| The importance of secure communication over the Internet cannot be overstated because of the implications it has for ensuring privacy and safety for users.Much research has been done in this field of study,leading to the creation of the Secure Socket Layer(SSL)protocol and its successor,the Transport Layer Security(TLS)protocol.These protocols serve as a guide for implementing secure connections across the web and as such,many libraries have been written to provide Application Programming Interfaces(API's)for their implementation.However,many security risks have arisen due to improper usage of these libraries mainly due to the wrong sequence of API calls steaming from the misunderstanding of proper usage.This problem is compounded by the fact that these libraries are sometimes hard to understand or lacking proper documentation and examples on proper usage.In some implementations of the SSL/TLS protocol,the sequence of API calls might differ because in most situations the use of API's is varied and proper usage can be arrived at by calling functions in different orders.This further adds to the level of complexity and increasing the chances of wrongful usage.Securing communication over the web is very important due to the nature of sensitive data that is shared online on a daily basis by end users who don't necessarily understand when they are vulnerable or not,so it falls on developers to ensure that applications written to communicate securely are correctly made.In this thesis,we present a method to detect proper API usage by defining them as usage patterns and testing them against proper implementation models.The purpose of which is to serve as a guideline for developers to help them determine where errors may exist in their code base.In this thesis,we propose a method for auditing applications to determine whether or not they follow the proper usage patterns outlines by the libraries developers by profiling the candidate application and comparing it directly with an extracted model of proper usage.We accomplish this by generating a callgraph from the application and analyzing the function call sequence to determine if it adheres to proper usage.In generating our model of proper usage,we first use a database of certificates which we generate through the help of frankencerts.By using both valid and invalid certificates,we can generate a generalized model of how the certificate validation process is carried out.We set our focus to the certificate chain validation in the protocol,but this does not limit the scope of our approach,because it is both library and language agnostic. |
PDF Full Text Request