In:
ACM Transactions on Software Engineering and Methodology, Association for Computing Machinery (ACM), Vol. 28, No. 4 ( 2019-10-31), p. 1-37
Abstract:
Certificate validation in Secure Sockets Layer or Transport Layer Security protocol (SSL/TLS) is critical to Internet security. Thus, it is significant to check whether certificate validation in SSL/TLS implementations is correctly implemented. With this motivation, we propose a novel differential testing approach that is based on the standard Request for Comments (RFC). First, rules of certificates are extracted automatically from RFCs. Second, low-level test cases are generated through dynamic symbolic execution. Third, high-level test cases, i.e., certificates, are assembled automatically. Finally, with the assembled certificates being test cases, certificate validations in SSL/TLS implementations are tested to reveal latent vulnerabilities or bugs. Our approach named RFCcert has the following advantages: (1) certificates of RFCcert are discrepancy-targeted, since they are assembled according to standards instead of genetics; (2) with the obtained certificates, RFCcert not only reveals the invalidity of traditional differential testing but also is able to conduct testing that traditional differential testing cannot do; and (3) the supporting tool of RFCcert has been implemented and extensive experiments show that the approach is effective in finding bugs of SSL/TLS implementations. In addition, by providing seed certificates for mutation approaches with RFCcert, the ability of mutation approaches in finding distinct discrepancies is significantly enhanced.
Type of Medium:
Online Resource
ISSN:
1049-331X
,
1557-7392
Language:
English
Publisher:
Association for Computing Machinery (ACM)
Publication Date:
2019
detail.hit.zdb_id:
2006459-7
Permalink