X.509DoS: Exploiting and Detecting Denial-of-Service Vulnerabilities in Cryptographic Libraries using Crafted X.509 Certificates
Bing Shi
34th USENIX Security Symposium (USENIX Security '25) · Day 1 · Software Security 1
Cybersecurity research typically concentrates on vulnerabilities that compromise the **confidentiality** or **integrity** of data, while **availability** receives comparatively less attention. The talk "X.509DoS" by Bing Shi addresses this gap with a comprehensive study of denial-of-service (DoS) vulnerabilities in cryptographic libraries, specifically those exploitable through maliciously crafted X.509 certificates. The research identifies a new class of attacks, dubbed **X.509DoS**, that exploit subtle flaws in certificate parsing and validation to trigger resource exhaustion or crashes in widely used systems.
AI review
Solid USENIX-quality research that carves out a genuinely underexplored attack surface: DoS via maliciously crafted X.509 certificates exploitable before signature verification, with 18+ CVEs and a particularly nasty zero-click persistence demo against Apple's trustd. The pre-sig-verify insight is the real contribution — it collapses the attacker's barrier to near zero and makes the entire class of bugs immediately weaponizable at scale.