DocumentCode
153549
Title
Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations
Author
Brubaker, Chad ; Jana, Suman ; Ray, Baishakhi ; Khurshid, Sarfraz ; Shmatikov, Vitaly
Author_Institution
Univ. of Texas at Austin, Austin, TX, USA
fYear
2014
fDate
18-21 May 2014
Firstpage
114
Lastpage
129
Abstract
Modern network security rests on the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. Distributed systems, mobile and desktop applications, embedded devices, and all of the secure Web rely on SSL/TLS for protection against network attacks. This protection critically depends on whether SSL/TLS clients correctly validate X.509 certificates presented by servers during the SSL/TLS handshake protocol. We design, implement, and apply the first methodology for large-scale testing of certificate validation logic in SSL/TLS implementations. Our first ingredient is "frankencerts," synthetic certificates that are randomly mutated from parts of real certificates and thus include unusual combinations of extensions and constraints. Our second ingredient is differential testing: if one SSL/TLS implementation accepts a certificate while another rejects the same certificate, we use the discrepancy as an oracle for finding flaws in individual implementations. Differential testing with frankencerts uncovered 208 discrepancies between popular SSL/TLS implementations such as OpenSSL, NSS, CyaSSL, GnuTLS, PolarSSL, MatrixSSL, etc. Many of them are caused by serious security vulnerabilities. For example, any server with a valid X.509 version 1 certificate can act as a rogue certificate authority and issue fake certificates for any domain, enabling man-in-the-middle attacks against MatrixSSL and GnuTLS. Several implementations also accept certificate authorities created by unauthorized issuers, as well as certificates not intended for server authentication. We also found serious vulnerabilities in how users are warned about certificate validation errors. When presented with an expired, self-signed certificate, NSS, Safari, and Chrome (on Linux) report that the certificate has expired - a low-risk, often ignored error - but not that the connection is insecure against a man-in-the-middle attack. These results demonstrate that automated adversarial testing with frankencerts is a powerful methodology for discovering security flaws in SSL/TLS implementations.
Keywords
authorisation; computer network security; online front-ends; protocols; Chrome; CyaSSL; Frankencerts; GnuTLS; MatrixSSL; NSS; OpenSSL; PolarSSL; SSL-TLS clients; SSL-TLS handshake protocol; SSL-TLS implementations; Safari; X.509 certificates; automated adversarial testing; certificate validation errors; certificate validation logic; differential testing; man-in-the-middle attacks; modern network security; network attacks; oracle; secure sockets layer protocols; security vulnerabilities; self-signed certificate; server authentication; synthetic certificates; transport layer security protocols; Authentication; Browsers; Computer bugs; Protocols; Servers; Testing; SSL; automated testing; certificate validation
fLanguage
English
Publisher
ieee
Conference_Titel
Security and Privacy (SP), 2014 IEEE Symposium on
Conference_Location
San Jose, CA
ISSN
1081-6011
Type
conf
DOI
10.1109/SP.2014.15
Filename
6956560
Link To Document