VTechWorks staff will be away for the Thanksgiving holiday beginning at noon on Wednesday, November 27, through Friday, November 29. We will resume normal operations on Monday, December 2. Thank you for your patience.
 

Hammurabi: A Framework for Pluggable, Logic-Based X.509 Certificate Validation Policies

dc.contributor.authorLarisch, Jamesen
dc.contributor.authorAqeel, Waqaren
dc.contributor.authorLum, Michaelen
dc.contributor.authorGoldschlag, Yaelleen
dc.contributor.authorKannan, Leahen
dc.contributor.authorTorshizi, Kasraen
dc.contributor.authorWang, Yujieen
dc.contributor.authorChung, Taejoongen
dc.contributor.authorLevin, Daveen
dc.contributor.authorMaggs, Bruceen
dc.contributor.authorMislove, Alanen
dc.contributor.authorParno, Bryanen
dc.contributor.authorWilson, Christoen
dc.date.accessioned2023-03-07T13:23:46Zen
dc.date.available2023-03-07T13:23:46Zen
dc.date.issued2022-11-07en
dc.date.updated2023-01-23T15:13:50Zen
dc.description.abstractThis paper proposes using a logic programming language to disentangle X.509 certificate validation policy from mechanism. Expressing validation policies in a logic programming language provides multiple benefits. First, policy and mechanism can be more independently written, augmented, and analyzed compared to the current practice of interweaving them within a C or C++ implementation. Once written, these policies can be easily shared and modified for use in different TLS clients. Further, logic programming allows us to determine when clients differ in their policies and use the power of imputation to automatically generate interesting certificates, e.g., a certificate that will be accepted by one browser but not by another. We present a new framework called Hammurabi for expressing validation policies, and we demonstrate that we can express the complex policies of the Google Chrome and Mozilla Firefox web browsers in this framework. We confirm the fidelity of the Hammurabi policies by comparing the validation decisions they make with those made by the browsers themselves on over ten million certificate chains derived from Certificate Transparency logs, as well as 100K synthetic chains. We also use imputation to discover nine validation differences between the two browsers’ policies. Finally, we demonstrate the feasibility of integrating Hammurabi into Firefox and the Go language in less than 100 lines of code each.en
dc.description.versionPublished versionen
dc.format.mimetypeapplication/pdfen
dc.identifier.doihttps://doi.org/10.1145/3548606.3560594en
dc.identifier.urihttp://hdl.handle.net/10919/114048en
dc.language.isoenen
dc.publisherACMen
dc.rightsIn Copyrighten
dc.rights.holderThe author(s)en
dc.rights.urihttp://rightsstatements.org/vocab/InC/1.0/en
dc.titleHammurabi: A Framework for Pluggable, Logic-Based X.509 Certificate Validation Policiesen
dc.typeArticle - Refereeden
dc.type.dcmitypeTexten

Files

Original bundle
Now showing 1 - 1 of 1
Loading...
Thumbnail Image
Name:
3548606.3560594.pdf
Size:
1.21 MB
Format:
Adobe Portable Document Format
Description:
Published version
License bundle
Now showing 1 - 1 of 1
Name:
license.txt
Size:
0 B
Format:
Item-specific license agreed upon to submission
Description: