Unicode Security Issues
Carter Weiss - Hokulewa Associates
2000-01 was a bad year for Microsoft IIS Web servers, and a good year for viruses. Hackers discovered errors in IIS UTF-8 canonicalization routines, and used them in attacks on prominent Web sites, and later in creation of major viruses. Poorly-informed tech writers described Unicode in terms like "this insidious virus factory".
What are the major Unicode security issues?
This paper examines Unicode from a network security point of view. We begin by examining specific vulnerabilities listed in public online catalogs, and implemented in commercial and open source NIDS (network intrusion detection systems).
The common theme in Unicode-based exploits has been manipulation of parsing errors in specific products. Most of these involve UTF-8, specifically the creation and interpretation of the byte-sequence representations of UTF-8 used for transmission on the wire. We show how these flaws can be used to create standard security breaches, like buffer overflows, directory traversal, exploiting web scripting, and evading NIDS filtering.
We go on to illustrate how these flaws have been exploited to create tools for publicly available hacker tool kits, which led to the major exploits in the "Year of the Viruses".
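The canonicalization error the abstract refers to is easiest to see in a decoder. The following is an added illustration, not code from the paper or from any product it discusses: a small hand-written UTF-8 decoder with a "lenient" mode that accepts overlong sequences (a code point encoded in more bytes than it needs, which RFC 3629 forbids) and a "strict" mode that refuses them, plus two request-handling orders, one that checks the raw bytes before decoding and one that decodes strictly before checking. The function names, the path check and the sample inputs (including the overlong two-byte form of "." that RFC 3629's security section uses as its example) are constructed for this example.

```python
"""Strict vs. lenient UTF-8 decoding, and why decode-then-check matters.

Constructed example: shows the class of canonicalization error described in
the abstract from the defender's side. A lenient decoder turns bytes that are
not literally ".." into "..", so any check done on the raw bytes is bypassed;
a strict decoder rejects the overlong form outright.
"""


def decode_utf8(data: bytes, strict: bool = True) -> str:
    """Decode UTF-8 by hand so the overlong check is visible.

    strict=True  -> reject overlong encodings, surrogates and out-of-range
                    code points, as RFC 3629 requires.
    strict=False -> accept overlong encodings (the flawed behaviour).
    Raises ValueError on any malformed input.
    """
    out = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:                      # 1-byte ASCII
            cp, length, minimum = b, 1, 0
        elif 0xC0 <= b <= 0xDF:           # 2-byte lead (110xxxxx)
            cp, length, minimum = b & 0x1F, 2, 0x80
        elif 0xE0 <= b <= 0xEF:           # 3-byte lead (1110xxxx)
            cp, length, minimum = b & 0x0F, 3, 0x800
        elif 0xF0 <= b <= 0xF7:           # 4-byte lead (11110xxx)
            cp, length, minimum = b & 0x07, 4, 0x10000
        else:
            raise ValueError(f"invalid lead byte 0x{b:02x} at offset {i}")
        if i + length > n:
            raise ValueError(f"truncated sequence at offset {i}")
        for j in range(1, length):        # continuation bytes: 10xxxxxx
            c = data[i + j]
            if c & 0xC0 != 0x80:
                raise ValueError(f"bad continuation byte at offset {i + j}")
            cp = (cp << 6) | (c & 0x3F)
        # The overlong test is the only thing the lenient decoder skips.
        if strict and cp < minimum:
            raise ValueError(f"overlong encoding of U+{cp:04X} at offset {i}")
        if 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            raise ValueError(f"invalid code point U+{cp:04X} at offset {i}")
        out.append(chr(cp))
        i += length
    return "".join(out)


def strict_accepts(data: bytes) -> bool:
    """True if the strict decoder accepts the bytes, False if it rejects them."""
    try:
        decode_utf8(data, strict=True)
        return True
    except ValueError:
        return False


def is_safe_relative_path(path: str) -> bool:
    """Reject any path segment equal to '..' (parent-directory traversal)."""
    return all(seg != ".." for seg in path.replace("\\", "/").split("/"))


def serve_check_then_decode(raw: bytes) -> str:
    """Flawed order: check the raw bytes as if they were characters, then decode leniently.
    Returns the path that would be opened, or 'rejected'."""
    if not is_safe_relative_path(raw.decode("latin-1")):
        return "rejected"
    try:
        return decode_utf8(raw, strict=False)
    except ValueError:
        return "rejected"


def serve_decode_then_check(raw: bytes) -> str:
    """Hardened order: decode strictly (overlong forms refused), then check the canonical string."""
    try:
        path = decode_utf8(raw, strict=True)
    except ValueError:
        return "rejected"
    return path if is_safe_relative_path(path) else "rejected"


if __name__ == "__main__":
    # Constructed sample requests: plain ASCII traversal, a legitimate non-ASCII
    # name, and the overlong two-byte encoding of "." (C0 AE) doubled before "/".
    samples = [b"docs/index.html", b"../secret", b"caf\xc3\xa9/menu",
               b"\xc0\xae\xc0\xae/secret"]
    for raw in samples:
        print(f"{raw!r:32} check-then-decode={serve_check_then_decode(raw)!r:14} "
              f"decode-then-check={serve_decode_then_check(raw)!r}")
```

The point of the two `serve_*` functions is the ordering: a filter that inspects bytes before the server's own decoder has produced canonical text is checking a different string from the one the file system will see. The same reasoning applies to a NIDS signature matched against raw wire bytes while the target decodes them leniently, which is the evasion the abstract describes.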
The paper also covers the possible exploitation of Unicode spoofing, and its relationship to the increasingly complex use of Web proxying.
The paper concludes with a brief overview of the current state of network security as it relates to Unicode: where are the threats and vulnerabilities, and where can Unicode professionals expect our core technology to be used as the basis of future security breaches?
International Unicode Conferences are organized by Global Meeting Services, Inc., (GMS).
22 May 2002, Webmaster