Visible to the public TWC: Small: Collaborative: Automated Detection and Repair of Error Handling Bugs in SSL/TLS ImplementationsConflict Detection Enabled

Project Details

Lead PI

Performance Period

Sep 01, 2016 - Aug 31, 2019


Columbia University

Award Number

Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocols are critical to internet security. However, the software that implements SSL/TLS protocols is especially vulnerable to security flaws and the consequences can be disastrous. A large number of security flaws in SSL/TLS implementations (such as man-in-the-middle attacks, denial-of-service attacks, and buffer overflow attacks) result from incorrect error handling. These errors are often hard to detect and localize using existing techniques because many of them do not display any obvious erroneous behaviors (e.g., crash, assertion failure, etc.) but they cause subtle inaccuracies that completely violate the security and privacy guarantees of SSL/TLS. This project aims to improve error handling mechanisms in SSL/TLS implementations by building novel tools that reduce developer effort in writing and maintaining correct error handling code while making SSL/TLS implementations more secure and robust.

This project develops a framework for improving the robustness of error handling code in SSL/TLS implementations. The framework has three main objectives. First, error specifications for different SSL/TLS functions are automatically inferred to learn how they communicate the failures. Next, the inferred specifications are used to build a tool for automatically detecting error handling bugs. Finally, the framework also provides new program repair tools that can automatically fix the detected bugs. Therefore, the framework provides end-to-end assistance in maintaining error-handling code in SSL/TLS implementations and thus significantly improves internet security.