security and privacy
play

Security and Privacy Jens Mller, Fabian Ising, Christian Mainka, - PowerPoint PPT Presentation

Feb 09, 2024 •239 likes •631 views

Office Document Security and Privacy Jens Mller, Fabian Ising, Christian Mainka, Vladislav Mladenov, Sebastian Schinzel, Jrg Schwenk Overview 1. OOXML/ODF Basics 2. Denial of Service 3. Invasion of Privacy 4. Information Disclosure

  1. Office Document Security and Privacy Jens Müller, Fabian Ising, Christian Mainka, Vladislav Mladenov, Sebastian Schinzel, Jörg Schwenk

  2. Overview 1. OOXML/ODF Basics 2. Denial of Service 3. Invasion of Privacy 4. Information Disclosure 5. Data Manipulation 6. Code Execution 7. Evaluation 2

  3. History: Office Wars • 1990: MS Office 1.0 • 2002: Star Office → OpenOffice.org • 2006: OOXML + ODF standardization • 2010: OpenOffice.org → LibreOffice 3

  4. Two competing standards OOXML (ISO/IEC 29500) ODF (ISO/IEC 26300) Office Open XML Open Document Format 6500 pages 800 pages (some) MS proprietary formats re-use of SVG, MathML, XForms , … .docx, .xlsx, .pptx , … .odt, .ods, .odp , … XML-based, Zip container XML-based, Zip container 4

  5. OOXML Directory Structure 5

  6. OOXML Example 6

  7. ODF Directory Structure 7

  8. ODF Example 8

  9. Attacker Model • Victim opens malicious office document • “Bad things” happen (attack -dependent) 9

  10. Overview 1. OOXML/ODF Basics 2. Denial of Service  Deflate Bomb 3. Invasion of Privacy 4. Information Disclosure 5. Data Manipulation 6. Code Execution 7. Evaluation 10

  11. Deflate Bomb max. compression ratio: 1:1023 11

  12. Overview 1. OOXML/ODF Basics 2. Denial of Service 3. Invasion of Privacy  URL Invocation, Evitable Metadata 4. Information Disclosure 5. Data Manipulation 6. Code Execution 7. Evaluation 12

  13. URL Invocation • Goal: “phone home” to attacker’s server once document is opened 13

  14. URL Invocation CVE-2020-12802 14

  15. URL Invocation 15

  16. Evitable Metadata Source: news.bbc.co.uk 16

  17. Evitable Metadata 17

  18. Overview 1. OOXML/ODF Basics 2. Denial of Service 3. Invasion of Privacy 4. Information Disclosure  Data Exfiltration, File Disclosure, Credential Theft 5. Data Manipulation 6. Code Execution 7. Evaluation 18

  19. Data Exfiltration • Idea: victim obtains spreadsheet; user input values sent to attacker’s server 19

  20. File Disclosure • Idea: include local files on disk 20

  21. File Disclosure 21

  22. File Disclosure 22

  23. File Disclosure 23

  24. Credential Theft • Goal: obtain user’s NTLM hash 24

  25. Credential Theft • Offline cracking – NTLMv2 : modern GPU requires 2,5h for eight chars – NTLMv1, LM : considered broken [Marlinspike2012] • Pass-the-hash or relay attacks – Compare [Ochoa2008, Hummel2009] – Depending on Windows security policy 25

  26. Overview 1. OOXML/ODF Basics 2. Denial of Service 3. Invasion of Privacy 4. Information Disclosure 5. Data Manipulation  File Write Access, Content Masking 6. Code Execution 7. Evaluation 20

  27. File Write Access • Idea: XForms allow local file as target 27

  28. File Write Access CVE-2020-12803 28

  29. Content Masking: OOXML 29

  30. Content Masking: ODF Parsed by MS Office Parsed by LibreOffice 30

  31. Overview 1. OOXML/ODF Basics 2. Denial of Service 3. Invasion of Privacy 4. Information Disclosure 5. Data Manipulation 6. Code Execution  Macros 7. Evaluation 24

  32. Macros 32

  33. Addition Findings CVE-2018-8161 (memory corruption) 33

  34. One-Click RCE in LibreOffice • We can write XML to arbitrary files • LibreOffice config file itself is XML 34

  35. One-Click RCE in LibreOffice CVE-2020-12803 35

  36. Overview 1. OOXML/ODF Basics 2. Denial of Service 3. Invasion of Privacy 4. Information Disclosure 5. Data Manipulation 6. Code Execution 7. Evaluation 28

  37. Evaluation 37

  38. Countermeasures • Removing insecure features • User privacy by default • Limitation of resources • Elimination of ambiguities 38

  39. Conclusion • OOXML and ODF are complex formats • Thorough analysis of dangerous features • One-click pure logic chain RCE in 2020 ;) Artifacts: https://github.com/RUB-NDS/Office-Security 39

Recommend

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security in Healthcare Li Xiong Healthcare security and privacy HIPAA overview Research survey on information security and privacy in healthcare

1.05k views • 57 slides
Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B.

Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B.

5/18/2016 Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B. Authentication 12C. Authorization Security and Privacy 12D. Trust 12E. At-Rest Encryption Mark Kampe (markk@cs.ucla.edu) Security and Privacy

116 views • 8 slides
SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY Christian Kaestner with slides from Eunsuk Kang Required reading: Hulten, Geoff. "Building Intelligent Systems: A Guide to Machine Learning

1.95k views • 113 slides
S & P SECURITY & PRIVACY GROUP Security and Privacy for Payment Channel Networks

S & P SECURITY & PRIVACY GROUP Security and Privacy for Payment Channel Networks

FAKULTT FR !NFORMATIK Faculty of Informatics S & P SECURITY & PRIVACY GROUP Security and Privacy for Payment Channel Networks Pedro Moreno-Sanchez Blockchain Summer School BDLT19 Vienna, Sep 2nd 2019 Blockchain Research

1.41k views • 73 slides
Be,er Privacy and Security via Secure Computa9on Jonathan Katz Security/privacy would be much

Be,er Privacy and Security via Secure Computa9on Jonathan Katz Security/privacy would be much

Be,er Privacy and Security via Secure Computa9on Jonathan Katz Security/privacy would be much easier if there were someone we could all TRUST with our data Be8er data mining -- using MORE data, while respec@ng users PRIVACY

888 views • 35 slides
Web Privacy Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI)

Web Privacy Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI)

CS 563 - Advanced Computer Security: Web Privacy Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI) Administrative Learning Objectives : Consider the difference between security and privacy Discuss work

814 views • 43 slides
Privacy & Security Matters: Privacy & Security Matters: Protecting Personal Data

Privacy & Security Matters: Privacy & Security Matters: Protecting Personal Data

Privacy & Security Matters: Privacy & Security Matters: Protecting Personal Data Protecting Personal Data Privacy & Security Project HIPAA: What it is Health Insurance Portability and Accountability Act of 1996 Also known as

445 views • 26 slides
Healthcare privacy and security Li Xiong CS573 Data Privacy and Security Patients Are Concerned

Healthcare privacy and security Li Xiong CS573 Data Privacy and Security Patients Are Concerned

Healthcare privacy and security Li Xiong CS573 Data Privacy and Security Patients Are Concerned Did you know... 77 percent of all Americans feel their personal health information privacy is very important, and 84 percent said they

769 views • 50 slides
How Badly Broken is Privacy Legislation? And what can we do to fix it? 17th Annual Privacy and

How Badly Broken is Privacy Legislation? And what can we do to fix it? 17th Annual Privacy and

How Badly Broken is Privacy Legislation? And what can we do to fix it? 17th Annual Privacy and Security Conference Privacy and Security by Choice, not Chance Afternoon Workshop Wednesday February 3, 2016 Victoria, B.C. Canada Gerry Bliss

1.11k views • 63 slides
CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local

CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local

CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local Differential Privacy in Practice (Module 1) Graham Cormode, Somesh Jha, Tejas Kulkarni, Ninghui Li, Divesh Srivastava, and Tianhao Wang Differential

819 views • 38 slides
Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

CISPA Center for IT Security, Privacy and Accountabiltiy Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals, groups, or institutions to determine for themselves when,

573 views • 26 slides
Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in vehicular networks; Security and Cooperation in Wireless Networks Georg-August University Gttingen Chapter outline 1 Important privacy related

1.12k views • 33 slides
The Vital Need for Privacy and Security by Design Ann Cavoukian, Ph.D. Executive Director

The Vital Need for Privacy and Security by Design Ann Cavoukian, Ph.D. Executive Director

The Vital Need for Privacy and Security by Design Ann Cavoukian, Ph.D. Executive Director Global Privacy & Security by Design Centre Technion Summer School on Cyber Security Haifa, Israel September 9, 2020 Lets Dispel The Myths

929 views • 55 slides
CS573 Data Privacy and Security Location Privacy Location Privacy Yonghui (Yohu) Xiao htt //

CS573 Data Privacy and Security Location Privacy Location Privacy Yonghui (Yohu) Xiao htt //

CS573 Data Privacy and Security Location Privacy Location Privacy Yonghui (Yohu) Xiao htt // http://yxiao.info i i f Outline Outline What is Location Privacy Basic Techniques Private Information Retrieval Probabilistic

415 views • 24 slides
Security and Privacy at WINLAB Security and Privacy at WINLAB Wade Trappe Overview and Lead-

Security and Privacy at WINLAB Security and Privacy at WINLAB Wade Trappe Overview and Lead-

Security and Privacy at WINLAB Security and Privacy at WINLAB Wade Trappe Overview and Lead- -In In Overview and Lead Security has been one of the great detractors for wireless technologies WINLABs security initiatives:

642 views • 13 slides
Admin Today: finish web privacy, start mobile security Friday: Lab #2 due (8pm)

Admin Today: finish web privacy, start mobile security Friday: Lab #2 due (8pm)

CSE 484 / CSE M 584: Computer Security and Privacy Web Privacy [finish] Mobile Platform Security [start] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner,

535 views • 29 slides
Privacy and Security by Design: Regulatory Compliance Will Not be Enough to Preserve our Privacy

Privacy and Security by Design: Regulatory Compliance Will Not be Enough to Preserve our Privacy

Privacy and Security by Design: Regulatory Compliance Will Not be Enough to Preserve our Privacy Ann Cavoukian, Ph.D. Distinguished Expert-in-Residence Privacy by Design Centre of Excellence Ryerson University Ryerson CSR Institute / PPOCIR

3.12k views • 64 slides
Social Network Privacy W2SP 2010: WEB 2.0 SECURITY AND PRIVACY 2010 Kurt Opsahl Why is privacy

Social Network Privacy W2SP 2010: WEB 2.0 SECURITY AND PRIVACY 2010 Kurt Opsahl Why is privacy

Social Network Privacy W2SP 2010: WEB 2.0 SECURITY AND PRIVACY 2010 Kurt Opsahl Why is privacy important? If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged.

725 views • 31 slides
Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity

Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity

5/24/2017 Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity of our software and systems 12B. Authentication millions of lines of code, thousands of developers rich and powerful protocols

533 views • 14 slides
Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity

Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity

5/18/2018 Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity of our software and systems 12B. Authentication millions of lines of code, thousands of developers rich and powerful protocols

374 views • 9 slides
Personal Security and Privacy in Personal Security and Privacy in Ubiquitous Computing Marc

Personal Security and Privacy in Personal Security and Privacy in Ubiquitous Computing Marc

Personal Security and Privacy in Personal Security and Privacy in Ubiquitous Computing Marc Langheinrich Institute for Pervasive Computing Institute for Pervasive Computing ETH Zurich, Switzerland Approaches to Security & Privacy in

749 views • 39 slides
CS 683 - Security and Privacy Fall 2019 Instructor: Karim Eldefrawy University of San Francisco

CS 683 - Security and Privacy Fall 2019 Instructor: Karim Eldefrawy University of San Francisco

CS 683 - Security and Privacy Fall 2019 Instructor: Karim Eldefrawy University of San Francisco http://www.cs.usfca.edu/~keldefrawy/teaching /fall2019/cs683/cs683_main.htm 1 Privacy cy and Anonymity 2 Privacy Privacy and Society

869 views • 86 slides
The Security-Privacy tension: recent developments in the U.K. and elsewhere James Davenport

The Security-Privacy tension: recent developments in the U.K. and elsewhere James Davenport

The Security-Privacy tension: recent developments in the U.K. and elsewhere James Davenport Hebron & Medlock Professor of Information Technology University of Bath (U.K.) 16 January 2014 Overall Thesis When it comes to security/privacy,

419 views • 18 slides
Mobile Device Security and Privacy Information Security and Privacy Office January 2012 Agenda

Mobile Device Security and Privacy Information Security and Privacy Office January 2012 Agenda

Mobile Device Security and Privacy Information Security and Privacy Office January 2012 Agenda Protecting mobile devices and your privacy Protecting Mobile Devices and Your Privacy Before We Start The City of Phoenix does not

971 views • 52 slides

More recommend