skip to main content
10.1145/3508398.3511505acmconferencesArticle/Chapter ViewAbstractPublication PagescodaspyConference Proceedingsconference-collections
short-paper

A Modular and Extensible Framework for Securing TLS

Published: 15 April 2022 Publication History

Abstract

While being both extremely powerful and popular, TLS is a protocol that is hard to securely deploy. On the one hand, system administrators are required to grasp several security concepts to fully understand the impact of each option and avoid misconfigurations. On the other hand, app developers should use cryptographic libraries in a secure way avoiding dangerous default settings or other subtleties (e.g., padding or modes of operations). To help secure TLS, we propose a modular framework, extensible with new features and capable of streamlining the mitigation process of known and newly discovered TLS attacks even for non-expert users.

Supplementary Material

MP4 File (CODASPY22-coda054s.mp4)
In this video, Matteo and Salvatore (two of the co-authors of the related paper) describe their work on TLSAssistant. They begin by providing an overview of TLS, a suite of cryptographic protocols that ensures Confidentiality, Integrity, and Authentication between the two parties involved, before focusing on the lack of mitigations in state-of-the-art TLS analyzers' report. They continue by introducing TLSAssistant -a standalone tool created in 2019- and the various upgrades it had, until getting to the technical limitations discovered during the years. The authors then detail how they transitioned from a standalone tool to a modular framework, emphasizing the new architecture, their approach to achieve modularity, and the two flows they built to make the framework easier to use for both users and developers.

References

[1]
, Karthikeyan Bhargavan and Gaë tan Leurent. 2016. Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH. In 23rd Annual Network and Distributed System Security Symposium, NDSS. https://doi.org/10.14722/ndss.2016.23418
[2]
Marcus Brinkmann, Christian Dresen, Robert Merget, Damian Poddebniak, Jens Müller, Juraj Somorovsky, Jörg Schwenk, and Sebastian Schinzel. 2021. ALPACA: Application Layer Protocol Confusion - Analyzing and Mitigating Cracks in TLS Authentication. In 30th USENIX Security Symposium (USENIX Security 21). USENIX Association, 4293--4310. https://www.usenix.org/conference/usenixsecurity21/presentation/brinkmann
[3]
Datanyze. 2021. OpenSSL Market Share and Competitor Report https://www.datanyze.com/market-share/other-it-infrastructure-software .
[4]
Anthony Desnos. 2020. Github: androguard https://github.com/androguard/androguard .
[5]
Sascha Fahl, Marian Harbach, Thomas Muders, Lars Baumg"artner, Bernd Freisleben, and Matthew Smith. 2012. Why Eve and Mallory Love Android: An Analysis of Android SSL (in)Security. In Proceedings of the 2012 ACM Conference on Computer and Communications Security . 50--61. https://doi.org/10.1145/2382196.2382205
[6]
Google. 2021. HSTS List https://www.chromium.org/hsts .
[7]
Jeff Hodges, Collin Jackson, and Adam Barth. 2012. HTTP Strict Transport Security (HSTS) http://www.rfc-editor.org/rfc/rfc6797.txt . Internet Requests for Comments.
[8]
Hubert Kario. 2021. SSL and TLS protocol test suite and fuzzer: tlsfuzzer https://github.com/tlsfuzzer/tlsfuzzer .
[9]
Salvatore Manfredi, Mariano Ceccato, Silvio Ranise, and Giada Sciarretta. 2021 a. Do Security Reports Meet Usability? -- Lessons Learned from Using Actionable Mitigations for Patching TLS Misconfigurations. https://doi.org/10.1145/3465481.3469187
[10]
Salvatore Manfredi, Silvio Ranise, Giada Sciarretta, and Alessandro Tomasi. 2021 b. TLSAssistant Goes FINSEC - A Security Platform Integration Extending Threat Intelligence Language. In Cyber-Physical Security for Critical Infrastructures Protection. Springer International Publishing, Cham, 16--30. https://doi.org/10.1007/978--3-030--69781--5_2
[11]
Bodo Mö ller, Thai Duong, and Krzysztof Kotowicz. 2014. This POODLE Bites: Exploiting The SSL 3.0 Fallback http://www.bmoeller.de/pdf/ssl-poodle.pdf .
[12]
Mozilla. 2019. HSTS List https://wiki.mozilla.org/SecurityEngineering/HTTP_Strict_Transport_Security_%28HSTS%29_Preload_List .
[13]
Mozilla Security. 2020. Server Side TLS https://wiki.mozilla.org/index.php?title=Security/Server_Side_TLS .
[14]
A structured language for cyber threat intelligence . https://oasis-open.github.io/cti-documentation/stix/intro .
[15]
OpenSSL. 2021. Changelog https://www.openssl.org/news/changelog.html .
[16]
Bruce Schneier. 1999. Attack Trees. https://www.schneier.com/academic/archives/1999/12/attack_trees.html .
[17]
Security and Trust Research Unit. 2022. TLSAssistant. https://github.com/stfbk/tlsassistant .
[18]
, SUPERAndroidAnalyzer. 2018. Github: Secure, Unified, Powerful and Extensible Rust Android Analyzer. https://github.com/SUPERAndroidAnalyzer/super .
[19]
Dirk Wetter. 2021. /bin/bash based SSL/TLS tester: testssl.sh https://testssl.sh .

Cited By

View all
  • (2023)A Framework for TLS Implementation Vulnerability Testing in 5GApplied Cryptography and Network Security Workshops10.1007/978-3-031-41181-6_16(284-298)Online publication date: 19-Jun-2023

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences
CODASPY '22: Proceedings of the Twelfth ACM Conference on Data and Application Security and Privacy
April 2022
392 pages
ISBN:9781450392204
DOI:10.1145/3508398
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 15 April 2022

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. assisted mitigations
  2. tls misconfiguration
  3. vulnerability detection

Qualifiers

  • Short-paper

Conference

CODASPY '22
Sponsor:

Acceptance Rates

Overall Acceptance Rate 149 of 789 submissions, 19%

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)8
  • Downloads (Last 6 weeks)1
Reflects downloads up to 20 Feb 2025

Other Metrics

Citations

Cited By

View all
  • (2023)A Framework for TLS Implementation Vulnerability Testing in 5GApplied Cryptography and Network Security Workshops10.1007/978-3-031-41181-6_16(284-298)Online publication date: 19-Jun-2023

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Figures

Tables

Media

Share

Share

Share this Publication link

Share on social media