Protocol state fuzzing of TLS implementations

Joeri De Ruiter; Erik Poll

Protocol state fuzzing of TLS implementations

Joeri De Ruiter, Erik Poll

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

97 Citations (Scopus)

181 Downloads (Pure)

Abstract

We describe a largely automated and systematic analysis of TLS implementations by what we call ‘protocol state fuzzing’: we use state machine learning to infer state machines from protocol implementations, using only blackbox testing, and then inspect the inferred state machines to look for spurious behaviour which might be an indication of flaws in the program logic. For detecting the presence of spurious behaviour the approach is almost fully automatic: we automatically obtain state machines and any spurious behaviour is then trivial to see. Detecting whether the spurious behaviour introduces exploitable security weaknesses does require manual investigation. Still, we take the point of view that any spurious functionality in a security protocol implementation is dangerous and should be removed.

We analysed both server- and client-side implementations with a test harness that supports several key exchange algorithms and the option of client certificate authentication. We show that this approach can catch an interesting class of implementation flaws that is apparently common in security protocol implementations: in three of the TLS implementations analysed new security flaws were found (in GnuTLS, the Java Secure Socket Extension, and OpenSSL). This shows that protocol state fuzzing is a useful technique to systematically analyse security protocol implementations. As our analysis of different TLS implementations resulted in different and unique state machines for each one, the technique can also be used for fingerprinting TLS implementations.

Original language	English
Title of host publication	24th USENIX Security Symposium (USENIX Security 15)
Publisher	USENIX
Pages	193-206
Number of pages	14
ISBN (Electronic)	978-1-931971-232
Publication status	Published - 2015
Event	Usenix Security Symposium - Washington, United States Duration: 10 Aug 2015 → 14 Aug 2015

Conference

Conference	Usenix Security Symposium
Country/Territory	United States
City	Washington
Period	10/08/15 → 14/08/15

Access to Document

usenix15Accepted author manuscript, 1.63 MB

https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/de-ruiterLicence: None: All rights reserved

Cite this

@inproceedings{b3b8dec37ef14b1a813362911cea134c,

title = "Protocol state fuzzing of TLS implementations",

abstract = "We describe a largely automated and systematic analysis of TLS implementations by what we call {\textquoteleft}protocol state fuzzing{\textquoteright}: we use state machine learning to infer state machines from protocol implementations, using only blackbox testing, and then inspect the inferred state machines to look for spurious behaviour which might be an indication of flaws in the program logic. For detecting the presence of spurious behaviour the approach is almost fully automatic: we automatically obtain state machines and any spurious behaviour is then trivial to see. Detecting whether the spurious behaviour introduces exploitable security weaknesses does require manual investigation. Still, we take the point of view that any spurious functionality in a security protocol implementation is dangerous and should be removed.We analysed both server- and client-side implementations with a test harness that supports several key exchange algorithms and the option of client certificate authentication. We show that this approach can catch an interesting class of implementation flaws that is apparently common in security protocol implementations: in three of the TLS implementations analysed new security flaws were found (in GnuTLS, the Java Secure Socket Extension, and OpenSSL). This shows that protocol state fuzzing is a useful technique to systematically analyse security protocol implementations. As our analysis of different TLS implementations resulted in different and unique state machines for each one, the technique can also be used for fingerprinting TLS implementations.",

author = "{De Ruiter}, Joeri and Erik Poll",

year = "2015",

language = "English",

pages = "193--206",

booktitle = "24th USENIX Security Symposium (USENIX Security 15)",

publisher = "USENIX ",

note = "Usenix Security Symposium ; Conference date: 10-08-2015 Through 14-08-2015",

}

TY - GEN

T1 - Protocol state fuzzing of TLS implementations

AU - De Ruiter, Joeri

AU - Poll, Erik

PY - 2015

Y1 - 2015

N2 - We describe a largely automated and systematic analysis of TLS implementations by what we call ‘protocol state fuzzing’: we use state machine learning to infer state machines from protocol implementations, using only blackbox testing, and then inspect the inferred state machines to look for spurious behaviour which might be an indication of flaws in the program logic. For detecting the presence of spurious behaviour the approach is almost fully automatic: we automatically obtain state machines and any spurious behaviour is then trivial to see. Detecting whether the spurious behaviour introduces exploitable security weaknesses does require manual investigation. Still, we take the point of view that any spurious functionality in a security protocol implementation is dangerous and should be removed.We analysed both server- and client-side implementations with a test harness that supports several key exchange algorithms and the option of client certificate authentication. We show that this approach can catch an interesting class of implementation flaws that is apparently common in security protocol implementations: in three of the TLS implementations analysed new security flaws were found (in GnuTLS, the Java Secure Socket Extension, and OpenSSL). This shows that protocol state fuzzing is a useful technique to systematically analyse security protocol implementations. As our analysis of different TLS implementations resulted in different and unique state machines for each one, the technique can also be used for fingerprinting TLS implementations.

AB - We describe a largely automated and systematic analysis of TLS implementations by what we call ‘protocol state fuzzing’: we use state machine learning to infer state machines from protocol implementations, using only blackbox testing, and then inspect the inferred state machines to look for spurious behaviour which might be an indication of flaws in the program logic. For detecting the presence of spurious behaviour the approach is almost fully automatic: we automatically obtain state machines and any spurious behaviour is then trivial to see. Detecting whether the spurious behaviour introduces exploitable security weaknesses does require manual investigation. Still, we take the point of view that any spurious functionality in a security protocol implementation is dangerous and should be removed.We analysed both server- and client-side implementations with a test harness that supports several key exchange algorithms and the option of client certificate authentication. We show that this approach can catch an interesting class of implementation flaws that is apparently common in security protocol implementations: in three of the TLS implementations analysed new security flaws were found (in GnuTLS, the Java Secure Socket Extension, and OpenSSL). This shows that protocol state fuzzing is a useful technique to systematically analyse security protocol implementations. As our analysis of different TLS implementations resulted in different and unique state machines for each one, the technique can also be used for fingerprinting TLS implementations.

M3 - Conference contribution

SP - 193

EP - 206

BT - 24th USENIX Security Symposium (USENIX Security 15)

PB - USENIX

T2 - Usenix Security Symposium

Y2 - 10 August 2015 through 14 August 2015

ER -

Protocol state fuzzing of TLS implementations

Abstract

Conference

Access to Document

Fingerprint

Cite this