzing on the TLS state machine Focus on ease of use (but still for experts)

16 flaw in the standard now patched in TLS

17 new attacks against all mainstream implementations deviant traces Test results for OpenSSL: each colored arrow is a bug

18 new attacks against all mainstream implementations An attack against TLS Java Library (open for 10 years) deviant traces Many many exploitable bugs

19 Man-in-the-middle attack against: servers that support RSA_EXPORT (512bit keys obsoleted in 2000) from 40% to 8.5% clients that accept ServerKeyExchange in RSA (state machine bug) almost all browsers have been patched Factoring in 7-10h

20

21

22 We found & fixed flaws in legacy implementations of TLS probably many others still in there. Can we be more constructive?

23 Much discussions IETF, Google, Mozilla, Microsoft, CDNs, cryptographers, network engineers, Much improvements Modern design Fewer roundtrips Stronger security New implementations required for all Be first & verified too! Find & fix flaws before it s too late

24 IETF TLS WG95 (April 16) 13 th draft discussed Finalized in 6 months?

25 verest ( ): erified Drop-In eplacements or the HTTPS cosystem HTTPS X.509 ASN.1 TLS *** RSA SHA ECDH 4Q Crypto Algorithms Network buffers

26 Edge Services & Applications curl WebKit Skype IIS Apache Clients HTTPS Servers Nginx Certification Authority X.509 ASN.1 TLS *** RSA SHA ECDH 4Q Crypto Algorithms Network buffers Untrusted network (TCP, UDP, ) 27

27 Michael Roberts Manos Kapritsos Jay Lorch Antoine Delignat-Lavaud Aseem Rastogi Barry Bond Srinath Setty Chris Hawblitzel Bryan Parno Nik Swamy Catalin Hritcu Cambridge Redmond Bangalore Markulf Kohlweiss Jean Karim Zinzindohoue Nadim Kobeissi Santiago Zanella-Beguelin Cédric Fournet Karthik Bhargavan Jonathan Protzenko Rustan Leino Samin Ishtiaq Nick Benton Leonardo de Moura Paris

28 Demo: tracing Trust is transitive Trust is implicit Trust is a matter of state HTTPS X.509 ASN.1 *** RSA SHA ECDH 4Q Crypto Algorithms TLS Network buffers

29 HTTPS X.509 ASN.1 TLS *** RSA SHA ECDH 4Q Crypto Algorithms Network buffers

30 HTTPS X.509 ASN.1 TLS *** RSA SHA ECDH 4Q Crypto Algorithms Network buffers

31 *the Everest VERified End-to-end Secure Transport Verified Secure Implementations for the HTTPS Ecosystem mitls & Everest*