The Secure Socket API

Presented at SAINTCON 2019, Oct. 24, 2019, 11 a.m. (60 minutes).

The Secure Socket API: How to Make Secure Sockets with as little as one line of code SSL/TLS libraries are notoriously hard for developers to use, leaving system administrators at the mercy of buggy and vulnerable applications. We demonstrate a new API we have developed, which modifies the standard POSIX socket API to vastly simplify how a developer interacts with TLS, while also giving administrators the ability to control applications and tailor TLS configuration to their needs. We first assess OpenSSL and its uses in open source software, recommending how this functionality should be accommodated within the POSIX API. We then demonstrate the Secure Socket API (SSA), a minimalist TLS API built using existing network functions and show how it can be employed by existing network applications by modifications requiring as little as one line of code. We next describe our SSA implementation that leverages network system calls to provide privilege separation and support for other programming languages. We end with a discussion of the benefits and limitations of the SSA and our accompanying implementation, describing the status of our implementation and ongoing efforts to improve it.


Presenters:

  • Daniel Zappala - Brigham Young University
    Daniel Zappala is the director of the Internet Research Lab at BYU. He is primarily interested in usable security and privacy. Daniel's recent research includes developing a security layer for TLS, designing better usability for secure messaging apps, and improving risk communication. His students recently won second place in the Facebook Internet Defense Prize and Honorable Mention for Distinguished Paper at SOUPS. Daniel has taught classes on Internet Programming, Networking, Security, Usability, and Web Programming. He is currently serving on the organizing committees of ACSAC and SOUPS, and on the program committees of USENIX Security and PeTS. Daniel earned his Ph.D. in Computer Science at the University of Southern California.

Links:

Similar Presentations: