Analysis of DTLS Implementations Using Protocol State Fuzzing
- Fiterau-Brostean, Paul (author); Uppsala universitet, Datorteknik
- Jonsson, Bengt, 1957- (author); Uppsala universitet, Datorteknik, Datalogi, Avdelningen för datorteknik
- Merget, Robert (author); Ruhr-University Bochum
- de Ruiter, Joeri (author); SIDN Labs
- Sagonas, Konstantinos (author); Uppsala universitet, Datalogi
- Somorovsky, Juraj (author); Paderborn University
- 2020
- English.
In: Proceedings of the 29th USENIX Security Symposium. - 9781939133175 ; pp. 2523-2540
- Related links:
- https://www.usenix.o...
- https://uu.diva-port... (primary) (Raw object)
- https://urn.kb.se/re...
Abstract
Recent years have witnessed an increasing number of protocols relying on UDP. Compared to TCP, UDP offers performance advantages such as simplicity and lower latency. This has motivated its adoption in Voice over IP, tunneling technologies, IoT, and novel Web protocols. To protect sensitive data exchange in these scenarios, the DTLS protocol has been developed as a cryptographic variation of TLS. DTLS’s main challenge is to support the stateless and unreliable transport of UDP. This has forced protocol designers to make choices that affect the complexity of DTLS, and to incorporate features that need not be addressed in the numerous TLS analyses.

We present the first comprehensive analysis of DTLS implementations using protocol state fuzzing. To that end, we extend TLS-Attacker, an open source framework for analyzing TLS implementations, with support for DTLS tailored to the stateless and unreliable nature of the underlying UDP layer. We build a framework for applying protocol state fuzzing on DTLS servers, and use it to learn state machine models for thirteen DTLS implementations. Analysis of the learned state models reveals four serious security vulnerabilities, including a full client authentication bypass in the latest JSSE version, as well as several functional bugs and non-conformance issues. It also uncovers considerable differences between the models, confirming the complexity of DTLS state machines.
Subject headings
- ENGINEERING AND TECHNOLOGY -- Electrical Engineering, Electronic Engineering, Information Engineering -- Computer Systems (hsv//eng)
Keywords
- software testing
- automata learning
- network security
- Computer Science
Publication and content type
- ref (subject category)
- kon (subject category)