國立虎尾科技大學 |

Measurement Techniques to Understand How Diversity in TLS Implementations & Deployments Influences Protocol Security.

紀錄類型:	書目-語言資料,手稿 : Monograph/item
正題名/作者:	Measurement Techniques to Understand How Diversity in TLS Implementations & Deployments Influences Protocol Security./
作者:	Paracha, Muhammad Talha.
面頁冊數:	1 online resource (103 pages)
附註:	Source: Dissertations Abstracts International, Volume: 85-06, Section: B.
Contained By:	Dissertations Abstracts International85-06B.
標題:	Computer science. -
電子資源:	click for full text (PQDT)
ISBN:	9798381091274

Measurement Techniques to Understand How Diversity in TLS Implementations & Deployments Influences Protocol Security.
Paracha, Muhammad Talha.

Measurement Techniques to Understand How Diversity in TLS Implementations & Deployments Influences Protocol Security. - 1 online resource (103 pages)

Source: Dissertations Abstracts International, Volume: 85-06, Section: B.

Thesis (Ph.D.)--Northeastern University, 2023.

Includes bibliographical references

TLS is a fundamental and widely-used network security protocol. On one hand, the protocol has undergone rigorous development over the past 25 years and offers sophisticated theoretical guarantees. At the same time, its adoption has grown from traditional computers to handheld devices and IoT ones, with these settings presenting varying constraints and caveats. As a consequence, a large number of TLS implementations and deployments exist and cater to different needs. Unfortunately, this results in a gap between what the protocol offers in theory vs how it works in practice; the diversity in the ecosystem not only increases the probability of a mistake during protocol development and use, but also leads to customizations with unexpected side effects.The thesis of this dissertation is that the rich diversity in TLS implementations & deployments introduces opportunities to harm protocol security, and that the harms can be identified (and mitigated) using rigorous measurement techniques.My work sheds light on previously unexplored aspects of TLS deployment in three different settings; web, mobile and IoT devices. More specifically, I (a) study web content availability and consistency over HTTP/S to better understand the obstacles to a TLS-by-default web, (b) conduct longitudinal experiments on a large number of consumer IoT devices to evaluate TLS effectiveness in that setting, and (c) revisit certificate pinning policies in mobile applications to examine implementations with advanced network security techniques that go beyond what the protocol offers.In addition to exploring diversity in deployments, my work leverages the diversity in TLS implementations alongside recent advances in generative language models to automate bug discovery. More specifically, I present a novel approach of generating synthetic TLS certificates using language models that reveal a wide range of previously unobserved and interesting implementation differences with security implications.My work has led to vulnerability disclosures, a security feature at a major CDN provider, a presentation at an IRTF body to inform protocol engineering, and novel auditing techniques that enable greater transparency about real-world protocol effectiveness. I believe the insights from my work can assist in better modeling of software security beyond TLS, the techniques proposed push state-of-the-art for network measurement, and the use of language models to generate synthetic test cases can prove valuable in domains where software inputs can be expressed in natural language.

Electronic reproduction.
Ann Arbor, Mich. :
ProQuest,
2024

Mode of access: World Wide Web

ISBN: 9798381091274Subjects--Topical Terms:

573171
Computer science.
Subjects--Index Terms:

Network measurementIndex Terms--Genre/Form:

554714
Electronic books.

Measurement Techniques to Understand How Diversity in TLS Implementations & Deployments Influences Protocol Security.
LDR:03994ntm a22003977 4500 001 1143906
005 20240517105024.5
006 m o d
007 cr mn ---uuuuu
008 250605s2023 xx obm 000 0 eng d
020 $a 9798381091274
035 $a (MiAaPQ)AAI30814795
035 $a AAI30814795
040 $a MiAaPQ $b eng $c MiAaPQ $d NTU
100 1 $a Paracha, Muhammad Talha. $3 1468716
245 1 0 $a Measurement Techniques to Understand How Diversity in TLS Implementations & Deployments Influences Protocol Security.
264 0 $c 2023
300 $a 1 online resource (103 pages)
336 $a text $b txt $2 rdacontent
337 $a computer $b c $2 rdamedia
338 $a online resource $b cr $2 rdacarrier
500 $a Source: Dissertations Abstracts International, Volume: 85-06, Section: B.
500 $a Advisor: Choffnes, David.
502 $a Thesis (Ph.D.)--Northeastern University, 2023.
504 $a Includes bibliographical references
520 $a TLS is a fundamental and widely-used network security protocol. On one hand, the protocol has undergone rigorous development over the past 25 years and offers sophisticated theoretical guarantees. At the same time, its adoption has grown from traditional computers to handheld devices and IoT ones, with these settings presenting varying constraints and caveats. As a consequence, a large number of TLS implementations and deployments exist and cater to different needs. Unfortunately, this results in a gap between what the protocol offers in theory vs how it works in practice; the diversity in the ecosystem not only increases the probability of a mistake during protocol development and use, but also leads to customizations with unexpected side effects.The thesis of this dissertation is that the rich diversity in TLS implementations & deployments introduces opportunities to harm protocol security, and that the harms can be identified (and mitigated) using rigorous measurement techniques.My work sheds light on previously unexplored aspects of TLS deployment in three different settings; web, mobile and IoT devices. More specifically, I (a) study web content availability and consistency over HTTP/S to better understand the obstacles to a TLS-by-default web, (b) conduct longitudinal experiments on a large number of consumer IoT devices to evaluate TLS effectiveness in that setting, and (c) revisit certificate pinning policies in mobile applications to examine implementations with advanced network security techniques that go beyond what the protocol offers.In addition to exploring diversity in deployments, my work leverages the diversity in TLS implementations alongside recent advances in generative language models to automate bug discovery. More specifically, I present a novel approach of generating synthetic TLS certificates using language models that reveal a wide range of previously unobserved and interesting implementation differences with security implications.My work has led to vulnerability disclosures, a security feature at a major CDN provider, a presentation at an IRTF body to inform protocol engineering, and novel auditing techniques that enable greater transparency about real-world protocol effectiveness. I believe the insights from my work can assist in better modeling of software security beyond TLS, the techniques proposed push state-of-the-art for network measurement, and the use of language models to generate synthetic test cases can prove valuable in domains where software inputs can be expressed in natural language.
533 $a Electronic reproduction. $b Ann Arbor, Mich. : $c ProQuest, $d 2024
538 $a Mode of access: World Wide Web
650 4 $a Computer science. $3 573171
650 4 $a Computer engineering. $3 569006
650 4 $a Information technology. $3 559429
653 $a Network measurement
653 $a Network security
653 $a Protocol security
653 $a TLS deployments
653 $a TLS implementations
655 7 $a Electronic books. $2 local $3 554714
690 $a 0984
690 $a 0489
690 $a 0464
710 2 $a ProQuest Information and Learning Co. $3 1178819
710 2 $a Northeastern University. $b Computer Science. $3 1464678
773 0 $t Dissertations Abstracts International $g 85-06B.
856 4 0 $u http://pqdd.sinica.edu.tw/twdaoapp/servlet/advanced?query=30814795 $z click for full text (PQDT)