Overview
Explore an automated black-box analysis technique for hostname verification in SSL/TLS implementations through this IEEE conference talk. Dive into the HVLearn framework, which uses automata learning algorithms to test and analyze various SSL/TLS libraries and applications. Understand the importance of hostname verification in certificate validation, the challenges involved in testing complex implementations, and how HVLearn uses certificate templates and Deterministic Finite Automaton (DFA) models to identify discrepancies and potential vulnerabilities. Learn about the framework's effectiveness in achieving higher code coverage than existing fuzzing techniques, and discover the critical violations of RFC specifications uncovered during testing. Gain insights into topics such as hostname verification, Subject Alternative Name, terminal learning, testing paths and certificates, model comparison, and international domain name handling in SSL/TLS implementations.
Syllabus
Introduction
Background
Hostname Verification
Subject Alternative Name
Testing Approach
Terminal Learning
Testing Paths
Testing Certificate
How to Inspect
Model Comparison
Evaluation
Comparison
Resolution
RFC Violation
International domain name
Case-Sensitive vs. Case-Insensitive Matching
Taught by
IEEE Symposium on Security and Privacy