Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations
University of Texas at Austin / University of California at Davis
Internet security = SSL/TLS

SSL/TLS security objectives
• End-to-end security even if the network is insecure
  – Authentication = certificate validation!!
  – Confidentiality
  – Integrity
Certificate validation in SSL/TLS implementations
How to check if implementations are correct?

    /* The "implementation" nobody wants: every certificate is valid. */
    bool is_cert_valid(cert_t *cert) {
        return true;
    }
How do people test SSL/TLS implementations?
Current state of the art

  Implementation | Test certificate count
  NSS            | 54
  GnuTLS         | 51
  OpenSSL        | 44
  PolarSSL       | 18
  CyaSSL         | 9
  MatrixSSL      | 9

Most of these are just well-formed certificates!

• Test input generation
  – Fuzzing: huge input space; a fuzzed string won't even parse as an X.509 cert
  – Symbolic analysis: does not scale to the complexity and depth of certificate validation code; false positives
Testing certificate validation code
Interpreting test results

  test certificate -> SSL/TLS implementation -> accept / reject

How do you know that the result is correct?

Testing SSL/TLS cert validation code
• Test certificate generation
• Test result interpretation
We tackle both of these problems in this work
How to generate test certificates? X.509 standards… ugh!

How to generate test certificates?
• Requirements
  – Must generate "semantically bad" certificates
  – Should be syntactically correct, otherwise they won't exercise most of the cert validation code
  – Must scale to millions of certs
• Idea
  – X.509 certs contain structured data; can we exploit that?
X.509 certificate structure
• Multi-layered structured data
• Syntactic constraints for each piece
  – Ex: Version must be an integer
• Semantic constraints for an individual piece or across multiple pieces
  – Ex: Version must be 0, 1, or 2 (i.e. v1, v2, or v3)
  – Ex: if version != 2 (not v3), extensions must be NULL

  Fields: Version | Serial Number | Signature Algorithm Identifier | Issuer Name | Validity Period | Subject Name | Public Key Information | Issuer Unique ID | Subject Unique ID | Extensions
How to generate test certificates?
Create X.509 certs using randomly picked syntactically valid pieces.
Likely to violate some semantic constraints, i.e. will generate "bad" test certs, just as we wanted.

Wait, but how can we generate a large set of such syntactically valid pieces without reading the X.509 specs?

Scan the internet for certificates: collect 243,246 X.509 server certificates
Extract syntactically valid pieces
  – version from cert 1
  – keyUsage extension from cert 3
  – keyUsage extension from cert 2
  – extendedKeyUsage extension from cert 4
Generate 8 million frankencerts from random combinations of certificate pieces
Interpret frankencert test results
• Differential testing of SSL/TLS implementations
• Multiple implementations of SSL/TLS should implement the same certificate validation logic
• If a certificate is accepted by some and rejected by others, what does this mean? Which one is rotten?
• No false positives, though some instances might be different interpretations of X.509
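Added example, not the paper's frankencert tool (which works on real DER certificates; see the link in the conclusions): a Python script that replays the whole pipeline on a toy model. A small constructed corpus of parsed certificate fields stands in for the 243,246 scanned certificates, pieces are harvested per field and recombined at random (with the occasional mutation the backup slides mention), and three hypothetical validators are run differentially; disagreements are then bucketed by root cause. The `Cert` model, the seed corpus, the check functions, the fixed "current time" and the implementation names are all assumptions made for the illustration.

```python
import random
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed, deliberately simplified stand-in for a parsed X.509 certificate:
# only the fields the toy validators look at. `version` uses the ASN.1 encoding
# (0 = v1, 1 = v2, 2 = v3); validity times are plain integers.
@dataclass(frozen=True)
class Cert:
    version: int
    not_before: int
    not_after: int
    basic_constraints: Optional[Tuple[bool, Optional[int]]]  # (cA, pathLen) or absent
    key_usage: Optional[Tuple[str, ...]]                     # KeyUsage bits or absent
    ext_key_usage: Optional[Tuple[str, ...]]                 # EKU purposes or absent

    def has_extensions(self) -> bool:
        return any(x is not None for x in
                   (self.basic_constraints, self.key_usage, self.ext_key_usage))

PIECE_NAMES = ("version", "not_before", "not_after",
               "basic_constraints", "key_usage", "ext_key_usage")

# Constructed seed corpus standing in for the scanned server certificates.
SEED_CORPUS = [
    Cert(2, 100, 200, (False, None), ("digitalSignature", "keyEncipherment"), ("serverAuth",)),
    Cert(2, 50, 500, (True, 0), ("keyCertSign", "cRLSign"), None),
    Cert(0, 100, 300, None, None, None),
    Cert(2, 150, 250, (True, None), ("digitalSignature",), ("clientAuth", "codeSigning")),
    Cert(2, 120, 220, None, ("keyAgreement",), ("serverAuth", "clientAuth")),
]
NOW = 160  # constructed "current time" for the validity check


def extract_pieces(corpus: List[Cert]) -> Dict[str, list]:
    """Harvest a pool of syntactically valid values for every field from real certs."""
    return {name: [getattr(c, name) for c in corpus] for name in PIECE_NAMES}


def frankencert(pieces: Dict[str, list], rng: random.Random, mutate: bool = True) -> Cert:
    """Recombine one randomly chosen piece per field; optionally mutate a piece or two."""
    fields = {name: rng.choice(values) for name, values in pieces.items()}
    if mutate and rng.random() < 0.3:
        fields["version"] = rng.choice([1, 3, 255])  # rare or out-of-range version
    if mutate and rng.random() < 0.3:
        fields["not_after"] = fields["not_before"] - rng.randint(0, 50)  # ends before it starts
    return Cert(**fields)


# Semantic checks: None when satisfied, else a short reason string.
TLS_SERVER_KU = {"digitalSignature", "keyEncipherment", "keyAgreement"}

def check_version(c: Cert) -> Optional[str]:
    if c.version not in (0, 1, 2):
        return "unknown version"
    if c.version != 2 and c.has_extensions():
        return "extensions in non-v3 cert"
    return None

def check_validity(c: Cert) -> Optional[str]:
    return None if c.not_before <= NOW <= c.not_after else "outside validity period"

def check_key_usage(c: Cert) -> Optional[str]:
    if c.key_usage is not None and not TLS_SERVER_KU.intersection(c.key_usage):
        return "keyUsage forbids TLS server use"
    return None

def check_ext_key_usage(c: Cert) -> Optional[str]:
    if c.ext_key_usage is not None and "serverAuth" not in c.ext_key_usage:
        return "extKeyUsage lacks serverAuth"
    return None

CHECKS = {"version": check_version, "validity": check_validity,
          "keyUsage": check_key_usage, "extKeyUsage": check_ext_key_usage}


def make_validator(skip: Tuple[str, ...] = ()):
    """Build a toy 'implementation' that runs every check except the ones it forgot."""
    def validate(c: Cert) -> Optional[str]:
        for name, check in CHECKS.items():
            if name in skip:
                continue
            reason = check(c)
            if reason is not None:
                return reason
        return None  # accepted
    return validate

# Three hypothetical implementations; only "strict" applies every check.
IMPLS = {
    "strict": make_validator(),
    "no_eku": make_validator(skip=("extKeyUsage",)),      # accepts certs not valid for server auth
    "no_version": make_validator(skip=("version",)),      # accepts v1 certs carrying extensions
}


def differential_test(n: int, seed: int = 1):
    """Generate n frankencerts, run every implementation, keep the disagreements and
    bucket them by root cause: strict's reason plus the set of implementations that accepted."""
    rng = random.Random(seed)
    pieces = extract_pieces(SEED_CORPUS)
    discrepancies, root_causes = [], Counter()
    for _ in range(n):
        cert = frankencert(pieces, rng)
        verdicts = {name: impl(cert) for name, impl in IMPLS.items()}
        accepted = {name for name, reason in verdicts.items() if reason is None}
        if accepted and accepted != set(IMPLS):  # some accept, some reject
            discrepancies.append((cert, verdicts))
            root_causes[(verdicts["strict"], tuple(sorted(accepted)))] += 1
    return discrepancies, root_causes


if __name__ == "__main__":
    found, causes = differential_test(2000, seed=7)
    print(f"{len(found)} discrepancies, {len(causes)} root causes")
    for (reason, accepted_by), count in causes.most_common():
        print(f"  {count:4d}  strict: {reason!r}; accepted by {accepted_by}")
```

Because "strict" runs a superset of the other implementations' checks, every discrepancy is one where strict rejects and a lenient implementation accepts, and the bucket key names the skipped check directly; with real libraries the bucketing is manual, but the shape of the result (a few hundred discrepancies collapsing to a handful of root causes) is the same.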
Test results summary
• Tested 14 different SSL/TLS implementations
• 208 discrepancies due to 15 root causes
• Multiple bugs
  – Accepting fake and unauthorized intermediate Certificate Authorities (CAs)
  – Accepting certificates not authorized for use in SSL or not valid for server authentication
  – Several other issues
An attacker can impersonate any website!
Some test results
Exhibits

Version 1 CA certificates
If an SSL/TLS implementation encounters a version 1 (v1) CA certificate that cannot be validated out of band, it must reject it.
(RFC 5280, Section 6.1.4(k))

v1 CA certs do not support the CA bit: anybody with a valid v1 certificate can pretend to be a CA

Exhibit 1: GnuTLS

    /* Disable V1 CA flag to prevent version 1 certificates in a supplied chain. */
    flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
    ret = _gnutls_verify_certificate2(flags, ..);

    int _gnutls_verify_certificate2(flags, ..)
    {
        if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
            ((flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT) || issuer_version != 1)) {
            /* check the CA bit */
        }
    }

The caller clears GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, but the callee tests a different flag, GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT. With neither flag set, the condition is false for a v1 issuer, so the CA-bit check is skipped entirely and any v1 certificate can sign the next link in the chain.
Exhibit 2: Google Chrome
[Screenshot: Chrome certificate warning, "OK to click through?"]
[Screenshot: the same certificate, issued by an untrusted CA]

Exhibit 2: underlying cause
• Chrome uses a modified version of NSS for SSL certificate validation
• If a certificate is issued by an untrusted CA and is expired, the validation code only returns the expired error, so the user sees a click-through expiry warning instead of the untrusted-issuer error
• Firefox uses a glue layer called Personal Security Manager (PSM) over NSS and thus is not affected
Check the paper for more such goodies!!

Conclusions
• Differential testing with frankencerts is an effective technique for finding flaws in SSL/TLS implementations
• Start integrating frankencerts with the test harness of your SSL/TLS implementation. The code is available at: https://github.com/sumanj/frankencert

Backup slides
Frankencert features
• Frankencerts are random, yet syntactically correct X.509 certificates with…
  – Unusual extensions
  – Rare and malformed values for these extensions
  – Strange key usage constraints
  – Rare combinations of extensions
  – …and many other unusual features
• Mutate a few pieces randomly
Exhibit 2: MatrixSSL

    /* Certificate authority constraint only available in version 3 certs */
    if ((ic->version > 1) && (ic->extensions.bc.ca <= 0)) {
        psTraceCrypto("no CA permissions\n");
        sc->authStatus = PS_CERT_AUTH_FAIL_BC;
        return PS_CERT_AUTH_FAIL_BC;
    }

Here `version` holds the raw ASN.1 value (0 = v1, 2 = v3), so the "no CA permissions" rejection only fires for v3 issuers. A v1 or v2 issuer certificate, which cannot carry basicConstraints at all, falls through and is accepted as a CA.
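Added example, not code from GnuTLS or MatrixSSL: a Python transcription of the two CA-bit checks quoted in Exhibit 1 (GnuTLS) and this exhibit (MatrixSSL), placed next to the RFC 5280 6.1.4(k) rule and an assumed corrected version of each, all run against constructed issuer certificates. Note the two libraries number versions differently, as the exhibits themselves show: GnuTLS counts from 1 (so `issuer_version != 1` means "not v1"), while the MatrixSSL field holds the raw ASN.1 value (so `version > 1` means v3). The flag bit values, the `Issuer` model and the "fixed" variants are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed model of the issuer-certificate fields the two exhibits test.
# `version` is the raw ASN.1 value (0 = v1, 1 = v2, 2 = v3). `ca` is
# basicConstraints.cA, or None when the extension is absent, which is always
# the case for v1/v2 certificates since they cannot carry extensions.
@dataclass(frozen=True)
class Issuer:
    version: int
    ca: Optional[bool]
    trust_anchor: bool = False  # "validated out of band" in RFC 5280 terms

# Constructed bit values standing in for the real GnuTLS constants.
GNUTLS_VERIFY_DISABLE_CA_SIGN = 1 << 0
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT = 1 << 1
GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 1 << 2


def rfc5280_6_1_4_k(issuer: Issuer) -> bool:
    """Reference rule: a v1/v2 issuer is acceptable only if trusted out of band;
    a v3 issuer must assert cA in basicConstraints."""
    if issuer.version < 2:
        return issuer.trust_anchor
    return issuer.ca is True


def gnutls_buggy(issuer: Issuer, flags: int) -> bool:
    """Transcription of Exhibit 1 (GnuTLS numbers versions from 1, hence +1).
    The caller cleared ALLOW_...; the callee tests DO_NOT_ALLOW_..., so with
    neither flag set a v1 issuer bypasses the CA-bit check entirely."""
    issuer_version = issuer.version + 1
    check_ca_bit = (not (flags & GNUTLS_VERIFY_DISABLE_CA_SIGN)) and (
        bool(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT) or issuer_version != 1)
    if check_ca_bit:
        return issuer.ca is True
    return True  # no check performed: anything passes as an issuer


def gnutls_fixed(issuer: Issuer, flags: int) -> bool:
    """Assumed fix: refuse v1 issuers unless explicitly allowed by the caller
    or trusted out of band; otherwise require the CA bit."""
    issuer_version = issuer.version + 1
    if issuer_version == 1 and not (flags & GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT):
        return issuer.trust_anchor
    if flags & GNUTLS_VERIFY_DISABLE_CA_SIGN:
        return True  # caller opted out of CA checks altogether
    return issuer_version == 1 or issuer.ca is True


def matrixssl_buggy(issuer: Issuer) -> bool:
    """Transcription of the MatrixSSL exhibit: the cA check runs only for v3 issuers."""
    if issuer.version > 1 and not issuer.ca:
        return False  # PS_CERT_AUTH_FAIL_BC, "no CA permissions"
    return True


def matrixssl_fixed(issuer: Issuer) -> bool:
    """Assumed fix: a v1/v2 issuer can only be a configured trust anchor."""
    if issuer.version <= 1:
        return issuer.trust_anchor
    return issuer.ca is True


# Constructed issuers. "v1 end-entity" is the attack: a plain v1 server
# certificate presented as the issuer of a forged leaf.
ISSUERS = {
    "v3 CA": Issuer(2, True),
    "v1 end-entity": Issuer(0, None),
    "v3 end-entity": Issuer(2, False),
    "v1 trust anchor": Issuer(0, None, trust_anchor=True),
}


def compare(flags: int = 0) -> Dict[str, Dict[str, bool]]:
    """Differential view: which implementation accepts which issuer as a CA."""
    impls: Dict[str, Callable[[Issuer], bool]] = {
        "rfc5280": rfc5280_6_1_4_k,
        "gnutls_buggy": lambda i: gnutls_buggy(i, flags),
        "gnutls_fixed": lambda i: gnutls_fixed(i, flags),
        "matrixssl_buggy": matrixssl_buggy,
        "matrixssl_fixed": matrixssl_fixed,
    }
    return {name: {impl: fn(issuer) for impl, fn in impls.items()}
            for name, issuer in ISSUERS.items()}


if __name__ == "__main__":
    # Mirror the caller in Exhibit 1: it clears ALLOW_... and believes v1 CAs are now refused.
    flags = GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT & ~GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT
    for name, verdicts in compare(flags).items():
        row = "  ".join(f"{k}={'accept' if v else 'reject'}" for k, v in verdicts.items())
        print(f"{name:16s} {row}")
```

The table the script prints is the kind of discrepancy the frankencert harness surfaces: every implementation agrees on the v3 rows, and only the v1 end-entity row separates the two buggy checks from the reference rule.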