Automated Attack Trees for TLS Vulnerabilities: Improving Cryptosense Discovery

Cryptosense
November 8, 2019

What's new?

Cryptosense Discovery is our free tool to test a host’s usage of cryptography for common configuration mistakes and vulnerabilities. Discovery's new version discovers more hosts and more vulnerabilities, and improves the visual representation of attacks. We achieve this by using a well-known visualization method called attack trees. Attack trees do not simply report scores: they explain why a host is vulnerable and what the user must fix first. This greatly eases the hard job of correctly configuring TLS servers -- especially at scale, when prioritizing tasks is not always trivial.

A broader attack surface

The complex structure of the modern web has led to the success of attacks such as DROWN and ROBOT. These attacks rely on bugs and misconfigurations of web servers and allow attackers to decrypt HTTPS traffic and even impersonate trusted entities. Modern websites often have many dependencies and related hosts, so these attacks can have serious consequences. For instance, a perfectly configured host may be compromisable because of a vulnerable host that shares some information with it. Discovery's new version checks for these subtle vulnerable relationships by making inferences on information from many different hosts.

Discovering and testing more hosts

Finding a greater number of related hosts allows us to analyze previously unexplored areas of the main host's attack surface. Whenever a website includes elements from external sources, it exposes itself to possible vulnerabilities present on these hosts. For instance, if the main host and a host vulnerable to DROWN share the same certificate, the main host would be exploitable because of the vulnerable one. It is thus fundamental to not only check single hosts, but also the many interconnections between them.

Visual representation of a website and its dependencies

A modern website imports images, scripts, etc. from many different sources. The striped ones are vulnerable and therefore the communication between them and the main host could be compromised. Image taken from this paper, which inspired all of this work.

Understanding and visualizing attacks

To better understand complex attacks we implemented a well-known visualization technique called attack trees. Attack trees combine information on hosts to form intuitive, high-level representations of complex attacks.

"Learn Master Secret by decrypting RSA key exchange" attack tree

A successful attack tree. An attacker is able to learn the Master Secret by exploiting an RSA decryption oracle.

Attack trees break known attacks down into simpler and simpler conditions regarding both the main host and its related ones. These conditions are easy to evaluate and understand: users can thus clearly see what they have to fix. This allows users to prioritize urgent fixes and to avoid the risk of being vulnerable because of some related host that does not appear in standard analysis tools.
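As an added illustration (not Cryptosense's code), the sketch below evaluates a simplified AND/OR tree for the "Learn Master Secret by decrypting RSA key exchange" goal and returns the satisfied leaf conditions, which are the items to fix. The tree shape, the fact names (`rsa_kex`, `rsa_oracle`, `cert`) and the `example.test` hosts are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    label: str
    op: str = "LEAF"                       # "AND", "OR" or "LEAF"
    children: list = field(default_factory=list)
    check: object = None                   # LEAF only: callable(facts) -> bool

def evaluate(node, facts):
    """Return (holds, leaves): the satisfied leaf labels that make the node hold."""
    if node.op == "LEAF":
        ok = bool(node.check(facts))
        return ok, ([node.label] if ok else [])
    results = [evaluate(child, facts) for child in node.children]
    holds = [r[0] for r in results]
    ok = all(holds) if node.op == "AND" else any(holds)
    leaves = [leaf for r in results if r[0] for leaf in r[1]] if ok else []
    return ok, leaves

def build_tree(main, facts):
    """Assumed, simplified tree: one branch per related host sharing the certificate."""
    def oracle(h):
        return Node(f"{h}: RSA decryption oracle", check=lambda f: f[h]["rsa_oracle"])
    def same_cert(h):
        return Node(f"{h}: same certificate as {main}",
                    check=lambda f: f[h]["cert"] == f[main]["cert"])
    via_related = [Node(f"Oracle reachable through {h}", "AND", [same_cert(h), oracle(h)])
                   for h in facts if h != main]
    return Node("Learn Master Secret by decrypting RSA key exchange", "AND", [
        Node(f"{main}: accepts RSA key exchange", check=lambda f: f[main]["rsa_kex"]),
        Node("RSA decryption oracle for the key", "OR", [oracle(main)] + via_related)])

# Constructed scan results: the main host is clean, a related host is not.
FACTS = {
    "www.example.test":  {"rsa_kex": True, "rsa_oracle": False, "cert": "cert-A"},
    "mail.example.test": {"rsa_kex": True, "rsa_oracle": True,  "cert": "cert-A"},
    "cdn.example.test":  {"rsa_kex": True, "rsa_oracle": True,  "cert": "cert-B"},
}

if __name__ == "__main__":
    ok, leaves = evaluate(build_tree("www.example.test", FACTS), FACTS)
    print("goal reachable:", ok)
    for leaf in leaves:
        print("  fix:", leaf)
```

The vulnerable `cdn.example.test` does not appear in the result because it uses a different certificate, while `mail.example.test` makes the otherwise clean main host exploitable.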

Try it

Why not try it on your domain?