Scalable Scanning and Automatic Classification of TLS Padding Oracle Vulnerabilities

Robert Merget, Juraj Somorovsky, Nimrod Aviram, Craig Young, Janis Fliegenschmidt, Jörg Schwenk, Yuval Shavitt

28th USENIX Security Symposium (USENIX Security '19)


Abstract

The TLS protocol provides encryption, data integrity, and authentication on the modern Internet. Despite the protocol's importance, currently-deployed TLS versions use obsolete cryptographic algorithms which have been broken using various attacks. One prominent class of such attacks is CBC padding oracle attacks. These attacks allow an adversary to decrypt TLS traffic by observing different server behaviors which depend on the validity of CBC padding.

We present the first large-scale scan for CBC padding oracle vulnerabilities in TLS implementations on the modern Internet. Our scan revealed vulnerabilities in 1.83% of the Alexa Top Million websites, detecting nearly 100 different vulnerabilities. Our scanner observes subtle differences in server behavior, such as responding with different TLS alerts, or with different TCP header flags.

We used a novel scanning methodology consisting of three steps. First, we created a large set of probes that detect vulnerabilities at a considerable scanning cost. We then reduced the number of probes using a preliminary scan, such that a smaller set of probes has the same detection rate but is small enough to be used in large-scale scans. Finally, we used the reduced set to scan at scale, and clustered our findings with a novel approach using graph drawing algorithms.

Contrary to common wisdom, exploiting CBC padding oracles does not necessarily require performing precise timing measurements. We detected vulnerabilities that can be exploited simply by observing the content of different server responses. These vulnerabilities pose a significantly larger threat in practice than previously assumed.
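
The probe-reduction step described in the abstract, as an added example that is not the authors' code or TLS-Scanner's: a host counts as detected when its recorded responses (TLS alert, TCP close behaviour) differ across probes, and a probe is dropped whenever the remaining set still detects the same hosts. The probe names, hosts, responses and the backward-elimination strategy are assumptions made for this example; the abstract does not say how the reduction was computed.

```python
from typing import Dict, List, Set, Tuple

Fingerprint = Tuple[str, str]             # (TLS alert, how the TCP connection ended)
Scan = Dict[str, Dict[str, Fingerprint]]  # host -> probe name -> observed response

MAC, ERR = ("bad_record_mac", "FIN"), ("internal_error", "FIN")
RST = ("bad_record_mac", "RST")
# Hypothetical probe names: each stands for one kind of malformed CBC record.
PROBES = ["bad_padding", "bad_mac", "bad_padding_and_mac", "short_record"]

# Constructed preliminary-scan results (hosts and responses are invented).
PRELIM: Scan = {
    "host-a": dict(zip(PROBES, [MAC, MAC, MAC, MAC])),  # uniform: no oracle observed
    "host-b": dict(zip(PROBES, [ERR, MAC, MAC, MAC])),  # alert differs on one probe
    "host-c": dict(zip(PROBES, [MAC, MAC, MAC, RST])),  # only the TCP behaviour differs
    "host-d": dict(zip(PROBES, [ERR, MAC, ERR, MAC])),  # alert differs on two probes
}


def detected(scan: Scan, probes: List[str]) -> Set[str]:
    """Hosts whose responses are not identical across the given probes."""
    return {
        host for host, obs in scan.items()
        if len({obs[p] for p in probes if p in obs}) > 1
    }


def reduce_probes(scan: Scan, probes: List[str]) -> List[str]:
    """Drop each probe whose removal leaves the set of detected hosts unchanged."""
    baseline = detected(scan, probes)
    kept = list(probes)
    for probe in probes:
        trial = [p for p in kept if p != probe]
        if detected(scan, trial) == baseline:
            kept = trial  # probe was redundant on the preliminary data
    return kept


if __name__ == "__main__":
    small = reduce_probes(PRELIM, PROBES)
    print("reduced probe set:", small)
    print("still detected:", sorted(detected(PRELIM, small)))
```

Backward elimination yields a set from which no further probe can be removed, which is not necessarily the smallest possible set.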

[Paper] [General Information] [TLS-Scanner]

Tags: padding oracle attack, scanning, TLS