OpenSSL Tracer getting started guide↑
This guide explains how to use the SandboxAQ OpenSSL Tracer to obtain a cryptography trace from an application.
Prerequisites↑
Before using the OpenSSL Tracer, make sure you’ve followed the installation instructions.
You’ll also need an application that uses OpenSSL libraries that you can run in a terminal.
Tracing the application↑
OpenSSL consists of two parts:
libssl
- this handles TLS connections.libcrypto
- this contains high-level and low-level cryptographic APIs.
The OpenSSL Tracer consists of two components to handle both parts: libssl_tracer.so
and evp_tracer.so
. These two components are explained in detail in the following sections.
It’s possible to intercept calls made
from an application to one of these dynamic libraries using the OpenSSL Tracer. This relies on the LD_PRELOAD
mechanism of the dynamic linker in Linux.
Cryptographic calls are interpreted, forwarded to the typical OpenSSL library (ensuring identical outcomes), and the parameters of these calls are stored in a trace file.
Libssl_tracer.so component↑
The libssl_tracer.so
component should be used to trace libssl
calls from
the application to the libssl.so
library of OpenSSL. The slot type must be OpenSSL libssl usage (libssl
in the API).
To trace the libssl
part of a program named foo
, you’d execute the following command when running the program:
This generates a trace file in the /tmp
directory named cs-trace-libssl-PID_TIMESTAMP.cst
.
You can configure the directory where the OpenSSL Tracer generates traces with the CS_TRACE_DIR
environment variable.
Evp_tracer.so component↑
The evp_tracer.so
component should be used to trace libcrypto
(or EVP) calls from the application to the libcrypto.so
library of OpenSSL. The slot type must be OpenSSL libcrypto usage (evp
in the API).
To trace the libcrypto
part of a program named foo
, you’d execute the following command when running the program:
This generates a trace file in the /tmp
directory named cs-trace-evp-PID_TIMESTAMP.cst
, where
PID
is the process ID of the program and TIMESTAMP
is the date and time in UTC
when the program was traced.
Note
If the traced application is terminated abruptly, the resulting gzip
file may be missing a trailer and appear to be corrupted. However, AQtive Guard should still be able to analyze the contents of the trace.
Upload the trace to AQtive Guard to run an analysis and generate a report. Refer to these instructions:
- Web Interface - Uploading a new trace
- API - Upload a trace using the API Client
Refer to Configuration in the OpenSSL Tracer reference for a list of available parameters and how to use them.
Tracing text encryption↑
OpenSSL ships with a command-line tool named openssl
. You can use it to encrypt text
with the following command:
$ echo some text | openssl enc -aes-256-cbc -k secret -base64
U2FsdGVkX181z6PWd25ZnqNUqhVXGiy+ka7bwSu1tqE=
Since the openssl
command-line tool uses libcrypto
in this scenario, select the evp_tracer.so
component of the OpenSSL Tracer. To obtain the trace for the execution
of this command, set the LD_PRELOAD
environment variable tracer’s path.
For instance, in an interactive shell session, the previous command would be modified to the following:
$ echo some text | LD_PRELOAD=/path/to/evp_tracer.so openssl enc -aes-256-cbc -k secret -base64
U2FsdGVkX1++v8mvWpXbogGGWV8NrE4LxWuQ/+0E/yw=
The encrypted text is still printed in the standard output. This also generates a trace file named
cs-trace-evp-PID_TIMESTAMP.cst
in the /tmp
directory, where PID
is the process ID.
Configuring where traces are stored↑
You can configure the directory where the OpenSSL Tracer generates traces with the CS_TRACE_DIR
environment variable:
$ mkdir cs-tracer
$ export CS_TRACE_DIR=cs-tracer
$ echo some text | LD_PRELOAD=/path/to/evp_tracer.so openssl enc -aes-256-cbc -k secret -base64
U2FsdGVkX1+Gwdr9Zs0OyteehJdK40UBJSwQ+BWrq3w=
$ ls cs-tracer
cs-trace-evp-944387_2022-06-14-13-56-53.cst
Combining trace files↑
As each program run generates a unique trace file, you’ll likely end up with a substantial number of these files over time. For simplicity, you can concatenate these files before uploading them to the AQtive Guard web interface:
$ ls cs-tracer
cs-trace-evp-944387_2022-06-14-13-56-53.cst
cs-trace-evp-947560_2022-06-14-14-44-49.cst
cs-trace-evp-947609_2022-06-14-14-44-50.cst
cs-trace-evp-947654_2022-06-14-14-44-51.cst
cs-trace-evp-947699_2022-06-14-14-44-53.cst
cs-trace-evp-947744_2022-06-14-14-44-54.cst
$ cat cs-trace-evp-*.cst > cryptosense-evp-joined.cst