systematic fuzzing and testing of tls
play

Systematic Fuzzing and Testing of TLS Libraries Juraj Somorovsky 1 - PowerPoint PPT Presentation

Jan 10, 2024 •37 likes •467 views

Systematic Fuzzing and Testing of TLS Libraries Juraj Somorovsky 1 Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 1 Transport Layer Security The most important crypto protocol HTTP, SMTP,

  1. Systematic Fuzzing and Testing of TLS Libraries Juraj Somorovsky 1 Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 1

  2. Transport Layer Security • The most important crypto protocol • HTTP, SMTP, IMAP … Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 2 2

  3. TLS History Secure Sockets Layer (SSL), SSLv2 Wagner, Schneier: Analysis of 1995 SSLv3 SSLv3 Bleichenbacher’s attack Trasnsport Layer Security 2000 Padding oracle attack 2005 TLS 1.1 TLS 1.2 2010 BEAST, CRIME, BREACH, Lucky 13 TLS 1.3 2015 3 Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 3

  4. Questions • How can we test these attacks? • Can we find such attacks automatically? Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 5 5

  5. Approach [SP2-17] 1. Collect TLS libraries 2. 3. Profit Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 6 6

  6. Approach [SP2-17] 1. Collect TLS libraries 2. 3. Profit Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 7 7

  7. Contributions • Flexible TLS framework • Fuzzing, testing, w riting attacks … • High impact vulnerability in OpenSSL • Additional vulnerabilities in Botan, MatrixSSL … • https://github.com/RUB-NDS/TLS-Attacker Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 8 8

  8. Overview 1. TLS Protocol 2. Attacks 3. Framework Prerequisites 4. TLS-Attacker Design 5. Fuzzing 6. Results 7. Conclusions Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 9 9

  9. TLS RSA Handshake ClientHello ServerHello Certificate ServerHelloDone ClientKeyExchange ChangeCipherSpec (Client-) Finished ChangeCipherSpec (Server-) Finished Application Application Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 10 10

  10. TLS is complex … • Different versions • Crypto primitives: RSA, EC, AES, 3DES, RC4, Chacha, Poly1305, New Hope • Extensions • Protocol flows Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 11 11

  11. TLS is complex … ClientHello ServerHello Certificate ServerKeyExchange Certificate ServerHelloDone ClientKeyExchange CertificateVerify ChangeCipherSpec (Client-) Finished ChangeCipherSpec (Server-) Finished Heartbeat Application Heartbeat Application Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 12 12

  12. Overview 1. TLS Protocol 2. Attacks 3. Framework Prerequisites 4. TLS-Attacker Design 5. Fuzzing 6. Results 7. Conclusions Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 13 13

  13. TLS History Secure Sockets Layer (SSL), SSLv2 Wagner, Schneier: Analysis of 1995 SSLv3 SSLv3 Bleichenbacher’s attack Trasnsport Layer Security 2000 Padding oracle attack 2005 TLS 1.1 TLS 1.2 2010 BEAST, CRIME, BREACH, Lucky 13 TLS 1.3 2015 14 Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 14

  14. Early CCS ClientHello ServerHello Certificate ServerHelloDone ClientKeyExchange ChangeCipherSpec (Client-) Finished ChangeCipherSpec (Server-) Finished Server computes the master key based on a zero value Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 15 15

  15. Early CCS • Man-in-the-Middle attacks • Further state machine attacks in 2015: – Beurdouche et al.: FREAK – de Ruiter and Poll Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 16 16

  16. Heartbleed Server [TLS Handshake] Heartbeat 00 07 DeepSec Heartbeat 00 07 DeepSec 17 Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 17

  17. Heartbleed Server [TLS Handshake] Heartbeat 10 00 DeepSec Heartbeat 10 00 DeepSec ………. … [rsa key] 18 Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 18 ….

  18. Padding oracle attacks • Adaptive chosen-ciphertext attacks Ciphertext C = Enc(M) C 1 valid/invalid C 2 valid/invalid … (repeated several times) M = Dec(C) • AES-CBC: Vaudenay’s attack • RSA-PKCS#1: Bleichenbacher’s attack 20 Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 20

  19. Overview 1. TLS Protocol 2. Attacks 3. Framework Prerequisites 4. TLS-Attacker Design 5. Fuzzing 6. Results 7. Conclusions Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 21 21

  20. Recent Attacks on TLS • Not only crypto attacks … • Attacks on TLS state machines – FREAK – Early CCS • Buffer overflows / overreads – Heartbleed – CVE-2016-6307 (High) -> CVE-2016-6309 (Critical) • Tool for flexible protocol executions needed 22 Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 22

  21. Framework Prerequisites • Flexible protocol flow ClientHello definition ServerHello Certificate • Message modifications ServerHelloDone • Invalid behavior ClientKeyExchange ClientKeyExchange detection ChangeCipherSpec • Protocol flow (Client-) Finished ChangeCipherSpec reproduction (Server-) Finished Application Application Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 23

  22. Overview 1. TLS Protocol 2. Attacks 3. Framework Prerequisites 4. TLS-Attacker Design 5. Fuzzing 6. Results 7. Conclusions Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 24 24

  23. High-Level Overview Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 25 25

  24. Modifiable variables • Define basic data types (integer, byte, arrays) with modifications • Example: ModifiableInteger i = new ModifiableInteger(); i.setValue( 30 ); i.setModification(new AddModification( 20 )); System.out.println(i.getValue()); // 50 • Further modifications: xor , shuffle, delete, … Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 26 26

  25. Protocol messages • ClientHello ClientHelloMessage cipherSuites: ModifiableByteArray cipherSuiteLength: ModifiableInteger … getCipherSuites() getCipherSuiteLength() • Stored in a message list • Serializable in XML Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 27 27

  26. Defining a protocol flow <protocolMessages> <ClientHello> <supportedCipherSuites> <CipherSuite>TLS_RSA_WITH_AES_128_CBC_SHA</CipherSuite> </supportedCipherSuites> </ClientHello> <ServerHello/> <Certificate/> <ServerHelloDone/> <RSAClientKeyExchange/> <RSAClientKeyExchange/> <ChangeCipherSpec/> <Finished/> <ChangeCipherSpec/> <Finished/> <Application/> </protocolMessages> 29 Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 29

  27. Defining a protocol flow <protocolMessages> <ClientHello> <supportedCipherSuites> <CipherSuite>TLS_RSA_WITH_AES_128_CBC_SHA</CipherSuite> </supportedCipherSuites> </ClientHello> <ServerHello/> <Certificate/> <ServerHelloDone/> <RSAClientKeyExchange/> <ChangeCipherSpec/> <Heartbeat> <Finished/> <payloadLength> <ChangeCipherSpec/> <integerAddModification> <Finished/> 20000 <Heartbeat/> </integerAddModification> </protocolMessages> </payloadLength> </Heartbeat> 30 Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 30

  28. Overview 1. TLS Protocol 2. Attacks 3. Framework Prerequisites 4. TLS-Attacker Design 5. Fuzzing 6. Results 7. Conclusions Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 32 32

  29. Vulnerability detection • How do we detect invalid server behavior? 1. Different TLS alerts – Useful by padding oracle attacks 2. Address Sanitizer (ASan) – Detects memory errors at runtime – Available in recent compilers, e.g. GCC • Vulnerability found -> protocol stored in XML Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 33 33

  30. Two-stage concept • Currently only server evaluation 1. Crypto – Padding oracles, Bleichenbacher attack, invalid curve attacks, POODLE … 2. Fuzzing for boundary violations – 3 phases Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 34 34

  31. Fuzzing for boundary violations ClientHelloMessage 1. Variable filtering cipherSuites – Not all variables suitable cipherSuiteLength clientRandom extensions extensionLength …. 2. Fuzzing with filtered variables – Random modifications (add, delete, xor) – Boundary values (-128, -1, 0, 32768, …) 3. Fuzzing with modified protocol flows Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 35 35

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me Motivation Introduction of fuzzing and afl fuzzer Necessary changes to the core and configuration Testing setup Example SIP messages and

1.03k views • 35 slides
Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is fuzzing/fuzz testing? Why AFL? How does it work with GNAT Pro/Ada? Premise: Fuzz Testing Definition: Stable Software Software that is highly

649 views • 16 slides
Security Testing fuzzing protocol fuzzing m odel-based testing autom ated reverse engineering

Security Testing fuzzing protocol fuzzing m odel-based testing autom ated reverse engineering

Security Testing fuzzing protocol fuzzing m odel-based testing autom ated reverse engineering autom ated reverse engineering Erik Poll Erik Poll Radboud University Nijmegen Testing Ingredients T ti I di t Two things are needed to test

865 views • 53 slides
Systematic Analysis of testing-related Systematic Analysis of testing-related publications

Systematic Analysis of testing-related Systematic Analysis of testing-related publications

Systematic Analysis of testing-related Systematic Analysis of testing-related publications concerning reprocucibility publications concerning reprocucibility and comparability and comparability Bachelor's Thesis Defense by Artur Solomonik

920 views • 59 slides
Fuzzing and how to evaluate it Michael Hicks The University of Maryland UM Joint work with

Fuzzing and how to evaluate it Michael Hicks The University of Maryland UM Joint work with

Fuzzing and how to evaluate it Michael Hicks The University of Maryland UM Joint work with George Klees, Andrew Ruef, Benji Cooper, Shiyi Wei What is fuzzing? A kind of random testing Goal : make sure certain bad things dont happen,

1.25k views • 69 slides
Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared

Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared

Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared DeMott Dr. Richard Enbody @msu.edu Dr. William Punch Black Hat 2007 www.vdalabs.com VDA Labs, LLC Agenda Goals and previous works (1)

683 views • 54 slides
What is fuzzing? A kind of random testing Goal : make sure certain bad things dont

What is fuzzing? A kind of random testing Goal : make sure certain bad things dont

What is fuzzing? A kind of random testing Goal : make sure certain bad things dont happen, no matter what ! Crashes, thrown exceptions, non-termination ! All of these things can be the foundation of security vulnerabilities

1.57k views • 14 slides
Specification-Based Testing 1 Stuart Anderson Stuart Anderson Specification-Based Testing 1

Specification-Based Testing 1 Stuart Anderson Stuart Anderson Specification-Based Testing 1

Specification-Based Testing 1 Stuart Anderson Stuart Anderson Specification-Based Testing 1 2011 c 1 Overview Basic terminology A view of faults through failure Systematic versus randomised testing A systematic approach to

492 views • 32 slides
Testing and Fuzzing Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security *

Testing and Fuzzing Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security *

Testing and Fuzzing Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some slides adapted from those by Trent Jaeger Our Goal Develop techniques to detect vulnerabilities automatically before they are exploited

1.17k views • 61 slides
CS412 Software Security Program Testing Fuzzing Mathias Payer EPFL, Spring 2019 Mathias

CS412 Software Security Program Testing Fuzzing Mathias Payer EPFL, Spring 2019 Mathias

CS412 Software Security Program Testing Fuzzing Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Why testing? Testing is the process of executing a program to find errors. An error is a deviation between observed

657 views • 39 slides
Detecting Concurrency Errors of Erlang Programs Using Systematic Testing Kostis Sagonas

Detecting Concurrency Errors of Erlang Programs Using Systematic Testing Kostis Sagonas

Detecting Concurrency Errors of Erlang Programs Using Systematic Testing Kostis Sagonas kostis@it.uu.se Outline Erlang Concurrency errors and their sources Systematic Concurrency Testing Concuerror &amp; Demo Techniques to

646 views • 20 slides
Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY fuzzing! Who

825 views • 50 slides
2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

From Blackbox Fuzzing to Whitebox Fuzzing towards Verification 2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid Microsoft Research ISSTA2010 Page 1 July 2010 Acknowledgments Joint work with:

633 views • 38 slides
Learning objectives Understand rationale and basic approach for systematic combinatorial

Learning objectives Understand rationale and basic approach for systematic combinatorial

Learning objectives Understand rationale and basic approach for systematic combinatorial testing Learn how to apply some representative Combinatorial testing combinatorial approaches Category-partition testing Pairwise

558 views • 14 slides
Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico Politecnico di Milano October 25, 2018 1 Index Coverage-guided fuzzing An overview of rev.ng Experimental results 2 Fuzzing 3 Fuzzing 1 Generate

1.36k views • 72 slides
Fuzzing the Solidity Compiler Bhargava Shastry @ibags Ethereum Foundation bshastry Fuzzcon

Fuzzing the Solidity Compiler Bhargava Shastry @ibags Ethereum Foundation bshastry Fuzzcon

Fuzzing the Solidity Compiler Bhargava Shastry @ibags Ethereum Foundation bshastry Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler 2 whoami Security engineer, Solidity team Semantic testing of Solidity compiler Find

441 views • 28 slides
What is REASONABLE? Discussing the Accommodation Process within the College Environment By:

What is REASONABLE? Discussing the Accommodation Process within the College Environment By:

9/2/2017 What is REASONABLE? Discussing the Accommodation Process within the College Environment By: Tessa DiPerri &amp; Crystal Tenan 1 About Us Tessa DiPerri Tessa DiPerri, is a higher educational professional with experience in

223 views • 11 slides
Representing Knowledge Using Rules Procedural Versus Declarative Knowledge Logic

Representing Knowledge Using Rules Procedural Versus Declarative Knowledge Logic

Representing Knowledge Using Rules Procedural Versus Declarative Knowledge Logic Programming Forward versus Backward Reasoning Matching Control Knowledge Chapter 6

518 views • 10 slides
Top 10 Vulnerabilities in past 5 years. #10 - DROWN Vulnerability in downgrading to SSLv2

Top 10 Vulnerabilities in past 5 years. #10 - DROWN Vulnerability in downgrading to SSLv2

Top 10 Vulnerabilities in past 5 years. #10 - DROWN Vulnerability in downgrading to SSLv2 Can break encryption of TLS in ~8 hours Requires MITM March 2016 #9 - POODLE Vulnerability in downgrading to SSLv3 Decipher cipher

419 views • 20 slides
TLS/SSL TLS (Transport Layer Security) A suite of protocols to provide secure communication

TLS/SSL TLS (Transport Layer Security) A suite of protocols to provide secure communication

TLS/SSL TLS (Transport Layer Security) A suite of protocols to provide secure communication Confidentiality by applying block &amp; stream ciphers - Integrity with MACs - Authenticity with certificates - Predecessor: SSL (secure

557 views • 13 slides
MacSeisApp: An Early Earthquake Warning System Shayan Mehrazarin October 28, 2015 California

MacSeisApp: An Early Earthquake Warning System Shayan Mehrazarin October 28, 2015 California

MacSeisApp: An Early Earthquake Warning System Shayan Mehrazarin October 28, 2015 California State University, Dominguez Hills Outline Introduction Background on Apples Sudden Motion Sensor (SMS) Background on Apples

436 views • 22 slides
BetterCrypto - three years in.. TROOPERS16, Heidelberg, DE | 2016-03-17 Aaron Zauner | @a_z_e_t |

BetterCrypto - three years in.. TROOPERS16, Heidelberg, DE | 2016-03-17 Aaron Zauner | @a_z_e_t |

BetterCrypto - three years in.. TROOPERS16, Heidelberg, DE | 2016-03-17 Aaron Zauner | @a_z_e_t | azet@azet.org TROOPERS16, Heidelberg, DE | 2016-03-17 BetterCrypto - three years in.. Timeline We start at the beginning. The year is 2013. June:

610 views • 48 slides
Outline SSL/TLS DNSSEC CSci 5271 Introduction to Computer Security Announcements intermission

Outline SSL/TLS DNSSEC CSci 5271 Introduction to Computer Security Announcements intermission

Outline SSL/TLS DNSSEC CSci 5271 Introduction to Computer Security Announcements intermission Day 19: Web security, part 1 The web from a security perspective Stephen McCamant University of Minnesota, Computer Science &amp; Engineering SQL

492 views • 9 slides
CS615 - Aspects of System Administration HTTPS, Monitoring Department of Computer Science

CS615 - Aspects of System Administration HTTPS, Monitoring Department of Computer Science

CS615 - Aspects of System Administration Slide 1 CS615 - Aspects of System Administration HTTPS, Monitoring Department of Computer Science Stevens Institute of Technology Jan Schaumann jschauma@stevens.edu

821 views • 70 slides

More recommend