DRLgencert: Deep Learning-Based Automated Testing of Certificate Verification in SSL/TLS Implementations

Chen, Chao; Diao, Wenrui; Zeng, Yingpei; Guo, Shanqing; Hu, Chengyu

doi:10.1109/icsme.2018.00014

Cited by 16 publications

(5 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There are 13 and 6 relevant papers published in ICSE and FSE, respectively. Meanwhile, in all journals, TSE and IST include the highest number of relevant papers (11).…”

Section: Distribution Of Publication Venuesmentioning

confidence: 99%

“…by back-propagation ( 14) and fine-tuning (11). Besides, some optimization methods are not often used, such as Adagrad and Adadelta.…”

Section: 21mentioning

confidence: 99%

“…7.5.7 Testing techniques. Many studies focus on new methods to perform testing, such as for apps [96], games [144], and other software systems [5,11]. There are also some studies using well-known testing techniques (e.g., fuzzing [17,30] and mutation testing [83]) for improving the quality of software artifacts.…”

Section: Program Analysismentioning

confidence: 99%

See 2 more Smart Citations

A Survey on Deep Learning for Software Engineering

Yang¹,

Xia²,

Lo³

et al. 2020

Preprint

View full text Add to dashboard Cite

In 2006, Geoffrey Hinton proposed the concept of training "Deep Neural Networks (DNNs)" and an improved model training method to break the bottleneck of neural network development. More recently, the introduction of AlphaGo in 2016 demonstrated the powerful learning ability of deep learning and its enormous potential. Deep learning has been increasingly used to develop state-of-the-art software engineering (SE) research tools due to its ability to boost performance for various SE tasks. There are many factors, e.g., deep learning model selection, internal structure differences, and model optimization techniques, that may have an impact on the performance of DNNs applied in SE. Few works to date focus on summarizing, classifying, and analyzing the application of deep learning techniques in SE. To fill this gap, we performed a survey to analyse the relevant studies published since 2006. We first provide an example to illustrate how deep learning techniques are used in SE. We then summarize and classify different deep learning techniques used in SE. We analyzed key optimization technologies used in these deep learning models, and finally describe a range of key research topics using DNNs in SE. Based on our findings, we present a set of current challenges remaining to be investigated and outline a proposed research road map highlighting key opportunities for future work.

show abstract

“…There are 13 and 6 relevant papers published in ICSE and FSE, respectively. Meanwhile, in all journals, TSE and IST include the highest number of relevant papers (11).…”

Section: Distribution Of Publication Venuesmentioning

confidence: 99%

“…by back-propagation ( 14) and fine-tuning (11). Besides, some optimization methods are not often used, such as Adagrad and Adadelta.…”

Section: 21mentioning

confidence: 99%

See 1 more Smart Citation

A Survey on Deep Learning for Software Engineering

Yang¹,

Xia²,

Lo³

et al. 2020

Preprint

View full text Add to dashboard Cite

show abstract

“…Other research problems: Other important research problems handled using deep learning are code search [51,52,53,54], security [55,56,57,58], and software language modelling [59,60,61,62]. The next most investigated research problems, with three papers each, are bug localization [63,64,65] and clone detection [66,67,68].…”

Section: Publication Venuesmentioning

confidence: 99%

Software Engineering Meets Deep Learning: A Mapping Study

Ferreira,

Silva,

Valente

2019

Preprint

View full text Add to dashboard Cite

Deep learning (DL) is being used nowadays in many traditional software engineering (SE) problems and tasks, such as software documentation, defect prediction, and software testing. However, since the renaissance of DL techniques is still very recent, we lack works that summarize and condense the most recent and relevant research conducted in the intersection of DL and SE. Therefore, in this paper we describe the first results of a literature review covering 81 papers about DL & SE.

show abstract

“…The authors (i) generated a corpus of synthetic test certificates by randomly combining and mutating parts of real certificates, and (ii) provided the corpus as input to multiple TLS libraries to use them as cross-referencing oracles to find differences in implementations (and bugs). Large body of prior research extends this line of work with the aim to improve the synthetic certificate generation process, including, but not limited to: Mucerts [20] that uses code coverage guidance, Coveringcerts [21] that uses combinatorial methods with theoretical guarantees, SymCerts [22] that adds symbolic execution, RFCcerts [23] that leverages certificate rules from protocol specification documents, Transcerts [24] that relies on coverage transfer graphs, NEZHA [25] that keeps track of behavioral asymmetries across multiple programs, and DRLgencert [26] that uses deep reinforcement learning to perform mutations on a certificate. Note that in contrast to these techniques that automatically generate synthetic certificates, Barenghi et al [27] work to first manually obtain a grammar for TLS certificates, and then build a parser to find legitimate issues in certificates that are missed by various implementations.…”

Section: Differential Testingmentioning

confidence: 99%

Measurement techniques to understand how diversity in TLS implementations & deployments influences protocol security

Paracha

View full text Add to dashboard Cite

TLS is a fundamental and widely-used network security protocol. On one hand, the protocol has undergone rigorous development over the past 25 years and offers sophisticated theoretical guarantees. At the same time, its adoption has grown from traditional computers to handheld devices and IoT ones, with these settings presenting varying constraints and caveats. As a consequence, a large number of TLS implementations and deployments exist and cater to different needs. Unfortunately, this results in a gap between what the protocol offers in theory vs how it works in practice; the diversity in the ecosystem not only increases the probability of a mistake during protocol development and use, but also leads to customizations with unexpected side effects.The thesis of this dissertation is that the rich diversity in TLS implementations & deployments introduces opportunities to harm protocol security, and that the harms can be identified (and mitigated) using rigorous measurement techniques.My work sheds light on previously unexplored aspects of TLS deployment in three different settings; web, mobile and IoT devices. More specifically, I (a) study web content availability and consistency over HTTP/S to better understand the obstacles to a TLS-by-default web, (b) conduct longitudinal experiments on a large number of consumer IoT devices to evaluate TLS effectiveness in that setting, and (c) revisit certificate pinning policies in mobile applications to examine implementations with advanced network security techniques that go beyond what the protocol offers.In addition to exploring diversity in deployments, my work leverages the diversity in TLS implementations alongside recent advances in generative language models to automate bug discovery. More specifically, I present a novel approach of generating synthetic TLS certificates using language models that reveal a wide range of previously unobserved and interesting implementation differences with security implications.My work has led to vulnerability disclosures, a security feature at a major CDN provider, a presentation at an IRTF body to inform protocol engineering, and novel auditing techniques that enable greater transparency about real-world protocol effectiveness. I believe the insights from my work can assist in better modeling of software security beyond TLS, the techniques proposed push state-of-the-art for network measurement, and the use of language models to generate synthetic test cases can prove valuable in domains where software inputs can be expressed in natural language.

show abstract

DRLgencert: Deep Learning-Based Automated Testing of Certificate Verification in SSL/TLS Implementations

Cited by 16 publications

References 18 publications

A Survey on Deep Learning for Software Engineering

A Survey on Deep Learning for Software Engineering

Software Engineering Meets Deep Learning: A Mapping Study

Measurement techniques to understand how diversity in TLS implementations & deployments influences protocol security

Contact Info

Product

Resources

About