Abstract:
Developing a Transport Layer Security (TLS) library is a complicated and ongoing process. Different standards and attacks lead to many requirements for a TLS library. When adding new features or restructuring the library code, the developers must be aware of all these requirements. For each code change, there is a chance that the change conflicts with a requirement and leads to the introduction of a new flaw or vulnerability in the TLS library.
In this thesis, we propose a service, called TLS-Pipeline, that focuses on finding already known flaws and vulnerabilities in TLS libraries. It automatically performs regression tests on the newest TLS library version with the TLS-Scanner, TLS-StateVulnFinder, and TLS-Anvil. The service sends notifications about any test cases whose results differ from those of the latest tested version. This makes it possible to observe introduced flaws and vulnerabilities along with security improvements. The TLS-Pipeline is built to be extensible so that further test tools can be added in the future.
During this work, we performed a seven-week evaluation where we observed six TLS libraries for changes on their main branches and in the tagged versions. Overall, we were able to observe mainly positive trends in the TLS libraries. During the evaluation, we observed three cases where TLS libraries became more standard-compliant and one case where an insecure cipher suite was removed. Despite the positive trend, we detected a newly introduced bug in LibreSSL. The bug discovery shows that our proposed method is capable of finding newly added flaws and vulnerabilities.