
A messy state of the union: taming the composite state machines of TLS

Published: 23 January 2017

Abstract

The Transport Layer Security (TLS) protocol supports various authentication modes, key exchange methods, and protocol extensions. Confusingly, each combination may prescribe a different message sequence between the client and the server, and thus a key challenge for TLS implementations is to define a composite state machine that correctly handles these combinations. If the state machine is too restrictive, the implementation may fail to interoperate with others; if it is too liberal, it may allow unexpected message sequences that break the security of the protocol. We systematically test popular TLS implementations and find unexpected transitions in many of their state machines that have stayed hidden for years. We show how some of these flaws lead to critical security vulnerabilities, such as FREAK. While testing can help find such bugs, formal verification can prevent them entirely. To this end, we implement and formally verify a new composite state machine for OpenSSL, a popular TLS library.
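As an added illustration (not code from the paper or from OpenSSL), the following Python sketch shows the composite-state-machine problem the abstract describes: in TLS 1.2 the legal server flight depends on the key exchange negotiated in ServerHello, so a client must check each incoming message against the flight for that key exchange rather than against one permissive list of message types. Message names follow RFC 5246; the flight table, the `?` marker for optional messages and the function names are this example's own conventions.

```python
# Added example: a table-driven composite state machine for the TLS 1.2 server
# flight, as a client would enforce it. Not the paper's or OpenSSL's code.

# Expected server flight per key-exchange method (TLS 1.2, RFC 5246 section 7.3).
# A trailing '?' marks a message the server may omit. Note that the RSA key
# exchange prescribes no ServerKeyExchange at all: a client that accepts one in
# an RSA handshake has exactly the kind of extra transition the paper hunts for.
FLIGHTS = {
    "RSA":     ["ServerHello", "Certificate", "CertificateRequest?", "ServerHelloDone"],
    "DHE":     ["ServerHello", "Certificate", "ServerKeyExchange", "CertificateRequest?", "ServerHelloDone"],
    "ECDHE":   ["ServerHello", "Certificate", "ServerKeyExchange", "CertificateRequest?", "ServerHelloDone"],
    "DH_anon": ["ServerHello", "ServerKeyExchange", "ServerHelloDone"],
}


def validate_server_flight(kex: str, msgs: list[str]) -> tuple[bool, str]:
    """Strictly check a received server flight against the flight for `kex`.

    Returns (accepted, reason). Every required message must arrive in order,
    optional messages may be skipped, and nothing else is tolerated.
    """
    flight = FLIGHTS[kex]
    pos = 0
    for msg in msgs:
        # Step over optional messages the server chose not to send.
        while pos < len(flight) and flight[pos].endswith("?") and flight[pos][:-1] != msg:
            pos += 1
        if pos >= len(flight) or flight[pos].rstrip("?") != msg:
            return False, f"unexpected {msg} at position {pos} of the {kex} flight"
        pos += 1
    # Whatever remains must be optional, otherwise the flight ended early.
    missing = [m for m in flight[pos:] if not m.endswith("?")]
    if missing:
        return False, f"flight ended early, missing {missing}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed message sequences, as a client would see them after ServerHello
    # fixed the key exchange.
    cases = [
        ("RSA",   ["ServerHello", "Certificate", "ServerHelloDone"]),
        ("RSA",   ["ServerHello", "Certificate", "CertificateRequest", "ServerHelloDone"]),
        ("RSA",   ["ServerHello", "Certificate", "ServerKeyExchange", "ServerHelloDone"]),
        ("DHE",   ["ServerHello", "Certificate", "ServerHelloDone"]),
        ("ECDHE", ["ServerHello", "Certificate", "ServerKeyExchange", "ServerHelloDone"]),
    ]
    for kex, msgs in cases:
        ok, why = validate_server_flight(kex, msgs)
        print(f"{kex:6} {'accept' if ok else 'reject'}: {why}")
```

The third case (a ServerKeyExchange arriving in an RSA handshake) is the unexpected transition class behind FREAK, and the fourth (a DHE server omitting ServerKeyExchange) shows that the same table rejects skipped required messages.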




Published In

Communications of the ACM, Volume 60, Issue 2
February 2017
106 pages
ISSN: 0001-0782
EISSN: 1557-7317
DOI: 10.1145/3042068
  • Editor: Moshe Y. Vardi

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 23 January 2017
Published in CACM Volume 60, Issue 2


Qualifiers

  • Research-article
  • Research
  • Refereed


Cited By

  • (2024) Lowcaf: A Low-Code Protocol Analysis Framework. 2024 20th International Conference on Network and Service Management (CNSM), 1-7. DOI: 10.23919/CNSM62983.2024.10814380. Online publication date: 28-Oct-2024.
  • (2024) Evaluation of the I-Voting System for Remote Primary Elections of the Czech Pirate Party. Acta Informatica Pragensia 13:3, 395-417. DOI: 10.18267/j.aip.249. Online publication date: 22-Aug-2024.
  • (2024) Monitor-based Testing of Network Protocol Implementations Using Symbolic Execution. Proceedings of the 19th International Conference on Availability, Reliability and Security, 1-12. DOI: 10.1145/3664476.3664521. Online publication date: 30-Jul-2024.
  • (2024) IPREDS: Efficient Prediction System for Internet-wide Port and Service Scanning. Proceedings of the ACM on Networking 2:CoNEXT1, 1-24. DOI: 10.1145/3649470. Online publication date: 28-Mar-2024.
  • (2023) Verifying Indistinguishability of Privacy-Preserving Protocols. Proceedings of the ACM on Programming Languages 7:OOPSLA2, 1442-1469. DOI: 10.1145/3622849. Online publication date: 16-Oct-2023.
  • (2023) Which Doors Are Open: Reinforcement Learning-based Internet-wide Port Scanning. 2023 IEEE/ACM 31st International Symposium on Quality of Service (IWQoS), 1-10. DOI: 10.1109/IWQoS57198.2023.10188692. Online publication date: 19-Jun-2023.
  • (2023) A Cryptographic Protocol Vulnerability Analysis Framework based on Fuzz Testing and Model Learning. 2023 3rd International Symposium on Computer Technology and Information Science (ISCTIS), 219-226. DOI: 10.1109/ISCTIS58954.2023.10213038. Online publication date: 7-Jul-2023.
  • (2023) Municipality2HTTPS: A study on HTTPS protocol's usage in Italian municipalities' websites. Computers & Security, 103592. DOI: 10.1016/j.cose.2023.103592. Online publication date: Nov-2023.
  • (2022) A case for remote attestation in programmable dataplanes. Proceedings of the 21st ACM Workshop on Hot Topics in Networks, 122-129. DOI: 10.1145/3563766.3564100. Online publication date: 14-Nov-2022.
  • (2022) Applying Symbolic Execution to Test Implementations of a Network Protocol Against its Specification. 2022 IEEE Conference on Software Testing, Verification and Validation (ICST), 70-81. DOI: 10.1109/ICST53961.2022.00019. Online publication date: Apr-2022.
