Auditing OpenSSL and Beyond

Thoughts on the core internet security software trust chain
Circle City Con 2015

Kenneth White

June 12, 2015

Transcript

  1. Rethinking the Trust Chain: Auditing OpenSSL and Beyond
     Kenneth White, June 12, 2015
  2. Topics
     • Bootstrapping Trust
     • Digging deeper
     • OpenSSL audit update
     • Core infrastructure work
     • Emerging
  3. Ping me
     Twitter: @kennwhite
     Talks: speakerdeck.com/kwhite
     OCAP: https://opencryptoaudit.org/people
  4. Open Crypto Audit Project
     • OCAP originally formed to manage community-funded TrueCrypt audit
     • Independent technical research public interest organization
     • Technical Advisory Board: academic, industry, and legal experts in security
     • Mission: Research, analysis & education around technical security in open source software
     • Focus: software security, cryptography engineering, public awareness
     • Current project: OpenSSL audit
  5. The Software Security Trust Chain: 1 year post-Heartbleed
     • Most serious CVEs are rarely about the crypto
     • But the (most widely deployed) crypto trust chain is fragile
     • Key pieces of the core Internet network stack are virtually unexamined, and little understood
  6. The Software Security Trust Chain: 1 year post-Heartbleed
     • Most serious CVEs are (rarely) about the crypto
     • But the (most widely deployed) crypto trust chain is fragile
     • Key pieces of the core Internet network stack are virtually unexamined, and little understood
  7. The Software Security Trust Chain: Questions
     How well do you know the network stack you’ve deployed? How about your technical staff? Do you/they understand your core dependencies?
  8. The Software Security Trust Chain: Questions
     How well do you know the network stack you’ve deployed? How about your technical staff? Do you/they understand your core dependencies?
  9. The Software Security Trust Chain
     Are you sure?
  10. The Software Security Trust Chain
     Are you sure? First question: Explain the dependencies of init/systemd.
  11. None
  12. None
  13. Mature network hardware

  14. A $100K commercial load balancer compromised by a browser ID string
  15. The Software Security Trust Chain: Questions
     How well do you know the network stack you’ve deployed? How about your technical staff? Do you/they understand your core dependencies?
  16. The Software Security Trust Chain
     Are you sure?
  17. The Software Security Trust Chain
     Are you sure? First question: Explain the dependencies of init/systemd.
  18. Let’s really look at the whole security trust chain…

  19. Internet Core Trust Chain
     For example:
     o XML parsers (libxml2, Expat, SimpleXML…)
     o Image generators (libpng…)
     o Internationalization libraries (libIDN)
     o Compression (libzma)
     o ASN.1 & x509 (everywhere)
     o Middleware core: BouncyCastle, Spring, Struts…
     o Deeper: libBFD, libCurl, IPSec netkey, pluto, l2tp
  20. Internet Core Trust Chain
     Time to look really closely, at, say:
     o XML parsers (libxml2, Expat, SimpleXML…)
     o Image generators (libpng…)
     o Internationalization libraries (libIDN)
     o Compression (libzma)
     o ASN.1 & x509 (everywhere)
     o Middleware core: BouncyCastle, Spring, Struts…
     o Deeper: libCurl, libBFD, IPSec netkey, pluto, l2tp
  21. libcurl

  22. None
  23. libbfd

  24. None
  25. BFD is a BFD

  26. Are you kidding me?!

  27. “Wait, there’s more!” Let’s look at the shell utility ‘less’

  28. None
  29. None
  30. BFD is a BFD.

  31. BFD is a BFD. But most Linux admins have never even heard of it
  32. “All versions of Windows”

  33. Let’s go higher up

  34. Basic server certificate deployment is a solved problem, yes?

  35. Basic server certificate deployment is a solved problem, yes?

  36. Don’t underestimate the impact of applied research

  37. Don’t underestimate the impact of applied research

  38. Network transport has integrity, yes?

  39. Network transport has integrity, yes?

  40. Network transport has integrity, yes? https://gist.github.com/kennwhite/1f3bc4d889b02b35d8aa

  41. Ad networks are trusted for arbitrary client code, yes?

  42. None
  43. The Komodia case

  44. The Komodia case

  45. None
  46. None
  47. None
  48. The nuclear option…

  49. None
  50. But trust is complicated…

  51. But trust is complicated…

  52. But trust is complicated…

  53. And this isn’t helping

  54. The Security Trust Chain is Broken. But we’re working on it
  55. PSA: Encryption is rarely the problem

  56. None
  57. None
  58. The Security Trust Chain is Broken. But we’re working on it
  59. 2015 Mainstream Distro Apache/Nginx SSL in 1 Easy Slide
  60. 2015 Mainstream Distro Apache/Nginx SSL in 1 Easy Slide
     PROTOCOL: SSL v1, SSL v2, SSL v3, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3
     CIPHER: NULL, DES, 3DES, RC4, Twofish, Blowfish, AES
     KEYEX: RSA, DH, DHE, ECDH
     HMAC: MD5, SHA-1, SHA-256, SHA-384, SHA-512
     MODE: ECB, CBC, GCM
     AUTH: ECDSA, RSA
  61. 2015 Mainstream Distro Apache/Nginx SSL in 1 Easy Slide
     PROTOCOL: SSL v1, SSL v2, SSL v3, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3
     CIPHER: NULL, DES, 3DES, RC4, Twofish, Blowfish, AES
     KEYEX: RSA, DH, DHE, ECDH
     HMAC: MD5, SHA-1, SHA-256, SHA-384, SHA-512
     MODE: ECB, CBC, GCM
     AUTH: ECDSA, RSA
  62. 2015 Mainstream Distro Apache/Nginx SSL in 1 Easy Slide
     PROTOCOL: SSL v1, SSL v2, SSL v3, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3
     CIPHER: NULL, DES, 3DES, RC4, Twofish, Blowfish, AES
     KEYEX: RSA, DH, DHE, ECDH
     HMAC: MD5, SHA-1, SHA-256, SHA-384, SHA-512
     MODE: ECB, CBC, GCM
     AUTH: ECDSA, RSA
     Also: HSTS (strict secure transport), HPKP (pinning), CT (cert transparency), SNI (virtual hosts)
  63. 2015 Mainstream Distro Apache/Nginx SSL in 1 Easy Slide
     Just kidding.
  64. 2015 Mainstream Distro Apache/Nginx SSL in 1 Easy Slide
     Just kidding. Understand your install base, interop and threat model. Then read tactical guidance by Mozilla, SSLLabs, Robert Love, Adam Langley, Thomas Ptacek
  65. 2015 Mainstream Distro Apache/Nginx SSL in 1 Easy Slide
     Just kidding. Understand your install base, interop and threat model. Then read tactical guidance by Mozilla, SSLLabs, Robert Love, Adam Langley, Thomas Ptacek…
  66. For example
     Adam Langley: Matching primitive strengths
       www.imperialviolet.org/2014/05/25/strengthmatching.html
     Ivan Ristic: Introducing TLS Maturity Model
       community.qualys.com/blogs/securitylabs/2015/06/08/introducing-tls-maturity-model
     Ivan Ristic: Bulletproof SSL and TLS
       www.feistyduck.com/books/bulletproof-ssl-and-tls
     Thomas Ptacek: Cryptographic Right Answers
       gist.github.com/tqbf/be58d2d39690c3b366ad
     Mozilla: Security/Server Side TLS
       wiki.mozilla.org/Security/Server_Side_TLS
  67. The OpenSSL Audit

  68. The OpenSSL Audit
     • Commissioned by Linux Foundation’s Core Infrastructure Initiative (CII)
     • Ambitious Scope
        o Independent review
        o Coordinating closely with OpenSSL core team
        o Delayed for v. 1.1 maturity (significant refactor)
        o Diverse, complex codebase
        o Linux, BSDs, Windows, OSX, SRV5 (AIX, HP-UX, Solaris)
        o Intel x86 (incl. AES-NI), ARMv7, MIPS, PowerPC, Alpha…
        o FIPS module
  69. OpenSSL Audit
     • Goals
        • Thorough public security analysis of the core code in the next major release of OpenSSL
        • Demonstrate viability of a reusable open source test harness framework
        • Foster web-scale peer-reviewed public tools & data sets for protocol & negotiation analysis
  70. OpenSSL Audit
     Rough metrics: 412-494K total SLOC, OpenSSL v. 1.1 master (2015-03-14)
  71. OpenSSL Audit
     • Phase 1
        • BigNum: multiprecision ints, constant time, blinding
        • BIO (focus on composition & file functions)
        • ASN.1 & x509 (cert & key parsing, DER/PEM decoding, structs, subordinate chains)
        • 93M cert corpus, “Frankencert” fuzzing
     • Phase 2
        • TLS state machine
        • EVP (PKI constructions, H/MACs, envelopes)
        • Protocol flows, core engine implementation
        • Memory management
        • Crypto core (RSA, SHA-2, DH/ECDH, CBC, GCM…)
  72. OpenSSL Audit: Caveats
     • Schedule, funding, or quality: Pick 2
     • High Priority
        • Major architectures
        • Modern (TLS 1.3) protocols & primitives
        • DH, ECC, signatures, ASN.1 & x509
        • Non-crypto constructions (data structures, memory management, core API/ABI hooks)
     • Lower Priority
        • AES implementation (finite field tables, matrix transformations, etc. TBD, possibly in phase 3 formal academic analysis)
        • RC4
        • S/MIME
        • OpenSSL s_server (smtp-aware web server!)
  73. Emerging

  74. Emerging
     Better primitives and core crypto
        • HTTP/2 & TLS 1.3
        • NaCl/LibSodium, ChaCha20/Poly1305 (OpenSSL soon)
        • Marlinspike et al’s work on OTR, axolotl ratchet
        • Trevor Perrin’s work on public key pinning & TLS core
     Containers smaller surface (Docker, Rocket, LXC)
     Let’s Encrypt (Mozilla, Akamai, Cisco, EFF)
     USG: All fed websites & services HTTPS-only
     Open threat feeds (AlienVault Open Threat Exchange v2)
     Verizon Data Breach Investigation Report model
  75. Dan Bernstein: NaCl networking and cryptography library
       http://nacl.cr.yp.to
     Frank Denis: Sodium crypto library
       https://www.gitbook.com/book/jedisct1/libsodium/details
     Moxie Marlinspike and Trevor Perrin: Advanced cryptographic ratcheting
       https://whispersystems.org/blog/advanced-ratcheting
     Andrew Gerrand: The State of Go
       http://talks.golang.org/2015/state-of-go-may.slide
     Daniel Stenberg: TLS in HTTP/2
       http://daniel.haxx.se/blog/2015/03/06/tls-in-http2
     GoLang team: Go crypto library
       https://godoc.org/golang.org/x/crypto
  76. Docker: The tutorial
       www.docker.com/tryit
     CoreOS is building a container runtime, rkt
       coreos.com/blog/rocket
     Let's Encrypt: A public open certificate authority
       letsencrypt.org
     US CIO: HTTPS-Everywhere for Government
       cio.gov/https-everywhere-for-government
     Open Threat Exchange: OTX v. 2.0
       www.alienvault.com/blogs/security-essentials/otx-20-beta-finally-a-way-beyond-the-rhetoric-of-threat-intelligence
     Verizon DBIR 2015
       www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015_en_xg.pdf
  77. Parting Thoughts
     o Encryption is rarely the problem
     o Understand your threat model
     o VZ DBIR: 99.9% of successful exploits last year relied on a CVE more than a year old
     o Intelligence & defense collaboration & sharing is critical
     o Stronger security chain will require better cooperation, more open exchanges, and trust
  78. Parting Thoughts
     We are very much in the golden age of web security.
  79. Parting Thoughts
     We are very much in the golden age of web security. We are beginning a serious re-examination of the core stack and fundamental trust chains.
  80. The Security Trust Chain is Broken
  81. The Security Trust Chain is Broken. But we’re working on it
  82. Special thanks
     Paul Wouters (@letoams)
     Marsh Ray (@marshray)
     Chris Hoff (@Beaker)
     Wendy Nather (@451wendy)
     Thomas Ptacek (@tqbf)
     Filippo Valsorda (@FiloSottile)
     Scot Terban (@krypt3ia)
     Jeff Jarmoc (@jjarmoc)
  83. Be careful out there, folks
  84. Ping me
     OCAP: admin @ opencryptoaudit . org
     OCAP: https://opencryptoaudit.org/people
     Twitter: @kennwhite
     Talks: speakerdeck.com/kwhite