A messy state of the union: taming the composite state machines of TLS

Benjamin Beurdouche; Karthikeyan Bhargavan; Antoine Delignat-Lavaud; Cédric Fournet; Markulf Kohlweiss; Alfredo Pironti; Pierre-Yves  Strub; Jean Karim Zinzindohoue

doi:10.1145/3023357

A messy state of the union: taming the composite state machines of TLS

Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cédric Fournet, Markulf Kohlweiss, Alfredo Pironti, Pierre-Yves Strub, Jean Karim Zinzindohoue

Research output: Contribution to journal › Article › peer-review

Abstract

The Transport Layer Security (TLS) protocol supports various authentication modes, key exchange methods, and protocol extensions. Confusingly, each combination may prescribe a different message sequence between the client and the server, and thus a key challenge for TLS implementations is to define a composite state machine that correctly handles these combinations. If the state machine is too restrictive, the implementation may fail to interoperate with others; if it is too liberal, it may allow unexpected message sequences that break the security of the protocol. We systematically test popular TLS implementations and find unexpected transitions in many of their state machines that have stayed hidden for years. We show how some of these flaws lead to critical security vulnerabilities, such as FREAK. While testing can help find such bugs, formal verification can prevent them entirely. To this end, we implement and formally verify a new composite state machine for OpenSSL, a popular TLS library.

Original language	English
Pages (from-to)	99-107
Number of pages	9
Journal	Communications of the ACM
Volume	60
Issue number	2
DOIs	https://doi.org/10.1145/3023357
Publication status	Published - 23 Jan 2017

Access to Document

10.1145/3023357

https://dl.acm.org/citation.cfm?doid=3023357

Cite this

@article{5507133077e147b1bc1e3cc617c631bc,

title = "A messy state of the union: taming the composite state machines of TLS",

abstract = "The Transport Layer Security (TLS) protocol supports various authentication modes, key exchange methods, and protocol extensions. Confusingly, each combination may prescribe a different message sequence between the client and the server, and thus a key challenge for TLS implementations is to define a composite state machine that correctly handles these combinations. If the state machine is too restrictive, the implementation may fail to interoperate with others; if it is too liberal, it may allow unexpected message sequences that break the security of the protocol. We systematically test popular TLS implementations and find unexpected transitions in many of their state machines that have stayed hidden for years. We show how some of these flaws lead to critical security vulnerabilities, such as FREAK. While testing can help find such bugs, formal verification can prevent them entirely. To this end, we implement and formally verify a new composite state machine for OpenSSL, a popular TLS library.",

author = "Benjamin Beurdouche and Karthikeyan Bhargavan and Antoine Delignat-Lavaud and C{\'e}dric Fournet and Markulf Kohlweiss and Alfredo Pironti and Pierre-Yves Strub and Zinzindohoue, {Jean Karim}",

year = "2017",

month = jan,

day = "23",

doi = "10.1145/3023357",

language = "English",

volume = "60",

pages = "99--107",

journal = "Communications of the ACM",

issn = "0001-0782",

publisher = "Association for Computing Machinery (ACM)",

number = "2",

}

TY - JOUR

T1 - A messy state of the union: taming the composite state machines of TLS

AU - Beurdouche, Benjamin

AU - Bhargavan, Karthikeyan

AU - Delignat-Lavaud, Antoine

AU - Fournet, Cédric

AU - Kohlweiss, Markulf

AU - Pironti, Alfredo

AU - Strub, Pierre-Yves

AU - Zinzindohoue, Jean Karim

PY - 2017/1/23

Y1 - 2017/1/23

N2 - The Transport Layer Security (TLS) protocol supports various authentication modes, key exchange methods, and protocol extensions. Confusingly, each combination may prescribe a different message sequence between the client and the server, and thus a key challenge for TLS implementations is to define a composite state machine that correctly handles these combinations. If the state machine is too restrictive, the implementation may fail to interoperate with others; if it is too liberal, it may allow unexpected message sequences that break the security of the protocol. We systematically test popular TLS implementations and find unexpected transitions in many of their state machines that have stayed hidden for years. We show how some of these flaws lead to critical security vulnerabilities, such as FREAK. While testing can help find such bugs, formal verification can prevent them entirely. To this end, we implement and formally verify a new composite state machine for OpenSSL, a popular TLS library.

AB - The Transport Layer Security (TLS) protocol supports various authentication modes, key exchange methods, and protocol extensions. Confusingly, each combination may prescribe a different message sequence between the client and the server, and thus a key challenge for TLS implementations is to define a composite state machine that correctly handles these combinations. If the state machine is too restrictive, the implementation may fail to interoperate with others; if it is too liberal, it may allow unexpected message sequences that break the security of the protocol. We systematically test popular TLS implementations and find unexpected transitions in many of their state machines that have stayed hidden for years. We show how some of these flaws lead to critical security vulnerabilities, such as FREAK. While testing can help find such bugs, formal verification can prevent them entirely. To this end, we implement and formally verify a new composite state machine for OpenSSL, a popular TLS library.

U2 - 10.1145/3023357

DO - 10.1145/3023357

M3 - Article

SN - 0001-0782

VL - 60

SP - 99

EP - 107

JO - Communications of the ACM

JF - Communications of the ACM

IS - 2

ER -

A messy state of the union: taming the composite state machines of TLS

Abstract

Access to Document

Fingerprint

Cite this