Browsing by Author "Maggs, Bruce"
- Hammurabi: A Framework for Pluggable, Logic-Based X.509 Certificate Validation Policies
  Larisch, James; Aqeel, Waqar; Lum, Michael; Goldschlag, Yaelle; Kannan, Leah; Torshizi, Kasra; Wang, Yujie; Chung, Taejoong; Levin, Dave; Maggs, Bruce; Mislove, Alan; Parno, Bryan; Wilson, Christo (ACM, 2022-11-07)
  This paper proposes using a logic programming language to disentangle X.509 certificate validation policy from mechanism. Expressing validation policies in a logic programming language provides multiple benefits. First, policy and mechanism can be more independently written, augmented, and analyzed compared to the current practice of interweaving them within a C or C++ implementation. Once written, these policies can be easily shared and modified for use in different TLS clients. Further, logic programming allows us to determine when clients differ in their policies and use the power of imputation to automatically generate interesting certificates, e.g., a certificate that will be accepted by one browser but not by another. We present a new framework called Hammurabi for expressing validation policies, and we demonstrate that we can express the complex policies of the Google Chrome and Mozilla Firefox web browsers in this framework. We confirm the fidelity of the Hammurabi policies by comparing the validation decisions they make with those made by the browsers themselves on over ten million certificate chains derived from Certificate Transparency logs, as well as 100K synthetic chains. We also use imputation to discover nine validation differences between the two browsers’ policies. Finally, we demonstrate the feasibility of integrating Hammurabi into Firefox and the Go language in less than 100 lines of code each.
- No Root Store Left Behind
  Larisch, James; Aqeel, Waqar; Chung, Taejoong; Kohler, Eddie; Levin, Dave; Maggs, Bruce; Parno, Bryan; Wilson, Christo (ACM, 2023-11-28)
  When a root certificate authority (CA) in the Web PKI misbehaves, primary root-store operators such as Mozilla and Google respond by distrusting that CA. However, full distrust is often too broad, so root stores often implement partial distrust of roots, such as only accepting a root for a subset of domains. Unfortunately, derivative root stores (e.g., Debian and Android) that mirror decisions made by primary root stores are often out-of-date and cannot implement partial distrust, leaving TLS applications vulnerable. We propose augmenting root stores with per-certificate programs called General Certificate Constraints (GCCs) that precisely control the trust of root certificates. We propose that primary root-store operators write GCCs and distribute them, along with routine root certificate additions and removals, to all root stores in the Web PKI. To justify our arguments, we review specific instances of CA certificate mis-issuance over the last decade that resulted in partial distrust of roots that derivative root stores were unable to precisely mirror. We also review prior work that illustrates the alarming lag between primary and derivative root stores. We discuss preliminary designs for GCC deployment and how GCCs could enable pre-emptive restrictions on CA power.