Re: Security Risks of Unicode

From: Tex Texin (texin@progress.com)
Date: Sun Jul 16 2000 - 20:35:32 EDT


My first reaction was the problem didn't seem to be any worse than
for other code pages.

But for most code pages, you do not necessarily pass thru code points
that are undefined to the software. You may, or you may not, depending
on the function being performed or the implementation.

However, Unicode requires software to transmit Unicode characters that
are (as yet) undefined to the software. It does seem counter to general
security measures to be passing along characters the software is unsure of.
Perhaps this can be leveraged in an attack.

An interesting thought, although perhaps too easy to detect:
it is possible to modulate a text stream with occasional as yet undefined
characters and so have a hidden message.
For example, I could treat the first 127 characters of plane 5 as equivalent
to ASCII. I could write a message in plane 5 characters and then sprinkle them
into some other Unicode text stream. Software processing the text
would be required to pass along the plane 5 characters.
Although they wouldn't display correctly, if they were sprinkled far enough
apart they might be thought to be due to some other noise. Software listening
in could pluck out just the plane 5 characters and ferret out the hidden
message.

Cool!
tex

Elliotte Rusty Harold wrote:
>
> Bruce Schneier expresses some concerns about "Security Risks of
> Unicode" in the latest issue of his Cryptogram newsletter. Those who
> don't subscribe can see:
>
> http://www.counterpane.com/crypto-gram-0007.html#9
>
> At this point the concerns are mostly theoretical. Nonetheless I
> think they're reasonable, especially when you consider the recent
> discussions here about C1 control characters and the unintended
> consequences of these characters. Throw XML/Unicode encoded
> application protocols like SOAP and XML-RPC into the mix and who
> knows what can happen? Which is pretty much Schneier's point.
>
> Anyway, I'm curious to know what other Unicodists think about the
> potential security implications Schneier raises. I'm not sure if he
> subscribes to this list (unicode@unicode.org,
> http://www.unicode.org/unicode/consortium/distlist.html) or not so I
> cc'd him so he can participate as well.
>
> +-----------------------+------------------------+-------------------+
> | Elliotte Rusty Harold | elharo@metalab.unc.edu | Writer/Programmer |
> +-----------------------+------------------------+-------------------+
> | The XML Bible (IDG Books, 1999) |
> | http://metalab.unc.edu/xml/books/bible/ |
> | http://www.amazon.com/exec/obidos/ISBN=0764532367/cafeaulaitA/ |
> +----------------------------------+---------------------------------+
> | Read Cafe au Lait for Java news: http://metalab.unc.edu/javafaq/ |
> | Read Cafe con Leche for XML news: http://metalab.unc.edu/xml/ |
> +----------------------------------+---------------------------------+

-- 
If practice makes perfect, and nobody's perfect, why practice?
----------------------------------------------------------------------------
Tex Texin                      Director, International Products
mailto:texin@progress.com      +1-781-280-4271 Fax:+1-781-280-4655
Progress Software Corp.        14 Oak Park, Bedford, MA 01730

http://www.progress.com #1 Embedded Database
http://www.SonicMQ.com JMS Messaging- Best Middleware Award
http://www.aspconnections.com #1 provider in the ASP marketplace
http://www.NuSphere.com Open Source software and services for MySQL

Globalization Program http://www.progress.com/partners/globalization.htm
-----------------------------------------------------------------------------
Come to the Panel on Open Source Approaches to Unicode Libraries at the
Sept. Unicode Conference http://www.unicode.org/iuc/iuc17
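A monitoring-side sketch of the channel described in the message above, added here as an example and not part of the original post: it flags code points that the local Unicode database treats as unassigned, groups them by plane, and shows the low-order projection an analyst would inspect. The function names, the sample string and the strip-at-the-boundary policy are assumptions made for illustration.

```python
import unicodedata
from collections import defaultdict

# Constructed sample: ordinary text with two plane 5 code points sprinkled in.
SAMPLE = "The quarterly\U00050068 report is attached\U00050069 for your review."

def find_unassigned(text):
    """Return (index, code point) for each character whose general category
    is Cn, i.e. unassigned in this Python build's Unicode database."""
    return [(i, ord(ch)) for i, ch in enumerate(text)
            if unicodedata.category(ch) == "Cn"]

def triage(text):
    """Group unassigned code points by plane. If every offset within a plane
    falls in printable ASCII, include that projection for the analyst."""
    by_plane = defaultdict(list)
    for _, cp in find_unassigned(text):
        by_plane[cp >> 16].append(cp & 0xFFFF)
    report = {}
    for plane, offsets in sorted(by_plane.items()):
        printable = all(0x20 <= o < 0x7F for o in offsets)
        report[plane] = {
            "count": len(offsets),
            "projection": "".join(map(chr, offsets)) if printable else None,
        }
    return report

def strip_unassigned(text):
    """Assumed local policy for a security boundary: drop unassigned code
    points instead of forwarding them unchanged."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cn")

if __name__ == "__main__":
    for index, cp in find_unassigned(SAMPLE):
        print(f"unassigned U+{cp:05X} at index {index}")
    print(triage(SAMPLE))
    print(strip_unassigned(SAMPLE))
```

Which code points count as unassigned depends on the Unicode version bundled with the runtime, so a monitor on an older database will also flag characters that a newer sender uses legitimately.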



This archive was generated by hypermail 2.1.2 : Tue Jul 10 2001 - 17:21:05 EDT