TLSAssistant is a fully-featured tool that combines state-of-the-art TLS analyzers with a report system that suggests appropriate mitigations and shows the full set of viable attacks. It is open-source, released under Apache-2.0 license and and you can contribute by visiting the project’s repository.
TLSAssistant is written in Bash and can thus be invoked via command-line. Among the available parameters, the tool takes as input the target to be evaluated (e.g., the IP address of a server) and outputs a single report file. The content of the report depends on the detected weaknesses and on the level of verbosity the user chose. Being built on top of other works, our TLSAssistant has been designed to be modular and easily upgradable. The image above shows the current architecture with its two main components: Analyzer and Evaluator.
It takes as input a series of options depending on which analysis the user wants to run. By design, our tool has a flexible architecture that allows a continuous integration of newer and more sophisticated tools. Currently, the set of integrated tools consists of command-line scripts written either in Bash or Python.
TLSAssistant currently integrates five tools that provide state-of-the-art analysis:
- HTTP/HSTS checker is the first module built in house, it contains a set of simple commands that can detect lack of proper HSTS configuration and other minor checks.
It is the core of TLSAssistant and constitutes our main contribution. It is responsible for the enumeration of the detected vulnerabilities and the generation of the report that will guide the system administrator towards all the mitigations to be applied. It can be seen as the combination of two submodules:
Vulnerability enumerator collects and analyzes the reports generated by the Analyzer. By parsing the inputs, this module is able to compile a list containing all the discovered vulnerabilities. The mapping between reports’ content and enumeration is based on the attack trees’ prerequisites collection.
Report handler takes the vulnerability list and, in accordance with the system administrator’s choice, renders the final output. TLSAssistant is currently able to generate reports by combining the content of two modules: Mitigations and Graphic. The former consists of a shared database containing a list of all the known TLS vulnerabilities with their descriptions, CVE ID, CVSS score and related fixes while the latter contains a set of modeled attack trees written in the graph description language DOT. The Report Handler currently offers four kinds of report, each version provides the content of the previous one and adds more technical details. For every detected weakness, the main information contained in each version of the report is the following:
- v0 mitigations’ description. It is the most basic form of report, it contains a description of the vulnerability (along with its CVE and CVSS values) and a brief explanation of the actions to perform;
- v1 code snippet. It provides a fragment of code that can be copy-pasted into the webserver’s configuration to seamlessly fix the weakness. TLSAssistant can detect any webserver but is currently only able to provide snippets for Apache and nginx HTTP server. We plan to extend the code coverage to all the most common webservers available on the market. Together with the snippet, the report will provide a set of steps on how to find the correct file/line to edit;
- v2 tools’ individual reports. In addition to our detailed contribution, this kind of report also provides the full set of individual reports generated by each tool;
- v3 highlighted attack trees. It is the most complete version of the report that TLSAssistant offers to date. By automatically highlighting the exploitable components and compiling the DOT sources, the custom generated trees graphically show the attacks that can be mounted on the target system.
Thanks to the integrated analyzers, TLSAssistant is currently able to detect the following set of vulnerabilities:
- Bar Mitzvah
- Client-Initiated Renegotiation DoS
- HSTS not preloaded
- HSTS not set
- HTTPS not enforced
- Missing Certificate Transparency
- Unsecure Android TrustManagers
- Weak Algorithms
- Certificate or KeyStore Disclosure
- WebViews Ignoring SSL Errors
- Accepting ALL SSL Certificates
For each one of them, TLSAssistant is able to suggest an appropriate mitigation to easily fix the misconfiguration. These mitigations have been collected by fetching information from both scientific literature and each vendor’s technical documentation.
TLSAssistant is able to graphically represent the analysis result using a set of custom attack trees. Each tree consists of:
- A goal (root). indicating which security property would be broken;
- Protocol/infrastructure subgoals. displaying which protocol or infrastructure can be exploited in order to achieve the root goal;
- Technique subgoals. showing the technique an attacker has to use in order to exploit the aforementioned protocol;
- Attacks (leaves). is divided into boxes. The first one lists the prerequisites an attacker needs, the second one describes the steps needed to exploit the vulnerability and, if needed, a third one shows how the attack is concluded.
The following image shows a simplified version of the output
TLSAssistant is able to export the analysis result in STIX, a language used to share cyber threat intelligence (CTI) that can be represented with objects and their descriptive relationships. After every scan and for each discovered vulnerability, TLSAssistant generates a STIX bundle (JSON file) containing the following objects:
- course of action;
- observed data;
The following image shows an example for the Bar Mitzvah attack
Salvatore Manfredi, Silvio Ranise and Giada Sciarretta
TLSAssistant: uno strumento per mitigare i problemi di sicurezza di TLS
In: ICT Security Magazine (URL, news)
Salvatore Manfredi, Silvio Ranise and Giada Sciarretta
Lost in TLS? No More! Assisted Deployment of Secure TLS Configurations
In: Proceedings of the 33rd Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec 2019), vol. 11559, pp. 201-220 (DOI, news)