Transcript Vetting SSL Usage in Applications with SSLINT Boyuan He[1], Vaibhav Rastogi[2], Yinzhi Cao[3], Yan Chen[2][1], Venkat Venkatakrishnan[4], Runqing Yang[1], Zhenrui Zhang[1] Lab of Internet and.

Vetting SSL Usage in Applications
with SSLINT
Boyuan He[1], Vaibhav Rastogi[2], Yinzhi Cao[3], Yan
Chen[2][1], Venkat Venkatakrishnan[4], Runqing Yang[1],
Zhenrui Zhang[1]
Lab of Internet and Security Technology (LIST)
[1] Zhejiang University, China
[2] Northwestern University, USA
[3] Columbia University, USA
[4] University of Illinois, Chicago, USA
Motivation & Problem Statement
TCP
SSL/TLS
HTTP
SMTP
POP3
IMAP
Use an X509 certificate for
authentication
2
Motivation & Problem Statement
Many application vulnerabilities due to
improper usage of SSL/TLS are mentioned
in previous papers.
 Georgiev et al. [CCS’ 12] (Black-box testing)
Is it possible to automatically detect such
SSL vulnerabilities in large scale and in a
more general way with high efficiency and
accuracy?
3
Contributions
 Design a systematic approach to automatically
detect incorrect SSL API usage vulnerabilities.
 Implement SSLint, a scalable automated tool to
verify SSL usage in applications.
 Automated candidate app selection and
compilation.
 Results.
—— Automatically analyzed 22 million lines of code.
—— 27 previously unknown SSL/TLS vulnerable
apps.
4
Agenda
1. Motivation & Problem Statement
2. Background on SSL Vulnerabilities
3. SSLint Design and Implementation
4. Results
5
Background on SSL Vulnerabilities
How SSL/TLS works?
TCP SYN
TCP ACK
ClientHello
TCP SYN ACK
ServerHello
Certificate
ServerHelloDone
Client Key Exchange
Certificate Verify
[Change Cipher Spec]
Finished
[Change Cipher Spec]
Finished
Application Data
Application Data
Client
Server
(RFC 5246)
6
Background on SSL Vulnerabilities
Man-in-the-middle attacks caused by
incorrect certificate validation.
AAhijacked
secure SSL
SSLchannel
channel
Victim
Mail Server
Router(Gateway)
Web Server
7
Attacker
A Motivating Example
Vulnerable example (OpenSSL API)
ctx = SSL_CTX_new(method);
...
ssl = SSL_new(ctx);
...
SSL_connect(ssl);
…
if(SSL_get_verify_result(ssl)
==X509_V_OK){
//Validation succeeds.
}
else{
//Validation fails and
terminate connection
}
Create SSL context.
Create SSL session.
Launch SSL handshake
Check the built-in
certificate validation result
after handshake, but if no
certificate is presented,
X509_V_OK flag can still
be set.
8
A Motivating Example Cont’d
Fix of vulnerable example
ctx = SSL_CTX_new(method);
...
ssl = SSL_new(ctx);
...
SSL_connect(ssl);
…
cert = SSL_get_peer_certificate(ssl);
if (cert != NULL){
if(SSL_get_verify_result(ssl)
==X509_V_OK){
//Validation succeeds.
}
else{
//Validation fails and
terminate connection
}
}
else{
//Validation fails and
terminate connection
}
Check if server’s
certificate is
presented (is NULL?)
together with the
validation result.
9
SSLint Framework
SSL Client Apps
 Check whether
validation APIs are
called correctly.
 Encode “correct”
usage in a signature
and match this
signature.
Pass if match succeeds
Static Analyzer
Code
Representation
Signatures
Matcher
Vulnerability
Report
10
SSLint Signatures
Fixed vulnerable example
1 ctx = SSL_CTX_new(method);
...
2 ssl = SSL_new(ctx);
...
3 SSL_connect(ssl);
…
4 cert =
SSL_get_peer_certificate(ssl);
5 if (cert != NULL){
6
if(SSL_get_verify_result(ssl)
==X509_V_OK){
7
//Validation succeeds.
8 SSL_read(ssl…) or SSLwrite(ssl,…)
9
}
10
else{
11
//Validation fails and
terminate connection
12
}
13 }
14 else{
15
//Validation fails and
terminate connection
}
@1 SSL_CTX_new
@2 SSL_new
@3 SSL_connect
@4:
SSL_get_peer
_certificate
@6:
SSL_get_verify
_result
@5: If condition
(cert!=NULL)
@6: If condition
(==X509_V_OK)
@8: SSL_read/SSL_write
Data Flow & Control Flow
11
SSLint Signatures
We use Program dependence graphs (PDGs)
as code representation as well as signature
representation, in order to capture both
control flow and data flow
SSL_connect()
<function call>
(x3)(y3)
SSL_new()
<function call>
(x2)(y2)
SSL_get_peer_certificate()
<function call>
(y4)
SSL_CTX_new()
<function call>
(x1)(y1)
SSL_CTX_set_verify()
<function call>
(x4)
SSL_get_verify_result()
<function call>
(y5)
OR
<condition-point>
(==NULL)?
(y6)
SSL_read()/SSL_write()
<function call>
(x6)
<condition-point>
(==X509_V_OK)?
(y7)
SSL_read()/SSL_write()
<function call>
(y8)
Signature for OpenSSL APIs
SSL_VERIFY_PEER
<Const>
(x5)
Data dependence
Control dependence
12
SSLint Implementation
Technical Challenges:
 Defining and representing
correct use.
SSL_new()
 Identifying the preliminary
condition for signature
matching.
 Automated candidate app
selection and compilation.
SSL_read()
or
SSL_write()
13
SSLint Implementation
• Certificate Validation Vulnerability Scanner
• CodeSurfer provides static analysis
• 2.6K LoC (in C++)
• Generated PDGs matched with signatures
– Signature Expressions motivated from
Cypher, a graph query language
– Custom algorithm to perform the matches
14
Results
• Signatures implemented for OpenSSL and
GnuTLS
– the most popular two SSL/TLS libraries
• Scanned the entire Ubuntu distribution
– Scanned 22 million LoC in static analysis.
– 485 applications using OpenSSL and GnuTLS
• Detected 27 vulnerabilities
– All reported and confirmed
– 4 fixed, 14 responses from developers
15
Results
 Vulnerable E-mail Software
– Xfce4-Mailwatch-Plugin, Mailfilter, Exim,
DragonFly Mail Agent, spamc
 Vulnerable IRC Software
– Enhanced Programmable ircII client (EPIC), Scrollz
 Other Vulnerable Software
Web(https): Prayer front end, xxxterm
Database: FreeTDS
Admin tool: nagircbot, nagios-nrpe-plugin, syslog-ng
Performance testing tool: siege, httperf, httping
16
Results
App Name
LoC
Vulnerability
Type
SSL
library
Dynamic
Auditing
Developer
Feedback
dma
12,504
Certificate Validation
OpenSSL
Proved
Confirmed
exim4
94,874
Hostname Validation
OpenSSL
GnuTLS
Proved
Fixed
xfce4-mailwatchplugin
9,830
Certificate Validation
Hostname Validation
GnuTLS
Proved
spamc
5,472
Certificate Validation
OpenSSL
Confirmed
prayer
45,555
Certificate Validation
OpenSSL
Confirmed
epic4
56,168
Certificate Validation
OpenSSL
Proved
Fixed
epic5
65,155
Certificate Validation
OpenSSL
Proved
Fixed
scrollz
78,390
Certificate Validation
Hostname Validation
OpenSSL
GnuTLS
Proved
Confirmed
xxxterm
23,126
Hostname Validation
GnuTLS
Proved
Confirmed
httping
1,400
Certificate Validation
OpenSSL
Proved
Confirmed
pavuk
51,781
Certificate Validation
OpenSSL
Confirmed
crtmpserver5
57,377
Certificate Validation
OpenSSL
Confirmed
freetds-bin
80,203
Certificate Validation
Hostname Validation
GnuTLS
Proved
Confirmed
17
Results
App Name
LoC
Vulnerability
Type
SSL
library
Dynamic
Auditing
Developer
Feedback
nagircbot
3,307
Certificate Validation
OpenSSL
Proved
picolisp
14,250
Certificate Validation
OpenSSL
Fixed
nagios-nrpeplugin
3,145
Certificate Validation
OpenSSL
Confirmed
citadel-client
56,866
Certificate Validation
OpenSSL
Proved
mailfilter
4,773
Certificate Validation
OpenSSL
Proved
suck
12,083
Certificate Validation
OpenSSL
Proved
proxytunnel
2,043
Certificate Validation
Hostname Validation
GnuTLS
Proved
siege
8,581
Certificate Validation
OpenSSL
Proved
httperf
6,692
Certificate Validation
OpenSSL
Proved
syslog-ng
115,513
Certificate Validation
OpenSSL
Proved
medusa
18,811
Certificate Validation
OpenSSL
Proved
hydra
23,839
Certificate Validation
OpenSSL
Proved
ratproxy
4,069
Certificate Validation
OpenSSL
Proved
dsniff
24,625
Certificate Validation
OpenSSL
Proved
18
Conclusion & Ongoing work
 Conclusion
– We design and implement SSLint to verify SSL
API usage in large scale.(22M LoC)
– We discover 27 previously unknown
vulnerable apps due to misuse
 Ongoing work
– SSLint is our 1st step to verify API usage by
static analysis. (A generic approach?)
– Fix failed applications in analysis by
automatically identify SSL-relevant
modules in application code.
19
Demo
Attack Demo Video
against
Xfce4-mailwatch-plugin
20
Thank you!
http://list.zju.edu.cn/
http://list.cs.northwestern.edu/
Questions?
21
BackUp
22
A Motivating Example
Vulnerable example (OpenSSL API)
const SSL_METHOD *method;
SSL_CTX *ctx;
SSL *ssl;
…
method =
TLSv1_client_method();
...
ctx = SSL_CTX_new(method);
...
ssl = SSL_new(ctx);
...
SSL_CTX_set_verify(ctx,
SSL_VERIFY_NONE,...);
...
SSL_connect(ssl);
Specify the protocol: TLSv1
Create SSL context.
Create SSL session.
Configure OpenSSL built-in
certificate validation, but
fail to enforcement this
validation during
handshake
Launch SSL handshake
23
A Motivating Example Cont’d
Fix of Vulnerable example
const SSL_METHOD *method;
SSL_CTX *ctx;
SSL *ssl;
…
method =
TLSv1_client_method();
...
ctx = SSL_CTX_new(method);
...
ssl = SSL_new(ctx);
...
SSL_CTX_set_verify(ctx,
SSL_VERIFY_PEER,...);
...
SSL_connect(ssl);
Use SSL_VERIFY_PEER
flag instead of
SSL_VERIFY_NONE to
enforce OpenSSL built-in
certificate validation
during handshake.
24
OpenSSL API
Start
SSL/TLS
handshake
Global
initialization
Authentication
Create SSL_METHOD
(select protocol version)
PASS
Create SSL_CTX
(context for SSL)
Data transmission over SSL
FAIL
Configure SSL_CTX
(set up certificates, keys, etc)
SSL shutdown
Create SSL
Set up sockets
for SSL
End
25
Incorrect use of SSL API
Server Certificate
CommonName: www.google.com
https://www.google.com
Issuer: Google CA
Signature:****************
Poisoned DNS cache
Victim
Router(Gateway)
Web Server
Server Certificate
CommonName:www.attacker.com
Man-in-the-middle
attacks caused by
incorrect hostname
validation.
Issuer: Verisign
Signature:****************
Attacker
26
Measurement results
SSL/TLS apps in
Ubuntu 12.04
104
138
349
OpenSSL app
Analysis Coverage
GnuTLS app
381
App sucesseed analyzed
App failed in analysis
27
Accuracy
28
Static Analysis
29