UnicodeIUC22
Abstract

Unicode Security Issues

Carter Weiss - Hokulewa Associates

Intended Audience: Managers, Software Engineers
Session Level: Beginner, Intermediate

2000-01 was a bad year for Microsoft IIS Web servers, and a good year for viruses. Hackers discovered errors in the IIS UTF-8 canonicalization routines and used them in attacks on prominent Web sites, and later in the creation of major viruses. Poorly informed tech writers described Unicode in terms like "this insidious virus factory".

What are the major Unicode security issues?

This paper examines Unicode from a network security point of view. We begin by examining specific vulnerabilities listed in public online catalogs and implemented as signatures in commercial and open-source NIDS (network intrusion detection systems).

The common theme in Unicode-based exploits has been the manipulation of parsing errors in specific products. Most of these involve UTF-8, specifically the creation and interpretation of the byte-sequence representations of UTF-8 used for transmission on the wire. We show how these flaws can be used to create standard classes of security breach: buffer overflows, directory traversal, exploitation of web scripting, and evasion of NIDS filtering.
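To make the parsing-error class concrete, here is an added example that is not code from the paper: a hand-written UTF-8 decoder whose shortest-form check can be switched off to mimic a lenient decoder, and a path canonicalizer that applies its traversal check only after decoding. It assumes (the abstract gives no detail) that the canonicalization errors referred to are decoders accepting non-shortest, "overlong" sequences, so that several byte strings map to one character; the sample inputs are constructed.

```python
# Added example, not code from the paper. Assumption: the canonicalization errors
# the abstract refers to are decoders that accept non-shortest ("overlong") UTF-8
# forms, so several byte sequences decode to one character and a filter that
# inspects the raw bytes does not see what the server sees after decoding.
from urllib.parse import unquote_to_bytes


def utf8_decode(data: bytes, strict: bool = True) -> str:
    """Decode UTF-8 by hand; strict=False mimics a decoder that accepts overlong forms."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            n, cp, lo = 0, b, 0
        elif 0xC0 <= b <= 0xDF:
            n, cp, lo = 1, b & 0x1F, 0x80
        elif 0xE0 <= b <= 0xEF:
            n, cp, lo = 2, b & 0x0F, 0x800
        elif 0xF0 <= b <= 0xF7:
            n, cp, lo = 3, b & 0x07, 0x10000
        else:
            raise ValueError(f"invalid lead byte {b:#x} at offset {i}")
        if i + n >= len(data):
            raise ValueError(f"truncated sequence at offset {i}")
        for k in range(1, n + 1):
            c = data[i + k]
            if c & 0xC0 != 0x80:
                raise ValueError(f"invalid continuation byte {c:#x} at offset {i + k}")
            cp = (cp << 6) | (c & 0x3F)
        # lo is the smallest code point a sequence of this length may legitimately carry;
        # anything below it is an overlong form, and a strict decoder rejects it.
        if strict and cp < lo:
            raise ValueError(f"overlong encoding of U+{cp:04X} at offset {i}")
        if 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            raise ValueError(f"invalid code point {cp:#x} at offset {i}")
        out.append(chr(cp))
        i += n + 1
    return "".join(out)


def canonical_path(raw: str, strict: bool = True) -> str:
    """Percent-decode, UTF-8-decode, then reject '..' segments in the canonical form.

    Checking the raw request string for '..' segments before decoding is the
    ordering mistake: a lenient decoder can still produce a '..' segment afterwards."""
    path = utf8_decode(unquote_to_bytes(raw), strict)
    if ".." in path.replace("\\", "/").split("/"):
        raise PermissionError(f"directory traversal in {path!r}")
    return path
```

With the constructed input `b"\xc0\xaf"` (an overlong two-byte form of `/`), the strict decoder raises `ValueError`, while the lenient one silently yields `/`.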

We go on to illustrate how these flaws have been exploited to create tools for publicly available hacker tool kits, which led to the major exploits in the "Year of the Viruses".

The paper also covers the possible exploitation of Unicode spoofing, and its relationship to the increasingly complex use of Web proxying.

The paper concludes with a brief overview of the current state of network security as it relates to Unicode: where are the threats and vulnerabilities? Where can Unicode professionals expect our core technology to be used as the basis of future security breaches?



International Unicode Conferences are organized by Global Meeting Services, Inc., (GMS). GMS is pleased to be able to offer the International Unicode Conferences under an exclusive license granted by the Unicode Consortium. All responsibility for conference finances and operations is borne by GMS. The independent conference board serves solely at the pleasure of GMS and is composed of volunteers active in Unicode and in international software development. All inquiries regarding International Unicode Conferences should be addressed to info@global-conference.com.

Unicode and the Unicode logo are registered trademarks of Unicode, Inc. Used with permission.

22 May 2002, Webmaster