petar tsankov, mohammad torabi dashti, david basin eth ......input universe motivation behaviors may...
TRANSCRIPT
-
SECFUZZ: Fuzz-testing Security Protocols
Petar Tsankov, Mohammad Torabi Dashti, David BasinETH Zurich
-
2Institute of Information Security / ETH Zurich19.09.2015
Input universeMotivation
BehaviorsMay expose vulnerabilities
Abnormal behaviors
Security protocol implementation
Well-formed inputs
Invalid inputs
-
3Institute of Information Security / ETH Zurich19.09.2015
Fuzz-testing Security Protocols
Collect well-formed inputs Internet Source code (white-box) Model (model-based)
Mutate the inputs Fuzz operators
Execute the inputs and check for failures E.g. memory errors, broken invariants
Step 1
Step 2
Step 3
-
4Institute of Information Security / ETH Zurich19.09.2015
ChallengesInitiator Responder
KEA, NA
KEB, NB
Enc(K, Auth)
Challenges: Encrypted messages Security protocols are stateful Messages are non-replayable
...
Fresh KEA, NA
Fresh KEB, NB
Compute key K = Hash(KEA, KEB, Secret)
-
5Institute of Information Security / ETH Zurich19.09.2015
Dynamicanalysis
SecFuzz: Setting
Initiator Responder
Log file
Fuzzer
Key advantages: Light-weight and modular approach Fresh messages Fuzzer can decrypt messages
SystemUnderTest
-
6Institute of Information Security / ETH Zurich19.09.2015
Input Mutation
A fuzz operator:
Mutates a well-formed input. The mutated input is likely to expose vulnerabilities.
The fuzz operators should produce mutated inputs that expose common programming mistakes.
-
7Institute of Information Security / ETH Zurich19.09.2015
Input Structure
An input consists of:
a sequence of messages
a message consists of fields
-
8Institute of Information Security / ETH Zurich19.09.2015
Fuzz operators
Message fuzz operators Insert random (well-formed) message
Field fuzz operator Insert random field Remove field Duplicate field Modify field
-
9Institute of Information Security / ETH Zurich19.09.2015
Fuzz-testing Security Protocols
Collect well-formed inputs Internet Source code (white-box) Model (model-based)
Mutate the inputs Fuzz operators
Execute the inputs and check for failures E.g. memory errors, broken invariants
Step 1
Step 2
Step 3
-
10Institute of Information Security / ETH Zurich19.09.2015
Detecting vulnerabilities
The dynamic analysis monitors the SUT and reports failures. Memory errors are a common source of vulnerabilities:
Tools: Valgrind's Memcheck, IBM's Purify
Dynamicanalysis
Initiator Responder
Log file
Fuzzer
SUT
-
11Institute of Information Security / ETH Zurich19.09.2015
Internet Key Exchange Case Study
Test subject: OpenSwan v2.6.35Results: Discovered a previously unknown use-after-free vulnerability.
Test subject: ShrewSoft's VPN Client for Windows v2.1.7Results: Discovered a previously unknown unhandled exception vulnerability.
Experiment 2
Experiment 1
-
12Institute of Information Security / ETH Zurich19.09.2015
Fuzz-testing OpenSwan
SUT: OpenSwan v2.6.35 A popular IPSec implementation for Linux.
Dynamic analysis: Valgrind's Memcheck Detects different types of memory access errors.
Fuzzer: SecFuzz, implemented using Python / Scapy.
OpenSwan(initiator)
OpenSwan(responder)
SecFuzz
Valgrind
Log file
SUT
-
13Institute of Information Security / ETH Zurich19.09.2015
OpenSwan: IKE Implementation details
Initiator Responder
Cryptohelper
Access
Done
Phase 1 Phase 1state
SAestablished
Propose SAs
Accepted SA
Ack
SUT
-
14Institute of Information Security / ETH Zurich19.09.2015
OpenSwan: Use-after-free Vulnerability
Initiator Responder
Cryptohelper
Access
Phase 1 Phase 1stateFreed
MemoryPropose SAs
Close Session
Invalid memory access
The vulnerability was reported and a securitypatch was released in CVE-2011-4073.
SUT
-
15Institute of Information Security / ETH Zurich19.09.2015
ShrewSoft's VPN Client: Unhandled Exception
Initiator Responder
SUT
Unhandledexception
Propose SAs
Accepted SA
KEI: ”0123”, NI
KER: “\0”, NR
The vulnerability details will appearin CVE-2012-0784.
-
16Institute of Information Security / ETH Zurich19.09.2015
Related Approaches
Key Requirements: Stateful exploration Encryption handling
ApproachTask
Model-based White-box SecFuzz
Generate inputs Needs a model Needs the source code
Needs a running implementation
Execute inputs Concretization Solve crypto constraints
Immediate
-
17Institute of Information Security / ETH Zurich19.09.2015
Slide 1Slide 2Slide 3Slide 4Slide 5Slide 6Slide 7Slide 8Slide 9Slide 10Slide 11Slide 12Slide 13Slide 14Slide 15Slide 16Slide 17