The security trust chain is broken (but we're working on it!)

The Security Trust Chain is Broken But we’re
working on it Kenneth White ShowMeCon Security 2015 St Louis June 9, 2015

Topics •  Open Crypto Audit Project •  Existing trust chains
•  OpenSSL audit •  Emerging •  Final thoughts

This is me Twitter @kennwhite Talks speakerdeck.com/kwhite OCAP https://opencryptoaudit.org/people

Open Crypto Audit Project •  OCAP originally formed to manage
community- funded TrueCrypt audit •  Independent technical research public interest organization •  Technical Advisory Board: academic, industry, and legal experts in security •  Mission: Research, analysis & education around technical security in open source software •  Focus: software security, cryptography engineering, public awareness •  Current project: OpenSSL audit

The Software Security Trust Chain 1 year post-Heartbleed • Most
serious CVEs are (rarely) about the crypto • But the (most widely deployed) crypto trust chain is fragile • Key pieces of the core Internet network stack are virtually unexamined, and little understood

The Software Security Trust Chain Questions How well do
you know the network stack you’ve deployed? How about your technical staff? Do you/they understand your core dependencies?

The Software Security Trust Chain Are you sure?

Mature network hardware

A $100K commercial load balancer compromised by a browser ID
string

Let’s really look at the whole security trust chain…

Internet Core Trust Chain For example: o  XML parsers (libxml2,
Expat, SimpleXML…) o  Image generators (libpng…) o  Internationalization libraries (libIDN) o  Compression (libzma) o  ASN.1 & x509 (everywhere) o  Middleware core: BouncyCastle, Spring, Struts… o  Deeper: libBFD, libCurl, IPSec netkey, pluto, l2tp

Internet Core Trust Chain Time to look really closely, at,
say: o  XML parsers (libxml2, Expat, SimpleXML…) o  Image generators (libpng…) o  Internationalization libraries (libIDN) o  Compression (libzma) o  ASN.1 & x509 (everywhere) o  Middleware core: BouncyCastle, Spring, Struts… o  Deeper: libBFD, libCurl, IPSec netkey, pluto, l2tp

BFD is a BFD

Are you kidding me?!

Wait, it gets better. Ever use the shell utility ‘less’?

BFD is a BFD.

BFD is a BFD. But most Linux admins have
never even heard of it

libcurl

Let’s go higher up

Basic server certificate deployment is a solved problem, yes?

Don’t underestimate the impact of applied research

Network transport has integrity, yes?

Network transport has integrity, yes? https://gist.github.com/kennwhite/1f3bc4d889b02b35d8aa

Ad networks are trusted for arbitrary client code, yes?

But trust is complicated…

And this isn’t helping

The Security Trust Chain is Broken

working on it

The OpenSSL Audit

The OpenSSL Audit •  Commissioned by Linux Foundation’s Core Infrastructure
Initiative (CII) •  Ambitious Scope o Independent review o Coordinating closely with OpenSSL core team o Delayed for v. 1.1 maturity (significant refactor) o Diverse, complex codebase o Linux, BSDs, Windows, OSX, SRV5 (AIX, HP-UX, Solaris) o Intel x86 (incl. AES-NI), ARMv7, MIPS, PowerPC, Alpha… o FIPS module

OpenSSL Audit •  Goals •  Thorough public security analysis of
the core code in the next major release of OpenSSL •  Demonstrate viability of a reusable open source test harness framework •  Foster web-scale peer-reviewed public tools & data sets for protocol & negotiation analysis

OpenSSL Audit Rough metrics: 412-494K total SLOC OpenSSL v. 1.1
master (2015-03-14)

OpenSSL Audit •  Phase 1 •  BigNum: multiprecision ints, constant
time, blinding •  BIO (focus on composition & file functions) •  ASN.1 & x509 (cert & key parsing, DER/PEM decoding, structs, subordinate chains) •  93M cert corpus, “Frankencert” fuzzing •  Phase 2 •  TLS state machine •  EVP (PKI constructions, H/MACs, envelopes) •  Protocol flows, core engine implementation •  Memory management •  Crypto core (RSA, SHA-2, DH/ECDH, CBC, GGM…)

OpenSSL Audit Caveats •  Schedule, funding, or quality: Pick 2
•  High Priority •  Major architectures •  Modern (TLS 1.3) protocols & primitives •  DH, ECC, signatures, ASN.1 & x509 •  Non-crypto constructions (data structures, memory management, core API/ABI hooks) •  Lower Priority •  AES implementation (finite field tables, matrix transformations, etc. TBD, possibly in phase 3 formal academic analysis) •  RC4 •  S/MIME •  OpenSSL s_server (smtp-aware web server!)

Emerging

Emerging •  Better primitives and core crypto •  TLS 1.3
•  NaCl/LibSodium, ChaCha20/Poly1305 (OpenSSL soon) •  Marlinspike et al’s work on OTR, axolotl ratchet •  Trevor Perrin’s work on public key pinning & TLS core •  Containers smaller surface (Docker, Rocket, LXC) •  Let’s Encrypt (Mozilla, Akamai, Cisco, EFF) •  USG: All fed websites & services HTTPS-only •  Open threat feeds (AlienVault Open Threat Exchange v2) •  Verizon Data Breach Investigation Report model

Parting Thoughts o  VZ DBIR: 99.9% of successful exploits last
year relied on a CVE more than a year old o  Intelligence & defense collaboration & sharing is critical o  Encryption isn’t a magic bullet o  Understand your threat model o  Stronger security chain will require better cooperation, more open exchanges, and trust

Parting Thoughts o  We are very much in the golden
age of web security o  We are beginning a serious re-examination of the core stack and fundamental trust chains

working on it

Be careful out there, folks

Contacts OCAP admin @ opencryptoaudit . org OCAP https://opencryptoaudit.org/people Twitter
@kennwhite Talks speakerdeck.com/kwhite

The security trust chain is broken (but we're w...

The security trust chain is broken (but we're working on it!)

More Decks by Kenn White

Other Decks in Technology

Featured

Transcript