Security Verification with F* Cdric Fournet Catalin Hritcu Aseem - PowerPoint PPT Presentation

Computer-Aided Security Proofs, Aarhus, Oct 9 — 13 2017 Security Verification with F* Cédric Fournet Catalin Hritcu Aseem Rastogi

*the Everest VERified End-to-end Secure Transport Everest*: Verified Drop-in Replacements for TLS/HTTPS

Services & Applications Edge cURL Skype Apache Nginx WebKit IIS Clients Servers HTTPS Ecosystem

Services & Applications Edge cURL Skype Apache Nginx WebKit IIS Clients Servers HTTPS Certification X.509 ASN.1 Authority TLS *** RSA SHA 4Q ECDH Crypto Algorithms Network buffers Untrusted network (TCP, UDP, …) 4

Services & Applications Buffer overflows Edge cURL Skype Apache Nginx WebKit IIS Incorrect state machines Clients Servers Lax certificate parsing Weak or poorly implemented crypto HTTPS Side channels Certification X.509 ASN.1 Implicit security goals Authority Dangerous APIs TLS Flawed standards *** RSA SHA 4Q ECDH Crypto Algorithms OpenSSL, SChannel , NSS, … Network buffers Monthly security patches Untrusted network (TCP, UDP, …) 5

Verified Components for the HTTPS Ecosystem Services & Applications Edge cURL Skype Apache Nginx WebKit IIS Clients Servers HTTPS Certification ASN.1 X.509 Authority TLS *** RSA SHA ECDH AES Crypto Algorithms Network buffers Untrusted network (TCP, UDP, …)

Cambridge Bangalore Kenji Redmond Maillard Danel Ahman Aseem Paris (INRIA) Antoine Victor Dumitrescu Rastogi Delignat-Lavaud Pittsburgh (CMU) Chris Hawblitzel Nik Swamy Barry Bond Catalin Hritcu Bryan Parno Tahina Ramanandro Karthik Cédric Bhargavan Jonathan Fournet Protzenko Santiago Zanella-Beguelin Markulf Patrice Kohlweiss Godefroid Leonardo de Moura Christoph Wintersteiger Nadim Jean Karim Kobeissi Zinzindohoue Benjamin Beurdouche

source code, specs, security definitions, crypto games & constructions, proofs… verify all properties (using automated provers) then erase all proofs extract low-level code, kreMLin with good performance & (some) side-channel protection By implementing C/C++ standardized components and proving them secure, interop with rest of we validate both their TLS/HTTPS ecosystem design and our code. production code

The TLS/HTTPS ecosystem HTTPS ASN.1 X.509 TLS *** RSA SHA ECDH 4Q Crypto Algorithms Network buffers

2008 TLS 1.2 2017? TLS 1.3 OpenSSL SChannel NSS SecureTransport PolarSSL JSSE GnuTLS miTLS https://github.com/openssl/openssl https://openssl.org/news/vulnerabilities.html

Public Key Infrastructure accept(port); connect(server,port); request = recv(); send “GET…”; send “<html>…”; data = recv(); order = recv(); send “POST…”; … … Security Goal Threat model

Client Server

(some of them broken) Client Server

1. Internet net Standa dard d co comp mplianc nce e & i & interope perabi rabilit lity y Excluding crypto 1. algorithms, X.509, … 2. Verified rified se secu curit rity 2. Not fully mechanized (paper proofs too) 3. Expe periment rimental al pl platfo form rm 3. Not production code (poor performance)

flaw in the standard now patched in TLS https://www.secure-resumption.com/

new attacks against all mainstream implementations deviant traces Test t resul ults ts for OpenSSL: SSL: each colored red arrow row is a bug

An attack against TLS Java Library new attacks against all mainstream implementations (open for 10 years) deviant traces Many many exploitable bugs

Man-in-the-middle attack against: • servers that support RSA_EXPORT (512bit keys obsoleted in 2000) from 40% to 8.5% • clients that accept ServerKeyExchange in RSA (state machine bug) almost all browsers have been patched Factoring in 7-10h

Crypto MD5 RC4 RSA 512 bit SHA1 failures SLOTH DROWN CRIME Renegotiation Triple Attack Handshake Protocol ECDHE Cross- weaknesses Logjam protocol Attack BEAST (Rogaway 02) Lucky13 POODLE FREAK OpenSSL entropy EarlyCCS Heartbleed Implementation bugs SKIP 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016

Much discussions IETF, Google, Mozilla, Microsoft, CDNs, cryptographers, network engineers, … Much improvements • Modern design • Fewer roundtrips • Stronger security New implementations required for all • Be first & verified too! • Find & fix flaws before it’s too late

Client has no guarantee the server is present or unique. Server has no guarantee the client agrees on the connection Trading performance for security

IETF WG9599 1321 st draft including some of our proposals https://www.secure-resumption.com/ RFC finalized this month?

HTTPS ASN.1 X.509 TLS *** RSA SHA ECDH 4Q Crypto Algorithms Network buffers

Example: tracing https://www.visualstudio.com/ • Trust is transitive HTTPS X.509 ASN.1 • Trust is implicit TLS *** RSA SHA • Trust is a matter of state ECDH 4Q Crypto Algorithms Network buffers

Unsolved issues with HTTPS SSL Stripping Cookie-based Attacks CRIME / BREACH Virtual Host Confusion (Marlinspike) (various variants) (Rizzo, Duong et al.) (Delignat-Lavaud) TLS is optional in HTTP and Shared cookie database for Attackers can easily mount HTTPS servers do not can be disabled by an HTTP and HTTPS can be adaptive chosen-plaintext correlate transport-layer active attacker used to mount various attacks. Encryption after and HTTP identities, session fixation and login compression can leak leading to origin confusion CSRF attacks. secrets through length. Mitigated by correct use of Mitigated by new binding Mitigated by refreshing Mitigated by configuration HTTP Strict Transport proposals (ChannelID, secrets (e.g. CSRF tokens). of HTTPS servers with strict Security (HSTS) Token Binding). Mitigation Some protocol-specific host rules is not widely implemented. mitigations (QUICK, HTTP2) Mitigation not widely used. Difficult to mitigate in Ad-hoc mitigation; attack is Ad-hoc mitigation. and vulnerability is still browsers with current still widespread in practice Attack still widespread in widespread in practice. technologies. Can be used as HTTP compression practice. to attack many websites. remains popular. 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015

HTTPS X.509 ASN.1 TLS *** https://letsencrypt.org/ RSA SHA ECDH 4Q Crypto Algorithms Network buffers

A Timeline of Recent PKI Failures The SHAppening Crypto failures HashClash rogue CA Flame malware 512 bit Korean Debian OpenSSL entropy bug (MD5 collision) NSA/GCHQ attack School CAs Stevens et al. against Windows CA Bleichenbacher’s DROWN BERSerk e=3 attack on KeyUsage (MSR — Inria) PKCS#1 signatures Basic constraints not enforced (recurring catastrophic bug) Name constraints failures OpenSSL GnuTLS X509v1 OpenSSL CVE- null prefix 2015-1793 Usage-unrestricted Formatting & semantics VeriSign certificates VeriSign Comodo hack Trustwave NetDiscovery ANSSI VeriSign hack DigiNotar hack TÜRKTRUST CA failures 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015

Side Channel Challenge (Attacks) Protocol-level Traffic analysis Timing attacks against Memory & Cache side channels cryptographic primitives TLS messages may reveal Combined analysis of the A remote attacker may learn Memory access patterns may information about the time and length distributions information about crypto expose secrets, in particular internal protocol state or the of packets leaks information secrets by timing execution because caching may expose application data about the application time for various inputs sensitive data (e.g. by timing) • • • • Hello message contents CRIME/BREACH (adaptive Bleichenbacher attacks OpenSSL key recovery in (e.g. time in nonces, SNI) chosen plaintext attack) against PKCS#1 decryption virtual machines • • • Alerts (e.g. decryption vs. User tracking and signatures Cache timing attacks • • padding alerts) Auto-complete input theft Timing attacks against RC4 against AES • Record headers (Lucky 13) ECDSA Bleichenbacher BREACH timing Side-channel Vaudenay AES cache timing leaks in Web Tag size CRIME Lucky13 DROWN -> applications Remote timing attacks are practical 2000 … 2006 2007 2008 2009 2010 2011 20 12 2013 2014

Demo

miTLS, protocol layer: 16K lines of code and proofs Compiled to Ocaml. Partially verified. AEAD record-layer crypto 14K lines of code and proofs Verified & compiled to C

A high performance server for We integrate miTLS & its verified crypto HTTP, r everse proxy, mail,… with Internet Explorer. We replace OpenSSL with miTLS & its crypto: We run TLS 1.3 sessions with 0RTT the modified server supports TLS 1.3 without changing their application code. with tickets and 0-RTT requests.