Systematic Fuzzing and Testing of TLS Libraries, Juraj Somorovsky (PowerPoint PPT Presentation)



SLIDE 1

Juraj Somorovsky. Systematic Fuzzing and Testing of TLS Libraries

Systematic Fuzzing and Testing of TLS Libraries

Juraj Somorovsky


SLIDE 2

Transport Layer Security

  • The most important crypto protocol
  • HTTP, SMTP, IMAP …


SLIDE 3

TLS History

Timeline figure, 1995 to 2015:
  • Secure Sockets Layer (SSL): SSLv2, SSLv3
  • Transport Layer Security: TLS 1.1, TLS 1.2, TLS 1.3
  • Attacks: Wagner, Schneier: Analysis of SSLv3; Bleichenbacher's attack; Padding oracle attack; BEAST, CRIME, BREACH, Lucky 13

SLIDE 4

Questions

  • How can we test these attacks?
  • Can we find such attacks automatically?


SLIDE 5

Approach [SP2-17]

  • 1. Collect TLS libraries
  • 2. [figure]
  • 3. Profit



SLIDE 7

Contributions

  • Flexible TLS framework
  • Fuzzing, testing, writing attacks …
  • High impact vulnerability in OpenSSL
  • Additional vulnerabilities in Botan, MatrixSSL…
  • https://github.com/RUB-NDS/TLS-Attacker


SLIDE 8

Overview

  • 1. TLS Protocol
  • 2. Attacks
  • 3. Framework Prerequisites
  • 4. TLS-Attacker Design
  • 5. Fuzzing
  • 6. Results
  • 7. Conclusions

SLIDE 9

TLS RSA Handshake

Handshake figure:
  Client -> Server: ClientHello
  Server -> Client: ServerHello, Certificate, ServerHelloDone
  Client -> Server: ClientKeyExchange, ChangeCipherSpec, (Client-) Finished
  Server -> Client: ChangeCipherSpec, (Server-) Finished
  Both directions: Application data

SLIDE 10

TLS is complex …

  • Different versions
  • Crypto primitives: RSA, EC, AES, 3DES, RC4, Chacha, Poly1305, New Hope
  • Extensions
  • Protocol flows


SLIDE 11

TLS is complex …

Handshake figure with the optional messages added: ClientHello; ServerHello, Certificate, ServerKeyExchange, ServerHelloDone; Certificate, ClientKeyExchange, CertificateVerify, ChangeCipherSpec, (Client-) Finished; ChangeCipherSpec, (Server-) Finished; Heartbeat messages; Application data in both directions.

SLIDE 12

Overview

  • 1. TLS Protocol
  • 2. Attacks
  • 3. Framework Prerequisites
  • 4. TLS-Attacker Design
  • 5. Fuzzing
  • 6. Results
  • 7. Conclusions

SLIDE 13

TLS History

Timeline figure (as on slide 3), 1995 to 2015:
  • Secure Sockets Layer (SSL): SSLv2, SSLv3
  • Transport Layer Security: TLS 1.1, TLS 1.2, TLS 1.3
  • Attacks: Wagner, Schneier: Analysis of SSLv3; Bleichenbacher's attack; Padding oracle attack; BEAST, CRIME, BREACH, Lucky 13

SLIDE 14

Early CCS

Handshake figure (Early CCS): ClientHello; ServerHello, Certificate, ServerHelloDone; ChangeCipherSpec sent before the ClientKeyExchange, then (Client-) Finished; ChangeCipherSpec, (Server-) Finished.

Server computes the master key based on a zero value

SLIDE 15

Early CCS

  • Man-in-the-Middle attacks
  • Further state machine attacks in 2015:
    – Beurdouche et al.: FREAK
    – de Ruiter and Poll


SLIDE 16

Heartbleed

Figure (client and Server):
  [TLS Handshake]
  Client -> Server: Heartbeat, length 00 07, payload DeepSec
  Server -> Client: Heartbeat, length 00 07, payload DeepSec

SLIDE 17

Heartbleed

Figure (client and Server):
  [TLS Handshake]
  Client -> Server: Heartbeat, length 10 00, payload DeepSec
  Server -> Client: Heartbeat, length 10 00, payload DeepSec ………. … [rsa key] …. (server memory follows the 7-byte payload)

SLIDE 18

Padding oracle attacks

  • Adaptive chosen-ciphertext attacks
  • AES-CBC: Vaudenay’s attack
  • RSA-PKCS#1: Bleichenbacher’s attack

Figure: the attacker holds a ciphertext C = Enc(M) and queries the server, which computes M = Dec(C):
  C1 -> valid/invalid
  C2 -> valid/invalid
  … (repeated several times)

SLIDE 19

Overview

  • 1. TLS Protocol
  • 2. Attacks
  • 3. Framework Prerequisites
  • 4. TLS-Attacker Design
  • 5. Fuzzing
  • 6. Results
  • 7. Conclusions

SLIDE 20

Recent Attacks on TLS

  • Not only crypto attacks …
  • Attacks on TLS state machines
    – FREAK
    – Early CCS
  • Buffer overflows / overreads
    – Heartbleed
    – CVE-2016-6307 (High) -> CVE-2016-6309 (Critical)
  • Tool for flexible protocol executions needed


SLIDE 21

Framework Prerequisites

  • Flexible protocol flow definition
  • Message modifications
  • Invalid behavior detection
  • Protocol flow reproduction

Figure: handshake with a repeated ClientKeyExchange: ClientHello; ServerHello, Certificate, ServerHelloDone; ClientKeyExchange, ClientKeyExchange, ChangeCipherSpec, (Client-) Finished; ChangeCipherSpec, (Server-) Finished; Application data.

SLIDE 22

Overview

  • 1. TLS Protocol
  • 2. Attacks
  • 3. Framework Prerequisites
  • 4. TLS-Attacker Design
  • 5. Fuzzing
  • 6. Results
  • 7. Conclusions

SLIDE 23

High-Level Overview (figure)

SLIDE 24

Modifiable variables

  • Define basic data types (integer, byte, arrays) with modifications
  • Example:

    ModifiableInteger i = new ModifiableInteger();
    i.setValue(30);
    i.setModification(new AddModification(20));
    System.out.println(i.getValue()); // 50

  • Further modifications: xor, shuffle, delete, …

SLIDE 25

Protocol messages

  • ClientHello
  • Stored in a message list
  • Serializable in XML

Class figure:
    ClientHelloMessage
      cipherSuites: ModifiableByteArray
      cipherSuiteLength: ModifiableInteger
      …
      getCipherSuites()
      getCipherSuiteLength()

SLIDE 26

Defining a protocol flow

<protocolMessages>
  <ClientHello>
    <supportedCipherSuites>
      <CipherSuite>TLS_RSA_WITH_AES_128_CBC_SHA</CipherSuite>
    </supportedCipherSuites>
  </ClientHello>
  <ServerHello/>
  <Certificate/>
  <ServerHelloDone/>
  <RSAClientKeyExchange/>
  <RSAClientKeyExchange/>
  <ChangeCipherSpec/>
  <Finished/>
  <ChangeCipherSpec/>
  <Finished/>
  <Application/>
</protocolMessages>

SLIDE 27

Defining a protocol flow

<protocolMessages>
  <ClientHello>
    <supportedCipherSuites>
      <CipherSuite>TLS_RSA_WITH_AES_128_CBC_SHA</CipherSuite>
    </supportedCipherSuites>
  </ClientHello>
  <ServerHello/>
  <Certificate/>
  <ServerHelloDone/>
  <RSAClientKeyExchange/>
  <ChangeCipherSpec/>
  <Finished/>
  <ChangeCipherSpec/>
  <Finished/>
  <Heartbeat/>
</protocolMessages>

Heartbeat message with a modified payload length (callout on the slide):

<Heartbeat>
  <payloadLength>
    <integerAddModification>20000</integerAddModification>
  </payloadLength>
</Heartbeat>

SLIDE 28

Overview

  • 1. TLS Protocol
  • 2. Attacks
  • 3. Framework Prerequisites
  • 4. TLS-Attacker Design
  • 5. Fuzzing
  • 6. Results
  • 7. Conclusions

SLIDE 29

Vulnerability detection

  • How do we detect invalid server behavior?
  • 1. Different TLS alerts
    – Useful for padding oracle attacks
  • 2. Address Sanitizer (ASan)
    – Detects memory errors at runtime
    – Available in recent compilers, e.g. GCC
  • Vulnerability found -> protocol stored in XML


SLIDE 30

Two-stage concept

  • Currently only server evaluation
  • 1. Crypto

– Padding oracles, Bleichenbacher attack, invalid curve attacks, POODLE …

  • 2. Fuzzing for boundary violations

– 3 phases


SLIDE 31

Fuzzing for boundary violations

  • 1. Variable filtering
    – Not all variables suitable
  • 2. Fuzzing with filtered variables
    – Random modifications (add, delete, xor)
    – Boundary values (-128, -1, 0, 32768, …)
  • 3. Fuzzing with modified protocol flows

Class figure:
    ClientHelloMessage
      cipherSuites
      cipherSuiteLength
      clientRandom
      extensions
      extensionLength
      ….
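A Python model of the modifiable-variable design from slide 24 and of the phase-2 boundary-value fuzzing from slide 31, added here as an example; it is not TLS-Attacker's own code, and the names ModifiableInteger, add_modification, fuzz_candidates and encode_cipher_suites are assumptions that only mirror the talk's naming.

```python
import random
from typing import Callable, List, Optional

# Added example, not TLS-Attacker's own code. The original value is kept and the
# modification is applied only when the value is read, so one field can be
# fuzzed while the rest of the message is built normally.
class ModifiableInteger:
    def __init__(self) -> None:
        self.original: Optional[int] = None
        self.modification: Optional[Callable[[int], int]] = None

    def set_value(self, value: int) -> None:
        self.original = value

    def set_modification(self, mod: Callable[[int], int]) -> None:
        self.modification = mod

    def get_value(self) -> int:
        if self.original is None:
            raise ValueError("value not set")
        if self.modification is None:
            return self.original
        return self.modification(self.original)

def add_modification(delta: int) -> Callable[[int], int]:
    return lambda v: v + delta

def xor_modification(mask: int) -> Callable[[int], int]:
    return lambda v: v ^ mask

def explicit_modification(value: int) -> Callable[[int], int]:
    return lambda v: value

# Boundary values from slide 31, extended with the usual 1- and 2-byte limits.
BOUNDARY_VALUES = [-128, -1, 0, 127, 128, 255, 256, 32767, 32768, 65535, 65536]

def fuzz_candidates(seed: int = 0) -> List[Callable[[int], int]]:
    """Phase 2 of the talk: random add/xor modifications plus boundary values."""
    rng = random.Random(seed)
    mods = [add_modification(rng.randint(-64, 64)), xor_modification(rng.getrandbits(8))]
    return mods + [explicit_modification(b) for b in BOUNDARY_VALUES]

def encode_cipher_suites(suites: List[bytes], length: ModifiableInteger) -> bytes:
    """ClientHello cipher_suites vector: 2-byte length (fuzzable), then the body.
    The length is computed from the real body but read through its modification,
    so the wire value may disagree with the body on purpose."""
    body = b"".join(suites)
    length.set_value(len(body))
    declared = length.get_value() & 0xFFFF   # a 2-byte field wraps on the wire
    return declared.to_bytes(2, "big") + body
```

Each candidate from fuzz_candidates is installed on one filtered variable at a time (here the cipher suite length), and the resulting message is sent to the server under test.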

SLIDE 32

Overview

  • 1. TLS Protocol
  • 2. Attacks
  • 3. Framework Prerequisites
  • 4. TLS-Attacker Design
  • 5. Fuzzing
  • 6. Results
  • 7. Conclusions

SLIDE 33

Results

  • Padding oracle attack
    – OpenSSL (CVE-2016-2107)
    – Botan 1.11.21 (CVE-2015-7824)
    – MatrixSSL 3.8.2
  • Bleichenbacher attack
    – MatrixSSL 3.8.2
  • Missing length checks
    – GnuTLS 3.4.9
    – OpenSSL 1.0.1
  • Out-of-bound reads / writes
    – OpenSSL-1.1.0-pre1 (stack overflow)
    – Botan 1.11.28 (Out-of-bound read)


SLIDE 34

Padding oracle attack

  • Applicable to AES-CBC
  • Challenge: not to reveal padding validity
  • 1. Same error message
  • 2. Constant time padding and HMAC validation

Figure: ciphertext C is sent to the Server, which answers Valid / Invalid (Decryption failed).

SLIDE 35

AES-CBC in TLS

  • MAC-Pad-Encrypt
  • Example:
    – Two blocks
    – Message: Hello
    – MAC size: 20 bytes (SHA-1)
    – Padding size: 32 - 5 - 20 = 7

Record layout figure (two 16-byte blocks):
    H e l l o | mac (20 bytes) | 06 06 06 06 06 06 06 (pad)

SLIDE 36

AES-CBC in TLS

  • Challenge: not to reveal padding validity
  • Always:
    – Padding validation
    – MAC validation
  • Same error message and timing

Record layout figure (as on slide 35):
    H e l l o | mac (20 bytes) | 06 06 06 06 06 06 06 (pad)

SLIDE 37

Constant Time Validation

Figure: two rows, "Decrypted data" and "Mask data", each laid out as
    H e l l o | mac | 06 06 06 06 06 06 06
with the pad and mac regions marked.

SLIDE 38

Constant Time Validation

Figure: the same "Decrypted data" and "Mask data" rows as on slide 37, with a span of 16 marked.

SLIDE 39

OpenSSL Vulnerability

Figure: "Decrypted data" and "Mask data" rows; the decrypted data shown consists of 1F bytes only:

1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F

SLIDE 40

OpenSSL Vulnerability (CVE-2016-2107)

  • Introduced by patching Lucky 13
  • Only when using AES-NI
  • Leads to a different server response

Figure: for a manipulated ciphertext C the server answers with either RECORD OVERFLOW or BAD RECORD MAC.

Can this be even worse?

http://web-in-security.blogspot.co.at/2016/05/curious-padding-oracle-in-openssl-cve.html
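The MAC-Pad-Encrypt layout from slides 35 and 36 and the single-verdict validation that slides 37 to 40 argue for, written out as an added Python example (not the talk's code and not OpenSSL's). It assumes HMAC-SHA1 with a constructed key and the 16-byte AES block, and leaves out the encryption step so the padding and MAC checks can be exercised directly; the length check it includes is the one whose absence in OpenSSL's AES-NI path let a RECORD OVERFLOW be distinguished from a BAD RECORD MAC.

```python
import hashlib
import hmac

# Added example, not from the talk or from OpenSSL; the key is constructed.
MAC_KEY = b"constructed-demo-key"
MAC_LEN = 20      # HMAC-SHA1, as in the slides' example
BLOCK = 16        # AES block size

def mac_then_pad(message: bytes) -> bytes:
    """MAC-Pad-Encrypt without the encrypt step: message || HMAC || padding."""
    tag = hmac.new(MAC_KEY, message, hashlib.sha1).digest()
    pad_len = BLOCK - (len(message) + MAC_LEN) % BLOCK   # total pad bytes, 1..16
    return message + tag + bytes([pad_len - 1]) * pad_len  # TLS: every byte = len-1

def validate(record: bytes) -> bool:
    """Check padding and MAC with no early exit and return one verdict, so a bad
    pad and a bad MAC are indistinguishable. Python only models the logic; it
    gives no real constant-time guarantee."""
    n = len(record)
    if n < MAC_LEN + 1:
        # Ciphertext length is public, so rejecting here leaks nothing secret.
        raise ValueError("record too short for MAC and padding")
    pad_len = record[-1] + 1
    # The check OpenSSL's AES-NI path lacked (CVE-2016-2107): the declared
    # padding must leave room for a full MAC. If it does not, that is simply
    # invalid padding, not a separate "record overflow" condition.
    pad_ok = n >= pad_len + MAC_LEN
    eff_pad = pad_len if pad_ok else 1       # keeps every index below in bounds
    # Mask-based padding check (the slides' "mask data"): every byte of the
    # record is visited, but only positions inside the padding contribute.
    diff = 0
    for i in range(1, n + 1):
        in_pad = 1 if i <= eff_pad else 0
        diff |= in_pad & (record[-i] ^ (pad_len - 1))
    pad_ok = pad_ok and diff == 0
    # The MAC is always verified, over the split implied by eff_pad.
    msg_end = n - eff_pad - MAC_LEN
    message, tag = record[:msg_end], record[msg_end:msg_end + MAC_LEN]
    expected = hmac.new(MAC_KEY, message, hashlib.sha1).digest()
    mac_ok = hmac.compare_digest(expected, tag)
    return pad_ok and mac_ok                  # one combined verdict, one alert
```

A record whose last byte declares more padding than the record can hold (the all-1F case on slide 39) is rejected by the same path and with the same result as a wrong MAC, which is what removes the oracle.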

SLIDE 41

Yes

  • MatrixSSL 3.8.2
  • Timing attack -> buffer overflow


SLIDE 42

Overview

  • 1. TLS Protocol
  • 2. Attacks
  • 3. Framework Prerequisites
  • 4. TLS-Attacker Design
  • 5. Fuzzing
  • 6. Results
  • 7. Conclusions

SLIDE 43

Conclusions and future work

  • Maintaining a crypto library is hard
  • New code / patches can introduce new flaws
  • Systematic fuzzing and evaluation needed
  • TLS-Attacker
    – For researchers, pentesters
    – For developers
  • Development / fuzzing improvements needed
    – TLS client-side tests
    – Better fuzzing strategies
