Security Verification with F* (Cédric Fournet, Catalin Hritcu, Aseem Rastogi) - PowerPoint PPT Presentation





SLIDE 1

Computer-Aided Security Proofs, Aarhus, Oct 9—13 2017

Security Verification with F*

Cédric Fournet Catalin Hritcu Aseem Rastogi

SLIDE 2

Everest*: Verified Drop-in Replacements for TLS/HTTPS

*the Everest VERified End-to-end Secure Transport

SLIDE 3

[Diagram: the HTTPS ecosystem. Services & Applications; Servers (IIS, Apache, Nginx); Clients (cURL, WebKit, Skype, Edge)]

HTTPS Ecosystem

SLIDE 4

[Diagram: the HTTPS ecosystem stack. Services & Applications; Servers (IIS, Apache, Nginx) and Clients (cURL, WebKit, Skype, Edge); HTTPS over TLS over network buffers and the untrusted network (TCP, UDP, …); X.509 certificates, ASN.1 and the Certification Authority; crypto algorithms: RSA, SHA, ECDH]

SLIDE 5

What goes wrong in the ecosystem:

  • Buffer overflows
  • Incorrect state machines
  • Lax certificate parsing
  • Weak or poorly implemented crypto
  • Side channels
  • Implicit security goals
  • Dangerous APIs
  • Flawed standards

OpenSSL, SChannel, NSS, …: monthly security patches

[Diagram: the same HTTPS ecosystem stack as slide 4. Services & Applications; Servers (IIS, Apache, Nginx) and Clients (cURL, WebKit, Skype, Edge); HTTPS over TLS over network buffers and the untrusted network (TCP, UDP, …); X.509, ASN.1, Certification Authority; crypto algorithms: RSA, SHA, ECDH]

SLIDE 6

[Diagram: the HTTPS ecosystem stack with the verified components highlighted. TLS, X.509, HTTPS, network buffers over the untrusted network (TCP, UDP, …), crypto algorithms (RSA, SHA, ECDH, AES), ASN.1, Certification Authority; Services & Applications; Servers (IIS, Apache, Nginx) and Clients (cURL, WebKit, Skype, Edge)]

Verified Components for the HTTPS Ecosystem

SLIDE 7

Team sites: Redmond, Paris (INRIA), Cambridge, Bangalore, Pittsburgh (CMU)

Team members: Chris Hawblitzel, Cédric Fournet, Antoine Delignat-Lavaud, Karthik Bhargavan, Bryan Parno, Markulf Kohlweiss, Jean Karim Zinzindohoue, Santiago Zanella-Beguelin, Nik Swamy, Jonathan Protzenko, Aseem Rastogi, Leonardo de Moura, Catalin Hritcu, Nadim Kobeissi, Tahina Ramanandro, Barry Bond, Kenji Maillard, Benjamin Beurdouche, Christoph Wintersteiger, Patrice Godefroid, Danel Ahman, Victor Dumitrescu

SLIDE 8
SLIDE 9

By implementing standardized components and proving them secure, we validate both their design and our code.

F* sources: source code, specs, security definitions, crypto games & constructions, proofs…
  1. verify all properties (using automated provers), then erase all proofs
  2. extract low-level code with KreMLin, with good performance & (some) side-channel protection
  3. production code in C/C++, interoperating with the rest of the TLS/HTTPS ecosystem

SLIDE 10

The TLS/HTTPS ecosystem

[Diagram: the TLS/HTTPS ecosystem stack: TLS, X.509, HTTPS, RSA, SHA, ECDH, network buffers, crypto algorithms, ASN.1]

SLIDE 11

2008: TLS 1.2. 2017?: TLS 1.3

Implementations: OpenSSL, SChannel, NSS, SecureTransport, PolarSSL, JSSE, GnuTLS, miTLS

https://github.com/openssl/openssl
https://openssl.org/news/vulnerabilities.html

SLIDE 12

Threat model / Security Goal

Client:
  connect(server, port); send "GET…"; data = recv(); send "POST…"; …

Server:
  accept(port); request = recv(); send "<html>…"; order = recv();

Public Key Infrastructure

SLIDE 13

[Diagram: Client and Server]

SLIDE 14

[Diagram: Client and Server, with the protocol variants in between (some of them broken)]

SLIDE 15

Excluding crypto algorithms, X.509, …
Not fully mechanized (paper proofs too)
Not production code (poor performance)

  1. Internet Standard compliance & interoperability
  2. Verified security
  3. Experimental platform

SLIDE 16

https://www.secure-resumption.com/ : a flaw in the standard, now patched in TLS

SLIDE 17

Deviant traces: new attacks against all mainstream implementations. Test results for OpenSSL: each colored arrow is a bug.

SLIDE 18

Deviant traces: many, many exploitable bugs; new attacks against all mainstream implementations.

An attack against the TLS Java library (open for 10 years)

SLIDE 19

Man-in-the-middle attack against:

  • servers that support RSA_EXPORT (512-bit keys, obsoleted in 2000): from 40% down to 8.5%
  • clients that accept ServerKeyExchange in RSA (state machine bug): almost all browsers have been patched

Factoring in 7-10h
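The client-side bug on this slide is a state-machine failure: a client that has negotiated plain RSA key exchange accepts a ServerKeyExchange message that does not belong in that handshake. The following Python code is an added example, not code from the slides or from miTLS: a small acceptance check over the TLS 1.2 server flight (message and key-exchange names follow RFC 5246; the `SERVER_KEY_EXCHANGE_ALLOWED` table, the traces and all function names are constructed for this example) that refuses a ServerKeyExchange in an RSA handshake and refuses export suites outright.

```python
"""Added example (not from the slides): a client-side check that the TLS 1.2 server
flight matches the negotiated key exchange, so that a ServerKeyExchange message is
refused in a plain RSA handshake.  Names follow RFC 5246; tables are constructed."""

# Whether the server flight for a key-exchange method carries a ServerKeyExchange
# message (RFC 5246, section 7.4.3): only ephemeral exchanges and the obsolete
# export suites do.  Constructed table covering the methods this example needs.
SERVER_KEY_EXCHANGE_ALLOWED = {
    "RSA": False,
    "DHE_RSA": True,
    "ECDHE_RSA": True,
    "RSA_EXPORT": True,
}

# Export suites use 512-bit keys; a hardened client refuses them outright.
OBSOLETE_KEY_EXCHANGES = {"RSA_EXPORT"}


def expected_flights(key_exchange):
    """All message sequences a compliant server may send for this key exchange.
    CertificateRequest is optional and, when present, precedes ServerHelloDone."""
    base = ["ServerHello", "Certificate"]
    if SERVER_KEY_EXCHANGE_ALLOWED[key_exchange]:
        base.append("ServerKeyExchange")
    return [base + ["ServerHelloDone"],
            base + ["CertificateRequest", "ServerHelloDone"]]


def check_server_flight(key_exchange, messages):
    """Return (accepted, reason) for the handshake messages received after ClientHello.

    key_exchange is the method implied by the cipher suite in ServerHello;
    messages is the list of handshake message names in the order they arrived.
    """
    if key_exchange not in SERVER_KEY_EXCHANGE_ALLOWED:
        return False, f"unknown key exchange {key_exchange}"
    if key_exchange in OBSOLETE_KEY_EXCHANGES:
        return False, f"{key_exchange} is obsolete; refuse the connection"
    # The deviation this slide describes: an ephemeral key offered where none belongs.
    if "ServerKeyExchange" in messages and not SERVER_KEY_EXCHANGE_ALLOWED[key_exchange]:
        return False, f"ServerKeyExchange is not permitted in a {key_exchange} handshake"
    if messages not in expected_flights(key_exchange):
        return False, f"deviant trace: {messages}"
    return True, "flight matches the negotiated key exchange"


# Constructed traces: a proper ECDHE flight, and a plain-RSA flight into which the
# peer injected a ServerKeyExchange (the sequence a lax state machine accepts).
GOOD_ECDHE = ["ServerHello", "Certificate", "ServerKeyExchange", "ServerHelloDone"]
BAD_RSA = ["ServerHello", "Certificate", "ServerKeyExchange", "ServerHelloDone"]

if __name__ == "__main__":
    print(check_server_flight("ECDHE_RSA", GOOD_ECDHE))
    print(check_server_flight("RSA", BAD_RSA))
```

The same byte sequence is accepted or rejected depending only on what the ServerHello negotiated, which is why the check has to be driven by the cipher suite rather than by the messages alone; a verified implementation such as miTLS makes that dependency part of the typed handshake state.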

SLIDE 20

Crypto failures

[Timeline 2007-2016 of protocol weaknesses and implementation bugs: EarlyCCS, Heartbleed, POODLE, Triple Handshake, SKIP, FREAK, Logjam, SLOTH, DROWN, Renegotiation Attack, ECDHE Cross-protocol Attack, BEAST (Rogaway 02), Lucky13, RC4, MD5, OpenSSL entropy, CRIME, RSA 512 bit, SHA1]

SLIDE 21

Much discussion

IETF, Google, Mozilla, Microsoft, CDNs, cryptographers, network engineers, …

Many improvements

  • Modern design
  • Fewer roundtrips
  • Stronger security

New implementations required for all

  • Be first & verified too!
  • Find & fix flaws before it's too late
SLIDE 22

Client has no guarantee the server is present or unique. Server has no guarantee the client agrees on the connection. Trading performance for security.

SLIDE 23 https://www.secure-resumption.com/

IETF WG9599 1321st draft including some of our proposals RFC finalized this month?

SLIDE 24

[Diagram: the TLS/HTTPS ecosystem stack: TLS, X.509, HTTPS, RSA, SHA, ECDH, network buffers, crypto algorithms, ASN.1]

SLIDE 25
SLIDE 26

Example: tracing

https://www.visualstudio.com/

  • Trust is transitive
  • Trust is implicit
  • Trust is a matter of state

[Diagram: the TLS/HTTPS ecosystem stack: TLS, X.509, HTTPS, RSA, SHA, ECDH, network buffers, crypto algorithms, ASN.1]

SLIDE 27

Unsolved issues with HTTPS

[Timeline 2006-2015]

SSL Stripping (Marlinspike)
  Problem: TLS is optional in HTTP and can be disabled by an active attacker.
  Mitigation: correct use of HTTP Strict Transport Security (HSTS).
  Status: mitigation not widely used, and the vulnerability is still widespread in practice.

Cookie-based Attacks (various variants)
  Problem: the shared cookie database for HTTP and HTTPS can be used to mount various session fixation and login CSRF attacks.
  Mitigation: new binding proposals (ChannelID, Token Binding); mitigation is not widely implemented.
  Status: difficult to mitigate in browsers with current technologies; can be used to attack many websites.

CRIME / BREACH (Rizzo, Duong et al.)
  Problem: attackers can easily mount adaptive chosen-plaintext attacks; encryption after compression can leak secrets through length.
  Mitigation: refreshing secrets (e.g. CSRF tokens); some protocol-specific mitigations (QUIC, HTTP2).
  Status: ad-hoc mitigation; the attack is still widespread in practice as HTTP compression remains popular.

Virtual Host Confusion (Delignat-Lavaud)
  Problem: HTTPS servers do not correlate transport-layer and HTTP identities, leading to origin confusion.
  Mitigation: configuration of HTTPS servers with strict host rules.
  Status: ad-hoc mitigation; the attack is still widespread in practice.
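Two of the mitigations above are checkable from a single HTTPS response: a usable Strict-Transport-Security policy (against SSL stripping) and cookies that carry the Secure attribute (so the shared HTTP/HTTPS cookie store cannot hand them to a plain-HTTP attacker). The Python below is an added example, not code from the slides or from the Everest project: it parses the header directives (syntax per RFC 6797 and RFC 6265) and reports a weak configuration next to a hardened one. The one-year `max-age` threshold, the function names and the sample header lists are constructed for this example.

```python
"""Added example (not from the slides): audit an HTTPS response for the two
configuration-level mitigations named on slide 27, HSTS and Secure-flagged cookies.
Header samples are constructed; the one-year max-age threshold is an assumption."""

ONE_YEAR = 365 * 24 * 3600  # assumed minimum max-age; preload lists require a year


def parse_directives(value):
    """Split 'a=1; b; c="x"' into {'a': '1', 'b': '', 'c': 'x'} (names lower-cased)."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        out[name.strip().lower()] = val.strip().strip('"')
    return out


def hsts_findings(headers, min_age=ONE_YEAR):
    """Return a list of problems with the HSTS policy; an empty list means acceptable.
    headers is a list of (name, value) pairs as received in the response."""
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return ["no Strict-Transport-Security header: TLS stays optional"]
    problems = []
    d = parse_directives(values[0])  # RFC 6797: only the first header counts
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        return ["malformed or missing max-age directive"]
    if max_age == 0:
        problems.append("max-age=0 disables the policy")
    elif max_age < min_age:
        problems.append(f"max-age {max_age} is shorter than {min_age}s")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing: subdomains remain strippable")
    return problems


def insecure_cookies(headers):
    """Names of Set-Cookie values lacking the Secure attribute: the browser would
    also send them, and accept overwrites of them, over plain HTTP."""
    names = []
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        cookie, _, attrs = v.partition(";")
        if "secure" not in parse_directives(attrs):
            names.append(cookie.split("=", 1)[0].strip())
    return names


# Constructed responses: a weak deployment and the corrected one.
WEAK = [
    ("Strict-Transport-Security", "max-age=300"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
]
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "__Host-session=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, hsts_findings(hdrs), insecure_cookies(hdrs))
```

The check deliberately reads only the first Strict-Transport-Security header, which is what RFC 6797 tells user agents to do, so a second, stronger header does not rescue a weak first one.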

SLIDE 28

https://letsencrypt.org/

[Diagram: the TLS/HTTPS ecosystem stack: TLS, X.509, HTTPS, RSA, SHA, ECDH, network buffers, crypto algorithms, ASN.1]

SLIDE 29

Crypto failures

A Timeline of Recent PKI Failures

[Timeline 2006-2015, events classified as formatting & semantics failures or CA failures:]

  • HashClash rogue CA (MD5 collision), Stevens et al.
  • Flame malware
  • NSA/GCHQ attack against Windows CA
  • Bleichenbacher's e=3 attack on PKCS#1 signatures
  • 512 bit Korean School CAs
  • TÜRKTRUST
  • BERSerk (MSR—Inria)
  • DigiNotar hack
  • Usage-unrestricted VeriSign certificates
  • ANSSI
  • Comodo hack
  • Trustwave
  • VeriSign NetDiscovery
  • Debian OpenSSL entropy bug
  • Basic constraints not enforced (recurring catastrophic bug)
  • OpenSSL null prefix
  • The SHAppening
  • DROWN
  • KeyUsage
  • Name constraints failures
  • VeriSign hack
  • OpenSSL CVE-2015-1793
  • GnuTLS X509v1

Legend: Formatting & semantics; CA failures

SLIDE 30

Side Channel Challenge (Attacks)

[Timeline 2000 … 2006-2014]

Protocol-level side channels
  TLS messages may reveal information about the internal protocol state or the application data.
  • Hello message contents (e.g. time in nonces, SNI)
  • Alerts (e.g. decryption vs. padding alerts)
  • Record headers

Traffic analysis
  Combined analysis of the time and length distributions of packets leaks information about the application.
  • CRIME/BREACH (adaptive chosen plaintext attack)
  • User tracking
  • Auto-complete input theft

Timing attacks against cryptographic primitives
  A remote attacker may learn information about crypto secrets by timing execution time for various inputs.
  • Bleichenbacher attacks against PKCS#1 decryption and signatures
  • Timing attacks against RC4 (Lucky 13)

Memory & Cache
  Memory access patterns may expose secrets, in particular because caching may expose sensitive data (e.g. by timing).
  • OpenSSL key recovery in virtual machines
  • Cache timing attacks against AES

[Timeline entries: AES cache timing; Bleichenbacher; CRIME; Lucky13; DROWN; "Remote timing attacks are practical"; BREACH; Tag size; Side-channel leaks in Web applications; ECDSA timing; Vaudenay]

SLIDE 31

Demo

SLIDE 32

miTLS, protocol layer: 16K lines of code and proofs; compiled to OCaml; partially verified.
AEAD record-layer crypto: 14K lines of code and proofs; verified & compiled to C.

SLIDE 33

A high-performance server for HTTP, reverse proxy, mail, …: we replace OpenSSL with miTLS & its crypto; the modified server supports TLS 1.3 with tickets and 0-RTT requests.

We integrate miTLS & its verified crypto with Internet Explorer, and run TLS 1.3 sessions with 0-RTT without changing the application code.

SLIDE 34

[Diagram: Nginx architecture. A master process runs worker threads; each worker serves virtual servers bound to (IP1, Port1), (IP2, Port2), …, (IPk, Portk), each virtual server with its own certificate and TLS context; workers reach the backends (application servers, memory caches, local files) over HTTP, FastCGI, sendfile, mmap, AIO and Unix sockets.]

Nginx Architecture