session languages
play

& session languages Erik Poll Joeri de Ruiter - PowerPoint PPT Presentation

Jan 11, 2024 •129 likes •405 views

Protocol state machines & session languages Erik Poll Joeri de Ruiter Aleksy Schubert LangSec workshop @ IEEE Security & Privacy, 2015 Input languages: messages & sessions Handling inputs involves language of

  1. Protocol state machines & session languages Erik Poll Joeri de Ruiter Aleksy Schubert LangSec workshop @ IEEE Security & Privacy, 2015

  2. Input languages: messages & sessions • Handling inputs involves language of input messages • Often it also involves language of sessions, ie. sequences of messages • Do LangSec principles also apply at this session level? • when it comes to specification & implementation? Erik Poll, Joeri de Ruiter, Aleksy Schubert Protocol state machines & session languages 2

  3. Session language as message sequence chart This oversimplifies the session language because it only specifies one correct, happy flow Erik Poll, Joeri de Ruiter, Aleksy Schubert Protocol state machines & session languages 3

  4. Session language as protocol state machine This still oversimplifies : an implementation will have to be input-enabled, ie in every state every message may be received SSH transport layer Erik Poll, Joeri de Ruiter, Aleksy Schubert Protocol state machines & session languages 4

  5. typical input enabled state machine Erik Poll, Joeri de Ruiter, Aleksy Schubert Protocol state machines & session languages 5

  6. Security flaws due to broken state machines • MIDPSSH Open source Java implemention of SSH for Java feature phones No protocol state machine implemented at all. [Erik Poll at al., Verifying an implementation of SSH, WITS 2007] • e.dentifier2 USB-connected device for internet banking Strange sequence of USB commands by-passes user OK [Arjan Blom et al, Designed to Fail:...., NordSec 2012] • TLS Flawed state machines in many TLS implementations - more to come [Benjamin Beurdouche et al, A messy State of the union, IEEE Security & Privacy 2015] Erik Poll, Joeri de Ruiter, Aleksy Schubert Protocol state machines & session languages 6

  7. Typical prose specifications: SSH  “Once a party has sent a SSH_MSG_KEXINIT message for key exchange or re - exchange, until it has sent a SSH_MSG_NEWKEYS message, it MUST NOT send any messages other than: • Transport layer generic messages (1 to 19) (but SSH_MSG_ SERVICE_REQUEST and SSH_MSG_SERVICE_ACCEPT MUST NOT be sent); • Algorithm negotiation messages (20 to 29) (but further SSH_MSG KEXINIT messages MUST NOT be sent); • Specific key exchange method messages (30 to 49). The provisions of Section 11 apply to unrecognised messages” … “An implementation MUST respond to all unrecognised messages with an SSH_MSG_UNIMPLEMENTED. Such messages MUST be otherwise ignored. Later protocol versions may define other meanings for these message types .” Understanding state machine from prose is hard! Erik Poll, Joeri de Ruiter, Aleksy Schubert Protocol state machines & session languages 7

  8. Typical implementation: openssh Erik Poll, Joeri de Ruiter, Aleksy Schubert Protocol state machines & session languages 8

  9. Typical implementation: openssh  /** This array contains functions to handle protocol messages. * The type of the message is an index in this array. */ dispatch_fn *dispatch[255]; .... server_init_dispatch_20(void){ dispatch_init(&dispatch_protocol_error); dispatch_set(SSH_MSG_CHANNEL_CLOSE, &channel_input_oclose); dispatch_set(SSH_MSG_CHANNEL_DATA, &channel_input_data); dispatch_set(SSH_MSG_CHANNEL_EOF, &channel_input_ieof); dispatch_set(SSH_MSG_CHANNEL_EXTENDED_DATA, &channel_input_extended_data); dispatch_set(SSH_MSG_CHANNEL_OPEN, &server_input_channel_open); dispatch_set(SSH_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure); dispatch_set(SSH_MSG_CHANNEL_REQUEST, &server_input_channel_req); dispatch_set(SSH_MSG_GLOBAL_REQUEST, &server_input_global_request); dispatch_set(SSH_MSG_KEXINIT, &kex_input_kexinit); Understanding protocol state machine from code is hard! Erik Poll, Joeri de Ruiter, Aleksy Schubert Protocol state machines & session languages 9

  10. LangSec also for session languages! Protocol state machines deserve to be explicitly specified Erik Poll, Joeri de Ruiter, Aleksy Schubert Protocol state machines & session languages 10

  11. Extracting protocol state machine from code We can infer a finite state machine from implementation by black box testing using state machine learning • using L* algorithm, as implemented in eg. LearnLib This is effectively a form of ‘stateful’ fuzzing using a test harness that sends typical protocol messages This is a great way to obtain protocol state machine • without reading specs! • without reading code! Erik Poll, Joeri de Ruiter, Aleksy Schubert Protocol state machines & session languages 11

  12. State machine learning with L* Basic idea: compare response of a deterministic system to different input sequences, eg. 1. b … … b b 2. a ; b a If response is different, then … b otherwise a The state machine inferred is only an approximation of the system, and only as good as your set of test messages. Erik Poll, Joeri de Ruiter, Aleksy Schubert Protocol state machines & session languages 12

  13. Case study: EMV • Most banking smartcards implement a variant of EMV • EMV (Europay-Mastercard-Visa) defines set of protocols with lots of variants • Specification in 4 books totalling > 700 pages Erik Poll, Joeri de Ruiter, Aleksy Schubert Protocol state machines & session languages 13

  14. State machine learning of card Erik Poll, Joeri de Ruiter, Aleksy Schubert Protocol state machines & session languages 14

  15. State machine learning of card merging arrows with identical response Erik Poll, Joeri de Ruiter, Aleksy Schubert Protocol state machines & session languages 15

  16. State machine learning of card merging arrows with same start & end state We found no bugs, but lots of variety between cards. [Fides Aarts et al., Formal models of bank cards for free, SECTEST 2013] Erik Poll, Joeri de Ruiter, Aleksy Schubert Protocol state machines & session languages 16

  17. State machine learning of internet banking device State machines inferred for flawed & patched device [Georg Chalupar et al., .Automated reverse engineering using Lego, .WOOT 2014] Movie at http://tinyurl/legolearn Erik Poll, Joeri de Ruiter, Aleksy Schubert Protocol state machines & session languages 17

  18. Scary state machine complexity More complete state machine of the patched device, using a richer input alphabet No flaws found in patched device, but were the developers really confident that this complex behaviour is secure? Or necessary? Erik Poll, Joeri de Ruiter, Aleksy Schubert Protocol state machines & session languages 18

  19. TLS state machine extracted from NSS Comforting to see this is so simple! Erik Poll, Joeri de Ruiter, Aleksy Schubert Protocol state machines & session languages 19

  20. TLS state machine extracted from GnuTLS Erik Poll, Joeri de Ruiter, Aleksy Schubert Protocol state machines & session languages 20

  21. TLS state machine extracted from OpenSSL Erik Poll, Joeri de Ruiter, Aleksy Schubert Protocol state machines & session languages 21

  22. TLS state machine extracted from JSSE Erik Poll, Joeri de Ruiter, Aleksy Schubert Protocol state machines & session languages 22

  23. Which TLS implementations are correct? or secure? [Joeri de Ruiter et al., Protocol state fuzzing of TLS implementations, Usenix Security 2015] Erik Poll, Joeri de Ruiter, Aleksy Schubert Protocol state machines & session languages 23

  24. Conclusions LangSec principles not only apply to language of input messages but also for language of protocol sessions because in practice we see • unclear specifications of session languages without explicit state machines • messy & flawed implementations of session languages • security flaws as a result of this Open question: How common is this category of security flaws? Erik Poll, Joeri de Ruiter, Aleksy Schubert Protocol state machines & session languages 24

  25. Comparing session languages to message formats Bad news 1. even less likely to be rigorously specified • many specs provide EBNF but no protocol state machine 2. complete specification of state machine is tricky • input-enabled state machine becomes messy 3. generating code from spec is harder • handling state has to be interpersed with other functionality (cf. aspect) Good news 1. we can extract state machines from code! to find flaws in program logic, but not malicious backdoors 2. bugs in state machine can cause security problems, but no weird machines? Erik Poll, Joeri de Ruiter, Aleksy Schubert Protocol state machines & session languages 25

  26. Erik Poll, Joeri de Ruiter, Aleksy Schubert Protocol state machines & session languages 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Work in Progress: On Session Languages Prashant Anantharaman , Sean W. Smith Dartmouth College,

Work in Progress: On Session Languages Prashant Anantharaman , Sean W. Smith Dartmouth College,

Work in Progress: On Session Languages Prashant Anantharaman , Sean W. Smith Dartmouth College, NH, USA pa@cs.dartmouth.edu / https://prashant.at 1 What are Session Languages? The spirit of LangSec is to use formal tools to tighten up

238 views • 12 slides
Turing Machines Context-Free Languages n b n R a ww Regular Languages a * a * b * 1

Turing Machines Context-Free Languages n b n R a ww Regular Languages a * a * b * 1

Review Languages and Grammars Alphabets, strings, languages Regular Languages Deterministic Finite and Nondeterministic Automata Equivalence of NFA and DFA and Minimizing a DFA CS 301 - Lecture 19 Regular Expressions

513 views • 17 slides
Undecidability Almost all Languages are undecidable Set of all languages: Set of all dec. lang.:

Undecidability Almost all Languages are undecidable Set of all languages: Set of all dec. lang.:

15-251: Great Theoretical Ideas in Computer Science Lecture 8 Undecidability Almost all Languages are undecidable Set of all languages: Set of all dec. lang.: Most languages do not have a TM deciding them Question: Is it just weird languages

517 views • 51 slides
SOLUTIONS FOR THE FIRST REVIEW SESSION COSC 1306 Fall 2017 First Question Which of the

SOLUTIONS FOR THE FIRST REVIEW SESSION COSC 1306 Fall 2017 First Question Which of the

SOLUTIONS FOR THE FIRST REVIEW SESSION COSC 1306 Fall 2017 First Question Which of the following statements are true or false? Interpreted languages produce faster code than compiled languages. First Question Which of the

574 views • 42 slides
Review Languages and Grammars Alphabets, strings, languages Regular Languages CS

Review Languages and Grammars Alphabets, strings, languages Regular Languages CS

Review Languages and Grammars Alphabets, strings, languages Regular Languages CS 301 - Lecture 22 Deterministic Finite and Nondeterministic Automata Equivalence of NFA and DFA and Minimizing a DFA Non-Determinism,

267 views • 15 slides
Exercise Session 6 Andrei Vancea Todays Exercise Session Assignment VI Hints

Exercise Session 6 Andrei Vancea Todays Exercise Session Assignment VI Hints

Chair of Software Engineering Languages in Depth Series: Java Programming Prof. Dr. Bertrand Meyer Exercise Session 6 Andrei Vancea Todays Exercise Session Assignment VI Hints Questions Pattern of the Day The Abstract Factory

352 views • 17 slides
Exercise Session 4 Adriana Ispas Todays Exercise Session Assignment III Walkthrough the

Exercise Session 4 Adriana Ispas Todays Exercise Session Assignment III Walkthrough the

Chair of Software Engineering Languages in Depth Series: Java Programming Prof. Dr. Bertrand Meyer Exercise Session 4 Adriana Ispas Todays Exercise Session Assignment III Walkthrough the master solution (your solutions) Questions

600 views • 26 slides
Exercise Session 3 Todays Exercise Session Assignment 2 Walkthrough the master solution

Exercise Session 3 Todays Exercise Session Assignment 2 Walkthrough the master solution

Chair of Software Engineering Languages in Depth Series: Java Programming Prof. Dr. Bertrand Meyer Exercise Session 3 Todays Exercise Session Assignment 2 Walkthrough the master solution (your solutions) Questions Pattern of

609 views • 19 slides
= Languages Accepted by NPDAs Accept (Grammars) NPDAs Context-Free Languages 1 Proof - Step

= Languages Accepted by NPDAs Accept (Grammars) NPDAs Context-Free Languages 1 Proof - Step

Review Languages and Grammars Alphabets, strings, languages Regular Languages CS 301 - Lecture 13 Deterministic Finite and Nondeterministic Automata Equivalence of NFA and DFA Converting NPDAs to Grammars Regular

485 views • 15 slides
Review Languages and Grammars Alphabets, strings, languages Regular Languages CS 301

Review Languages and Grammars Alphabets, strings, languages Regular Languages CS 301

Review Languages and Grammars Alphabets, strings, languages Regular Languages CS 301 - Lecture 10 Deterministic Finite and Nondeterministic Automata Equivalence of NFA and DFA Chomsky and Greibach Regular Expressions

476 views • 9 slides
Languages & the Professions: URI as National Leader URI: A National Leader in Languages

Languages & the Professions: URI as National Leader URI: A National Leader in Languages

Department of Modern & Classical Languages & Literatures Languages & the Professions: URI as National Leader URI: A National Leader in Languages Over 700 majors in undergraduate languages Proficiency benchmarking and

71 views • 5 slides
Semantic Web Languages Basics Web Ontology Languages Wide variety of languages for Explicit

Semantic Web Languages Basics Web Ontology Languages Wide variety of languages for Explicit

Semantic Web Languages Basics Web Ontology Languages Wide variety of languages for Explicit Specification Graphical notations Semantic networks UML RDF/RDFS Logic based Description Logics (e.g., OIL, DAML+OIL, OWL,

408 views • 30 slides
Formal Languages CS 100: Introduction to the Profession Matthew Bauer & Michael Saelee Some

Formal Languages CS 100: Introduction to the Profession Matthew Bauer & Michael Saelee Some

Formal Languages CS 100: Introduction to the Profession Matthew Bauer & Michael Saelee Some languages - Natural languages: English, Chinese, Thai - Programming languages: Java, Lisp, Lambda calculus - Domain specific languages: SQL,

692 views • 39 slides
Session 1 SCRIPTING LANGUAGES 08-10-2018 WEN-CHI YANG Your first program Find the file 2.

Session 1 SCRIPTING LANGUAGES 08-10-2018 WEN-CHI YANG Your first program Find the file 2.

Session 1 SCRIPTING LANGUAGES 08-10-2018 WEN-CHI YANG Your first program Find the file 2. Click here 3. Copy the path 1. Find the file Find the file 4. Go to the folder where your file locates by using cd Check if your file is here by using

176 views • 15 slides
CSC 1800 Organization of Programming Languages Functional Languages 1 Introduction The

CSC 1800 Organization of Programming Languages Functional Languages 1 Introduction The

CSC 1800 Organization of Programming Languages Functional Languages 1 Introduction The design of the imperative languages is based directly on the von Neumann architecture Efficiency is the primary concern, rather than the suitability of

417 views • 24 slides
Big Ideas for CS 251 Theory of Programming Languages Principles of Programming Languages

Big Ideas for CS 251 Theory of Programming Languages Principles of Programming Languages

Big Ideas for CS 251 Theory of Programming Languages Principles of Programming Languages CS251 Programming Languages Fall 2016, Lyn Turbak Department of Computer Science Wellesley College Discussion: P rogramming L anguages Your

496 views • 30 slides
Protocol for Assignment of Local and Multicast Addresses (PALMA) Antonio de la Oliva

Protocol for Assignment of Local and Multicast Addresses (PALMA) Antonio de la Oliva

omniran-19-0030-02-CQ00 Protocol for Assignment of Local and Multicast Addresses (PALMA) Antonio de la Oliva InterDigital, UC3M omniran-19-0030-02-CQ00 IEEE 802.1CQ Scope As defined in the PAR: This standard specifies protocols,

306 views • 18 slides
Trustworthy Systems from Un-Trusted Components http://www.comp.nus.edu.sg/~tsunami PRESENTED BY

Trustworthy Systems from Un-Trusted Components http://www.comp.nus.edu.sg/~tsunami PRESENTED BY

Trustworthy Systems from Un-Trusted Components http://www.comp.nus.edu.sg/~tsunami PRESENTED BY PROF. ABHIK ROYCHOUDHURY NATIONAL UNIVERSITY OF SINGAPORE ABHIK@COMP.NUS.EDU.SG Enhancing local Ongoing NRF Project Overall capabilities Outlook

407 views • 25 slides
Security Protocols Model Checking Standards David Basin ETH Zurich CASTOR Software Days

Security Protocols Model Checking Standards David Basin ETH Zurich CASTOR Software Days

Security Protocols Model Checking Standards David Basin ETH Zurich CASTOR Software Days October 2019 Thanks Tamarin Team Simon Meier Benedikt Schmidt Cas Cremers Ralf Sasse Jannik Dreier ISO/9798 (verified using precursor tools)

535 views • 35 slides
Feasibility and Infeasibility of Secure Computation with Malicious PUFs Dana Dachman-Soled 1 Nils

Feasibility and Infeasibility of Secure Computation with Malicious PUFs Dana Dachman-Soled 1 Nils

Feasibility and Infeasibility of Secure Computation with Malicious PUFs Dana Dachman-Soled 1 Nils Fleischhacker 2 Jonathan Katz 1 Anna Lysyanskaya 3 oder 2 Dominique Schr 1 University of Maryland, College Park 2 Saarland University 3 Brown

547 views • 39 slides
Stateful Services on Mesos Ankan Mukherjee (ankan@moz.com) Arunabha Ghosh (agh@moz.com) A

Stateful Services on Mesos Ankan Mukherjee (ankan@moz.com) Arunabha Ghosh (agh@moz.com) A

Stateful Services on Mesos Ankan Mukherjee (ankan@moz.com) Arunabha Ghosh (agh@moz.com) A deployment diagram Source: wikipedia Presentation Business Data Presentation Business Data Why run on Mesos? Services are decoupled from the

950 views • 50 slides
Refactoring Kiekers I/O Infrastructure to Improve Scalability and Extensibility Holger Knoche

Refactoring Kiekers I/O Infrastructure to Improve Scalability and Extensibility Holger Knoche

Refactoring Kiekers I/O Infrastructure to Improve Scalability and Extensibility Holger Knoche University of Kiel November 10, 2017 @ SSP Holger Knoche Refactoring Kiekers I/O Infrastructure November 10, 2017 @ SSP 1 / 16 Agenda 1.

182 views • 16 slides
Multiprimary support for the availability of cluster-based stateful firewalls Pablo Neira Ayuso,

Multiprimary support for the availability of cluster-based stateful firewalls Pablo Neira Ayuso,

Multiprimary support for the availability of cluster-based stateful firewalls Pablo Neira Ayuso, Rafael M. Gasca, Laurent Lefevre <pneira@us.es>, <gasca@us.es>, <lefevre@inria.fr> Quivir Research Group, University of Sevilla,

1.07k views • 17 slides
Fault tolerant stateful firewalling with GNU/Linux Pablo Neira Ayuso <pablo@netfilter.org>

Fault tolerant stateful firewalling with GNU/Linux Pablo Neira Ayuso <pablo@netfilter.org>

Fault tolerant stateful firewalling with GNU/Linux Pablo Neira Ayuso <pablo@netfilter.org> Proyecto Netfilter <pneira@us.es> University of Sevilla Outline Introduction: Stateless and stateful firewalls Fault-Tolerance

442 views • 21 slides

More recommend