[CRIU] Using CRIU to bypass SSL/TLS encryption

David Elliott delliott537 at gmail.com
Sat Sep 1 01:14:36 MSK 2018


CRIU allows you to migrate TCP connections. This also means that CRIU
allows you to migrate SSL/TLS encrypted connections, since encryption
happens at higher layers of the network stack than TCP. SSL/TLS is also
session-based. While migrating encrypted connections, I noticed that I
don't have to have the certificates available on the receiving host during
the migration, and the connection will still restore properly and continue
communication.

Now consider the (somewhat contrived) example:

Attacker A is interested in determining the contents of a particular stream
of encrypted data traveling to company C. So A gets an employee inside C to
checkpoint the application receiving the data (leaving it running), as well
as capture a small section of the encrypted stream. The insider then sends
the checkpoint and the captured packets to A.

A doesn't have the certificates initially used to set up the encrypted
communication, and is able to reconstruct the application and successfully
restore the checkpoint, with the TCP connection modified to receive from his
own IP address. A then replays the captured packet stream from his IP,
sending the packets to the restored application, and receives the output
from the application.

Is this a security problem?
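The following Python model is an added illustration of why the observation in the post holds; it is not code from the post, from CRIU, or from any TLS library. It models only the part of a TLS endpoint that survives in process memory after the handshake: the symmetric record keys and the next expected record sequence number. The certificate's private key authenticates the handshake and is then no longer referenced, so a memory image (what a checkpoint captures) is enough to keep opening records that were captured from the wire afterwards. Record protection here is a toy HMAC-SHA256 keystream plus MAC, not real TLS, and every name in the block (`RecordLayer`, `seal_record`, `run_scenario`, the constructed "captured" records) is an assumption of this example.

```python
"""Model of why a checkpointed process keeps decrypting a TLS session without
the certificate.  Toy record protection (HMAC-SHA256 keystream + MAC over the
sequence number); not real TLS and not CRIU code."""
import hashlib
import hmac
import json
import os


def derive_session_keys(premaster: bytes, transcript: bytes) -> dict:
    """Stand-in for the TLS key schedule.  The certificate's private key only
    signs the handshake transcript; it never becomes part of the record keys."""
    master = hashlib.sha256(premaster + transcript).digest()
    return {
        "client_write": hashlib.sha256(b"client write" + master).digest(),
        "server_write": hashlib.sha256(b"server write" + master).digest(),
    }


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    # Toy keystream: HMAC(key, seq || counter) blocks, truncated to length.
    out, counter = b"", 0
    while len(out) < length:
        msg = seq.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_record(key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Sender side: encrypt under (key, seq) and MAC the ciphertext with seq."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, seq, len(plaintext))))
    tag = hmac.new(key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    return ct + tag


class RecordLayer:
    """The receive side of an endpoint as it sits in process memory after the
    handshake: a symmetric read key and the next expected sequence number."""

    def __init__(self, read_key: bytes, read_seq: int = 0):
        self.read_key = read_key
        self.read_seq = read_seq

    def open_record(self, record: bytes) -> bytes:
        ct, tag = record[:-32], record[-32:]
        seq = self.read_seq.to_bytes(8, "big")
        expect = hmac.new(self.read_key, seq + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("bad record MAC (wrong key or seq %d)" % self.read_seq)
        pt = bytes(c ^ k for c, k in zip(ct, _keystream(self.read_key, self.read_seq, len(ct))))
        self.read_seq += 1
        return pt

    def checkpoint(self) -> bytes:
        """What a memory image of this endpoint contains: key and counter only."""
        return json.dumps({"read_key": self.read_key.hex(), "read_seq": self.read_seq}).encode()

    @classmethod
    def restore(cls, image: bytes) -> "RecordLayer":
        state = json.loads(image)
        return cls(bytes.fromhex(state["read_key"]), state["read_seq"])


def run_scenario() -> dict:
    """Insider checkpoints the receiving process, captures later records; the
    attacker restores the image with no certificate and opens the records."""
    cert_private_key = os.urandom(32)              # only used during the handshake
    premaster = os.urandom(32)
    transcript = hashlib.sha256(cert_private_key).digest()  # "signed" transcript stand-in
    client_write = derive_session_keys(premaster, transcript)["client_write"]
    server = RecordLayer(client_write)

    # Constructed traffic consumed before the checkpoint (seq 0 and 1).
    earlier = [seal_record(client_write, 0, b"GET /inbox"),
               seal_record(client_write, 1, b"keepalive")]
    for rec in earlier:
        server.open_record(rec)

    image = server.checkpoint()                    # the insider's checkpoint (seq now 2)
    captured = [seal_record(client_write, 2, b"secret report part 1"),
                seal_record(client_write, 3, b"secret report part 2")]
    for rec in captured:
        server.open_record(rec)                    # the real server keeps running

    attacker = RecordLayer.restore(image)          # no certificate, no private key
    recovered = [attacker.open_record(rec) for rec in captured]

    # Caveat: records from before the checkpoint do not replay, the counter has moved on.
    stale = RecordLayer.restore(image)
    try:
        stale.open_record(earlier[0])
        stale_replay_ok = True
    except ValueError:
        stale_replay_ok = False

    return {"recovered": recovered, "stale_replay_ok": stale_replay_ok,
            "cert_key_in_image": cert_private_key.hex() in image.decode()}


if __name__ == "__main__":
    print(run_scenario())
```

Two things the model makes visible that the post leaves implicit. First, the capture must start at (or be aligned with) the checkpoint: a restored endpoint expects records from its saved sequence number onward, and anything earlier fails the MAC check, so the insider cannot hand over a checkpoint and an arbitrary pcap. Second, in the real setting the same alignment applies one layer down: CRIU dumps and restores established TCP connections through the kernel's TCP repair mode (`--tcp-established`), so the replayed packets must carry the TCP sequence numbers the restored socket expects, not just the right TLS records.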