
Adrian Dabrowski @ IEEE S&P

Adrian Dabrowski presents his paper “Error-Correcting Codes as Source for Decoding Ambiguity” at the LangSec Workshop, held in conjunction with IEEE Security & Privacy, on Thursday, May 21, 2015.

Abstract: Data decoding, format, or language ambiguities have been long known for amusement purposes. Only recently, it came to attention that they also pose a security risk. In this paper, we present decoder manipulations based on deliberately caused ambiguities facilitating the error correction mechanisms used in several popular applications. This can be used to encode data in multiple formats or even the same format with different content. Implementation details of the decoder or environmental differences decide which data the decoder locks on. This leads to different users receiving different content based on a language decoding ambiguity. In general, ambiguity is not desired; however, in special cases it can be particularly harmful. Format dissectors can make wrong decisions: e.g., a firewall scans based on one format but the user decodes different harmful content. We demonstrate this behavior with popular barcodes and argue that it can be used to deliver exploits based on the software installed, or use probabilistic effects to divert a small percentage of users to fraudulent sites.


Edgar Weippl, Adrian Dabrowski, Martina Lindorfer and Stefan Brunthaler @ IEEE S&P
