Securely Implementing Network Protocols: Detecting and Preventing Logical Flaws by Cody Mercer
Securely Implementing Network Protocols: Detecting and Preventing Logical Flaws by Mathy Vanhoef
Properly implementing network protocols is essential to securing any network-accessible device. Although there has been a substantial amount of work on detecting and preventing common programming mistakes such as buffer overflows and use-after-frees, less attention has been given to the detection of logical bugs. Unfortunately, over the last few years it has become clear that logical implementation bugs are more common than previously thought. Moreover, they can void any security that the protocol is supposed to provide.
One example is the Early CCS attack against OpenSSL, which an adversary can abuse to decrypt and/or modify transmitted data. Implementations of other protocols such as SSH and Wi-Fi can be affected by similar flaws. In this webcast, we explore how model-based testing can semi-automatically detect such flaws.
First, we illustrate how model-based testing was used to detect logical bugs in SSL/TLS implementations. Then, we demonstrate how a variant of their technique can be applied to detect logical flaws in Wi-Fi implementations, and discuss vulnerabilities we discovered in Windows, OpenBSD, Broadcom, and MediaTek.
Finally, we conclude with advice on how logical bugs can be avoided when implementing a protocol.