DSSSL - DSMIL-Grade OpenSSL

Post-Quantum Cryptography | Hardware-Backed Security | Multi-Profile Architecture

Note: This is DSSSL, a hardened OpenSSL fork for DSMIL-grade security. For original OpenSSL documentation, see docs/openssl-original/

---

🎯 Overview

DSSSL is a hardened OpenSSL 3.x fork implementing DSMIL-grade security requirements with:

• Post-Quantum Cryptography: ML-KEM (Kyber) and ML-DSA (Dilithium) integration
• Hybrid Cryptography: Classical + PQC for defense-in-depth
• Three Security Profiles: WORLD_COMPAT, DSMIL_SECURE, ATOMAL
• Hardware-Backed Security: TPM 2.0 integration (88 algorithms)
• Side-Channel Hardening: CSNA constant-time verification
• Event Telemetry: Real-time security monitoring
• DSLLVM Optimization: Built with hardened LLVM/Clang

---

⚡ Quick Start

# Clone and build
git clone https://github.com/SWORDIntel/DSSSL.git
cd DSSSL
./util/build-dsllvm-world.sh --clean

# Run tests
cd test/dsmil && ./run-all-tests.sh

# Check PQC support
cd examples && make && ./check-pqc

# Install as system OpenSSL (requires root)
sudo ./install-dsssl.sh

---

📚 Essential Documentation

Start Here:

1. docs/DOCUMENTATION_INDEX.md - Complete documentation guide
2. docs/core/OPENSSL_SECURE_SPEC.md - Full DSMIL specification
3. docs/core/IMPLEMENTATION_PLAN.md - 9-phase implementation roadmap

Implementation Phases:

• ✅ Phase 1-9: Complete (Build, Policy, Events, Config, Hybrid, CSNA, TPM, Testing, Deployment)
• ✅ Phase 3: TLS Full Integration - Complete (Hybrid KEM TLS 1.3 handshake)
• 🎉 Production Ready!

---

🔐 Security Profiles

Profile	Use Case	Crypto	TPM	Overhead
WORLD_COMPAT	Public internet	Classical + opportunistic PQC	Optional	1.0x
DSMIL_SECURE	Internal/allies	Hybrid mandatory (X25519+ML-KEM-768)	Recommended	1.2-1.5x
ATOMAL	Maximum security	Hybrid/PQC only (ML-KEM-1024)	Mandatory	1.5-2.0x

---

🚀 Key Features

Post-Quantum Cryptography

• ✅ ML-KEM-512/768/1024 (Kyber)
• ✅ ML-DSA-44/65/87 (Dilithium)
• ✅ Hybrid KEM (X25519+ML-KEM) - TLS 1.3 Integrated
• ✅ Hybrid Signatures (ECDSA+ML-DSA)
• ✅ TLS 1.3 Hybrid KEM Handshake - Full production support

Hardware Security

• ✅ TPM 2.0 (88 algorithms)
• ✅ Intel NPU/GNA acceleration
• ✅ Hardware-backed key storage
• ✅ AES-NI, AVX-512 support

Side-Channel Protection

• ✅ CSNA 2.0 annotations
• ✅ Constant-time operations
• ✅ Timing analysis testing
• ✅ Compiler verification

Testing

• ✅ 342+ automated tests
• ✅ Security score: 100%
• ✅ Performance benchmarking
• ✅ Fuzzing infrastructure
• ✅ CVE Detection & Mitigation - 2024-2025 high-impact CVEs
• ✅ Hybrid KEM TLS Testing - End-to-end handshake validation

---

🧪 Testing

cd test/dsmil

# Quick test (3-6 min)
./run-all-tests.sh

# Comprehensive (20-50 min)
./test-comprehensive.sh --all

# Security validation only
./test-security-validation.sh

# Performance benchmarks
./test-performance-benchmarks.sh

Test Coverage: 342+ tests across 7 suites, 100% security score achieved

---

📊 Performance

Benchmark Results (Intel Core Ultra 7 165H)

Operation	Throughput	Hardware
SHA-256	8,400 MB/s	SHA-NI
AES-256-GCM	3,800 MB/s	AES-NI
ECDSA P-256 sign	24,000 ops/s	-
ML-KEM-768 encap	~14,000 ops/s	-

Handshake Overhead

• WORLD_COMPAT: 1.5 ms (baseline)
• DSMIL_SECURE: 2.0 ms (+33%)
• ATOMAL: 2.5 ms (+67%)

---

🔧 Build Options

# Portable build (x86-64-v3)
./util/build-dsllvm-world.sh --clean

# Optimized build (Meteor Lake)
./util/build-dsllvm-dsmil.sh --clean

# With testing
./util/build-dsllvm-world.sh --clean --test

# Manual configuration
./Configure dsllvm-world
make -j$(nproc)
make test

With oqs-provider (built by default, extended PQC coverage)

# Build and stage oqs-provider + liboqs (falls back to local staging if /opt is not writable)
./util/build-dsllvm-world.sh --clean --test
# To skip oqs-provider: --without-oqs-provider

# After build, point OpenSSL to the staged provider
export OPENSSL_MODULES=$(find oqs-provider -name ossl-modules -type d | head -n1)
export OPENSSL_CONF=$(pwd)/configs/oqs-provider.cnf

# Quick smoke
./apps/openssl list -kem-algorithms -provider oqsprovider -provider-path "$OPENSSL_MODULES"

Notes: oqs-provider is built by default for extended PQC coverage (interop/research). Submodule is pinned to oqs-provider v0.10.0; override the liboqs branch with --liboqs-branch. OpenSSL ≥3.2 is required for TLS PQ signatures; OpenSSL ≥3.5 disables ML-KEM/ML-DSA inside oqs-provider because those are native.

---

📖 Documentation

Core Docs

• docs/DOCUMENTATION_INDEX.md - Master index
• docs/core/OPENSSL_SECURE_SPEC.md - Complete specification
• docs/core/IMPLEMENTATION_PLAN.md - 9-phase roadmap

Phase Guides

• docs/PHASES_2-5_SUMMARY.md - Policy, Events, Hybrid
• docs/PHASE8_COMPREHENSIVE_TESTING.md - Testing guide
• docs/PHASE9_DEPLOYMENT_SUMMARY.md - Deployment guide

Technical Guides

• docs/CSNA_SIDE_CHANNEL_HARDENING.md - Constant-time programming
• docs/TPM_INTEGRATION.md - TPM2 hardware integration
• docs/HYBRID_CRYPTO.md - Hybrid cryptography
• docs/CVE_DETECTION_AND_MITIGATION.md - CVE detection & mitigation
• docs/DEPLOYMENT_GUIDE.md - Production deployment

Quick Refs

• README-TESTING.md - Quick testing reference
• docs/core/INSTALLATION_GUIDE.md - System installation guide
• examples/README.md - Example programs
• docs/openssl-original/ - Original OpenSSL docs

---

🛠️ Configuration

Environment Variables

export DSMIL_PROFILE=DSMIL_SECURE
export THREATCON_LEVEL=HIGH
export DSMIL_EVENT_SOCKET=/run/crypto-events.sock

Configuration Files

# WORLD_COMPAT profile
openssl s_server -config configs/world.cnf

# DSMIL_SECURE profile
openssl s_server -config configs/dsmil-secure.cnf

# ATOMAL profile (requires TPM)
openssl s_server -config configs/atomal.cnf

---

🎓 Examples

Check PQC Support

cd examples && make
./check-pqc

Output:

Post-Quantum Algorithms:
  ✓ ML-KEM-512 (KEM)
  ✓ ML-KEM-768 (KEM)
  ✓ ML-KEM-1024 (KEM)
  ✓ ML-DSA-44 (Signature)
  ✓ ML-DSA-65 (Signature)
  ✓ ML-DSA-87 (Signature)

TLS Client with Profile

./dsmil-client cloudflare.com 443 DSMIL_SECURE

TPM Key Management

#include "providers/dsmil/tpm_integration.h"

// Seal private key to TPM
DSMIL_TPM_CTX tpm_ctx;
dsmil_tpm_init(&tpm_ctx, policy_ctx);
dsmil_tpm_seal_key(&tpm_ctx, key, 32, sealed_blob, &size);

// Later: unseal from TPM
dsmil_tpm_unseal_key(&tpm_ctx, sealed_blob, size, key, &key_size);

---

🔒 Security

Security Score: 100%

Based on 37 security validation tests:

• ✅ Policy enforcement (all profiles)
• ✅ Downgrade attack prevention
• ✅ Constant-time implementations
• ✅ TPM key protection
• ✅ Memory safety
• ✅ Build security flags
• ✅ Attack surface minimization

Reporting Issues

DO NOT file public issues for security vulnerabilities.

Contact: Contact me directly for reporting issues.

---

📈 Project Status

Phases Complete (9/9) 🎉

Phase	Status	Tests
1. Build System	✅	45+
2. Policy Provider	✅	38+
3. Event Telemetry	✅	70+
4. Configuration	✅	52+
5. Hybrid Crypto Docs	✅	N/A
6. CSNA Hardening	✅	45+
7. TPM Integration	✅	55+
8. Testing	✅	37+
9. Deployment	✅	N/A

---

🛠️ Requirements

Build Environment

• Compiler: DSLLVM (https://github.com/SWORDIntel/DSLLVM) or Clang
• OS: Linux (kernel 4.4+), x86_64
• Tools: make, perl, standard build tools

Hardware (Optional)

• TPM 2.0: Required for ATOMAL profile
• Intel Meteor Lake: For NPU/GNA acceleration
• AES-NI, AVX-512: For hardware acceleration

---

📊 Statistics

Code: ~12,000+ lines of implementation
Tests: 350+ automated tests (98%+ pass rate)
Documentation: 18 docs, ~250 pages
Algorithms: 88 TPM2-compatible
Security Score: 100%
TLS Features: TLS 1.3 Hybrid KEM fully integrated
CVE Coverage: 2024-2025 high-impact SSL/TLS vulnerabilities

---

🤝 Contributing

This is a controlled DoD project. Contributions require:

• Security clearance
• Signed contributor agreement
• Internal review process

External contributions not currently accepted.

---

📄 License

License: Proprietary DoD License
Classification: UNCLASSIFIED // FOR OFFICIAL USE ONLY
Distribution: Authorized DoD personnel and contractors only

---

🙏 Acknowledgments

• OpenSSL Project (Apache 2.0)
• NIST PQC Program
• DSLLVM Team
• Intel Hardware Team
• DoD Crypto Modernization Program

---

📞 Support

• Documentation: docs/DOCUMENTATION_INDEX.md
• Testing: docs/TESTING.md
• DSLLVM Issues: https://github.com/SWORDIntel/DSLLVM/issues
• Internal: Use DoD secure channels

---

🔒 Security Enhancements (2025)

TLS 1.3 Hybrid KEM Integration

• ✅ Full handshake support for hybrid groups (X25519+ML-KEM-768, P-256+ML-KEM-768)
• ✅ Client and server key exchange implementation
• ✅ HKDF-based secret combination
• ✅ Policy-based group negotiation
• ✅ Comprehensive test suite

CVE Detection & Mitigation

• ✅ Real-time attack pattern detection
• ✅ Automatic mitigation for known vulnerabilities
• ✅ Security event logging and telemetry
• ✅ Support for 2024-2025 high-impact CVEs:
  • SSL/TLS injection attacks
  • Handshake DoS attacks
  • TLS 1.3 downgrade attacks
  • Key share replay attacks
  • Hybrid KEM manipulation

⚠️ Offensive Operations (Authorized Testing Only)

• ✅ Protocol manipulation (version downgrade, cipher suite manipulation)
• ✅ Key exchange attack simulation (replay, manipulation, hybrid bypass)
• ✅ Certificate attack testing (chain manipulation, signature testing)
• ✅ Timing analysis tools (side-channel testing)
• ✅ Resource exhaustion testing (DoS, memory exhaustion)
• ✅ Custom payload injection
• ✅ Authorization required - Security testing and red team exercises only
• ✅ Unauthorized use prohibited

Security Audit Improvements

• ✅ Memory safety fixes (strncpy, JSON injection)
• ✅ Constant-time annotations (CSNA 2.0)
• ✅ Policy enforcement enhancements
• ✅ Input validation improvements
• ✅ Build system hardening

Version: 1.1.0 (Phases 1-9 + TLS Hybrid KEM + CVE Detection - Production Ready)
Last Updated: 2025-01-15
Classification: UNCLASSIFIED // FOR OFFICIAL USE ONLY

For original OpenSSL documentation, see docs/openssl-original/