Page 1
Verified Secure Implementations for the HTTPS Ecosystem
miTLS & Everest*
*the Everest VERified End-to-end Secure Transport
Page 2
HTTPS Ecosystem
Services & Applications
Clients: cURL, WebKit, Skype, Edge
Servers: IIS, Apache, Nginx
Page 3
Layer figure of the HTTPS ecosystem; components shown:
Services & Applications: clients (cURL, WebKit, Skype, Edge) and servers (IIS, Apache, Nginx)
Certification Authority
HTTPS
TLS
X.509, ASN.1
Crypto Algorithms: RSA, SHA, ECDH, 4Q
Network buffers
Untrusted network (TCP, UDP, …)
Page 4
Flaws found across TLS implementations, their APIs and the standards:
• Buffer overflows
• Incorrect state machines
• Lax certificate parsing
• Weak or poorly implemented crypto
• Side channels
• Informal security goals
• Dangerous APIs
• Flawed standards
OpenSSL, SChannel, NSS, … still patched every month!
(Same layer figure as page 3.)
Page 5
Threat model / Security goal
Client application:
    connect(server,port);
    send “GET…”;
    data = recv();
    send “POST…”;
    …
Server application:
    accept(port);
    request = recv();
    send “<html>…”;
    order = recv();
    …
authentication infrastructure
Page 6
Client ↔ Server (figure)
Page 7
Client ↔ Server (figure; some of them broken)
Page 8
Goals:
1. Internet Standard compliance & interoperability
2. Verified security
3. Experimental platform
Caveats:
• Excluding core crypto algorithms
• Not fully automated (paper proofs too)
• Not production code (poor performance)
Page 9
miTLS v0.9, released in Nov '15: using F# & F7 (stable), including testing tools
In progress: a version using F*, with early support for TLS 1.3
Page 10
• Application security (API, configuration): (1) data streams
• Cryptographic schemes & assumptions: (2) main theorem
• Protocol design: (3) state-machine attacks
• Implementation safety
• Information control (leakage, privacy)
• Verification tools (F#, F7, F*, Z3, Lean)
Page 11
```fstar
// F* definition of Application Data
// Abstract outside this module: data indexed by i can be passed around but not inspected or forged.
abstract type data (i:id) = bytes
// Ghost (proof-only) view of the underlying bytes, erased at runtime.
let ghost #(i:id) (d:data i): GTot bytes = d
// A fragment is application data whose length lies within the range rg.
type fragment (i:id) (rg:range) = d:data i {within (ghost d) rg}
// Conversions to and from concrete bytes exist only for unsafe indexes (¬safe i):
// when safe i holds, no code can read or build a fragment, which is what makes the ideal stream secure by typing.
val repr: i:id{¬safe i} → rg:range → d:fragment i rg → Tot (b:bytes {b = ghost d})
val make: i:id{¬safe i} → rg:range → b:bytes{within b rg} → Tot (d:fragment i rg {b = ghost d})
```
Page 12
Stream (i:id): state shared between a reader and a writer
Connection (i:id, the connection info: how we got here): TLS.write on the writer side, TLS.read on the reader side
Writer's stream: Data i #0, Data i #1, Data i #2, Data i #3, Warning i, Error i
Reader's stream: data, data, data, data, data, warning, close
Connection and PeerConnection are linked by duplex streams, each with a writer on one end and a reader on the other, when "safe i"
Page 13
Concrete TLS and ideal TLS are computationally indistinguishable
Concrete stack: the application (any program, representing the adversary) uses the application data stream through the miTLS typed API; the miTLS implementation sits on Bytes and Network (lib.fs) and on a Cryptographic Provider, under cryptographic assumptions. Safe, except for a negligible probability.
Ideal stack: the same application and miTLS typed API over the miTLS ideal implementation. Safe by typing (info-theoretically).
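The pattern on pages 11 to 13 (fragments that are abstract when the index is safe, a stream whose reader and writer share state, and a concrete implementation that is swapped for an ideal one in the proof) can be seen end to end in a small simulation. The block below is an added example, not miTLS code: the class Index, the toy encrypt-then-MAC built from SHA-256 and HMAC, and the helper names are all assumptions made for illustration, and the toy cipher is not a record-layer design to reuse. What it shows is the shape of the argument: the concrete stream relies on the MAC to reject forgeries, replays and reordering, while the ideal stream rejects them by construction because the reader can only return what the writer logged at that sequence number.

```python
"""Added example, not miTLS code: a toy concrete-vs-ideal record stream
illustrating pages 11-13.

Index stands in for the slides' index i (a key, and whether 'safe i' holds).
The concrete stream protects fragments with a toy, stdlib-only encrypt-then-MAC
(not a real TLS record layer); the ideal stream, defined only when the index is
safe, sends random bytes and carries plaintexts through a log shared between
writer and reader, keyed by sequence number, so forgery, replay and reordering
are rejected by construction rather than by a cryptographic argument.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TAG_LEN = 32


@dataclass(frozen=True)
class Index:
    key: bytes   # constructed stand-in for the connection's record key
    safe: bool   # 'safe i': the key is honestly generated and unknown to the adversary


def _keystream(key: bytes, seqn: int, n: int) -> bytes:
    """Toy counter-mode keystream SHA-256(key || seqn || block); illustrative only."""
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + seqn.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]


def _tag(key: bytes, seqn: int, ct: bytes) -> bytes:
    """MAC over the sequence number and ciphertext, so a record is bound to its position."""
    return hmac.new(key, seqn.to_bytes(8, "big") + ct, hashlib.sha256).digest()


class ConcreteStream:
    """Real (toy) cryptography: safe except with negligible probability."""

    def __init__(self, i: Index) -> None:
        self.i, self.wseq, self.rseq = i, 0, 0

    def write(self, plain: bytes) -> bytes:
        ct = bytes(a ^ b for a, b in zip(plain, _keystream(self.i.key, self.wseq, len(plain))))
        rec = ct + _tag(self.i.key, self.wseq, ct)
        self.wseq += 1
        return rec

    def read(self, rec: bytes) -> Optional[bytes]:
        ct, tag = rec[:-TAG_LEN], rec[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(self.i.key, self.rseq, ct)):
            return None  # forged, replayed or reordered record
        plain = bytes(a ^ b for a, b in zip(ct, _keystream(self.i.key, self.rseq, len(ct))))
        self.rseq += 1
        return plain


class IdealStream:
    """Ideal functionality: ciphertexts are random; plaintexts travel through a shared log."""

    def __init__(self, i: Index) -> None:
        assert i.safe, "the ideal stream is only defined when 'safe i' holds"
        self.log: Dict[Tuple[int, bytes], bytes] = {}  # (sequence number, record) -> fragment
        self.wseq, self.rseq = 0, 0

    def write(self, plain: bytes) -> bytes:
        rec = os.urandom(len(plain) + TAG_LEN)  # concrete record length, independent of plain
        self.log[(self.wseq, rec)] = plain
        self.wseq += 1
        return rec

    def read(self, rec: bytes) -> Optional[bytes]:
        plain = self.log.get((self.rseq, rec))  # only what the writer logged at this position
        if plain is not None:
            self.rseq += 1
        return plain


def stream(i: Index):
    """The switch the main theorem is about: ideal when 'safe i', concrete otherwise."""
    return IdealStream(i) if i.safe else ConcreteStream(i)


def deliver(i: Index, fragments: List[bytes], order: List[int], tamper: bool = False) -> List[Optional[bytes]]:
    """Write the fragments, then hand records to the reader in an attacker-chosen order,
    optionally flipping one bit; returns what the reader accepts at each step."""
    w, r = stream(i), stream(i)
    if i.safe:
        r.log = w.log  # the state shared between reader and writer (page 12)
    recs = [w.write(f) for f in fragments]
    out: List[Optional[bytes]] = []
    for k in order:
        rec = recs[k]
        if tamper:
            rec = bytes([rec[0] ^ 1]) + rec[1:]
        out.append(r.read(rec))
    return out


if __name__ == "__main__":
    for safe in (False, True):
        i = Index(key=os.urandom(32), safe=safe)
        print("safe" if safe else "unsafe", deliver(i, [b"GET /", b"POST /order"], [0, 1]),
              deliver(i, [b"a", b"b"], [1, 0]), deliver(i, [b"a"], [0], tamper=True))
```

Running it shows the two stacks behaving identically on honest delivery, reordering, replay and tampering, which is the observable side of the indistinguishability claim; the difference is only in why each outcome holds, a MAC check in the concrete case and a table lookup that cannot succeed for anything the writer did not log in the ideal case.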
Page 14
7,000 lines of F# verified against 3,000 lines of F7 type annotations
The security statement is precise but complex, roughly the size of the TLS API and cryptographic assumptions
(Same concrete/ideal figure as page 13.)
Page 15
miTLS's clean, modular implementation supports rapid prototyping against other implementations
• One line of F# script for each TLS message, with good cryptographic defaults
• Simple setup for "man-in-the-middle" attacks and concurrent connections
• Built-in library of recent vulnerabilities
• Fuzzing on the TLS state machine
Focus on ease of use (but still for experts)
Page 16
https://www.secure-resumption.com/: a flaw in the standard, now patched in TLS
Page 17
Deviant traces: new attacks against all mainstream implementations
Test results for OpenSSL (figure): each colored arrow is a bug
Page 18
Deviant traces: many, many exploitable bugs; new attacks against all mainstream implementations
An attack against the Java TLS library (figure), open for 10 years
Page 19
Man-in-the-middle attack against:
• servers that support RSA_EXPORT (512-bit keys, obsoleted in 2000): from 40% to 8.5%
• clients that accept ServerKeyExchange in RSA (state-machine bug): almost all browsers have been patched
Factoring a 512-bit key: 7-10h
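The deviant-trace testing of pages 15 and 17 to 19 comes down to one question per trace: does a client complete a handshake whose message sequence the negotiated key exchange does not allow? The block below is an added example, not the miTLS testing tool: the two client state machines, the message tables and the mutation strategy are constructed for illustration, and the traces are lists of handshake message names rather than captured packets. The lenient machine has the one bug page 19 names, accepting a ServerKeyExchange in an RSA handshake, and the mutator generates the deviations (dropped, inserted and swapped messages) that the colored arrows on page 17 stand for; the last function replays the page-19 situation, a server's RSA_EXPORT flight reaching a client that believes it negotiated RSA.

```python
"""Added example, not miTLS's testing tool: deviant-trace testing of a TLS 1.2
client handshake state machine, illustrating pages 15 and 17-19.

Two constructed client state machines process the server's handshake flight:
a strict one that accepts only the next message the negotiated key exchange
allows, and a lenient one with the state-machine bug named on page 19, which
takes a ServerKeyExchange it was not waiting for. Traces are constructed lists
of handshake message names, not captured packets.
"""
from typing import Dict, List, Tuple

# Server flight of a TLS 1.2 handshake as seen by the client (no client
# authentication, no resumption).  RSA_EXPORT carries the ephemeral 512-bit
# RSA key in a ServerKeyExchange; a plain RSA handshake has no such message.
SERVER_FLIGHT: Dict[str, List[str]] = {
    "RSA": ["ServerHello", "Certificate", "ServerHelloDone"],
    "RSA_EXPORT": ["ServerHello", "Certificate", "ServerKeyExchange", "ServerHelloDone"],
    "DHE_RSA": ["ServerHello", "Certificate", "ServerKeyExchange", "ServerHelloDone"],
}
# Messages the mutator may insert into a trace.
MESSAGES = ["ServerHello", "Certificate", "ServerKeyExchange", "ServerHelloDone", "Finished"]


def run_client(kex: str, trace: List[str], lenient: bool) -> Tuple[bool, str]:
    """Feed a server flight to the client; kex is what the client believes it negotiated.

    Strict: each message must be exactly the next one in SERVER_FLIGHT[kex].
    Lenient (the bug): while waiting for ServerHelloDone, an unexpected
    ServerKeyExchange is accepted, and its key would be used instead of the
    certificate's, without the client noticing the handshake changed shape.
    """
    expected = SERVER_FLIGHT[kex]
    pos = 0
    for msg in trace:
        if pos < len(expected) and msg == expected[pos]:
            pos += 1
        elif lenient and msg == "ServerKeyExchange" and pos < len(expected) and expected[pos] == "ServerHelloDone":
            continue  # bug: accepted although not part of this handshake
        else:
            return False, f"unexpected {msg} at position {pos} in a {kex} handshake"
    if pos != len(expected):
        return False, f"handshake incomplete: still expecting {expected[pos]}"
    return True, "server flight accepted"


def deviant_traces(kex: str) -> List[List[str]]:
    """Mutate the valid flight: drop a message, insert one, or swap two neighbours (no duplicates)."""
    base = SERVER_FLIGHT[kex]
    candidates = []
    for k in range(len(base)):
        candidates.append(base[:k] + base[k + 1:])
    for k in range(len(base) + 1):
        for m in MESSAGES:
            candidates.append(base[:k] + [m] + base[k:])
    for k in range(len(base) - 1):
        candidates.append(base[:k] + [base[k + 1], base[k]] + base[k + 2:])
    out: List[List[str]] = []
    for t in candidates:
        if t != base and t not in out:
            out.append(t)
    return out


def find_bugs(kex: str) -> List[List[str]]:
    """Deviant traces the lenient client completes but the strict one rejects: each is an arrow on page 17."""
    return [t for t in deviant_traces(kex)
            if run_client(kex, t, lenient=True)[0] and not run_client(kex, t, lenient=False)[0]]


def export_flight_seen_as_rsa(lenient: bool) -> bool:
    """The page-19 case: the server answers with its RSA_EXPORT flight while the client believes it negotiated RSA."""
    return run_client("RSA", SERVER_FLIGHT["RSA_EXPORT"], lenient)[0]


if __name__ == "__main__":
    for kex in SERVER_FLIGHT:
        print(kex, find_bugs(kex))
    print("lenient client accepts export flight in RSA:", export_flight_seen_as_rsa(lenient=True))
    print("strict client accepts export flight in RSA:", export_flight_seen_as_rsa(lenient=False))
```

For the RSA key exchange the only deviant trace the lenient client completes is the one with a ServerKeyExchange inserted before ServerHelloDone, which is exactly the RSA_EXPORT flight; the strict client rejects it with a position-specific reason, which is the property a tester wants from a state machine under deviant-trace testing: every message not allowed at the current state is refused, not merely tolerated.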
Pages 20-21 (figures only)
Page 22
We found & fixed flaws in legacy implementations of TLS… probably many others are still in there. Can we be more constructive?
Page 23
Much discussion: IETF, Google, Mozilla, Microsoft, CDNs, cryptographers, network engineers, …
Many improvements:
• Modern design
• Fewer roundtrips
• Stronger security
New implementations required for all:
• Be first & verified too!
• Find & fix flaws before it's too late
Page 24
IETF TLS WG at IETF 95 (April '16)
• 13th draft discussed
• Finalized in 6 months?
Page 25
Everest (2016—2021): Verified Drop-In Replacements for the HTTPS ecosystem
(Figure: the components Everest targets: HTTPS, TLS, X.509, ASN.1, Crypto Algorithms (RSA, SHA, ECDH, 4Q), Network buffers)
Page 26
(Same layer figure of the HTTPS ecosystem as page 3.)
Page 27
Team, across Redmond, Cambridge, Paris and Bangalore: Chris Hawblitzel, Cédric Fournet, Antoine Delignat-Lavaud, Nick Benton, Karthik Bhargavan, Rustan Leino, Bryan Parno, Manos Kapritsos, Jay Lorch, Markulf Kohlweiss, Samin Ishtiaq, Srinath Setty, Michael Roberts, Jean Karim Zinzindohoue, Santiago Zanella-Beguelin, Nik Swamy, Jonathan Protzenko, Aseem Rastogi, Leonardo de Moura, Catalin Hritcu, Nadim Kobeissi, Barry Bond
Page 28
Demo: tracing https://www.visualstudio.com/
• Trust is transitive
• Trust is implicit
• Trust is a matter of state
(Figure: the Everest components, as on page 25.)
Page 29
https://letsencrypt.org/
(Figure: the Everest components, as on page 25.)
Page 30
(Figure: the Everest components, as on page 25.)