A system to verify network behavior of known cryptographic clients

Publication, Conference
Chi, A; Cochran, RA; Nesfield, M; Reiter, MK; Sturton, C
Published in: Proceedings of the 14th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2017
January 1, 2017

Numerous exploits of client-server protocols and applications involve modifying clients to behave in ways that untampered clients would not, such as crafting malicious packets. In this paper, we develop a system for verifying in near real-time that a cryptographic client’s message sequence is consistent with its known implementation. Moreover, we accomplish this without knowing all of the client-side inputs driving its behavior. Our toolchain for verifying a client’s messages explores multiple candidate execution paths in the client concurrently, an innovation useful for aspects of certain cryptographic protocols such as message padding (which will be permitted in TLS 1.3). In addition, our toolchain includes a novel approach to symbolically executing the client software in multiple passes that defers expensive functions until their inputs can be inferred and concretized. We demonstrate client verification on OpenSSL and BoringSSL to show that, e.g., Heartbleed exploits can be detected without Heartbleed-specific filtering and within seconds of the first malicious packet. On legitimate traffic our verification keeps pace with Gmail-shaped workloads, with a median lag of 0.85s.

Published In

Proceedings of the 14th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2017

Publication Date

January 1, 2017

Start / End Page

177 / 195

Citation

APA: Chi, A., Cochran, R. A., Nesfield, M., Reiter, M. K., & Sturton, C. (2017). A system to verify network behavior of known cryptographic clients. In Proceedings of the 14th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2017 (pp. 177–195).

Chicago: Chi, A., R. A. Cochran, M. Nesfield, M. K. Reiter, and C. Sturton. “A system to verify network behavior of known cryptographic clients.” In Proceedings of the 14th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2017, 177–95, 2017.

ICMJE: Chi A, Cochran RA, Nesfield M, Reiter MK, Sturton C. A system to verify network behavior of known cryptographic clients. In: Proceedings of the 14th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2017. 2017. p. 177–95.

MLA: Chi, A., et al. “A system to verify network behavior of known cryptographic clients.” Proceedings of the 14th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2017, 2017, pp. 177–95.

NLM: Chi A, Cochran RA, Nesfield M, Reiter MK, Sturton C. A system to verify network behavior of known cryptographic clients. Proceedings of the 14th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2017. 2017. p. 177–195.
