SlideShare ist ein Scribd-Unternehmen logo

Improving file formats

Ange Albertini
Ange Albertini

From  to ? Reflections on the problems and some potential solutions.

Technologie
1 von 78
Downloaden Sie, um offline zu lesen
Ange Albertini …? Improving file formats toReflections on the problems and some potential solutions From…
Microsoft(R) MS-DOS(R) Version 3.30 (C)Copyright Microsoft Corp 1981-1987 A> In 1989... our computer (10 MHz CPU, 20 Mb HDD) was infected by a virus...
Thankfully, a french magazine explained how to remove it...
Dans la série des virus qui sont censés vous sortir de la torpeur inhérente à des heures de travail fastidieux devant un écran, il y a aussi le Ping-pong (ou Italian Bouncing) : avec une lenteur désespérante, une baballe rebondit sur les caractères, puis elle les efface, puis une autre apparaît, rebondit encore, et le phénomène continue de se reproduire jusqu'à ce que l'écran ne soit plus que balles vagabondes. C'est certainement le plus visuel des virus sur compatibles IBM, mais aussi le plus exaspérant et le plus récurrent. Installé sur un secteur des pistes de démarrage, il occupe deux autres secteurs qu'il marque comme endommagés dans la table d'allocation des fichiers. Par chance, il n'attaque que les IBM PC-XT. Pour s'en débarrasser, il faut rétablir les pistes de démarrage dans leur état d'origine. Avec un éditeur d'octets du type PC-Tools, vérifiez la présence des octets 33 C0 dans les zones 30 et 31 du secteur d'amorçage du disque dur ; s'ils sont bien présents, mieux vaut exécuter la commande SYS depuis une disquette Système saine; à la fin de la première table d'allocation des fichiers du disque dur, remplacez les trois derniers octets (FF 7F FF) par FF 0F 00. Puis localisez le code du virus lui-même, qui commence par FF 06 F3 7D 8B 1E, et remplacez-le (ainsi que tous les octets qui suivent, jusqu'à 55 AA) par F6 si le formatage est dû à la commande FORMAT du système, ou par 00 s'il provient de PC-Tools. ...by yourself, with a hex editor! “…At the end of the first file allocation table of the hard disk, replace the last 3 bytes FF 7F FF by FF 0F 00. Then find the code of the virus itself which starts with FF 06 F3 7D 8B 1E and overwrite it (including all following bytes, until 55 AA) by F6…” This was my introduction to hex editors and malware.!
About the author ● 13 years of malware analysis ● now Information Security Engineer Note: this talk reflects my own opinion, not my employer.
https://github.com/angea/pocorgtfo#0x19 0cd2741c9dc05b49dcecb10b71c3c6a6b6df4c82d555c70f483913b71be7fa5a My latest creation: 6 file types, 4 prefixes, 3 hashes collisions.
Document, visualize draw, teach.
There are various (with a few things in common) communities around file formats ...and I’m interested in all of them DFIR Black hat White hat DigiPres User Dev
Let’s craft a (commercial & successful) software from scratch... (Yes, really) As a starter...
On this computer...
Let’s launch...
...this OS. 3” Compact Floppy 2 180 Kb / side CP/M 1974 -> DOS 1981 -> Windows 1985
size=0 Create an empty file Let's create… an EMPTY executable!
Is it valid? Yes: Transient Commands are blindly loaded and execution is started at offset zero. (that’s how executables were called on CP/M)
Does it do anything? The Transient Memory Area is not cleared between executions, so the previous command is re-executed.
working as intended (repeats previous command)
Under a commercial OS from 1985, the empty file is valid, useful and reliable. It was even sold as a commercial program for £5. Consistent & reliable.
- Many things have changed since the 80s :) But.... - weird files are nothing new. - Software always defined the rules. - Specifications are entirely optional. - There’s no “that’s not how it works”. Lessons learned
The file format problem A misunderstood field -"specs are enough" -> received less attention -> least rigorous field of computing. Not enough pre-natal checks. Lacking growth control. Crypto File formats
Better controls when designing a format. Better checks to follow its evolution. And we need to educate the different communities. We need...
There is hope: some great formats-focused projects... Note that none of these projects is from the original developer and was started long after the format became mainstream. I.E. a format must be mainstream for a very long time until someone started something similar, much later.
VeraPDF open source PDF/A validator and its corpus, and more… PDF: Adobe 1993 VeraPDF: ISO 2014
CaraDoc https://github.com/caradoc-org/caradoc Caradoc - a PDF parser and validator Caradoc is a parser and validator of PDF files written in OCaml. This is version 0.3 (beta). Caradoc provides many commands to analyze PDFs, as well as an interactive user interface in console. Caradoc was presented at the the third Workshop on Language-Theoretic Security (LangSec) in May 2016.
Cornercases. PoCs. Test suite. Comparative charts… http://seriot.ch/parsing_json.php While JSON is fairly simple, it's still a huge effort for a single person. Nicolas Seriot’s JSON parsers analysis
Michał Górny's TAR analysis https://dev.gentoo.org/~mgorny/articles/portability-of-tar-features.html
BMP Suite https://github.com/jsummers/bmpsuite
We need new tools to define the (current) ground truth. New (automated, scalable) tools -> visibility of the landscape -> understanding (documentations and metrics) -> update of the state of the art -> educating communities -> change the landscape
There are always unknown unknowns.
We need to explore at scale.
GIF (1987) used LZW - patented, and enforced in 1994 JIF was created: GIF (LZW 1984) -> JIF (zLib 1990) Technically, JIFs had all reasons to replace GIFs. From GIF to JIF
Jif: an obvious idea, lost in time. In practice, JIF doesn’t exist: unknown to file unknown to VirusTotal A single file, that I uploaded recently. But it's supported by XnView -> Deprecation is very hard. -> InfoSec doesn’t overlap with DigiPres. https://folk.uib.no/hfohd/SLF/Dyvik/theslist.jif 0fb6018a224cfd9926968c80621f20660b825ec17ef4707b64a0a1d77abf9281
Deprecation? fear, uncertainty, doubt. GIF deprecation == “no more memes/cat pics”? -> irrationality Fight irrationality with ‘data-driven explanations’. -> documentations and metrics. Which, for now, means just "original specs". (that are 30+ year old)
Yet we still use Tape/floppies oriented feature! We can't kill ZIP/Tar. Because of no visibility or way to enforce a successor.
A long forgotten (yet official) way for GIF to display text (they're not comments) GIF Plain Text Extension --------: Introducing GIF89a :-------- When you finish reading this, press any key to continue. If you just sit back and watch, we'll continue when the built-in delay runs out. GIF89a provides for "disposing of" an image or text. All the text in this GIF is "restore to previous", so that the underlying image is restored when you press a key or the delay runs out. "Transparent" images or text can be written over an underlying image so that parts of the old image "show through" the new one. Oh, incidentally, it's pronounced "JIF" This image contains these text frames https://github.com/corkami/formats/blob/WIP/image/gif89a.md#plain-text-extension BOB_89A.GIF
Specifications Written years/decades ago. Originally made for 80x25 screens :) Never updated. Some features are lost or never implemented. Novelties from 1989
No standard way to make transparent JPGs(1992) There are many possible ways (PDF, SVG, TIF, PSD) but no generalized one. It's not just GIF! Another obvious absence in 2019...
A typical file format timeline Good intentions: proper planning. Official specs. Set in stone. Bad things happen: Interpretation blur, unofficial extensions. Format is now used everywhere: Misunderstood. Unmovable.
A new (version of a) parser is out? Fuzz. Get bug fixed. Collect pride & glory. Rinse. Repeat. 10 ParserUpdate 20 Fuzz 30 Fail 40 Collect 50 GOTO 10
A holy text and its cult. How we perceive file formats: ORDER OF THE RFC
More like… outdated and irrelevant practices. ORDER OF THE RFC
The following GIF Capabilities Response message describes three standard IBM PC Enhanced Graphics Adapter configurations with no printer; the GIF data stream can be processed within an error correcting protocol: Spanning is the process of segmenting a ZIP file across multiple removable media. This support has typically only been provided for DOS formatted floppy diskettes. What we have (what we're left with) Sh*tMySpecsSays (outdated/irrelevant) [GIF] The Plain Text Extension contains textual data and the parameters necessary to render that data as a graphic, in a simple form. [JPEG] The APP0 marker is used to identify a JPEG FIF file. The JPEG FIF APP0 marker is mandatory right after the SOI marker. [PNG] For colour types 2 and 6 (truecolour and truecolour with alpha), the PLTE chunk is optional. If present, it provides a suggested set of from 1 to 256 colors to which the truecolor image can be quantized if the viewer cannot display truecolor directly. ... A CRC should be checked before processing the chunk data.
Sh*tMyParserSays What we see...
Encyclopedia of graphics file formats A ‘good’ reference but: - outdated (1996). - doesn't reflect the current landscape. Oxford dictionary: still fresh
What we'd need…. (more exactly, we first need the tools to get there) Covers all CVEs Test files included New content Cheat sheets
People rely on the original specs. (Nothing changes) The status quo How it is (mostly) How it should be. Fuzzing/manual analysis -> bug found LAndscape analysis Test/fuzzing corpus Hardening (filtering, normalization)
Typical advances in file formats Decorated navigation/char sets
Kaitai From Yaml grammar to... meta: id: bmp file-extension: bmp endian: le license: CC0-1.0 ks-version: 0.8 seq: - id: file_hdr type: file_header - id: len_dib_header type: s4 - id: dib_header size: len_dib_header - 4 type: switch-on: len_dib_header cases: 12: bitmap_core_header 40: bitmap_info_header 104: bitmap_core_header 124: bitmap_core_header types: file_header: -orig-id: BITMAPFILEHEADER seq: - id: magic -orig-id: bfType contents: "BM" - id: len_file -orig-id: bfSize type: u4 - id: reserved1 -orig-id: bfReserved1 type: u2
Kaitai: Many formats (and grammar visualisation)
Kaitai grammars: readable, concise -> a good starter for understanding https://github.com/kaitai-io/dicom.ksy/blob/master/dicom.ksy meta: id: dicom file-extension: dcm license: MIT endian: le seq: - id: file_header type: t_file_header - id: elements type: t_data_element_implicit repeat: eos types: t_file_header: seq: - id: preamble size: 128 - id: magic contents: 'DICM' [...] <-> The DICOM Standard
Kaitai’s great IDE (read-only file-wise, classic offset/hex/ascii view)
Kaitai parser compiler private void _read() { _magic = m_io.EnsureFixedContents(new byte[] { 66, 77 }); _lenFile = m_io.ReadU4le(); _reserved1 = m_io.ReadU2le(); _reserved2 = m_io.ReadU2le(); _ofsBitmap = m_io.ReadS4le(); } sub _read { my ($self) = @_; $self->{magic} = $self->{_io}->ensure_fixed_contents(pack('C*', (66, 77))); $self->{len_file} = $self->{_io}->read_u4le(); $self->{reserved1} = $self->{_io}->read_u2le(); $self->{reserved2} = $self->{_io}->read_u2le(); $self->{ofs_bitmap} = $self->{_io}->read_s4le(); } private function _read() { $this->_m_magic = $this->_io->ensureFixedContents("x42x4D"); $this->_m_lenFile = $this->_io->readU4le(); $this->_m_reserved1 = $this->_io->readU2le(); $this->_m_reserved2 = $this->_io->readU2le(); $this->_m_ofsBitmap = $this->_io->readS4le(); } void bmp_t::file_header_t::_read() { m_magic = m__io->ensure_fixed_contents(std::string("x42x4D", 2)); m_len_file = m__io->read_u4le(); m_reserved1 = m__io->read_u2le(); m_reserved2 = m__io->read_u2le(); m_ofs_bitmap = m__io->read_s4le(); } private void _read() { this.magic = this._io.ensureFixedContents(new byte[] { 66, 77 }); this.lenFile = this._io.readU4le(); this.reserved1 = this._io.readU2le(); this.reserved2 = this._io.readU2le(); this.ofsBitmap = this._io.readS4le(); } def _read(self): self.magic = self._io.ensure_fixed_contents(b"x42x4D") self.len_file = self._io.read_u4le() self.reserved1 = self._io.read_u2le() self.reserved2 = self._io.read_u2le() self.ofs_bitmap = self._io.read_s4le() FileHeader.prototype._read = function() { this.magic = this._io.ensureFixedContents([66, 77]); this.lenFile = this._io.readU4le(); this.reserved1 = this._io.readU2le(); this.reserved2 = this._io.readU2le(); this.ofsBitmap = this._io.readS4le(); } def _read @magic = @_io.ensure_fixed_contents([66, 77].pack('C*')) @len_file = @_io.read_u4le @reserved1 = @_io.read_u2le @reserved2 = @_io.read_u2le @ofs_bitmap = @_io.read_s4le self end
Not everything can be expressed with Yaml. Mixed formats (PDF) or bit-level (BZip2) can’t work. Kaitai limitations <= BZip2 (Bit-based) PDF => (Text skeleton)
Very good to explain logic at various level. Underrated, underused. Syntax diagrams
Different levels of details for different goals. 2 syntax diagrams of the same format (JPEG)
It can be useful to see every detail. It can be overwhelming (and intimidating) and prevent us to grasp their generic structure.
Already simplified, yet not so clear -> you may miss some important points.
Useful to explain specific concepts. Long comment: 1st image extended as a comment Short comment: comment stops before the first image. Collision schema Same color+shape = same data structur
What do they lack? 1/2 Different views are needed: Sometimes, you need just the logic. Sometimes, you need to explain the bytes and encoding. Sometimes, you want to show the basic requirements.
What do they lack? 2/2 No collapsable groups - that could be annotated. No relations between elements: Ex: isPalettePresent bit then Palette array.
File ::= 'GIF' '8[7-9]a' LogScrDesc GlobalPal? (('!' FuncCode ( Length Data+)* '0')* ',' ImgDesc LocalPal? CodeSize (Length Data+)* '0')+ ';' macro_rules! ECS { ($SoI:expr $( $( Segments )+ $( Scan $ECS:ty $( $Restart:expr $ECS:ty)* )+ )+ $EoI:expr ) => { ... }; } Some (limited but worth knowing) tools for syntax diagrams JPEG Gif
My own contributions... (Individual effort in my spare time)
Better specs: first, better format. Then, rewrite. Specs are either ASCII-formatted, HTML, PDFs - not so convenient. Reformatting as MarkDown with rendered elements with parsable diagrams and logic. GIFDataStream ::= Header LogicalScreen Data* Trailer LogicalScreen ::= LogicalScreenDescriptor GlobalColorTable? Data ::= GraphicBlock | SpecialPurposeBlock GraphicBlock ::= GraphicControlExtension? GraphicRenderingBlock GraphicRenderingBlock ::= TableBasedImage | PlainTextExtension TableBasedImage ::= ImageDescriptor LocalColorTable? ImageData SpecialPurposeBlock ::= ApplicationExtension | CommentExtension Complete ::= Header LogicalScreenDescriptor GlobalColorTable? (GraphicControlExtension? ((ImageDescriptor LocalColorTable? ImageData) | PlainTextExtension) | (ApplicationExtension | CommentExtension))* Trailer https://github.com/corkami/formats
Scalable and readable hex representation that could be plugged to any parser even w/ just dynamic instrumentation. Outputs: - ANSI text -> HTML / RTF / TeX - CSS-less SVG -> PDF Better binary visualisation Type:Png [file] Field Value 000: 89 .P .N .G r n 1a n +00 signature x89PNGrnx1an 0 1 2 3 4 5 6 7 8 9 a b c d e f Chunk: Image Header [chunk] Field Value 000: 00 00 00 0D .I .H .D .R +00 length 13 010: 00 00 00 03 00 00 00 01 08 02 00 00 00 94 82 83 +04 type IHDR 020: E3 +15 crc-32 0x948283e3 0 1 2 3 4 5 6 7 8 9 a b c d e f Chunk: Image Data [chunk] Field Value 020: 00 00 00 15 .I .D .A .T 08 1D 01 0A 00 F5 FF +00 length 21 030: 00 FF 00 00 00 FF 00 00 00 FF 0E FB 02 FE E9 32 +04 type IDAT 040: 61 E5 +1d crc-32 0xe93261e5 0 1 2 3 4 5 6 7 8 9 a b c d e f Chunk: Image End [chunk] Field Value 040: 00 00 00 00 .I .E .N .D AE 42 60 82 +00 length 0 0 1 2 3 4 5 6 7 8 9 a b c d e f +04 type IEND +08 crc-32 0xae426082 https://github.com/corkami/sbud
Better binary dissection+edition db `x89PNGrnx1an` ; signature ;0000: chunk1: ; chunk1 { //Image Header ddbe 13 ; length ;0008: ;ddbe (chunk1.crc32 - chunk1.data) .type db `IHDR` ; type ;000c: .data: ; Data { incbin 'rgb.png', 0x10, 0xd ;0010: ;} ; } //Data .crc32 ddbe 0x948283e3 ; crc-32 ;001d: ;> chunk1.crc32=CRC32(chunk1.type,chunk1.crc32) ;} ; } //chunk chunk2: ; chunk2 { //Image Data ddbe 21 ; length ;0021: ;ddbe (chunk2.crc32 - chunk2.data) .type db `IDAT` ; type ;0025: .data: ; Data { incbin 'rgb.png', 0x29, 0x15 ;0029: ;} ; } //Data .crc32 ddbe 0xe93261e5 ; crc-32 ;003e: ;> chunk2.crc32=CRC32(chunk2.type,chunk2.crc32) ;} ; } //chunk chunk3: ; chunk3 { //Image End ddbe 0 ; length ;0042: ;ddbe (chunk3.crc32 - chunk3.data) .type db `IEND` ; type ;0046: .data: .crc32 ddbe 0xae426082 ; crc-32 ;004a: ;> chunk3.crc32=CRC32(chunk3.type,chunk3.crc32) ;} ; } //chunk Raw assembly (no opcodes) with many macros and structure decoration. A new language could be better, But the jump is not clearly needed yet. https://github.com/corkami/sbud
No “Executable” GUI please! GUIs give fancy representation easily, but then we’re left with ugly screenshots. -> better output parseable/reusable format from the beginning Eventually with an interactive webpage and showing a rendering in the browser.
More info @ https://speakerdeck.com/ange/no-more-dumb-hex
PDF: here be dragons
PDF has a lot of hard problems such as.. Whitespace in PDF (all readers don't agree)
What a normal PDF usually looks like.
What a weird PDF can look like. %PDF-1.3 1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj 2 0 obj<</Type/Pages/Count 1/Kids[3 0 R]>>endobj 3 0 obj<</Type/Page/Contents 4 0 R/Parent 2 0 R/Resources<</Font<</F<</Type/Font/Subtype/Type1/Base Font/Arial>>>>>>>>endobj 4 0 obj<<>>stream BT/F 55 Tf 10 400 Td(http://www.corkami.com)' ET endstream endobj trailer <</Root 1 0 R>> This one works fine with all readers without any warning. No XREF, no /Length, no /Size
What a crazy PDF can look like….
t1t0tobj<</Resources<</Font<</<</BaseFont//Subtype/>>>>>>/Contents<<>>streamn /t50Tf20r450Td(http://www.corkami.com)Tjendstream>>endobjx20 trailer<</Root<</Pages<</Kids[1t0R]/Countf9 This is a valid PDF for fireFox. It breaks so many rules, and yet... it works without any warning!
t1t0tobj<</Resources<</Font<</<</BaseFont//Subtype/>>>>>>/Contents<<>>streamn /t50Tf20r450Td(http://www.corkami.com)Tjendstream>>endobjx20 trailer<</Root<</Pages<</Kids[1t0R]/Countf9 No %PDF signature,no Type, no Parent... Mixed whitespace. Empty font name, BaseFont, Subtype. Recursive & inline stream object. Non-closed dictionaries. No whitespace between keywords and numbers. 9 pages counted but only 1 kid. We really have a lot of cleaning to do...
This crazy PDF can’t be repaired with standard tools. $ mutool clean wtff0C.pdf error: cannot recognize version marker warning: trying to repair broken xref error: invalid key in dict error: cannot parse dict error: invalid indirect reference in dict error: cannot parse dict error: cannot parse dict error: cannot parse dict error: invalid key in dict error: cannot parse dict error: cannot load object (1 0 R) into cache warning: ignoring broken object (1 0 R) error: invalid key in dict error: cannot parse dict error: cannot load object (1 0 R) into cache warning: cannot load object (1 0 R) into cache $ qpdf wtff0C.pdf repaired.pdf WARNING: wtff0C.pdf: can't find PDF header WARNING: wtff0C.pdf: file is damaged WARNING: wtff0C.pdf: can't find startxref WARNING: wtff0C.pdf: Attempting to reconstruct cross-reference table wtff0C.pdf: unable to find trailer dictionary while recovering damaged file $ %PDF-0.0 %%μῦ 1 0 obj null endobj xref 0 2 0000000000 65536 f 0000000018 00000 n trailer <</Size 2>> startxref 38 %%EOF Output from mutool:
Conclusion
A really long way to go...https://reference.pdfa.org/iso/32000/
tests/ valid extreme obsolete invalid bug exploit tools/ reader writer visualizer fuzzer sanitizer docs/ specs grammars What we want in the future…? VeraPDFˆX
Acknowlegdments: Dr Sergey Bratus Thank you! Any feedback? From to ?

Empfohlen

TimeCryption
TimeCryptionTimeCryption
TimeCryption
Ange Albertini
 
The challenges of file formats
The challenges of file formatsThe challenges of file formats
The challenges of file formats
Ange Albertini
 
PDF secrets - hiding & revealing secrets in PDF documents
PDF secrets - hiding & revealing secrets in PDF documentsPDF secrets - hiding & revealing secrets in PDF documents
PDF secrets - hiding & revealing secrets in PDF documents
Ange Albertini
 
HackIM 2012 CTF Walkthrough
HackIM 2012 CTF WalkthroughHackIM 2012 CTF Walkthrough
HackIM 2012 CTF Walkthrough
Himanshu Kumar Das
 
[Gary entsminger] turbo_pascal_for_windows_bible(book_fi.org)
[Gary entsminger] turbo_pascal_for_windows_bible(book_fi.org)[Gary entsminger] turbo_pascal_for_windows_bible(book_fi.org)
[Gary entsminger] turbo_pascal_for_windows_bible(book_fi.org)
Yogi Sharo
 
Except UnicodeError: battling Unicode demons in Python
Except UnicodeError: battling Unicode demons in PythonExcept UnicodeError: battling Unicode demons in Python
Except UnicodeError: battling Unicode demons in Python
Aram Dulyan
 
Common mistakes in C programming
Common mistakes in C programmingCommon mistakes in C programming
Common mistakes in C programming
Larion
 
Trusting files (and their formats)
Trusting files (and their formats)Trusting files (and their formats)
Trusting files (and their formats)
Ange Albertini
 

Empfohlen

TimeCryption
TimeCryptionTimeCryption
TimeCryption
Ange Albertini
 
The challenges of file formats
The challenges of file formatsThe challenges of file formats
The challenges of file formats
Ange Albertini
 
PDF secrets - hiding & revealing secrets in PDF documents
PDF secrets - hiding & revealing secrets in PDF documentsPDF secrets - hiding & revealing secrets in PDF documents
PDF secrets - hiding & revealing secrets in PDF documents
Ange Albertini
 
HackIM 2012 CTF Walkthrough
HackIM 2012 CTF WalkthroughHackIM 2012 CTF Walkthrough
HackIM 2012 CTF Walkthrough
Himanshu Kumar Das
 
[Gary entsminger] turbo_pascal_for_windows_bible(book_fi.org)
[Gary entsminger] turbo_pascal_for_windows_bible(book_fi.org)[Gary entsminger] turbo_pascal_for_windows_bible(book_fi.org)
[Gary entsminger] turbo_pascal_for_windows_bible(book_fi.org)
Yogi Sharo
 
Except UnicodeError: battling Unicode demons in Python
Except UnicodeError: battling Unicode demons in PythonExcept UnicodeError: battling Unicode demons in Python
Except UnicodeError: battling Unicode demons in Python
Aram Dulyan
 
Common mistakes in C programming
Common mistakes in C programmingCommon mistakes in C programming
Common mistakes in C programming
Larion
 
Trusting files (and their formats)
Trusting files (and their formats)Trusting files (and their formats)
Trusting files (and their formats)
Ange Albertini
 
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
RootedCON
 
Finding 0days at Arab Security Conference
Finding 0days at Arab Security ConferenceFinding 0days at Arab Security Conference
Finding 0days at Arab Security Conference
Rodolpho Concurde
 
(Slightly) Smarter Smart Pointers
(Slightly) Smarter Smart Pointers(Slightly) Smarter Smart Pointers
(Slightly) Smarter Smart Pointers
Carlo Pescio
 
Vocabulary Types in C++17
Vocabulary Types in C++17Vocabulary Types in C++17
Vocabulary Types in C++17
Bartlomiej Filipek
 
Flex
FlexFlex
Flex
9029170256
 
Let's talks about string operations in C++17
Let's talks about string operations in C++17Let's talks about string operations in C++17
Let's talks about string operations in C++17
Bartlomiej Filipek
 
Checking the Open-Source Multi Theft Auto Game
Checking the Open-Source Multi Theft Auto GameChecking the Open-Source Multi Theft Auto Game
Checking the Open-Source Multi Theft Auto Game
Andrey Karpov
 
A Tour of Go - Workshop
A Tour of Go - WorkshopA Tour of Go - Workshop
A Tour of Go - Workshop
Rodolfo Carvalho
 
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
RootedCON
 
When AES(☢) = ☠ - Episode V
When AES(☢) = ☠ - Episode VWhen AES(☢) = ☠ - Episode V
When AES(☢) = ☠ - Episode V
Ange Albertini
 
What the &~#@&lt;!? (Pointers in Rust)
What the &~#@&lt;!? (Pointers in Rust)What the &~#@&lt;!? (Pointers in Rust)
What the &~#@&lt;!? (Pointers in Rust)
David Evans
 
Python 3 Compatibility (PyCon 2009)
Python 3 Compatibility (PyCon 2009)Python 3 Compatibility (PyCon 2009)
Python 3 Compatibility (PyCon 2009)
Lennart Regebro
 
Guadalajara con 2012
Guadalajara con 2012Guadalajara con 2012
Guadalajara con 2012
Jaime Restrepo
 
Big Data & NoSQL - EFS'11 (Pavlo Baron)
Big Data & NoSQL - EFS'11 (Pavlo Baron)Big Data & NoSQL - EFS'11 (Pavlo Baron)
Big Data & NoSQL - EFS'11 (Pavlo Baron)
Pavlo Baron
 
The Go features I can't live without, 2nd round
The Go features I can't live without, 2nd roundThe Go features I can't live without, 2nd round
The Go features I can't live without, 2nd round
Rodolfo Carvalho
 
José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...
José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...
José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...
RootedCON
 
Piloting processes through std IO at the Ruby Drink-up of Sophia, January 2012
Piloting processes through std IO at the Ruby Drink-up of Sophia, January 2012Piloting processes through std IO at the Ruby Drink-up of Sophia, January 2012
Piloting processes through std IO at the Ruby Drink-up of Sophia, January 2012
rivierarb
 
The Go features I can't live without
The Go features I can't live withoutThe Go features I can't live without
The Go features I can't live without
Rodolfo Carvalho
 
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
RootedCON
 
Caring for file formats
Caring for file formatsCaring for file formats
Caring for file formats
Ange Albertini
 
What every C++ programmer should know about modern compilers (w/ comments, AC...
What every C++ programmer should know about modern compilers (w/ comments, AC...What every C++ programmer should know about modern compilers (w/ comments, AC...
What every C++ programmer should know about modern compilers (w/ comments, AC...
Sławomir Zborowski
 
Proyecto de microcontroladores
Proyecto de microcontroladoresProyecto de microcontroladores
Proyecto de microcontroladores
Carlos Molina
 

Weitere ähnliche Inhalte

Was ist angesagt?

Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
RootedCON
 
José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...
José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...
José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...
RootedCON
 
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
RootedCON
 

Was ist angesagt? (19)

Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
 
Finding 0days at Arab Security Conference
Finding 0days at Arab Security ConferenceFinding 0days at Arab Security Conference
Finding 0days at Arab Security Conference
 
(Slightly) Smarter Smart Pointers
(Slightly) Smarter Smart Pointers(Slightly) Smarter Smart Pointers
(Slightly) Smarter Smart Pointers
 
Vocabulary Types in C++17
Vocabulary Types in C++17Vocabulary Types in C++17
Vocabulary Types in C++17
 
Flex
FlexFlex
Flex
 
Let's talks about string operations in C++17
Let's talks about string operations in C++17Let's talks about string operations in C++17
Let's talks about string operations in C++17
 
Checking the Open-Source Multi Theft Auto Game
Checking the Open-Source Multi Theft Auto GameChecking the Open-Source Multi Theft Auto Game
Checking the Open-Source Multi Theft Auto Game
 
A Tour of Go - Workshop
A Tour of Go - WorkshopA Tour of Go - Workshop
A Tour of Go - Workshop
 
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
 
When AES(☢) = ☠ - Episode V
When AES(☢) = ☠ - Episode VWhen AES(☢) = ☠ - Episode V
When AES(☢) = ☠ - Episode V
 
What the &~#@&lt;!? (Pointers in Rust)
What the &~#@&lt;!? (Pointers in Rust)What the &~#@&lt;!? (Pointers in Rust)
What the &~#@&lt;!? (Pointers in Rust)
 
Python 3 Compatibility (PyCon 2009)
Python 3 Compatibility (PyCon 2009)Python 3 Compatibility (PyCon 2009)
Python 3 Compatibility (PyCon 2009)
 
Guadalajara con 2012
Guadalajara con 2012Guadalajara con 2012
Guadalajara con 2012
 
Big Data & NoSQL - EFS'11 (Pavlo Baron)
Big Data & NoSQL - EFS'11 (Pavlo Baron)Big Data & NoSQL - EFS'11 (Pavlo Baron)
Big Data & NoSQL - EFS'11 (Pavlo Baron)
 
The Go features I can't live without, 2nd round
The Go features I can't live without, 2nd roundThe Go features I can't live without, 2nd round
The Go features I can't live without, 2nd round
 
José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...
José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...
José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...
 
Piloting processes through std IO at the Ruby Drink-up of Sophia, January 2012
Piloting processes through std IO at the Ruby Drink-up of Sophia, January 2012Piloting processes through std IO at the Ruby Drink-up of Sophia, January 2012
Piloting processes through std IO at the Ruby Drink-up of Sophia, January 2012
 
The Go features I can't live without
The Go features I can't live withoutThe Go features I can't live without
The Go features I can't live without
 
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
 

Ähnlich wie Improving file formats

NYC4SEC - An Introduction to the Microsoft exFAT File System (Draft 2.01)
NYC4SEC - An Introduction to the Microsoft exFAT File System (Draft 2.01)NYC4SEC - An Introduction to the Microsoft exFAT File System (Draft 2.01)
NYC4SEC - An Introduction to the Microsoft exFAT File System (Draft 2.01)
overcertified
 
Integrating technology into the classroom
Integrating technology into the classroomIntegrating technology into the classroom
Integrating technology into the classroom
TammiRice
 
Embedded Linux Multimedia
Embedded Linux MultimediaEmbedded Linux Multimedia
Embedded Linux Multimedia
Caglar Dursun
 
C# Production Debugging Made Easy
C# Production Debugging Made Easy C# Production Debugging Made Easy
C# Production Debugging Made Easy
Alon Fliess
 

Ähnlich wie Improving file formats (20)

Caring for file formats
Caring for file formatsCaring for file formats
Caring for file formats
 
What every C++ programmer should know about modern compilers (w/ comments, AC...
What every C++ programmer should know about modern compilers (w/ comments, AC...What every C++ programmer should know about modern compilers (w/ comments, AC...
What every C++ programmer should know about modern compilers (w/ comments, AC...
 
Proyecto de microcontroladores
Proyecto de microcontroladoresProyecto de microcontroladores
Proyecto de microcontroladores
 
PDF: myths vs facts
PDF: myths vs factsPDF: myths vs facts
PDF: myths vs facts
 
NYC4SEC - An Introduction to the Microsoft exFAT File System (Draft 2.01)
NYC4SEC - An Introduction to the Microsoft exFAT File System (Draft 2.01)NYC4SEC - An Introduction to the Microsoft exFAT File System (Draft 2.01)
NYC4SEC - An Introduction to the Microsoft exFAT File System (Draft 2.01)
 
Raspberry Pi introduction
Raspberry Pi introductionRaspberry Pi introduction
Raspberry Pi introduction
 
Casual Engines 2009
Casual Engines 2009Casual Engines 2009
Casual Engines 2009
 
Funky file formats - 31c3
Funky file formats - 31c3Funky file formats - 31c3
Funky file formats - 31c3
 
Integrating technology into the classroom
Integrating technology into the classroomIntegrating technology into the classroom
Integrating technology into the classroom
 
SELJE - VFP Advanced.pdf
SELJE - VFP Advanced.pdfSELJE - VFP Advanced.pdf
SELJE - VFP Advanced.pdf
 
The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerThe Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
 
Hacking the Kinect with GAFFTA Day 1
Hacking the Kinect with GAFFTA Day 1Hacking the Kinect with GAFFTA Day 1
Hacking the Kinect with GAFFTA Day 1
 
Pcsx2 readme 0.9.6
Pcsx2 readme 0.9.6Pcsx2 readme 0.9.6
Pcsx2 readme 0.9.6
 
Xen in Linux (aka PVOPS update)
Xen in Linux (aka PVOPS update)Xen in Linux (aka PVOPS update)
Xen in Linux (aka PVOPS update)
 
Why you should use the Yocto Project
Why you should use the Yocto ProjectWhy you should use the Yocto Project
Why you should use the Yocto Project
 
Basic course
Basic courseBasic course
Basic course
 
Open frameworks 101_fitc
Open frameworks 101_fitcOpen frameworks 101_fitc
Open frameworks 101_fitc
 
Embedded Linux Multimedia
Embedded Linux MultimediaEmbedded Linux Multimedia
Embedded Linux Multimedia
 
Tac Presentation October 72014- Raspberry PI
Tac Presentation October 72014- Raspberry PITac Presentation October 72014- Raspberry PI
Tac Presentation October 72014- Raspberry PI
 
C# Production Debugging Made Easy
C# Production Debugging Made Easy C# Production Debugging Made Easy
C# Production Debugging Made Easy
 

Mehr von Ange Albertini

Beyond your studies
Beyond your studiesBeyond your studies
Beyond your studies
Ange Albertini
 

Mehr von Ange Albertini (20)

Technical challenges with file formats
Technical challenges with file formatsTechnical challenges with file formats
Technical challenges with file formats
 
Relations between archive formats
Relations between archive formatsRelations between archive formats
Relations between archive formats
 
Abusing archive file formats
Abusing archive file formatsAbusing archive file formats
Abusing archive file formats
 
You are *not* an idiot
You are *not* an idiotYou are *not* an idiot
You are *not* an idiot
 
KILL MD5
KILL MD5KILL MD5
KILL MD5
 
No more dumb hex!
No more dumb hex!No more dumb hex!
No more dumb hex!
 
Beyond your studies
Beyond your studiesBeyond your studies
Beyond your studies
 
An introduction to inkscape
An introduction to inkscapeAn introduction to inkscape
An introduction to inkscape
 
Exploiting hash collisions
Exploiting hash collisionsExploiting hash collisions
Exploiting hash collisions
 
Infosec & failures
Infosec & failuresInfosec & failures
Infosec & failures
 
Connecting communities
Connecting communitiesConnecting communities
Connecting communities
 
TASBot - the perfectionist
TASBot - the perfectionistTASBot - the perfectionist
TASBot - the perfectionist
 
Hacks in video games
Hacks in video gamesHacks in video games
Hacks in video games
 
Let's write a PDF file
Let's write a PDF fileLet's write a PDF file
Let's write a PDF file
 
An overview of potential leaks via PDF
An overview of potential leaks via PDFAn overview of potential leaks via PDF
An overview of potential leaks via PDF
 
Advanced Pdf Tricks
Advanced Pdf TricksAdvanced Pdf Tricks
Advanced Pdf Tricks
 
Preserving arcade games - 31c3
Preserving arcade games - 31c3Preserving arcade games - 31c3
Preserving arcade games - 31c3
 
Preserving arcade games
Preserving arcade gamesPreserving arcade games
Preserving arcade games
 
Let's talk about...
Let's talk about...Let's talk about...
Let's talk about...
 
Hide Android applications in images
Hide Android applications in imagesHide Android applications in images
Hide Android applications in images
 

Kürzlich hochgeladen

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 

Kürzlich hochgeladen (20)

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 

Improving file formats

  • 1. Ange Albertini …? Improving file formats toReflections on the problems and some potential solutions From…
  • 2. Microsoft(R) MS-DOS(R) Version 3.30 (C)Copyright Microsoft Corp 1981-1987 A> In 1989... our computer (10 MHz CPU, 20 Mb HDD) was infected by a virus...
  • 3. Thankfully, a french magazine explained how to remove it...
  • 4. Dans la série des virus qui sont censés vous sortir de la torpeur inhérente à des heures de travail fastidieux devant un écran, il y a aussi le Ping-pong (ou Italian Bouncing) : avec une lenteur désespérante, une baballe rebondit sur les caractères, puis elle les efface, puis une autre apparaît, rebondit encore, et le phénomène continue de se reproduire jusqu'à ce que l'écran ne soit plus que balles vagabondes. C'est certainement le plus visuel des virus sur compatibles IBM, mais aussi le plus exaspérant et le plus récurrent. Installé sur un secteur des pistes de démarrage, il occupe deux autres secteurs qu'il marque comme endommagés dans la table d'allocation des fichiers. Par chance, il n'attaque que les IBM PC-XT. Pour s'en débarrasser, il faut rétablir les pistes de démarrage dans leur état d'origine. Avec un éditeur d'octets du type PC-Tools, vérifiez la présence des octets 33 C0 dans les zones 30 et 31 du secteur d'amorçage du disque dur ; s'ils sont bien présents, mieux vaut exécuter la commande SYS depuis une disquette Système saine; à la fin de la première table d'allocation des fichiers du disque dur, remplacez les trois derniers octets (FF 7F FF) par FF 0F 00. Puis localisez le code du virus lui-même, qui commence par FF 06 F3 7D 8B 1E, et remplacez-le (ainsi que tous les octets qui suivent, jusqu'à 55 AA) par F6 si le formatage est dû à la commande FORMAT du système, ou par 00 s'il provient de PC-Tools. ...by yourself, with a hex editor! “…At the end of the first file allocation table of the hard disk, replace the last 3 bytes FF 7F FF by FF 0F 00. Then find the code of the virus itself which starts with FF 06 F3 7D 8B 1E and overwrite it (including all following bytes, until 55 AA) by F6…” This was my introduction to hex editors and malware.!
  • 5. About the author ● 13 years of malware analysis ● now Information Security Engineer Note: this talk reflects my own opinion, not my employer.
  • 8. There are various (with a few things in common) communities around file formats ...and I’m interested in all of them DFIR Black hat White hat DigiPres User Dev
  • 9. Let’s craft a (commercial & successful) software from scratch... (Yes, really) As a starter...
  • 12. ...this OS. 3” Compact Floppy 2 180 Kb / side CP/M 1974 -> DOS 1981 -> Windows 1985
  • 13. size=0 Create an empty file Let's create… an EMPTY executable!
  • 14. Is it valid? Yes: Transient Commands are blindly loaded and execution is started at offset zero. (that’s how executables were called on CP/M)
  • 15. Does it do anything? The Transient Memory Area is not cleared between executions, so the previous command is re-executed.
  • 16. working as intended (repeats previous command)
  • 17. Under a commercial OS from 1985, the empty file is valid, useful and reliable. It was even sold as a commercial program for £5. Consistent & reliable.
  • 18. - Many things have changed since the 80s :) But.... - weird files are nothing new. - Software always defined the rules. - Specifications are entirely optional. - There’s no “that’s not how it works”. Lessons learned
  • 19. The file format problem A misunderstood field -"specs are enough" -> received less attention -> least rigorous field of computing. Not enough pre-natal checks. Lacking growth control. Crypto File formats
  • 20. Better controls when designing a format. Better checks to follow its evolution. And we need to educate the different communities. We need...
  • 21. There is hope: some great formats-focused projects... Note that none of these projects is from the original developer and was started long after the format became mainstream. I.E. a format must be mainstream for a very long time until someone started something similar, much later.
  • 22. VeraPDF open source PDF/A validator and its corpus, and more… PDF: Adobe 1993 VeraPDF: ISO 2014
  • 23. CaraDoc https://github.com/caradoc-org/caradoc Caradoc - a PDF parser and validator Caradoc is a parser and validator of PDF files written in OCaml. This is version 0.3 (beta). Caradoc provides many commands to analyze PDFs, as well as an interactive user interface in console. Caradoc was presented at the the third Workshop on Language-Theoretic Security (LangSec) in May 2016.
  • 24. Cornercases. PoCs. Test suite. Comparative charts… http://seriot.ch/parsing_json.php While JSON is fairly simple, it's still a huge effort for a single person. Nicolas Seriot’s JSON parsers analysis
  • 25. Michał Górny's TAR analysis https://dev.gentoo.org/~mgorny/articles/portability-of-tar-features.html
  • 27. We need new tools to define the (current) ground truth. New (automated, scalable) tools -> visibility of the landscape -> understanding (documentations and metrics) -> update of the state of the art -> educating communities -> change the landscape
  • 28. There are always unknown unknowns.
  • 29. We need to explore at scale.
  • 30. GIF (1987) used LZW - patented, and enforced in 1994 JIF was created: GIF (LZW 1984) -> JIF (zLib 1990) Technically, JIFs had all reasons to replace GIFs. From GIF to JIF
  • 31. Jif: an obvious idea, lost in time. In practice, JIF doesn’t exist: unknown to file unknown to VirusTotal A single file, that I uploaded recently. But it's supported by XnView -> Deprecation is very hard. -> InfoSec doesn’t overlap with DigiPres. https://folk.uib.no/hfohd/SLF/Dyvik/theslist.jif 0fb6018a224cfd9926968c80621f20660b825ec17ef4707b64a0a1d77abf9281
  • 32. Deprecation? fear, uncertainty, doubt. GIF deprecation == “no more memes/cat pics”? -> irrationality Fight irrationality with ‘data-driven explanations’. -> documentations and metrics. Which, for now, means just "original specs". (that are 30+ year old)
  • 33. Yet we still use Tape/floppies oriented feature! We can't kill ZIP/Tar. Because of no visibility or way to enforce a successor.
  • 34. A long forgotten (yet official) way for GIF to display text (they're not comments) GIF Plain Text Extension --------: Introducing GIF89a :-------- When you finish reading this, press any key to continue. If you just sit back and watch, we'll continue when the built-in delay runs out. GIF89a provides for "disposing of" an image or text. All the text in this GIF is "restore to previous", so that the underlying image is restored when you press a key or the delay runs out. "Transparent" images or text can be written over an underlying image so that parts of the old image "show through" the new one. Oh, incidentally, it's pronounced "JIF" This image contains these text frames https://github.com/corkami/formats/blob/WIP/image/gif89a.md#plain-text-extension BOB_89A.GIF
  • 35. Specifications Written years/decades ago. Originally made for 80x25 screens :) Never updated. Some features are lost or never implemented. Novelties from 1989
  • 36. No standard way to make transparent JPGs(1992) There are many possible ways (PDF, SVG, TIF, PSD) but no generalized one. It's not just GIF! Another obvious absence in 2019...
  • 37. A typical file format timeline Good intentions: proper planning. Official specs. Set in stone. Bad things happen: Interpretation blur, unofficial extensions. Format is now used everywhere: Misunderstood. Unmovable.
  • 38. A new (version of a) parser is out? Fuzz. Get bug fixed. Collect pride & glory. Rinse. Repeat. 10 ParserUpdate 20 Fuzz 30 Fail 40 Collect 50 GOTO 10
  • 39. A holy text and its cult. How we perceive file formats: ORDER OF THE RFC
  • 40. More like… outdated and irrelevant practices. ORDER OF THE RFC
  • 41. The following GIF Capabilities Response message describes three standard IBM PC Enhanced Graphics Adapter configurations with no printer; the GIF data stream can be processed within an error correcting protocol: Spanning is the process of segmenting a ZIP file across multiple removable media. This support has typically only been provided for DOS formatted floppy diskettes. What we have (what we're left with) Sh*tMySpecsSays (outdated/irrelevant) [GIF] The Plain Text Extension contains textual data and the parameters necessary to render that data as a graphic, in a simple form. [JPEG] The APP0 marker is used to identify a JPEG FIF file. The JPEG FIF APP0 marker is mandatory right after the SOI marker. [PNG] For colour types 2 and 6 (truecolour and truecolour with alpha), the PLTE chunk is optional. If present, it provides a suggested set of from 1 to 256 colors to which the truecolor image can be quantized if the viewer cannot display truecolor directly. ... A CRC should be checked before processing the chunk data.
  • 43. Encyclopedia of graphics file formats A ‘good’ reference but: - outdated (1996). - doesn't reflect the current landscape. Oxford dictionary: still fresh
  • 44. What we'd need…. (more exactly, we first need the tools to get there) Covers all CVEs Test files included New content Cheat sheets
  • 45. People rely on the original specs. (Nothing changes) The status quo How it is (mostly) How it should be. Fuzzing/manual analysis -> bug found LAndscape analysis Test/fuzzing corpus Hardening (filtering, normalization)
  • 46. Typical advances in file formats Decorated navigation/char sets
  • 47. Kaitai From Yaml grammar to... meta: id: bmp file-extension: bmp endian: le license: CC0-1.0 ks-version: 0.8 seq: - id: file_hdr type: file_header - id: len_dib_header type: s4 - id: dib_header size: len_dib_header - 4 type: switch-on: len_dib_header cases: 12: bitmap_core_header 40: bitmap_info_header 104: bitmap_core_header 124: bitmap_core_header types: file_header: -orig-id: BITMAPFILEHEADER seq: - id: magic -orig-id: bfType contents: "BM" - id: len_file -orig-id: bfSize type: u4 - id: reserved1 -orig-id: bfReserved1 type: u2
  • 48. Kaitai: Many formats (and grammar visualisation)
  • 49. Kaitai grammars: readable, concise -> a good starter for understanding https://github.com/kaitai-io/dicom.ksy/blob/master/dicom.ksy meta: id: dicom file-extension: dcm license: MIT endian: le seq: - id: file_header type: t_file_header - id: elements type: t_data_element_implicit repeat: eos types: t_file_header: seq: - id: preamble size: 128 - id: magic contents: 'DICM' [...] <-> The DICOM Standard
  • 50. Kaitai’s great IDE (read-only file-wise, classic offset/hex/ascii view)
  • 51. Kaitai parser compiler private void _read() { _magic = m_io.EnsureFixedContents(new byte[] { 66, 77 }); _lenFile = m_io.ReadU4le(); _reserved1 = m_io.ReadU2le(); _reserved2 = m_io.ReadU2le(); _ofsBitmap = m_io.ReadS4le(); } sub _read { my ($self) = @_; $self->{magic} = $self->{_io}->ensure_fixed_contents(pack('C*', (66, 77))); $self->{len_file} = $self->{_io}->read_u4le(); $self->{reserved1} = $self->{_io}->read_u2le(); $self->{reserved2} = $self->{_io}->read_u2le(); $self->{ofs_bitmap} = $self->{_io}->read_s4le(); } private function _read() { $this->_m_magic = $this->_io->ensureFixedContents("x42x4D"); $this->_m_lenFile = $this->_io->readU4le(); $this->_m_reserved1 = $this->_io->readU2le(); $this->_m_reserved2 = $this->_io->readU2le(); $this->_m_ofsBitmap = $this->_io->readS4le(); } void bmp_t::file_header_t::_read() { m_magic = m__io->ensure_fixed_contents(std::string("x42x4D", 2)); m_len_file = m__io->read_u4le(); m_reserved1 = m__io->read_u2le(); m_reserved2 = m__io->read_u2le(); m_ofs_bitmap = m__io->read_s4le(); } private void _read() { this.magic = this._io.ensureFixedContents(new byte[] { 66, 77 }); this.lenFile = this._io.readU4le(); this.reserved1 = this._io.readU2le(); this.reserved2 = this._io.readU2le(); this.ofsBitmap = this._io.readS4le(); } def _read(self): self.magic = self._io.ensure_fixed_contents(b"x42x4D") self.len_file = self._io.read_u4le() self.reserved1 = self._io.read_u2le() self.reserved2 = self._io.read_u2le() self.ofs_bitmap = self._io.read_s4le() FileHeader.prototype._read = function() { this.magic = this._io.ensureFixedContents([66, 77]); this.lenFile = this._io.readU4le(); this.reserved1 = this._io.readU2le(); this.reserved2 = this._io.readU2le(); this.ofsBitmap = this._io.readS4le(); } def _read @magic = @_io.ensure_fixed_contents([66, 77].pack('C*')) @len_file = @_io.read_u4le @reserved1 = @_io.read_u2le @reserved2 = @_io.read_u2le @ofs_bitmap = @_io.read_s4le self end
  • 52. Not everything can be expressed with Yaml. Mixed formats (PDF) or bit-level (BZip2) can’t work. Kaitai limitations <= BZip2 (Bit-based) PDF => (Text skeleton)
  • 53. Very good to explain logic at various level. Underrated, underused. Syntax diagrams
  • 54. Different levels of details for different goals. 2 syntax diagrams of the same format (JPEG)
  • 55. It can be useful to see every detail. It can be overwhelming (and intimidating) and prevent us to grasp their generic structure.
  • 56. Already simplified, yet not so clear -> you may miss some important points.
  • 57. Useful to explain specific concepts. Long comment: 1st image extended as a comment Short comment: comment stops before the first image. Collision schema Same color+shape = same data structur
  • 58. What do they lack? 1/2 Different views are needed: Sometimes, you need just the logic. Sometimes, you need to explain the bytes and encoding. Sometimes, you want to show the basic requirements.
  • 59. What do they lack? 2/2 No collapsable groups - that could be annotated. No relations between elements: Ex: isPalettePresent bit then Palette array.
  • 60. File ::= 'GIF' '8[7-9]a' LogScrDesc GlobalPal? (('!' FuncCode ( Length Data+)* '0')* ',' ImgDesc LocalPal? CodeSize (Length Data+)* '0')+ ';' macro_rules! ECS { ($SoI:expr $( $( Segments )+ $( Scan $ECS:ty $( $Restart:expr $ECS:ty)* )+ )+ $EoI:expr ) => { ... }; } Some (limited but worth knowing) tools for syntax diagrams JPEG Gif
  • 61. My own contributions... (Individual effort in my spare time)
  • 62. Better specs: first, better format. Then, rewrite. Specs are either ASCII-formatted, HTML, PDFs - not so convenient. Reformatting as MarkDown with rendered elements with parsable diagrams and logic. GIFDataStream ::= Header LogicalScreen Data* Trailer LogicalScreen ::= LogicalScreenDescriptor GlobalColorTable? Data ::= GraphicBlock | SpecialPurposeBlock GraphicBlock ::= GraphicControlExtension? GraphicRenderingBlock GraphicRenderingBlock ::= TableBasedImage | PlainTextExtension TableBasedImage ::= ImageDescriptor LocalColorTable? ImageData SpecialPurposeBlock ::= ApplicationExtension | CommentExtension Complete ::= Header LogicalScreenDescriptor GlobalColorTable? (GraphicControlExtension? ((ImageDescriptor LocalColorTable? ImageData) | PlainTextExtension) | (ApplicationExtension | CommentExtension))* Trailer https://github.com/corkami/formats
  • 63. Scalable and readable hex representation that could be plugged to any parser even w/ just dynamic instrumentation. Outputs: - ANSI text -> HTML / RTF / TeX - CSS-less SVG -> PDF Better binary visualisation Type:Png [file] Field Value 000: 89 .P .N .G r n 1a n +00 signature x89PNGrnx1an 0 1 2 3 4 5 6 7 8 9 a b c d e f Chunk: Image Header [chunk] Field Value 000: 00 00 00 0D .I .H .D .R +00 length 13 010: 00 00 00 03 00 00 00 01 08 02 00 00 00 94 82 83 +04 type IHDR 020: E3 +15 crc-32 0x948283e3 0 1 2 3 4 5 6 7 8 9 a b c d e f Chunk: Image Data [chunk] Field Value 020: 00 00 00 15 .I .D .A .T 08 1D 01 0A 00 F5 FF +00 length 21 030: 00 FF 00 00 00 FF 00 00 00 FF 0E FB 02 FE E9 32 +04 type IDAT 040: 61 E5 +1d crc-32 0xe93261e5 0 1 2 3 4 5 6 7 8 9 a b c d e f Chunk: Image End [chunk] Field Value 040: 00 00 00 00 .I .E .N .D AE 42 60 82 +00 length 0 0 1 2 3 4 5 6 7 8 9 a b c d e f +04 type IEND +08 crc-32 0xae426082 https://github.com/corkami/sbud
  • 64. Better binary dissection+edition db `x89PNGrnx1an` ; signature ;0000: chunk1: ; chunk1 { //Image Header ddbe 13 ; length ;0008: ;ddbe (chunk1.crc32 - chunk1.data) .type db `IHDR` ; type ;000c: .data: ; Data { incbin 'rgb.png', 0x10, 0xd ;0010: ;} ; } //Data .crc32 ddbe 0x948283e3 ; crc-32 ;001d: ;> chunk1.crc32=CRC32(chunk1.type,chunk1.crc32) ;} ; } //chunk chunk2: ; chunk2 { //Image Data ddbe 21 ; length ;0021: ;ddbe (chunk2.crc32 - chunk2.data) .type db `IDAT` ; type ;0025: .data: ; Data { incbin 'rgb.png', 0x29, 0x15 ;0029: ;} ; } //Data .crc32 ddbe 0xe93261e5 ; crc-32 ;003e: ;> chunk2.crc32=CRC32(chunk2.type,chunk2.crc32) ;} ; } //chunk chunk3: ; chunk3 { //Image End ddbe 0 ; length ;0042: ;ddbe (chunk3.crc32 - chunk3.data) .type db `IEND` ; type ;0046: .data: .crc32 ddbe 0xae426082 ; crc-32 ;004a: ;> chunk3.crc32=CRC32(chunk3.type,chunk3.crc32) ;} ; } //chunk Raw assembly (no opcodes) with many macros and structure decoration. A new language could be better, But the jump is not clearly needed yet. https://github.com/corkami/sbud
  • 65. No “Executable” GUI please! GUIs give fancy representation easily, but then we’re left with ugly screenshots. -> better output parseable/reusable format from the beginning Eventually with an interactive webpage and showing a rendering in the browser.
  • 66. More info @ https://speakerdeck.com/ange/no-more-dumb-hex
  • 67. PDF: here be dragons
  • 68. PDF has a lot of hard problems such as.. Whitespace in PDF (all readers don't agree)
  • 69. What a normal PDF usually looks like.
  • 70. What a weird PDF can look like. %PDF-1.3 1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj 2 0 obj<</Type/Pages/Count 1/Kids[3 0 R]>>endobj 3 0 obj<</Type/Page/Contents 4 0 R/Parent 2 0 R/Resources<</Font<</F<</Type/Font/Subtype/Type1/Base Font/Arial>>>>>>>>endobj 4 0 obj<<>>stream BT/F 55 Tf 10 400 Td(http://www.corkami.com)' ET endstream endobj trailer <</Root 1 0 R>> This one works fine with all readers without any warning. No XREF, no /Length, no /Size
  • 71. What a crazy PDF can look like….
  • 73. t1t0tobj<</Resources<</Font<</<</BaseFont//Subtype/>>>>>>/Contents<<>>streamn /t50Tf20r450Td(http://www.corkami.com)Tjendstream>>endobjx20 trailer<</Root<</Pages<</Kids[1t0R]/Countf9 No %PDF signature,no Type, no Parent... Mixed whitespace. Empty font name, BaseFont, Subtype. Recursive & inline stream object. Non-closed dictionaries. No whitespace between keywords and numbers. 9 pages counted but only 1 kid. We really have a lot of cleaning to do...
  • 74. This crazy PDF can’t be repaired with standard tools. $ mutool clean wtff0C.pdf error: cannot recognize version marker warning: trying to repair broken xref error: invalid key in dict error: cannot parse dict error: invalid indirect reference in dict error: cannot parse dict error: cannot parse dict error: cannot parse dict error: invalid key in dict error: cannot parse dict error: cannot load object (1 0 R) into cache warning: ignoring broken object (1 0 R) error: invalid key in dict error: cannot parse dict error: cannot load object (1 0 R) into cache warning: cannot load object (1 0 R) into cache $ qpdf wtff0C.pdf repaired.pdf WARNING: wtff0C.pdf: can't find PDF header WARNING: wtff0C.pdf: file is damaged WARNING: wtff0C.pdf: can't find startxref WARNING: wtff0C.pdf: Attempting to reconstruct cross-reference table wtff0C.pdf: unable to find trailer dictionary while recovering damaged file $ %PDF-0.0 %%μῦ 1 0 obj null endobj xref 0 2 0000000000 65536 f 0000000018 00000 n trailer <</Size 2>> startxref 38 %%EOF Output from mutool:
  • 76. A really long way to go...https://reference.pdfa.org/iso/32000/
  • 78. Acknowlegdments: Dr Sergey Bratus Thank you! Any feedback? From to ?