Adrian Dabrowski @ IEEE S&P
Adrian Dabrowski presents his paper “Error-Correcting Codes as Source for Decoding Ambiguity” at LangSec Workshop, which is held in conjunction with IEEE Security & Privacy on Thursday May 21, 2015.
Abstract: Data decoding, format, or language ambiguities have been long known for amusement purposes. Only recently, it came to attention that they also pose a security risk. In this paper, we present decoder manipulations based on deliberately caused ambiguities facilitating the error correction mechanisms used in several popular applications. This can be used to encode data in multiple formats or even the same format with different content. Implementation details of the decoder or environmental differences decide which data the decoder locks on. This leads to different users receiving different content based on a language decoding ambiguity. In general, ambiguity is not desired, however in special cases it can be particularly harmful. Format dissectors can make wrong decisions: e.g. a firewall scans based on one format but the user decodes different harmful content. We demonstrate this behavior with popular barcodes and argue that it can be used to deliver exploits based on the software installed, or use probabilistic effects to divert a small percentage of users to fraudulent sites.
Edgar Weippl, Adrian Dabrowksi, Martina Lindorfer and Stefan Brunthaler @ IEEE S&P