Program Analysis of Cryptographic Implementations for Security Sazzadur Rahaman Danfeng (Daphne) Yao Department of Computer Science Department of Computer Science Virginia Tech Virginia Tech [email protected] [email protected] Abstract—Cryptographic implementation errors in popular leads to another [4]. In general, these vulnerabilities due to open source libraries (e.g., OpenSSL, GnuTLS, BotanTLS, simple programming errors in cryptographic implementa- etc.) and the misuses of cryptographic primitives (e.g., as in tions affect millions of devices, rendering millions of users Juniper Network) have been the major source of vulnerabili- vulnerable to adversarial attacks. ties in the wild. These serious problems prompt the need for new compile-time security checking. Such security enforce- Listing 1: The core ScreenOS 6.2 PRNG functions [2]. prng_temporary prng_output_index ments demand the study of various cryptographic properties Here, and prng_reseed and their mapping into enforceable program analysis rules. are global variables. When is called (Line 19), the loop control variable (prng_output_index) We refer to this new security approach as cryptographic of function, prng_generate is set to 32, causing program analysis (CPA). In this paper, we show how cryp- prng_generate to output prng_seed from Line 5. tographic program analysis can be performed effectively and In Section 3, We show how static taint analysis can be its security applications. Specifically, we systematically inves- employed to detect these types of sensitive data leakage. tigate different threat categories on various cryptographic 1 void prng_reseed(void){ implementations and their usages. Then, we derive various 2 blocks_generated_since_reseed = 0; 3 if (dualec_generate(prng_temporary, 32) != 32) security rules, which are enforceable by program analysis 4 error_handler("FIPS ERROR: PRNG failure, unable to reseed", 11); tools during code compilation. We also demonstrate the capa- 5 memcpy(prng_seed, prng_temporary, 8); 6 prng_output_index = 8; bilities of static taint analysis to enforce most of these security 7 memcpy(prng_key, &prng_temporary[prng_output_index], 24); rules and provide a prototype implementation. We point out 8 prng_output_index = 32; 9 } promising future research and development directions in this 10 11 void prng_generate(int is_one_stage) { new area of cryptographic program analysis. 12 int time[2]; 13 time[0] = 0; 14 time[1] = get_cycles(); 1. Introduction 15 prng_output_index = 0; 16 ++blocks_generated_since_reseed; In contrast to the multi-decade advancement of modern 17 cryptography, the practical task of securing cryptographic 18 if (!one_stage_rng(is_one_stage)) { 19 prng_reseed(); implementation is still in its infancy. This gap became par- 20 } ticularly alarming, after multiple recent high-profile discov- 21 22 for (; prng_output_index <= 0x1F; prng_output_index += 8) { eries of cryptography-related vulnerabilities in widely used 23 // FIPS checks... 24 x9_31_generate_block(time, prng_seed, prng_key, prng_block); network libraries and tools (e.g., heartbleed vulnerability in 25 // FIPS checks... OpenSSL [1], seed leaking in Juniper Network [2]). 26 memcpy(&prng_temporary[prng_output_index], prng_block, 8); 27 } Surprisingly, most of these vulnerabilities occur due to 28 } programming mistakes rather than their underlying crypto algorithms [3]. For example, during the investigation of With the increase of computational power, fuzzing and Juniper incident in 2015 (CVE-2015-7756) [2], researchers symbolic execution based approaches are being popular discovered that, Juniper Network code did not only contain to automatically discover vulnerabilities [5], [6]. In [7], backdoor-able cryptographic primitives, but also a fatal pro- researchers presented a mechanism to infer client behaviors gramming error that could leak PRNG seeds. In Listing 1, by leveraging symbolic executions of client-side codes. The we see that the logical error incorporated due to the shared work also demonstrated how such prediction can be used use of global variables (e.g.,prng_temporary and to filter malicious traffics to the server. However, these prng_output_index) causes the leak of prng_seed techniques are limited to find only the input guided vulner- (Line 5 in prng_reseed) in immediate post-seed (Line abilities with externally visible behaviors (e.g., triggering 19) output of prng_generate function. In OpenSSL, a program crashes [8] or anomalous protocol states [7], [9]). memory disclosure vulnerability named heartbleed (CVE- It is still unclear how to use them to enforce security rules 2014-0160) had the potential to leak sensitive informa- in a code base, where the violations are not externally tion (e.g., cryptographic keys, PRNG seeds, etc.). One visible. For example, guarding against buffer over-read can observe that similar types of bugs (or vulnerabilities) (Heartbleed), use of “improper” IVs in ciphers, “poor” appear from time to time. Sometimes fixing one problem random number generation or use of legacy cryptographic primitives, etc. cations with millions of lines of code, more development Although effort to close the gap between the theory work is still ahead. Our work reported in this paper ad- and practice of cryptography has been recognized previ- dresses the fundamental challenge of mapping theoretical ously [10], most of the work was on using and deploy- cryptographic concepts to practical code structures, which ing provable cryptographic solutions in emerging applica- will guide future development effort of the community. tions, not on ensuring the correct implementation/use [11]. Our paper is organized as follows. In Section 2, In [12], researchers presented an empirical study on An- we present different genres of vulnerabilities appeared in droid applications analyzing some cryptographic misuses various cryptographic implementations. In Section 3, we using lightweight control flow analysis. However, its capa- present how different security rules can be enforced using bility is limited to detecting hard-coded seeds, keys, and static program analysis. We point out several promising IVs, the use of AES in ECB mode and using too few future research and development directions in Section 4. iterations for password-based encryption. Static code analysis has been a central focus in scientific 2. Crypto Vulnerabilities studies regarding malware analysis [13], [14], vulnerability In this section, we present different state-of-the-art discoveries [15], [16], [17], data leak detections [18], etc. cryptographic vulnerabilities. We also categorize them into It also has the potential to check and report whether a several broad groups. In Table 1, we present a set of piece of code complies with certain rules or not [19], security rules those are needed to be enforced to defend [20]. In this paper, we describe our initial efforts towards crypto implementations against these vulnerabilities. statically screening source code (namely C/C++ code) us- ing static taint analysis to ensure the correct implemen- 2.1. Chosen-plaintext attacks on IVs tation of cryptographic properties (i.e.., secrecy, pseudo- randomness, etc.). We refer to this new security approach Electronic Codebook (ECB) mode encryption is not as cryptographic program analysis (CPA). semantically secured [3]. Bard et al. [21] showed that, the Although appearing intuitive, this effort requires the determinism of IVs can make cipher block chaining (CBC) challenging task of mapping abstract cryptography concepts mode encryption unsecured too. However, the vulnerability to concrete program properties. We illustrate how to close was theoretical until late 2011. Doung and Rizzo [22] this semantic gap by translating cryptographic concepts demonstrated a live attack (known as BEAST) against into properties those can be verified by taint-based pro- Paypal by exploiting the vulnerability. Row 1 in Table 1 gram analysis tools. First, we study various state-of-the-art corresponds to the security enforcement rule to avoid the vulnerabilities to derive different security rules those are use of ECB mode cipher and Row 2 corresponds to the necessary to be complied by any cryptographic libraries, attacks related to the predictability of IVs in CBC mode protocol implementations and any code that uses these encryption. In Section 3, we discuss static taint analysis cryptographic implementations. Then, we discuss static based mechanisms to detect these vulnerabilities. taint analysis-based methodology to enforce these security rules. We also provide a prototype implementation and 2.2. Attacks on PRNG demonstrate the effectiveness of this approach. Unlike [12], our static analysis tool is capable of path sensitive and Historically, random number generators have been a context sensitive analysis, hence capable of enforcing a rich major source of vulnerabilities [23], [24], [25]. This is set of cryptographic properties. because many of the cryptographic schemes depend on Our technical contributions are summarized as follows. a cryptographically secure random number generator for • We provide a taxonomy of 25 types of exploitable key and cryptographic nonce generation (Row 11), if a vulnerabilities on cryptographic implementations. random number generator can be made predictable (e.g., We categorize these vulnerabilities under 12 types use of predictable seeds (Row 9), backdoor-able PRNG of attacks. We derived 25 enforceable rules from (Row 10)), it can be used as a backdoor by an attacker this vulnerability analysis
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages8 Page
-
File Size-