View article

Morpheus: Bringing the (pkcs) one to meet the oracle

Authors

Moosa Yahyazadeh, Sze Yiu Chau, Li Li, Man Hong Hue, Joyanta Debnath, Sheung Chiu Ip, Chun Ngai Li, Endadul Hoque, Omar Chowdhury

Publication date

2021/11/12

Book

Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security

Pages

2474-2496

Description

This paper focuses on developing an automatic, black-box testing approach called Morpheus to check the non-compliance of libraries implementing PKCS#1-v1.5 signature verification with the PKCS#1-v1.5 standard. Non-compliance can not only make implementations vulnerable to Bleichenbacher-style RSA signature forgery attacks but also can induce interoperability issues. For checking non-compliance, Morpheus adaptively generates interesting test cases and then takes advantage of an oracle, a formally proven correct implementation of PKCS#1-v1.5 signature standard, to detect non-compliance in an implementation under test. We have used Morpheus to test 45 implementations of PKCS#1-v1.5 signature verification and discovered that 6 of them are susceptible to variants of the Bleichenbacher-style low public exponent RSA signature forgery attack, 1 implementation has a buffer overflow, 33 …

Total citations

Cited by 4

202320241 3

Scholar articles

Morpheus: Bringing the (pkcs) one to meet the oracle

M Yahyazadeh, SY Chau, L Li, MH Hue, J Debnath… - Proceedings of the 2021 ACM SIGSAC Conference on …, 2021