LANGSEC. Arthur, Jan, Marco. Berlin, 14. Oktober Humboldt-Universität zu Berlin Institut für Informatik Lehrstuhl Praktische Informatik

Size: px

Start display at page:

Download "LANGSEC. Arthur, Jan, Marco. Berlin, 14. Oktober Humboldt-Universität zu Berlin Institut für Informatik Lehrstuhl Praktische Informatik"

Dora York
6 years ago
Views:

1 (language-theoretic security) Humboldt-Universität zu Berlin Institut für Informatik Lehrstuhl Praktische Informatik Berlin, 14. Oktober 2016

2 (language-theoretic security) language-theoretic security theory extracted from practice what are exploits? why do they happen? how do they work? how to prevent them?

3 In Short (language-theoretic security) Lisp: code is data

4 In Short (language-theoretic security) Lisp: : code is data data is code

5 In Short (language-theoretic security) Lisp: : code is data data is code Exploits are unexpected computations that run on weird machines.

6 Example: PDF (language-theoretic security) the standard says: %PDF-1.5 header: %PDF- + version % (...file content goes here...) % at the end: xref % fixed-format(!) lookup table 0 23 % revision, #objects f % don t ask n % offset version n CRLF n % (...more object locations...) trailer << /Root 5 0 R % root node of document tree % (...more info...) >> startxref % ASCII decimal offset of xref %%EOF

7 (language-theoretic security) libpoppler: reading a PDF PDFDoc::PDFDoc( GooString *filename, GooString *ownerpw, GooString *userpw ) { Object obj; file = GooFile::open(fileName); if (file == NULL) { /* [...] error out */ } obj.initnull(); str = new FileStream(file, 0, gfalse, file->size(), &obj); ok = setup(ownerpassword, userpassword); } GBool PDFDoc::setup(GooString *ownerpassword, GooString * userpassword) { // Adobe does not seem to enforce %%EOF, so we do the same // if (!checkfooter()) return gfalse; checkheader(); /*...more stuff... */ }

8 (language-theoretic security) libpoppler: reading a PDF /* somewhere above: #define headersearchsize 1024 */ // Check for PDF header, skip past garbage if necessary. void PDFDoc::checkHeader() { char hdrbuf[headersearchsize+1], *p, *tokptr; int i; /* [...] copy headersearchsize bytes into hdrbuf */ for (i = 0; i < headersearchsize - 5; ++i) { if (!strncmp(&hdrbuf[i], "%PDF-", 5)) break; } if (i >= headersearchsize - 5) { error(errsyntaxwarning, -1, "May not be a PDF file ( continuing anyway)"); return; } if (!(p = strtok_r(&hdrbuf[i+5], " \t\n\r", &tokptr))) { error(errsyntaxwarning, -1, "May not be a PDF file ( continuing anyway)"); return; } sscanf(p, "%d.%d", &pdfmajorversion, &pdfminorversion); // We don t do the version check. Don t add it back in. }

9 (language-theoretic security) libpoppler: reading a PDF /* somewhere above: #define headersearchsize 1024 */ // Check for PDF header, skip past garbage if necessary. void PDFDoc::checkHeader() { char hdrbuf[headersearchsize+1], *p, *tokptr; int i; /* [...] copy headersearchsize bytes into hdrbuf */ for (i = 0; i < headersearchsize - 5; ++i) { if (!strncmp(&hdrbuf[i], "%PDF-", 5)) break; } if (i >= headersearchsize - 5) { error(errsyntaxwarning, -1, "May not be a PDF file ( continuing anyway)"); return; } if (!(p = strtok_r(&hdrbuf[i+5], " \t\n\r", &tokptr))) { error(errsyntaxwarning, -1, "May not be a PDF file ( continuing anyway)"); return; } sscanf(p, "%d.%d", &pdfmajorversion, &pdfminorversion); // We don t do the version check. Don t add it back in. }

10 (language-theoretic security) libpoppler: reading a PDF let s just stop here: it goes on like that... knowing the standard does not help at all for reasoning about actual systems plenty of room for unexpected behavior

11 Problems (language-theoretic security) recovery code / user friendliness / Postel Principle breaks simple theoretical models & specifications is part of the actual system more computational power & expressivity for attacker Postel s Robustness Principle be conservative in what you do, be liberal in what you accept from others.

12 Problems (language-theoretic security) parser as attack surface the whole system matters

13 (language-theoretic security)

14 (language-theoretic security)

15 (language-theoretic security) What are? naive approach: file has ONE data type A Polyglot is a file with various data types example: A PDF which is a ZIP-archive at the same time

16 (language-theoretic security) What are? naive approach: file has ONE data type A Polyglot is a file with various data types example: A PDF which is a ZIP-archive at the same time

17 (language-theoretic security) What are? naive approach: file has ONE data type A Polyglot is a file with various data types example: A PDF which is a ZIP-archive at the same time

18 (language-theoretic security) Why are interesting? shows the compromises IT has to deal with are de facto unavoidable shows ambiguity

19 (language-theoretic security) Why are interesting? shows the compromises IT has to deal with are de facto unavoidable shows ambiguity

20 (language-theoretic security) Why are interesting? shows the compromises IT has to deal with are de facto unavoidable shows ambiguity

21 (language-theoretic security) Our main aim while experimenting with First of all: understanding maybe finding a security problem

22 (language-theoretic security) Our main aim while experimenting with First of all: understanding maybe finding a security problem

23 (language-theoretic security) Demo

24 (language-theoretic security)

25 (language-theoretic security)

26 (language-theoretic security) A normal PNG that is rejected by MediaWiki.

27 (language-theoretic security) If you want to learn more... langsec.org for all things github.com/corkami/pics/ file formats International Journal of PoC GTFO, e.g. from read more code unzip this PDF

Vulnerability Report

Vulnerability Report Attacks bypassing the signature validation in PDF Vladislav Mladenov, Christian Mainka, Karsten Meyer zu Selhausen, Martin Grothe, Jörg Schwenk November 08, 2018 Chair for Network