Systematic Fuzzing and Testing of TLS Libraries Juraj Somorovsky

Similar documents
Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks

Practical Attacks on Implementations

Coming of Age: A Longitudinal Study of TLS Deployment

CSCE 715: Network Systems Security

Internet security and privacy

Findings for

DROWN - Breaking TLS using SSLv2

IPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43

TLS1.2 IS DEAD BE READY FOR TLS1.3

ON THE SECURITY OF TLS RENEGOTIATION

SSL/TLS. Pehr Söderman Natsak08/DD2495

Plaintext-Recovery Attacks Against Datagram TLS

MTAT Applied Cryptography

32c3. December 28, Nick goto fail;

MTAT Applied Cryptography

Chapter 4: Securing TCP connections

Universität Hamburg. SSL & Company. Fachbereich Informatik SVS Sicherheit in Verteilten Systemen. Security in TCP/IP. UH, FB Inf, SVS, 18-Okt-04 2

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Authenticated Encryption in TLS

CS 161 Computer Security

CS 393 Network Security. Nasir Memon Polytechnic University Module 12 SSL

Transport Layer Security

Return Of Bleichenbacher s Oracle Threat (ROBOT)

CIS 5373 Systems Security

Securely Deploying TLS 1.3. September 2017

Security Protocols and Infrastructures

CS 356 Internet Security Protocols. Fall 2013

Overview of TLS v1.3 What s new, what s removed and what s changed?

SharkFest 17 Europe. SSL/TLS Decryption. uncovering secrets. Wednesday November 8th, Peter Wu Wireshark Core Developer

Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

TLS Security and Future

Security analysis of DTLS 1.2 implementations

One Year of SSL Internet Measurement ACSAC 2012

SSL/TLS: Still Alive? Pascal Junod // HEIG-VD

TLS 1.1 Security fixes and TLS extensions RFC4346

Security Protocols and Infrastructures. Winter Term 2010/2011

Secure Internet Communication

Overview. SSL Cryptography Overview CHAPTER 1

Transport Layer Security

Misuse Patterns for the SSL/TLS Protocol. Ali Alkazimi. A Dissertation Submitted to the Faculty of. College of Engineering & Computer Science

Defeating All Man-in-the-Middle Attacks

Transport Layer Security

On the (in-)security of JavaScript Object Signing and Encryption. Dennis Detering

Security Protocols and Infrastructures. Winter Term 2015/2016

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

Summary on Crypto Primitives and Protocols

History. TLS 1.3 Draft 26 Supported in TMOS v14.0.0

Attacks on SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dez. 6th, 2016

DROWN: Breaking TLS using SSLv2

Cryptography (Overview)

Securing IoT applications with Mbed TLS Hannes Tschofenig Arm Limited

State of TLS usage current and future. Dave Thompson

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

DROWN: Breaking TLS using SSLv2

Overview of TLS v1.3. What s new, what s removed and what s changed?

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

E-commerce security: SSL/TLS, SET and others. 4.1

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

A messy state of the union:

Protecting TLS from Legacy Crypto

TLS 1.2 Protocol Execution Transcript

TLS Security Where Do We Stand? Kenny Paterson

Verifying Real-World Security Protocols from finding attacks to proving security theorems

Version: $Revision: 1142 $

SSL/TLS Security Assessment of e-vo.ru

Secure Socket Layer. Security Threat Classifications

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Transport Level Security

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS. Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic

Security Protocols. Professor Patrick McDaniel CSE545 - Advanced Network Security Spring CSE545 - Advanced Network Security - Professor McDaniel

Lecture for February 10, 2016

concerto: A Methodology Towards Reproducible Analyses of TLS Datasets

SSL/TLS Server Test of

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

Chapter 7. WEB Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

Outline. Transport Layer Security (TLS) 1.0. T Cryptosystems. Transport Layer Security (TLS) 1.0 basics

Was ist neu bei TLS 1.3?

: Practical Cryptographic Systems March 25, Midterm

SSL/TLS FOR MORTALS.

There are numerous Python packages for cryptography. The most widespread is maybe pycrypto, which is however unmaintained since 2015, and has

Auth. Key Exchange. Dan Boneh

Cryptography Lecture 9 Key distribution and trust, Elliptic curve cryptography

Securing IoT applications with Mbed TLS Hannes Tschofenig

TRANSPORT-LEVEL SECURITY

Institutionen för datavetenskap Department of Computer and Information Science

Chapter 8 Web Security

Introduction to cryptology (GBIN8U16) Introduction

Chapter 12 Security Protocols of the Transport Layer

Information Security CS 526

SSL Report: ( )

Outline. Transport Layer Security (TLS) 1.0. T Cryptosystems. Transport Layer Security (TLS) 1.0 basics

The Road to TLS 1.3. Eric Rescorla Mozilla The Road to TLS 1.3 1

Chapter 5. Transport Level Security

TLS. RFC2246: The TLS Protocol. (c) A. Mariën -

SSL/TLS CONT Lecture 9a

Your Apps and Evolving Network Security Standards

SSL/TLS Server Test of grupoconsultorefe.com

Randomness Extractors. Secure Communication in Practice. Lecture 17

Outline. 0 Topic 4.1: Securing Real-Time Communications 0 Topic 4.2: Transport Layer Security 0 Topic 4.3: IPsec and IKE

Workshop Challenges Startup code in PyCharm Projects

Transcription:

Systematic Fuzzing and Testing of TLS Libraries Juraj Somorovsky 1 1

Transport Layer Security The most important crypto protocol HTTP, SMTP, IMAP 2 2

Secure Sockets Layer (SSL), SSLv2 SSLv3 Trasnsport Layer Security TLS History 1995 2000 Wagner, Schneier: Analysis of SSLv3 Bleichenbacher s attack Padding oracle attack 2005 TLS 1.1 TLS 1.2 2010 BEAST, CRIME, BREACH, Lucky 13 TLS 1.3 2015 3 3

Questions How can we test these attacks? Can we find such attacks automatically? 5 5

Approach [SP2-17] 1. Collect TLS libraries 2. 3. Profit 6 6

Approach [SP2-17] 1. Collect TLS libraries 2. 3. Profit 7 7

Contributions Flexible TLS framework Fuzzing, testing, writing attacks High impact vulnerability in OpenSSL Additional vulnerabilities in Botan, MatrixSSL https://github.com/rub-nds/tls-attacker 8 8

Overview 1. TLS Protocol 2. Attacks 3. Framework Prerequisites 4. TLS-Attacker Design 5. Fuzzing 6. Results 7. Conclusions 9 9

TLS RSA Handshake ClientHello ServerHello Certificate ClientKeyExchange ChangeCipherSpec (Client-) Finished ServerHelloDone ChangeCipherSpec (Server-) Finished Application Application 10 10

TLS is complex Different versions Crypto primitives: RSA, EC, AES, 3DES, RC4, Chacha, Poly1305, New Hope Extensions Protocol flows 11 11

TLS is complex ClientHello Certificate ClientKeyExchange CertificateVerify ChangeCipherSpec (Client-) Finished ServerHello Certificate ServerKeyExchange ServerHelloDone ChangeCipherSpec (Server-) Finished Application Heartbeat Application Heartbeat 12 12

Overview 1. TLS Protocol 2. Attacks 3. Framework Prerequisites 4. TLS-Attacker Design 5. Fuzzing 6. Results 7. Conclusions 13

Secure Sockets Layer (SSL), SSLv2 SSLv3 TLS History 1995 Wagner, Schneier: Analysis of SSLv3 Bleichenbacher s attack Trasnsport Layer Security 2000 Padding oracle attack TLS 1.1 TLS 1.2 2005 2010 BEAST, CRIME, BREACH, Lucky 13 TLS 1.3 2015 14 14

Early CCS ClientHello ServerHello Certificate ServerHelloDone ClientKeyExchange ChangeCipherSpec (Client-) Finished ChangeCipherSpec (Server-) Finished Server computes the master key based on a zero value 15 15

Early CCS Man-in-the-Middle attacks Further state machine attacks in 2015: Beurdouche et al.: FREAK de Ruiter and Poll 16 16

Heartbleed [TLS Handshake] Server Heartbeat 00 07 DeepSec Heartbeat 00 07 DeepSec 17 17

Heartbleed [TLS Handshake] Server Heartbeat 10 00 DeepSec Heartbeat 18 10 00 DeepSec. [rsa key]. 18

Padding oracle attacks Adaptive chosen-ciphertext attacks Ciphertext C = Enc(M) C 1 valid/invalid C 2 valid/invalid M = Dec(C) (repeated several times) AES-CBC: Vaudenay s attack RSA-PKCS#1: Bleichenbacher s attack 20 20

Overview 1. TLS Protocol 2. Attacks 3. Framework Prerequisites 4. TLS-Attacker Design 5. Fuzzing 6. Results 7. Conclusions 21

Recent Attacks on TLS Not only crypto attacks Attacks on TLS state machines FREAK Early CCS Buffer overflows / overreads Heartbleed CVE-2016-6307 (High) -> CVE-2016-6309 (Critical) Tool for flexible protocol executions needed 22 22

Framework Prerequisites Flexible protocol flow definition Message modifications Invalid behavior detection Protocol flow reproduction ClientHello ClientKeyExchange ClientKeyExchange ChangeCipherSpec (Client-) Finished ServerHello Certificate ServerHelloDone ChangeCipherSpec (Server-) Finished Application Application 23

Overview 1. TLS Protocol 2. Attacks 3. Framework Prerequisites 4. TLS-Attacker Design 5. Fuzzing 6. Results 7. Conclusions 24

High-Level Overview 25 25

Modifiable variables Define basic data types (integer, byte, arrays) with modifications Example: ModifiableInteger i = new ModifiableInteger(); i.setvalue( 30 ); i.setmodification(new AddModification( 20 )); System.out.println(i.getValue()); // 50 Further modifications: xor, shuffle, delete, 26 26

Protocol messages ClientHello ClientHelloMessage ciphersuites: ModifiableByteArray ciphersuitelength: ModifiableInteger getciphersuites() getciphersuitelength() Stored in a message list Serializable in XML 27 27

Defining a protocol flow <protocolmessages> <ClientHello> <supportedciphersuites> <CipherSuite>TLS_RSA_WITH_AES_128_CBC_SHA</CipherSuite> </supportedciphersuites> </ClientHello> <ServerHello/> <Certificate/> <ServerHelloDone/> <RSAClientKeyExchange/> <RSAClientKeyExchange/> <ChangeCipherSpec/> <Finished/> <ChangeCipherSpec/> <Finished/> <Application/> </protocolmessages> 29 29

Defining a protocol flow <protocolmessages> <ClientHello> <supportedciphersuites> <CipherSuite>TLS_RSA_WITH_AES_128_CBC_SHA</CipherSuite> </supportedciphersuites> </ClientHello> <ServerHello/> <Certificate/> <ServerHelloDone/> <RSAClientKeyExchange/> <ChangeCipherSpec/> <Finished/> <ChangeCipherSpec/> <Finished/> <Heartbeat/> </protocolmessages> <Heartbeat> <payloadlength> <integeraddmodification> 20000 </integeraddmodification> </payloadlength> </Heartbeat> 30 30

Overview 1. TLS Protocol 2. Attacks 3. Framework Prerequisites 4. TLS-Attacker Design 5. Fuzzing 6. Results 7. Conclusions 32

Vulnerability detection How do we detect invalid server behavior? 1. Different TLS alerts Useful by padding oracle attacks 2. Address Sanitizer (ASan) Detects memory errors at runtime Available in recent compilers, e.g. GCC Vulnerability found -> protocol stored in XML 33 33

Two-stage concept Currently only server evaluation 1. Crypto Padding oracles, Bleichenbacher attack, invalid curve attacks, POODLE 2. Fuzzing for boundary violations 3 phases 34 34

Fuzzing for boundary violations 1. Variable filtering Not all variables suitable 2. Fuzzing with filtered variables ClientHelloMessage ciphersuites ciphersuitelength clientrandom extensions extensionlength. Random modifications (add, delete, xor) Boundary values (-128, -1, 0, 32768, ) 3. Fuzzing with modified protocol flows 35 35

Overview 1. TLS Protocol 2. Attacks 3. Framework Prerequisites 4. TLS-Attacker Design 5. Fuzzing 6. Results 7. Conclusions 36

Results Padding oracle attack OpenSSL (CVE-2016-2107) Botan 1.11.21 (CVE-2015-7824) MatrixSSL 3.8.2 Bleichenbacher attack MatrixSSL 3.8.2 Missing length checks GnuTLS 3.4.9 OpenSSL 1.0.1 Out-of-bound reads / writes OpenSSL-1.1.0-pre1 (stack overflow) Botan 1.11.28 (Out-of-bound read) 37 37

Padding oracle attack Ciphertext C Decryption failed Valid / Invalid Server Applicable to AES-CBC Challenge: not to reveal padding validity 1. Same error message 2. Constant time padding and HMAC validation 38 38

AES-CBC in TLS MAC-Pad-Encrypt Example: Two blocks Message: Hello MAC size: 20 bytes (SHA-1) Padding size: 32 5 20 = 7 pad mac H e l l o 06 06 06 06 06 06 06 41

AES-CBC in TLS Challenge: not to reveal padding validity Always: Padding validation MAC validation Same error message and timing pad mac H e l l o 06 06 06 06 06 06 06 42 42

Constant Time Validation pad mac Decrypted data H e l l o 06 06 06 06 06 06 06 Mask data H e l l o 06 06 06 06 06 06 06 43 43

Constant Time Validation Decrypted data H e l l o 16 06 06 06 06 06 06 06 Mask data H e l l o 06 06 06 06 06 06 06 44 44

OpenSSL Vulnerability Decrypted data 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F Mask data 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 45 45

OpenSSL Vulnerability (CVE-2016-2107) Introduced by patching Lucky 13 Only when using AES-NI Leads to a different server response C RECORD OVERFLOW / BAD RECORD MAC http://web-in-security.blogspot.co.at/2016/05/curiouspadding-oracle-in-openssl-cve.html Can this be even worse? 46 46

Yes MatrixSSL 3.8.2 Timing attack -> buffer overflow 47 47

Overview 1. TLS Protocol 2. Attacks 3. Framework Prerequisites 4. TLS-Attacker Design 5. Fuzzing 6. Results 7. Conclusions 48

Conclusions and future work Maintaining a crypto library is hard New code / patches can introduce new flaws Systematic fuzzing and evaluation needed TLS-Attacker For researchers, pentesters For developers Development / fuzzing improvements needed TLS client-side tests Better fuzzing strategies 49 49

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback