Upload File

using frankencerts for automated adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3...

  • Home
  • Documents
  • Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million
32
Using Frankencerts for Automated Adversarial Tes7ng of Cer7ficate Valida7on in SSL/TLS Implementa7ons University of Texas at Aus7n University of California at Davis

Upload: others

Post on 06-Jul-2020

2 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

UsingFrankencertsforAutomatedAdversarialTes7ngofCer7ficate

Valida7oninSSL/TLSImplementa7ons

UniversityofTexasatAus7nUniversityofCaliforniaatDavis

Page 2: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

Internetsecurity=SSL/TLS

Page 3: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

SSL/TLSsecurityobjec7ves

•  End-to-endsecurityevenifthenetworkisinsecure– Authen7ca7on=cer&ficatevalida&on!!– Confiden7ality–  Integrity

Page 4: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

Cer7ficatevalida7oninSSL/TLSimplementa7ons

Page 5: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

Howtocheckifimplementa7onsarecorrect?

bool is_cert_valid (cert_t *cert) {

return true; }

HowdopeopletestSSL/TLSimplementa7ons?

Page 6: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

Currentstateoftheart

Implementa&on Testcer&ficatecount

NSS 54GnuTLS 51OpenSSL 44PolarSSL 18CyaSSL 9

MatrixSSL 9Mostofthesearejustwell-formedcer7ficates!

Page 7: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

•  Testinputgenera7on– Fuzzing-hugeinputspace,afuzzedstringwon'tevenparseasanX.509cert

– Symbolicanalysis-doesnotscaletothecomplexityanddepthofcer7ficatevalida7oncode,falseposi7ves

Tes7ngcer7ficatevalida7oncode

Page 8: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

Interpre7ngtestresults

testcer7ficate

SSL/TLSimplementa7on

accept/reject

Howdoyouknowthattheresultiscorrect?

Page 9: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

Tes7ngSSL/TLScertvalida7oncode

Testcer7ficategenera7on

Testresultinterpreta7on

Wetacklebothoftheseproblemsin

thiswork

Page 10: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

Howtogeneratetestcer7ficates?X.509standards…ugh!

Page 11: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

Howtogeneratetestcer7ficates?

•  Requirements– Mustgenerate“seman7callybad”cer7ficates– Shouldbesyntac7callycorrect,otherwisewon’texercisemostofthecertvalida7oncode

– Mustscaletomillionsofcerts

•  Idea– X.509certscontainstructureddata,canweexploitthat?

Page 12: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

X.509cer7ficatestructure

•  Mul7layeredstructureddata•  Syntac7cconstraintsforeachpiece–  Ex:Versionmustbeaninteger

•  Seman7cconstraintsforindividualpieceoracrossmul7plepieces–  Ex:Versionmustbe0,1,or2–  Ex:ifversion!=2,extensionsmustbeNULL

VersionSerialNumber

SignatureAlgorithmIden7fier

IssuerNameValidityPeriodSubjectNamePublicKeyInforma7on

IssuerUniqueIDSubjectUniqueID

Extensions

Page 13: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

Howtogeneratetestcer7ficates?

CreateX.509certsusingrandomlypickedsyntac7callyvalidpieces

Likelytoviolatesomeseman7cconstraintsi.e.willgenerate“bad”

testcertsjustaswewanted

Wait,buthowcanwegeneratealargesetofsuchsyntac7callyvalidpieceswithout

readingX.509specs?

Page 14: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

Scantheinternetforcer7ficatesCollect243,246X.509servercer7ficates

Page 15: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

Extractsyntac7callyvalidpieces

versionfromcert1

keyUsageextensionfromcert3

keyUsageextensionfromcert2

ExtendedkeyUsageextensionfromcert4

Page 16: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

Generate8millionfrankencertsfromrandomcombina7onsofcer7ficatepieces

Page 17: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

Interpretfrankencerttestresults

•  Differen7altes7ngofSSL/TLSimplementa7ons

•  Mul7pleimplementa7onsofSSL/TLSshouldimplementthesamecer7ficatevalida7onlogic

•  Ifacer7ficateisacceptedbysomeandrejectedbyothers,whatdoesthismean?

Page 18: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

Whichoneisrojen?

Nofalseposi7vesthoughsomeinstancesmightbedifferentinterpreta7onsofX.509

Page 19: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

Testresultssummary

•  Tested14differentSSL/TLSimplementa7ons•  208discrepanciesdueto15rootcauses•  Mul7plebugs– Accep7ngfakeandunauthorizedintermediateCer7ficateAuthori7es(CAs)

– Accep7ngcer7ficatesnotauthorizedforuseinSSLornotvalidforserverauthen7ca7on

– Severalotherissues

ajackercanimpersonateanywebsite!

Page 20: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

Sometestresults

Page 21: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

Exhibits

Page 22: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

Version1CAcer7ficates

IfanSSL/TLSimplementa0onencountersaversion1(v1)CAcer0ficatethatcannotbevalidatedoutofband,itmustrejectit

RFC5280Sec7on6.1.4(k)

v1CAcertsdonotsupporttheCAbit:anybodywithavalidv1cer7ficatecan

pretendtobeaCA

Page 23: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

Exhibit1:GnuTLS/*DisableV1CAflagtopreventversion1cer7ficatesinasuppliedchain.*/flags&=˜(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);ret=_gnutls_verify_cer7ficate2(flags,..))int_gnutls_verify_cer7ficate2(flags,..){if(!(flags&GNUTLS_VERIFY_DISABLE_CA_SIGN)&&((flags&GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT)||issuer_version!=1)){/*checktheCAbit*/}}

Page 24: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

Exhibit2:GoogleChrome

OKtoclickthrough?

Page 25: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

Exhibit2:GoogleChrome

untrustedCA

Page 26: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

Exhibit2:underlyingcause

•  ChromeusesamodifiedversionofNSSforSSLcer7ficatevalida7on

•  Ifacer7ficateisissuedbyauntrustedCAandisexpired,thevalida7oncodeonlyreturnstheexpirederror

•  FirefoxusesagluelayercalledPersonalSecurityManager(PSM)overNSSandthusisnotaffected

Page 27: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

Checkthepaperformoresuchgoodies!!

Page 28: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

Conclusions

•  Differen7altes7ngwithfrankencertsisaneffec7vetechniqueforfindingflawsinSSL/TLSimplementa7ons

•  Startintegra7ngfrankencertswiththetestharnessofyourSSL/TLSimplementa7on.Thecodeisavailableat:hjps://github.com/sumanj/frankencert

Page 29: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

BackupSlides

Page 30: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

Frankencertfeatures

•  Frankencertsarerandom,yetsyntac7callycorrectX.509cer7ficateswith…– Unusualextensions– Rareandmalformedvaluesfortheseextensions

– Strangekeyusageconstraints– Rarecombina7onofextensions–  ...andmanyotherunusualfeatures

Page 31: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

Mutateafewpiecesrandomly

Page 32: Using Frankencerts for Automated Adversarial …suman/secure_sw_devel/frankencerts.pdffrom cert3 keyUsage extension from cert2 ExtendedkeyUsage extension from cert4 Generate 8 million

Exhibit2:MatrixSSL

/*Cer7ficateauthorityconstraintonlyavailableinversion3certs*/if((ic->version>1)&&(ic->extensions.bc.ca<=0)){psTraceCrypto(“noCApermissions\n");sc->authStatus=PS_CERT_AUTH_FAIL_BC;returnPS_CERT_AUTH_FAIL_BC;}


Secure Software Development: Theory and Practicesuman/secure_sw_devel/intro.pdf• Static analysis – Inspect code or run automated method to find errors or gain confidence about

official Cert3

Fuzzing - Columbia Universitysuman/secure_sw_devel/fuzzing.pdf · Blackbox fuzzing • Given a program simply feed random inputs and see whether it exhibits incorrect behavior (e.g.,

HCL APPRECIATION CERT3

EMC - bespump.hubespump.hu/wp-content/uploads/2018/06/tuv-cert4.pdf · EMC Page 4 / 33 Test report No.: 28220293 001 Measurement ref. No.: 28220293 001 Standard applied: EN 61000-6-3:2007+A1:2011

2015 Intro to 3d Module \ Cert4 IDM

Real World Bugs - Columbia Universitysuman/secure_sw_devel/Real_World_Bugs.pdf · Real World Bugs Suman Jana *Some slides are borrowed from Baishakhi Ray

Reference monitors - Columbia Universitysuman/secure_sw_devel/ref_monitor.pdf · 2017. 9. 11. · “correct ” – Respect ... – Its value is changed only by inserted code, atomically,

Biodiesel Emissions Database - US EPA · graboski_00-cert2 base graboski_00 46 0 graboski_00-cert3 base graboski_00 46 0 graboski_00-cert4 base graboski_00 46 0 graboski_00-lffa graboski_00-cert2

CERT4 - Ceod · Title: CERT4 Created Date: 1/30/2017 9:56:21 AM

Control Flow Analysis - Columbia Universitysuman/secure_sw_devel/p1... · 2017. 9. 11. · Frances E. Allen IBM CORPORATION INTRODUCTION Any static, global analysis of the expression

Test Report issued under the responsibility ofbespump.hu/wp-content/uploads/2018/06/tuv-cert3.pdf · Page 9 of 113 Report No.: 28220948 001 IEC 60335-2-40 Clause Requirement + Test

SKM C45819020711420kkkft.hu/sertific/cert3.pdf · GMO free Certificate number: 0201/58646 SGS Austria Controll-Co. GesmbH performs annual certification audits at the company mentioned

Solder Connection · 2018. 1. 19. · RWK-OP-CERT4 Serial No. RR-S 5450 9 This certificate is your official notification ofmeeting all the neces a y Specialist (CIS) in the industry

Control Flow Analysis - Columbia Universitysuman/secure_sw_devel/p1-allen.pdfSIGPLAN Notices 1970 July Control Flow Analysis Frances E. Allen IBM CORPORATION INTRODUCTION Any static,

co O o o o o O s O O o o o o s x O o o s O o s ocopier-expert.ru/cert/cert4-kyocera.pdf · Created Date: 6/14/2016 9:48:51 AM

151368 - Duquesne University of the Holy Spirit - Cert4 G… · 1/13/2007  · GCERT2000 fp 1 Metropolitan Life Insurance Company 200 Park Avenue, New York, New York 10166 CERTIFICATE

Web Application Security - Columbia Universitysuman/secure_sw_devel/web_app_sec.pdf · 2017. 9. 11. · Goals of web security Safely browse the web n Users should be able to visit

120488 - Atlanta Public Schools - Cert3 Dental High … › cms › lib › GA01000924...2001/01/10  · YOUR BENEFIT PLAN Atlanta Public Schools All Active Full-Time Employees Dental

ESP Seed Certification On-Line User Guide · [Cert2, Cert7 and Cert7Summ] 44 13 Submitting applications that do not require payment [Cert3Summ, Cert4 and Cert10] 48 14 Viewing, editing

YOUR BENEFIT PLAN American Airlines, Inc. Non …c.hub.aa.com/careers/29920G Cert3 STD Legacy US Airways.pdf · YOUR BENEFIT PLAN American Airlines, Inc. Non-Contract Employees:

150560 - State of Georgia - 150560-1-G - Cert3 %28Life ADD ...doas.ga.gov › assets › Human Resources Administration... · 127,&(6 *&(57 &rpelqhg 1rwlfhv )25 ,1',$1$ 5(6,'(176