Practical Symbolic Execution for Exposing Noncompliance

CERIAS The Center for Education and Research in Information Assurance and Security

SymCerts: Practical Symbolic Execution For Exposing Noncompliance in X.509 Certiﬁcate Validation Implementations § ‡ Sze Yiu Chau Omar Chowdhury Endadul Hoque Huangyi Ge Aniket Kate Cristina Nita-Rotaru Ninghui Li § ‡ Purdue University The University of Iowa Northeastern University

(1) The need for secure communications (2) Why do we care about X.509 certiﬁcates?

Conﬁdentiality SSL/TLS is now the de facto standard for achiving secure communication X.509 is used in SSL/TLS SSL & Integrity • • Percentage of Web Pages Loaded by Firefox Using HTTPS For Authentication and Key Distribution Key Distribution (14 day moving average, as reported by Firefox Telemetry) → 54 52 The security guarantees of SSL/TLS hinge on a 50 • Authentication 48 correct implementation of the X.509 PKI 46 44

Percentage 42 40 38 36 (4) Implications of bugs in X.509 implementations 15-Oct 15-Dec 16-Feb 16-Apr 16-Jun 16-Aug 16-Oct 16-Dec 17-Feb

Overly Permissive Overly Restrictive Violating speciﬁcations can lead • (3) How does X.509 work? to 2 contrasting pitfalls

Root CAs Signs (6) Research Problem Intermediate CAs Signs Goal: Find RFC Violations in X.509 implementations made for IoT. End Entities (e.g. Servers) RFC 5280 Related Work • SSL/TLS protocol state machine and bug ﬁnder → Cryptographic proofs and reworked state machine → (5) Small Footprint SSL/TLS libraries for IoT Detect incorrect SSL/TLS API usage in applications →

SSL SSL SSL (8) Making Symbolic Execution practical

Focus our analysis on small-footprint, small code-base libraries • Adding domain speciﬁc optimizations • Does not check cryptographic correctness → Concrete Length values in encoded SymCerts → Simplify strings (e.g. in name matching) (7) Our approach →

X.509 Certificate Chain Input Universe A1 (approx.) R2 (approx.) SymCert Sets of Logical (P∧Q)→Y X∨Y→¬P Formulas X∨Y→¬P ¬X→¬Q T/2+3=K (P∧Q)→Y T/2+3=K S=T-5 A⊕B=1 (10) Notable findings and their implications ... ¬X→¬Q A⊕B=1 S=T-5 Misintrept UTCTime (MatrixSSL 3.7.2, axTLS 1.4.3 and 1.5.3, tropicSSL) SSL SMT Solver • e.g. in MatrixSSL 3.7.2 expiration date can shift by 100 years SSL (P∧Q)→Y X∨Y→¬P Symbolic Accepting Rejecting ¬X→¬Q T/2+3=K → Accepting Rejecting Execution Engine Universe Universe S=T-5 A⊕B=1 Misinterpret OID of ExtKeyUsage (wolfSSL 3.6.6, MatrixSSL 3.7.2) Universe Universe (approx.) (approx.) A2 (approx.) R1 (approx.) • Overly Permissive (and compatibility issues with custom OID) → Incorrect Extension Parsing (CyaSSL 2.7.0) Crash • → (9) Summary of Experiments and Findings Rejects GeneralizedTime (tropicSSL, axTLS 1.4.3) Overly Restrictive • → Incomplete Extension Handling (various libraries) Overly Permissive • → We tested 9 implmentations from 4 families of SSL/TLS libraries. • Library - version Released RFC Violations Library - version Released RFC Violations Takeaway axTLS - 1.4.3 Jul 2011 7 CyaSSL - 2.7.0 Jun 2013 7 X.509 handling in IoT SSL/TLS libraries all deviate from speci fication axTLS - 1.5.3 Apr 2015 6 wolfSSL - 3.6.6 Aug 2015 2 • ’s hopeless for Applications tropicSSL - (Github) Mar 2013 10 MatrixSSL - 3.4.2 Feb 2013 6 If there is a vulnerability in the library, it • PolarSSL - 1.2.8 Jun 2013 4 MatrixSSL - 3.7.2 Apr 2015 5 We provide automated approach and toolchain for finding violations mbedTLS - 2.1.4 Jan 2016 1 Total: 48 • fic many problems are fixed Our experiments turn out to be quite proli → Findings have been reported and well-received by library developers. • Patch often! • New versions of SSL/TLS libraries are generally better → Many of the problems are fixed in new releases following our reports. • → * We thank the Purdue Research Foundation and the National Science Foundation for funding this project.