Coverage-directed Differential Testing of X.509 Certificate Validation in SSL/TLS Implementations

Published: 22 February 2023

Abstract

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are two secure protocols for creating secure connections over the Internet. X.509 certificate validation is important for security and needs to be performed before an SSL/TLS connection is established. Some advanced testing techniques, such as frankencert, have revealed, through randomly mutating Internet-accessible certificates, that there exist unexpected, sometimes critical, validation differences among different SSL/TLS implementations. Despite these efforts, X.509 certificate validation still needs to be thoroughly tested, as this work shows.
This article tackles this challenge by proposing transcert, a coverage-directed technique to much more effectively test real-world certificate validation code. Our core insight is to (1) leverage easily accessible Internet certificates as seed certificates and (2) use code coverage to direct certificate mutation toward generating a set of diverse certificates. The generated certificates are then used to reveal discrepancies, thus potential flaws, among different certificate validation implementations.
We implement transcert and evaluate it against frankencert, NEZHA, and RFCcert (three advanced fuzzing techniques) on five widely used SSL/TLS implementations. The evaluation results clearly show the strengths of transcert: During 10,000 iterations, transcert reveals 71 unique validation differences, 12×, 1.4×, and 7× as many as those revealed by frankencert, NEZHA, and RFCcert, respectively; it also supplements RFCcert in conformance testing of the SSL/TLS implementations against 120 validation rules, 85 of which are exclusively covered by transcert-generated certificates. We identify 17 root causes of validation differences, all of which have been confirmed and 11 of which have never been reported previously. The transcert-generated X.509 certificates also reveal that the primary goal of certificate chain validation is stated ambiguously in the widely adopted public key infrastructure standard RFC 5280.
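The sketch below is an added illustration of the general idea in the abstract (seed certificate, coverage-directed mutation, differential comparison); it is not transcert's algorithm or code, whose details this page does not give. The dictionary certificate model, the two toy validators, the branch labels, and the mutators are all constructed assumptions. Its point is that the `path_len` discrepancy is only reachable because the intermediate `is_ca` mutant is kept for exercising a new branch.

```python
NOW = 2024  # constructed "current year" for the toy validity check
# Constructed seed; a real tool would start from DER certificates collected online.
SEED = {"not_after": 2030, "is_ca": False, "path_len": None, "key_usage": ("digitalSignature",)}

def validator_a(cert, cov):
    """Toy implementation A: enforces the keyCertSign/cA rule, ignores pathLen."""
    if cert["not_after"] < NOW:
        cov.add("A:expired"); return False
    if "keyCertSign" in cert["key_usage"] and not cert["is_ca"]:
        cov.add("A:certsign_without_ca"); return False
    cov.add("A:accept"); return True

def validator_b(cert, cov):
    """Toy implementation B: checks pathLen on CA certificates, ignores key usage."""
    if cert["not_after"] < NOW:
        cov.add("B:expired"); return False
    if cert["is_ca"]:
        cov.add("B:ca_branch")
        if cert["path_len"] is not None and cert["path_len"] < 0:
            cov.add("B:negative_path_len"); return False
    cov.add("B:accept"); return True

MUTATORS = [  # one field-level mutation each (hypothetical operators)
    lambda c: {**c, "not_after": 2000},
    lambda c: {**c, "key_usage": c["key_usage"] + ("keyCertSign",)},
    lambda c: {**c, "path_len": -1},
    lambda c: {**c, "is_ca": True},
]

def explore(seed, validators=(validator_a, validator_b), mutators=MUTATORS):
    """Keep only mutants that reach new branches; report verdict disagreements."""
    seen, corpus, queue, diffs = set(), [], [seed], {}
    while queue:
        cert = queue.pop(0)
        cov = set()  # branch labels hit by all validators on this certificate
        verdicts = tuple(v(cert, cov) for v in validators)
        if len(set(verdicts)) > 1:
            diffs.setdefault(frozenset(cov), cert)  # one witness per coverage signature
        if cov <= seen:
            continue  # nothing new exercised: drop the mutant
        seen |= cov
        corpus.append(cert)
        queue.extend(m(cert) for m in mutators)
    return corpus, diffs
```

Calling `explore(SEED)` returns the retained corpus and one witness certificate per distinct disagreement; setting `path_len` to -1 directly on the non-CA seed reaches no new branch and is discarded.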


    Published In

    ACM Transactions on Software Engineering and Methodology, Volume 32, Issue 1
    January 2023
    954 pages
    ISSN: 1049-331X
    EISSN: 1557-7392
    DOI: 10.1145/3572890
    Editor: Mauro Pezzè

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 22 February 2023
    Online AM: 19 April 2022
    Accepted: 03 January 2022
    Revised: 26 November 2021
    Received: 23 January 2021
    Published in TOSEM Volume 32, Issue 1

    Author Tags

    1. Coverage transfer graph
    2. differential testing
    3. certification mutation
    4. certificate validation

    Qualifiers

    • Research-article

    Funding Sources

    • National Natural Science Foundation of China
    • Alibaba Group through Alibaba Innovative Research (AIR) programme
    • CCF-Huawei Innovative Research programme

    Article Metrics

    • Total Citations: 0
    • Total Downloads: 722
    • Downloads (Last 12 months): 337
    • Downloads (Last 6 weeks): 25
    Reflects downloads up to 22 Sep 2024