2015 IEEE Symposium on Security and Privacy (SP) (2015)
San Jose, CA, USA
May 17, 2015 to May 21, 2015
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/SP.2015.38
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols have become the security backbone of the Web and Internet today. Many systems including mobile and desktop applications are protected by SSL/TLS protocols against network attacks. However, many vulnerabilities caused by incorrect use of SSL/TLS APIs have been uncovered in recent years. Such vulnerabilities, many of which are caused due to poor API design and inexperience of application developers, often lead to confidential data leakage or man-in-the-middle attacks. In this paper, to guarantee code quality and logic correctness of SSL/TLS applications, we design and implement SSLINT, a scalable, automated, static analysis system for detecting incorrect use of SSL/TLS APIs. SSLINT is capable of performing automatic logic verification with high efficiency and good accuracy. To demonstrate it, we apply SSLINT to one of the most popular Linux distributions -- Ubuntu. We find 27 previously unknown SSL/TLS vulnerabilities in Ubuntu applications, most of which are also distributed with other Linux distributions.
application program interfaces, formal verification, Linux, program diagnostics, protocols, security of data
B. He et al., "Vetting SSL Usage in Applications with SSLINT," 2015 IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA, 2015, pp. 519-534.