The Department of Pervasive Computing was present at Tekniikanpäivät science fair with a security demo. The demo’s title was Bug Attacks. As with good jokes, also good security demos need only little or no explaining. But in case questions would arise anyway, Antti, Billy-Bob and Joona were standing at the demo desk in order to discuss the demo with the audience.
What are Bug Attacks?
Bug attacks are possible when an implementation fault manifests itself to outside world as unexpected behavior depending on the secret key and variable input. The attack is typically more effective when the variable input can be chosen by the attacker. In addition, the chance of the bug affecting output randomly should be relatively low.
To demo the Bug Attack, we took the code from the published attack and setup two Ubuntu workstations connected via ethernet, one to act as a TLS Client (attacker) and the other as a TLS Server (victim). The Server runs stunnel, TLS wrapping a server-side network application using a fixed key pair. The attacker steals (part of) the Server’s private key by:
- Iteratively initiating TLS handshakes.
- Adaptively choosing different clever public keys.
- Observing whether or not the TLS handshake fails.
The demo showed these repeated handshakes from both the Client and Server perspective, then finally comparing the Client’s guess at (part of) the private key to the Server’s actual private key.
Although the attack seems simple when looking at the presentation, Billy-Bob says that it originally took over a year to design. “For a long time it was not known how to exactly exploit this implementation fault.” In the end computing an attack tree consisting of fault triggering elliptic curve points was selected as the attack method. “The specific attack was the result of multiple people collaborating in different universities, and a lot of university computing resources were used to prepare the attack.” Indeed, as the figure below shows, a lot of work is needed to find a public key that triggers the implementation fault for a certain digit in the victim’s private key.
How the demo was received?
Even though the exact subject matter was challenging, the high level concept was understood by the audience. “People kind of understood it straight away from the name,” says Antti. Due to lack of a appropriate car analogy, Joona was comparing bug attacks to a faulty safe deposit box. ”Conceptually it resembles the way that a faulty safe gives away the combination number by number.” “As the attack code was run one step at a time, the demo showed the audience, how to iteratively figure out pieces of the puzzle,” says Antti. Unexpectedly, a few viewers asked whether we felt this particular OpenSSL bug was intentional — while the answer is subjective, the commit logs suggest the root cause is aggressive optimization.
The general message of the demo is that bugs in security related functions need to be taken seriously. Effort needs to be taken in fixing and finding such bugs across different platform specific optimizations. Antti thinks that “the audience was also relieved to know that the fault behind the attack has finally been fixed.” If public attacks like this would not exist, who knows if such attacks would still be exploitable in the wild?