SlideShare ist ein Scribd-Unternehmen logo

The challenges of file formats

Ange Albertini
Ange Albertini

Sharing my perspectives with the digipres community.

Technologie
1 von 102
Downloaden Sie, um offline zu lesen
Ange Albertini the challenges of file formats sharing my perspectives with the DigiPres community
USE CRAFTDISSECt My perspectives PRESERVE Malicious files Extreme files Documents Video Games Load/save share
tinkering with Computers for 30+ years... since MO5 (1984) I draw many kinds of things...github.com/corkami/pics
...and document file formats. github.com/corkami/docs
The first use of file formats: "Save your progress"
Ever printed something that looked nothing like what you have on screen? Story time: A document without vowels
Enabling people to share information: a Wonderful digital language.
Ever tried to import someone else's Word document ? "Ouch !"
The developer relies on the specifications to add support in their library.
Preserve... - Insert rant here - Web pages anyone ? ;)
The archivist wants to make sure that their data will be re-usable much later.
Ever tried to re-import an old Word document ? R.I.P. Formatting (at best)
I'm also a Reverse Engineer ● Interested since 1989 ● Video games preservation in 1999 Science & Vie Micro, November 1989 Instructions to manually remove a boot sector virus
But… we live in dark times!
PRofessionally ● 12 years of malware analysis ● Executables, documents... Note: this talk reflects my own opinion, not my employer.
Attackers will try to take advantages of weaknesses...
Black hats Find (and sell) vulnerabilities in software that can be exploited to steal information or money, or spy on people (and get them arrested…). Goals: bypass security, hack into systems.
Find bugs to hack your target. - Analyze code (source) or disassembly (the binary itself) - Blind fuzzing (flip bits randomly and see what happens) - Generational fuzzing (according to the structure of the file format) - Smart fuzzing (modify/instrument/analyse code)
...while defenders will try to prevent this from happening.
Do the same as the bad guys But disclose and fix vulnerabilities (see Bug Bounties) - Remove the low-hanging fruits from the tree. - Controlled burn to prevent huge fires. => improve practices IMHO file formats should receive this treatment too.
Anti-malware industry 1- Analyze files 2- Determine if they're corrupted, or malicious 3- come up with ways to detect them 4- improve defenses
Malware analyst or DFIR are looking for clues. (typically, I open files with a hex editor first)
Digital Forensics - Incident Response determine if and how a file or system was: - hacked - tampered with (casino machines) - If data was stolen (copyright infrigment)
One more thing... So far, just InfoSec things: nothing for the DigiPres world.
PRofessionally (next) - I was fed up of being only retroactive to attackers' "innovation" - I started to experiment and create my own files, from scratch. And share them openly and freely.
A single file with multiple types: It's not a gadget, It's actually useful to hack people! Used in the wild, in 2008! https://en.wikipedia.org/wiki/Gifar Polyglots Image Java
a mini PDF (Adobe-only, 36 bytes) "Too small to be Suspicious!" (or even considered valid) %PDF-0trailer<</Root<</Pages<<>>>>>>
How do I do it ? 1. I study a simple file with the specs 2. I create my own script to reproduce it (Standard tools usually don't give you total control) 3. I can now create my own files, with full control 4. I can then experiment, and optionally, document and visualize.
my collection of hand-made executablesand "documentation" (completely free).
Victor Frankeinstein Initially, I started with simpler stuff But… it excalated quickly :) Dual headed cow Loooooong !
a presentation slide deck viewing itself (PDF viewer and PDF document) PDF viewer PDF slides
HTML JavaScript Java Windows executable PDF 2 standard infection chains in a single file
1 3DES Mixing binary and cryptography AESK AESK JPG JAR (ZIP + CLASS) PDF FLV PNG 2
a Java & JavaScript polyglot - at source level unicode //
a Java & JavaScript polyglot - at binary level
=> Java = JavaScript Yes, your management was right all along ;)
My own Resume is a PDF, compatible Nintendo and Sega
https://www.w3.org/Graphics/JPEG/jfif3.pdf I crafted the binary structure of the files with the first SHA1 collision. These files violate the specifications! And yet they work everywhere. same SHA-1
These files display their own MD5! (not by me) PDF GIF Nintendo Rom
a JavaScript || GIF polyglot (useful to embed payload - also works with JPG or BMP) image JavaScript
"useless?"I remove potential traps by researching, And I train myself with extreme files. Also, some of these were used in the wild to attack people, And I can reproduce key features into shareable files. Isn't this all
My perspective: 1- What is a file? A sequence of byte(s) Any parser can give an incomplete perspective. I open most files first with a hex editor (out of curiosity, at least)Yes, I'm a hex-addict ;)
2- What is a VALID file? A file loaded successfully by a parser/loader/processor. A file in itself is nothing.
Specifications. What we wished...
Specifications. In reality, they are more complex, often for no particular reason (see design by commitee)
Specifications. Now comes a software that takes these files as input. This software defines validity (the parser/loader), not the specifications. READER
Specifications are irrelevant! As long as the file 'works as intended'.
On this computer...
We'll launch... Run this command
...this OS.
size=0 create empty file Let's create… an EMPTY file!
Is it valid? Yes: Transient Commands are copied blindly and execution started at offset zero.
Does it do anything? Transient Memory Area is not Cleared between executions, so the previous command is re-executed.
works as intended Under a commercial OS from 1985, the empty file is valid, useful and reliable. It was even sold as a commercial program for £5.
Takeaway - it's old-school, obsolete… - And yet this example is pure simplicity… to prove that the software defines the rules! - The specifications are volatile…. the software is the ground truth.
Text files What could go wrong? Just a bad encoding maybe?
This is a … malicious Flash file !!No, not base64 - it's directly executable as is! But, aren't Flash files... pure binary!? CWSMIKI0hCD0Up0IZUnnnnnnnnnnnnnnnnnnnUU5nnnnnn3Snn7iiudIbEAt333swW0ssG03 sDDtDDDt0333333Gt333swwv3wwwFPOHtoHHvwHHFhH3D0Up0IZUnnnnnnnnnnnnnnnnnnnU U5nnnnnn3Snn7YNqdIbeUUUfV13333333333333333s03sDTVqefXAxooooD0CiudIbEAt33 swwEpt0GDG0GtDDDtwwGGGGGsGDt33333www033333GfBDTHHHHUhHHHeRjHHHhHHUccUSsg SkKoE5D0Up0IZUnnnnnnnnnnnnnnnnnnnUU5nnnnnn3Snn7YNqdIbe13333333333sUUe133 333Wf03sDTVqefXA8oT50CiudIbEAtwEpDDG033sDDGtwGDtwwDwttDDDGwtwG33wwGt0w33 333sG03sDDdFPhHHHbWqHxHjHZNAqFzAHZYqqEHeYAHlqzfJzYyHqQdzEzHVMvnAEYzEVHMH bBRrHyVQfDQflqzfHLTrHAqzfHIYqEqEmIVHaznQHzIIHDRRVEbYqItAzNyH7D0Up0IZUnnn nnnnnnnnnnnnnnnnUU5nnnnnn3Snn7CiudIbEAt33swwEDt0GGDDDGptDtwwG0GGptDDww0G DtDDDGGDDGDDtDD33333s03GdFPXHLHAZZOXHrhwXHLhAwXHLHgBHHhHDEHXsSHoHwXHLXAw XHLxMZOXHWHwtHtHHHHLDUGhHxvwDHDxLdgbHHhHDEHXkKSHuHwXHLXAwXHLTMZOXHeHwtHt HHHHLDUGhHxvwTHDxLtDXmwTHLLDxLXAwXHLTMwlHtxHHHDxLlCvm7D0Up0IZUnnnnnnnnnn nnnnnnnnnUU5nnnnnn3Snn7CiudIbEAtuwt3sG33ww0sDtDt0333GDw0w33333www033GdFP DHTLxXThnohHTXgotHdXHHHxXTlWf7D0Up0IZUnnnnnnnnnnnnnnnnnnnUU5nnnnnn3Snn7C iudIbEAtwwWtD333wwG03www0GDGpt03wDDDGDDD33333s033GdFPhHHkoDHDHTLKwhHhzoD HDHTlOLHHhHxeHXWgHZHoXHTHNo4D0Up0IZUnnnnnnnnnnnnnnnnnnnUU5nnnnnn3Snn7Ciu dIbEAt33wwE03GDDGwGGDDGDwGtwDtwDDGGDDtGDwwGw0GDDw0w33333www033GdFPHLRDXt hHHHLHqeeorHthHHHXDhtxHHHLravHQxQHHHOnHDHyMIuiCyIYEHWSsgHmHKcskHoXHLHwhH HvoXHLhAotHthHHHLXAoXHLxUvH1D0Up0IZUnnnnnnnnnnnnnnnnnnnUU5nnnnnn3SnnwWNq dIbe133333333333333333WfF03sTeqefXA888oooooooooooooooooooooooooooooooooo oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo oooooooooooooooooooooooooooooooo888888880Nj0h <= "Hello World" in Flash: It's a lot of non-ASCII!
Flash can be compressed with ZIP's Deflate. Which can use the Huffman algorithm, in which case you supply a code dictionary. You can craft such a dictionary to 'expand' your data, But in return it's ascii-only. >>> zlib.decompress('xf3Hxcdxc9xc9Wx08xcf/xcaIQxe4x02x00 x91x04H',-8) 'Hello World!n' >>> zlib.decompress("D0Up0IZUnnnnnnnnnnnnnnnnnnnUU5nnnnnn3SUUnUUUwCiudIbEAtwwwEt3 33wwG0swGpDDGpDDwDDDGtD33333s033333GdFPkWwwOaGOowgQ4", -8) 'Hello World!n' https://molnarg.github.io/ascii-flash/ascii-flash.pdf https://github.com/molnarg/ascii-zip
Valid Flash files entirely in ASCII: -> bypassed all filters -> abused most websites https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
Specifications are blurry. There's always a corner case that is not clarified.
Specifications are imperfect. I know no perfect specifications.except for the empty file? :) I could only make specifications better by finding problems before they were finalized and set in stone.
The real problem ● Unlike laws, specifications are not enforced. ● Not updated either. Set in stone. ● The problem remains the same - and grows with time. ● Survival of the fittest software: the Winner decides the rules. Specifications Conformity (Whatever that means)
Specifications. Now comes a software that creates these files. Their planned features and actual abilities of readers and writers may not overlap. Writer READER
Large Format Scanners: Infinite "height" scans -> image height fixed to 65535! Tolerated by LibJPEG, So valid everywhere! Detected by Anti-Virus, because it was used to exploit MS04-028.
Specifications are not updated: They become outdated and irrelevant.
File formatsSome specifications are even worse: They're nothing but… a"gentle introduction": Almost useless from the start. Data is in the .data section SEEN ON TV
Divergences As specifications are not perfect, They are interpreted by different people in different ways: So one file may work on one reader, not on the other one.
a normal PDF
%PDF 1 0 obj << /Pages << /Kids [ << /Contents 2 0 R >> ] >> >> 2 0 obj <<>> stream 95 Tf 20 400 Td (Chrome) Tj endstream trailer << /Root 1 0 R >> %PDF-1. 1 0 obj << /Kids [<< /Parent 1 0 R /Resources <<>> /Contents 2 0 R >>] >> 2 0 obj <<>> stream BT /F1 110 Tf 10 400 Td (Adobe Reader) Tj ET endstream endobj trailer << /Root << /Pages 1 0 R >> >> working PDFs
%PDF-1. 1 0 obj << /Kids [<< /Parent 1 0 R /Resources <<>> /Contents 2 0 R >>] >> 2 0 obj <<>> stream BT /F1 110 Tf 10 400 Td (Adobe Reader) Tj ET endstream endobj trailer << /Root << /Pages 1 0 R >> >> truncated signature direct /Kids No /Type No /Font No /CountNo /Type No /Length No XREF Direct /Root No /Size No /Type No startxref No %%EOF %PDF 1 0 obj << /Pages << /Kids [ << /Contents 2 0 R >> ] >> >> 2 0 obj <<>> stream 95 Tf 20 400 Td (Chrome) Tj endstream trailer << /Root 1 0 R >> very truncated signature direct /Kids No /Type No /Font No /CountNo /Type No /Resources No endobj No /Length No XREF Direct /Root No /Size No /Type No startxref No %%EOF No BT/ET No Font selection INVALID? INVALID? No /Parent
ACCEPTED! ACCEPTED!
I made extreme PDFs for each reader [by hand].
These extreme PDFs fail on any other reader.
Specifications. If one of these software becomes standard, the other software will have to adapt to it. Writer READER
RECOVERY Since there's no official 'direction', other softwares may have to be taken into consideration.
Take a standard PDF. (it opens in Adobe with no warnings)
If you modify its XREF table, it won't work correctly...
...or maybe even not open at all!
But if you ERASE the XREF table, Adobe will fall back to recovery mode, and open the file without any warning!
Schizophrenia Different contents (clean & malicious) can be combined In the same file, to bypass security or fool softwares.
Zip archives 3 different softwares will see 3 different archives from the same file This enabled a critical vulnerability in all Android devices in 2013: validate a content, execute a different one! 1 2 3
PDF The trailer defines the start of the document tree. See a different trailer -> see a completely different document! Several trailers can co-exist in the same file, and Parsers tolerate 'unused' objects (referenced by unseen trailers).
3 different documents as seen by 3 different readers in the same file (such things even happen accidentally in the wild!) commented line - seen by PDFium missing trailer keyword, but seen by Poppler Standard trailer - the only one seen by Adobe Reader
It used to work with PDF/A too (OK for Adobe Reader, but not for Preflight)
What you see is not always what you print - when you use Layers [O ptional C ontent G roups]! Fun fact: you can’t change the printing output with Adobe Reader ;) Layers present
1 image (same data), 2 palettes
Is this just an infinite vicious circle? Do we need a great fire destroying our knowledge so that we build file formats in a smarter way? Or ultimately, we'll forget our roots and just maintain stacks of emulation layers…?
Law enforcements Like archivists, investigators rely on softwares to determine if someone is guilty or not. These softwares rely on the same blurry specs… They're vulnerable to the same problems. Same file, two different tabs
http://www.pdfa.org/2015/10/whats-unique-about-pdf/ - Flash is now dying, for security reasons. - Adobe is out of the game for PDF. - Looking at PDF 2.0, I'm very skeptical… (many extra security risks)
- specs & software tolerated to encode a (malicious) JavaScript as JPEG. - This was used to bypass security scans. - This 'feature' was killed to improve security -> specifications were never updated -> they're now clearly outdated. script == picture
PDF is great, but... No major actor (Adobe) behind it anymore? PDF 2.0 is too different? Too permissive security-wise? (Don't get me wrong, I really like to [ab]use PDF)
My point of view: need to create better corpuses To demonstrate the current state of things. To determine the actual limits of file formats. To make automation easier for everyone. Atomic - Copyright-free - PII-free
Preservation Content, or the files? And private data? Preserving usually means "saving to a safer format" This means we gave up on the original format… But which one is safe? We need to preserve interesting files as-is too.
We don't need 'safer' formats(whatever that means) Yet another format? Blurry specs, Divergences, Unclear corner cases...
We need a new process: File formats should be alive! Like cryptography: Updates, deprecations… -> eventually uniform standardisation With a date, a version number, a commit. Up to date specifications and open validator. Once things are properly documented, we could go back easily.
Why doesn't it happen? Because we haven't proved enough yet how broken they are? In cryptography, there are official competitions to break the drafts before choosing the standard: survival of the fittest before setting standards in stone.
Conclusion
- Files formats are awesome (Even PDF!) - Except when they don't work as expected :) - Specifications are not challenged enough. - formats authorship is not a liability. We need to develop our expertises and share our knowledge.
Feedback? Thank you for reading that far!
Extra resourcesFunky files formats: https://speakerdeck.com/ange/funky-file-formats-31c3 Schizophrenic files: https://speakerdeck.com/ange/schizophrenic-files-v2 Abusing file formats: https://archive.org/stream/pocorgtfo07#page/n17/mode/2up

Empfohlen

Improving file formats
Improving file formatsImproving file formats
Improving file formats
Ange Albertini
 
TimeCryption
TimeCryptionTimeCryption
TimeCryption
Ange Albertini
 
No more dumb hex!
No more dumb hex!No more dumb hex!
No more dumb hex!
Ange Albertini
 
Pandora's Cash Box
Pandora's Cash BoxPandora's Cash Box
Pandora's Cash Box
nitayart
 
Finding 0days at Arab Security Conference
Finding 0days at Arab Security ConferenceFinding 0days at Arab Security Conference
Finding 0days at Arab Security Conference
Rodolpho Concurde
 
Python by Martin Geisler
Python by Martin GeislerPython by Martin Geisler
Python by Martin Geisler
Aberla
 
DEF CON 27 - SMEA - adventures in smart buttplug penetration testing
DEF CON 27 - SMEA - adventures in smart buttplug penetration testingDEF CON 27 - SMEA - adventures in smart buttplug penetration testing
DEF CON 27 - SMEA - adventures in smart buttplug penetration testing
Felipe Prado
 
PVS-Studio and 3DO Emulators
PVS-Studio and 3DO EmulatorsPVS-Studio and 3DO Emulators
PVS-Studio and 3DO Emulators
Andrey Karpov
 

Empfohlen

Improving file formats
Improving file formatsImproving file formats
Improving file formats
Ange Albertini
 
TimeCryption
TimeCryptionTimeCryption
TimeCryption
Ange Albertini
 
No more dumb hex!
No more dumb hex!No more dumb hex!
No more dumb hex!
Ange Albertini
 
Pandora's Cash Box
Pandora's Cash BoxPandora's Cash Box
Pandora's Cash Box
nitayart
 
Finding 0days at Arab Security Conference
Finding 0days at Arab Security ConferenceFinding 0days at Arab Security Conference
Finding 0days at Arab Security Conference
Rodolpho Concurde
 
Python by Martin Geisler
Python by Martin GeislerPython by Martin Geisler
Python by Martin Geisler
Aberla
 
DEF CON 27 - SMEA - adventures in smart buttplug penetration testing
DEF CON 27 - SMEA - adventures in smart buttplug penetration testingDEF CON 27 - SMEA - adventures in smart buttplug penetration testing
DEF CON 27 - SMEA - adventures in smart buttplug penetration testing
Felipe Prado
 
PVS-Studio and 3DO Emulators
PVS-Studio and 3DO EmulatorsPVS-Studio and 3DO Emulators
PVS-Studio and 3DO Emulators
Andrey Karpov
 
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON
 
Class 1: Welcome to programming
Class 1: Welcome to programmingClass 1: Welcome to programming
Class 1: Welcome to programming
Marc Gouw
 
Donnez des couleurs a votre terminal
Donnez des couleurs a votre terminalDonnez des couleurs a votre terminal
Donnez des couleurs a votre terminal
Arthur Lutz
 
Piloting processes through std IO at the Ruby Drink-up of Sophia, January 2012
Piloting processes through std IO at the Ruby Drink-up of Sophia, January 2012Piloting processes through std IO at the Ruby Drink-up of Sophia, January 2012
Piloting processes through std IO at the Ruby Drink-up of Sophia, January 2012
rivierarb
 
Schizophrenic files v2
Schizophrenic files v2Schizophrenic files v2
Schizophrenic files v2
Ange Albertini
 
How to find_vulnerability_in_software
How to find_vulnerability_in_softwareHow to find_vulnerability_in_software
How to find_vulnerability_in_software
sanghwan ahn
 
Python @ PiTech - March 2009
Python @ PiTech - March 2009Python @ PiTech - March 2009
Python @ PiTech - March 2009
tudorprodan
 
A basic unix overview(2)
A basic unix overview(2)A basic unix overview(2)
A basic unix overview(2)
Vishal Gurujuwada
 
Trusting files (and their formats)
Trusting files (and their formats)Trusting files (and their formats)
Trusting files (and their formats)
Ange Albertini
 
Caring for file formats
Caring for file formatsCaring for file formats
Caring for file formats
Ange Albertini
 
PDF: myths vs facts
PDF: myths vs factsPDF: myths vs facts
PDF: myths vs facts
Ange Albertini
 
ABYSS OF BADUSB
ABYSS OF BADUSBABYSS OF BADUSB
ABYSS OF BADUSB
ssuser6c19e1
 
Funky file formats - 31c3
Funky file formats - 31c3Funky file formats - 31c3
Funky file formats - 31c3
Ange Albertini
 
Ange Albertini and Gynvael Coldwind: Schizophrenic Files – A file that thinks...
Ange Albertini and Gynvael Coldwind: Schizophrenic Files – A file that thinks...Ange Albertini and Gynvael Coldwind: Schizophrenic Files – A file that thinks...
Ange Albertini and Gynvael Coldwind: Schizophrenic Files – A file that thinks...
Area41
 
Schizophrenic files
Schizophrenic filesSchizophrenic files
Schizophrenic files
Ange Albertini
 
Data hiding and finding on Linux
Data hiding and finding on LinuxData hiding and finding on Linux
Data hiding and finding on Linux
Anton Chuvakin
 
Dark Data and Missing Evidence
Dark Data and Missing EvidenceDark Data and Missing Evidence
Dark Data and Missing Evidence
Rob Zirnstein
 
Understand study
Understand studyUnderstand study
Understand study
Antonio Costa aka Cooler_
 
It's Assembler, Jim, but not as we know it: (ab)using binaries from embedded ...
It's Assembler, Jim, but not as we know it: (ab)using binaries from embedded ...It's Assembler, Jim, but not as we know it: (ab)using binaries from embedded ...
It's Assembler, Jim, but not as we know it: (ab)using binaries from embedded ...
Priyanka Aash
 
Dark Data Hiding in your Records: Opportunity or Danger?
Dark Data Hiding in your Records: Opportunity or Danger?Dark Data Hiding in your Records: Opportunity or Danger?
Dark Data Hiding in your Records: Opportunity or Danger?
Rob Zirnstein
 
Taking the hard out of hardware
Taking the hard out of hardwareTaking the hard out of hardware
Taking the hard out of hardware
Ronald McCollam
 
Stegano Forensics
Stegano ForensicsStegano Forensics
Stegano Forensics
Chiawei Wang
 

Weitere ähnliche Inhalte

Was ist angesagt?

Python @ PiTech - March 2009
Python @ PiTech - March 2009Python @ PiTech - March 2009
Python @ PiTech - March 2009
tudorprodan
 

Was ist angesagt? (8)

44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
 
Class 1: Welcome to programming
Class 1: Welcome to programmingClass 1: Welcome to programming
Class 1: Welcome to programming
 
Donnez des couleurs a votre terminal
Donnez des couleurs a votre terminalDonnez des couleurs a votre terminal
Donnez des couleurs a votre terminal
 
Piloting processes through std IO at the Ruby Drink-up of Sophia, January 2012
Piloting processes through std IO at the Ruby Drink-up of Sophia, January 2012Piloting processes through std IO at the Ruby Drink-up of Sophia, January 2012
Piloting processes through std IO at the Ruby Drink-up of Sophia, January 2012
 
Schizophrenic files v2
Schizophrenic files v2Schizophrenic files v2
Schizophrenic files v2
 
How to find_vulnerability_in_software
How to find_vulnerability_in_softwareHow to find_vulnerability_in_software
How to find_vulnerability_in_software
 
Python @ PiTech - March 2009
Python @ PiTech - March 2009Python @ PiTech - March 2009
Python @ PiTech - March 2009
 
A basic unix overview(2)
A basic unix overview(2)A basic unix overview(2)
A basic unix overview(2)
 

Ähnlich wie The challenges of file formats

Nerd sniping myself into a rabbit hole... Streaming online audio to a Sonos s...
Nerd sniping myself into a rabbit hole... Streaming online audio to a Sonos s...Nerd sniping myself into a rabbit hole... Streaming online audio to a Sonos s...
Nerd sniping myself into a rabbit hole... Streaming online audio to a Sonos s...
Maarten Balliauw
 

Ähnlich wie The challenges of file formats (20)

Trusting files (and their formats)
Trusting files (and their formats)Trusting files (and their formats)
Trusting files (and their formats)
 
Caring for file formats
Caring for file formatsCaring for file formats
Caring for file formats
 
PDF: myths vs facts
PDF: myths vs factsPDF: myths vs facts
PDF: myths vs facts
 
ABYSS OF BADUSB
ABYSS OF BADUSBABYSS OF BADUSB
ABYSS OF BADUSB
 
Funky file formats - 31c3
Funky file formats - 31c3Funky file formats - 31c3
Funky file formats - 31c3
 
Ange Albertini and Gynvael Coldwind: Schizophrenic Files – A file that thinks...
Ange Albertini and Gynvael Coldwind: Schizophrenic Files – A file that thinks...Ange Albertini and Gynvael Coldwind: Schizophrenic Files – A file that thinks...
Ange Albertini and Gynvael Coldwind: Schizophrenic Files – A file that thinks...
 
Schizophrenic files
Schizophrenic filesSchizophrenic files
Schizophrenic files
 
Data hiding and finding on Linux
Data hiding and finding on LinuxData hiding and finding on Linux
Data hiding and finding on Linux
 
Dark Data and Missing Evidence
Dark Data and Missing EvidenceDark Data and Missing Evidence
Dark Data and Missing Evidence
 
Understand study
Understand studyUnderstand study
Understand study
 
It's Assembler, Jim, but not as we know it: (ab)using binaries from embedded ...
It's Assembler, Jim, but not as we know it: (ab)using binaries from embedded ...It's Assembler, Jim, but not as we know it: (ab)using binaries from embedded ...
It's Assembler, Jim, but not as we know it: (ab)using binaries from embedded ...
 
Dark Data Hiding in your Records: Opportunity or Danger?
Dark Data Hiding in your Records: Opportunity or Danger?Dark Data Hiding in your Records: Opportunity or Danger?
Dark Data Hiding in your Records: Opportunity or Danger?
 
Taking the hard out of hardware
Taking the hard out of hardwareTaking the hard out of hardware
Taking the hard out of hardware
 
Stegano Forensics
Stegano ForensicsStegano Forensics
Stegano Forensics
 
Thumbcoil: How we got here...
Thumbcoil: How we got here...Thumbcoil: How we got here...
Thumbcoil: How we got here...
 
Keith J. Jones, Ph.D. - Crash Course malware analysis
Keith J. Jones, Ph.D. - Crash Course malware analysisKeith J. Jones, Ph.D. - Crash Course malware analysis
Keith J. Jones, Ph.D. - Crash Course malware analysis
 
Disk forensics for the lazy and the smart
Disk forensics for the lazy and the smartDisk forensics for the lazy and the smart
Disk forensics for the lazy and the smart
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineering
 
Nerd sniping myself into a rabbit hole... Streaming online audio to a Sonos s...
Nerd sniping myself into a rabbit hole... Streaming online audio to a Sonos s...Nerd sniping myself into a rabbit hole... Streaming online audio to a Sonos s...
Nerd sniping myself into a rabbit hole... Streaming online audio to a Sonos s...
 
Iso burning for morons
Iso burning for moronsIso burning for morons
Iso burning for morons
 

Mehr von Ange Albertini

Beyond your studies
Beyond your studiesBeyond your studies
Beyond your studies
Ange Albertini
 

Mehr von Ange Albertini (20)

Technical challenges with file formats
Technical challenges with file formatsTechnical challenges with file formats
Technical challenges with file formats
 
Relations between archive formats
Relations between archive formatsRelations between archive formats
Relations between archive formats
 
Abusing archive file formats
Abusing archive file formatsAbusing archive file formats
Abusing archive file formats
 
You are *not* an idiot
You are *not* an idiotYou are *not* an idiot
You are *not* an idiot
 
KILL MD5
KILL MD5KILL MD5
KILL MD5
 
Beyond your studies
Beyond your studiesBeyond your studies
Beyond your studies
 
An introduction to inkscape
An introduction to inkscapeAn introduction to inkscape
An introduction to inkscape
 
Exploiting hash collisions
Exploiting hash collisionsExploiting hash collisions
Exploiting hash collisions
 
Infosec & failures
Infosec & failuresInfosec & failures
Infosec & failures
 
Connecting communities
Connecting communitiesConnecting communities
Connecting communities
 
TASBot - the perfectionist
TASBot - the perfectionistTASBot - the perfectionist
TASBot - the perfectionist
 
Hacks in video games
Hacks in video gamesHacks in video games
Hacks in video games
 
Let's write a PDF file
Let's write a PDF fileLet's write a PDF file
Let's write a PDF file
 
An overview of potential leaks via PDF
An overview of potential leaks via PDFAn overview of potential leaks via PDF
An overview of potential leaks via PDF
 
Advanced Pdf Tricks
Advanced Pdf TricksAdvanced Pdf Tricks
Advanced Pdf Tricks
 
Preserving arcade games - 31c3
Preserving arcade games - 31c3Preserving arcade games - 31c3
Preserving arcade games - 31c3
 
Preserving arcade games
Preserving arcade gamesPreserving arcade games
Preserving arcade games
 
Let's talk about...
Let's talk about...Let's talk about...
Let's talk about...
 
Hide Android applications in images
Hide Android applications in imagesHide Android applications in images
Hide Android applications in images
 
Let's play with crypto! v2
Let's play with crypto! v2Let's play with crypto! v2
Let's play with crypto! v2
 

Kürzlich hochgeladen

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Kürzlich hochgeladen (20)

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 

The challenges of file formats

  • 1. Ange Albertini the challenges of file formats sharing my perspectives with the DigiPres community
  • 2. USE CRAFTDISSECt My perspectives PRESERVE Malicious files Extreme files Documents Video Games Load/save share
  • 3. tinkering with Computers for 30+ years... since MO5 (1984) I draw many kinds of things...github.com/corkami/pics
  • 4. ...and document file formats. github.com/corkami/docs
  • 5. The first use of file formats: "Save your progress"
  • 6. Ever printed something that looked nothing like what you have on screen? Story time: A document without vowels
  • 7. Enabling people to share information: a Wonderful digital language.
  • 8. Ever tried to import someone else's Word document ? "Ouch !"
  • 9. The developer relies on the specifications to add support in their library.
  • 10. Preserve... - Insert rant here - Web pages anyone ? ;)
  • 11. The archivist wants to make sure that their data will be re-usable much later.
  • 12. Ever tried to re-import an old Word document ? R.I.P. Formatting (at best)
  • 13. I'm also a Reverse Engineer ● Interested since 1989 ● Video games preservation in 1999 Science & Vie Micro, November 1989 Instructions to manually remove a boot sector virus
  • 14. But… we live in dark times!
  • 15. PRofessionally ● 12 years of malware analysis ● Executables, documents... Note: this talk reflects my own opinion, not my employer.
  • 16. Attackers will try to take advantages of weaknesses...
  • 17. Black hats Find (and sell) vulnerabilities in software that can be exploited to steal information or money, or spy on people (and get them arrested…). Goals: bypass security, hack into systems.
  • 18. Find bugs to hack your target. - Analyze code (source) or disassembly (the binary itself) - Blind fuzzing (flip bits randomly and see what happens) - Generational fuzzing (according to the structure of the file format) - Smart fuzzing (modify/instrument/analyse code)
  • 19. ...while defenders will try to prevent this from happening.
  • 20. Do the same as the bad guys But disclose and fix vulnerabilities (see Bug Bounties) - Remove the low-hanging fruits from the tree. - Controlled burn to prevent huge fires. => improve practices IMHO file formats should receive this treatment too.
  • 21. Anti-malware industry 1- Analyze files 2- Determine if they're corrupted, or malicious 3- come up with ways to detect them 4- improve defenses
  • 22. Malware analyst or DFIR are looking for clues. (typically, I open files with a hex editor first)
  • 23. Digital Forensics - Incident Response determine if and how a file or system was: - hacked - tampered with (casino machines) - If data was stolen (copyright infrigment)
  • 24. One more thing... So far, just InfoSec things: nothing for the DigiPres world.
  • 25. PRofessionally (next) - I was fed up of being only retroactive to attackers' "innovation" - I started to experiment and create my own files, from scratch. And share them openly and freely.
  • 26. A single file with multiple types: It's not a gadget, It's actually useful to hack people! Used in the wild, in 2008! https://en.wikipedia.org/wiki/Gifar Polyglots Image Java
  • 27. a mini PDF (Adobe-only, 36 bytes) "Too small to be Suspicious!" (or even considered valid) %PDF-0trailer<</Root<</Pages<<>>>>>>
  • 28. How do I do it ? 1. I study a simple file with the specs 2. I create my own script to reproduce it (Standard tools usually don't give you total control) 3. I can now create my own files, with full control 4. I can then experiment, and optionally, document and visualize.
  • 29.
  • 30. my collection of hand-made executablesand "documentation" (completely free).
  • 31. Victor Frankeinstein Initially, I started with simpler stuff But… it excalated quickly :) Dual headed cow Loooooong !
  • 32. a presentation slide deck viewing itself (PDF viewer and PDF document) PDF viewer PDF slides
  • 33. HTML JavaScript Java Windows executable PDF 2 standard infection chains in a single file
  • 34. 1 3DES Mixing binary and cryptography AESK AESK JPG JAR (ZIP + CLASS) PDF FLV PNG 2
  • 35. a Java & JavaScript polyglot - at source level unicode //
  • 36. a Java & JavaScript polyglot - at binary level
  • 37. => Java = JavaScript Yes, your management was right all along ;)
  • 38. My own Resume is a PDF, compatible Nintendo and Sega
  • 39. https://www.w3.org/Graphics/JPEG/jfif3.pdf I crafted the binary structure of the files with the first SHA1 collision. These files violate the specifications! And yet they work everywhere. same SHA-1
  • 40. These files display their own MD5! (not by me) PDF GIF Nintendo Rom
  • 41. a JavaScript || GIF polyglot (useful to embed payload - also works with JPG or BMP) image JavaScript
  • 42. "useless?"I remove potential traps by researching, And I train myself with extreme files. Also, some of these were used in the wild to attack people, And I can reproduce key features into shareable files. Isn't this all
  • 43. My perspective: 1- What is a file? A sequence of byte(s) Any parser can give an incomplete perspective. I open most files first with a hex editor (out of curiosity, at least)Yes, I'm a hex-addict ;)
  • 44. 2- What is a VALID file? A file loaded successfully by a parser/loader/processor. A file in itself is nothing.
  • 46. Specifications. In reality, they are more complex, often for no particular reason (see design by commitee)
  • 47. Specifications. Now comes a software that takes these files as input. This software defines validity (the parser/loader), not the specifications. READER
  • 48. Specifications are irrelevant! As long as the file 'works as intended'.
  • 52. size=0 create empty file Let's create… an EMPTY file!
  • 53. Is it valid? Yes: Transient Commands are copied blindly and execution started at offset zero.
  • 54. Does it do anything? Transient Memory Area is not Cleared between executions, so the previous command is re-executed.
  • 55. works as intended Under a commercial OS from 1985, the empty file is valid, useful and reliable. It was even sold as a commercial program for £5.
  • 56. Takeaway - it's old-school, obsolete… - And yet this example is pure simplicity… to prove that the software defines the rules! - The specifications are volatile…. the software is the ground truth.
  • 57. Text files What could go wrong? Just a bad encoding maybe?
  • 58. This is a … malicious Flash file !!No, not base64 - it's directly executable as is! But, aren't Flash files... pure binary!? CWSMIKI0hCD0Up0IZUnnnnnnnnnnnnnnnnnnnUU5nnnnnn3Snn7iiudIbEAt333swW0ssG03 sDDtDDDt0333333Gt333swwv3wwwFPOHtoHHvwHHFhH3D0Up0IZUnnnnnnnnnnnnnnnnnnnU U5nnnnnn3Snn7YNqdIbeUUUfV13333333333333333s03sDTVqefXAxooooD0CiudIbEAt33 swwEpt0GDG0GtDDDtwwGGGGGsGDt33333www033333GfBDTHHHHUhHHHeRjHHHhHHUccUSsg SkKoE5D0Up0IZUnnnnnnnnnnnnnnnnnnnUU5nnnnnn3Snn7YNqdIbe13333333333sUUe133 333Wf03sDTVqefXA8oT50CiudIbEAtwEpDDG033sDDGtwGDtwwDwttDDDGwtwG33wwGt0w33 333sG03sDDdFPhHHHbWqHxHjHZNAqFzAHZYqqEHeYAHlqzfJzYyHqQdzEzHVMvnAEYzEVHMH bBRrHyVQfDQflqzfHLTrHAqzfHIYqEqEmIVHaznQHzIIHDRRVEbYqItAzNyH7D0Up0IZUnnn nnnnnnnnnnnnnnnnUU5nnnnnn3Snn7CiudIbEAt33swwEDt0GGDDDGptDtwwG0GGptDDww0G DtDDDGGDDGDDtDD33333s03GdFPXHLHAZZOXHrhwXHLhAwXHLHgBHHhHDEHXsSHoHwXHLXAw XHLxMZOXHWHwtHtHHHHLDUGhHxvwDHDxLdgbHHhHDEHXkKSHuHwXHLXAwXHLTMZOXHeHwtHt HHHHLDUGhHxvwTHDxLtDXmwTHLLDxLXAwXHLTMwlHtxHHHDxLlCvm7D0Up0IZUnnnnnnnnnn nnnnnnnnnUU5nnnnnn3Snn7CiudIbEAtuwt3sG33ww0sDtDt0333GDw0w33333www033GdFP DHTLxXThnohHTXgotHdXHHHxXTlWf7D0Up0IZUnnnnnnnnnnnnnnnnnnnUU5nnnnnn3Snn7C iudIbEAtwwWtD333wwG03www0GDGpt03wDDDGDDD33333s033GdFPhHHkoDHDHTLKwhHhzoD HDHTlOLHHhHxeHXWgHZHoXHTHNo4D0Up0IZUnnnnnnnnnnnnnnnnnnnUU5nnnnnn3Snn7Ciu dIbEAt33wwE03GDDGwGGDDGDwGtwDtwDDGGDDtGDwwGw0GDDw0w33333www033GdFPHLRDXt hHHHLHqeeorHthHHHXDhtxHHHLravHQxQHHHOnHDHyMIuiCyIYEHWSsgHmHKcskHoXHLHwhH HvoXHLhAotHthHHHLXAoXHLxUvH1D0Up0IZUnnnnnnnnnnnnnnnnnnnUU5nnnnnn3SnnwWNq dIbe133333333333333333WfF03sTeqefXA888oooooooooooooooooooooooooooooooooo oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo oooooooooooooooooooooooooooooooo888888880Nj0h <= "Hello World" in Flash: It's a lot of non-ASCII!
  • 59. Flash can be compressed with ZIP's Deflate. Which can use the Huffman algorithm, in which case you supply a code dictionary. You can craft such a dictionary to 'expand' your data, But in return it's ascii-only. >>> zlib.decompress('xf3Hxcdxc9xc9Wx08xcf/xcaIQxe4x02x00 x91x04H',-8) 'Hello World!n' >>> zlib.decompress("D0Up0IZUnnnnnnnnnnnnnnnnnnnUU5nnnnnn3SUUnUUUwCiudIbEAtwwwEt3 33wwG0swGpDDGpDDwDDDGtD33333s033333GdFPkWwwOaGOowgQ4", -8) 'Hello World!n' https://molnarg.github.io/ascii-flash/ascii-flash.pdf https://github.com/molnarg/ascii-zip
  • 60. Valid Flash files entirely in ASCII: -> bypassed all filters -> abused most websites https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
  • 61. Specifications are blurry. There's always a corner case that is not clarified.
  • 62. Specifications are imperfect. I know no perfect specifications.except for the empty file? :) I could only make specifications better by finding problems before they were finalized and set in stone.
  • 63.
  • 64. The real problem ● Unlike laws, specifications are not enforced. ● Not updated either. Set in stone. ● The problem remains the same - and grows with time. ● Survival of the fittest software: the Winner decides the rules. Specifications Conformity (Whatever that means)
  • 65. Specifications. Now comes a software that creates these files. Their planned features and actual abilities of readers and writers may not overlap. Writer READER
  • 66. Large Format Scanners: Infinite "height" scans -> image height fixed to 65535! Tolerated by LibJPEG, So valid everywhere! Detected by Anti-Virus, because it was used to exploit MS04-028.
  • 67. Specifications are not updated: They become outdated and irrelevant.
  • 68. File formatsSome specifications are even worse: They're nothing but… a"gentle introduction": Almost useless from the start. Data is in the .data section SEEN ON TV
  • 69. Divergences As specifications are not perfect, They are interpreted by different people in different ways: So one file may work on one reader, not on the other one.
  • 71. %PDF 1 0 obj << /Pages << /Kids [ << /Contents 2 0 R >> ] >> >> 2 0 obj <<>> stream 95 Tf 20 400 Td (Chrome) Tj endstream trailer << /Root 1 0 R >> %PDF-1. 1 0 obj << /Kids [<< /Parent 1 0 R /Resources <<>> /Contents 2 0 R >>] >> 2 0 obj <<>> stream BT /F1 110 Tf 10 400 Td (Adobe Reader) Tj ET endstream endobj trailer << /Root << /Pages 1 0 R >> >> working PDFs
  • 72. %PDF-1. 1 0 obj << /Kids [<< /Parent 1 0 R /Resources <<>> /Contents 2 0 R >>] >> 2 0 obj <<>> stream BT /F1 110 Tf 10 400 Td (Adobe Reader) Tj ET endstream endobj trailer << /Root << /Pages 1 0 R >> >> truncated signature direct /Kids No /Type No /Font No /CountNo /Type No /Length No XREF Direct /Root No /Size No /Type No startxref No %%EOF %PDF 1 0 obj << /Pages << /Kids [ << /Contents 2 0 R >> ] >> >> 2 0 obj <<>> stream 95 Tf 20 400 Td (Chrome) Tj endstream trailer << /Root 1 0 R >> very truncated signature direct /Kids No /Type No /Font No /CountNo /Type No /Resources No endobj No /Length No XREF Direct /Root No /Size No /Type No startxref No %%EOF No BT/ET No Font selection INVALID? INVALID? No /Parent
  • 74. I made extreme PDFs for each reader [by hand].
  • 75. These extreme PDFs fail on any other reader.
  • 76. Specifications. If one of these software becomes standard, the other software will have to adapt to it. Writer READER
  • 77. RECOVERY Since there's no official 'direction', other softwares may have to be taken into consideration.
  • 78. Take a standard PDF. (it opens in Adobe with no warnings)
  • 79. If you modify its XREF table, it won't work correctly...
  • 80. ...or maybe even not open at all!
  • 81. But if you ERASE the XREF table, Adobe will fall back to recovery mode, and open the file without any warning!
  • 82. Schizophrenia Different contents (clean & malicious) can be combined In the same file, to bypass security or fool softwares.
  • 83. Zip archives 3 different softwares will see 3 different archives from the same file This enabled a critical vulnerability in all Android devices in 2013: validate a content, execute a different one! 1 2 3
  • 84. PDF The trailer defines the start of the document tree. See a different trailer -> see a completely different document! Several trailers can co-exist in the same file, and Parsers tolerate 'unused' objects (referenced by unseen trailers).
  • 85. 3 different documents as seen by 3 different readers in the same file (such things even happen accidentally in the wild!) commented line - seen by PDFium missing trailer keyword, but seen by Poppler Standard trailer - the only one seen by Adobe Reader
  • 86. It used to work with PDF/A too (OK for Adobe Reader, but not for Preflight)
  • 87. What you see is not always what you print - when you use Layers [O ptional C ontent G roups]! Fun fact: you can’t change the printing output with Adobe Reader ;) Layers present
  • 88. 1 image (same data), 2 palettes
  • 89. Is this just an infinite vicious circle? Do we need a great fire destroying our knowledge so that we build file formats in a smarter way? Or ultimately, we'll forget our roots and just maintain stacks of emulation layers…?
  • 90. Law enforcements Like archivists, investigators rely on softwares to determine if someone is guilty or not. These softwares rely on the same blurry specs… They're vulnerable to the same problems. Same file, two different tabs
  • 91. http://www.pdfa.org/2015/10/whats-unique-about-pdf/ - Flash is now dying, for security reasons. - Adobe is out of the game for PDF. - Looking at PDF 2.0, I'm very skeptical… (many extra security risks)
  • 92. - specs & software tolerated to encode a (malicious) JavaScript as JPEG. - This was used to bypass security scans. - This 'feature' was killed to improve security -> specifications were never updated -> they're now clearly outdated. script == picture
  • 93. PDF is great, but... No major actor (Adobe) behind it anymore? PDF 2.0 is too different? Too permissive security-wise? (Don't get me wrong, I really like to [ab]use PDF)
  • 94. My point of view: need to create better corpuses To demonstrate the current state of things. To determine the actual limits of file formats. To make automation easier for everyone. Atomic - Copyright-free - PII-free
  • 95. Preservation Content, or the files? And private data? Preserving usually means "saving to a safer format" This means we gave up on the original format… But which one is safe? We need to preserve interesting files as-is too.
  • 96. We don't need 'safer' formats(whatever that means) Yet another format? Blurry specs, Divergences, Unclear corner cases...
  • 97. We need a new process: File formats should be alive! Like cryptography: Updates, deprecations… -> eventually uniform standardisation With a date, a version number, a commit. Up to date specifications and open validator. Once things are properly documented, we could go back easily.
  • 98. Why doesn't it happen? Because we haven't proved enough yet how broken they are? In cryptography, there are official competitions to break the drafts before choosing the standard: survival of the fittest before setting standards in stone.
  • 100. - Files formats are awesome (Even PDF!) - Except when they don't work as expected :) - Specifications are not challenged enough. - formats authorship is not a liability. We need to develop our expertises and share our knowledge.
  • 102. Extra resourcesFunky files formats: https://speakerdeck.com/ange/funky-file-formats-31c3 Schizophrenic files: https://speakerdeck.com/ange/schizophrenic-files-v2 Abusing file formats: https://archive.org/stream/pocorgtfo07#page/n17/mode/2up