Portal de Periódicos da CAPES

Systematic parsing of X.509: Eradicating security issues with a parse tree

2018; IOS Press; Volume: 26; Issue: 6 Linguagem: Inglês

10.3233/jcs-171110

1875-8924

Alessandro Barenghi, Nicholas Mainardi, Gerardo Pelosi,

Software Testing and Debugging Techniques

X.509 certificate parsing and validation is a critical task which has shown consistent lack of effectiveness, with practical attacks being reported with a steady rate during the last 10 years. In this work we analyze the X.509 standard and provide a grammar description of it amenable to the automated generation of a parser with strong termination guarantees, providing unambiguous input parsing. We report the results of analyzing a 11M X.509 certificate dump of the HTTPS servers running on the entire IPv4 space, showing that 21.5% of the certificates in use are syntactically invalid. We compare the results of our parsing against 7 widely used TLS libraries showing that 631k to 1,156k syntactically incorrect certificates are deemed valid by them (5.7%--10.5%), including instances with security critical mis-parsings. We prove the criticality of such mis-parsing exploiting one of the syntactic flaws found in existing certificates to perform an impersonation attack.