Ana­ly­sis of DTLS Im­ple­men­ta­ti­ons Using Pro­to­col State Fuz­zing

Paul Fi­terau Bros­te­an, Bengt Jons­son, Ro­bert Mer­get, Joeri de Rui­ter, Kon­stan­ti­nos Sa­go­nas, Juraj So­mo­rovs­ky


Ab­stract

Re­cent years have wit­nes­sed an in­crea­sing num­ber of pro­to­cols re­ly­ing on UDP. Com­pa­red to TCP, UDP of­fers per­for­mance ad­van­ta­ges such as sim­pli­ci­ty and lower la­ten­cy. This has mo­ti­va­ted its ad­op­ti­on in Voice over IP, tun­ne­ling tech­no­lo­gies, IoT, and novel Web pro­to­cols. To pro­tect sen­si­ti­ve data ex­chan­ge in these sce­na­ri­os, the DTLS pro­to­col has been de­ve­lo­ped as a cryp­to­gra­phic va­ria­ti­on of TLS. DTLS’s main chal­len­ge is to sup­port the sta­te­l­ess and un­re­lia­ble trans­port of UDP. This has forced pro­to­col de­si­gners to make choices that af­fect the com­ple­xi­ty of DTLS, and to in­cor­po­ra­te fea­tures that need not be ad­dres­sed in the nu­me­rous TLS ana­ly­ses. We pre­sent the first com­pre­hen­si­ve ana­ly­sis of DTLS im­ple­men­ta­ti­ons using pro­to­col state fuz­zing. To that end, we ex­tend TLS-At­ta­cker, an open sour­ce frame­work for ana­ly­zing TLS im­ple­men­ta­ti­ons, with sup­port for DTLS tailo­red to the sta­te­l­ess and un­re­lia­ble na­tu­re of the un­der­ly­ing UDP layer. We build a frame­work for ap­p­ly­ing pro­to­col state fuz­zing on DTLS ser­vers, and use it to learn state ma­chi­ne mo­dels for thir­teen DTLS im­ple­men­ta­ti­ons. Ana­ly­sis of the le­ar­ned state mo­dels re­veals four se­rious se­cu­ri­ty vul­nerabi­li­ties, in­clu­ding a full cli­ent au­then­ti­ca­ti­on by­pass in the la­test JSSE ver­si­on,as well as se­ver­al func­tio­nal bugs and non-con­for­mance is-su­es. It also un­co­vers con­s­i­dera­ble dif­fe­ren­ces bet­ween the mo­dels, con­fir­ming the com­ple­xi­ty of DTLS state ma­chi­nes.

[LINK]

Tags: dtls, state le­arning, state ma­chi­ne, TLS