TLS clients testing

The paper presents a model-based approach to conformance testing of TLS implementations. It discusses the formal model of TLS protocol, the structure of the test suite. JavaTesK tool, based on UniTESK technology, was used to develop the test suite. A set of fuzz operators was developed for general data types and included in the test suite. We applied the test suite to a several popular implementations of TLS client, and present brief results. This approach has proved his efficiency, various errors and vulnerabilities had been found in all chosen TLS implementations.

testing, verification, formal methods, formal specifications, Model Based Testing, TLS, SSL, UniTESK, Fuzz Testing

1. Bourdonov I., Kossatchev A., Kuliamin V., and Petrenko A. UniTesK Test Suite Architecture. //Proceedings of FME 2002. LNCS 2391, pp. 77-88, Springer-Verlag, 2002

2. Nikeshin A.V., Pakulin N.V., Shnitman V.Z. Razrabotka testovogo nabora dlya verifikatsii realizatsiy protokola bezopasnosti TLS [Development of a test suite for the verification of implementations of the TLS security protocol], Trudyi Instituta sistemnogo programmirovaniya RAN [Proceedings of IPS RAS], 2012, Vol. 23, pp. 387–404 (in Russian).

3. Nikeshin A.V., Pakulin N.V., Shnitman V.Z. Avtomatizaciya testirovaniya sootvetstviya dla telecommunicacionnyh protocolov [Conformance testing automation for telecommunication protocols] // Trudyi Instituta sistemnogo programmirovaniya RAN [Proceedings of IPS RAS], 2014, Vol. 26 (Issue 1), pp. 109-148 (in Russian).

4. Nikeshin A.V., Pakulin N.V., Shnitman V.Z. Avtomatizacija testirovanija sootvetstvija realizacij standartu protocola bezopasnosti transportnogo urovnja TLS [Conformance testing automation for Transport Layer Security Protocol TLS], Naucno-tehnicheskie vedomosti SPbGPU. Informatika. Telekommunikacii. Upravlenie, Vol. 2(193)/2014, Pp. 180-188. ISSN 2304-9766 (in Russian).

5. OWASP Top Ten Project, https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

6. Dave Whitelegg “Scan your app to find and fix OWASP Top 10 2013 vulnerabilities”, http://www.ibm.com/developerworks/security/library/se-owasp-top10/

7. JavaTESK - http://www.unitesk.ru/content/category/5/25/60/

8. IETF RFC 5246, T. Dierks and E. Rescorla “The Transport Layer Security (TLS) Protocol Version 1.2”, August 2008.

9. IETF RFC 5746, E. Rescorla, M. Ray, S. Dispensa, N. Oskov “Transport Layer Security (TLS) Renegotiation Indication Extension”, February 2010.

10. JavaTM Secure Socket Extension (JSSE), http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html

11. OpenSSL Project, https://www.openssl.org/

12. Mozilla Firefox, https://www.mozilla.org/ru/

13. Opera, http://www.opera.com/ru/

14. SRWare Iron, http://www.srware.net/ru/software_srware_iron.php

15. Mozilla Thunderbird, https://www.mozilla.org/ru/

16. TheBat, https://www.ritlabs.com/ru/products/thebat/