SLIDE 1

SECFUZZ: Fuzz-testing Security Protocols

Petar Tsankov, Mohammad Torabi Dashti, David Basin ETH Zurich

SLIDE 2

Institute of Information Security / ETH Zurich, 19.09.2015

Motivation

Diagram (recovered labels):

  • Input universe
      • Well-formed inputs
      • Invalid inputs
  • Security protocol implementation (consumes the inputs)
  • Behaviors
      • Abnormal behaviors: may expose vulnerabilities

SLIDE 3

Fuzz-testing Security Protocols

Step 1: Collect well-formed inputs
  • Internet
  • Source code (white-box)
  • Model (model-based)

Step 2: Mutate the inputs
  • Fuzz operators

Step 3: Execute the inputs and check for failures
  • E.g. memory errors, broken invariants

SLIDE 4

Challenges

Example protocol (message sequence chart, recovered labels):

  Initiator                                      Responder
    Fresh KEA, NA
               ---- KEA, NA -------------------->
                                                 Fresh KEB, NB
               <--- KEB, NB ---------------------
    Compute key K = Hash(KEA, KEB, Secret)
               ---- Enc(K, Auth) --------------->
               ...

Challenges:
  • Encrypted messages
  • Security protocols are stateful
  • Messages are non-replayable

SLIDE 5

SecFuzz: Setting

Diagram (recovered labels): the Fuzzer sits between the Initiator and the Responder of the System Under Test; the System Under Test runs under dynamic analysis and writes a Log file, which the Fuzzer reads.

Key advantages:
  • Light-weight and modular approach
  • Fresh messages
  • Fuzzer can decrypt messages

SLIDE 6

Input Mutation

A fuzz operator:

  • Mutates a well-formed input.
  • The mutated input is likely to expose vulnerabilities.

The fuzz operators should produce mutated inputs that expose common programming mistakes.

SLIDE 7

Input Structure

An input consists of:

  • a sequence of messages
  • a message consists of fields

SLIDE 8

Fuzz operators

  • Message fuzz operators
      • Insert random (well-formed) message
  • Field fuzz operators
      • Insert random field
      • Remove field
      • Duplicate field
      • Modify field
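
The setting of slide 5 (a fuzzer between initiator and responder that decrypts messages using keys from the SUT's log) and the operators on this slide, put together as an added example. This is constructed illustration code, not SecFuzz's own implementation: the field encoding, the log format ("KEA=<hex> KEB=<hex> SECRET=<hex>"), the XOR keystream "cipher" standing in for Enc(K, ·), and SHA-256 over the concatenation as the Hash in K = Hash(KEA, KEB, Secret) are all assumptions made here.

```python
"""Toy SecFuzz-style fuzzer: decrypt a message with keys taken from the SUT's log,
apply a fuzz operator to its fields, and re-encrypt it for forwarding.
Constructed example: the field encoding, the log format and the XOR "cipher" are
stand-ins for illustration, not SecFuzz's or IKE's real formats."""
import copy
import hashlib
import random


def derive_key(kea: bytes, keb: bytes, secret: bytes) -> bytes:
    # Models the slide's K = Hash(KEA, KEB, Secret); SHA-256 over the concatenation is an assumption.
    return hashlib.sha256(kea + keb + secret).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy keystream cipher standing in for Enc(K, .); symmetric, so it also decrypts.
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


# A message is an ordered list of (name, value) fields; an input is a list of messages.
def encode(fields):
    out = bytearray()
    for name, value in fields:
        n = name.encode()
        out += bytes([len(n)]) + n + len(value).to_bytes(2, "big") + value
    return bytes(out)


def decode(data):
    fields, i = [], 0
    while i < len(data):
        nlen = data[i]
        name = data[i + 1:i + 1 + nlen].decode()
        i += 1 + nlen
        vlen = int.from_bytes(data[i:i + 2], "big")
        fields.append((name, data[i + 2:i + 2 + vlen]))
        i += 2 + vlen
    return fields


# Field fuzz operators: each takes a well-formed field list and returns a mutated copy.
def insert_field(fields, rng):
    pos = rng.randrange(len(fields) + 1)
    return fields[:pos] + [("rnd", rng.randbytes(rng.randrange(0, 64)))] + fields[pos:]


def remove_field(fields, rng):
    pos = rng.randrange(len(fields))
    return fields[:pos] + fields[pos + 1:]


def duplicate_field(fields, rng):
    pos = rng.randrange(len(fields))
    return fields[:pos + 1] + [fields[pos]] + fields[pos + 1:]


def modify_field(fields, rng):
    # Values chosen to hit common parsing mistakes: empty, oversized, or bit-flipped.
    pos = rng.randrange(len(fields))
    name, value = fields[pos]
    kind = rng.choice(["empty", "long", "flip"])
    if kind == "empty":
        new = b""
    elif kind == "long":
        new = (value * 50 + b"A" * 300)[:60000]
    else:
        new = bytes(b ^ rng.randrange(1, 256) for b in value) or b"\x00"
    return fields[:pos] + [(name, new)] + fields[pos + 1:]


# Message fuzz operator: insert a random well-formed message into the sequence.
def insert_message(messages, rng):
    pos = rng.randrange(len(messages) + 1)
    return messages[:pos] + [copy.deepcopy(rng.choice(messages))] + messages[pos:]


def parse_log(log_text: str) -> bytes:
    # Constructed log format written by the instrumented SUT: "KEA=<hex> KEB=<hex> SECRET=<hex>".
    kv = dict(tok.split("=", 1) for tok in log_text.split())
    return derive_key(bytes.fromhex(kv["KEA"]), bytes.fromhex(kv["KEB"]), bytes.fromhex(kv["SECRET"]))


def fuzz_encrypted(ciphertext: bytes, log_text: str, op, seed: int) -> bytes:
    # The fuzzer sits between initiator and responder: decrypt with the logged key,
    # mutate the plaintext fields, re-encrypt, and hand the result on (fresh per session).
    key = parse_log(log_text)
    fields = decode(xor_stream(key, ciphertext))
    return xor_stream(key, encode(op(fields, random.Random(seed))))


def fuzz_sequence(messages, seed: int):
    return insert_message(messages, random.Random(seed))


if __name__ == "__main__":
    log = "KEA=" + "aa" * 32 + " KEB=" + "bb" * 32 + " SECRET=" + "cc" * 32  # constructed
    key = parse_log(log)
    auth = [("ID", b"alice"), ("AUTH", b"\x11" * 16)]
    ct = xor_stream(key, encode(auth))
    for op in (insert_field, remove_field, duplicate_field, modify_field):
        print(op.__name__, decode(xor_stream(key, fuzz_encrypted(ct, log, op, seed=7))))
```

Because the key is taken from the log of the running session rather than replayed, each mutated message is fresh and decryptable by the peer, which is what lets the fuzzer reach the code behind the encryption layer instead of being rejected at the first integrity check.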
SLIDE 9

Fuzz-testing Security Protocols (recap of the three steps on slide 3)

SLIDE 10

Detecting vulnerabilities

  • The dynamic analysis monitors the SUT and reports failures.
  • Memory errors are a common source of vulnerabilities.
      • Tools: Valgrind's Memcheck, IBM's Purify

Diagram (recovered labels): Dynamic analysis wraps the SUT (Initiator, Responder); Log file; Fuzzer.
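
Step 3 of the approach is to run the mutated inputs and let the dynamic analysis report failures. The following added example (not from the slides or from SecFuzz) shows the consumer side of that: it reads Memcheck output from a fuzzing run, extracts each error with its innermost stack frame, flags the ones Memcheck attributes to freed memory, and folds repeated hits into distinct reports. The sample log is constructed to mimic Memcheck's line format; its function and file names are placeholders, not OpenSwan's.

```python
"""Collect Memcheck failures from a fuzzing run and fold repeats into distinct reports.
Constructed example: the sample log is made up to mimic Memcheck's output; the
function and file names in it are placeholders, not OpenSwan's."""
import re

# Memcheck prefixes every line with ==<pid>==. The patterns below cover an error header,
# a stack frame, and the note Memcheck adds when the faulting address lies in freed memory
# (assumed to match Memcheck's formatting; other error kinds are ignored here).
HEADER = re.compile(r"^==(\d+)== (Invalid (?:read|write) of size \d+|"
                    r"Conditional jump or move depends on uninitialised value\(s\))$")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+)$")
FREED = re.compile(r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is \d+ bytes inside a block of size \d+ free'd$")

# Constructed sample: two hits of the same read of freed state plus one uninitialised-value error.
SAMPLE_LOG = """\
==4242== Memcheck, a memory error detector
==4242== Invalid read of size 8
==4242==    at 0x4E3C2A1: helper_done (helper.c:88)
==4242==    by 0x4E1F0B7: handle_packet (demux.c:301)
==4242==  Address 0x5a1c040 is 16 bytes inside a block of size 256 free'd
==4242==    at 0x4C2EDEB: free (vg_replace_malloc.c:530)
==4242==    by 0x4E2A4F1: delete_state (state.c:412)
==4242== Invalid read of size 8
==4242==    at 0x4E3C2A1: helper_done (helper.c:88)
==4242==    by 0x4E1F0B7: handle_packet (demux.c:301)
==4242==  Address 0x5a1c040 is 16 bytes inside a block of size 256 free'd
==4242== Conditional jump or move depends on uninitialised value(s)
==4242==    at 0x4E1A001: parse_payload (parse.c:57)
==4242== ERROR SUMMARY: 3 errors from 2 contexts (suppressed: 0 from 0)
"""


def parse_memcheck(text):
    """Return one dict per error: kind, innermost stack frame, and whether it touched freed memory."""
    reports, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"pid": int(m.group(1)), "error": m.group(2), "frame": None, "freed": False}
            reports.append(current)
            continue
        if current is None:
            continue
        f = FRAME.match(line)
        if f and current["frame"] is None:
            current["frame"] = f.group(1)   # first frame after the header = where the access happened
        elif FREED.match(line):
            current["freed"] = True           # use-after-free signature
    return reports


def distinct(reports):
    """Fold repeated hits of the same error at the same frame into one failure report."""
    seen, out = set(), []
    for r in reports:
        key = (r["error"], r["frame"])
        if key not in seen:
            seen.add(key)
            out.append(r)
    return out


if __name__ == "__main__":
    for r in distinct(parse_memcheck(SAMPLE_LOG)):
        tag = " [use-after-free]" if r["freed"] else ""
        print(f"pid {r['pid']}: {r['error']} at {r['frame']}{tag}")
```

Keying reports on (error kind, innermost frame) is the usual first cut for triage: a fuzzer that hits the same defect many times per session would otherwise bury a second, distinct finding under hundreds of copies of the first.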

SLIDE 11

Internet Key Exchange Case Study

Experiment 1
  Test subject: OpenSwan v2.6.35
  Results: Discovered a previously unknown use-after-free vulnerability.

Experiment 2
  Test subject: ShrewSoft's VPN Client for Windows v2.1.7
  Results: Discovered a previously unknown unhandled exception vulnerability.

SLIDE 12

Fuzz-testing OpenSwan

  • SUT: OpenSwan v2.6.35
      • A popular IPsec implementation for Linux.
  • Dynamic analysis: Valgrind's Memcheck
      • Detects different types of memory access errors.
  • Fuzzer: SecFuzz, implemented using Python / Scapy.

Diagram (recovered labels): OpenSwan (initiator) and OpenSwan (responder) form the SUT and run under Valgrind; the Log file is read by SecFuzz.

SLIDE 13

OpenSwan: IKE Implementation details

Diagram (sequence chart, recovered labels): participants Initiator, Responder (the SUT) and Crypto helper.
Phase 1 messages: Propose SAs (Initiator to Responder), Accepted SA (Responder to Initiator), Ack.
The Responder keeps a Phase 1 state; the Crypto helper accesses it ("Access") and reports back ("Done"); the SA is established.

SLIDE 14

OpenSwan: Use-after-free Vulnerability

Diagram (sequence chart, recovered labels): Initiator, Responder (the SUT), Crypto helper.
The Initiator sends Propose SAs and then closes the session ("Close Session"); on the Responder the Phase 1 state is freed ("Freed Memory"). The Crypto helper still accesses the Phase 1 state ("Access"), which is now an invalid memory access.

The vulnerability was reported and a security patch was released; it is tracked as CVE-2011-4073.

SLIDE 15

ShrewSoft's VPN Client: Unhandled Exception

Diagram (sequence chart, recovered labels): Initiator, Responder (the SUT).
Messages: Propose SAs; Accepted SA; KEI: "0123", NI; KER: "\0", NR. Result: an unhandled exception in the SUT.

The vulnerability details will appear in CVE-2012-0784.

SLIDE 16

Related Approaches

Key Requirements:
  • Stateful exploration
  • Encryption handling

Task             | Model-based     | White-box                | SecFuzz
-----------------+-----------------+--------------------------+-------------------------------
Generate inputs  | Needs a model   | Needs the source code    | Needs a running implementation
Execute inputs   | Concretization  | Solve crypto constraints | Immediate
