QUIC Record Layer

QUIC Record Layer

A Security Model and Fully Verified Implementation for the IETF QUIC Record Layer Antoine Delignat-Lavaud∗, Cédric Fournet∗, Bryan Parnoy, Jonathan Protzenko∗, Tahina Ramananandro∗, Jay Bosamiyay, Joseph Lallemandz, Itsaka Rakotonirinaz, Yi Zhouy ∗Microsoft Research yCarnegie Mellon University zINRIA Nancy Grand-Est, LORIA Abstract—Drawing on earlier protocol-verification work, we investigate the security of the QUIC record layer, as standardized Application Application by the IETF in draft version 30. This version features major HTTP/2 HTTP/3 differences compared to Google’s original protocol and early IETF drafts. It serves as a useful test case for our verification TLS QUIC methodology and toolchain, while also, hopefully, drawing atten- tion to a little studied yet crucially important emerging standard. TCP UDP We model QUIC packet and header encryption, which uses IP IP a custom construction for privacy. To capture its goals, we propose a security definition for authenticated encryption with Fig. 1: Modularity of current networking stack vs. QUIC semi-implicit nonces. We show that QUIC uses an instance of a generic construction parameterized by a standard AEAD-secure scheme and a PRF-secure cipher. We formalize and verify the it is possible to combine both features in a single message, security of this construction in F?. The proof uncovers interesting saving a full network round-trip. limitations of nonce confidentiality, due to the malleability of short From a security standpoint, a fully-integrated secure trans- headers and the ability to choose the number of least significant port protocol offers the potential for a single, clean security bits included in the packet counter. We propose improvements theorem, which avoids the pitfalls that arise when composing that simplify the proof and increase robustness against strong attacker models. In addition to the verified security model, we adversary models from different layers. Mismatched assump- also give a concrete functional specification for the record layer, tions have caused several surprising cross-layer attacks against and prove that it satisfies important functionality properties HTTPS. For instance, the CRIME [47] and BREACH [43] (such as the correct successful decryption of encrypted packets) attacks illustrate the risk of composing application-layer com- after fixing more errors in the draft. We then provide a high- pression with transport-layer encryption against adversaries performance implementation of the record layer that we prove to that can both control the application plaintext and observe be memory safe, correct with respect to our concrete specification encrypted TLS traffic. Interestingly, transport compression (inheriting its functional correctness properties), and secure with exists in Google’s version of QUIC, but was removed entirely respect to our verified model. To evaluate this component, we by the IETF. Another example is cross-layer truncation attacks, develop a provably-safe implementation of the rest of the QUIC such as the Cookie Cutter attack [15], where applications may protocol. Our record layer achieves nearly 2 GB/s throughput, and our QUIC implementation’s performance is within 21% of perform dangerous side-effects based on incomplete received an unverified baseline. data due to a TCP error. With QUIC, it becomes possible to consider a single adversarial model for the application’s I. INTRODUCTION transport and, in principle, to show that an application is secure against the UDP/IP message interface, which is very hard to The majority of the Web today relies on the network stack achieve with TLS or IPSec. consisting of IP, TCP, TLS and HTTP. This stack is modular but inefficient: TLS starts only when the TCP handshake is Although QUIC was originally designed and implemented complete, and HTTP must wait for completion of the TLS by Google for its own products, it is currently undergoing handshake. There have been recent efforts to cut this latency standardization by the IETF [36]. An explicit goal of the overhead (using, e.g., TCP fast open and TLS 1.3 0-RTT), QUIC working group has been to ensure that QUIC inherits all but further gains require breaking the classic OSI model. the security properties of TLS 1.3, thus avoiding the lengthy QUIC was introduced by Google in 2012 [38] to increase formal protocol analysis effort that stretched out the TLS 1.3 performance by breaking layer abstractions, combining fea- standardization process for 4 years. tures that are part of TCP (fragmentation, re-transmission, Unfortunately, as we highlight in this paper (§II), the reliable delivery, flow control), TLS (key exchange, encryption working group has failed to achieve that goal; the latest and authentication), and application protocols (parallel data IETF drafts have progressively opened up many internal TLS streams) into a more integrated protocol, as shown in Figure1. abstractions, and thus, increasingly diverged from the context For example, consider two independent features that require under which TLS 1.3 is proved secure. Entire features of TLS an extra round-trip: source address validation (when a server (including the record layer [52], version negotiation, the end- wants to check that the source IP of an initial packet is not of-early-data message, hello retry, re-keying, and some key spoofed, currently part of the TCP handshake), and a TLS derivations) have been replaced in QUIC, often under different hello-retry request (when a server asks the client to send its assumptions; furthermore, new cryptographic constructions, key share over a different Diffie-Hellman group). Using QUIC, which have received little academic scrutiny, have been added. Handshake Alert App Data Q TLS Handshake 1 n 0 Messages Keys n … U Handshake Traffic … Stream Stream Stream Stream TLS Record Layer (stream 0) Messages Secrets Stream Records QUIC Protocol Logic Exporter Frames I QUIC Protocol Logic Frames Secrets QUIC Record Layer Packets C QUIC Record Layer Packets Fig. 2: Internal modularity between TLS 1.3 and QUIC before (left) and after (right) draft 12. In the latter, the QUIC Protocol Logic is responsible for deriving keys from the TLS Handshake’s traffic secrets. The standard has also drifted significantly away from Google’s C5 Fast, Provably Safe QUIC Implementation. Finally, we original version of QUIC, to the point that little of the early develop a proof-of-concept implementation (§V) of the security analysis work on Google’s QUIC ([40], [37], [30]) is QUIC protocol logic verified for memory safety, which relevant to the IETF version. Careful new analysis is required we use to evaluate (§VI) our verified implementation to capture the security properties of QUIC data streams. of the record layer (C4), leveraging previously verified Hence, the primary goal of this paper is to analyze and artifacts for the TLS handshake [17] and cryptographic address weaknesses in a protocol that is practically as im- primitives [44], to produce a verified implementation of portant as TLS but that has received little academic attention the full IETF QUIC protocol. (despite imminent standardization and deployment). We do While our work provides a better understanding of QUIC’s so by applying and extending methodologies and verification goals and the extent to which the current draft protocol toolchains developed in the context of TLS to this new setting, meets them, this is not yet an end-to-end verification of the thereby also validating their applicability to challenging non- protocol, as the proofs for the protocol logic would have to TLS constructions. be significantly expanded and strengthened to connect the Concretely, we model and mechanically verify the security guarantees from the TLS handshake with those of the record of the new features of the IETF’s QUIC, focusing on what layer and hence produce a single application-facing theorem we refer to as the QUIC “record layer”, i.e., the portion that for the entire implementation. handles packet formatting and encryption. This is an important While we prove strong correctness and security properties step towards full end-to-end verification of the soon-to-be- for QUIC, like any verification result, our guarantees rely on standardized protocol (we discuss remaining steps below). Our the correctness of our formalized cryptographic definitions contributions consist of: and of our verification tools. As we show in §VI, while the performance of our record layer implementation is quite C1 Security Model. We give a new security definition (build- strong (2 GB/s), our protocol logic limits the performance of ing on prior work [11], [41]) that captures the record our overall QUIC reference implementation, leaving us 21% layer’s security and privacy goals (§III-B). We found slower than our unverified baseline. that early drafts of QUIC failed to satisfy this definition; our feedback [42] resulted in updates to the construction All of our specifications, implementations, and proofs are (draft 17) and the explicit authentication of connection open source and available on GitHub at: identifiers [53] (draft 27) despite initial pushback (§III-D). ? https://github.com/project-everest/everquic-crypto C2 Formal Spec and Functional Properties. We use F [50], https://github.com/secure-foundations/everquic-dafny a functional language with a dependent type system for program verification, to develop a mechanized version of II. QUIC BACKGROUND our security definition (C1) as well as a detailed functional Because of its integrated nature, it is hard to summarize specification for QUIC’s new record layer construction QUIC. We introduce the aspects relevant to our security anal- (§IV-B). We also prove (§IV-C) correctness of the speci- ysis, focusing on confidentiality, integrity and authentication fication, e.g., non-malleability of the encoding of headers goals, but refer to the IETF drafts [36], [52] for details. We and that decryption inverts encryption. These proofs identi- also highlight deviations from QUIC’s original goal of treating fied two flaws in the IETF reference implementation, and TLS as a black box.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    17 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us