Commit 1f55622a authored by Paul Fiterau Brostean

Merge branch 'master' of gitlab.science.ru.nl:pfiteraubrostean/Learning-SSH-Paper

parents e7b616ae ffb54644
......@@ -2,8 +2,8 @@
We have combined model learning with abstraction techniques to infer models of the OpenSSH, Bitvise and DropBear SSH server implementations. We have also
formalized several security and functional properties drawn from the SSH RFC specifications. We have verified these
properties on the learned models using model checking and have uncovered several minor inconsistencies, though crucially, the security critical properties were met
by all implementations.
properties on the learned models using model checking and have uncovered several minor standard violations.
The security critical properties were met by all implementations.
Abstraction was provided by a {\dmapper} component placed between the
{\dlearner} and the {\dsut}. The {\dmapper} was constructed from an
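Review bot: the reworded sentence still claims the security-critical properties "were met by all implementations", while the limitations paragraph two hunks further down concedes that the mapper was not formalized and "model checking results cannot be fully transferred to the actual implementations"; the abstract in this same commit was already softened to "all tested SSH server models satisfy the security properties", so align the conclusion with it, e.g. "were met by the learned models of all implementations". Also "security critical properties" wants a hyphen ("security-critical").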
......@@ -15,15 +15,15 @@ full version for OpenSSH, and a restricted version for the other
implementations. The restricted alphabet was still sufficient to
explore most aforementioned behavior.
There were several challenges encountered. Firstly, building a {\dmapper} presented a considerable technical challenge, as it required re-structuring of an actual
We encountered several challenges. Firstly, building a {\dmapper} presented a considerable technical challenge, as it required re-structuring of an actual
SSH implementation. Secondly, because we used classical learning algorithms, we had to ensure that the abstracted implementation behaved
like a deterministic Mealy Machine. Here time-induced non-determinism was difficult to eliminate. Buffering also presented problems,
like a (deterministic) Mealy Machine. Here time-induced non-determinism was difficult to eliminate. Buffering also presented problems,
leading to a considerable increase in the number of states. Moreover, the systems analyzed were relatively slow, which meant learning took
several days\marginpar{\tiny Erik: For a single server, right??}. This was compounded by the size of the learning alphabet, and it forced us into using a reduced alphabet for two of the analyzed implementations.
Limitations of the work, hence possibilities for future work, are several. First of all, the {\dmapper} was not formalized, unlike in~\cite{TCP2016}, thus we did not
produce a concretization of the abstract models. Consequently, model checking results cannot be fully transferred to the actual implementations. Formal definition
of the mapper and concretization of the learned models would tackle this. The {\dmapper} also caused considerable redundancy in the learned models, re-tweaking the abstractions used, in particular those for managing channels, could alleviate this problem while also improving learning times. This in turn would facilitate learning using expanded alphabets instead of resorting to restricted alphabets.
of the mapper and concretization of the learned models (as defined in \cite{AJUV15}) would tackle this. The {\dmapper} also caused considerable redundancy in the learned models, re-tweaking the abstractions used, in particular those for managing channels, could alleviate this problem while also improving learning times. This in turn would facilitate learning using expanded alphabets instead of resorting to restricted alphabets.
Furthermore, the {\dmapper} abstraction could be refined, to give more
insight into the implementations. In particular, parameters,
such as the session identifier or data sent over channels, could be extracted from the {\dmapper} and potentially handled by existing Register Automata learners\cite{ralib2015,tomte2015}. These learners
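Review bot: the unresolved margin note `\marginpar{\tiny Erik: For a single server, right??}` is still attached to "several days" in this hunk; answer it in the text (e.g. "several days per server") and remove the marginpar before submission, since it would otherwise be typeset. Two smaller points in the same hunk: "The {\dmapper} also caused considerable redundancy in the learned models, re-tweaking the abstractions used, ... could alleviate this problem" is a comma splice (start a new sentence at "Re-tweaking"), and `learners\cite{ralib2015,tomte2015}` lacks the non-breaking `~` used before `\cite{TCP2016}` earlier in the paragraph, so a line break can separate the citation from its word.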
......
......@@ -52,8 +52,6 @@ tabsize=2
\author{Paul Fiter\u{a}u-Bro\c{s}tean}
\authornote{Supported by NWO project 612.001.216, Active Learning of Security Protocols (ALSEP).}
\affiliation{%
\institution{Radboud University Nijmegen}
}
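Review bot: the header shows this author block shrinking by two lines; if the `\authornote{Supported by NWO project 612.001.216, Active Learning of Security Protocols (ALSEP).}` is one of them, move the funding acknowledgement to an acknowledgements section rather than dropping it, since grant terms usually require it to appear in the paper.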
......@@ -87,17 +85,14 @@ tabsize=2
\affiliation{%
\institution{Radboud University Nijmegen}
}
\email{patrick.verleg@student.ru.nl}
\email{patrickverleg@gmail.com}
\renewcommand{\shortauthors}{Fiter\u{a}u-Bro\c{s}tean et al.}
\begin{abstract}
We apply model learning on three SSH implementations to infer state machine models, which
are then verified by a model checker for functional and security properties. Our results show that
all tested SSH servers satisfy the security properties, but
satisfy the functional properties
only to a varying degree. Moreover, the state machines of the
implementations differ significantly, allowing them to be
are then verified by a model checker for functional and security properties. Our analysis showed that
all tested SSH server models satisfy the security properties. Nevertheless, we uncovered several minor standard violations.
The state machines of the implementations differ significantly, allowing them to be
effectively fingerprinted.
%Various shortcomings with regards to the RFCs were found. Opening multiple channels is not properly implemented on CiscoSSH and PowerShell. OpenSSH contains a bug which can result in connection closure after rekeying in some circumstances. Both Tectia and OpenSSH implement a liberal message acceptance policy in the first phase of the protocol. Such a liberal policy is unwise in this error-prone stage.
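Review bot: the commented-out sentence closing this hunk ("Opening multiple channels is not properly implemented on CiscoSSH and PowerShell ... Both Tectia and OpenSSH ...") names implementations other than the OpenSSH, Bitvise and DropBear servers this paper analyzes, so it is a leftover from an earlier draft; if it is being kept, delete it rather than carry a stale finding in the source. The rewritten abstract reads well; one nit: "Our analysis showed" should match the present tense of "We apply" in the sentence before it ("shows").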
......@@ -154,6 +149,7 @@ effectively fingerprinted.
\maketitle
\renewcommand{\shortauthors}{Fiter\u{a}u-Bro\c{s}tean et al.}
\input{introduction}
\input{preliminaries}
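Review bot: `\renewcommand{\shortauthors}{Fiter\u{a}u-Bro\c{s}tean et al.}` is added after `\maketitle` here while a copy also stands before `\begin{abstract}` in the previous hunk. In acmart, `\maketitle` (re)defines `\shortauthors` from the author list, so only a definition issued after it affects the running head; if the earlier copy is kept, remove it so the two cannot drift apart.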
......
@inproceedings{NuSMV2,
author = {Alessandro Cimatti and
Edmund M. Clarke and
Enrico Giunchiglia and
Fausto Giunchiglia and
Marco Pistore and
Marco Roveri and
Roberto Sebastiani and
Armando Tacchella},
author = {A. Cimatti and
E.M. Clarke and
E. Giunchiglia and
F. Giunchiglia and
M. Pistore and
M. Roveri and
R. Sebastiani and
A. Tacchella},
title = {NuSMV 2: An OpenSource Tool for Symbolic Model Checking},
booktitle = {Computer Aided Verification, 14th International Conference, {CAV}
2002,Copenhagen, Denmark, July 27-31, 2002, Proceedings},
booktitle = {CAV},
pages = {359--364},
year = {2002},
editor = {Ed Brinksma and
Kim Guldstrand Larsen},
series = {Lecture Notes in Computer Science},
series = {LNCS},
volume = {2404},
publisher = {Springer},
}
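Review bot: `booktitle = {CAV}` drops the edition that the other shortened venues in this file keep (`CAV'16`, `{ICTAC} 2015`, `ICFEM 2015`, `SP'09`); use `CAV 2002` (or `CAV'02`, matching `CAV'16`) so the venue field alone identifies the proceedings, and use the same form for both CAV entries.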
......@@ -57,13 +54,12 @@
@inproceedings{SMJV15,
author = {W. Smeenk and J. Moerman and D.N. Jansen and F.W. Vaandrager},
booktitle = {Proceedings 17th International Conference on Formal Engineering Methods (ICFEM 2015), Paris, 3-6 November 2015},
booktitle = {ICFEM 2015},
series = {LNCS},
volume = 9407,
pages = {1--17},
publisher = {Springer},
year = 2015,
editor = {M. Butler and S. Conchon and F. Zaidi},
title = {Applying Automata Learning to Embedded Control Software}
}
......@@ -80,26 +76,24 @@ document_type = {Bachelor's Thesis},
title = {Rule-based static analysis of network protocol implementations},
volume = {206},
number = {2-4},
journal = {Information and Computation},
author = {Udrea, Octavian and Lumezanu, Cristian and Foster, Jeffrey S.},
month = feb,
journal = {Inf.\ and Comp.},
author = {Udrea, O. and Lumezanu, C. and Foster, J.S.},
year = {2008},
pages = {130--157},
}
@MastersThesis{Toon2016,
title={Improving Protocol State Fuzzing of SSH},
author={Lenaerts, Toon},
author={Lenaerts, T.},
year={2016},
document_type = {Bachelor's Thesis},
type = {Bachelor's Thesis},
type = {Bachelor's Thesis},
school = {Radboud University}
}
@phdthesis{Isberner2015,
author = {Malte Isberner},
author = {M. Isberner},
year = 2015,
school = {Technical University of Dortmund},
school = {TU Dortmund},
title = {Foundations of Active Automata Learning: An Algorithmic Perspective}
}
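Review bot: `journal = {Inf.\ and Comp.}` is an ad-hoc abbreviation; the standard short form of Information and Computation is `Inf. Comput.`, and the same string is used for Angluin1987Learning in the next hunk, so change both. In Toon2016, `document_type` is not a field standard BibTeX styles read; `type = {Bachelor's Thesis}` is what overrides the "Master's thesis" label of `@MastersThesis`, so keep `type` and drop `document_type`.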
......@@ -123,20 +117,18 @@ document_type = {Bachelor's Thesis},
@article{Angluin1987Learning,
abstract = {The problem of identifying an unknown regular set from examples of its members and nonmembers is addressed. It is assumed that the regular set is presented by a minimally adequate Teacher, which can answer membership queries about the set and can also test a conjecture and indicate whether it is equal to the unknown set and provide a counterexample if not. (A counterexample is a string in the symmetric difference of the correct set and the conjectured set.) A learning algorithm L∗ is described that correctly learns any regular set from any minimally adequate Teacher in time polynomial in the number of states of the minimum dfa for the set and the maximum length of any counterexample provided by the Teacher. It is shown that in a stochastic setting the ability of the Teacher to test conjectures may be replaced by a random sampling oracle, {EX}( ). A polynomial-time learning algorithm is shown for a particular problem of context-free language identification.},
address = {Duluth, MN, USA},
author = {Angluin, Dana},
journal = {Information and Computation},
author = {Angluin, D.},
journal = {Inf.\ and Comp.},
month = nov,
number = {2},
pages = {87--106},
publisher = {Academic Press, Inc.},
title = {Learning regular sets from queries and counterexamples},
volume = {75},
year = {1987}
}
@incollection{Aarts2010Generating,
author = {Aarts, Fides and Jonsson, Bengt and Uijen, Johan},
author = {Aarts, F. and Jonsson, B. and Uijen, J.},
booktitle = {Testing Software and Systems},
citeulike-article-id = {13856840},
citeulike-linkout-0 = {http://dx.doi.org/10.1007/978-3-642-16573-3_14},
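Review bot: Aarts2010Generating still carries `citeulike-article-id` and `citeulike-linkout-0`; if the intent of this commit is to strip the citeulike export debris, as the shrinking FutoranskyAttack, Chalupar2014Automated and Williams2011Analysis entries suggest, do it here as well. The long `abstract` fields (this entry, Angluin1987Learning, Bellare2004Breaking, Albrecht2009Plaintext) are not printed by any standard style and could go in the same pass.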
......@@ -186,7 +178,7 @@ machine learning algorithms},
@article{AJUV15,
author = {F. Aarts and B. Jonsson and J. Uijen and F.W. Vaandrager},
title = {Generating Models of Infinite-State Communication Protocols using Regular Inference with Abstraction},
journal= {Formal Methods in System Design},
journal= {FMSD},
year= {2015},
publisher= {Springer},
volume = 46,
......@@ -195,22 +187,19 @@ machine learning algorithms},
}
@article{FutoranskyAttack,
author = {Futoransky, Ariel and Kargieman, Emiliano},
citeulike-article-id = {13837770},
edition = {oct. 1998},
author = {Futoransky, A. and Kargieman, E.},
year={1998},
howpublished = {Online. \url{https://www.coresecurity.com/system/files/publications/2016/05/KargiemanPacettiRicharte_1998-CRC32.pdf}},
priority = {2},
title = {An attack on {CRC}-32 integrity checks of encrypted channels using {CBC} and {CFB} modes}
}
@article{GrinchteinJL10,
author = {Olga Grinchtein and
Bengt Jonsson and
Martin Leucker},
author = {O. Grinchtein and
B. Jonsson and
M. Leucker},
title = {Learning of event-recording automata},
journal = {Theor. Comput. Sci.},
journal = {TCS},
volume = {411},
number = {47},
pages = {4029--4054},
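Review bot: FutoranskyAttack is an `@article` with no `journal` but a `howpublished` field; standard styles ignore `howpublished` for articles and warn about the missing journal, so make it `@misc` (or `@techreport` with `institution = {Core Security}`, given the coresecurity.com URL). Also, the linked file name `KargiemanPacettiRicharte_1998-CRC32.pdf` names authors that differ from the `author` field, so check the author list against the PDF.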
......@@ -218,16 +207,12 @@ machine learning algorithms},
}
@inproceedings{tomte2015,
author = {Fides Aarts and Paul Fiter\u{a}u-Bro\c{s}tean and Harco Kuppens and Frits W. Vaandrager},
author = {F. Aarts and P. Fiter\u{a}u-Bro\c{s}tean and H. Kuppens and F.W. Vaandrager},
title = {Learning Register Automata with Fresh Value Generation},
booktitle = {Theoretical Aspects of Computing - {ICTAC} 2015 - 12th International
Colloquium Cali, Colombia, October 29-31, 2015, Proceedings},
booktitle = {{ICTAC} 2015},
pages = {165--183},
year = {2015},
editor = {Martin Leucker and
Camilo Rueda and
Frank D. Valencia},
series = {Lecture Notes in Computer Science},
series = {LNCS},
volume = {9399},
publisher = {Springer}
}
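Review bot: the `editor` lines are dropped from tomte2015 here (and from TCP2016 further down) while NuSMV2 and SMJV15 still show theirs; since `series = {LNCS}`, `volume` and `publisher` are retained everywhere, decide once whether editors stay and apply it to all Springer proceedings entries.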
......@@ -243,21 +228,16 @@ machine learning algorithms},
}
@inproceedings{Chalupar2014Automated,
author = {Chalupar, Georg and Peherstorfer, Stefan and Poll, Erik and de Ruiter, Joeri},
citeulike-article-id = {13837720},
booktitle = {Proceedings of the 8th USENIX workshop on
Offensive Technologies (WOOT'14)},
author = {Chalupar, G. and Peherstorfer, S. and Poll, E. and Ruiter, J. {de}},
booktitle = {Proc.\ USENIX workshop on Offensive Technologies (WOOT'14)},
pages = {1--10},
posted-at = {2015-11-13 14:58:54},
priority = {2},
title = {Automated Reverse Engineering using {LEGO}},
year = {2014}
}
@incollection{Aarts2010Inference,
author = {Aarts, Fides and Schmaltz, Julien and Vaandrager, Frits},
author = {Aarts, F. and Schmaltz, J. and Vaandrager, F.},
booktitle = {Leveraging Applications of Formal Methods, Verification, and Validation},
editor = {Margaria, Tiziana and Steffen, Bernhard},
pages = {673--686},
publisher = {Springer},
series = {LNCS},
......@@ -268,8 +248,7 @@ machine learning algorithms},
@article{Bellare2004Breaking,
abstract = {The secure shell ({SSH}) protocol is one of the most popular cryptographic protocols on the Internet. Unfortunately, the current {SSH} authenticated encryption mechanism is insecure. In this paper, we propose several fixes to the {SSH} protocol and, using techniques from modern cryptography, we prove that our modified versions of {SSH} meet strong new chosen-ciphertext privacy and integrity requirements. Furthermore, our proposed fixes will require relatively little modification to the {SSH} protocol and to {SSH} implementations. We believe that our new notions of privacy and integrity for encryption schemes with stateful decryption algorithms will be of independent interest.},
address = {New York, NY, USA},
author = {Bellare, Mihir and Kohno, Tadayoshi and Namprempre, Chanathip},
author = {Bellare, M. and Kohno, T. and Namprempre, C.},
journal = {ACM Trans. Inf. Syst. Secur.},
month = may,
number = {2},
......@@ -281,51 +260,47 @@ machine learning algorithms},
}
@misc{rfc4254,
author = {Ylonen, Tatu},
author = {Ylonen, T.},
month = jan,
title = {The Secure Shell ({SSH}) Connection Protocol. {RFC} 4254, The Internet Engineering Task Force, Network Working Group},
title = {The Secure Shell ({SSH}) Connection Protocol. {RFC} 4254, IETF, Network Working Group},
year = {2006}
}
@misc{rfc4252,
author = {Ylonen, Tatu},
author = {Ylonen, T.},
month = jan,
title = {The Secure Shell ({SSH}) Authentication Protocol. {RFC} 4252, The Internet Engineering Task Force, Network Working Group},
title = {The Secure Shell ({SSH}) Authentication Protocol. {RFC} 4252, IETF, Network Working Group},
year = {2006}
}
@misc{rfc4253,
author = {Ylonen, Tatu},
author = {Ylonen, T.},
month = jan,
title = {The Secure Shell ({SSH}) Transport Layer Protocol. {RFC} 4253, The Internet Engineering Task Force, Network Working Group},
title = {The Secure Shell ({SSH}) Transport Layer Protocol. {RFC} 4253, IETF, Network Working Group},
year = {2006}
}
@misc{rfc4251,
author = {Ylonen, Tatu},
author = {Ylonen, T.},
editor = {Lonvick, C.},
month = jan,
title = {The Secure Shell ({SSH}) Protocol Architecture. {RFC} 4251, The Internet Engineering Task Force, Network Working Group},
title = {The Secure Shell ({SSH}) Protocol Architecture. {RFC} 4251, IETF, Network Working Group},
year = {2006}
}
@article{Poll2007Verifying,
author = {Poll, Erik and Schubert, Aleksy},
citeulike-article-id = {13837644},
journal = {Proceedings of the 17th Workshop on Information Technology and Systems (WITS'07)},
month = dec,
pages = {164--177},
posted-at = {2015-11-13 12:29:00},
priority = {2},
publisher = {Concordia University},
title = {Verifying an implementation of {SSH}},
year = {2007}
}
@incollection{Paterson2010PlaintextDependent,
author = {Paterson, Kenneth G. and Watson, Gaven J.},
booktitle = {Advances in Cryptology – EUROCRYPT 2010},
editor = {Gilbert, Henri},
author = {Paterson, K.G. and Watson, G.J.},
booktitle = {EUROCRYPT 2010},
pages = {345--361},
publisher = {Springer},
series = {LNCS},
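Review bot: RFCs 4251 to 4254 all carry the same author line ("T. Ylonen, C. Lonvick, Ed."), yet only rfc4251 gets `editor = {Lonvick, C.}`; add it to the other three or drop it from 4251. The "RFC 42xx, IETF, Network Working Group" suffix sits inside `title` and is typeset as part of the title; `howpublished = {RFC 4254, IETF}` keeps the title clean. Poll2007Verifying is an `@article` whose `journal` is a workshop proceedings; make it `@inproceedings` with `booktitle`, and strip its `citeulike-article-id`, `posted-at` and `priority` like the other entries.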
......@@ -335,20 +310,12 @@ machine learning algorithms},
}
@incollection{Williams2011Analysis,
author = {Williams, Stephen C.},
author = {Williams, S.C.},
booktitle = {Cryptography and Coding},
citeulike-article-id = {13837625},
citeulike-linkout-0 = {http://dx.doi.org/10.1007/978-3-642-25516-8_22},
citeulike-linkout-1 = {http://link.springer.com/chapter/10.1007/978-3-642-25516-8_22},
doi = {10.1007/978-3-642-25516-8_22},
editor = {Chen, Liqun},
pages = {356--374},
posted-at = {2015-11-13 12:16:22},
priority = {2},
publisher = {Springer},
series = {LNCS},
title = {Analysis of the {SSH} Key Exchange Protocol},
url = {http://dx.doi.org/10.1007/978-3-642-25516-8_22},
volume = {7089},
year = {2011}
}
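Review bot: the cleanup of Williams2011Analysis appears to drop `doi` and `url` along with the citeulike fields, leaving the entry with no resolvable locator; keep `doi = {10.1007/978-3-642-25516-8_22}` (a single `doi` is what most styles print) and remove only the citeulike fields and the redundant `url`.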
......@@ -356,13 +323,10 @@ machine learning algorithms},
@inproceedings{Albrecht2009Plaintext,
abstract = {This paper presents a variety of plaintext-recovering attacks against SSH. We implemented a proof of concept of our attacks against OpenSSH, where we can verifiably recover 14 bits of plaintext from an arbitrary block of ciphertext with probability \$2^{-14}\$ and 32 bits of plaintext from an arbitrary block of ciphertext with probability \$2^{-18}\$. These attacks assume the default configuration of a 128-bit block cipher operating in CBC mode. The paper explains why a combination of flaws in the basic design of SSH leads implementations such as OpenSSH to be open to our attacks, why current provable security results for SSH do not cover our attacks, and how the attacks can be prevented in practice.},
address = {Washington, DC, USA},
author = {Albrecht, Martin R. and Paterson, Kenneth G. and Watson, Gaven J.},
booktitle = {Security and Privacy, 2009 30th IEEE Symposium on},
institution = {Inf. Security Group, Univ. of London, Egham, UK},
month = may,
author = {Albrecht, M.R. and Paterson, K.G. and Watson, G.J.},
booktitle = {SP'09},
pages = {16--26},
publisher = {IEEE},
series = {SP '09},
title = {Plaintext Recovery Attacks against {SSH}},
year = {2009}
}
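Review bot: `booktitle = {SP'09}` does not tell the reader this is the IEEE Symposium on Security and Privacy, and if `series = {SP '09}` survives next to it the same abbreviation is printed twice with different spacing; use `booktitle = {IEEE Symposium on Security and Privacy (SP'09)}` and drop `series`, or at least make the two strings identical.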
......@@ -394,12 +358,10 @@ machine learning algorithms},
}
@inproceedings{Aarts2013Formal,
author = {Aarts, Fides and de Ruiter, Joeri and Poll, Erik},
booktitle = {Software Testing, Verification and Validation Workshops (ICSTW), 2013 IEEE Sixth International Conference on},
month = mar,
author = {Aarts, F. and Ruiter, J. {de} and Poll, E.},
booktitle = {Software Testing, Verification and Validation Workshops (ICSTW)},
pages = {461--468},
publisher = {IEEE Computer Society},
address = {Los Alamitos, CA, USA},
publisher = {IEEE CS},
title = {Formal Models of Bank Cards for Free},
year = {2013}
}
......@@ -408,10 +370,9 @@ machine learning algorithms},
author = {P. Fiter\u{a}u-Bro\c{s}tean and R. Janssen and F.W. Vaandrager},
title = {Combining Model Learning and Model Checking to Analyze {TCP} Implementations},
year = 2016,
booktitle = {Proceedings 28th International Conference on Computer Aided Verification (CAV'16), {\rm Toronto, Ontario, Canada}},
editor = {S. Chaudhuri and A. Farzan},
booktitle = {CAV'16},
publisher = {Springer},
series = {Lecture Notes in Computer Science},
series = {LNCS},
volume = {9780},
pages = {454-471},
}
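Review bot: `pages = {454-471}` uses a single hyphen while every other entry uses the en-dash form `--`; change it to `454--471`.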
......@@ -445,14 +406,9 @@ machine learning algorithms},
@inproceedings{RuiterProtocol,
address = {Washington, D.C.},
author = {de Ruiter, Joeri and Poll, Erik},
booktitle = {24th USENIX Security Symposium (USENIX Security 15)},
citeulike-article-id = {13778669},
citeulike-linkout-0 = {https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/de-ruiter},
month = aug,
author = {Ruiter, J. {de} and Poll, E.},
booktitle = {USENIX Security},
pages = {193--206},
posted-at = {2015-09-30 08:03:40},
priority = {2},
publisher = {USENIX Association},
title = {Protocol State Fuzzing of {TLS} Implementations},
year = {2015}
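Review bot: `booktitle = {USENIX Security}` loses the edition that identifies the proceedings (24th, 2015), while the other shortened venues keep theirs (`WOOT'14`, `SP'09`, `CAV'16`); use `USENIX Security 2015` (or `USENIX Security'15`).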
......@@ -473,13 +429,8 @@ machine learning algorithms},
}
@techreport{Poll_rigorous_2011,
author = {Poll, Erik and Schubert, Aleksy},
citeulike-article-id = {13778664},
citeulike-linkout-0 = {http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.194.1815},
posted-at = {2015-09-30 08:00:15},
priority = {2},
author = {Poll, E. and Schubert, A.},
title = {Rigorous specifications of the {SSH} Transport Layer},
url = {http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.194.1815},
year = {2011},
institution = {Radboud University}
}
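Review bot: removing the citeseerx `url` leaves Poll_rigorous_2011 as a `@techreport` with only `institution` and `year`, which a reader cannot locate; keep one locator (the `url`, or a report `number` if Radboud assigned one).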
......@@ -511,9 +462,8 @@ machine learning algorithms},
}
@incollection{Wang2011Inferring,
author = {Wang, Yipeng and Zhang, Zhibin and Yao, Danfeng and Qu, Buyun and Guo, Li},
author = {Wang, Y. and Zhang, Z. and Yao, D. and Qu, B. and Guo, L.},
booktitle = {Applied Cryptography and Network Security},
editor = {Lopez, Javier and Tsudik, Gene},
pages = {1--18},
publisher = {Springer},
series = {LNCS},
......@@ -594,26 +544,24 @@ machine learning algorithms},
@article{Vaa17,
author = {F.W. Vaandrager},
journal = {Communications of the ACM},
journal = {CACM},
title = {Model Learning},
volume = {60},
number = {2},
year = {2017},
pages = {86--95},
publisher = {ACM},
address = {New York, NY, USA},
}
@article{Beurdouche:2017,
author = {Beurdouche, B. and Bhargavan, K. and Delignat-Lavaud, A. and Fournet, C. and Kohlweiss, M. and Pironti, A. and Strub, P.-Y. and Zinzindohoue, J. K.},
title = {A Messy State of the Union: Taming the Composite State Machines of TLS},
journal = {Communications of the ACM},
journal = {CACM},
volume = {60},
number = {2},
year = {2017},
pages = {99--107},
publisher = {ACM},
address = {New York, NY, USA},
}