Skip to main content
SpringerLink
Log in

Improving Application Security through TLS-Library Redesign

  • Conference paper
  • First Online:
Security, Privacy, and Applied Cryptography Engineering (SPACE 2015)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9354))

Abstract

Research has revealed a number of pitfalls inherent in contemporary TLS libraries. Common mistakes when programming using their APIs include insufficient certificate verification and the use of weak cipher suites. These programmer errors leave applications susceptible to man-in-the-middle attacks. Furthermore, current TLS libraries encourage system designs which leave the confidentiality of secret authentication and session keys vulnerable to application flaws. This paper introduces libtlssep (pronounced lib.tē.el.sep), a new, open-source TLS library which provides a simpler API and improved security architecture. Applications that use libtlssep spawn a separate process whose role is to provide one or more TLS-protected communication channels; this child process assures proper certificate verification and isolates authentication and session keys in its separate memory space. We present a security, programmability, and performance analysis of libtlssep.

The rights of this work are transferred to the extent transferable according to title 17 U.S.C. 105.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Fedora system-wide crypto policy (accessed Mach 22, (2014), http://fedoraproject.org/wiki/Changes/CryptoPolicy

  2. Barnes, R.L.: DANE: Taking TLS authentication to the next level using DNSSEC. IETF Journal, October 2011. http://www.internetsociety.org/articles/dane-taking-tls-authentication-next-level-using-dnssec (accessed June 22, 2015)

  3. Bates, A., Pletcher, J., Nichols, T., Hollembaek, B., Tian, D., Butler, K.R., Alkhelaifi, A.: Securing SSL certificate verification through dynamic linking. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS 2014, pp. 394–405. ACM, New York (2014)

    Google Scholar 

  4. Beck, B.: LibreSSL: The first 30 days and the future. In: presentation at the 11th BSDCan Conference, May 2014

    Google Scholar 

  5. Bernstein, D.J.: CurveCP: Usable security for the Internet. CurveCP: Usable security for the Internet. http://curvecp.org (accessed July 9, 2015)

  6. Bernstein, D.J., Lange, T., Schwabe, P.: The security impact of a new cryptographic library. In: Hevia, A., Neven, G. (eds.) LatinCrypt 2012. LNCS, vol. 7533, pp. 159–176. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  7. Beurdouche, B., Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.Y., Zinzindohoue, J.K.: A messy state of the union: Taming the composite state machines of TLS. In: Proc. IEEE Symp. Security and Privacy. IEEE Computer Society Press, Washington, DC, May 2015

    Google Scholar 

  8. Bhargavan, K., Lavaud, A., Fournet, C., Pironti, A., Strub, P.: Triple handshakes and cookie cutters: Breaking and fixing authentication over TLS. In: Proc. IEEE Symp. Security and Privacy, pp. 98–113. IEEE Computer Society Press, Washington, DC, May 2014

    Google Scholar 

  9. Bittau, A., Hamburg, M., Handley, M., Mazières, D., Boneh, D.: The case for ubiquitous transport-level encryption. In: Proceedings of the 19th USENIX Security Symposium. USENIX Association, Berkeley, August 2010

    Google Scholar 

  10. Cox, R., Grosse, E., Pike, R., Presotto, D., Quinlan, S.: Security in Plan 9. In: Proc. of the USENIX Security Symposium, pp. 3–16. USENIX Association, Berkeley (2002)

    Google Scholar 

  11. Durumeric, Z., Kasten, J., Bailey, M., Halderman, J.A.: Analysis of the HTTPS certificate ecosystem. In: Proceedings of the 2013 Conference on Internet Measurement, IMC 2013, pp. 291–304. ACM, New York (2013)

    Chapter  Google Scholar 

  12. Fahl, S., Harbach, M., Muders, T., Smith, M., Baumgärtner, L., Freisleben, B.: Why eve and mallory love android: an analysis of android SSL (in)security. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 50–61. ACM, New York (2012)

    Google Scholar 

  13. Fahl, S., Harbach, M., Perl, H., Koetter, M., Smith, M.: Rethinking SSL development in an appified world. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, pp. 49–60. ACM, New York (2013)

    Chapter  Google Scholar 

  14. Electronic Frontier Foundation: HTTPS everywhere. https://www.eff.org/https-everywhere (accessed August 26, 2013)

  15. Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, D., Shmatikov, V.: The most dangerous code in the world: validating SSL certificates in non-browser software. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 38–49. ACM, New York (2012)

    Chapter  Google Scholar 

  16. Guan, L., Lin, J., Luo, B., Jing, J., Wang, J.: Protecting private keys against memory disclosure attacks using hardware transactional memory. In: Proc. IEEE Symp. Security and Privacy. IEEE Computer Society Press, Washington, DC, May 2015

    Google Scholar 

  17. He, B., Rastogi, V., Cao, Y., Chen, Y., Venkatakrishnan, V., Yang, R., Zhang, Z.: Vetting SSL usage in applications with SSLint. In: Proc. IEEE Symp. Security and Privacy. IEEE Computer Society Press, Washington, DC, May 2015

    Google Scholar 

  18. Hoffman, P., Schlyter, J.: RFC 6698: The DNS-based Authentication of Named Entities (DANE) Transport Layer Security (TLS) protocol: TLSA, August 2012. http://www.ietf.org/rfc/rfc6698.txt (accessed June 22, 2015), status: PROPOSED STANDARD

  19. IOerror: DigiNotar damage disclosure. The Tor Blog, September 2011. https://blog.torproject.org/blog/diginotar-damage-disclosure (accessed May 20, 2015)

  20. Kneschke, J., et al.: lighttpd. http://www.lighttpd.net/ (accessed Jun 22, 2015)

  21. Leavitt, N.: Internet security under attack: The undermining of digital certificates. Computer 44(12), 17–20 (2011)

    Article  Google Scholar 

  22. Marlinspike, M.: Null-prefix attacks against SSL/TLS certificates. Presentation at Black Hat USA, July 2009. http://www.blackhat.com/presentations/bh-usa-09/MARLINSPIKE/BHUSA09-Marlinspike-DefeatSSL-PAPER1.pdf (accessed June 22, 2015)

  23. Naylor, D., Finamore, A., Leontiadis, I., Grunenberger, Y., Mellia, M., Munafò, M., Papagiannaki, K., Steenkiste, P.: The cost of the ‘S’ in HTTPS. In: Proceedings of the 10th ACM International on Conference on Emerging Networking Experiments and Technologies, CoNEXT 2014, pp. 133–140. ACM, New York (2014)

    Google Scholar 

  24. NIST National Vulnerability Database: CVE-2014-0160, Decembe 2013. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 (accessed April 15, 2014)

  25. OpenBSD manual pages: imsg_init(3). http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man3/imsg_init.3 (accessed July 8, 2015)

  26. Petullo, W.M., Solworth, J.A.: Simple-to-use, secure-by-design networking in Ethos. In: Proceedings of the Sixth European Workshop on System Security, EUROSEC 2013. ACM, New York, April 2013

    Google Scholar 

  27. Petullo, W.M., Zhang, X., Solworth, J.A., Bernstein, D.J., Lange, T.: MinimaLT: Minimal-latency networking through better security. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013. ACM, New York, Novembe 2013

    Google Scholar 

  28. Provos, N., Friedl, M., Honeyman, P.: Preventing privilege escalation. In: Proc. of the USENIX Security Symposium, pp. 231–242. USENIX Association, Berkeley, August 2003

    Google Scholar 

  29. Schmidt, S.: Introducing s2n, a new open source TLS implementation. Amazon Web Services Security Blog, June 2015. https://blogs.aws.amazon.com/security/post/TxCKZM94ST1S6Y/Introducing-s2n-a-New-Open-Source-TLS-Implementation (accessed July 1, 2015)

  30. Scrivano, G., et al.: wget. http://www.gnu.org/software/wget/ (accessed June 22, 2015)

  31. Soghoian, C., Stamm, S.: Certified lies: Detecting and defeating government interception attacks against SSL (Short paper). In: Danezis, G. (ed.) FC 2011. LNCS, vol. 7035, pp. 250–259. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  32. Vratonjic, N., Freudiger, J., Bindschaedler, V., Hubaux, J.P.: The inconvenient truth about web certificates. In: Proceedings of the 10th Workshop on the Economics of Information Security (June 2011)

    Google Scholar 

  33. Ylonen, T.: SSH—secure login connections over the Internet. In: Proc. of the USENIX Security Symposium, pp. 37–42. USENIX Association, San Jose (1996)

    Google Scholar 

  34. Zimmermann, P.R.: The Official PGP Users Guide. MIT Press, Boston (1995)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Northeastern University, Boston, Massachusetts, 02115, USA

    Leo St. Amour

  2. United States Military Academy, West Point, New York, 10996, USA

    W. Michael Petullo

Authors
  1. Leo St. Amour
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. W. Michael Petullo
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Indian Inst of Tech Kharagpur, Kharagpur, West Bengal, India

    Rajat Subhra Chakraborty

  2. Digital Security Group, Radboud University Nijmegen, Nijmegen, Gelderland, The Netherlands

    Peter Schwabe

  3. Dept. of Computer Science, University of Illinois at Chicago, Chicago, Illinois, USA

    Jon Solworth

Rights and permissions

Reprints and permissions

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Amour, L.S., Petullo, W.M. (2015). Improving Application Security through TLS-Library Redesign. In: Chakraborty, R., Schwabe, P., Solworth, J. (eds) Security, Privacy, and Applied Cryptography Engineering. SPACE 2015. Lecture Notes in Computer Science(), vol 9354. Springer, Cham. https://doi.org/10.1007/978-3-319-24126-5_5

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-24126-5_5

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-24125-8

  • Online ISBN: 978-3-319-24126-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation