ASN1*: Provably Correct Non-Malleable Parsing for ASN.1 DER

Haobin Ni (Department of Computer Science, Cornell University, Ithaca, NY, USA)
Antoine Delignat-Lavaud (Programming Principles and Tools)
Cédric Fournet (Programming Principles and Tools)
Tahina Ramananandro (RiSE: Research in Software Engineering, Microsoft Research, Redmond, WA, USA)
Nikhil Swamy (RiSE)

CPP 2023 (accepted for publication, to appear)

Abstract Syntax Notation One (ASN.1) is a language for strutured data exchange between computers, standardized by both ITU-T and ISO/IEC since 1984. The Distinguished Encoding Rules (DER) specify its non-malleable binary format: for a given ASN.1 data type, every value has a distinct, unique binary representation. ASN.1 DER is used in many security-critical interfaces for telecommunications and neworking, such as the X.509 public key infrastructure, where non-malleability is essential. However, due to the expressivness and flexibility of the general-purpose ASN.1 language, correctly parsing ASN.1 DER data formats is still considered a serious security challenge in practice.

We present ASN1*, the first formalization of ASN.1 DER with a mechanized proof of non-malleability. Our development provides a shallow embedding of ASN.1 in the F* proof assistant and formalizes its DER semantics within the EverParse parser generator framework. It guarantees that any ASN.1 data encoded using our DER semantics is nomalleable. It yields verified code that parses valid binary representations into values of the corresponding ASN.1 data type while rejecting invalid ones.

We empirically confirm that our semantics models ASN.1 DER usage in practice by evaluating ASN1* parsers extracted to OCaml on both positive and negative test cases involving X.509 certificates and Certificate Revocation Lists (CRLs).