Towards Validation of TLS 1.3 Formal Model and Vulnerabilities in Intel’s RA-TLS Protocol

Abstract

Read online

Transport Layer Security (TLS) is a widely used protocol for secure channel establishment. However, TLS lacks any inherent mechanism for validating the security state of the endpoint software and its platform. To overcome this limitation, recent works have combined remote attestation (RA) and TLS, named attested TLS. The most popular attested TLS protocol for confidential computing is Intel’s RA-TLS, which is used in multiple industrial projects. However, Intel has neither specified the protocol nor the desired properties. Moreover, despite its wide usage in security-critical use cases, there is no formal reasoning for the security of attested TLS for confidential computing in general and RA-TLS in particular. Using the state-of-the-art symbolic security analysis tool ProVerif, we formalized and found vulnerabilities in RA-TLS from both RA and TLS perspectives. We also propose mitigations for the vulnerabilities. During the formalization process, we found that despite several formal verification efforts for TLS to ensure its security, the validation of corresponding formal models has been largely overlooked. We demonstrate that a simple validation framework could discover crucial issues in state-of-the-art formalization of TLS 1.3 key schedule in ProVerif. Particularly, we found that 11 out of 14 keys in that formalization deviate from the corresponding TLS specifications. These issues have been acknowledged and fixed by the authors. Finally, we provide recommendations for protocol designers and the formal verification community based on the lessons learned in the formal verification and validation.

Keywords

• Confidential computing
• formal analysis
• ProVerif
• remote attestation (RA)
• symbolic security analysis
• transport layer security (TLS)