Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations.

IF 2.9 | Zone 4, Computer Science | Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS
IEEE Security & Privacy Pub Date : 2014-01-01
Chad Brubaker, Suman Jana, Baishakhi Ray, Sarfraz Khurshid, Vitaly Shmatikov
Journal article. IEEE Security & Privacy, vol. 2014, pp. 114-129. Open-access PDF (PubMed Central): https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4232952/pdf/nihms612855.pdf
Citations: 0

Abstract

Modern network security rests on the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. Distributed systems, mobile and desktop applications, embedded devices, and all of the secure Web rely on SSL/TLS for protection against network attacks. This protection critically depends on whether SSL/TLS clients correctly validate X.509 certificates presented by servers during the SSL/TLS handshake protocol. We design, implement, and apply the first methodology for large-scale testing of certificate validation logic in SSL/TLS implementations. Our first ingredient is "frankencerts," synthetic certificates that are randomly mutated from parts of real certificates and thus include unusual combinations of extensions and constraints. Our second ingredient is differential testing: if one SSL/TLS implementation accepts a certificate while another rejects the same certificate, we use the discrepancy as an oracle for finding flaws in individual implementations. Differential testing with frankencerts uncovered 208 discrepancies between popular SSL/TLS implementations such as OpenSSL, NSS, CyaSSL, GnuTLS, PolarSSL, MatrixSSL, etc. Many of them are caused by serious security vulnerabilities. For example, any server with a valid X.509 version 1 certificate can act as a rogue certificate authority and issue fake certificates for any domain, enabling man-in-the-middle attacks against MatrixSSL and GnuTLS. Several implementations also accept certificate authorities created by unauthorized issuers, as well as certificates not intended for server authentication. We also found serious vulnerabilities in how users are warned about certificate validation errors. When presented with an expired, self-signed certificate, NSS, Safari, and Chrome (on Linux) report that the certificate has expired (a low-risk, often ignored error) but not that the connection is insecure against a man-in-the-middle attack.
These results demonstrate that automated adversarial testing with frankencerts is a powerful methodology for discovering security flaws in SSL/TLS implementations.
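The two ingredients the abstract describes, recombining parts of real certificates and using disagreement between validators as the oracle, reduced to a runnable model. This is an added example, not the paper's tool and not code from any SSL/TLS library. Certificates are plain dicts holding only the fields path validation looks at; the three validators are hand-written policy models (one following the RFC 5280 rules, two reproducing the bug classes the abstract names: a version 1 issuer accepted as a CA, and extended key usage never checked); the sample certificates and the trust anchor are constructed here. Nothing parses real DER, so the point is the harness, not the parsers.

```python
import random

# Constructed sample certificates (not real). Each dict holds only the fields
# that matter for path validation. X.509 v1 certificates cannot carry
# extensions, so a v1 cert always has an empty `extensions` map.
ROOT = {"subject": "Root CA", "issuer": "Root CA", "version": 3, "not_after": 2030,
        "extensions": {"basicConstraints": {"ca": True}, "keyUsage": {"keyCertSign"}}}
V1_SERVER = {"subject": "v1.example", "issuer": "Root CA", "version": 1,
             "not_after": 2030, "extensions": {}}
LEAF = {"subject": "www.example", "issuer": "v1.example", "version": 3, "not_after": 2030,
        "extensions": {"extendedKeyUsage": {"serverAuth"}}}
TRUST_ANCHORS = {"Root CA"}   # assumed trust store for the example
NOW = 2025                    # assumed "current year" for expiry checks


def _linked(chain, now):
    """Checks every model shares: chain[0] is the leaf, chain[-1] must be a
    trust anchor, each issuer name matches the next subject, nothing expired."""
    if chain[-1]["subject"] not in TRUST_ANCHORS:
        return False
    for cert, issuer in zip(chain, chain[1:]):
        if cert["issuer"] != issuer["subject"]:
            return False
    return all(c["not_after"] >= now for c in chain)


def _leaf_allows_server_auth(leaf):
    eku = leaf["extensions"].get("extendedKeyUsage")
    return eku is None or "serverAuth" in eku


def validator_strict(chain, now=NOW):
    """Model of a correct validator: every intermediate must be a v3 cert with
    basicConstraints cA=TRUE and keyCertSign, and the leaf EKU must allow
    serverAuth. A v1 intermediate is rejected because it can never say it is a CA."""
    if not _linked(chain, now):
        return False
    for issuer in chain[1:-1]:
        bc = issuer["extensions"].get("basicConstraints")
        if issuer["version"] != 3 or not bc or not bc.get("ca"):
            return False
        if "keyCertSign" not in issuer["extensions"].get("keyUsage", set()):
            return False
    return _leaf_allows_server_auth(chain[0])


def validator_v1_as_ca(chain, now=NOW):
    """Buggy model: treats a missing basicConstraints as 'no restriction'
    instead of 'not a CA'. Since v1 certs have no extensions at all, any
    v1 server certificate becomes an acceptable issuer."""
    if not _linked(chain, now):
        return False
    for issuer in chain[1:-1]:
        bc = issuer["extensions"].get("basicConstraints")
        if bc is not None and not bc.get("ca"):
            return False          # only an explicit cA=FALSE is rejected
    return _leaf_allows_server_auth(chain[0])


def validator_no_eku(chain, now=NOW):
    """Buggy model: CA checks are right, but extendedKeyUsage is never read,
    so a certificate not intended for server authentication is accepted."""
    if not _linked(chain, now):
        return False
    for issuer in chain[1:-1]:
        bc = issuer["extensions"].get("basicConstraints")
        if issuer["version"] != 3 or not bc or not bc.get("ca"):
            return False
    return True


VALIDATORS = {"strict": validator_strict, "v1_as_ca": validator_v1_as_ca,
              "no_eku": validator_no_eku}


def differential_test(chain):
    """Run every validator on one chain. Mixed verdicts are the oracle."""
    return {name: fn(chain) for name, fn in VALIDATORS.items()}


def frankencert(pool, rng):
    """Frankencert-style mutation: start from one pool cert, then draw each
    extension from a random donor so unusual combinations appear."""
    cert = dict(rng.choice(pool))
    cert["extensions"] = {}
    for ext in ("basicConstraints", "keyUsage", "extendedKeyUsage"):
        donor = rng.choice(pool)
        if ext in donor["extensions"]:
            cert["extensions"][ext] = donor["extensions"][ext]
    cert["version"] = rng.choice([1, 3])
    if cert["version"] == 1:
        cert["extensions"] = {}   # keep the mutant well-formed: v1 has no extensions
    return cert


def find_discrepancies(pool, trials=200, seed=1):
    """Build leaf -> mutant intermediate -> ROOT chains and keep the ones on
    which the validators disagree."""
    rng = random.Random(seed)
    found = []
    for _ in range(trials):
        inter = frankencert(pool, rng)
        inter.update(subject="mutant", issuer="Root CA")
        leaf = frankencert(pool, rng)
        leaf.update(subject="www.example", issuer="mutant")
        chain = [leaf, inter, ROOT]
        verdicts = differential_test(chain)
        if len(set(verdicts.values())) > 1:
            found.append((chain, verdicts))
    return found


if __name__ == "__main__":
    print(differential_test([LEAF, V1_SERVER, ROOT]))
    for chain, verdicts in find_discrepancies([ROOT, V1_SERVER, LEAF])[:3]:
        print(chain[1]["version"], chain[1]["extensions"], chain[0]["extensions"], verdicts)
```

The hand-built chain with the v1 server certificate in the issuer position is exactly the rogue-CA case from the abstract: the strict model rejects it, the "missing basicConstraints means unrestricted" model accepts it, and the discrepancy, not any knowledge of the bug, is what flags it. Against real implementations the validators would be replaced by calls into OpenSSL, NSS, GnuTLS and the rest, and the certificates by DER produced from real parsed certificates; the harness shape stays the same.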


Source journal
IEEE Security & Privacy
IEEE Security & Privacy: Engineering & Technology, Computer Science: Software Engineering
CiteScore: 4.30
Self-citation rate: 5.30%
Articles published: 159
Review time: 6-12 weeks
Journal description: IEEE Security & Privacy's primary objective is to stimulate and track advances in security, privacy, and dependability and present these advances in a form that can be useful to a broad cross-section of the professional community, ranging from academic researchers to industry practitioners. It provides articles with both a practical and research bent by the top thinkers in the field of security and privacy, along with case studies, surveys, tutorials, columns, and in-depth interviews and podcasts for the information security industry. Through special issues, the magazine explores other timely aspects of privacy in areas such as usable security, the Internet of Things, cloud computing, cryptography, and big data. Other popular topics include software, hardware, network, and systems security, privacy-enhancing technologies, data analytics for security and privacy, wireless/mobile and embedded security, security foundations, security economics, privacy policies, integrated design methods, sociotechnical aspects, and critical infrastructure. In addition, the magazine accepts peer-reviewed articles of wide interest under a general call, and also features regular columns on hot topics and interviews with luminaries in the field.