Slide 1
Juraj Somorovsky. Systematic Fuzzing and Testing of TLS Libraries
Systematic Fuzzing and Testing of TLS Libraries
Juraj Somorovsky
Slide 2
Transport Layer Security
• The most important crypto protocol
• HTTP, SMTP, IMAP …
Slide 3
TLS History (timeline 1995 to 2015)
• Secure Sockets Layer (SSL): SSLv2, SSLv3
• Transport Layer Security (TLS 1.0), TLS 1.1, TLS 1.2, TLS 1.3
• Attacks along the way: Wagner, Schneier: Analysis of SSLv3; Bleichenbacher's attack; Padding oracle attack; BEAST, CRIME, BREACH, Lucky 13
Slide 5
Questions
• How can we test these attacks?
• Can we find such attacks automatically?
Slide 6
Approach [SP2-17]
1. Collect TLS libraries
2.
3. Profit
Slide 8
Contributions
• Flexible TLS framework
• Fuzzing, testing, writing attacks …
• High impact vulnerability in OpenSSL
• Additional vulnerabilities in Botan, MatrixSSL…
• https://github.com/RUB-NDS/TLS-Attacker
Slide 9
Overview
1. TLS Protocol
2. Attacks
3. Framework Prerequisites
4. TLS-Attacker Design
5. Fuzzing
6. Results
7. Conclusions
Slide 10
TLS RSA Handshake
Client -> Server: ClientHello
Server -> Client: ServerHello, Certificate, ServerHelloDone
Client -> Server: ClientKeyExchange, ChangeCipherSpec, (Client-) Finished
Server -> Client: ChangeCipherSpec, (Server-) Finished
Client <-> Server: Application data
Slide 11
TLS is complex …
• Different versions
• Crypto primitives: RSA, EC, AES, 3DES, RC4, ChaCha, Poly1305, New Hope
• Extensions
• Protocol flows
Slide 12
TLS is complex …
Full handshake with optional messages:
Client -> Server: ClientHello
Server -> Client: ServerHello, Certificate, ServerKeyExchange, ServerHelloDone
Client -> Server: Certificate, ClientKeyExchange, CertificateVerify, ChangeCipherSpec, (Client-) Finished
Server -> Client: ChangeCipherSpec, (Server-) Finished
Client <-> Server: Application data, Heartbeat
Slide 13
Overview, part 2: Attacks
Slide 14
TLS History (the timeline from slide 3, repeated)
Slide 15
Early CCS
Client -> Server: ClientHello
Server -> Client: ServerHello, Certificate, ServerHelloDone
ChangeCipherSpec arrives early, before the ClientKeyExchange: the server computes the master key based on a zero value
Client -> Server: ClientKeyExchange, ChangeCipherSpec, (Client-) Finished
Server -> Client: ChangeCipherSpec, (Server-) Finished
Slide 16
Early CCS
• Man-in-the-Middle attacks
• Further state machine attacks in 2015:
– Beurdouche et al.: FREAK
– de Ruiter and Poll: Protocol State Fuzzing of TLS Implementations
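A small handshake state machine that reproduces the Early CCS flaw of slides 15 and 16, added here as an example (not code from the talk, from TLS-Attacker or from OpenSSL). The vulnerable server installs its keys at the first ChangeCipherSpec from whatever pre-master secret it holds at that moment; the fixed server enforces the client message order of slide 10 and answers an early CCS with an unexpected_message alert. Assumptions: the key derivation is a SHA-256 stand-in for the TLS PRF, the randoms and the pre-master secret are constructed sample values, and only the client-to-server direction is modelled.

```python
"""Handshake-order check modelling the Early CCS flaw (CVE-2014-0224).

Added example, not code from the talk or from OpenSSL. With
enforce_order=False the server derives its master secret from whatever
pre-master secret it holds when ChangeCipherSpec arrives, which is the
empty string if CCS comes before ClientKeyExchange. derive_master_secret
is a SHA-256 stand-in for the TLS PRF (assumption: only determinism
matters here); randoms and pre-master secret are constructed values.
"""
import hashlib

CLIENT_ORDER = ["ClientHello", "ClientKeyExchange", "ChangeCipherSpec", "Finished"]
UNEXPECTED_MESSAGE = 10                  # TLS alert description for an out-of-sequence message
CLIENT_RANDOM = b"\x11" * 32             # constructed
SERVER_RANDOM = b"\x22" * 32             # constructed
PREMASTER = b"\x03\x03" + b"\x42" * 46   # constructed 48-byte RSA pre-master secret


def derive_master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # Stand-in for the TLS PRF; the point is that an empty premaster gives a
    # value anyone on the wire can compute.
    return hashlib.sha256(b"master secret" + premaster + client_random + server_random).digest()


class ServerState:
    def __init__(self, enforce_order: bool):
        self.enforce_order = enforce_order   # False reproduces the vulnerable behaviour
        self.next_index = 0                  # position in CLIENT_ORDER
        self.premaster = b""                 # empty until ClientKeyExchange is processed
        self.master_secret = None

    def process(self, message: str, body: bytes = b""):
        """Consume one client message; return None on success or a TLS alert code."""
        expected = CLIENT_ORDER[self.next_index] if self.next_index < len(CLIENT_ORDER) else None
        if self.enforce_order and message != expected:
            return UNEXPECTED_MESSAGE
        if message == "ClientKeyExchange":
            self.premaster = body            # the RSA-decrypted pre-master secret
        elif message == "ChangeCipherSpec" and self.master_secret is None:
            # Keys are installed at the first CCS from the current premaster.
            # Whether a later CCS re-derives them is implementation-specific
            # and not modelled here.
            self.master_secret = derive_master_secret(self.premaster, CLIENT_RANDOM, SERVER_RANDOM)
        if message in CLIENT_ORDER:
            self.next_index = CLIENT_ORDER.index(message) + 1
        return None


def run_flow(flow, enforce_order: bool):
    """Drive a server through [(message, body), ...] and stop at the first alert.
    Returns (alert_or_None, master_secret_or_None)."""
    server = ServerState(enforce_order)
    for message, body in flow:
        alert = server.process(message, body)
        if alert is not None:
            return alert, server.master_secret
    return None, server.master_secret


NORMAL_FLOW = [("ClientHello", b""), ("ClientKeyExchange", PREMASTER),
               ("ChangeCipherSpec", b""), ("Finished", b"")]
# The flow of slide 15: CCS arrives before ClientKeyExchange.
EARLY_CCS_FLOW = [("ClientHello", b""), ("ChangeCipherSpec", b""),
                  ("ClientKeyExchange", PREMASTER), ("ChangeCipherSpec", b""),
                  ("Finished", b"")]
```

Running EARLY_CCS_FLOW against the non-enforcing server yields a master secret equal to derive_master_secret(b"", ...), i.e. a key a man in the middle can compute without ever seeing the pre-master secret; the enforcing server stops at the second message. This is the kind of modified protocol flow the third fuzzing phase of the framework sends.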
Slide 17
Heartbleed (normal exchange)
Client -> Server: [TLS Handshake]
Client -> Server: Heartbeat request, payload length 00 07, payload "DeepSec"
Server -> Client: Heartbeat response, 00 07 "DeepSec" (the 7 payload bytes are echoed)
Slide 18
Heartbleed (attack)
Client -> Server: [TLS Handshake]
Client -> Server: Heartbeat request, payload length 10 00 (4096), payload "DeepSec"
Server -> Client: Heartbeat response, 10 00 "DeepSec" ……….…[rsa key]…. (4096 bytes are copied from server memory although only 7 were sent)
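Added example (not code from the talk or from OpenSSL) of the server-side logic behind slides 17 and 18: a heartbeat handler that trusts payload_length next to one that checks it against the received record. The request 10 00 "DeepSec" of slide 18 drives both; the memory behind the request buffer is a constructed byte string containing a placeholder key marker.

```python
"""Heartbeat request handling, vulnerable vs. hardened.

Added example, not code from the talk or from OpenSSL. It models the
Heartbleed bug (CVE-2014-0160): the server trusted the 16-bit
payload_length of the Heartbeat message and copied that many bytes from
the request buffer, reading past the request when the client lied. The
memory behind the request buffer is a constructed byte string.
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520 requires at least 16 bytes of padding

# Constructed stand-in for the heap behind the request buffer.
SERVER_MEMORY_AFTER_REQUEST = b"\x00" * 40 + b"-----BEGIN RSA PRIVATE KEY-----" + b"\x00" * 8


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Serialize HeartbeatMessage: type(1) | payload_length(2) | payload | padding.
    claimed_length lets the client lie about the length (slide 18: 10 00 for 7 bytes)."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack(">BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * PADDING_LEN


def handle_heartbeat_vulnerable(record: bytes, memory_after: bytes) -> bytes:
    """Pre-fix behaviour: copy payload_length bytes from the start of the payload,
    which runs off the end of the request into adjacent memory."""
    _, payload_length = struct.unpack(">BH", record[:3])
    buffer = record[3:] + memory_after   # request bytes followed by whatever lies behind them
    payload = buffer[:payload_length]    # over-read whenever payload_length > len(record) - 3
    return struct.pack(">BH", HEARTBEAT_RESPONSE, payload_length) + payload + b"\x00" * PADDING_LEN


def handle_heartbeat_hardened(record: bytes, memory_after: bytes) -> Optional[bytes]:
    """Post-fix behaviour: silently discard a request whose payload_length does
    not fit in the received record (the rule RFC 6520 already stated).
    memory_after is unused; kept so both handlers share a signature."""
    if len(record) < 3:
        return None
    hb_type, payload_length = struct.unpack(">BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if 3 + payload_length + PADDING_LEN > len(record):
        return None                      # claimed length exceeds the record: drop it
    payload = record[3:3 + payload_length]
    return struct.pack(">BH", HEARTBEAT_RESPONSE, payload_length) + payload + b"\x00" * PADDING_LEN


def leaked_bytes(response: bytes, sent_payload: bytes) -> bytes:
    """Response payload beyond what the client actually sent: the leak."""
    payload_length = struct.unpack(">H", response[1:3])[0]
    return response[3:3 + payload_length][len(sent_payload):]
```

With build_heartbeat(b"DeepSec", 0x1000) the vulnerable handler answers with the request padding followed by the constructed memory, while the hardened one returns None; a well-formed request is echoed identically by both.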
Slide 20
Padding oracle attacks
• Adaptive chosen-ciphertext attacks
• AES-CBC: Vaudenay's attack
• RSA-PKCS#1: Bleichenbacher's attack
The attacker holds a ciphertext C = Enc(M) and sends modified ciphertexts C1, C2, … to the server; each valid/invalid answer determines the next query, and after the exchange is repeated several times the attacker recovers M = Dec(C).
Slide 21
Overview, part 3: Framework Prerequisites
Slide 22
Recent Attacks on TLS
• Not only crypto attacks …
• Attacks on TLS state machines
– FREAK
– Early CCS
• Buffer overflows / overreads
– Heartbleed
– CVE-2016-6307 (High) -> CVE-2016-6309 (Critical)
• A tool for flexible protocol executions is needed
Slide 23
Framework Prerequisites
• Flexible protocol flow definition
• Message modifications
• Invalid behavior detection
• Protocol flow reproduction
[Figure: protocol flow ClientHello -> ServerHello, Certificate, ServerHelloDone -> ClientKeyExchange, ChangeCipherSpec, (Client-) Finished -> ChangeCipherSpec, (Server-) Finished -> ClientKeyExchange -> Application data]
Slide 24
Overview, part 4: TLS-Attacker Design
Slide 25
High-Level Overview
Slide 26
Modifiable variables
• Define basic data types (integer, byte, arrays) with modifications
• Example (abbreviated as on the slide; the variable keeps its original value 30 and the modification is applied whenever the value is read, e.g. for serialization):

```java
ModifiableInteger i = new ModifiableInteger();
i.setValue(30);
i.setModification(new AddModification(20));
System.out.println(i.getValue()); // 50
```

• Further modifications: xor, shuffle, delete, …
Slide 27
Protocol messages
• ClientHello
• Stored in a message list
• Serializable in XML

ClientHelloMessage (class sketch)
  cipherSuites: ModifiableByteArray
  cipherSuiteLength: ModifiableInteger
  …
  getCipherSuites(), getCipherSuiteLength()
Slide 29
Defining a protocol flow

```xml
<protocolMessages>
  <ClientHello>
    <supportedCipherSuites>
      <CipherSuite>TLS_RSA_WITH_AES_128_CBC_SHA</CipherSuite>
    </supportedCipherSuites>
  </ClientHello>
  <ServerHello/>
  <Certificate/>
  <ServerHelloDone/>
  <RSAClientKeyExchange/>
  <RSAClientKeyExchange/>
  <ChangeCipherSpec/>
  <Finished/>
  <ChangeCipherSpec/>
  <Finished/>
  <Application/>
</protocolMessages>
```
Slide 30
Defining a protocol flow (with a modification on the Heartbeat payload length)

```xml
<protocolMessages>
  <ClientHello>
    <supportedCipherSuites>
      <CipherSuite>TLS_RSA_WITH_AES_128_CBC_SHA</CipherSuite>
    </supportedCipherSuites>
  </ClientHello>
  <ServerHello/>
  <Certificate/>
  <ServerHelloDone/>
  <RSAClientKeyExchange/>
  <ChangeCipherSpec/>
  <Finished/>
  <ChangeCipherSpec/>
  <Finished/>
  <Heartbeat>
    <payloadLength>
      <integerAddModification>20000</integerAddModification>
    </payloadLength>
  </Heartbeat>
</protocolMessages>
```
Slide 32
Overview, part 5: Fuzzing
Slide 33
Vulnerability detection
• How do we detect invalid server behavior?
1. Different TLS alerts
– Useful for padding oracle attacks
2. Address Sanitizer (ASan)
– Detects memory errors at runtime
– Available in recent compilers, e.g. GCC and Clang
• Vulnerability found -> protocol flow stored in XML
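Added example (not TLS-Attacker code) of detection method 1: decoding the alert a server sends and grouping malformed inputs by the response they trigger. Two or more response classes mean the server tells the inputs apart, which is the side channel a padding oracle attack needs. The observations are constructed and follow the CVE-2016-2107 pattern shown later in the deck (record_overflow vs. bad_record_mac); alert codes are those of RFC 5246.

```python
"""Classifying server responses to malformed records (added example, not
TLS-Attacker code). A TLS alert record is type(1)=21, version(2),
length(2)=2, level(1), description(1). Sample observations are constructed.
"""
import struct
from collections import defaultdict

ALERT = 21                       # TLS record content type for alerts
ALERT_DESCRIPTIONS = {           # RFC 5246, section 7.2 (subset)
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 40: "handshake_failure",
    47: "illegal_parameter", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 80: "internal_error",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}


def parse_alert(record: bytes):
    """Return (level, description) for a well-formed alert record, else None."""
    if len(record) != 7:
        return None
    content_type, _version, length = struct.unpack(">BHH", record[:5])
    if content_type != ALERT or length != 2:
        return None
    level, description = record[5], record[6]
    return (ALERT_LEVELS.get(level, "level_%d" % level),
            ALERT_DESCRIPTIONS.get(description, "alert_%d" % description))


def response_class(response):
    """Reduce one observed server reaction to a comparable label.
    response is a record (bytes) or None for 'connection closed / timeout'."""
    if response is None:
        return "no_response"
    alert = parse_alert(response)
    if alert is not None:
        return "alert:%s:%s" % alert
    return "record_type_%d" % response[0]


def find_oracle(observations):
    """observations: list of (input_label, response). Returns the inputs grouped
    by response class and whether more than one class was seen."""
    groups = defaultdict(list)
    for label, response in observations:
        groups[response_class(response)].append(label)
    return dict(groups), len(groups) > 1


def alert_record(description: int, level: int = 2, version: int = 0x0303) -> bytes:
    """Build an alert record; used here only to construct sample observations."""
    return struct.pack(">BHH", ALERT, version, 2) + bytes([level, description])


# Constructed observations in the CVE-2016-2107 pattern: records whose padding
# is valid but leaves no room for the MAC get record_overflow, every other
# invalid record gets bad_record_mac.
SAMPLE_OBSERVATIONS = [
    ("padding_valid_full_record", alert_record(22)),
    ("padding_byte_0x10", alert_record(20)),
    ("padding_byte_0xff", alert_record(20)),
    ("padding_valid_full_record_again", alert_record(22)),
]
```

find_oracle(SAMPLE_OBSERVATIONS) reports two classes and therefore an oracle; a server that answers every malformed record with the same alert yields one class. In practice the response class should also include whether the connection was closed and, for a timing oracle, a latency bucket.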
Slide 34
Two-stage concept
• Currently only server evaluation
1. Crypto
– Padding oracles, Bleichenbacher attack, invalid curve attacks, POODLE …
2. Fuzzing for boundary violations
– 3 phases
Slide 35
Fuzzing for boundary violations
1. Variable filtering
– Not all variables are suitable
2. Fuzzing with filtered variables
– Random modifications (add, delete, xor)
– Boundary values (-128, -1, 0, 32768, …)
3. Fuzzing with modified protocol flows

ClientHelloMessage variables: cipherSuites, cipherSuiteLength, clientRandom, extensions, extensionLength, …
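The modifiable-variable concept of slide 26, the XML-described modification of slide 30 and the boundary/random modifications of slide 35, re-implemented in Python as one added example. This is not TLS-Attacker's Java API: ModifiableInteger/ModifiableByteArray and integerAddModification are the names the slides show, the remaining names are this example's own. The heartbeat message is the DeepSec request of slide 18, and the boundary values extend the slide's list with the 16-bit edges 65535 and 65536 (an assumption about what a length-field fuzzer should try).

```python
"""Modifiable variables, XML modifications and fuzz modifications
(added example, not TLS-Attacker code). A modification is a callable
applied on every read of the variable, so the original value survives and
serialization picks up the modified one.
"""
import random
import struct
import xml.etree.ElementTree as ET
from typing import Callable, Generic, List, Optional, TypeVar

T = TypeVar("T")


class ModifiableVariable(Generic[T]):
    """An original value plus an optional modification applied on every read."""

    def __init__(self, original: T):
        self.original = original
        self.modification: Optional[Callable[[T], T]] = None

    def set_modification(self, modification: Callable[[T], T]) -> None:
        self.modification = modification

    @property
    def value(self) -> T:
        return self.original if self.modification is None else self.modification(self.original)


# Integer modifications (slide 26): add, xor, explicit value.
def integer_add(summand: int):
    return lambda v: v + summand

def integer_xor(mask: int):
    return lambda v: v ^ mask

def explicit_value(new_value):
    return lambda _v: new_value

# Byte-array modifications (slide 26): delete, xor, shuffle.
def bytes_delete(start: int, count: int):
    return lambda b: b[:start] + b[start + count:]

def bytes_xor(mask: bytes, offset: int = 0):
    return lambda b: bytes(b[i] ^ mask[i - offset] if offset <= i < offset + len(mask) else b[i]
                           for i in range(len(b)))

def bytes_shuffle(seed: int):
    def shuffle(b: bytes) -> bytes:
        out = list(b)
        random.Random(seed).shuffle(out)
        return bytes(out)
    return shuffle


class HeartbeatMessage:
    """type(1) | payloadLength(2) | payload | padding(16); every field is modifiable."""

    def __init__(self, payload: bytes):
        self.heartbeat_type = ModifiableVariable(1)           # heartbeat_request
        self.payload_length = ModifiableVariable(len(payload))
        self.payload = ModifiableVariable(payload)
        self.padding = ModifiableVariable(b"\x00" * 16)

    def serialize(self) -> bytes:
        # .value is read here, so a modified length goes on the wire while the
        # payload stays as it was: the Heartbleed request of slide 18. The length
        # is masked to 16 bits so that negative boundary values still fit the field.
        return (struct.pack(">BH", self.heartbeat_type.value, self.payload_length.value & 0xFFFF)
                + self.payload.value + self.padding.value)


XML_FIELDS = {"payloadLength": "payload_length"}   # XML element name -> attribute (this example's mapping)

def apply_xml_modifications(message: HeartbeatMessage, xml_text: str) -> HeartbeatMessage:
    """Apply <field><integerAddModification>N</integerAddModification></field> entries."""
    for field in ET.fromstring(xml_text):
        for mod in field:
            if mod.tag != "integerAddModification":
                raise ValueError("unsupported modification: %s" % mod.tag)
            getattr(message, XML_FIELDS[field.tag]).set_modification(integer_add(int(mod.text)))
    return message


HEARTBEAT_XML = """<Heartbeat><payloadLength>
  <integerAddModification>20000</integerAddModification>
</payloadLength></Heartbeat>"""

# Fuzzing stage 2 (slide 35): boundary values and random modifications.
BOUNDARY_VALUES = [-128, -1, 0, 32768, 65535, 65536]

def boundary_modifications():
    return [explicit_value(v) for v in BOUNDARY_VALUES]

def random_integer_modification(rng: random.Random):
    kind = rng.choice(["add", "xor", "boundary"])
    if kind == "add":
        return integer_add(rng.randint(-65536, 65536))
    if kind == "xor":
        return integer_xor(rng.getrandbits(16))
    return rng.choice(boundary_modifications())

def fuzz_payload_lengths(seed: int, count: int) -> List[int]:
    """Serialize `count` fuzzed DeepSec heartbeats and return their on-wire length fields."""
    rng = random.Random(seed)
    lengths = []
    for _ in range(count):
        hb = HeartbeatMessage(b"DeepSec")
        hb.payload_length.set_modification(random_integer_modification(rng))
        lengths.append(struct.unpack(">H", hb.serialize()[1:3])[0])
    return lengths
```

Applying HEARTBEAT_XML to HeartbeatMessage(b"DeepSec") gives a payloadLength of 20007 on the wire with a 7-byte payload behind it; a fuzzer records the seed and the XML of any message that makes the server misbehave, which is what makes the flow reproducible.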
Slide 36
Overview, part 6: Results
Slide 37
Results
• Padding oracle attack
– OpenSSL (CVE-2016-2107)
– Botan 1.11.21 (CVE-2015-7824)
– MatrixSSL 3.8.2
• Bleichenbacher attack
– MatrixSSL 3.8.2
• Missing length checks
– GnuTLS 3.4.9
– OpenSSL 1.0.1
• Out-of-bound reads / writes
– OpenSSL 1.1.0-pre1 (stack overflow)
– Botan 1.11.28 (out-of-bound read)
Slide 38
Padding oracle attack
• Applicable to AES-CBC
• Challenge: not to reveal padding validity
1. Same error message
2. Constant time padding and HMAC validation
Client -> Server: ciphertext C
Server -> Client: Valid / Invalid (ideally only a generic "Decryption failed")
Slide 41
AES-CBC in TLS
• MAC-Pad-Encrypt
• Example:
– Two blocks (32 bytes)
– Message: Hello
– MAC size: 20 bytes (SHA-1)
– Padding size: 32 – 5 – 20 = 7
Plaintext layout: H e l l o | mac (20 bytes) | 06 06 06 06 06 06 06 (pad)
Slide 42
AES-CBC in TLS
• Challenge: not to reveal padding validity
• Always:
– Padding validation
– MAC validation
• Same error message and timing
(Same layout: H e l l o | mac | 06 06 06 06 06 06 06)
Slide 43
Constant Time Validation
[Figure: the decrypted "Hello" record (H e l l o | mac | 06 06 06 06 06 06 06) next to the mask data used for the constant-time check]
Slide 44
Constant Time Validation (continued)
[Figure: decrypted data and mask data for the same record]
Slide 45
OpenSSL Vulnerability
[Figure: decrypted data and mask data, all 32 bytes 1F: the last byte 0x1F claims 0x1F + 1 = 32 bytes of padding, i.e. the whole two-block record, leaving no room for the MAC]
Slide 46
OpenSSL Vulnerability (CVE-2016-2107)
• Introduced by patching Lucky 13
• Only when using AES-NI
• Leads to a different server response
Client -> Server: ciphertext C
Server -> Client: RECORD OVERFLOW or BAD RECORD MAC (the alert depends on the padding validity)
http://web-in-security.blogspot.co.at/2016/05/curious-padding-oracle-in-openssl-cve.html
Can this be even worse?
Slide 47
Yes
• MatrixSSL 3.8.2
• Timing attack -> buffer overflow
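The record check behind slides 38 to 47, added as an example (not code from the talk or from OpenSSL). The "Hello" record with SHA-1 MAC and 06-padding is built as on slide 41 and fed to three checkers that work on the decrypted plaintext (the block cipher is left out; the attacker reaches these plaintexts by modifying ciphertext blocks). check_leaky returns distinct alerts for bad padding and bad MAC, check_fixed always runs both checks and returns one alert, and check_cve_2016_2107_style omits the check that the padding leaves room for the MAC, so the all-1F record of slide 45 yields record_overflow instead of bad_record_mac. The last is modelled on the public description of the bug, not on OpenSSL source; as a simplification the MAC covers only the fragment, not the sequence number and record header.

```python
"""TLS CBC record checking (MAC-then-pad-then-encrypt), added example.
Not code from the talk or from OpenSSL; works on decrypted plaintext.
Alert codes follow RFC 5246. Simplification: HMAC over the fragment only.
"""
import hashlib
import hmac

BAD_RECORD_MAC = 20
DECRYPTION_FAILED = 21   # the SSL3/TLS 1.0 padding alert, distinct from bad_record_mac
RECORD_OVERFLOW = 22
MAC_LEN = 20             # SHA-1
BLOCK = 16               # AES block size


def build_plaintext(message: bytes, mac_key: bytes) -> bytes:
    """message | HMAC-SHA1 | padding, padded to a block multiple.
    For 'Hello': 5 + 20 = 25 bytes, so 7 padding bytes, each 0x06 (slide 41)."""
    mac = hmac.new(mac_key, message, hashlib.sha1).digest()
    pad_len = BLOCK - (len(message) + MAC_LEN) % BLOCK      # 1..16 bytes
    return message + mac + bytes([pad_len - 1]) * pad_len


def padding_ok(pt: bytes) -> bool:
    pad = pt[-1]
    return len(pt) >= pad + 1 and all(b == pad for b in pt[-(pad + 1):])


def mac_ok(pt: bytes, pad: int, mac_key: bytes) -> bool:
    body = pt[:len(pt) - pad - 1]
    if len(body) < MAC_LEN:
        return False
    msg, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(hmac.new(mac_key, msg, hashlib.sha1).digest(), mac)


def check_leaky(pt: bytes, mac_key: bytes):
    """Vaudenay-style oracle: bad padding gets its own alert and skips the MAC."""
    if not padding_ok(pt):
        return DECRYPTION_FAILED
    if not mac_ok(pt, pt[-1], mac_key):
        return BAD_RECORD_MAC
    return None


def check_fixed(pt: bytes, mac_key: bytes):
    """Always validates padding and MAC and reports a single alert. A real
    implementation additionally has to keep the amount of MAC work independent
    of pad (Lucky 13); that part is not modelled here."""
    if len(pt) < MAC_LEN + 1:
        return BAD_RECORD_MAC
    good = padding_ok(pt)
    pad = pt[-1] if good else 0                    # on bad padding, still run the MAC check
    good &= pad <= len(pt) - MAC_LEN - 1           # the padding must leave room for the MAC
    good &= mac_ok(pt, pad if good else 0, mac_key)
    return None if good else BAD_RECORD_MAC


def check_cve_2016_2107_style(pt: bytes, mac_key: bytes):
    """Validates the padding but never checks that it fits before the MAC. For
    an all-padding record the computed message length goes negative and the
    record layer reports an overflow: a different alert than for any other
    invalid record, which is the padding oracle."""
    if not padding_ok(pt):
        return BAD_RECORD_MAC
    pad = pt[-1]
    msg_len = len(pt) - pad - 1 - MAC_LEN
    if msg_len < 0:
        return RECORD_OVERFLOW
    if not mac_ok(pt, pad, mac_key):
        return BAD_RECORD_MAC
    return None
```

Feeding 32 bytes of 0x1F to check_cve_2016_2107_style returns RECORD_OVERFLOW while any record with invalid padding returns BAD_RECORD_MAC; check_fixed answers BAD_RECORD_MAC in both cases. The MatrixSSL result of slide 47 (a timing difference that turns into a buffer overflow) is a different bug and is not modelled.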
Slide 48
Overview, part 7: Conclusions
Slide 49
Conclusions and future work
• Maintaining a crypto library is hard
• New code / patches can introduce new flaws
• Systematic fuzzing and evaluation needed
• TLS-Attacker
– For researchers, pentesters
– For developers
• Development / fuzzing improvements needed
– TLS client-side tests
– Better fuzzing strategies