Paper Info
Title
Server-side verification of client behavior in cryptographic protocols.
Abstract
Numerous exploits of client-server protocols and applications involve modifying clients to behave in ways that untampered clients would not, such as crafting malicious packets. In this paper, we demonstrate practical verification of a cryptographic protocol clientu0027s messaging behavior as being consistent with the client program it is believed to be running. Moreover, we accomplish this without modifying the client in any way, and without knowing all of the client-side inputs driving its behavior. Our toolchain for verifying a clientu0027s messages explores multiple candidate execution paths in the client concurrently, an innovation that we show is both specifically useful for cryptographic protocol clients and more generally useful for client applications of other types, as well. In addition, our toolchain includes a novel approach to symbolically executing the client software in multiple passes that defers expensive functions until their inputs can be inferred and concretized. We demonstrate client verification on OpenSSL to show that, e.g., Heartbleed exploits can be detected without Heartbleed-specific filtering and within seconds of the first malicious packet, and that verification of legitimate clients can keep pace with, e.g., Gmail workloads.
Year
Venue
Field
2016
arXiv: Cryptography and Security
Server-side,Heartbleed,Client,Cryptographic protocol,Computer security,Computer science,Network packet,Filter (signal processing),Exploit,Toolchain
DocType
Volume
Citations 
Journal
abs/1603.04085
1
PageRank 
References 
Authors
0.36
12
5
Name
Order
Citations
PageRank
Andrew Chi1102.38
Robert A. Cochran2131.31
Marie Nesfield310.36
Michael K. Reiter48695764.03
Cynthia Sturton5858.56