Vetting SSL Usage in Applications with SSLINT (PowerPoint presentation)

Uploaded by lois-ondreau on 2020-01-22




Presentation Transcript

Slide 1: Vetting SSL Usage in Applications with SSLINT
Boyuan He [1], Vaibhav Rastogi [2], Yinzhi Cao [3], Yan Chen [2][1], Venkat Venkatakrishnan [4], Runqing Yang [1], Zhenrui Zhang [1]
[1] Zhejiang University, China; [2] Northwestern University, USA; [3] Columbia University, USA; [4] University of Illinois, Chicago, USA
Lab of Internet and Security Technology (LIST)

Slide 2: Motivation & Problem Statement
[Figure: protocol stack, with TCP at the bottom, SSL/TLS above it, and the application protocols HTTP, SMTP, POP3 and IMAP on top]
Use an X.509 certificate for authentication.

Slide 3: Motivation & Problem Statement
Many application vulnerabilities due to improper usage of SSL/TLS are mentioned in previous papers, e.g. Georgiev et al. [CCS '12] (black-box testing).
Is it possible to automatically detect such SSL vulnerabilities at large scale and in a more general way, with high efficiency and accuracy?

Slide 4: Contributions
– Design a systematic approach to automatically detect incorrect SSL API usage vulnerabilities.
– Implement SSLint, a scalable automated tool to verify SSL usage in applications.
– Automated candidate app selection and compilation.
– Results: automatically analyzed 22 million lines of code; found 27 previously unknown SSL/TLS-vulnerable apps.

Slide 5: Agenda
– Motivation & Problem Statement
– Background on SSL Vulnerabilities
– SSLint Design and Implementation
– Results

Slide 6: Background on SSL Vulnerabilities – How does SSL/TLS work? (RFC 5246)
Client -> Server: TCP SYN
Server -> Client: TCP SYN ACK
Client -> Server: TCP ACK
Client -> Server: ClientHello
Server -> Client: ServerHello, Certificate, ServerHelloDone
Client -> Server: ClientKeyExchange, CertificateVerify, [ChangeCipherSpec], Finished
Server -> Client: [ChangeCipherSpec], Finished
Client <-> Server: Application Data

Slide 7: Background on SSL Vulnerabilities
[Figure: a secure SSL channel next to a hijacked SSL channel]
Man-in-the-middle attacks caused by incorrect certificate validation.

Slide 8: A Motivating Example – Vulnerable example (OpenSSL API)

    ctx = SSL_CTX_new(method);      /* Create SSL context. */
    ...
    ssl = SSL_new(ctx);             /* Create SSL session. */
    ...
    SSL_connect(ssl);               /* Launch SSL handshake. */
    ...
    if (SSL_get_verify_result(ssl) == X509_V_OK) {
        /* Validation succeeds. */
    } else {
        /* Validation fails; terminate the connection. */
    }

The code checks the built-in certificate validation result after the handshake, but if no certificate is presented at all, X509_V_OK can still be returned.

Slide 9: A Motivating Example Cont'd – Fix of the vulnerable example

    ctx = SSL_CTX_new(method);
    ...
    ssl = SSL_new(ctx);
    ...
    SSL_connect(ssl);
    ...
    cert = SSL_get_peer_certificate(ssl);
    if (cert != NULL) {
        if (SSL_get_verify_result(ssl) == X509_V_OK) {
            /* Validation succeeds. */
        } else {
            /* Validation fails; terminate the connection. */
        }
    } else {
        /* Validation fails; terminate the connection. */
    }

Check whether the server's certificate is presented (is it NULL?) together with the validation result.

Slide 10: SSLint Framework
– Check whether validation APIs are called correctly.
– Encode "correct" usage in a signature and match this signature; the app passes if the match succeeds.
[Figure: pipeline – SSL Client Apps -> Static Analyzer -> Code Representation -> Matcher (using Signatures) -> Vulnerability Report]

Slide 11: SSLint Signatures – Fixed vulnerable example

     1  ctx = SSL_CTX_new(method);
        ...
     2  ssl = SSL_new(ctx);
        ...
     3  SSL_connect(ssl);
        ...
     4  cert = SSL_get_peer_certificate(ssl);
     5  if (cert != NULL) {
     6      if (SSL_get_verify_result(ssl) == X509_V_OK) {
     7          /* Validation succeeds. */
     8          SSL_read(ssl, ...);   /* or SSL_write(ssl, ...) */
     9      }
    10      else {
    11          /* Validation fails; terminate the connection. */
    12      }
    13  }
    14  else {
    15      /* Validation fails; terminate the connection. */
        }

Signature (data flow & control flow):
@1 SSL_CTX_new
@2 SSL_new
@3 SSL_connect
@4 SSL_get_peer_certificate
@5 if condition (cert != NULL)
@6 SSL_get_verify_result
@6 if condition (== X509_V_OK)
@8 SSL_read / SSL_write

Slide 12: SSLint Signatures
We use program dependence graphs (PDGs) both as the code representation and as the signature representation, in order to capture both control flow and data flow.
[Figure: signature for OpenSSL APIs]
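As an added illustration of the PDG-based signature matching of slides 11 and 12, applied to the vulnerable client of slide 8 and the fixed client of slide 11: the code below is written for this page and is not SSLint's own implementation (SSLint builds its PDGs with CodeSurfer and matches Cypher-style signature expressions). It hand-builds two small dependence graphs and checks that every SSL_read/SSL_write node is, through control dependence, guarded by a peer-certificate NULL check and by an `SSL_get_verify_result == X509_V_OK` check whose operands, through data dependence, come from the right API calls on the same session. The `Node`/`PDG` classes, the variable names and the function `check_openssl_signature` are assumptions of this example.

```python
"""Toy PDG signature matcher in the spirit of SSLint (added example, not the tool's code)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Node:
    nid: int
    kind: str                            # "call" or "cond"
    name: str                            # API name for calls, operator label for conditions
    args: tuple[str, ...] = ()           # variables this node reads
    defs: str | None = None              # variable this node writes (calls only)
    cdeps: frozenset[int] = frozenset()  # conditions whose true branch this node depends on


class PDG:
    def __init__(self, nodes: list[Node]) -> None:
        self.nodes = {n.nid: n for n in nodes}

    def definer(self, var: str) -> Node | None:
        # Data-dependence edge: the call node that defines `var` (unique in this toy).
        for n in self.nodes.values():
            if n.kind == "call" and n.defs == var:
                return n
        return None

    def guards(self, nid: int) -> set[int]:
        # Transitive control dependence: every condition that must hold to reach `nid`.
        seen, todo = set(), list(self.nodes[nid].cdeps)
        while todo:
            g = todo.pop()
            if g not in seen:
                seen.add(g)
                todo.extend(self.nodes[g].cdeps)
        return seen

    def calls(self, name: str) -> list[Node]:
        return [n for n in self.nodes.values() if n.kind == "call" and n.name == name]


def defined_by(pdg: PDG, var: str, api: str, on: str | None = None) -> bool:
    """True if `var` flows from a call to `api` (optionally a call applied to variable `on`)."""
    d = pdg.definer(var)
    return d is not None and d.name == api and (on is None or d.args == (on,))


def check_openssl_signature(pdg: PDG) -> list[str]:
    """Return signature violations for the slide-11 OpenSSL signature; [] means it matched."""
    problems: list[str] = []
    for io in pdg.calls("SSL_read") + pdg.calls("SSL_write"):
        ssl = io.args[0]
        # @1-@3: the session must be SSL_new(SSL_CTX_new(...)) and must have been connected.
        ctx_ok = defined_by(pdg, ssl, "SSL_new") and defined_by(pdg, pdg.definer(ssl).args[0], "SSL_CTX_new")
        if not ctx_ok or not any(c.args == (ssl,) for c in pdg.calls("SSL_connect")):
            problems.append(f"node {io.nid}: {io.name} on a session not built via SSL_CTX_new/SSL_new/SSL_connect")
        guard_nodes = [pdg.nodes[g] for g in pdg.guards(io.nid)]
        # @4/@5: a (cert != NULL) guard where cert = SSL_get_peer_certificate(ssl).
        has_cert_check = any(g.kind == "cond" and g.name == "!= NULL"
                             and defined_by(pdg, g.args[0], "SSL_get_peer_certificate", on=ssl)
                             for g in guard_nodes)
        # @6: a (SSL_get_verify_result(ssl) == X509_V_OK) guard.
        has_verify_check = any(g.kind == "cond" and g.name == "== X509_V_OK"
                               and defined_by(pdg, g.args[0], "SSL_get_verify_result", on=ssl)
                               for g in guard_nodes)
        if not has_cert_check:
            problems.append(f"node {io.nid}: {io.name} not guarded by a peer-certificate NULL check")
        if not has_verify_check:
            problems.append(f"node {io.nid}: {io.name} not guarded by SSL_get_verify_result == X509_V_OK")
    return problems


# Constructed PDGs (hand-built for this example, not produced by a real analyzer).
VULNERABLE_SLIDE8 = PDG([
    Node(1, "call", "SSL_CTX_new", ("method",), defs="ctx"),
    Node(2, "call", "SSL_new", ("ctx",), defs="ssl"),
    Node(3, "call", "SSL_connect", ("ssl",)),
    Node(4, "call", "SSL_get_verify_result", ("ssl",), defs="vres"),
    Node(5, "cond", "== X509_V_OK", ("vres",)),
    Node(6, "call", "SSL_read", ("ssl",), cdeps=frozenset({5})),  # no NULL check on the peer cert
])

FIXED_SLIDE11 = PDG([
    Node(1, "call", "SSL_CTX_new", ("method",), defs="ctx"),
    Node(2, "call", "SSL_new", ("ctx",), defs="ssl"),
    Node(3, "call", "SSL_connect", ("ssl",)),
    Node(4, "call", "SSL_get_peer_certificate", ("ssl",), defs="cert"),
    Node(5, "cond", "!= NULL", ("cert",)),
    Node(6, "call", "SSL_get_verify_result", ("ssl",), defs="vres", cdeps=frozenset({5})),
    Node(7, "cond", "== X509_V_OK", ("vres",), cdeps=frozenset({5})),
    Node(8, "call", "SSL_read", ("ssl",), cdeps=frozenset({7})),  # reachable only through both checks
])

if __name__ == "__main__":
    for label, pdg in (("slide 8 (vulnerable)", VULNERABLE_SLIDE8), ("slide 11 (fixed)", FIXED_SLIDE11)):
        print(label, "->", check_openssl_signature(pdg) or "signature matched")
```

The matcher reports the slide-8 client because its SSL_read is reachable without a `cert != NULL` guard, and accepts the slide-11 client because the read is transitively control-dependent on both conditions; the same walk over guards is what lets a signature tolerate unrelated code between the checks and the I/O call.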

Slide 13: SSLint Implementation
Technical challenges:
– Defining and representing correct use.
– Identifying the preliminary condition for signature matching.
– Automated candidate app selection and compilation.
[Figure: signature graph fragment from SSL_new() to SSL_read() or SSL_write()]

Slide 14: SSLint Implementation – Certificate Validation Vulnerability Scanner
– CodeSurfer provides the static analysis.
– 2.6K LoC (in C++).
– Generated PDGs are matched against signatures:
  – signature expressions motivated by Cypher, a graph query language;
  – a custom algorithm performs the matches.

Slide 15: Results
– Signatures implemented for OpenSSL and GnuTLS, the two most popular SSL/TLS libraries.
– Scanned the entire Ubuntu distribution:
  – 22 million LoC in static analysis;
  – 485 applications using OpenSSL and GnuTLS.
– Detected 27 vulnerabilities: all reported and confirmed; 4 fixed, 14 responses from developers.

Slide 16: Results
– Vulnerable e-mail software: Xfce4-Mailwatch-Plugin, Mailfilter, Exim, DragonFly Mail Agent, spamc
– Vulnerable IRC software: Enhanced Programmable ircII client (EPIC), Scrollz
– Other vulnerable software:
  – Web (https): Prayer front end, xxxterm
  – Database: FreeTDS
  – Admin tools: nagircbot, nagios-nrpe-plugin, syslog-ng
  – Performance testing tools: siege, httperf, httping

Slide 17: Results (a "-" marks a cell left empty on the slide)

App Name                LoC      Vulnerability Type                           SSL library       Dynamic Auditing  Developer Feedback
dma                     12,504   Certificate Validation                       OpenSSL           Proved            Confirmed
exim                    494,874  Hostname Validation                          OpenSSL, GnuTLS   Proved            Fixed
xfce4-mailwatch-plugin  9,830    Certificate Validation, Hostname Validation  GnuTLS            Proved            -
spamc                   5,472    Certificate Validation                       OpenSSL           -                 Confirmed
prayer                  45,555   Certificate Validation                       OpenSSL           -                 Confirmed
epic4                   56,168   Certificate Validation                       OpenSSL           Proved            Fixed
epic5                   65,155   Certificate Validation                       OpenSSL           Proved            Fixed
scrollz                 78,390   Certificate Validation, Hostname Validation  OpenSSL, GnuTLS   Proved            Confirmed
xxxterm                 23,126   Hostname Validation                          GnuTLS            Proved            Confirmed
httping                 1,400    Certificate Validation                       OpenSSL           Proved            Confirmed
pavuk                   51,781   Certificate Validation                       OpenSSL           -                 Confirmed
crtmpserver             57,377   Certificate Validation                       OpenSSL           -                 Confirmed
freetds-bin             80,203   Certificate Validation, Hostname Validation  GnuTLS            Proved            Confirmed

Slide 18: Results (continued)

App Name                LoC      Vulnerability Type                           SSL library       Dynamic Auditing  Developer Feedback
nagircbot               3,307    Certificate Validation                       OpenSSL           Proved            -
picolisp                14,250   Certificate Validation                       OpenSSL           -                 Fixed
nagios-nrpe-plugin      3,145    Certificate Validation                       OpenSSL           -                 Confirmed
citadel-client          56,866   Certificate Validation                       OpenSSL           Proved            -
mailfilter              4,773    Certificate Validation                       OpenSSL           Proved            -
suck                    12,083   Certificate Validation                       OpenSSL           Proved            -
proxytunnel             2,043    Certificate Validation, Hostname Validation  GnuTLS            Proved            -
siege                   8,581    Certificate Validation                       OpenSSL           Proved            -
httperf                 6,692    Certificate Validation                       OpenSSL           Proved            -
syslog-ng               115,513  Certificate Validation                       OpenSSL           Proved            -
medusa                  18,811   Certificate Validation                       OpenSSL           Proved            -
hydra                   23,839   Certificate Validation                       OpenSSL           Proved            -
ratproxy                4,069    Certificate Validation                       OpenSSL           Proved            -
dsniff                  24,625   Certificate Validation                       OpenSSL           Proved            -

Slide 19: Conclusion & Ongoing Work
Ongoing work
– SSLint is our first step towards verifying API usage by static analysis. (A generic approach?)
– Fix the applications that failed in analysis by automatically identifying the SSL-relevant modules in application code.
Conclusion
– We design and implement SSLint to verify SSL API usage at large scale (22M LoC).
– We discover 27 previously unknown vulnerable apps due to misuse.

Slide 20: Demo – Attack demo video against Xfce4-mailwatch-plugin

Slide 21: Thank you! Questions?
http://list.zju.edu.cn/
http://list.cs.northwestern.edu/

Slide 22: Backup

Slide 23: A Motivating Example – Vulnerable example (OpenSSL API)

    const SSL_METHOD *method;
    SSL_CTX *ctx;
    SSL *ssl;
    ...
    method = TLSv1_client_method();                 /* Specify the protocol: TLSv1. */
    ...
    ctx = SSL_CTX_new(method);                      /* Create SSL context. */
    ...
    ssl = SSL_new(ctx);                             /* Create SSL session. */
    ...
    SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, ...);  /* Configure built-in certificate validation. */
    ...
    SSL_connect(ssl);                               /* Launch SSL handshake. */

The code configures OpenSSL's built-in certificate validation, but fails to enforce this validation during the handshake.

Slide 24: A Motivating Example Cont'd – Fix of the vulnerable example

    const SSL_METHOD *method;
    SSL_CTX *ctx;
    SSL *ssl;
    ...
    method = TLSv1_client_method();
    ...
    ctx = SSL_CTX_new(method);
    ...
    ssl = SSL_new(ctx);
    ...
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, ...);
    ...
    SSL_connect(ssl);

Use the SSL_VERIFY_PEER flag instead of SSL_VERIFY_NONE to enforce OpenSSL's built-in certificate validation during the handshake.

Slide 25: OpenSSL API

Slide 26: Incorrect use of SSL API
[Figure: poisoned DNS cache]
Man-in-the-middle attacks caused by incorrect hostname validation.
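The weak-versus-fixed configuration of slides 23 and 24, together with the hostname validation of slide 26, shown with Python's standard-library `ssl` module, which wraps OpenSSL: `CERT_NONE` corresponds to `SSL_VERIFY_NONE`, `CERT_REQUIRED` to `SSL_VERIFY_PEER`, and `check_hostname` to hostname validation of the leaf certificate. This is an added example, not code from the talk; the function names `weak_client_context`, `hardened_client_context` and `audit_context` are this example's own, and `audit_context` inspects a configured context object rather than source code, so it is only an analogue of SSLint's static signature match.

```python
"""Weak vs. hardened OpenSSL verification settings via Python's ssl module (added example)."""
import ssl


def weak_client_context() -> ssl.SSLContext:
    """Mirror of the slide-23 bug: verification configured as SSL_VERIFY_NONE.

    With CERT_NONE the handshake completes against any certificate, or none at all,
    so a man-in-the-middle with an arbitrary certificate is accepted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared first; CERT_NONE is refused while it is on
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Mirror of the slide-24 fix (SSL_VERIFY_PEER) plus the hostname check of slide 26."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain must validate during the handshake
    ctx.check_hostname = True             # leaf certificate must also match the server name
    ctx.load_default_certs()              # trust anchors; without any, validation fails closed
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Report the two misconfigurations the talk is about; an empty list means clean."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate validation not enforced (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname validation disabled (check_hostname is False)")
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(label, "->", audit_context(ctx) or "clean")
```

Both findings correspond to rows in the results tables: a "Certificate Validation" finding is the CERT_NONE/SSL_VERIFY_NONE case, and a "Hostname Validation" finding is the case where the chain validates but nobody checks that the certificate was issued for the host actually being contacted.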

Slide 27: Measurement results

Slide 28: Accuracy

Slide 29: Static Analysis