Pro­ces­sing Dan­ge­rous Paths - On Se­cu­ri­ty and Pri­va­cy of the Por­ta­ble Do­cu­ment For­mat

Jens Mül­ler, Do­mi­nik Noß, Chris­ti­an Main­ka, Vla­dis­lav Mla­de­nov, Jörg Schwenk

28th Net­work and Di­stri­bu­ted Sys­tem Se­cu­ri­ty Sym­po­si­um (NDSS 2021)

Ab­stract

PDF is the de-fac­to stan­dard for do­cu­ment ex­chan­ge. It is com­mon to open PDF files from po­ten­ti­al­ly un­trusted sour­ces such as email at­tach­ments or down­loa­ded from the In­ter­net. In this work, we per­form an in-depth ana­ly­sis of the ca­pa­bi­li­ties of ma­li­cious PDF do­cu­ments. In­s­tead of fo­cu­sing on im­ple­men­ta­ti­on bugs, we abuse le­gi­ti­ma­te fea­tures of the PDF stan­dard its­elf by sys­te­ma­ti­cal­ly iden­ti­fy­ing dan­ge­rous paths in the PDF file struc­tu­re. These dan­ge­rous paths lead to at­tacks that we ca­te­go­ri­ze into four ge­ne­ric clas­ses: (1) De­ni­al-of-Ser­vice at­tacks af­fec­ting the host that pro­ces­ses the do­cu­ment. (2) In­for­ma­ti­on dis­clo­su­re at­tacks lea­king per­so­nal data out of the victim’s com­pu­ter. (3) Data ma­ni­pu­la­ti­on on the victim’s sys­tem. (4) Code exe­cu­ti­on on the victim’s ma­chi­ne. An eva­lua­ti­on of 28 po­pu­lar PDF pro­ces­sing ap­p­li­ca­ti­ons shows that 26 of them are vul­nerable at least one at­tack. Fi­nal­ly, we pro­po­se a me­tho­do­lo­gy to pro­tect against at­tacks based on PDF fea­tures sys­te­ma­ti­cal­ly.

Tags: pdf-se­cu­ri­ty