TY - GEN
T1 - A messy state of the union
T2 - 36th IEEE Symposium on Security and Privacy, SP 2015
AU - Beurdouche, Benjamin
AU - Bhargavan, Karthikeyan
AU - Delignat-Lavaud, Antoine
AU - Fournet, Cédric
AU - Kohlweiss, Markulf
AU - Pironti, Alfredo
AU - Strub, Pierre Yves
AU - Zinzindohoue, Jean Karim
N1 - Publisher Copyright:
© 2015 IEEE.
PY - 2015/7/17
Y1 - 2015/7/17
N2 - Implementations of the Transport Layer Security (TLS) protocol must handle a variety of protocol versions and extensions, authentication modes, and key exchange methods. Confusingly, each combination may prescribe a different message sequence between the client and the server. We address the problem of designing a robust composite state machine that correctly multiplexes between these different protocol modes. We systematically test popular open-source TLS implementations for state machine bugs and discover several critical security vulnerabilities that have lain hidden in these libraries for years, and have now finally been patched due to our disclosures. Several of these vulnerabilities, including the recently publicized FREAK flaw, enable a network attacker to break into TLS connections between authenticated clients and servers. We argue that state machine bugs stem from incorrect compositions of individually correct state machines. We present the first verified implementation of a composite TLS state machine in C that can be embedded into OpenSSL and accounts for all its supported cipher suites. Our attacks expose the need for the formal verification of core components in cryptographic protocol libraries, our implementation demonstrates that such mechanized proofs are within reach, even for mainstream TLS implementations.
AB - Implementations of the Transport Layer Security (TLS) protocol must handle a variety of protocol versions and extensions, authentication modes, and key exchange methods. Confusingly, each combination may prescribe a different message sequence between the client and the server. We address the problem of designing a robust composite state machine that correctly multiplexes between these different protocol modes. We systematically test popular open-source TLS implementations for state machine bugs and discover several critical security vulnerabilities that have lain hidden in these libraries for years, and have now finally been patched due to our disclosures. Several of these vulnerabilities, including the recently publicized FREAK flaw, enable a network attacker to break into TLS connections between authenticated clients and servers. We argue that state machine bugs stem from incorrect compositions of individually correct state machines. We present the first verified implementation of a composite TLS state machine in C that can be embedded into OpenSSL and accounts for all its supported cipher suites. Our attacks expose the need for the formal verification of core components in cryptographic protocol libraries, our implementation demonstrates that such mechanized proofs are within reach, even for mainstream TLS implementations.
KW - Transport Layer Security
KW - cryptographic protocols
KW - formal methods
KW - man-in-the-middle attacks
KW - software verification
UR - https://www.scopus.com/pages/publications/84940995903
U2 - 10.1109/SP.2015.39
DO - 10.1109/SP.2015.39
M3 - Conference contribution
AN - SCOPUS:84940995903
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 535
EP - 552
BT - Proceedings - 2015 IEEE Symposium on Security and Privacy, SP 2015
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 18 May 2015 through 20 May 2015
ER -