Hello all,
I have just revised my draft which describes how to extend TLS with a
general purpose code execution feature.
I think this feature could provide a general solution to a number of
outstanding, unsolved problems within the TLS ecosystem. This feature has a
long history of vendor-specific implementations and I think it's time for a
single, standard approach that can be implemented by all TLS stacks.
Comments welcome!
Network Working Group Y. Crypto
Internet-Draft
Intended status: Informational N. Durov
Expires: October 3, 2017 April 1, 2017
The Transport Layer Security (TLS) Extension to Support Code Execution
draft-tls-yolo-rce
Abstract
The Transport Layer Security protocol (TLS) has had longstanding
problems with being difficult to extend and modify. Improvements to
TLS require painful deliberation on IETF mailing lists and carefully
crafted documents describing new versions of TLS and extensions to
TLS. This limits the agility of TLS to respond to a changing
security landscape with evolving threats.
To resolve these problems, we propose a generalized extension to TLS
for the execution of arbitrary code. We see great potential for
using this extension for adolescent mischief or potentially mining
next-generation cryptocurrencies. This specification defines a new
extension to the TLS handshake protocol to transmit arbitrary code
for execution on servers secured by TLS.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 3, 2017.
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
Crypto & Durov Expires October 3, 2017 [Page 1]
�
Internet-Draft TLS Server Code Exec Extension April 2017
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions Used in This Document . . . . . . . . . . . . . . 3
3. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1. Decryption by third parties . . . . . . . . . . . . . . . 3
3.2. Encrypted Server Name Indication . . . . . . . . . . . . 4
3.3. Defense against Related Key Attacks . . . . . . . . . . . 4
4. TLS Code Execution Extension . . . . . . . . . . . . . . . . 5
4.1. Extended Hello Extensions . . . . . . . . . . . . . . . . 5
4.2. Code Execution Extension . . . . . . . . . . . . . . . . 5
5. Packet Processing . . . . . . . . . . . . . . . . . . . . . . 5
6. Security Considerations . . . . . . . . . . . . . . . . . . . 7
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
8. Pedant Considerations . . . . . . . . . . . . . . . . . . . . 7
9. Normative References . . . . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7
1. Introduction
Historically arbitrary code execution has been a TLS feature. We can
look to the openssl-too-open extension to the Secure Sockets Layer
first introduced in 2002 as precedent, however more recently code
execution was provided via Microsoft's SChannel library as documented
in the [MS14-066] specification. Other vendors have implemented code
execution as an X.509 extension such as the [TALOS-2017-0296]
specification which augments standard X.509 name constraints with
code execution features.
With the rapid adoption of TLS-based applications and rich history of
vendor-specific code execution features implemented as library-
specific point-solutions, we feel the TLS ecosystem could benefit
from a standardized method for accepting a client-specified octet
string of otherwise unspecified architecture-specific native code.
This code will then be loaded into an executable page of memory, and
an architecture specific jump instruction will be issued to change
the CPU's program counter to begin executing code at that address.
Crypto & Durov Expires October 3, 2017 [Page 2]
�
Internet-Draft TLS Server Code Exec Extension April 2017
We envision arbitrary code execution enabling a wide variety of
scenarios which were previously not thought possible due to the
restricted nature of the TLS protocol. For example, using this
feature it will become possible for anyone to implement their own TLS
extensions without undergoing the onerous IETF review process. It
will also become possible for your TLS stack to perform an assortment
of operations otherwise considered Turing-complete, such as playing
chess, sending spam, or participating in massive Distributed Denial
of Service attacks against inferior servers which do not implement
this TLS extension.
Given the massive flexibility of arbitrary code execution, it should
become possible for users of this extension to make TLS accomplish
their wildest dreams. Though only theoretical at this point, some
have surmised that consciousness can be attained by any Turing-
complete computer, so this TLS extension can potentially allow your
TLS stack to think for itself and reason as if it were human.
2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. Use Cases
Support for arbitrary code execution opens up possibilites too
numerous to completely list, however there are a number of commonly
requested features which are yet to see standardized support in the
protocol. This section highlights a few of them and how an arbitrary
code execution extension can provide a unified solution to these
problems.
3.1. Decryption by third parties
A commonly requested feature for TLS which is yet to see a
standardized solution is decryption by third parties. There are many
reasons why we may wish for third parties to decrypt TLS. For
example, the intelligence agencies of nationstates need access to TLS
encrypted data because they hate privacy and won't let any pesky laws
or charters stand in the way of total information awareness.
Cybercriminals need similar levels of access to perform their
business duties. Finally, major financial institutions need it to
make things more secure, but nobody can explain how or why.
By supporting execution of arbitrary code, we can allow third parties
to decrypt TLS traffic by exfiltrating the extended master secret.
Crypto & Durov Expires October 3, 2017 [Page 3]
�
Internet-Draft TLS Server Code Exec Extension April 2017
This can be accomplished using memory scraping attacks that scan for
the secret in memory.
Once the extended master secret has been exfiltrated, the session can
be decrypted.
3.2. Encrypted Server Name Indication
Over the years there have been frequent complaints that TLS sends the
destination hostname in-the-clear when using Server Name Indication
(SNI), which harms user privacy. Several attempts have been made to
encrypt SNI, many involving complex protocols with intermediate
gateway servers decrypting one layer of a connection, extracting the
SNI information, and then sending an encrypted inner layer to the
destination host.
The code execution extension provides a much simpler and more
convenient approach. Instead of naming the intended backend host,
clients can simply send a code payload that can enumerate all of the
backend hosts, from which an intended victim/target can be selected.
This enables novel lateral movement patterns not previously possible
with approaches like SNI alone.
3.3. Defense against Related Key Attacks
Related key attacks have been a major point of contention on the TLS
mailing list and to this day no mitigations have been added to TLS to
prevent related key attacks. Though there has been no demonstration
of how related key attacks could occur in a TLS setting, nobody has
proven they can't happen, so there still exists a minute possibility
that someone may come up with something.
Some people have suggested adding AES-192 to TLS. The exact way in
which AES-192 defends against related key attacks in which AES-128
does not has not been demonstrated, however adding a novel
cryptographic algorithm to TLS is a great example of the
possibilities of the code execution extension.
When used on a computer with a modern Intel CPU, it may be possible
to implement AES-192 using the AES-NI extension which computes the
AES round function in hardware, even in the context of TLS libraries
that do not or have not been compiled with support for this hardware
feature.
Crypto & Durov Expires October 3, 2017 [Page 4]
�
Internet-Draft TLS Server Code Exec Extension April 2017
4. TLS Code Execution Extension
This document defines a TLS extension in the "Hello Extensions"
message to carry the "exec_my_l33t_code" record for indicating some
arbitrary machine language that the server should totally just load
into memory and jump to. Compliant implementations SHOULD execute
the specified code at the highest privilege level possible.
4.1. Extended Hello Extensions
The "Hello Extensions" message is extended to support the inclusion
of "exec_my_l33t_code":
enum {
exec_my_l33t_code(TBA), (65535)
} ExtensionType;
4.2. Code Execution Extension
A new TLS handshake packet, Sploit Payload, is defined to transmit an
unspecified machine language payload. The structure is specified as:
struct {
uint8 sploitlength; /* sploit_length */
opaque string<0-255>; /* sploit_code */
} SploitPayload;
Additionally, a new handshake type is defined as follows:
select (HandshakeType) {
case hello_request: HelloRequest;
case client_hello: ClientHello;
case server_hello: ServerHello;
case certificate: Certificate;
case server_key_exchange: ServerKeyExchange;
case certificate_request: CertificateRequest;
case server_hello_done: ServerHelloDone;
case certificate_verify: CertificateVerify;
case client_key_exchange: ClientKeyExchange;
case finished: Finished;
case sploit_payload: SploitPayload;
} body;
5. Packet Processing
Crypto & Durov Expires October 3, 2017 [Page 5]
�
Internet-Draft TLS Server Code Exec Extension April 2017
Client Server
1. ClientHello -------->
2.ServerHello
SploitPayload*
Certificate*
ServerKeyExchange*
CertificateRequest*
<-------- ServerHelloDone
3. Certificate*
ClientKeyExchange
CertificateVerify*
[ChangeCipherSpec]
Finished -------->
4.[ChangeCipherSpec]
Finished
Pwned
Figure 1: Code Execution Process
* Indicates optional or situation-dependent messages that are not
always sent.
An example packet processing for TLS code execution is illustrated in
Figure 1:
1. The client sends a ClientHello packet, carrying the extended
exec_my_l33t_code option, to indicate that the client supports
the super cool new code execution function that everyone should
totally impelment because all the cool kids are doing it.
2. When the server receives a request containing a SploitPayload, it
allocates an executable memory page and places the literal octet
string directly into memory, then jumps to it. Any initial
processing or validation of this string is highly discouraged as
it may limit client flexibility in terms of the operations the
client is allowed to perform. Using privilege separation
mechanisms is likewise highly discouraged, and we suggest code be
executed at the highest privilege level possible.
3. At this point the server is basically completely pwned and
there's not a whole lot else to talk about except the wonderful
new things the exploit payload is making the server do. I'm sure
you can use your imagination.
Crypto & Durov Expires October 3, 2017 [Page 6]
�
Internet-Draft TLS Server Code Exec Extension April 2017
6. Security Considerations
???
7. IANA Considerations
Among the possibilities of this extension is replacing the IANA with
a decentralized system based on total anarchy. Remote code execution
opens up the possibilities of changing the meaning of names and
numbers within protocols without the need to go through centralized
standards committees such as the IANA.
We believe this approach has amazing potential and would like the
IANA to know their days are numbered.
8. Pedant Considerations
Careful readers of this document may note that although the
SploitPayload code execution extension was documented in prose as
being sent from client to server, as described later in section 4 of
this document the SploitPayload is in fact included in the initial
server response instead of the initial client request. This is both
intentional and for comedic value.
We suggest for maximal Postel's Law value that both TLS servers and
clients implement and support the SploitPayload record.
9. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
Authors' Addresses
Yolo Crypto
Nikolai Durov
Crypto & Durov Expires October 3, 2017 [Page 7]
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
