Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations
University of Texas at Austin
University of California at Davis

Internet security = SSL/TLS

SSL/TLS security objectives
• End-to-end security even if the network is insecure
  – Authentication = certificate validation!!
  – Confidentiality
  – Integrity

Certificate validation in SSL/TLS implementations

How to check if implementations are correct?

    bool is_cert_valid(cert_t *cert) {
        return true;
    }

How do people test SSL/TLS implementations?

Current state of the art

| Implementation | Test certificate count |
|---|---|
| NSS | 54 |
| GnuTLS | 51 |
| OpenSSL | 44 |
| PolarSSL | 18 |
| CyaSSL | 9 |
| MatrixSSL | 9 |

Most of these are just well-formed certificates!

Testing certificate validation code
• Test input generation
  – Fuzzing - huge input space, a fuzzed string won't even parse as an X.509 cert
  – Symbolic analysis - does not scale to the complexity and depth of certificate validation code, false positives

Interpreting test results
test certificate → SSL/TLS implementation → accept/reject
How do you know that the result is correct?

Testing SSL/TLS cert validation code
• Test certificate generation
• Test result interpretation
We tackle both of these problems in this work

How to generate test certificates?
X.509 standards… ugh!

How to generate test certificates?
• Requirements
  – Must generate "semantically bad" certificates
  – Should be syntactically correct, otherwise won't exercise most of the cert validation code
  – Must scale to millions of certs
• Idea
  – X.509 certs contain structured data, can we exploit that?

X.509 certificate structure
• Multilayered structured data
• Syntactic constraints for each piece
  – Ex: Version must be an integer
• Semantic constraints for individual piece or across multiple pieces
  – Ex: Version must be 0, 1, or 2
  – Ex: if version != 2, extensions must be NULL

Certificate fields:
• Version
• Serial Number
• Signature Algorithm Identifier
• Issuer Name
• Validity Period
• Subject Name
• Public Key Information
• Issuer Unique ID
• Subject Unique ID
• Extensions

How to generate test certificates?
Create X.509 certs using randomly picked syntactically valid pieces
Likely to violate some semantic constraints, i.e. will generate "bad" test certs just as we wanted
Wait, but how can we generate a large set of such syntactically valid pieces without reading X.509 specs?

Scan the internet for certificates
Collect 243,246 X.509 server certificates

Extract syntactically valid pieces
• version from cert1
• keyUsage extension from cert3
• keyUsage extension from cert2
• ExtendedkeyUsage extension from cert4

Generate 8 million frankencerts from random combinations of certificate pieces

Interpret frankencert test results
• Differential testing of SSL/TLS implementations
• Multiple implementations of SSL/TLS should implement the same certificate validation logic
• If a certificate is accepted by some and rejected by others, what does this mean?

Which one is rotten?
No false positives though some instances might be different interpretations of X.509

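A reduced model of the generate-then-compare pipeline from the preceding slides, added here as an illustration and not taken from the frankencert tool: certificates are plain dictionaries instead of DER, the seed values are constructed, and `strict_issuer_check` and `lenient_issuer_check` are hypothetical validators, the lenient one examining the CA bit only on v3 certificates.

```python
import random
# Constructed seed certificates, reduced to the fields the slides mention.
# "version" is the encoded X.509 integer: 0 = v1, 1 = v2, 2 = v3.
SEEDS = [
    {"version": 2, "ca": True, "key_usage": ("keyCertSign",), "eku": ()},
    {"version": 2, "ca": False, "key_usage": ("digitalSignature",), "eku": ("serverAuth",)},
    {"version": 0, "ca": None, "key_usage": (), "eku": ()},
    {"version": 2, "ca": None, "key_usage": ("keyEncipherment",), "eku": ("clientAuth",)},
]

def extract_pieces(seeds):
    """Pool the distinct values seen for each field across all seed certs."""
    pieces = {}
    for cert in seeds:
        for field, value in cert.items():
            if value not in pieces.setdefault(field, []):
                pieces[field].append(value)
    return pieces

def make_frankencert(pieces, rng):
    """Pick every field independently, so cross-field constraints can break."""
    return {field: rng.choice(values) for field, values in pieces.items()}

def strict_issuer_check(cert):
    """Hypothetical reference: only a v3 cert with the CA bit set may issue."""
    return cert["version"] == 2 and cert["ca"] is True

def lenient_issuer_check(cert):
    """Hypothetical flawed check: the CA bit is examined on v3 certs only."""
    return not (cert["version"] > 1 and not cert["ca"])
VALIDATORS = {"strict": strict_issuer_check, "lenient": lenient_issuer_check}

def differential(certs, validators=VALIDATORS):
    """Return (cert, verdicts) for every cert the validators disagree on."""
    found = []
    for cert in certs:
        verdicts = {name: check(cert) for name, check in validators.items()}
        if len(set(verdicts.values())) > 1:
            found.append((cert, verdicts))
    return found

def run(n=500, seed=1):
    rng = random.Random(seed)
    pieces = extract_pieces(SEEDS)
    return differential(make_frankencert(pieces, rng) for _ in range(n))

if __name__ == "__main__":
    for cert, verdicts in run()[:3]:
        print(verdicts, cert)
```

Every discrepancy it reports is a certificate whose version is below v3, which is the only case where the two checks can diverge; no oracle for the "correct" verdict is needed to surface it.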
Test results summary
• Tested 14 different SSL/TLS implementations
• 208 discrepancies due to 15 root causes
• Multiple bugs
  – Accepting fake and unauthorized intermediate Certificate Authorities (CAs)
  – Accepting certificates not authorized for use in SSL or not valid for server authentication
  – Several other issues
attacker can impersonate any website!

Some test results

Exhibits
Version 1 CA certificates
If an SSL/TLS implementation encounters a version 1 (v1) CA certificate that cannot be validated out of band, it must reject it
RFC 5280 Section 6.1.4(k)
v1 CA certs do not support the CA bit: anybody with a valid v1 certificate can pretend to be a CA

Exhibit 1: GnuTLS

    /* Disable V1 CA flag to prevent version 1 certificates in a supplied chain. */
    flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
    ret = _gnutls_verify_certificate2(flags, ..))

    int _gnutls_verify_certificate2(flags, ..) {
        if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
            ((flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT) || issuer_version != 1)) {
            /* check the CA bit */
        }
    }

Exhibit 2: Google Chrome
OK to click through?

Exhibit 2: Google Chrome
untrusted CA

Exhibit 2: underlying cause
• Chrome uses a modified version of NSS for SSL certificate validation
• If a certificate is issued by an untrusted CA and is expired, the validation code only returns the expired error
• Firefox uses a glue layer called Personal Security Manager (PSM) over NSS and thus is not affected

Check the paper for more such goodies!!

Conclusions
• Differential testing with frankencerts is an effective technique for finding flaws in SSL/TLS implementations
• Start integrating frankencerts with the test harness of your SSL/TLS implementation. The code is available at: https://github.com/sumanj/frankencert

Backup Slides

Frankencert features
• Frankencerts are random, yet syntactically correct X.509 certificates with…
  – Unusual extensions
  – Rare and malformed values for these extensions
  – Strange key usage constraints
  – Rare combination of extensions
  – ...and many other unusual features

Mutate a few pieces randomly

Exhibit 2: MatrixSSL

    /* Certificate authority constraint only available in version 3 certs */
    if ((ic->version > 1) && (ic->extensions.bc.ca <= 0)) {
        psTraceCrypto("no CA permissions\n");
        sc->authStatus = PS_CERT_AUTH_FAIL_BC;
        return PS_CERT_AUTH_FAIL_BC;
    }