SSL/TLS, a 20-year old security protocol, has become a major component securing network communications, from HTTPS e-commerce and social network sites to Virtual Private Networks, from e-mail protocols to virtually every possible protocol. In the recent years, SSL/TLS has received a lot of attentions, leading to the discovery of many security vulnerabilities, and to protocol improvements. In this thesis, we explore the SSL/TLS ecosystem at large using IPv4 HTTPS scans, while proposing collection and analysis methodologies to obtain reproducible and comparable results across different measurement campaigns. Beyond these observations, we focus on two key aspects of TLS security: how to mitigate Record Protocol attacks, and how to write safe and efficient parsers. We also build on the numerous implementation flaws in almost all TLS stacks in the last years, and we propose some thoughts about the challenges in writing a secure TLS library.
The first part presents a brief history of SSL/TLS and contains a state of the art of the known attacks devised on the SSL/TLS protocols. It then focuses on the Record protocol. By analysing cryptographic attacks affecting this layer published since 2011, we show a pattern common to all of the underlying flaws: the repetition of a secret within and across different TLS sessions. We also propose generic countermeasures to defend against this kind of attacks in the case of HTTPS connections; to this aim, we mask the targeted secret values with random values. Even if our mechanisms are not supposed to replace structural fixes added to the protocol by updates, they allow to save time against an attacker in the meantime. As a matter of fact, after we proposed our defense-in-depth countermeasures, the POODLE attack was published, and would have been thwarted.
In the second part, we describe a set of campaigns we launched between 2010 and 2015 to scan and analyse the IPv4 HTTPS server at wild. Before discussing the results across the different campaigns, we first present our collection methodology; we also compare our way of enumerating hosts, i.e. using full IPv4 scans, with other techniques. Moreover, we propose a framework to analyse SSL/TLS data in a reproducible manner, called concerto. This proved useful to compare results between our first article published in 2012 and those compiled for this manuscript, even though several analyses had evolved in this period of time. Concerning the results themselves, our work has two distinctive features. First, we sent multiple stimuli to each contacted hosts in 2011 and 2014, allowing us to get an interesting insight into servers behaviour. Next, we studied several subsets of the TLS servers, based on trusted hosts according to different certificate trust stores.
The third part presents several aspects of the implementation challenges a developer has to face when writing a TLS stack. We first describe our approach concerning the parsing step for TLS messages and X.509 certificates. To this aim, we show different ways of writing binary parsers, and then focus on a framework, parsifal, that we developed to produce robust and efficient parsers. This part also contains an extensive analysis of recent implementation bugs affecting TLS stacks. This inventory allows us to identify the root causes of recurring flaws and to propose possible responses to improve the situation in the long term.
The thesis is a study of the TLS ecosystem, considered from different points of view: first an analysis based on the specifications, then an experimental observation of HTTPS servers world-wide, between 2010 and 2015, and finally several thoughts and proposals regarding the implementation aspects. Beyond our work, these three axis offer several perspectives. Concerning the specifications, TLS 1.3 and its security analysis will be an important step. Building on our collection and reproducible analysis framework, new and regular TLS campaigns could be launched; they should include multiple stimuli to help observe the evolution of the ecosystem in practice. Finally, to improve the security of implementations, more work could be done on programming languages and on the related software engineering.
Soutenue à Télécom ParisTech, Paris, France le 23 septembre 2016BibTeX Synthèse Manuscrit Liste des publications Présentation