securely implementing
play

Securely Implementing Network Protocols: Detecting and Preventing - PowerPoint PPT Presentation

Oct 24, 2023 •372 likes •692 views

Securely Implementing Network Protocols: Detecting and Preventing Logical Flaws Mathy Vanhoef (KU Leuven) Black Hat Webcast, 24 August 2017 @vanhoefm Introduction Many protocols have been affected by logical bugs Design flaws Implementation

  1. Securely Implementing Network Protocols: Detecting and Preventing Logical Flaws Mathy Vanhoef (KU Leuven) Black Hat Webcast, 24 August 2017 @vanhoefm

  2. Introduction Many protocols have been affected by logical bugs Design flaws Implementation flaws BEAST 11 Early CCS attack 5 POODLE 12 FREAK 8 TLS Lucky 13 13 Logjam 10 … … Bad state machine 4 WEP Protected setup 7 No downgrade check 4 Wi-Fi Key reinstallations 1 Bad randomness 6,7 … … CBC plaintext recovery 2 Bad state machine 3 SSH 2

  3. Introduction Many protocols have been affected by logical bugs Implementation flaws Early CCS attack 5 FREAK 8 Logjam 10 We focus on logical … implementation flaws Bad state machine 4 No downgrade check 4 Bad randomness 6,7 … Bad state machine 3 3

  4. How were TLS flaws detected? Several works audited state machines: • Kikuchi discovered the early CCS attack 5 • Manual inspection of CCS transitions in implementations 2014 • Beurdouche et al: manually define state machine of TLS 8 • Use state machine to generate invalid handshakes 2015 • de Ruiter and Poll: extract state machine automatically 9 • Manually inspect state machine for anomalies 2016 4

  5. Lesson: use model-based testing!  Model-based testing!  Test if program behaves according to some abstract model  Proved successful against TLS  We applied model-based approach on the Wi-Fi handshake  Our technique can be used to test other protocols! 5

  6. Background: the Wi-Fi handshake Main purposes:  Network discovery  Mutual authentication & negotiation of pairwise session key  Securely select cipher to encrypt data frames WPA-TKIP AES-CCMP Short-term solution: reduced security Long-term solution based on so it could run on old hardware modern cryptographic primitives 6

  7. Wi-Fi handshake (simplified) 7

  8. Wi-Fi handshake (simplified) 8

  9. Wi-Fi handshake (simplified) 9

  10. Wi-Fi handshake (simplified) Defined using EAPOL frames 10

  11. EAPOL frame layout 11

  12. EAPOL frame layout ≈ … header replay counter MIC key data encrypted 12

  13. Model-based testing: our approach Model: normal Set of test handshake cases Test generation rules: (in)correct modifications Test generation rules:  Test various edge cases, allows some creativity  Are assumed to be independent (avoid state explosion) A test case defines: 1. Messages to send & expected replies 2. Results in successful connection? 13

  14. Executing test cases For every test case unexpected reply Execute test case unexpected result Check if connection Save failed test successful All OK Reset Afterwards inspect failed test cases  Experts determines impact and exploitability 14

  15. Test generation rules Test generation rules manipulating messages as a whole: 1. Drop a message 2. Inject/repeat a message Test generation rules that modify fields in messages: 1. Bad EAPOL replay counter 2. Bad EAPOL header (e.g. message ID) 3. Bad EAPOL Message Integrity Check (MIC) 4. Mismatch in selected cipher suite 5. … 15

  16. Evaluation We tested 12 access points:  Open source: OpenBSD , Linux’s Hostapd  Leaked source: Broadcom, MediaTek (home routers)  Closed source: Windows, Apple, …  Professional equipment: Aerohive, Aironet Discovered several issues! 16

  17. Missing downgrade checks 1. MediaTek & Telenet don’t verify selected cipher in message 2 2. MediaTek also ignores supported ciphers in message 3  Trivial downgrade attack against MediaTek clients 17

  18. Windows 7 targeted DoS Client AP Client 2 … 18

  19. Windows 7 targeted DoS Client AP Client 2 PoC @ github.com/vanhoefm/blackhat17-pocs … 19

  20. Broadcom downgrade Broadcom cannot distinguish message 2 and 4  Can be abused to downgrade the AP to TKIP Hence message 4 is essential in preventing downgrade attacks  This highlights incorrect claims in the 802.11 standard: “ While Message 4 serves no cryptographic purpose , it serves as an acknowledgment to Message 3. It is required to ensure reliability and to inform the Authenticator that the Supplicant has installed the PTK and GTK and hence can receive encrypted frames. ” 20

  21. OpenBSD: client man-in-the-middle Bug in state machine of AP  we also inspected client: State machine missing!  Man-in-the-middle against client 21

  22. OpenBSD: client man-in-the-middle 22

  23. OpenBSD: client man-in-the-middle 23

  24. OpenBSD: client man-in-the-middle 24

  25. OpenBSD: client man-in-the-middle 25

  26. OpenBSD: client man-in-the-middle PoC @ github.com/vanhoefm/blackhat17-pocs 26

  27. More results See Black Hat & AsiaCCS paper 4 :  Benign irregularities  fingerprint  Permanent DoS attack against Broadcom and OpenBSD  DoS attack against Windows 10, Broadcom, Aerohive  Inconsistent parsing of supported cipher suite list  … 27

  28. Future work! Current limitations:  Amount of code coverage is unknown  Only used well-formed (albeit invalid) packets  Test generation rules applied independently But already a promising technique  Black-box testing mechanism: no source code needed  Fairly simple handshake, but still several logical bugs! 28

  29. Conclusion: avoiding logical bugs What helps:  Try to generalize known bugs (in your/other products)  Model-based testing (e.g. this presentation)  Write rigorous requirements (specification) and review them  Detailed code reviews (e.g. by domain experts) Does not help:  Standard code review (only detects common mistakes)  Traditional static or dynamic testing 29

  30. Securely Implementing Network Protocols: Detecting and Preventing Logical Flaws Mathy Vanhoef (KU Leuven) Black Hat Webcast, 24 August 2017 @vanhoefm

  31. References 1. M. Vanhoef and F. Piessens. Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. In CCS, 2017. 2. M. R. Albrecht, K. G. Paterson and G. J. Watson. Plaintext Recovery Attacks Against SSH. In IEEE S&P, 2009. 3. E. Poll and A. Schubert. Verifying an implementation of SSH. In WITS, 2007. 4. M. Vanhoef, D. Schepers, and F. Piessens. Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing. In ASIA CCS, 2017. 5. M. Kikuchi. How I discovered CCS Injection Vulnerability (CVE-2014-0224). Retrieved 20 August 2017 from http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html 6. M. Vanhoef and F. Piessens. Predicting, Decrypting, and Abusing WPA2/802.11 Group Keys. In USENIX Security, 2016. 7. D. Bongard. Offline bruteforce attack on WiFi Protected Setup. In Hack Lu, 2014. 8. Beurdouche et al. A Messy State of the Union: Taming the Composite State Machines of TLS. In IEEE S&P, 2015. 9. J. de Ruiter and E. Poll. Protocol State Fuzzing of TLS Implementations. In USENIX Security, 2015. 10. D. Adrian et al. Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice. In CCS, 2015. 11. T. Duong and J. Rizzo. Here come the xor ninjas. In Ekoparty Security Conference, 2011. 12. B. Möller, T. Duong, and K. Kotowicz. This POODLE Bites: Exploiting The SSL 3.0 Fallback. In Google Security Blog, 2014. 13. N. J. Al Fardan and K. G. Paterson. Lucky thirteen: Breaking the TLS and DTLS record protocols. In IEEE S&P, 2013. 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Generic Architecture Architecture Generic for Securely Securely Managing Managing for

Generic Architecture Architecture Generic for Securely Securely Managing Managing for

Trusted Architecture for Trusted Architecture for Securely Shared Services Securely Shared Services Generic Architecture Architecture Generic for Securely Securely Managing Managing for Employability & Healthcare Employability &

161 views • 14 slides
Generic Architecture Architecture Generic to Securely Securely Manage Manage to

Generic Architecture Architecture Generic to Securely Securely Manage Manage to

Trusted Architecture for Trusted Architecture for Securely Shared Services Securely Shared Services Generic Architecture Architecture Generic to Securely Securely Manage Manage to Employability, Healthcare & Employability, Healthcare

813 views • 16 slides
Disaster Preparedness Checklist General Preparedness Secure your roof: - Ensure roof is securely

Disaster Preparedness Checklist General Preparedness Secure your roof: - Ensure roof is securely

Disaster Preparedness Checklist General Preparedness Secure your roof: - Ensure roof is securely fixed to walls - Ensure that galvanized sheets are in good order & securely fastened - Seal spaces between roof & supports Secure windows

178 views • 3 slides
Alice and Bob want to communicate securely Achieve confidentiality and

Alice and Bob want to communicate securely Achieve confidentiality and

Alice and Bob want to communicate securely Achieve confidentiality and integrity/authenticity Both know each others public key Example: A->B: E Bob (M), S Alice (M) Works, but expensive Recall hybrid encryption

488 views • 16 slides
Firecracker How to Securely Run Thousands of Workloads on a Single Host What is Firecracker? -

Firecracker How to Securely Run Thousands of Workloads on a Single Host What is Firecracker? -

Firecracker How to Securely Run Thousands of Workloads on a Single Host What is Firecracker? - Open Source Project - Virtual Machine Monitor (VMM) - Runs on top of KVM - Security and isolation of VMs - Speed and density of container - Low

697 views • 30 slides
Multi Party secure communication C D A B E F N parties want to communicate securely with

Multi Party secure communication C D A B E F N parties want to communicate securely with

1 Key Establishment Chester Rebeiro IIT Madras 2 Multi Party secure communication C D A B E F N parties want to communicate securely with each other (N=6 in this figure) If U sends a message to V (U V and U,V {a,b,c,d,e,f})

721 views • 55 slides
Cyber@UC Meeting 61 Running a Linux box securely If Youre New! Join our Slack:

Cyber@UC Meeting 61 Running a Linux box securely If Youre New! Join our Slack:

Cyber@UC Meeting 61 Running a Linux box securely If Youre New! Join our Slack: ucyber.slack.com SIGN IN! (Slackbot will post the link in #general) Feel free to get involved with one of our committees: Content Finance Public

297 views • 11 slides
Securely Moving Your Business Into the Cloud Alex Stamos Partner

Securely Moving Your Business Into the Cloud Alex Stamos Partner

Securely Moving Your Business Into the Cloud Alex Stamos Partner Takeaways Current conventional wisdom on cloud computing is missing the point You cannot

793 views • 37 slides
Implementing Perl 6 Jonathan Worthington Dutch Perl Workshop 2008 Implementing Perl 6 I

Implementing Perl 6 Jonathan Worthington Dutch Perl Workshop 2008 Implementing Perl 6 I

Implementing Perl 6 Jonathan Worthington Dutch Perl Workshop 2008 Implementing Perl 6 I didnt know I was giving this talk until yesterday. Implementing Perl 6 I could have written my slides last night, but Implementing Perl 6

537 views • 52 slides
Implementing Generalised Alt Gavin Lowe Implementing Generalised Alt 02 CSO for dummies

Implementing Generalised Alt Gavin Lowe Implementing Generalised Alt 02 CSO for dummies

Implementing Generalised Alt 01 Implementing Generalised Alt Gavin Lowe Implementing Generalised Alt 02 CSO for dummies Communicating Scala Objects (CSO) is a library of CSP-like communication primitives for the Scala programming language,

724 views • 34 slides
Securely accessing remote sensors in critical infrastructures. SUPERVISORS: RESEARCH PROJECT 2

Securely accessing remote sensors in critical infrastructures. SUPERVISORS: RESEARCH PROJECT 2

Securely accessing remote sensors in critical infrastructures. SUPERVISORS: RESEARCH PROJECT 2 CEDRIC BOTH PAVLOS LONTORFOS JEROEN DO BOER 1 SECURITY AND NETWORK ENGINEERING The use of sensors Transportation Power grid networks

729 views • 24 slides
AAMVA Region I Conference E-ID, DLDV, and Privacy Conducting Business Securely July 15, 2013

AAMVA Region I Conference E-ID, DLDV, and Privacy Conducting Business Securely July 15, 2013

The Imperative for High Assurance Credentials: State Identity Credential and Access Management (SICAM) Guidance and Roadmap AAMVA Region I Conference E-ID, DLDV, and Privacy Conducting Business Securely July 15, 2013 Chad Grant, Senior

659 views • 18 slides
Developing Construction Workers for Securely Built Software James R Lindley CISSP, ISSAP,

Developing Construction Workers for Securely Built Software James R Lindley CISSP, ISSAP,

Developing Construction Workers for Securely Built Software James R Lindley CISSP, ISSAP, ISSEP, ISSMP, CISA, PMP, SSE-CMM Team Chief, IRS Penetration Testing and Code Analysis Tuesday, March 18, 2014,11:05 -11:40 Three Types of Security

566 views • 31 slides
TRESOR Runs Encryption Securely Outside RAM 20th USENIX Security Symposium August 8 12, 2011

TRESOR Runs Encryption Securely Outside RAM 20th USENIX Security Symposium August 8 12, 2011

TRESOR Runs Encryption Securely Outside RAM 20th USENIX Security Symposium August 8 12, 2011 San Francisco, CA Tilo Mller Felix C. Freiling Andreas Dewald Department of Computer Science University of Erlangen Who we are Chair

504 views • 29 slides
OA2 Overview and Site Planning Building collaboration sites to communicate securely, share assets

OA2 Overview and Site Planning Building collaboration sites to communicate securely, share assets

OA2 Overview and Site Planning Building collaboration sites to communicate securely, share assets & accomplish work together online. John Studdard Managing Partner Big Couch Media Group Full service South Florida based Digital Agency To

314 views • 19 slides
Embark: Securely Outsourcing Middleboxes to the Cloud Chang Lan, Justine Sherry, Raluca Ada

Embark: Securely Outsourcing Middleboxes to the Cloud Chang Lan, Justine Sherry, Raluca Ada

Embark: Securely Outsourcing Middleboxes to the Cloud Chang Lan, Justine Sherry, Raluca Ada Popa, Sylvia Ratnasamy, Zhi Liu UC Berkeley Tsinghua University 1 Background Middleboxes are prevalent and problematic Number of Middleboxes

1.31k views • 44 slides
Here's where we are with open source security and here's what we need to do about it Nicko

Here's where we are with open source security and here's what we need to do about it Nicko

Here's where we are with open source security and here's what we need to do about it Nicko van Someren, Core Infrastructure Initiative 2014 was a bad year for FOSS security The Linux Foundation created the Core Infrastructure Initiative

931 views • 25 slides
Comparatives Katy Carlson Morehead State University k.carlson@moreheadstate.edu Virtual ECBAE3,

Comparatives Katy Carlson Morehead State University k.carlson@moreheadstate.edu Virtual ECBAE3,

Parallelism and Ellipsis in Comparatives Katy Carlson Morehead State University k.carlson@moreheadstate.edu Virtual ECBAE3, July 2020 The Project in a Nutshell Comparative constructions can have a range of syntactic continuations, from

519 views • 35 slides
Testing TLS Hubert Kario Quality Engineer 24-10-2015 2014 Heartbleed 24-10-2015 3/55

Testing TLS Hubert Kario Quality Engineer 24-10-2015 2014 Heartbleed 24-10-2015 3/55

Testing TLS Hubert Kario Quality Engineer 24-10-2015 2014 Heartbleed 24-10-2015 3/55 OpenSSL CCS bug 24-10-2015 4/55 gotofail 24-10-2015 5/55 Certifjcate handling 24-10-2015 6/55 CVE-2014-6321 in schannel a.k.a. Winshock

774 views • 55 slides
Variables CS105 : Saelee puts "Hello, Michael" puts "Pleased to meet

Variables CS105 : Saelee puts "Hello, Michael" puts "Pleased to meet

Variables CS105 : Saelee puts "Hello, Michael" puts "Pleased to meet you, Michael." puts "Michael, welcome to CS 105!" puts "The name of your instructor is Michael

677 views • 26 slides
Kirkwood at Westheimer Kirkwood at Overbrook Kirkwood at Southlake Kirkwood at Poplar Creek

Kirkwood at Westheimer Kirkwood at Overbrook Kirkwood at Southlake Kirkwood at Poplar Creek

Kirkwood at Westheimer Kirkwood at Overbrook Kirkwood at Southlake Kirkwood at Poplar Creek Kirkwood at Waldemar Kirkwood at The Steeples Kirkwood at The Abbey Kirkwood at Briar Forest Kirkwood at Kirkwood Plaza Kirkwood at Highgrove

447 views • 18 slides
Elizabeth Simcoe Jr, Guildwood Jr, Jack Miner Sr & Poplar Road Jr PS Pupil Accommodation

Elizabeth Simcoe Jr, Guildwood Jr, Jack Miner Sr & Poplar Road Jr PS Pupil Accommodation

Elizabeth Simcoe Jr, Guildwood Jr, Jack Miner Sr & Poplar Road Jr PS Pupil Accommodation Review Working Meeting #1 February 2, 2017 Elizabeth Simcoe Jr, Guildwood Jr, Jack Miner Sr & Poplar Road Jr PS PARC Agenda Welcome and

625 views • 34 slides
Robust and Anonymous Information Sharing among Autonomous Vehicles Muktadir Chowdhury, Ashlesh

Robust and Anonymous Information Sharing among Autonomous Vehicles Muktadir Chowdhury, Ashlesh

Robust and Anonymous Information Sharing among Autonomous Vehicles Muktadir Chowdhury, Ashlesh Gawande, Lan Wang Computer Science, U. Memphis Autonomous vehicles need reliable, trustworthy real-time data Car B can help Car A and C avoid

489 views • 6 slides
Regulation 1.17 Remote-Control Devices and Powered Models or Toys FAIRFAX COUNTY PARK

Regulation 1.17 Remote-Control Devices and Powered Models or Toys FAIRFAX COUNTY PARK

Regulation 1.17 Remote-Control Devices and Powered Models or Toys FAIRFAX COUNTY PARK AUTHORITY NORTHERN VIRGINIA REGIONAL PARK AUTHORITY THURSDAY, SEPTEMBER 6, 2018 Virginia Code Alignment Dillons Rule Justice John Dillon,

506 views • 14 slides

More recommend