Abstract
Research has revealed a number of pitfalls inherent in contemporary TLS libraries. Common mistakes when programming using their APIs include insufficient certificate verification and the use of weak cipher suites. These programmer errors leave applications susceptible to man-in-the-middle attacks. Furthermore, current TLS libraries encourage system designs which leave the confidentiality of secret authentication and session keys vulnerable to application flaws. This paper introduces libtlssep (pronounced lib.tē.el.sep), a new, open-source TLS library which provides a simpler API and improved security architecture. Applications that use libtlssep spawn a separate process whose role is to provide one or more TLS-protected communication channels; this child process assures proper certificate verification and isolates authentication and session keys in its separate memory space. We present a security, programmability, and performance analysis of libtlssep.
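The process separation the abstract describes can be sketched in a few dozen lines. The following is an added example, not libtlssep's own code: the application (parent) forks a child over a socketpair, the child generates and holds the key, and every keyed operation is performed by the child on the parent's behalf, so an application flaw in the parent cannot disclose key material it never held. HMAC-SHA256 stands in for the TLS record layer, and the class and function names (`SeparatedChannel`, `parent_state`) are assumptions for illustration; a real design would also run the handshake and certificate verification inside the child.

```python
import hashlib
import hmac
import os
import socket
import struct

# Added example, not libtlssep code: the parent never holds the key; a forked
# child owns it and applies the keyed operation to records the parent sends.
# HMAC-SHA256 is a stand-in for TLS record protection.

_HDR = struct.Struct("!I")  # 4-byte big-endian length prefix per message


def _send(sock, payload):
    sock.sendall(_HDR.pack(len(payload)) + payload)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None  # peer closed the socket
        buf += chunk
    return buf


def _recv(sock):
    hdr = _recv_exact(sock, _HDR.size)
    if hdr is None:
        return None
    (n,) = _HDR.unpack(hdr)
    return _recv_exact(sock, n)


def _child_loop(sock):
    # Generated after fork(): this key never exists in the parent's address space.
    key = os.urandom(32)
    while True:
        record = _recv(sock)
        if record is None:
            break  # parent closed the channel
        tag = hmac.new(key, record, hashlib.sha256).digest()
        _send(sock, record + tag)


class SeparatedChannel:
    """Parent-side handle; the only state here is a socket and a child pid."""

    def __init__(self):
        self._sock = None
        self._pid = None

    def spawn(self):
        parent_end, child_end = socket.socketpair()
        pid = os.fork()
        if pid == 0:
            parent_end.close()
            try:
                _child_loop(child_end)
            finally:
                os._exit(0)  # never fall back into the parent's code path
        child_end.close()
        self._sock = parent_end
        self._pid = pid

    def protect(self, record):
        """Ask the child for record || tag; the parent only ever sees the result."""
        _send(self._sock, record)
        out = _recv(self._sock)
        if out is None:
            raise RuntimeError("separated child exited")
        return out

    def close(self):
        if self._sock is not None:
            self._sock.close()
            self._sock = None
        if self._pid is not None:
            os.waitpid(self._pid, 0)
            self._pid = None


def parent_state(channel):
    """Attribute names the parent holds: a socket and a pid, no key material."""
    return sorted(vars(channel))


if __name__ == "__main__":
    ch = SeparatedChannel()
    ch.spawn()
    print(ch.protect(b"hello").hex())
    print(parent_state(ch))
    ch.close()
```

The length-prefixed framing over a socketpair plays the role that imsg-style messaging plays in the privilege-separation designs the paper builds on; the essential property is that `key` is created only after `fork()`, so no copy of it is ever mapped in the parent.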
The rights of this work are transferred to the extent transferable according to title 17 U.S.C. 105.
© 2015 Springer International Publishing Switzerland
Amour, L.S., Petullo, W.M. (2015). Improving Application Security through TLS-Library Redesign. In: Chakraborty, R., Schwabe, P., Solworth, J. (eds) Security, Privacy, and Applied Cryptography Engineering. SPACE 2015. Lecture Notes in Computer Science(), vol 9354. Springer, Cham. https://doi.org/10.1007/978-3-319-24126-5_5
DOI: https://doi.org/10.1007/978-3-319-24126-5_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-24125-8
Online ISBN: 978-3-319-24126-5