Paul Fiterau-Brostean (Uppsala University, Sweden), Bengt Jonsson (Uppsala University, Sweden), Konstantinos Sagonas (Uppsala University, Sweden and National Technical University of Athens, Greece), Fredrik Tåquist (Uppsala University, Sweden)

Implementations of stateful security protocols
must carefully manage the type and order of exchanged messages and cryptographic material,
by maintaining a state machine which keeps track of protocol progress.
Corresponding implementation flaws, called
emph{state machine bugs}, can constitute serious security vulnerabilities.
We present an automated black-box technique for detecting state machine bugs in implementations of stateful network protocols.
It takes as input a catalogue of state machine bugs for the protocol, each specified as a finite automaton which accepts
sequences of messages that exhibit the bug, and a (possibly inaccurate) model of the implementation under test,
typically obtained by model learning.
Our technique constructs the set of sequences that (according to the model) can be performed by the implementation and
that (according to the automaton) expose the bug.
These sequences are then transformed to test cases on the actual implementation to find a witness for the bug or filter out false alarms.
We have applied our technique on three widely-used implementations of SSH servers and nine different DTLS server and client implementations, including their most recent versions.
Our technique easily reproduced all bugs identified by security researchers before,
and produced witnesses for them.
More importantly, it revealed several previously unknown bugs in the same implementations,
two new vulnerabilities, and a variety of new bugs and non-conformance issues
in newer versions of the same SSH and DTLS implementations.

View More Papers

Exploiting Transport Protocol Vulnerabilities in SAE J1939 Networks

Rik Chatterjee, Subhojeet Mukherjee, Jeremy Daily (Colorado State University)

Read More

How to Count Bots in Longitudinal Datasets of IP...

Leon Böck (Technische Universität Darmstadt), Dave Levin (University of Maryland), Ramakrishna Padmanabhan (CAIDA), Christian Doerr (Hasso Plattner Institute), Max Mühlhäuser...

Read More

CHKPLUG: Checking GDPR Compliance of WordPress Plugins via Cross-language...

Faysal Hossain Shezan (University of Virginia), Zihao Su (University of Virginia), Mingqing Kang (Johns Hopkins University), Nicholas Phair (University of...

Read More

DARWIN: Survival of the Fittest Fuzzing Mutators

Patrick Jauernig (Technical University of Darmstadt), Domagoj Jakobovic (University of Zagreb, Croatia), Stjepan Picek (Radboud University and TU Delft), Emmanuel...

Read More