Developing a Xen hypervisor based alternate defense against cipher suite downgrade attacks for virtual TLS servers


Bibliographic Details
Main Author: Pathangi Janardhanan Jatinshravan
Other Authors: Alwen Fernanto Tiu
Format: Final Year Project (FYP)
Language: English
Published: 2017
Subjects: DRNTU::Engineering::Computer science and engineering
Online Access: http://hdl.handle.net/10356/70367
Description: TLS is a commonly used protocol that provides a secure communication channel through the use of encryption and is widely used by HTTPS websites. TLS allows client/server applications to communicate securely in a way that is “designed to prevent eavesdropping, tampering and message forgery” [1]. However, there are possible ways an attacker can break the security offered by TLS, one of which is a cipher suite downgrade attack, which can take the form of a FREAK attack or a Logjam, both discovered in 2015, wherein a man in the middle can force the client and the server to use a weaker cipher suite which can be broken, thus allowing the attacker access to the communication between the client and the server. In this project, I attempted to defend a TLS virtual server running on a Xen hypervisor against downgrade attack attempts by intercepting the TLS Client Hello, which is the first message in a TLS communication, and examining the client’s preferred cipher suite, dropping the Client Hello if the cipher suite is not of the desired standard, thus ensuring that a TLS connection does not take place. This is done by monitoring incoming network packets from the hypervisor’s netback driver. This solution has the benefit of the user of the virtual machine or virtual server not having to modify or worry about placing restrictions on their TLS server, as TLS security is handled by the hypervisor without the interference of the virtual machine. This solution can have positive implications, especially considering that the world is moving more towards virtualization and virtualized servers.
Institution: Nanyang Technological University
Record ID: ntu-10356/70367
School: School of Computer Science and Engineering
Degree: Bachelor of Engineering (Computer Engineering)
Date Issued: 2017-04-21
Extent: 47 p.
File Format: application/pdf