A Messy State of the Union: Taming the Composite State Machines of TLS

Implementations of the Transport Layer Security (TLS) protocol must handle a variety of protocol versions and extensions, authentication modes, and key exchange methods. Confusingly, each combination may prescribe a different message sequence between the client and the server. We address the problem of designing a robust composite state machine that correctly multiplexes between these different protocol modes. We systematically test popular open-source TLS implementations for state machine bugs and discover several critical security vulnerabilities that have lain hidden in these libraries for years and have now finally been patched as a result of our disclosures. Several of these vulnerabilities, including the recently publicized FREAK flaw, enable a network attacker to break into TLS connections between authenticated clients and servers. We argue that state machine bugs stem from incorrect compositions of individually correct state machines. We present the first verified implementation of a composite TLS state machine in C that can be embedded into OpenSSL and accounts for all its supported cipher suites. Our attacks expose the need for formal verification of core components in cryptographic protocol libraries; our implementation demonstrates that such mechanized proofs are within reach, even for mainstream TLS implementations.
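The abstract's claim that state machine bugs come from composing individually correct per-mode machines can be illustrated with a small client-side machine that records the negotiated key exchange and then accepts only the message sequence that mode prescribes. The code below is an added example, not the paper's verified implementation: it covers only the server's first flight for RSA and (EC)DHE suites with a certificate, and the state and message names are this example's own. A ServerKeyExchange arriving under an RSA suite, which is legal in DHE mode and which a lenient composite machine might therefore accept, is rejected outright.

```c
#include <stdbool.h>
#include <stddef.h>

/* TLS 1.2 HandshakeType values for the server's first flight. */
typedef enum { HS_SERVER_HELLO = 2, HS_CERTIFICATE = 11, HS_SERVER_KEY_EXCHANGE = 12,
               HS_CERTIFICATE_REQUEST = 13, HS_SERVER_HELLO_DONE = 14 } hs_msg_t;
typedef enum { KEX_RSA, KEX_DHE, KEX_ECDHE } kex_t;   /* negotiated key exchange */
typedef enum { ST_START, ST_HELLO, ST_CERT, ST_SKE, ST_CREQ, ST_DONE, ST_ERROR } state_t;
typedef struct { state_t st; kex_t kex; } client_fsm_t;

/* One transition: accept msg only if it is the next message prescribed by
   the negotiated mode; any other message sends the machine to ST_ERROR. */
bool client_step(client_fsm_t *f, hs_msg_t msg)
{
    bool ske = (f->kex != KEX_RSA);   /* (EC)DHE: ServerKeyExchange mandatory; RSA: forbidden */
    state_t next = ST_ERROR;
    switch (f->st) {
    case ST_START: if (msg == HS_SERVER_HELLO) next = ST_HELLO; break;
    case ST_HELLO: if (msg == HS_CERTIFICATE) next = ST_CERT; break;
    case ST_CERT:
        if (ske && msg == HS_SERVER_KEY_EXCHANGE) next = ST_SKE;
        else if (!ske && msg == HS_CERTIFICATE_REQUEST) next = ST_CREQ;
        else if (!ske && msg == HS_SERVER_HELLO_DONE) next = ST_DONE;
        break;
    case ST_SKE:
        if (msg == HS_CERTIFICATE_REQUEST) next = ST_CREQ;
        else if (msg == HS_SERVER_HELLO_DONE) next = ST_DONE;
        break;
    case ST_CREQ: if (msg == HS_SERVER_HELLO_DONE) next = ST_DONE; break;
    default: break;                   /* ST_DONE and ST_ERROR accept nothing further */
    }
    f->st = next;
    return next != ST_ERROR;
}

/* Feed a whole server flight; true only if every message was accepted in order and it ended with ServerHelloDone. */
bool client_run(const hs_msg_t *flight, size_t n, kex_t negotiated)
{
    client_fsm_t f = { ST_START, negotiated };
    for (size_t i = 0; i < n; i++)
        if (!client_step(&f, flight[i])) return false;
    return f.st == ST_DONE;
}

/* Constructed sample flights (not captured traffic). */
static const hs_msg_t FLIGHT_RSA[] = { HS_SERVER_HELLO, HS_CERTIFICATE, HS_SERVER_HELLO_DONE };
static const hs_msg_t FLIGHT_DHE[] = { HS_SERVER_HELLO, HS_CERTIFICATE, HS_SERVER_KEY_EXCHANGE,
                                       HS_CERTIFICATE_REQUEST, HS_SERVER_HELLO_DONE };
static const hs_msg_t FLIGHT_SKE_UNDER_RSA[] = { HS_SERVER_HELLO, HS_CERTIFICATE,
                                                 HS_SERVER_KEY_EXCHANGE, HS_SERVER_HELLO_DONE };
```

The same flight that is accepted under KEX_ECDHE is refused under KEX_RSA, which is the per-mode distinction a single merged machine loses.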
