Vetting SSL usage in applications with SSLINT

Boyuan He; Vaibhav Rastogi; Yinzhi Cao; Yan Chen; V. N. Venkatakrishnan; Runqing Yang; Zhenrui Zhang

doi:10.1109/SP.2015.38

Vetting SSL usage in applications with SSLINT

Boyuan He, Vaibhav Rastogi, Yinzhi Cao, Yan Chen, V. N. Venkatakrishnan, Runqing Yang, Zhenrui Zhang

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

34 Scopus citations

Abstract

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols have become the security backbone of the Web and Internet today. Many systems including mobile and desktop applications are protected by SSL/TLS protocols against network attacks. However, many vulnerabilities caused by incorrect use of SSL/TLS APIs have been uncovered in recent years. Such vulnerabilities, many of which are caused due to poor API design and inexperience of application developers, often lead to confidential data leakage or man-in-the-middle attacks. In this paper, to guarantee code quality and logic correctness of SSL/TLS applications, we design and implement SSLINT, a scalable, automated, static analysis system for detecting incorrect use of SSL/TLS APIs. SSLINT is capable of performing automatic logic verification with high efficiency and good accuracy. To demonstrate it, we apply SSLINT to one of the most popular Linux distributions - Ubuntu. We find 27 previously unknown SSL/TLS vulnerabilities in Ubuntu applications, most of which are also distributed with other Linux distributions.

Original language	English (US)
Title of host publication	Proceedings - 2015 IEEE Symposium on Security and Privacy, SP 2015
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	519-534
Number of pages	16
ISBN (Electronic)	9781467369497
DOIs	https://doi.org/10.1109/SP.2015.38
State	Published - Jul 17 2015
Event	36th IEEE Symposium on Security and Privacy, SP 2015 - San Jose, United States Duration: May 18 2015 → May 20 2015

Publication series

Name	Proceedings - IEEE Symposium on Security and Privacy
Volume	2015-July
ISSN (Print)	1081-6011

Other

Other	36th IEEE Symposium on Security and Privacy, SP 2015
Country	United States
City	San Jose
Period	5/18/15 → 5/20/15

ASJC Scopus subject areas

Safety, Risk, Reliability and Quality
Software
Computer Networks and Communications

Access to Document

10.1109/SP.2015.38

Fingerprint Dive into the research topics of 'Vetting SSL usage in applications with SSLINT'. Together they form a unique fingerprint.

Cite this

He, B., Rastogi, V., Cao, Y., Chen, Y., Venkatakrishnan, V. N., Yang, R., & Zhang, Z. (2015). Vetting SSL usage in applications with SSLINT. In Proceedings - 2015 IEEE Symposium on Security and Privacy, SP 2015 (pp. 519-534). [7163045] (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2015-July). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/SP.2015.38

@inproceedings{62d782cc9c0e446782355734b75cb009,

title = "Vetting SSL usage in applications with SSLINT",

abstract = "Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols have become the security backbone of the Web and Internet today. Many systems including mobile and desktop applications are protected by SSL/TLS protocols against network attacks. However, many vulnerabilities caused by incorrect use of SSL/TLS APIs have been uncovered in recent years. Such vulnerabilities, many of which are caused due to poor API design and inexperience of application developers, often lead to confidential data leakage or man-in-the-middle attacks. In this paper, to guarantee code quality and logic correctness of SSL/TLS applications, we design and implement SSLINT, a scalable, automated, static analysis system for detecting incorrect use of SSL/TLS APIs. SSLINT is capable of performing automatic logic verification with high efficiency and good accuracy. To demonstrate it, we apply SSLINT to one of the most popular Linux distributions - Ubuntu. We find 27 previously unknown SSL/TLS vulnerabilities in Ubuntu applications, most of which are also distributed with other Linux distributions.",

author = "Boyuan He and Vaibhav Rastogi and Yinzhi Cao and Yan Chen and Venkatakrishnan, {V. N.} and Runqing Yang and Zhenrui Zhang",

note = "Publisher Copyright: {\textcopyright} 2015 IEEE. Copyright: Copyright 2015 Elsevier B.V., All rights reserved.; 36th IEEE Symposium on Security and Privacy, SP 2015 ; Conference date: 18-05-2015 Through 20-05-2015",

year = "2015",

month = jul,

day = "17",

doi = "10.1109/SP.2015.38",

language = "English (US)",

series = "Proceedings - IEEE Symposium on Security and Privacy",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "519--534",

booktitle = "Proceedings - 2015 IEEE Symposium on Security and Privacy, SP 2015",

address = "United States",

}

He, B, Rastogi, V, Cao, Y, Chen, Y, Venkatakrishnan, VN, Yang, R & Zhang, Z 2015, Vetting SSL usage in applications with SSLINT. in Proceedings - 2015 IEEE Symposium on Security and Privacy, SP 2015., 7163045, Proceedings - IEEE Symposium on Security and Privacy, vol. 2015-July, Institute of Electrical and Electronics Engineers Inc., pp. 519-534, 36th IEEE Symposium on Security and Privacy, SP 2015, San Jose, United States, 5/18/15. https://doi.org/10.1109/SP.2015.38

Vetting SSL usage in applications with SSLINT. / He, Boyuan; Rastogi, Vaibhav; Cao, Yinzhi; Chen, Yan; Venkatakrishnan, V. N.; Yang, Runqing; Zhang, Zhenrui.

Proceedings - 2015 IEEE Symposium on Security and Privacy, SP 2015. Institute of Electrical and Electronics Engineers Inc., 2015. p. 519-534 7163045 (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2015-July).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Vetting SSL usage in applications with SSLINT

AU - He, Boyuan

AU - Rastogi, Vaibhav

AU - Cao, Yinzhi

AU - Chen, Yan

AU - Venkatakrishnan, V. N.

AU - Yang, Runqing

AU - Zhang, Zhenrui

PY - 2015/7/17

Y1 - 2015/7/17

N2 - Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols have become the security backbone of the Web and Internet today. Many systems including mobile and desktop applications are protected by SSL/TLS protocols against network attacks. However, many vulnerabilities caused by incorrect use of SSL/TLS APIs have been uncovered in recent years. Such vulnerabilities, many of which are caused due to poor API design and inexperience of application developers, often lead to confidential data leakage or man-in-the-middle attacks. In this paper, to guarantee code quality and logic correctness of SSL/TLS applications, we design and implement SSLINT, a scalable, automated, static analysis system for detecting incorrect use of SSL/TLS APIs. SSLINT is capable of performing automatic logic verification with high efficiency and good accuracy. To demonstrate it, we apply SSLINT to one of the most popular Linux distributions - Ubuntu. We find 27 previously unknown SSL/TLS vulnerabilities in Ubuntu applications, most of which are also distributed with other Linux distributions.

AB - Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols have become the security backbone of the Web and Internet today. Many systems including mobile and desktop applications are protected by SSL/TLS protocols against network attacks. However, many vulnerabilities caused by incorrect use of SSL/TLS APIs have been uncovered in recent years. Such vulnerabilities, many of which are caused due to poor API design and inexperience of application developers, often lead to confidential data leakage or man-in-the-middle attacks. In this paper, to guarantee code quality and logic correctness of SSL/TLS applications, we design and implement SSLINT, a scalable, automated, static analysis system for detecting incorrect use of SSL/TLS APIs. SSLINT is capable of performing automatic logic verification with high efficiency and good accuracy. To demonstrate it, we apply SSLINT to one of the most popular Linux distributions - Ubuntu. We find 27 previously unknown SSL/TLS vulnerabilities in Ubuntu applications, most of which are also distributed with other Linux distributions.

UR - http://www.scopus.com/inward/record.url?scp=84945185076&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84945185076&partnerID=8YFLogxK

U2 - 10.1109/SP.2015.38

DO - 10.1109/SP.2015.38

M3 - Conference contribution

AN - SCOPUS:84945185076

T3 - Proceedings - IEEE Symposium on Security and Privacy

SP - 519

EP - 534

BT - Proceedings - 2015 IEEE Symposium on Security and Privacy, SP 2015

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 36th IEEE Symposium on Security and Privacy, SP 2015

Y2 - 18 May 2015 through 20 May 2015

ER -