Auditing OpenSSL and Beyond

Thoughts on the core internet security software trust chain
Circle City Con 2015

Kenn White

June 12, 2015

Transcript

  1. Rethinking the Trust Chain:
    Auditing OpenSSL and Beyond
    Kenneth White
    June 12, 2015

  2. Topics
    • Bootstrapping Trust
    • Digging deeper
    • OpenSSL audit update
    • Core infrastructure work
    • Emerging

  3. Ping me
    Twitter @kennwhite
    Talks speakerdeck.com/kwhite
    OCAP https://opencryptoaudit.org/people

  4. Open Crypto Audit Project
    • OCAP originally formed to manage community-funded TrueCrypt audit
    • Independent technical research public interest organization
    • Technical Advisory Board: academic, industry, and legal experts in security
    • Mission: Research, analysis & education around technical security in open source software
    • Focus: software security, cryptography engineering, public awareness
    • Current project: OpenSSL audit

  5. The Software Security Trust Chain
    1 year post-Heartbleed
    • Most serious CVEs are rarely about the crypto
    • But the (most widely deployed) crypto trust chain is fragile
    • Key pieces of the core Internet network stack are virtually unexamined, and little understood

  6. The Software Security Trust Chain
    1 year post-Heartbleed
    • Most serious CVEs are (rarely) about the crypto
    • But the (most widely deployed) crypto trust chain is fragile
    • Key pieces of the core Internet network stack are virtually unexamined, and little understood

  7. The Software Security Trust Chain
    Questions
    How well do you know the network stack you’ve deployed?
    How about your technical staff?
    Do you/they understand your core dependencies?

  9. The Software Security Trust Chain
    Are you sure?

  10. The Software Security Trust Chain
    Are you sure?
    First question: Explain the dependencies of init/systemd.

  13. Mature network hardware

  14. A $100K commercial load balancer compromised by a browser ID string

  15. The Software Security Trust Chain
    Questions
    How well do you know the network stack you’ve deployed?
    How about your technical staff?
    Do you/they understand your core dependencies?

  16. The Software Security Trust Chain
    Are you sure?

  17. The Software Security Trust Chain
    Are you sure?
    First question: Explain the dependencies of init/systemd.

  18. Let’s really look at the whole security trust chain…

  19. Internet Core Trust Chain
    For example:
    o XML parsers (libxml2, Expat, SimpleXML…)
    o Image generators (libpng…)
    o Internationalization libraries (libIDN)
    o Compression (liblzma)
    o ASN.1 & x509 (everywhere)
    o Middleware core: BouncyCastle, Spring, Struts…
    o Deeper: libBFD, libCurl, IPSec netkey, pluto, l2tp

  20. Internet Core Trust Chain
    Time to look really closely, at, say:
    o XML parsers (libxml2, Expat, SimpleXML…)
    o Image generators (libpng…)
    o Internationalization libraries (libIDN)
    o Compression (liblzma)
    o ASN.1 & x509 (everywhere)
    o Middleware core: BouncyCastle, Spring, Struts…
    o Deeper: libCurl, libBFD, IPSec netkey, pluto, l2tp

  21. libcurl

  23. libbfd

  25. BFD is a BFD

  26. Are you kidding me?!

  27. “Wait, there’s more!”
    Let’s look at the shell utility ‘less’

  30. BFD is a BFD.

  31. BFD is a BFD.
    But most Linux admins have never even heard of it

  32. “All versions of Windows”

  33. Let’s go higher up

  34. Basic server certificate deployment is a solved problem, yes?

  36. Don’t underestimate the impact of applied research

  38. Network transport has integrity, yes?

  40. Network transport has integrity, yes?
    https://gist.github.com/kennwhite/1f3bc4d889b02b35d8aa

  41. Ad networks are trusted for arbitrary client code, yes?

  43. The Komodia case

  48. The nuclear option…

  50. But trust is complicated…

  53. And this isn’t helping

  54. The Security Trust Chain is Broken
    But we’re working on it

  55. PSA: Encryption is rarely the problem

  58. The Security Trust Chain is Broken
    But we’re working on it

  59. 2015 Mainstream Distro Apache/Nginx SSL in 1 Easy Slide

  60. 2015 Mainstream Distro Apache/Nginx SSL in 1 Easy Slide
    PROTOCOL: SSL v1, SSL v2, SSL v3, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3
    CIPHER: NULL, DES, 3DES, RC4, Twofish, Blowfish, AES
    KEYEX: RSA, DH, DHE, ECDH
    HMAC: MD5, SHA-1, SHA-256, SHA-384, SHA-512
    MODE: ECB, CBC, GCM
    AUTH: ECDSA, RSA

  62. 2015 Mainstream Distro Apache/Nginx SSL in 1 Easy Slide
    PROTOCOL: SSL v1, SSL v2, SSL v3, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3
    CIPHER: NULL, DES, 3DES, RC4, Twofish, Blowfish, AES
    KEYEX: RSA, DH, DHE, ECDH
    HMAC: MD5, SHA-1, SHA-256, SHA-384, SHA-512
    MODE: ECB, CBC, GCM
    AUTH: ECDSA, RSA
    Also:
    HSTS (strict secure transport), HPKP (pinning), CT (cert transparency), SNI (virtual hosts)

  63. 2015 Mainstream Distro Apache/Nginx SSL in 1 Easy Slide
    Just kidding.

  64. 2015 Mainstream Distro Apache/Nginx SSL in 1 Easy Slide
    Just kidding.
    Understand your install base, interop and threat model.
    Then read tactical guidance by Mozilla, SSLLabs, Robert Love, Adam Langley, Thomas Ptacek

  65. 2015 Mainstream Distro Apache/Nginx SSL in 1 Easy Slide
    Just kidding.
    Understand your install base, interop and threat model.
    Then read tactical guidance by Mozilla, SSLLabs, Robert Love, Adam Langley, Thomas Ptacek…

  66. For example
    Adam Langley: Matching primitive strengths
    www.imperialviolet.org/2014/05/25/strengthmatching.html
    Ivan Ristic: Introducing TLS Maturity Model
    community.qualys.com/blogs/securitylabs/2015/06/08/introducing-tls-maturity-model
    Ivan Ristic: Bulletproof SSL and TLS
    www.feistyduck.com/books/bulletproof-ssl-and-tls
    Thomas Ptacek: Cryptographic Right Answers
    gist.github.com/tqbf/be58d2d39690c3b366ad
    Mozilla: Security/Server Side TLS
    wiki.mozilla.org/Security/Server_Side_TLS

  67. The OpenSSL Audit

  68. The OpenSSL Audit
    • Commissioned by Linux Foundation’s Core Infrastructure Initiative (CII)
    • Ambitious Scope
      o Independent review
      o Coordinating closely with OpenSSL core team
      o Delayed for v. 1.1 maturity (significant refactor)
      o Diverse, complex codebase
      o Linux, BSDs, Windows, OSX, SRV5 (AIX, HP-UX, Solaris)
      o Intel x86 (incl. AES-NI), ARMv7, MIPS, PowerPC, Alpha…
      o FIPS module

  69. OpenSSL Audit
    • Goals
      • Thorough public security analysis of the core code in the next major release of OpenSSL
      • Demonstrate viability of a reusable open source test harness framework
      • Foster web-scale peer-reviewed public tools & data sets for protocol & negotiation analysis

  70. OpenSSL Audit
    Rough metrics: 412-494K total SLOC
    OpenSSL v. 1.1 master (2015-03-14)

  71. OpenSSL Audit
    • Phase 1
      • BigNum: multiprecision ints, constant time, blinding
      • BIO (focus on composition & file functions)
      • ASN.1 & x509 (cert & key parsing, DER/PEM decoding, structs, subordinate chains)
      • 93M cert corpus, “Frankencert” fuzzing
    • Phase 2
      • TLS state machine
      • EVP (PKI constructions, H/MACs, envelopes)
      • Protocol flows, core engine implementation
      • Memory management
      • Crypto core (RSA, SHA-2, DH/ECDH, CBC, GCM…)

  72. OpenSSL Audit
    Caveats
    • Schedule, funding, or quality: Pick 2
    • High Priority
      • Major architectures
      • Modern (TLS 1.3) protocols & primitives
      • DH, ECC, signatures, ASN.1 & x509
      • Non-crypto constructions (data structures, memory management, core API/ABI hooks)
    • Lower Priority
      • AES implementation (finite field tables, matrix transformations, etc. TBD, possibly in phase 3 formal academic analysis)
      • RC4
      • S/MIME
      • OpenSSL s_server (smtp-aware web server!)

  73. Emerging

  74. Emerging
    Better primitives and core crypto
    • HTTP/2 & TLS 1.3
    • NaCl/LibSodium, ChaCha20/Poly1305 (OpenSSL soon)
    • Marlinspike et al.’s work on OTR, axolotl ratchet
    • Trevor Perrin’s work on public key pinning & TLS core
    Containers smaller surface (Docker, Rocket, LXC)
    Let’s Encrypt (Mozilla, Akamai, Cisco, EFF)
    USG: All fed websites & services HTTPS-only
    Open threat feeds (AlienVault Open Threat Exchange v2)
    Verizon Data Breach Investigation Report model

  75. Dan Bernstein: NaCl networking and cryptography library
    http://nacl.cr.yp.to
    Frank Denis: Sodium crypto library
    https://www.gitbook.com/book/jedisct1/libsodium/details
    Moxie Marlinspike and Trevor Perrin: Advanced cryptographic ratcheting
    https://whispersystems.org/blog/advanced-ratcheting
    Andrew Gerrand: The State of Go
    http://talks.golang.org/2015/state-of-go-may.slide
    Daniel Stenberg: TLS in HTTP/2
    http://daniel.haxx.se/blog/2015/03/06/tls-in-http2
    GoLang team: Go crypto library
    https://godoc.org/golang.org/x/crypto

  76. Docker: The tutorial
    www.docker.com/tryit
    CoreOS is building a container runtime, rkt
    coreos.com/blog/rocket
    Let's Encrypt: A public open certificate authority
    letsencrypt.org
    US CIO: HTTPS-Everywhere for Government
    cio.gov/https-everywhere-for-government
    Open Threat Exchange: OTX v. 2.0
    www.alienvault.com/blogs/security-essentials/otx-20-beta-finally-a-way-beyond-the-rhetoric-of-threat-intelligence
    Verizon DBIR 2015
    www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015_en_xg.pdf

  77. Parting Thoughts
    o Encryption is rarely the problem
    o Understand your threat model
    o VZ DBIR: 99.9% of successful exploits last year relied on a CVE more than a year old
    o Intelligence & defense collaboration & sharing is critical
    o Stronger security chain will require better cooperation, more open exchanges, and trust

  78. Parting Thoughts
    We are very much in the golden age of web security.

  79. Parting Thoughts
    We are very much in the golden age of web security.
    We are beginning a serious re-examination of the core stack and fundamental trust chains.

  80. The Security Trust Chain is Broken

  81. The Security Trust Chain is Broken
    But we’re working on it

  82. Special thanks
    Paul Wouters (@letoams)
    Marsh Ray (@marshray)
    Chris Hoff (@Beaker)
    Wendy Nather (@451wendy)
    Thomas Ptacek (@tqbf)
    Filippo Valsorda (@FiloSottile)
    Scot Terban (@krypt3ia)
    Jeff Jarmoc (@jjarmoc)

  83. Be careful out there, folks

  84. Ping me
    OCAP admin @ opencryptoaudit . org
    OCAP https://opencryptoaudit.org/people
    Twitter @kennwhite
    Talks speakerdeck.com/kwhite