Protocol State Fuzzing of TLS Implementations

We describe a largely automated and systematic analysis of TLS implementations using what we call 'protocol state fuzzing': we apply state machine learning to infer state machines from protocol implementations, using only black-box testing, and then inspect the inferred state machines for spurious behaviour that may indicate flaws in the program logic. Detecting the presence of spurious behaviour is almost fully automatic: the state machines are obtained automatically, and any spurious behaviour is then easy to spot by inspection. Determining whether the spurious behaviour introduces an exploitable security weakness does require manual investigation. Still, we take the position that any spurious functionality in a security protocol implementation is dangerous and should be removed. We analysed both server- and client-side implementations with a test harness that supports several key exchange algorithms and the option of client certificate authentication. We show that this approach can catch an interesting class of implementation flaws that is apparently common in security protocol implementations: in three of the TLS implementations analysed, new security flaws were found (in GnuTLS, the Java Secure Socket Extension, and OpenSSL). This shows that protocol state fuzzing is a useful technique for systematically analysing security protocol implementations. Since every implementation we analysed yielded a distinct state machine, the technique can also be used to fingerprint TLS implementations.
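The following is an added example, not code from the paper or its test harness, showing the two halves of the approach above in miniature: an Angluin-style L* learner for Mealy machines infers a state machine from a system that is only observed through reset-and-query, and the inferred model is then checked for spurious paths and compared against a second model to obtain a distinguishing (fingerprinting) sequence. The system under learning is a constructed, five-message simulation of a TLS server (ClientHello, ClientKeyExchange, ChangeCipherSpec, Finished, ApplicationData), and the optional "accept ChangeCipherSpec before ClientKeyExchange" flaw is invented for the example; it is not a description of a flaw in any named implementation. A bounded exhaustive check over short input sequences stands in for the conformance-testing equivalence oracle a real harness would use.

```python
"""L*-style learning of a Mealy machine for a constructed TLS-like server."""
from itertools import product

# Abstract input alphabet standing in for the test harness messages (assumption):
# ClientHello, ClientKeyExchange, ChangeCipherSpec, Finished, ApplicationData.
ALPHABET = ("CH", "CKE", "CCS", "FIN", "APP")


class MealySUL:
    """Simulated system under learning: table[state][input] = (output, next_state)."""

    def __init__(self, table, start=0):
        self.table, self.start = table, start

    def query(self, word):
        """Output query: reset, feed each input, return the sequence of outputs."""
        state, outs = self.start, []
        for sym in word:
            out, state = self.table[state][sym]
            outs.append(out)
        return tuple(outs)


def make_server(skip_cke_flaw=False):
    """Constructed server model. States: 0 initial, 1 hello sent, 2 key exchanged,
    3 CCS received, 4 handshake finished, 5 connection closed."""
    t = {s: {a: ("ALERT", 5) for a in ALPHABET} for s in range(6)}
    t[0]["CH"] = ("SH|CERT|SHD", 1)
    t[1]["CKE"] = ("EMPTY", 2)
    t[2]["CCS"] = ("EMPTY", 3)
    t[3]["FIN"] = ("CCS|FIN", 4)
    t[4]["APP"] = ("APP", 4)
    for a in ALPHABET:
        t[5][a] = ("CLOSED", 5)
    if skip_cke_flaw:
        t[1]["CCS"] = ("EMPTY", 3)  # constructed flaw: CCS accepted without a key exchange
    return MealySUL(t)


class LStarMealy:
    """Observation-table learner: S = access sequences, E = distinguishing suffixes."""

    def __init__(self, sul, alphabet):
        self.sul, self.A = sul, alphabet
        self.S, self.E, self.cache = [()], [(a,) for a in alphabet], {}

    def out(self, word):
        """Last output after running a non-empty `word` (queries are cached)."""
        if word not in self.cache:
            self.cache[word] = self.sul.query(word)
        return self.cache[word][-1]

    def row(self, s):
        return tuple(self.out(s + e) for e in self.E)

    def _close(self):
        """Add s.a to S when its row is unknown; True if the table changed."""
        rows = {self.row(s) for s in self.S}
        for s in list(self.S):
            for a in self.A:
                if self.row(s + (a,)) not in rows:
                    self.S.append(s + (a,))
                    return True
        return False

    def _make_consistent(self):
        """Add a suffix a.e that separates two equal rows; True if the table changed."""
        for i, s1 in enumerate(self.S):
            for s2 in self.S[i + 1:]:
                if self.row(s1) != self.row(s2):
                    continue
                for a in self.A:
                    for e in self.E:
                        if self.out(s1 + (a,) + e) != self.out(s2 + (a,) + e):
                            self.E.append((a,) + e)
                            return True
        return False

    def hypothesis(self):
        """Build a Mealy machine whose states are the distinct rows of the table."""
        reps = {}
        for s in self.S:
            reps.setdefault(self.row(s), len(reps))
        table = {}
        for s in self.S:
            st = reps[self.row(s)]
            if st not in table:
                table[st] = {a: (self.out(s + (a,)), reps[self.row(s + (a,))]) for a in self.A}
        return MealySUL(table, reps[self.row(())])


def find_counterexample(m1, m2, alphabet, max_len=6):
    """Bounded exhaustive equivalence check; shortest differing input word or None."""
    for n in range(1, max_len + 1):
        for word in product(alphabet, repeat=n):
            if m1.query(word) != m2.query(word):
                return word
    return None


def learn(sul, alphabet, max_len=6):
    learner = LStarMealy(sul, alphabet)
    while True:
        while learner._close() or learner._make_consistent():
            pass
        hyp = learner.hypothesis()
        cex = find_counterexample(sul, hyp, alphabet, max_len)
        if cex is None:
            return hyp
        for i in range(1, len(cex) + 1):  # classic L*: add every prefix of the counterexample
            if cex[:i] not in learner.S:
                learner.S.append(cex[:i])


def spurious_app_paths(model, max_len=5):
    """Spurious-behaviour check: input words that get application data accepted
    although no ClientKeyExchange was ever sent."""
    return [w for n in range(1, max_len + 1) for w in product(ALPHABET, repeat=n)
            if model.query(w)[-1] == "APP" and "CKE" not in w]


def distinguishing_sequence(m1, m2):
    """Shortest input word on which two learned models differ (fingerprinting)."""
    return find_counterexample(m1, m2, ALPHABET)


if __name__ == "__main__":
    for name, flaw in (("reference", False), ("flawed", True)):
        model = learn(make_server(flaw), ALPHABET)
        print(name, "states:", len(model.table), "spurious:", spurious_app_paths(model))
```

The inspection step here is deliberately narrow (a handshake completing with no key exchange); in the paper's setting the learned models are inspected by hand for any transition that the specification does not allow, of which this is just one kind. The distinguishing sequence between two learned models is what makes fingerprinting possible: two implementations that answer the same message sequence differently are separable by that sequence alone.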
