• search hit 14 of 31
Back to Result List

Maximizing and Leveraging Behavioral Discrepancies in TLS Implementations using Response-Guided Differential Fuzzing

  • The Transport Layer Security (TLS) protocol is a cornerstone of secure network communication, not only for online banking, e-commerce, and social media, but also for industrial communication and cyber-physical systems. Unfortunately, implementing TLS correctly is very challenging, as becomes evident by considering the high frequency of bugfixes filed for many TLS implementations. Given the highThe Transport Layer Security (TLS) protocol is a cornerstone of secure network communication, not only for online banking, e-commerce, and social media, but also for industrial communication and cyber-physical systems. Unfortunately, implementing TLS correctly is very challenging, as becomes evident by considering the high frequency of bugfixes filed for many TLS implementations. Given the high significance of TLS, advancing the quality of implementations is a sustained pursuit. We strive to support these efforts by presenting a novel, response-distribution guided fuzzing algorithm for differential testing of black-box TLS implementations. Our algorithm generates highly diverse and mostly-valid TLS stimulation messages, which evoke more behavioral discrepancies in TLS server implementations than other algorithms. We evaluate our algorithm using 37 different TLS implementations and discuss―by means of a case study―how the resulting data allows to assess and improve not only implementations of TLS but also to identify underspecified corner cases. We introduce suspiciousness as a per-implementation metric of anomalous implementation behavior and find that more recent or bug-fixed implementations tend to have a lower suspiciousness score. Our contribution is complementary to existing tools and approaches in the area, and can help reveal implementation flaws and avoid regression. While being presented for TLS, we expect our algorithm's guidance scheme to be applicable and useful also in other contexts. Source code and data is made available for fellow researchers in order to stimulate discussions and invite others to benefit from and advance our work.show moreshow less

Export metadata

Additional Services

Share in Twitter Search Google Scholar
Metadaten
Author:Andreas Walz, Axel SikoraGND
Contributing Corporation:IEEE
Year of Publication:2018
Pagenumber:5
ISBN:978-1-5386-7931-9
Language:English
Parent Title (English):Proceedings of the 52nd IEEE International Carnahan Conference on Security Technology (ICCST 2018), 22-25 October 2018, Montréal, Canada
Document Type:Conference Proceeding
Institutes:Hochschule Offenburg / Bibliografie
Acces Right:Zugriffsbeschränkt
Release Date:2019/01/17
Licence (German):License LogoEs gilt das UrhG
DOI:https://doi.org/10.1109/CCST.2018.8585565