Skip to content

Usable-Security-and-Privacy-Lab/ssa-daemon

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

980 Commits
docs
docs
 
 
examples
examples
 
 
extras
extras
 
 
test_files
test_files
 
 
.gitignore
.gitignore
 
 
Makefile
Makefile
 
 
Makefile-Old
Makefile-Old
 
 
README.md
README.md
 
 
certificate.c
certificate.c
 
 
certificate.h
certificate.h
 
 
cipher_selection.c
cipher_selection.c
 
 
cipher_selection.h
cipher_selection.h
 
 
config.c
config.c
 
 
config.h
config.h
 
 
config.yml
config.yml
 
 
connection_callbacks.c
connection_callbacks.c
 
 
connection_callbacks.h
connection_callbacks.h
 
 
crl.c
crl.c
 
 
crl.h
crl.h
 
 
crl_callbacks.c
crl_callbacks.c
 
 
crl_callbacks.h
crl_callbacks.h
 
 
ct_log_list.cnf
ct_log_list.cnf
 
 
daemon.c
daemon.c
 
 
daemon.h
daemon.h
 
 
daemon_structs.c
daemon_structs.c
 
 
daemon_structs.h
daemon_structs.h
 
 
error.c
error.c
 
 
error.h
error.h
 
 
getsockopt.c
getsockopt.c
 
 
getsockopt.h
getsockopt.h
 
 
hashmap.c
hashmap.c
 
 
hashmap.h
hashmap.h
 
 
hashmap_crl.c
hashmap_crl.c
 
 
hashmap_crl.h
hashmap_crl.h
 
 
hashmap_str.c
hashmap_str.c
 
 
hashmap_str.h
hashmap_str.h
 
 
hashqueue.c
hashqueue.c
 
 
hashqueue.h
hashqueue.h
 
 
in_tls.h
in_tls.h
 
 
inotify.c
inotify.c
 
 
inotify.h
inotify.h
 
 
install_packages.sh
install_packages.sh
 
 
log.c
log.c
 
 
log.h
log.h
 
 
main.c
main.c
 
 
netlink.c
netlink.c
 
 
netlink.h
netlink.h
 
 
ocsp.c
ocsp.c
 
 
ocsp.h
ocsp.h
 
 
ocsp_stapling_server.c
ocsp_stapling_server.c
 
 
ocsp_stapling_server.h
ocsp_stapling_server.h
 
 
revocation.c
revocation.c
 
 
revocation.h
revocation.h
 
 
sessions.c
sessions.c
 
 
sessions.h
sessions.h
 
 
setsockopt.c
setsockopt.c
 
 
setsockopt.h
setsockopt.h
 
 
socket_setup.c
socket_setup.c
 
 
socket_setup.h
socket_setup.h
 
 

Repository files navigation

Secure Socket API (SSA)

The SSA is a system that allows programmers to easily create secure TLS connections using the standard POSIX socket API. This allows programmers to focus more on the developement of their apps without having to interface with complicated TLS libraries. The SSA also allows system administrtors and other power users to customize TLS settings for all connections on the machines they manage, according to their own needs.

How it Works

The SSA has two components: a kernel module and a userspace daemon. The kernel module intercepts system calls for TLS-configured sockets and redirects them to the daemon, which does the heavy lifting of establishing a secure TLS connection.

When SSA is installed, application developers can configure POSIX sockets for TLS by using the IPPROTOTLS flag in the call to socket. They can then use the sockets with the regular socket system calls.

TLS settings are configured by the system administrator using a config file. SSA shifts the burden of choosing configurations from the application developer to the system administrator running the application. This makes the development process much simpler,and gives the adminstrator control over the security settings for applications running on the system.

Publication

You can read more about the SSA, it's design goals, and features in our USENIX Security 2018 paper

Our Vision

The SSA was created by Mark O'Neill for his Ph.D. dissertation, in which he demonstrated a need for an easier way to write secure software. He created the SSA as a prototype solution to meet that need. We are currently working to make this project fully-functional so that it can be adopted in real-world applications. We look forward to collaboration with the open-source community to make this vision a reality.

Status

The SSA is still undergoing large changes as we finalize certificate validation strategies and improve error reporting. As such, it should not yet be used in any mission critical environments. However, we are working toward release as a viable tool for the general public.

Guide to this repository

This repository contains the source code for the userspace daemon. Source code for the kernel module is in a separate repo. Documentation for both the daemon and the kernel module is found in this repository, in the docs directory, as described below:

  • install-documentation.md contains installation instructions.
  • user-documentation.md contains instructions for writing applications that use the SSA
  • admin-documentation.md contains instructions for managing the config file
  • The developer-documentation directory contains documentation for developers wanting to contribute to the SSA:
    • general.md contains an overview of how the system works as well as information that is relevant to both the daemon and the module.
    • daemon.md contains documentation specific to the ssa-daemon portion of the SSA
    • The testing directory contains various testing files
    • The diagrams directory contains images referenced in the documentation files.

We will be providing a formal API specicification in this repo and on owntrust.org in the very near future. Eager users are encouraged to see our publication (linked above), code, or to contact us directly with questions.

Contributions and Thanks

Thank you to Eliezer Colon for noting a compilation issue

About

User space daemon implementing the Secure Sockets API

owntrust.org/

Topics

tls encryption certificate-transparency certificate-manager

Resources

Readme
Activity
Custom properties

Stars

2 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors 8

Languages