A Messy State of the Union: Taming the Composite State Machines of TLS
@article{Beurdouche2015AMS,
  title={A Messy State of the Union: Taming the Composite State Machines of TLS},
  author={Benjamin Beurdouche and Karthikeyan Bhargavan and Antoine Delignat-Lavaud and C{\'e}dric Fournet and Markulf Kohlweiss and Alfredo Pironti and Pierre-Yves Strub and Jean Karim Zinzindohou{\'e}},
  journal={2015 IEEE Symposium on Security and Privacy},
  year={2015},
  pages={535-552}
}
Implementations of the Transport Layer Security (TLS) protocol must handle a variety of protocol versions and extensions, authentication modes, and key exchange methods. Confusingly, each combination may prescribe a different message sequence between the client and the server. We address the problem of designing a robust composite state machine that correctly multiplexes between these different protocol modes. We systematically test popular open-source TLS implementations for state machine bugs…
197 Citations
miTLS: Verifying Protocol Implementations against Real-World Attacks
- Computer Science, IEEE Security & Privacy
- 2016
The miTLS project intends to solve the apparent contradiction between published proofs and real-world attacks, which reveals a gap between TLS theory and practice and sheds light on recent attacks, yields security guarantees for typical TLS usages, and informs the design of the protocol's next version.
STACCO: Differentially Analyzing Side-Channel Traces for Detecting SSL/TLS Vulnerabilities in Secure Enclaves
- Computer Science, CCS
- 2017
It is shown that the marriage between SGX and SSL may not be smooth sailing, and insufficient understanding of side-channel security in SGX settings is revealed, which will provoke discussions on the secure implementation and adoption of SSL/TLS in secure enclaves.
Protocol State Fuzzing of TLS Implementations
- Computer Science, USENIX Security Symposium
- 2015
This approach can catch an interesting class of implementation flaws that is apparently common in security protocol implementations: in three of the TLS implementations analysed new security flaws were found (in GnuTLS, the Java Secure Socket Extension, and OpenSSL).
Improving Application Security through TLS-Library Redesign
- Computer Science, SPACE
- 2015
This paper introduces libtlssep, a new, open-source TLS library which provides a simpler API and improved security architecture, and presents a security, programmability, and performance analysis of libtlssep.
Measuring the Security Harm of TLS Crypto Shortcuts
- Computer Science, Internet Measurement Conference
- 2016
The results suggest that site operators need to better understand the tradeoffs between optimizing TLS performance and providing strong security, particularly when faced with nation-state attackers with a history of aggressive, large-scale surveillance.
Last-Mile TLS Interception: Analysis and Observation of the Non-Public HTTPS Ecosystem
- Computer Science
- 2019
This study re-opens the neglected problem of privacy-invasive adware, showing that adware sometimes evolves to be more sophisticated than even advanced malware and poses significant detection and reverse-engineering challenges.
Content delivery over TLS: a cryptographic analysis of keyless SSL
- Computer Science, Mathematics, 2017 IEEE European Symposium on Security and Privacy (EuroS&P)
- 2017
This paper investigates the security guarantees provided by Keyless SSL, a CDN architecture currently deployed by CloudFlare that composes two TLS 1.2 handshakes to obtain a proxied TLS connection, and presents 3(S)ACCE security, a generalization of the 2-party ACCE security definition that has been used in several previous proofs for TLS.
Protocol State Machines and Session Languages: Specification, implementation, and Security Flaws
- Computer Science, 2015 IEEE Security and Privacy Workshops
- 2015
The possibility to automatically infer formal specifications of input languages, in the form of protocol state machines, from implementations by black box testing is discussed, to improve the situation of poorly specified input languages.
A System to Verify Network Behavior of Known Cryptographic Clients
- Computer Science, NSDI
- 2017
A system for verifying in near real-time that a cryptographic client’s message sequence is consistent with its known implementation, and includes a novel approach to symbolically executing the client software in multiple passes that defers expensive functions until their inputs can be inferred and concretized.
Exploiting Dissent: Towards Fuzzing-Based Differential Black-Box Testing of TLS Implementations
- Computer Science, IEEE Transactions on Dependable and Secure Computing
- 2020
A novel fuzzing algorithm is introduced for generating large and diverse corpuses of mostly-valid TLS handshake messages and is seen as the first step towards fully interactive differential testing of black-box TLS protocol implementations.