Browse > Article

Attacking OpenSSL Shared Library Using Code Injection  

Ahn, Woo-Hyun (광운대학교 컴퓨터소프트웨어학과)
Kim, Hyung-Su (지앤비영어전문교육 소프트웨어팀)
Publication Information
Journal of KIISE:Computer Systems and Theory / v.37, no.4, 2010 , pp. 226-238 More about this Journal
Abstract
OpenSSL is an open-source library implementing SSL that is a secure communication protocol. However, the library has a severe vulnerability that its security information can be easily exposed to malicious software when the library is used in a form of shared library on Linux and UNIX operating systems. We propose a scheme to attack the vulnerability of the OpenSSL library. The scheme injects codes into a running client program to execute the following attacks on the vulnerability in a SSL handshake. First, when a client sends a server a list of cryptographic algorithms that the client is willing to support, our scheme replaces all algorithms in the list with a specific algorithm. Such a replacement causes the server to select the specific algorithm. Second, the scheme steals a key for data encryption and decryption when the key is generated. Then the key is sent to an outside attacker. After that, the outside attacker decrypts encrypted data that has been transmitted between the client and the server, using the specified algorithm and the key. To show that our scheme is realizable, we perform an experiment of collecting encrypted login data that an ftp client using the OpenSSL shared library sends its server and then decrypting the login data.
Keywords
system security; Secure Socket Layer; OpenSSL; shared library; code injection;
Citations & Related Records
연도 인용수 순위
  • Reference
1 StackShield home page. Website: http://www.angelfire.com/sk/stackshield.
2 S. Cesare, "Shared Library Call Redirection via ELF PLT Infection," Phrack Magazine, vol.0x0a, no.0x38, May 2000.
3 A. Chuvakin, "An Overview of UNIX Rootkits," iALERT White Paper, iDefense Labs, http://www.megasecurity.org/papers/Rootkits.pdf, February 2003.
4 Plaguez, "Weakening the Linux Kernel," Phrack Magazine, vol.8, no.52, January 1998.
5 K. Jones, "Loadable Kernel Modules," USENIX login: Magazine, http://www.usenix.org/publications/login/2001-11/pdfs/jones2.pdf, November 2001.
6 Sd and Devik, "'Linux On-The-Fly Kernel Patching without LKM," Phrack Magazine, vol.0x0b, no.0x3a, December 2001.
7 Linux malware: an incident and some solutions. Web site: https://lwn.net/Articles/367874.
8 Badbunny (computer worm). Web site: http://en.wikipedia.org/wiki/Badbunny.
9 klamav anti-virus home page. Web Site: http://klamav.sourceforge.net/klamavwiki/index.php/Main_Page.
10 P. Kocher, "Timing Attacks on Implementations of Diffie-hellman, RSA, DSS, and Other Systems," Advances in Cryptology, pp.104-113, 1996.
11 Debian OpenSSL Predictable PRNG Toys. Web Site: http://metasploit.com/users/hdm/tools/debian-openssl.
12 C. Cowan, C. Pu, D. Maier, H. Hinton, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang, "StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks," In Proc. of the 7th USENIX Security Conference, pp.63-78, January 1998.
13 L. Dorrendorf, Z. Gutterman, and B. Pinkas, "Cryptanalysis of the random number generator of the Windows operating system," ACM Transactions on Information and System Security, vol.13, no.1, pp.1-32, 2009.
14 Fedora home page. Web Site: http://fedoraproject.org.
15 lftp program home page. Web Site: http://lftp.yar.ru or http://en.wikipedia.org/wiki/Lftp
16 J. R. Levine, Linkers and Loaders, Morgan Kaufmann, 2000.
17 S. A. Thomas, SSL and TLS Essentials: Securing the Web, John Wiley & Sons, 2000.
18 A. Baliga, P. Kamat, and L. Iftode, "Lurking in the Shadows: Identifying Systemic Threats to Kernel Data," In Proc. of the 2007 IEEE Symposium on Security and Privacy, pp.246-251, May 2007.
19 B. Jeffrey, R. O'Hare, A. Baliga, Arati, V. Ganapathy, and L. Iftode, "Rootkits on smart phones: attacks, implications and opportunities," In Proc. of the 11th ACM HotMobile, pp.49-54, February 2010.
20 Ninja-Privilege escalation detection system for GNU/Linux, http://www.ubuntugeek.com/ninja-privilege-escalation-detection-system-for-gnulinux.html.
21 wireshark program home page. Web Site: http://www.wireshark.org.
22 P. Padala, "Playing with ptrace, Part III," Linux Journal, vol.2002 no.104, p.5, December 2002.
23 G. Hoglund and J. Butler, Rootkits: Subverting the Windows Kernel, Addison-Wesley, 2005.
24 vsftpd program home page. Web Site: http://vsftpd.beasts.org.
25 ssldump program home page. Web Site: http://www.rtfm.com/ssldump.
26 avast anti-virus home page. Web Site: http://www.avast.com/eng/avast-for-linux-work station.html
27 R. Love, Linux Kernel Development, 2nd Ed., Novell, 2005.
28 G. Altekar, I. Bagrak, P. Burstein, and A. Schultz. "OPUS: Online Patches and Updates for Security," In Proc. of the 14th USENIX Security Symposium, pp.287-302, August 2005.
29 J. Xu, P. Ning, C. Kil, Y. Zhai, and C. Bookholt, "Automatic Diagnosis and Response to Memory Corruption Vulnerabilities," In Proc. of the 12th ACM Conference on Computer and Communications Security, pp.223-234, October 2007.
30 "Runtime Process Infection," Phrack Magazine, vol.0x0b, no.0x3b, July 2002.
31 Cert Vulnerability Note VU#102795, "OpenSSL Servers Contain a Buffer Overflow during the SSL2 Handshake Process," http://www.kb.cert.org/vuls/id/102795.
32 Cert Vulnerability Note VU#561275, "OpenSSL Servers Contain a Remotely Exploitable Buffer Overflow Vulnerability during the SSL3 Handshake Process, http://www.kb.cert.org/vuls/id/561275.
33 ptrace(2) - Linux man page. Web site: http://linux.die.net/man/2/ptrace.
34 A. Pellegrini, V. Bertacco, and T. Austin, "Fault- Based Attack of RSA Authentication," In Proc. of the Conference on Design Automation and Test in Europe (DATE), March 2010.
35 OpenSSL: The Open Source Toolkit for SSL/TLS. Web Site: http://www.openssl.org.
36 R. Rivest, A. Shamir, and L. Adleman, "A Method for Obtaining Digital Signatures and Public-key Cryptosystems," Communications of the ACM, vol.21, pp.120-126, February 1978.   DOI   ScienceOn
37 D. Brumley and D. Boneh, "Remote Timing Attacks are Practical," In Proc. of the 12th USENIX Security Symposium, pp.1-14, August 2003.
38 N. P. Smith, "Stack Smashing Vulnerabilities in the UNIX Operating System," http://destroy.net/machines/security/nate-buffer.pdf, 1997.