Protocol Layering Attacks

Attacks that exploit semantic gaps between the layers of a protocol stack — e.g. between ASN.1 parsing, X.509 interpretation, and application-level name comparison — so that inputs that are benign at one layer become malicious at another. The structural attack class exposed across the PKI Layer Cake.

In this vault

Backlinks

PKI Layer Cake - Kaminsky Patterson Sassaman line 24

Linked Pages

Shotgun Parsing

LangSec anti-pattern: parsing interleaved with use/enforcement, scattered across the program — yields parser differentials and exploitable state.

In this vault

LangSec

Language-theoretic Security

Research programme treating input-handling bugs as recognition-theoretic failures: minimise input-language power and build validating recognisers.

In this vault

Parser Differential

Attack exploiting the fact that two parsers accept or interpret the same input differently.

In this vault

PKI Layer Cake - Kaminsky Patterson Sassaman

PKI Layer Cake: New Collision Attacks Against the Global X.509 Infrastructure

Reference: Dan Kaminsky, Meredith L. Patterson, and Len Sassaman (2009). Black Hat USA / IOActive technical report. Source file: 1299769.pdf. URL

Summary

Presents several new classes of attacks against the X.509 certificate infrastructure: MD2 preimage exploitation of VeriSign’s still-trusted root, PKCS#10 Subject Name confusion attacks exploiting inconsistent ASN.1 BER parsing between CAs and browsers (multiple CNs, OID leading-zero padding, integer overflow, early null terminators), SQL injection through PKCS#10 subject names, generic SSL client-authentication bypasses, and EV-certificate hijacking via mixed script content.

The paper is largely a case study in how ambiguity at the interface between components — in parsers, in semantics of fields like Common Name, in trust-store EKU handling — turns into exploitable security pathologies. It is of interest to agent-communication research as a cautionary tale about shared-format ambiguity between senders and receivers.

Key Ideas

ASN.1 BER is context-sensitive and handwritten parsers disagree subtly
Subject Name parsing varies across OpenSSL, NSS, CryptoAPI — attacker exploits the gap
MD2 preimage attack enables signature transfer to forged intermediate CA
“Sender-receiver parsing disagreement” as a general attack pattern
Postel’s robustness principle considered harmful for security-critical parsing

Connections

Conceptual Contribution

Claim: The global X.509 PKI is vulnerable not only because of weak hashes (MD2/MD5) but because layered, ambiguously-specified parsers (ASN.1 BER, PKCS#10, Subject Name handling) disagree about what a certificate says — an inter-layer semantic gap exploitable by attackers.
Mechanism: Demonstrate concrete attacks: MD2RSA signature transfer from Verisign’s root, Subject Name Confusion via implementation-dependent CN-selection policies, PKCS#10-tunneled SQL/ASN.1 injection, OID leading-zero/integer-overflow tricks, null-terminator CN spoofing, SSL Client Authentication EKU bypass, and EV hijacking via mixed-trust scripting.
Concepts introduced/used: Parser Differential, Parser Differentials, X.509 PKI, ASN.1 BER Ambiguity, Certificate Authorities, Protocol Layering Attacks, Distributed Security, LangSec, Language-theoretic Security, Postel’s Robustness Principle
Stance: empirical / security-critique
Relates to: Canonical case study for Distributed Security and a prime example of why A Language-Based Approach To Prevent DDoS-style disciplined parsing matters. The ambiguity of ASN.1 BER mirrors the semantic-drift concerns in agent communication languages (A Common Ontology Of ACLs, ACL Rethinking Principles) — when two parties disagree about message meaning, security or coordination fails.