Vetting SSL usage in applications with SSLINT

Boyuan He, Vaibhav Rastogi, Yinzhi Cao, Yan Chen, V. N. Venkatakrishnan, Runqing Yang, Zhenrui Zhang

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

34 Scopus citations

Abstract

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols have become the security backbone of the Web and Internet today. Many systems, including mobile and desktop applications, rely on SSL/TLS to protect against network attacks. However, many vulnerabilities caused by incorrect use of SSL/TLS APIs have been uncovered in recent years. Such vulnerabilities, many of which stem from poor API design and the inexperience of application developers, often lead to confidential data leakage or man-in-the-middle attacks. In this paper, to guarantee code quality and logic correctness of SSL/TLS applications, we design and implement SSLINT, a scalable, automated, static analysis system for detecting incorrect use of SSL/TLS APIs. SSLINT is capable of performing automatic logic verification with high efficiency and good accuracy. To demonstrate this, we apply SSLINT to one of the most popular Linux distributions, Ubuntu. We find 27 previously unknown SSL/TLS vulnerabilities in Ubuntu applications, most of which are also distributed with other Linux distributions.

Original language: English (US)
Title of host publication: Proceedings - 2015 IEEE Symposium on Security and Privacy, SP 2015
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 519-534
Number of pages: 16
ISBN (Electronic): 9781467369497
DOIs
State: Published - Jul 17 2015
Event: 36th IEEE Symposium on Security and Privacy, SP 2015 - San Jose, United States
Duration: May 18 2015 - May 20 2015

Publication series

Name: Proceedings - IEEE Symposium on Security and Privacy
Volume: 2015-July
ISSN (Print): 1081-6011

Other

Other: 36th IEEE Symposium on Security and Privacy, SP 2015
Country: United States
City: San Jose
Period: 5/18/15 - 5/20/15

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Software
  • Computer Networks and Communications
