using frankencerts for automated adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3...

Post on 06-Jul-2020


Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations

University of Texas at Austin, University of California at Davis

Internet security = SSL/TLS

SSL/TLS security objectives

•  End-to-end security even if the network is insecure
– Authentication = certificate validation!!
– Confidentiality
– Integrity

Certificate validation in SSL/TLS implementations

How to check if implementations are correct?

bool is_cert_valid (cert_t *cert) {
    return true;
}

How do people test SSL/TLS implementations?

Current state of the art

Implementation    Test certificate count
NSS               54
GnuTLS            51
OpenSSL           44
PolarSSL          18
CyaSSL            9
MatrixSSL         9

Most of these are just well-formed certificates!

•  Test input generation
– Fuzzing - huge input space, a fuzzed string won't even parse as an X.509 cert
– Symbolic analysis - does not scale to the complexity and depth of certificate validation code, false positives

Testing certificate validation code

Interpreting test results

test certificate → SSL/TLS implementation → accept/reject

How do you know that the result is correct?

Testing SSL/TLS cert validation code

Test certificate generation

Test result interpretation

We tackle both of these problems in this work

How to generate test certificates?

X.509 standards… ugh!

How to generate test certificates?

•  Requirements
– Must generate “semantically bad” certificates
– Should be syntactically correct, otherwise won’t exercise most of the cert validation code
– Must scale to millions of certs

•  Idea
– X.509 certs contain structured data, can we exploit that?

X.509 certificate structure

•  Multilayered structured data
•  Syntactic constraints for each piece
– Ex: Version must be an integer
•  Semantic constraints for individual piece or across multiple pieces
– Ex: Version must be 0, 1, or 2
– Ex: if version != 2, extensions must be NULL

Version
Serial Number
Signature Algorithm Identifier
Issuer Name
Validity Period
Subject Name
Public Key Information
Issuer Unique ID
Subject Unique ID
Extensions

How to generate test certificates?

Create X.509 certs using randomly picked syntactically valid pieces

Likely to violate some semantic constraints, i.e. will generate “bad” test certs just as we wanted

Wait, but how can we generate a large set of such syntactically valid pieces without reading X.509 specs?

Scan the internet for certificates

Collect 243,246 X.509 server certificates

Extract syntactically valid pieces

version from cert1

keyUsage extension from cert3

keyUsage extension from cert2

ExtendedKeyUsage extension from cert4

Generate 8 million frankencerts from random combinations of certificate pieces

Interpret frankencert test results

•  Differential testing of SSL/TLS implementations

•  Multiple implementations of SSL/TLS should implement the same certificate validation logic

•  If a certificate is accepted by some and rejected by others, what does this mean?

Which one is rotten?

No false positives though some instances might be different interpretations of X.509
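
The piece-mixing and differential-testing steps described above, as an added example that is not from the slides or the frankencert project. It models certificates as small dictionaries instead of real X.509 (an assumption), and the seed values, `strict_validator` and `lenient_validator` are hypothetical, constructed for illustration.

```python
import random

# Constructed seed "certificates": each is a dict of syntactically valid pieces.
# Assumption: a real frankencert is built from parsed X.509 fields, not dicts.
# Version uses the X.509 encoding from the slides (0 = v1, 2 = v3).
SEEDS = [
    {"version": 2, "basic_constraints_ca": True,  "key_usage": "keyCertSign"},
    {"version": 2, "basic_constraints_ca": False, "key_usage": "digitalSignature"},
    {"version": 0, "basic_constraints_ca": None,  "key_usage": None},
]

def make_frankencert(rng, seeds=SEEDS):
    """Pick every field independently from a randomly chosen seed certificate."""
    return {field: rng.choice(seeds)[field] for field in seeds[0]}

def strict_validator(issuer):
    """Hypothetical validator: an issuer must be v3 with the CA bit set."""
    return issuer["version"] == 2 and issuer["basic_constraints_ca"] is True

def lenient_validator(issuer):
    """Hypothetical validator that checks the CA bit only on v3 certificates."""
    if issuer["version"] > 1 and not issuer["basic_constraints_ca"]:
        return False
    return True

VALIDATORS = {"strict": strict_validator, "lenient": lenient_validator}

def differential_test(n, seed=1):
    """Return the frankencerts on which the validators disagree, with verdicts."""
    rng = random.Random(seed)
    discrepancies = []
    for _ in range(n):
        cert = make_frankencert(rng)
        verdicts = {name: check(cert) for name, check in VALIDATORS.items()}
        if len(set(verdicts.values())) > 1:  # accepted by some, rejected by others
            discrepancies.append((cert, verdicts))
    return discrepancies

def root_causes(discrepancies):
    """Group discrepancies by (version, CA bit) so many hits reduce to few causes."""
    groups = {}
    for cert, verdicts in discrepancies:
        key = (cert["version"], cert["basic_constraints_ca"])
        groups.setdefault(key, []).append(verdicts)
    return groups

if __name__ == "__main__":
    for key, hits in sorted(root_causes(differential_test(200)).items(), key=str):
        print(key, len(hits), hits[0])
```

Every discrepancy this model produces involves a version 0 (v1) issuer, which is the class of flaw the Version 1 CA exhibits illustrate.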

Test results summary

•  Tested 14 different SSL/TLS implementations
•  208 discrepancies due to 15 root causes
•  Multiple bugs
– Accepting fake and unauthorized intermediate Certificate Authorities (CAs)
– Accepting certificates not authorized for use in SSL or not valid for server authentication
– Several other issues

Attacker can impersonate any website!

Some test results

Exhibits

Version 1 CA certificates

If an SSL/TLS implementation encounters a version 1 (v1) CA certificate that cannot be validated out of band, it must reject it

RFC 5280 Section 6.1.4(k)

v1 CA certs do not support the CA bit: anybody with a valid v1 certificate can pretend to be a CA

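Exhibit 1: GnuTLS

/* Disable V1 CA flag to prevent version 1 certificates in a supplied chain. */
flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
ret = _gnutls_verify_certificate2(flags, ..))

int _gnutls_verify_certificate2(flags, ..) {
    /* The caller clears the ALLOW flag, but this test looks at the separate
       DO_NOT_ALLOW flag: when that flag is unset and issuer_version == 1,
       the CA bit check below is skipped. */
    if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
        ((flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT) || issuer_version != 1)) {
        /* check the CA bit */
    }
}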

Exhibit 2: Google Chrome

OK to click through?

Exhibit 2: Google Chrome

untrusted CA

Exhibit 2: underlying cause

•  Chrome uses a modified version of NSS for SSL certificate validation

•  If a certificate is issued by an untrusted CA and is expired, the validation code only returns the expired error

•  Firefox uses a glue layer called Personal Security Manager (PSM) over NSS and thus is not affected

Check the paper for more such goodies!!

Conclusions

•  Differential testing with frankencerts is an effective technique for finding flaws in SSL/TLS implementations

•  Start integrating frankencerts with the test harness of your SSL/TLS implementation. The code is available at: https://github.com/sumanj/frankencert

Backup Slides

Frankencert features

•  Frankencerts are random, yet syntactically correct X.509 certificates with…
– Unusual extensions
– Rare and malformed values for these extensions
– Strange key usage constraints
– Rare combination of extensions
– ... and many other unusual features

Mutate a few pieces randomly

Exhibit 2: MatrixSSL

/* Certificate authority constraint only available in version 3 certs */
if ((ic->version > 1) && (ic->extensions.bc.ca <= 0)) {
    psTraceCrypto("no CA permissions\n");
    sc->authStatus = PS_CERT_AUTH_FAIL_BC;
    return PS_CERT_AUTH_FAIL_BC;
}
