6. EXPERIMENTAL TESTBED
Our primary methodology for the initial discovery of SSL certificate validation bugs is black-box fuzzing. We test applications
and libraries implementing SSL client functionality on two Dell
laptops running Microsoft Windows 7 Professional Service Pack
1 and Ubuntu Linux 10.04, respectively. Mobile applications are
tested on a Nexus One smartphone running Android 2.3.6 and an
iPad 2 running iOS 4.2.1.
We use local DNS cache poisoning to divert clients’ connections
to a simulated attack server executing on an old Dell laptop with
Ubuntu Linux 10.04. To simulate a man-in-the-middle attacker, we
built two prototypes: one in Java, using JKS keystore to manage
the attacker’s certificates and keys, the other in C, using OpenSSL
for certificate and key management. We also used Fiddler, a Web
debugging proxy [9]. If Fiddler encounters a connection request
to a server it has not seen before, it creates a new certificate with
the common name matching the requested name and stores it in
its repository; otherwise, it retrieves an existing certificate from
its repository. Fiddler then presents the certificate to the client,
allowing us to simulate a man-in-the-middle attacker who presents
self-signed certificates with correct common names. In addition,
we enabled Fiddler to capture and decrypt HTTPS connections.
Our simulated “man-in-the-middle” server presents the client with
several certificates: (1) a self-signed certificate with the same common name as the host the client is attempting to connect to, (2) a
self-signed certificate with an incorrect common name, and (3) a
valid certificate issued by a trusted certificate authority to a domain
called AllYourSSLAreBelongTo.us. If the client establishes
an SSL connection, the attack server decrypts traffic sent by the
client. It can then establish its own SSL connection to any legitimate server specified by the attacker and forward the client’s traffic.
The attack server also listens for the legitimate server’s response,
decrypts and logs it, re-encrypts it with the symmetric key the attacker shares with the client and forwards it to the client.
If we observed a particular client successfully establishing an
SSL connection when presented with any of the attack certificates,
we analyzed the source code of the client or, in the case of closed-source applications, the results of reverse-engineering, decompilation, and runtime traces (focusing in particular on calls to SSL
libraries) in order to find the root cause of the vulnerability.
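The three certificates are chosen so that the pattern of accepted and rejected connections points at the missing check before any source code is read. The model below is an added example, not the paper's test code: certificates are plain dicts, and the trust-store name, the target host and the wrong common name are constructed values.

```python
# Added example: models a client as two independent checks and runs the three
# probe certificates from the text against it. All names below are constructed.
TRUSTED_ROOTS = {"Example Trusted CA"}   # constructed trust store
TARGET = "bank.example"                  # constructed host the client wants to reach

def probes(host):
    """The three certificates the simulated server presents, in the text's order."""
    return {
        "self-signed, correct CN": {"cn": host, "issuer": host},
        "self-signed, wrong CN": {"cn": "wrong.example", "issuer": "wrong.example"},
        "CA-issued, other domain": {"cn": "AllYourSSLAreBelongTo.us",
                                    "issuer": "Example Trusted CA"},
    }

def chain_ok(cert):
    # Stand-in for signature and chain-of-trust validation.
    return cert["issuer"] in TRUSTED_ROOTS

def hostname_ok(cert, host):
    # Case-insensitive match; a leading "*." covers exactly one label.
    cn, host = cert["cn"].lower(), host.lower()
    if cn.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cn[2:]
    return cn == host

def accepts(cert, host, check_chain=True, check_host=True):
    return ((not check_chain or chain_ok(cert))
            and (not check_host or hostname_ok(cert, host)))

def run_probes(check_chain, check_host, host=TARGET):
    """Accept/reject vector for probes (1), (2), (3)."""
    return tuple(accepts(c, host, check_chain, check_host)
                 for c in probes(host).values())

def diagnose(outcome):
    """Map the observed vector to the validation step the client is missing."""
    return {
        (False, False, False): "both checks enforced",
        (True, False, False): "chain validation missing",
        (False, False, True): "hostname verification missing",
        (True, True, True): "no validation at all",
    }.get(tuple(outcome), "inconsistent result, inspect the client")

if __name__ == "__main__":
    for chain in (True, False):
        for host in (True, False):
            print(f"chain={chain} host={host}:", diagnose(run_probes(chain, host)))
```

Certificate (3) is the only probe that separates a client with no hostname verification from a correct one, which is why a test suite built only from self-signed certificates misses that class of bug.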
In Sections 7 through 10, we describe the vulnerabilities in specific programs, arranged by error type.