Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations
Vitaly Shmatikov | Sarfraz Khurshid | Suman Jana | Baishakhi Ray | Chad Brubaker
[1] Russ Housley,et al. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile , 2002, RFC.
[2] Daniel Bleichenbacher,et al. Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1 , 1998, CRYPTO.
[3] Michael D. Ernst. Static and dynamic analysis: synergy and duality , 2003 .
[4] Brian A. Malloy,et al. An Interpretation of Purdom's Algorithm for Automatic Generation of Test Cases , 2001 .
[5] Michael D. Ernst,et al. Automatic creation of SQL Injection and cross-site scripting attacks , 2009, 2009 IEEE 31st International Conference on Software Engineering.
[6] Len Sassaman,et al. PKI Layer Cake: New Collision Attacks against the Global X.509 Infrastructure , 2010, Financial Cryptography.
[7] Patrick Traynor,et al. An Empirical Evaluation of Security Indicators in Mobile Web Browsers , 2015, IEEE Transactions on Mobile Computing.
[8] David Leon,et al. Finding failures by cluster analysis of execution profiles , 2001, Proceedings of the 23rd International Conference on Software Engineering. ICSE 2001.
[9] Robin Sommer,et al. No attack necessary: the surprising dynamics of SSL trust relationships , 2013, ACSAC.
[10] Patrice Godefroid,et al. Automated Whitebox Fuzz Testing , 2008, NDSS.
[11] Eric Wustrow,et al. Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices , 2012, USENIX Security Symposium.
[12] Ralf Lämmel,et al. Controllable Combinatorial Coverage in Grammar-Based Testing , 2006, TestCom.
[13] Darko Marinov,et al. Automated testing of refactoring engines , 2007, ESEC-FSE '07.
[14] Bin Wang,et al. Automated support for classifying software failure reports , 2003, 25th International Conference on Software Engineering, 2003. Proceedings..
[15] Dan S. Wallach,et al. Origin-Bound Certificates: A Fresh Approach to Strong Client Authentication for the Web , 2012, USENIX Security Symposium.
[16] Julien Freudiger,et al. The Inconvenient Truth about Web Certificates , 2011, WEIS.
[17] Kenneth G. Paterson,et al. Lucky Thirteen: Breaking the TLS and DTLS Record Protocols , 2013, 2013 IEEE Symposium on Security and Privacy.
[18] Alan O. Freier,et al. Internet Engineering Task Force (IETF) The Secure Sockets Layer (SSL) Protocol Version 3.0 , 2022 .
[19] Koushik Sen,et al. CUTE: a concolic unit testing engine for C , 2005, ESEC/FSE-13.
[20] Eric Rescorla,et al. The Transport Layer Security (TLS) Protocol Version 1.1 , 2006, RFC.
[21] Arjen K. Lenstra,et al. Ron was wrong, Whit is right , 2012, IACR Cryptol. ePrint Arch..
[22] David Brumley,et al. Remote timing attacks are practical , 2003, Comput. Networks.
[23] Vitaly Shmatikov,et al. The most dangerous code in the world: validating SSL certificates in non-browser software , 2012, CCS.
[24] Emin Gün Sirer,et al. Using production grammars in software testing , 1999, DSL '99.
[25] W. M. McKeeman,et al. Differential Testing for Software , 1998, Digit. Tech. J..
[26] James C. King,et al. Symbolic execution and program testing , 1976, CACM.
[27] Adrienne Porter Felt,et al. Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness , 2013, USENIX Security Symposium.
[28] Adam Kiezun,et al. Grammar-based whitebox fuzzing , 2008, PLDI '08.
[29] Dawson R. Engler,et al. KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs , 2008, OSDI.
[30] Sarfraz Khurshid,et al. TestEra: a novel framework for automated testing of Java programs , 2001, Proceedings 16th Annual International Conference on Automated Software Engineering (ASE 2001).
[31] Bernd Freisleben,et al. Why Eve and Mallory love Android: an analysis of Android SSL (in)security , 2012, CCS.
[32] Xuejun Yang,et al. Finding and understanding bugs in C compilers , 2011, PLDI '11.
[33] John H. Holland,et al. Adaptation in Natural and Artificial Systems: An Introductory Analysis with Applications to Biology, Control, and Artificial Intelligence , 1992 .
[34] Jeffrey Overbey,et al. Systematic Testing of Refactoring Engines on Real Software Projects , 2013, ECOOP.
[35] Robin Sommer,et al. Here's my cert, so trust me, maybe?: understanding TLS errors on the web , 2013, WWW.
[36] Mary Jean Harrold,et al. Debugging in Parallel , 2007, ISSTA '07.
[37] Myra B. Cohen,et al. An orchestrated survey of methodologies for automated software test case generation , 2013, J. Syst. Softw..
[38] Patrick Traynor,et al. VulnerableMe: Measuring Systemic Weaknesses in Mobile Browser Security , 2012, ICISS.
[39] Dawson R. Engler,et al. Practical, Low-Effort Equivalence Verification of Real Code , 2011, CAV.
[40] Jeff Hodges,et al. Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS) , 2011, RFC.
[41] Vitaly Shmatikov,et al. Abusing File Processing in Malware Detectors for Fun and Profit , 2012, 2012 IEEE Symposium on Security and Privacy.
[42] Koushik Sen,et al. DART: directed automated random testing , 2005, PLDI '05.
[43] Warwick Ford,et al. Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework , 2003, RFC.
[44] Yinglian Xie,et al. Web PKI: Closing the Gap between Guidelines and Practices , 2014, NDSS.
[45] Paul Walton Purdom,et al. A sentence generator for testing parsers , 1972 .
[46] Steve Hanna,et al. A Symbolic Execution Framework for JavaScript , 2010, 2010 IEEE Symposium on Security and Privacy.
[47] Jeremy Clark,et al. 2013 IEEE Symposium on Security and Privacy SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements , 2022 .
[48] Rupak Majumdar,et al. Directed test generation using symbolic grammars , 2007, ESEC-FSE companion '07.
[49] Darko Marinov,et al. Reducing the Costs of Bounded-Exhaustive Testing , 2009, FASE.
[50] J. Alex Halderman,et al. Analysis of the HTTPS certificate ecosystem , 2013, Internet Measurement Conference.
[51] Dawson R. Engler,et al. Execution Generated Test Cases: How to Make Systems Code Crash Itself , 2005, SPIN.
[52] Arnis Parsovs. Practical Issues with TLS Client Certificate Authentication , 2014, NDSS.
[53] Marc Stevens,et al. Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate , 2009, CRYPTO.
[54] Christopher Allen,et al. The TLS Protocol Version 1.0 , 1999, RFC.
[55] Vitaly Shmatikov,et al. A security policy oracle: detecting security holes using multiple API implementations , 2011, PLDI '11.
[56] Sarfraz Khurshid,et al. Generalized Symbolic Execution for Model Checking and Testing , 2003, TACAS.
[57] Zhenkai Liang,et al. Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation , 2007, USENIX Security Symposium.
[58] Gary T. Leavens,et al. A Simple and Practical Approach to Unit Testing: The JML and JUnit Way , 2002, ECOOP.
[59] Eric Rescorla,et al. The Transport Layer Security (TLS) Protocol Version 1.2 , 2008, RFC.
[60] Peter M. Maurer,et al. Generating test data with enhanced context-free grammars , 1990, IEEE Software.
[61] Alessandro Orso,et al. Precise interface identification to improve testing and analysis of web applications , 2009, ISSTA.
[62] Edsger W. Dijkstra,et al. A Discipline of Programming , 1976 .
[63] Eric Wustrow,et al. ZMap: Fast Internet-wide Scanning and Its Security Applications , 2013, USENIX Security Symposium.
[64] Sarfraz Khurshid,et al. Korat: automated testing based on Java predicates , 2002, ISSTA '02.
[65] Nikolai Tillmann,et al. Automating Software Testing Using Program Analysis , 2008, IEEE Software.