CERIAS The Center for Education and Research in Information Assurance and Security SymCerts: PrACTICAL Symbolic ExECUTION For Exposing Noncompliance IN X.509 CertifiCATE VALIDATION IMPLEMENTATIONS § ‡ Sze Yiu Chau Omar ChoWDHURY Endadul Hoque Huangyi Ge AnikET Kate Cristina Nita-Rotaru Ninghui Li § ‡ PurDUE University The University OF IOWA Northeastern University (1) The NEED FOR SECURE COMMUNICATIONS (2) Why DO WE CARE ABOUT X.509 CERTIficates? Confidentiality SSL/TLS IS NOW THE DE FACTO STANDARD FOR ACHIVING SECURE COMMUNICATION X.509 IS USED IN SSL/TLS SSL & Integrity • • Percentage of Web Pages Loaded by Firefox Using HTTPS For Authentication AND KeY Distribution Key Distribution (14 day moving average, as reported by Firefox Telemetry) ! 54 52 The SECURITY GUARANTEES OF SSL/TLS HINGE ON A 50 • Authentication 48 CORRECT IMPLEMENTATION OF THE X.509 PKI 46 44 Percentage 42 40 38 36 (4) IMPLICATIONS OF BUGS IN X.509 IMPLEMENTATIONS 15-Oct 15-Dec 16-Feb 16-Apr 16-Jun 16-Aug 16-Oct 16-Dec 17-Feb Overly Permissive Overly Restrictive Violating SPECIfiCATIONS CAN LEAD • (3) HoW DOES X.509 work? TO 2 CONTRASTING PITFALLS Root CAs Signs (6) ResearCH PrOBLEM Intermediate CAs Signs Goal: Find RFC Violations IN X.509 IMPLEMENTATIONS MADE FOR IoT. End Entities (e.g. Servers) RFC 5280 Related WORK • SSL/TLS PROTOCOL STATE MACHINE AND BUG fiNDER ! CryptogrAPHIC PROOFS AND REWORKED STATE MACHINE ! (5) Small Footprint SSL/TLS LIBRARIES FOR IoT Detect INCORRECT SSL/TLS API USAGE IN APPLICATIONS ! SSL SSL SSL (8) Making Symbolic ExECUTION PRACTICAL Focus OUR ANALYSIS ON small-footprint, SMALL code-base LIBRARIES • Adding DOMAIN SPECIfiC OPTIMIZATIONS • Does NOT CHECK CRYPTOGRAPHIC CORRECTNESS ! ConcrETE Length VALUES IN ENCODED SymCerts ! Simplify STRINGS (e.g. IN NAME matching) (7) Our APPROACH ! X.509 Certificate Chain Input Universe A1 (approx.) R2 (approx.) SymCert Sets of Logical (P∧Q)→Y X∨Y→¬P Formulas X∨Y→¬P ¬X→¬Q T/2+3=K (P∧Q)→Y T/2+3=K S=T-5 A⊕B=1 (10) Notable fiNDINGS AND THEIR IMPLICATIONS ... ¬X→¬Q A⊕B=1 S=T-5 MisintrEPT UTCTime (MatrixSSL 3.7.2, axTLS 1.4.3 AND 1.5.3, TRopicSSL) SSL SMT Solver • e.g. IN MatrixSSL 3.7.2 EXPIRATION DATE CAN SHIFT BY 100 YEARS SSL (P∧Q)→Y X∨Y→¬P Symbolic Accepting Rejecting ¬X→¬Q T/2+3=K ! Accepting Rejecting Execution Engine Universe Universe S=T-5 A⊕B=1 MisinterprET OID OF ExtKeyUsage (wolfSSL 3.6.6, MatrixSSL 3.7.2) Universe Universe (approx.) (approx.) A2 (approx.) R1 (approx.) • Overly Permissive (and COMPATIBILITY ISSUES WITH CUSTOM OID) ! INCORRECT Extension Parsing (CyaSSL 2.7.0) CrASH • ! (9) Summary OF Experiments AND Findings Rejects GeneralizedTime (tropicSSL, axTLS 1.4.3) Overly Restrictive • ! INCOMPLETE Extension Handling (various LIBRaries) Overly Permissive • ! WE TESTED 9 IMPLMENTATIONS FROM 4 FAMILIES OF SSL/TLS LIBRaries. • LibrARY - VERSION Released RFC Violations LibrARY - VERSION Released RFC Violations TAKEAWAY axTLS - 1.4.3 Jul 2011 7 CyaSSL - 2.7.0 Jun 2013 7 X.509 HANDLING IN IoT SSL/TLS LIBRARIES ALL DEVIATE FROM SPECI fiCATION axTLS - 1.5.3 Apr 2015 6 wolfSSL - 3.6.6 Aug 2015 2 • ’S HOPELESS FOR Applications TRopicSSL - (Github) Mar 2013 10 MatrixSSL - 3.4.2 Feb 2013 6 IF THERE IS A VULNERABILITY IN THE LIBRARY, IT • PolarSSL - 1.2.8 Jun 2013 4 MatrixSSL - 3.7.2 Apr 2015 5 WE PROVIDE AUTOMATED APPROACH AND TOOLCHAIN FOR fiNDING VIOLATIONS mbedTLS - 2.1.4 Jan 2016 1 Total: 48 • fiC MANY PROBLEMS ARE fiXED Our EXPERIMENTS TURN OUT TO BE QUITE PROLI ! Findings HAVE BEEN REPORTED AND well-rECEIVED BY LIBRARY DEvelopers. • Patch often! • NeW VERSIONS OF SSL/TLS LIBRARIES ARE GENERALLY BETTER ! Many OF THE PROBLEMS ARE fiXED IN NEW RELEASES FOLLOWING OUR Reports. • ! * WE THANK THE PurDUE ResearCH Foundation AND THE National Science Foundation FOR FUNDING THIS PRoject..