using frankencerts for automated adversarial testing of
play

Using Frankencerts for Automated Adversarial Testing of Certificate - PowerPoint PPT Presentation

Jul 12, 2023 •21 likes •201 views

Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations Chad Brubaker Suman Jana Baishakhi Ray Sarfraz Khurshid Vitaly Shmatikov 116033910063 Content SSL/TLS

  1. Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations Chad Brubaker Suman Jana Baishakhi Ray Sarfraz Khurshid Vitaly Shmatikov 116033910063 黄中月

  2. Content • SSL/TLS Protocol • Implementation Correctness • Certificate Generation • Differential Testing • Conclusion

  3. SSL/TLS Protocol • End-to-end security even if the network is insecure • Authentication = certificate validation • Confidentiality • Integrity

  4. SSL/TLS Protocol • Server authentication • X.509 certificate validation • Chain of trust • Basic constraints • Name constraints • Key usage • Hostname • Time • …

  5. Implementation Correctness • Problem1: generating test inputs • Structurally complex data = Huge input space • Approach • Simple automated technique (Ex: random fuzzing) • A fuzzed string won't even parse as an X.509 cert • Manually creating certificates • Manually creating a high-quality suite is simply infeasible

  6. Implementation Correctness • Problem2: interpreting test results test SSL/TLS accept/reject certificate implementation

  7. Implementation Correctness • Problem1: generating test inputs • Frankencerts • Problem2: interpreting test results • Differential Testing

  8. Certificate Generation • Requirements • Syntactically correct • Semantically bad • Scale to millions of certs • X.509 certificate structure • Multilayered structured data • Syntactic constraints • Ex: Version must be an integer • Semantic constraints • Ex: Version must be 0, 1, or 2

  9. Certificate Generation • Step 1: collect 243,246 certificates

  10. Certificate Generation • Step 2: generate 8,127,600 frankencerts

  11. Certificate Generation • Step 3: mutate a few pieces

  12. Differential Testing • 9 open-source SSL/TLS libraries • 6 Web browsers

  13. Differential Testing • Results • 15 root causes • 208 discrepancies • 62,022 frankencerts • Error Reporting • Expired (E) • Bad issuer (I) • Bad name (N)

  14. Differential Testing • Results

  15. Differential Testing • Error Reporting

  16. Differential Testing • Ex. Google Chrome

  17. Conclusion • Differential testing with frankencerts is an effective technique for finding flaws in SSL/TLS implementations • The code is available at: https://github.com/sumanj/frankencert

  18. Thanks Q&A

Recommend

Automated testing for multiplayer Game AI Automated testing for multiplayer Game AI in Sea of

Automated testing for multiplayer Game AI Automated testing for multiplayer Game AI in Sea of

Automated testing for multiplayer Game AI Automated testing for multiplayer Game AI in Sea of Thieves in Sea of Thieves Robert Masella Rare - Microsoft Studios About Me About Me Senior Gameplay Engineer Worked on: Banjo Kazooie:

785 views • 55 slides
Testing Testing one two, one two! Setting up an automated testing environment for Samba on

Testing Testing one two, one two! Setting up an automated testing environment for Samba on

Testing Testing one two, one two! Setting up an automated testing environment for Samba on Gluster Sachin Prabhu Michael Adam sprabhu@redhat.com obnox@samba.org 1 Agenda Setting up of an automated testing environment for Samba on Gluster

519 views • 23 slides
Combinatorial Testing Automated testing and J.P . Galeotti - Alessandra Gorla verification

Combinatorial Testing Automated testing and J.P . Galeotti - Alessandra Gorla verification

Combinatorial Testing Automated testing and J.P . Galeotti - Alessandra Gorla verification Wednesday, November 28, 12 Combinatorial testing: Basic idea Identify distinct attributes that can be varied In the data, environment, or

1.02k views • 52 slides
Enterprise Automated Testing System Integration North American Distributor ATaaS Technology

Enterprise Automated Testing System Integration North American Distributor ATaaS Technology

ATN-Emulator Enterprise Automated Testing System Integration North American Distributor ATaaS Technology Overview ATaaS (Automated Testing as a Service) is an end-to-end automated POS (Point of Sale) testing system with a robotic arm for

155 views • 14 slides
Eiffel Testing Framework (ETF): Automated Regression & Acceptance Testing EECS3311 A & E:

Eiffel Testing Framework (ETF): Automated Regression & Acceptance Testing EECS3311 A & E:

Eiffel Testing Framework (ETF): Automated Regression & Acceptance Testing EECS3311 A & E: Software Design Fall 2020 C HEN -W EI W ANG Learning Objectives Upon completing this lecture, you are expected to understand: 1. User Interface :

775 views • 22 slides
Towards Automated Testing of Web Service Choreographies Felipe Besson, Pedro Leal, Fabio Kon and

Towards Automated Testing of Web Service Choreographies Felipe Besson, Pedro Leal, Fabio Kon and

Towards Automated Testing of Web Service Choreographies Felipe Besson, Pedro Leal, Fabio Kon and Alfredo Goldman 6th International University of So Paulo Workshop on Automated Dejan Milojicic Software Testing Hewlett Packard Laboratories

248 views • 12 slides
Structural and dataflow testing (cont.) Automated testing and J.P . Galeotti - Alessandra Gorla

Structural and dataflow testing (cont.) Automated testing and J.P . Galeotti - Alessandra Gorla

Structural and dataflow testing (cont.) Automated testing and J.P . Galeotti - Alessandra Gorla verification Thursday, January 17, 13 Structural testing Judging test suite thoroughness based on the structure of the program itself Also

944 views • 80 slides
Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad

Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad

Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad Ureche, Cristian Zamfir, George Candea School of Computer and Communication Sciences Automated Software Testing Automated Industrial Techniques

1.25k views • 59 slides
Web Applications Testing Automated testing and JP Galeotti, Alessandra Gorla verification

Web Applications Testing Automated testing and JP Galeotti, Alessandra Gorla verification

Web Applications Testing Automated testing and JP Galeotti, Alessandra Gorla verification Thursday, January 31, 13 Why are Web applications different Web 1.0: Static content Client and Server side execution Different components and

442 views • 33 slides
Integration, System and Regression Testing Automated testing and J.P .Galeotti Alessandra Gorla

Integration, System and Regression Testing Automated testing and J.P .Galeotti Alessandra Gorla

Integration, System and Regression Testing Automated testing and J.P .Galeotti Alessandra Gorla verification Thursday, January 31, 13 Actual Needs and Delivered User Acceptance (alpha, beta test) Constraints Package Review System

999 views • 69 slides
Required Tutorial Eiffel Testing Framework (ETF): Automated Regression & Acceptance Testing

Required Tutorial Eiffel Testing Framework (ETF): Automated Regression & Acceptance Testing

Required Tutorial Eiffel Testing Framework (ETF): Automated Regression & Acceptance Testing All technical details of ETF are discussed in this tutorial series: https://www.youtube.com/playlist?list=PL5dxAmCmjv_ EECS3311 A & E: Software

447 views • 6 slides
Software testing Software Testing Introduction Testing levels Automated testing Principles and

Software testing Software Testing Introduction Testing levels Automated testing Principles and

Introduction Testing levels Automated testing Principles and testability Coverage Criteria Points for thought Software testing Software Testing Introduction Testing levels Automated testing Principles and testability Coverage Criteria

892 views • 55 slides
Neglected topics CS 446 Adversarial examples and deep networks 1 / 23 Adversarial

Neglected topics CS 446 Adversarial examples and deep networks 1 / 23 Adversarial

Neglected topics CS 446 Adversarial examples and deep networks 1 / 23 Adversarial examples? Standard ML setup: We have training data; try to do well on withheld testing data. Adversarial/robust ML setup: We have training

672 views • 27 slides
Introduction to software testing and quality process Automated testing and J.P . Galeotti -

Introduction to software testing and quality process Automated testing and J.P . Galeotti -

Introduction to software testing and quality process Automated testing and J.P . Galeotti - Alessandra Gorla verification Engineering processes Engineering disciplines pair construction activities activities that check intermediate

801 views • 58 slides
Evolution of Automated Testing for Enterprise Systems BNSF BNSF Automation Time Line Automated

Evolution of Automated Testing for Enterprise Systems BNSF BNSF Automation Time Line Automated

P R E S E N T A T I O N Presentation Bios F8 Friday, November 2, 2001 11:15 AM E VOLUTION OF A UTOMATED T ESTING FOR E NTERPRISE S YSTEMS Cherie Coles BNSF Railroad International Conference On Software Testing Analysis & Review October

348 views • 22 slides
Testing for the Unexpected: An Automated T ti f th U t d A A t t d Method of Injecting

Testing for the Unexpected: An Automated T ti f th U t d A A t t d Method of Injecting

Testing for the Unexpected: An Automated T ti f th U t d A A t t d Method of Injecting Faults for Engine Management Development M t D l t Scott James Applied Dynamics International Sh Shaun Fuller Pickering Interfaces F ll

353 views • 18 slides
Automated Software Testing with Inferred Program Properties Tao Xie Dept. of Computer Science

Automated Software Testing with Inferred Program Properties Tao Xie Dept. of Computer Science

Automated Software Testing with Inferred Program Properties Tao Xie Dept. of Computer Science & Engineering University of Washington Joint work with David Notkin July 2004 Motivation Existing automated test generation tools are

638 views • 43 slides
Automated Testing Gleb Bahmutov, VP of Engineering at Cypress Gary Schultz, Chief Marketing Officer

Automated Testing Gleb Bahmutov, VP of Engineering at Cypress Gary Schultz, Chief Marketing Officer

Automated Testing Gleb Bahmutov, VP of Engineering at Cypress Gary Schultz, Chief Marketing Officer at BrieBug What is Automated Testing? Software that automatically checks whether actual results match expected results to ensure that an

317 views • 10 slides
Automated Curses Testing Brett Lymn Introduction Curses is a terminal independent interface to a

Automated Curses Testing Brett Lymn Introduction Curses is a terminal independent interface to a

Automated Curses Testing file:///home/user/blymn/presentations/curses-test/curses-test.html Automated Curses Testing Brett Lymn Introduction Curses is a terminal independent interface to a terminal Optimises screen updates to minimise data

429 views • 3 slides
Automated Audio Testing Bernard Rodrigue Software Developer, Audiokinetic Agenda History of

Automated Audio Testing Bernard Rodrigue Software Developer, Audiokinetic Agenda History of

Automated Audio Testing Bernard Rodrigue Software Developer, Audiokinetic Agenda History of Audio Testing Optimizing human interventions RoboQA in details Other forms of testing Your game and tools History Designer Test

773 views • 45 slides
Automated Flashing and Testing for Continuous Integration Igor Stoppa Embedded Linux Conference

Automated Flashing and Testing for Continuous Integration Igor Stoppa Embedded Linux Conference

Automated Flashing and Testing for Continuous Integration Igor Stoppa Embedded Linux Conference North America 2015 1 Automated Flasher Tester AFT Tool for deploying and verifying a SW image on an appropriate target HW device. Easily

309 views • 17 slides
Automated Vehicle Development, Testing and Implementation Thomas J. Bamonte Program Manager,

Automated Vehicle Development, Testing and Implementation Thomas J. Bamonte Program Manager,

Automated Vehicle Development, Testing and Implementation Thomas J. Bamonte Program Manager, Automated Vehicles North Central Texas Council of Governments February 17, 2017 Monoculture Monoculture Diminishing Returns for Region (to 2040)

735 views • 20 slides
Conditional Independence Testing using Adversarial Neural Networks Alexis Bellot Mihaela van der

Conditional Independence Testing using Adversarial Neural Networks Alexis Bellot Mihaela van der

Conditional Independence Testing using Adversarial Neural Networks Alexis Bellot Mihaela van der Schaar From two-sample testing to independence testing X ~ Y ~ Two sample problem: Can we say whether = ? Independence

348 views • 8 slides
Automated Testing of Debian Packages Status Update Lucas Nussbaum lucas@debian.org Lucas

Automated Testing of Debian Packages Status Update Lucas Nussbaum lucas@debian.org Lucas

Introduction Tests Building packages more efficiently Piuparts State of the archive collab-qa Conclusion Automated Testing of Debian Packages Status Update Lucas Nussbaum lucas@debian.org Lucas Nussbaum Automated Testing of Debian

622 views • 34 slides

More recommend