0
00:00:00,000 --> 00:00:30,000
Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/427 Thanks!

1
00:00:16,810 --> 00:00:19,299
OK, so welcome to my talk.

2
00:00:19,300 --> 00:00:21,099
My name is Ange Albertini.

3
00:00:21,100 --> 00:00:22,539
I'm the author. I'm doing reverse

4
00:00:22,540 --> 00:00:23,919
engineering and visual documentation.

5
00:00:23,920 --> 00:00:26,109
And the title of this talk comes

6
00:00:26,110 --> 00:00:28,839
from my work in

7
00:00:28,840 --> 00:00:30,939
the PoC||GTFO publication,

8
00:00:30,940 --> 00:00:32,758
the file for Funky File Format

9
00:00:32,759 --> 00:00:33,909
Polyglot.

10
00:00:33,910 --> 00:00:36,339
So that's where the title of the talk

11
00:00:36,340 --> 00:00:37,599
comes from.

12
00:00:37,600 --> 00:00:39,069
OK, so

13
00:00:40,450 --> 00:00:42,609
this talk is about files, and what are the

14
00:00:42,610 --> 00:00:44,049
usual file categories?

15
00:00:45,400 --> 00:00:47,679
It depends if you're a newbie, a user,

16
00:00:47,680 --> 00:00:48,789
a dev or a hacker.

17
00:00:50,290 --> 00:00:52,509
But in general,

18
00:00:52,510 --> 00:00:54,909
typically people are just interested in

19
00:00:54,910 --> 00:00:57,489
exploiting, exploiting

20
00:00:57,490 --> 00:00:59,889
with file formats, and typically

21
00:00:59,890 --> 00:01:02,439
valid files are considered boring.

22
00:01:02,440 --> 00:01:04,568
But I

23
00:01:04,569 --> 00:01:06,759
still think the important point

24
00:01:06,760 --> 00:01:09,189
is that the limits between...

25
00:01:09,190 --> 00:01:11,469
Can you see the top? "Corrupted" is... "valid"

26
00:01:11,470 --> 00:01:12,749
is written here. The colors are... Really?

27
00:01:12,750 --> 00:01:13,750
No.

28
00:01:14,780 --> 00:01:16,399
It's supposed to be red here.
29
00:01:16,400 --> 00:01:18,739
OK, weird colors,

30
00:01:18,740 --> 00:01:21,369
so the,

31
00:01:21,370 --> 00:01:23,449
the problem is that the frontier between

32
00:01:23,450 --> 00:01:25,969
valid files and corrupted is not

33
00:01:25,970 --> 00:01:28,309
clearly defined, and I play with it.

34
00:01:28,310 --> 00:01:30,469
So let's just take an example, and

35
00:01:30,470 --> 00:01:31,729
here is a valid file.

36
00:01:31,730 --> 00:01:33,799
So just to show the kind of valid

37
00:01:33,800 --> 00:01:35,089
files that I like to try, it's not

38
00:01:35,090 --> 00:01:37,309
exploiting anything, but it's maybe

39
00:01:37,310 --> 00:01:38,719
not a standard file.

40
00:01:38,720 --> 00:01:40,819
So this is a JPEG

41
00:01:40,820 --> 00:01:43,069
picture that might ring a bell.

42
00:01:43,070 --> 00:01:44,659
And if you...

43
00:01:44,660 --> 00:01:46,939
Yeah, it's also a Java file,

44
00:01:46,940 --> 00:01:47,940
because, why not.

45
00:01:50,660 --> 00:01:51,890
That's not really complex.

46
00:01:58,550 --> 00:02:00,649
But you can play further: if you

47
00:02:00,650 --> 00:02:03,079
apply AES on this picture,

48
00:02:03,080 --> 00:02:05,149
it's a JPEG picture, then you

49
00:02:05,150 --> 00:02:06,830
get a PNG picture.

50
00:02:13,910 --> 00:02:16,039
So it was encryption with AES. If you

51
00:02:16,040 --> 00:02:18,199
decrypt it with Triple DES, then

52
00:02:18,200 --> 00:02:20,149
you get a PDF.

53
00:02:27,750 --> 00:02:29,969
If you encrypt the same file, the same

54
00:02:29,970 --> 00:02:31,529
file once again, but with a different

55
00:02:31,530 --> 00:02:33,719
key, with AES again, you get

56
00:02:33,720 --> 00:02:34,720
a Flash video.

57
00:02:36,300 --> 00:02:38,609
I could go on and on and on, getting

58
00:02:38,610 --> 00:02:40,379
crazy with the proof of concept.
59
00:02:40,380 --> 00:02:42,809
I thought I could do a whole talk

60
00:02:42,810 --> 00:02:45,149
with a single file, but

61
00:02:45,150 --> 00:02:46,649
maybe that won't be a real talk.

62
00:02:46,650 --> 00:02:48,689
So at least I hope that by now you're

63
00:02:48,690 --> 00:02:50,669
convinced that I'm just a normal guy and

64
00:02:50,670 --> 00:02:52,110
I just like to play with binaries,

65
00:02:53,520 --> 00:02:55,859
although I like to explain

66
00:02:55,860 --> 00:02:56,789
or represent binaries.

67
00:02:56,790 --> 00:02:59,129
And maybe you've seen my posters

68
00:02:59,130 --> 00:03:01,229
in the building. So this is a picture

69
00:03:01,230 --> 00:03:02,789
of them at the top floor.

70
00:03:02,790 --> 00:03:04,679
So it's printed, thanks [unclear].

71
00:03:04,680 --> 00:03:06,869
And so I also, I play with

72
00:03:06,870 --> 00:03:09,869
binaries, or I like to represent

73
00:03:09,870 --> 00:03:11,550
formats visually for everybody.

74
00:03:14,280 --> 00:03:16,439
And all these posters are free to

75
00:03:16,440 --> 00:03:18,509
download on Corkami, if you

76
00:03:18,510 --> 00:03:21,119
want to order a print

77
00:03:21,120 --> 00:03:23,249
on a pillow, an

78
00:03:23,250 --> 00:03:24,850
iPhone case or whatever, it's printable.

79
00:03:26,130 --> 00:03:28,199
OK, so

80
00:03:28,200 --> 00:03:30,749
oops, no, it doesn't work anymore.

81
00:03:30,750 --> 00:03:31,750
What's wrong?

82
00:03:33,950 --> 00:03:34,950
Yeah, so.

83
00:03:36,220 --> 00:03:37,589
Let's not go too deep into the

84
00:03:37,590 --> 00:03:39,449
technical details, and let's go back to

85
00:03:39,450 --> 00:03:41,729
the fundamentals, and let's talk about

86
00:03:41,730 --> 00:03:42,730
cows.

87
00:03:43,590 --> 00:03:46,139
So how do you identify

88
00:03:46,140 --> 00:03:48,239
a cow? What would be the possible

89
00:03:48,240 --> 00:03:49,589
ways to identify a cow?
90
00:03:49,590 --> 00:03:50,879
And of course, we can apply the same

91
00:03:50,880 --> 00:03:52,319
model to files somehow.

92
00:03:53,370 --> 00:03:54,370
Is it by its head?

93
00:03:55,950 --> 00:03:58,349
Is it by its body shape,

94
00:03:58,350 --> 00:04:00,330
or is it by the sound?

95
00:04:01,350 --> 00:04:03,659
Well, you can see that identifying

96
00:04:03,660 --> 00:04:05,729
a file could be done in different

97
00:04:05,730 --> 00:04:07,799
ways, the same way, in a similar

98
00:04:07,800 --> 00:04:09,479
way, in practice.

99
00:04:09,480 --> 00:04:11,669
Here is an early tool to identify, from

100
00:04:11,670 --> 00:04:12,839
French technology.

101
00:04:12,840 --> 00:04:14,430
So basically, you look at the head.

102
00:04:22,520 --> 00:04:24,649
I had fun drawing the guillotine myself,

103
00:04:26,360 --> 00:04:28,459
and so basically, typically the file

104
00:04:28,460 --> 00:04:30,859
type is identified by a signature called

105
00:04:30,860 --> 00:04:33,079
magic that is fixed and enforced

106
00:04:33,080 --> 00:04:34,039
at an offset.

107
00:04:34,040 --> 00:04:36,439
Some have a meaning, some don't have.

108
00:04:36,440 --> 00:04:38,689
Most file formats have a magic

109
00:04:38,690 --> 00:04:40,609
signature at offset zero.

110
00:04:40,610 --> 00:04:43,009
Some don't, like some

111
00:04:43,010 --> 00:04:45,289
archive formats, as

112
00:04:45,290 --> 00:04:47,209
particularly ZIP, which is also used

113
00:04:47,210 --> 00:04:49,369
in many other formats, as APK, JAR

114
00:04:49,370 --> 00:04:50,719
and others.

115
00:04:50,720 --> 00:04:53,419
Some compressors actually enforce a

116
00:04:53,420 --> 00:04:55,489
signature at offset zero, and

117
00:04:55,490 --> 00:04:58,069
PDF, which I like to abuse,

118
00:04:58,070 --> 00:04:59,809
theoretically has to start at offset

119
00:04:59,810 --> 00:05:02,209
zero, but in practice only within

120
00:05:02,210 --> 00:05:04,519
the first kilobyte

121
00:05:04,520 --> 00:05:06,649
of the file.
So that's how I could abuse

122
00:05:06,650 --> 00:05:08,059
it. We'll see that later.

123
00:05:08,060 --> 00:05:09,499
I could abuse PDF files.

124
00:05:09,500 --> 00:05:11,749
An important

125
00:05:11,750 --> 00:05:14,029
point for ZIP is that ZIP

126
00:05:14,030 --> 00:05:16,489
doesn't; it's not that ZIP enforces

127
00:05:16,490 --> 00:05:18,109
a signature anywhere.

128
00:05:18,110 --> 00:05:20,389
It's actually, ZIPs are written backward,

129
00:05:20,390 --> 00:05:22,249
from the, from the end.

130
00:05:22,250 --> 00:05:24,589
This is for all good reasons.

131
00:05:24,590 --> 00:05:26,689
When you are writing a ZIP file on

132
00:05:26,690 --> 00:05:28,729
the fly on multiple floppies, it will

133
00:05:28,730 --> 00:05:30,469
write the last information on the last

134
00:05:30,470 --> 00:05:32,329
disk and it would minimize the floppy

135
00:05:32,330 --> 00:05:34,639
swaps. So basically ZIP

136
00:05:34,640 --> 00:05:36,649
enforces, that is sort of the

137
00:05:36,650 --> 00:05:37,969
signature,

138
00:05:37,970 --> 00:05:39,859
I mean, the start, the first

139
00:05:41,120 --> 00:05:43,219
structure to be checked, is near the end

140
00:05:43,220 --> 00:05:44,629
of the file.

141
00:05:44,630 --> 00:05:46,639
The thing is, it's actually not so

142
00:05:46,640 --> 00:05:47,659
respected all the time.

143
00:05:47,660 --> 00:05:49,819
And I did a talk on ZIP schizophrenia.

144
00:05:49,820 --> 00:05:51,259
If you want more details, you can check

145
00:05:51,260 --> 00:05:52,669
it later.

146
00:05:52,670 --> 00:05:55,039
A few hardware, a few formats

147
00:05:55,040 --> 00:05:56,569
were bound to hardware.

148
00:05:56,570 --> 00:05:58,729
And usually when you have a memory

149
00:05:58,730 --> 00:06:01,129
range to be executed by a special chip,

150
00:06:01,130 --> 00:06:02,779
then they don't, they don't want a header

151
00:06:02,780 --> 00:06:05,089
there.
So basically [unclear]

152
00:06:05,090 --> 00:06:07,279
and [unclear], even TGA, do start

153
00:06:07,280 --> 00:06:09,619
directly with the data, and optionally

154
00:06:09,620 --> 00:06:11,809
they have a header that is later

155
00:06:11,810 --> 00:06:13,219
in the memory space.

156
00:06:13,220 --> 00:06:15,289
So those hardware, those

157
00:06:15,290 --> 00:06:16,849
formats have an excuse, because they are

158
00:06:16,850 --> 00:06:18,439
bound to some hardware, not to have a

159
00:06:18,440 --> 00:06:20,479
magic at offset zero.

160
00:06:20,480 --> 00:06:22,909
So, but in general, a good magic signature

161
00:06:22,910 --> 00:06:25,069
should be enforced at offset zero and

162
00:06:25,070 --> 00:06:27,139
unique. And if you create a new file

163
00:06:27,140 --> 00:06:29,449
format, please respect this rule, because

164
00:06:29,450 --> 00:06:31,609
otherwise it can lead to a few abuses

165
00:06:31,610 --> 00:06:32,689
that we'll see now.

166
00:06:32,690 --> 00:06:34,819
So if you think about how a standard

167
00:06:34,820 --> 00:06:37,189
tool, a standard parsing tool

168
00:06:37,190 --> 00:06:39,049
acts, it just checks the magic.

169
00:06:39,050 --> 00:06:41,119
Then it chooses a path, and it

170
00:06:41,120 --> 00:06:42,799
will never return and try something else.

171
00:06:42,800 --> 00:06:44,389
It found the signature: oh, I chose this

172
00:06:44,390 --> 00:06:46,279
path, it must be this file type, and it

173
00:06:46,280 --> 00:06:48,379
will ignore any other file type that could

174
00:06:48,380 --> 00:06:51,139
be included in the same file.

175
00:06:51,140 --> 00:06:53,269
So another common, yet important

176
00:06:53,270 --> 00:06:55,429
property that is useful for abuses.

177
00:06:56,770 --> 00:06:58,669
You see a cow.
178
00:06:58,670 --> 00:07:00,199
There is something coming next, but you

179
00:07:00,200 --> 00:07:02,689
definitely see a cow, so it's like,

180
00:07:02,690 --> 00:07:04,759
because you can see a complete cow,

181
00:07:04,760 --> 00:07:06,439
then there is a cow. There's something

182
00:07:06,440 --> 00:07:07,729
coming next, it's still a cow.

183
00:07:07,730 --> 00:07:08,719
It's still a valid cow.

184
00:07:08,720 --> 00:07:09,809
Right.

185
00:07:09,810 --> 00:07:11,959
Means whatever you put after

186
00:07:11,960 --> 00:07:13,709
it, you see the full cow.

187
00:07:13,710 --> 00:07:16,189
So you think it's a cow. And some

188
00:07:16,190 --> 00:07:18,919
file formats typically

189
00:07:18,920 --> 00:07:21,199
define a terminator that

190
00:07:21,200 --> 00:07:23,539
says: this is the end of my file format.

191
00:07:23,540 --> 00:07:25,759
And once the terminator is

192
00:07:25,760 --> 00:07:27,289
reached, when the terminator is there, nothing is

193
00:07:27,290 --> 00:07:28,699
left to parse.

194
00:07:30,140 --> 00:07:32,699
So with this abuse of file formats

195
00:07:32,700 --> 00:07:35,839
that are not enforced at offset zero, and some

196
00:07:35,840 --> 00:07:38,419
file formats allowing

197
00:07:38,420 --> 00:07:40,129
something that comes next, then you can

198
00:07:40,130 --> 00:07:41,739
just stack them up like the

199
00:07:42,950 --> 00:07:45,169
animals of Bremen, and you can end up

200
00:07:45,170 --> 00:07:47,239
doing a file that has several

201
00:07:47,240 --> 00:07:48,589
file types.

202
00:07:48,590 --> 00:07:50,809
So this is an example of a JAR/BINK

203
00:07:50,810 --> 00:07:51,810
polyglot.

204
00:07:53,750 --> 00:07:56,149
So BINK is a special game-oriented

205
00:07:56,150 --> 00:07:58,429
video format, and I chose a random picture

206
00:07:58,430 --> 00:08:00,679
to display via video.

207
00:08:00,680 --> 00:08:03,289
So you just

208
00:08:03,290 --> 00:08:05,489
create your BINK.
Then you append

209
00:08:05,490 --> 00:08:07,759
a JAR file, which are just ZIP.

210
00:08:07,760 --> 00:08:10,309
And as we saw, ZIP doesn't enforce

211
00:08:10,310 --> 00:08:11,749
the start at offset zero.

212
00:08:11,750 --> 00:08:13,879
So that's why JAR/BINK polyglot

213
00:08:13,880 --> 00:08:14,880
is possible.

214
00:08:16,100 --> 00:08:18,349
Now another kind of file polyglot

215
00:08:18,350 --> 00:08:21,529
is when you have a host and a parasite.

216
00:08:21,530 --> 00:08:23,719
So if your frog...

217
00:08:23,720 --> 00:08:25,789
if your cow swallows, keeps a frog in its

218
00:08:25,790 --> 00:08:28,249
mouth, then it can speak frog.

219
00:08:28,250 --> 00:08:30,379
So the outer cow

220
00:08:30,380 --> 00:08:32,689
for the inner frog. A more realistic

221
00:08:32,690 --> 00:08:34,969
example here is our cow with

222
00:08:34,970 --> 00:08:37,189
unused data chunks.

223
00:08:37,190 --> 00:08:40,158
And if your cow swallows a parasite,

224
00:08:40,159 --> 00:08:42,168
then it's still a valid cow, even if it

225
00:08:42,169 --> 00:08:44,629
contains foreign data that is tolerated

226
00:08:44,630 --> 00:08:45,769
by the stomach.

227
00:08:50,540 --> 00:08:52,639
So as an example, I did

228
00:08:52,640 --> 00:08:54,949
this file, which was, so it was

229
00:08:54,950 --> 00:08:57,169
a JAR, a Windows

230
00:08:57,170 --> 00:08:59,999
executable and a PDF in the same file.

231
00:09:00,000 --> 00:09:02,719
So it's interesting, because you actually have:

232
00:09:02,720 --> 00:09:04,969
launching a Java, dropping a PE,

233
00:09:04,970 --> 00:09:07,159
or a PDF exploiting and dropping

234
00:09:07,160 --> 00:09:09,349
a PE, two valid infection chains.

235
00:09:09,350 --> 00:09:11,449
And those two infection chains

236
00:09:11,450 --> 00:09:13,129
are present in the same file.
237
00:09:13,130 --> 00:09:15,259
And because I built it entirely

238
00:09:15,260 --> 00:09:18,109
by hand myself, here you have that the PDF

239
00:09:18,110 --> 00:09:20,539
part of the document is actually inside

240
00:09:20,540 --> 00:09:21,769
of Java.

241
00:09:21,770 --> 00:09:23,959
So it's not just stacking

242
00:09:23,960 --> 00:09:26,090
stuff together, but you put

243
00:09:27,140 --> 00:09:28,759
one format inside the other.

244
00:09:28,760 --> 00:09:30,559
You have some real-life examples in the

245
00:09:30,560 --> 00:09:32,899
wild. Another example,

246
00:09:32,900 --> 00:09:34,999
with a, that's actually used for

247
00:09:35,000 --> 00:09:35,949
testing.

248
00:09:35,950 --> 00:09:38,539
Basically, it's a valid picture

249
00:09:38,540 --> 00:09:40,399
here, you see the black line, which is a

250
00:09:40,400 --> 00:09:42,829
picture, and it's also a valid JavaScript.

251
00:09:42,830 --> 00:09:44,779
You abuse the header so that it starts a

252
00:09:44,780 --> 00:09:46,609
JavaScript comment, and you close the

253
00:09:46,610 --> 00:09:48,139
comment, and then you put your JavaScript.

254
00:09:48,140 --> 00:09:50,299
So it's a valid JavaScript and picture.

255
00:09:50,300 --> 00:09:52,549
You can break a lot of stuff with that.

256
00:09:52,550 --> 00:09:54,829
It's also available in BMP flavor

257
00:09:54,830 --> 00:09:56,480
for pentesting purposes.

258
00:09:57,500 --> 00:09:59,839
So, as they say, this kind of

259
00:09:59,840 --> 00:10:02,149
host/parasite exploitation trick

260
00:10:02,150 --> 00:10:03,559
already exists in the wild.

261
00:10:03,560 --> 00:10:05,729
It was represented in some famous movies.

262
00:10:05,730 --> 00:10:07,579
It is just an inappropriate use of

263
00:10:07,580 --> 00:10:09,739
unallocated space left or

264
00:10:09,740 --> 00:10:12,379
made possible inside the outer

265
00:10:12,380 --> 00:10:13,380
file format.
266
00:10:14,460 --> 00:10:16,619
So as I said, I worked on

267
00:10:16,620 --> 00:10:17,620
PoC||GTFO.

268
00:10:17,820 --> 00:10:20,159
If you're not familiar with this very

269
00:10:20,160 --> 00:10:21,299
nice publication,

270
00:10:21,300 --> 00:10:23,189
it's really interesting to read, but also

271
00:10:23,190 --> 00:10:24,629
the file itself.

272
00:10:24,630 --> 00:10:27,389
So issue two was bootable, booting

273
00:10:27,390 --> 00:10:28,519
[unclear].

274
00:10:29,790 --> 00:10:32,549
It's also a ZIP and a valid PDF.

275
00:10:32,550 --> 00:10:33,839
Issue three,

276
00:10:33,840 --> 00:10:34,939
I got a bit crazy.

277
00:10:34,940 --> 00:10:37,139
It was a valid radio

278
00:10:37,140 --> 00:10:39,209
message and a JPEG, and if

279
00:10:39,210 --> 00:10:41,369
you AES-encrypt it you get a PNG,

280
00:10:41,370 --> 00:10:44,039
and a ZIP. Issue

281
00:10:44,040 --> 00:10:46,949
four was a valid TrueCrypt container,

282
00:10:46,950 --> 00:10:48,419
PDF and a ZIP.

283
00:10:48,420 --> 00:10:50,579
And I just created this, and two days

284
00:10:50,580 --> 00:10:53,069
after, TrueCrypt discontinued

285
00:10:53,070 --> 00:10:54,070
it.

286
00:11:02,670 --> 00:11:05,519
Issue five was an ISO, a PDF

287
00:11:05,520 --> 00:11:07,739
and a Flash, so that's

288
00:11:07,740 --> 00:11:10,159
an ISO booting a Tetris game.

289
00:11:10,160 --> 00:11:11,759
It's just explained in the article,

290
00:11:11,760 --> 00:11:13,109
and you have the Flash, which was

291
00:11:13,110 --> 00:11:14,279
rickrolling the audience.

292
00:11:15,570 --> 00:11:17,729
And issue six is the latest

293
00:11:17,730 --> 00:11:20,039
issue that was out last month. It's also

294
00:11:20,040 --> 00:11:21,509
a TAR, a PDF and ZIP.

295
00:11:21,510 --> 00:11:22,739
And this is one of the examples.
296
00:11:22,740 --> 00:11:24,689
If you open it with a lot of PDF readers, they

297
00:11:24,690 --> 00:11:27,219
just see: oh, it starts with a TAR,

298
00:11:27,220 --> 00:11:28,829
like the picture over there.

299
00:11:28,830 --> 00:11:30,329
The reader says: it's a TAR,

300
00:11:30,330 --> 00:11:31,319
I open it as a TAR.

301
00:11:31,320 --> 00:11:32,579
They never see the PDF.

302
00:11:32,580 --> 00:11:34,829
You imagine that was a security tool, and

303
00:11:34,830 --> 00:11:36,389
maybe you got to win or lose,

304
00:11:36,390 --> 00:11:37,390
depending on your side.

305
00:11:39,160 --> 00:11:41,529
So a few interesting

306
00:11:41,530 --> 00:11:43,589
other polyglots: Java/JavaScript,

307
00:11:43,590 --> 00:11:45,579
so it's two sources, Java and JavaScript, you

308
00:11:45,580 --> 00:11:47,529
are abusing the source parser of the Java

309
00:11:47,530 --> 00:11:49,119
compiler. I mean, compiler.

310
00:11:49,120 --> 00:11:51,339
Yeah, so that's, it's a

311
00:11:51,340 --> 00:11:53,199
Java and JavaScript in the same source

312
00:11:53,200 --> 00:11:55,399
file. Or you can do the same at

313
00:11:55,400 --> 00:11:57,519
a binary level, so that you can

314
00:11:57,520 --> 00:11:59,319
tell your friends that Java is equal to

315
00:11:59,320 --> 00:12:00,369
JavaScript and... Yes.

316
00:12:10,260 --> 00:12:11,260
Now it's proved.

317
00:12:13,530 --> 00:12:15,599
OK, so not polyglots anymore,

318
00:12:15,600 --> 00:12:17,849
but still worth playing with,

319
00:12:17,850 --> 00:12:20,369
because they always have funny results:

320
00:12:20,370 --> 00:12:22,409
if you do extreme files, like way too

321
00:12:22,410 --> 00:12:24,389
small or way too big, they tend to bypass

322
00:12:24,390 --> 00:12:26,639
filters. So an analogy, that's

323
00:12:26,640 --> 00:12:28,719
actually a hoax: so the farmer got denied

324
00:12:28,720 --> 00:12:30,029
a permit to build a horse shelter.
325
00:12:30,030 --> 00:12:32,249
So he just built a giant table to protect

326
00:12:32,250 --> 00:12:34,859
his horse, and he doesn't need a permit.

327
00:12:34,860 --> 00:12:36,269
So that's actually a hoax.

328
00:12:36,270 --> 00:12:38,009
But you can feel it's almost really

329
00:12:38,010 --> 00:12:40,319
right. And if you do it the other way,

330
00:12:40,320 --> 00:12:42,539
if you make a valid PDF file for

331
00:12:42,540 --> 00:12:44,639
Adobe Reader, so that's a complete file,

332
00:12:44,640 --> 00:12:47,199
that is usually too small for

333
00:12:47,200 --> 00:12:48,289
software to consider

334
00:12:48,290 --> 00:12:50,789
it can be valid, then they just reject

335
00:12:50,790 --> 00:12:53,489
it, and they will not parse it as a PDF.

336
00:12:53,490 --> 00:12:55,559
So you can bypass scanners

337
00:12:55,560 --> 00:12:58,109
and security feature

338
00:12:58,110 --> 00:13:00,329
detections by creating a file

339
00:13:00,330 --> 00:13:03,029
that is too small to be likely

340
00:13:03,030 --> 00:13:05,159
considered valid, or you can do the

341
00:13:05,160 --> 00:13:07,199
opposite. You can do a huge file.

342
00:13:07,200 --> 00:13:09,929
So here, with 64K of sections,

343
00:13:09,930 --> 00:13:12,179
it was crashing directly

344
00:13:12,180 --> 00:13:13,829
OllyDbg and other tools, because you

345
00:13:13,830 --> 00:13:15,899
just, if they were trying to allocate

346
00:13:15,900 --> 00:13:18,239
everything. Even worse, every

347
00:13:18,240 --> 00:13:20,399
section was fully executed, even though

348
00:13:20,400 --> 00:13:21,779
they are physically empty.

349
00:13:21,780 --> 00:13:23,849
They were all taking

350
00:13:23,850 --> 00:13:25,169
some space in memory, and they

351
00:13:25,170 --> 00:13:26,249
were all executed.
352
00:13:26,250 --> 00:13:28,259
And it takes actually a few seconds on

353
00:13:28,260 --> 00:13:29,819
a modern computer to run, even though

354
00:13:29,820 --> 00:13:32,069
it does nothing, but a lot of

355
00:13:32,070 --> 00:13:33,070
nothing.

356
00:13:34,620 --> 00:13:36,659
So not only, not only is it slow to

357
00:13:36,660 --> 00:13:38,819
execute directly natively,

358
00:13:38,820 --> 00:13:40,829
but also you crash a lot of analysis

359
00:13:40,830 --> 00:13:42,210
tools with similar files.

360
00:13:43,710 --> 00:13:46,499
So now we saw how to combine

361
00:13:46,500 --> 00:13:48,559
file types, but you can also

362
00:13:48,560 --> 00:13:50,309
abuse parsing.

363
00:13:50,310 --> 00:13:52,919
How do you parse a cow?

364
00:13:52,920 --> 00:13:55,229
This is how a user sees a cow.

365
00:13:55,230 --> 00:13:57,329
So how do people parse cows?

366
00:13:57,330 --> 00:13:59,549
Well, you all know, you have

367
00:13:59,550 --> 00:14:01,529
an image of cow parsing.

368
00:14:01,530 --> 00:14:03,929
This is how they could

369
00:14:03,930 --> 00:14:05,279
parse a cow.

370
00:14:05,280 --> 00:14:07,529
But it turns out that not everybody

371
00:14:07,530 --> 00:14:09,809
agrees. And this is how another dev

372
00:14:09,810 --> 00:14:11,879
sees a cow. So these are the French

373
00:14:11,880 --> 00:14:14,279
beef cuts of a cow, the official

374
00:14:14,280 --> 00:14:15,449
beef cuts of a cow.

375
00:14:15,450 --> 00:14:17,069
And these are the Brazilian ones.

376
00:14:17,070 --> 00:14:19,139
So you see, it's the same

377
00:14:19,140 --> 00:14:20,789
data, and different parts, different

378
00:14:20,790 --> 00:14:21,959
interpretations for different

379
00:14:21,960 --> 00:14:23,909
implementations of cow parsing.

380
00:14:23,910 --> 00:14:26,009
It would have been too easy. Like, mankind

381
00:14:26,010 --> 00:14:28,199
really sucks, not just with computers,

382
00:14:28,200 --> 00:14:29,580
but also with cow parsing.
383
00:14:31,110 --> 00:14:33,179
So as you see, the

384
00:14:33,180 --> 00:14:35,249
same cow can be seen in

385
00:14:35,250 --> 00:14:36,299
completely different ways.

386
00:14:36,300 --> 00:14:38,189
I mean, OK, the head is still the head,

387
00:14:38,190 --> 00:14:40,079
luckily, but still the parts are

388
00:14:40,080 --> 00:14:42,119
different, because the standards are

389
00:14:42,120 --> 00:14:43,049
different.

390
00:14:43,050 --> 00:14:44,999
So if you abuse that, you can, for

391
00:14:45,000 --> 00:14:47,159
example, create a PDF that

392
00:14:47,160 --> 00:14:49,319
has three different trailers.

393
00:14:49,320 --> 00:14:50,969
The trailer is defining the root

394
00:14:50,970 --> 00:14:51,929
element of a PDF.

395
00:14:51,930 --> 00:14:53,129
So this is the same file,

396
00:14:53,130 --> 00:14:54,719
and with three different viewers, it

397
00:14:54,720 --> 00:14:56,309
gives you three random pictures.

398
00:14:57,750 --> 00:15:00,299
And because two readers,

399
00:15:00,300 --> 00:15:01,980
that is Chrome and

400
00:15:03,840 --> 00:15:05,909
newer PDF readers,

401
00:15:05,910 --> 00:15:08,699
are not respecting the standard

402
00:15:08,700 --> 00:15:11,009
like Adobe, then they see a different

403
00:15:11,010 --> 00:15:12,509
root document, and they see a completely

404
00:15:12,510 --> 00:15:14,429
different document to be parsed.

405
00:15:14,430 --> 00:15:16,919
So basically one file,

406
00:15:16,920 --> 00:15:18,659
but three different documents, and the

407
00:15:18,660 --> 00:15:21,179
other readers don't see

408
00:15:21,180 --> 00:15:23,279
the other document, the two other,

409
00:15:23,280 --> 00:15:24,179
two documents at all.
410
00:15:24,180 --> 00:15:26,519
It's not a trick in a conditional if,

411
00:15:26,520 --> 00:15:28,139
by detecting the reader version or

412
00:15:28,140 --> 00:15:30,209
anything. Or another

413
00:15:30,210 --> 00:15:31,859
one, a bit different here, but it's

414
00:15:31,860 --> 00:15:33,359
actually using a feature.

415
00:15:33,360 --> 00:15:35,309
But you have the PDF that shows something,

416
00:15:35,310 --> 00:15:36,599
and when it's time to print, it shows

417
00:15:36,600 --> 00:15:37,739
something completely different.

418
00:15:46,100 --> 00:15:48,759
And here, it's not lack of

419
00:15:48,760 --> 00:15:50,409
respecting the standard, it's actually a

420
00:15:50,410 --> 00:15:52,509
part of the standard, but unknown to

421
00:15:52,510 --> 00:15:54,699
most people, because, yeah,

422
00:15:54,700 --> 00:15:57,009
it's security by... oh, no,

423
00:15:57,010 --> 00:15:58,600
obfuscation by yourself.

424
00:16:00,490 --> 00:16:01,809
Not security by obscurity.

425
00:16:01,810 --> 00:16:03,640
But yeah, basically the standard is

426
00:16:04,660 --> 00:16:06,819
complex, with a lot of unusual, not so

427
00:16:06,820 --> 00:16:08,559
useful for everybody,

428
00:16:08,560 --> 00:16:10,659
not security-oriented features, I'd

429
00:16:10,660 --> 00:16:11,660
say.

430
00:16:12,460 --> 00:16:14,429
Or this is a presentation I did

431
00:16:15,490 --> 00:16:16,869
last year.

432
00:16:16,870 --> 00:16:18,699
So this was my presentation, it was my

433
00:16:18,700 --> 00:16:20,829
first binary inception, and it was the

434
00:16:20,830 --> 00:16:22,719
same file, was the PDF.

435
00:16:22,720 --> 00:16:24,219
You were in the PDF slides.

436
00:16:24,220 --> 00:16:26,349
So basically the, the file

437
00:16:26,350 --> 00:16:27,399
was viewing itself.
438
00:16:27,400 --> 00:16:29,319
And at the time the people were watching

439
00:16:29,320 --> 00:16:30,399
the slides, but they were actually

440
00:16:30,400 --> 00:16:32,259
already watching the demo, because it was

441
00:16:32,260 --> 00:16:33,549
the file running on itself,

442
00:16:35,440 --> 00:16:37,779
and it was also a Java file

443
00:16:37,780 --> 00:16:39,769
and a JavaScript with Mario.

444
00:16:39,770 --> 00:16:40,779
OK, because why not,

445
00:16:42,010 --> 00:16:44,079
in the same file. If you run it

446
00:16:44,080 --> 00:16:46,299
in different viewers, you have, it

447
00:16:46,300 --> 00:16:47,349
was also schizophrenic.

448
00:16:47,350 --> 00:16:48,819
So you would have a different document

449
00:16:48,820 --> 00:16:50,350
when opened with a different viewer.

450
00:16:51,670 --> 00:16:53,979
So a bit combining everything

451
00:16:53,980 --> 00:16:55,299
in one proof of concept.

452
00:16:55,300 --> 00:16:56,989
And this time it was not written by hand.

453
00:16:56,990 --> 00:16:58,299
It was like really generated.

454
00:16:58,300 --> 00:17:00,909
And that's now what we do for [unclear].

455
00:17:00,910 --> 00:17:03,009
It's, it's, it's a Makefile that

456
00:17:03,010 --> 00:17:05,379
combines everything. It's not me crafting

457
00:17:05,380 --> 00:17:07,868
manually the file

458
00:17:07,869 --> 00:17:09,939
until the end. And although we care

459
00:17:09,940 --> 00:17:12,190
about compatibility, that's the problem.

460
00:17:13,960 --> 00:17:16,179
OK, so another

461
00:17:16,180 --> 00:17:18,309
problem for security in general is

462
00:17:18,310 --> 00:17:20,828
that you have unexpected parsers,

463
00:17:20,829 --> 00:17:22,059
and that's not mine.

464
00:17:22,060 --> 00:17:24,219
But that's, I don't

465
00:17:24,220 --> 00:17:25,749
know how to say, lcamtuf,

466
00:17:25,750 --> 00:17:28,539
who basically found the

467
00:17:28,540 --> 00:17:30,309
exploitation with the strings command.
468
00:17:31,330 --> 00:17:33,429
So that's a CVE, and basically you would

469
00:17:33,430 --> 00:17:35,769
expect that the strings command line

470
00:17:36,970 --> 00:17:38,879
tool... Yeah.

471
00:17:38,880 --> 00:17:41,139
It doesn't parse anything, but just looks

472
00:17:41,140 --> 00:17:43,389
for strings, even though it's actually

473
00:17:43,390 --> 00:17:45,519
calling parsers, and it's actually, it was

474
00:17:45,520 --> 00:17:47,629
exploitable, and it's a CVE now.

475
00:17:47,630 --> 00:17:50,109
And now he also did that with less.

476
00:17:50,110 --> 00:17:52,329
So the problem is that not only you have

477
00:17:52,330 --> 00:17:53,799
different parsers, but also you have

478
00:17:53,800 --> 00:17:55,749
parsers in an unexpected place.

479
00:17:55,750 --> 00:17:57,879
So don't run

480
00:17:57,880 --> 00:17:59,979
strings on an unknown file, don't run

481
00:17:59,980 --> 00:18:02,049
less on an unknown file, don't do anything,

482
00:18:02,050 --> 00:18:04,329
basically, because you never

483
00:18:04,330 --> 00:18:06,219
know, especially if the file comes from

484
00:18:06,220 --> 00:18:06,339
you

485
00:18:06,340 --> 00:18:07,340
know who.

486
00:18:08,230 --> 00:18:10,539
OK, just a little parenthesis

487
00:18:10,540 --> 00:18:12,849
on metadata. But, you know, people like

488
00:18:12,850 --> 00:18:15,189
to attribute: oh, there's a Chinese string

489
00:18:15,190 --> 00:18:17,349
here. Oh, it must be China or North Korea.

490
00:18:17,350 --> 00:18:18,819
Yeah. Why not.

491
00:18:18,820 --> 00:18:20,049
Yes, of course.

492
00:18:20,050 --> 00:18:21,849
And metadata, and metadata.

493
00:18:21,850 --> 00:18:23,470
Because you cannot see the head

494
00:18:25,300 --> 00:18:27,939
easily, then you just brand

495
00:18:27,940 --> 00:18:29,769
the cattle with a branding iron.

496
00:18:29,770 --> 00:18:31,449
And the problem is this:
Branding irons

497
00:18:31,450 --> 00:18:33,939
can also be faked or patched

498
00:18:33,940 --> 00:18:36,129
into other symbols, like you extend

499
00:18:36,130 --> 00:18:38,079
the sign on the cow to look like

500
00:18:38,080 --> 00:18:38,979
something else.

501
00:18:38,980 --> 00:18:41,199
And the conclusion is that attribution is

502
00:18:41,200 --> 00:18:43,329
hard. And the

503
00:18:43,330 --> 00:18:45,069
important thing for us, I don't really

504
00:18:45,070 --> 00:18:46,449
care about cows, but still we need a

505
00:18:46,450 --> 00:18:48,789
proof of concept of a real

506
00:18:48,790 --> 00:18:50,859
branding iron. We didn't have a cow

507
00:18:50,860 --> 00:18:53,289
to just check about metadata

508
00:18:53,290 --> 00:18:54,969
modification live.

509
00:18:54,970 --> 00:18:57,219
But just for the sake of it,

510
00:18:57,220 --> 00:18:59,769
we did. I asked Munin to actually forge

511
00:18:59,770 --> 00:19:01,839
a branding iron, just for the sake of the

512
00:19:01,840 --> 00:19:03,879
presentation. That's me.

513
00:19:03,880 --> 00:19:05,409
I'm a normal guy.

514
00:19:05,410 --> 00:19:07,599
OK, now let's change a bit

515
00:19:07,600 --> 00:19:09,669
from file types, and let's move a bit

516
00:19:09,670 --> 00:19:10,899
to crypto stuff.

517
00:19:10,900 --> 00:19:13,269
And the important thing is that

518
00:19:13,270 --> 00:19:15,819
usually when you encrypt a file, you

519
00:19:15,820 --> 00:19:18,249
think that the result is encrypted,

520
00:19:18,250 --> 00:19:20,499
in the sense that it looks random.

521
00:19:20,500 --> 00:19:23,009
So the operation of encrypting a file

522
00:19:23,010 --> 00:19:25,089
is usually thought of

523
00:19:25,090 --> 00:19:26,259
as being random.

524
00:19:26,260 --> 00:19:28,089
But it's wrong, as you saw in the

525
00:19:28,090 --> 00:19:30,609
introduction, and the

526
00:19:30,610 --> 00:19:32,529
result of encryption can be valid.
527 00:19:32,530 --> 00:19:34,689 So I try to introduce that quickly 528 00:19:34,690 --> 00:19:37,029 without all the advanced details. 529 00:19:37,030 --> 00:19:38,619 I did another presentation on that 530 00:19:38,620 --> 00:19:39,759 before. 531 00:19:39,760 --> 00:19:42,129 So basically, let's take two fake 532 00:19:42,130 --> 00:19:44,199 I mean, yeah, fake file 533 00:19:44,200 --> 00:19:46,269 formats. And so we have 534 00:19:46,270 --> 00:19:48,009 a data file format and we have a text 535 00:19:48,010 --> 00:19:49,839 file format. And the properties that are 536 00:19:49,840 --> 00:19:52,169 important is that data has 537 00:19:52,170 --> 00:19:54,369 a terminator and what 538 00:19:54,370 --> 00:19:56,139 comes after this terminator is 539 00:19:56,140 --> 00:19:56,589 ignored. 540 00:19:56,590 --> 00:19:58,839 So that data is tolerating 541 00:19:58,840 --> 00:20:01,239 appending. Data and text also 542 00:20:01,240 --> 00:20:03,399 tolerates a comment like we just 543 00:20:03,400 --> 00:20:05,649 take the normal comments so you 544 00:20:05,650 --> 00:20:08,089 can as soon as the source format 545 00:20:08,090 --> 00:20:10,389 tolerates appended data and the 546 00:20:10,390 --> 00:20:13,149 target format tolerates has a way to 547 00:20:13,150 --> 00:20:15,219 to do to have a host parasite 548 00:20:15,220 --> 00:20:17,739 polyglots data, then this is 549 00:20:17,740 --> 00:20:19,779 you can you can apply that. 550 00:20:19,780 --> 00:20:21,849 So basically, if you encrypt with 551 00:20:21,850 --> 00:20:24,039 AES, you get something random in 552 00:20:24,040 --> 00:20:26,169 general, you cannot control 553 00:20:26,170 --> 00:20:28,779 what you have in input and 554 00:20:28,780 --> 00:20:31,149 what you have in output because that's 555 00:20:31,150 --> 00:20:33,459 yeah. Encryption is still 556 00:20:33,460 --> 00:20:36,549 not broken to my standard here, at least. 557 00:20:36,550 --> 00:20:38,499 But the thing is AES is a block cipher. 
558 00:20:38,500 --> 00:20:40,959 It just works with blocks and 559 00:20:40,960 --> 00:20:43,059 if you work with a file then 560 00:20:43,060 --> 00:20:44,919 it needs to work with a mode of 561 00:20:44,920 --> 00:20:45,879 operation. 562 00:20:45,880 --> 00:20:47,979 Usually what people know about this 563 00:20:47,980 --> 00:20:50,259 is that if you use the ECB 564 00:20:50,260 --> 00:20:52,869 mode, then you can still see the penguin 565 00:20:52,870 --> 00:20:55,479 and you know that this is bad encryption. 566 00:20:55,480 --> 00:20:56,859 So if you use 567 00:20:58,120 --> 00:20:59,829 a mode of encryption that just takes 568 00:20:59,830 --> 00:21:00,830 every block and 569 00:21:02,020 --> 00:21:04,419 keeps them independently, then 570 00:21:04,420 --> 00:21:06,669 each identical block will get this gives 571 00:21:06,670 --> 00:21:07,599 you the same results. 572 00:21:07,600 --> 00:21:09,579 So you can it's not good encryption, 573 00:21:09,580 --> 00:21:11,919 basically. So one of the modes, the CBC 574 00:21:11,920 --> 00:21:13,210 mode is actually 575 00:21:14,560 --> 00:21:16,089 using an extra parameter, the 576 00:21:16,090 --> 00:21:18,609 initialization vector that you initially 577 00:21:18,610 --> 00:21:21,309 XOR with the first plaintext block. 578 00:21:21,310 --> 00:21:23,709 So basically this is 579 00:21:23,710 --> 00:21:24,969 an extra parameter. 580 00:21:24,970 --> 00:21:27,189 And then after encryption 581 00:21:27,190 --> 00:21:29,409 by AES with a given key, 582 00:21:29,410 --> 00:21:31,119 then you get the first cipher block. 583 00:21:31,120 --> 00:21:33,279 The thing is this operation is you can 584 00:21:33,280 --> 00:21:35,469 do it backward, you can encrypt and 585 00:21:35,470 --> 00:21:36,579 also you can decrypt. 586 00:21:36,580 --> 00:21:38,229 So basically, if you define the first 587 00:21:38,230 --> 00:21:40,179 plaintext block and the first cipher 588 00:21:40,180 --> 00:21:42,579 block, then you can. 
589 00:21:42,580 --> 00:21:44,739 You can. And the key is 590 00:21:44,740 --> 00:21:46,419 defined once for all. 591 00:21:46,420 --> 00:21:48,519 Then you can craft an initialization 592 00:21:48,520 --> 00:21:50,649 vector that will actually 593 00:21:50,650 --> 00:21:52,539 make this block encrypt into this 594 00:21:52,540 --> 00:21:53,169 block. 595 00:21:53,170 --> 00:21:54,250 So now we control. 596 00:21:55,710 --> 00:21:57,779 We can control one block 597 00:21:57,780 --> 00:21:59,999 of output and then the rest we can 598 00:22:00,000 --> 00:22:01,599 don't control that anymore. 599 00:22:01,600 --> 00:22:03,719 OK, but at least now 600 00:22:03,720 --> 00:22:05,849 we can craft an 601 00:22:05,850 --> 00:22:07,499 initialization vector so that the first 602 00:22:07,500 --> 00:22:09,809 block is something that makes 603 00:22:09,810 --> 00:22:11,669 it valid and we still have control of 604 00:22:11,670 --> 00:22:14,039 something. OK, now what about the random 605 00:22:14,040 --> 00:22:15,839 rest? What comes next? 606 00:22:15,840 --> 00:22:17,459 We don't control it anymore because it's 607 00:22:17,460 --> 00:22:18,389 a result of AES. 608 00:22:18,390 --> 00:22:20,339 We don't control any parameters anymore. 609 00:22:20,340 --> 00:22:23,099 We cannot do we cannot manipulate that. 610 00:22:23,100 --> 00:22:25,439 So basically, we just 611 00:22:25,440 --> 00:22:28,199 here we use a a 612 00:22:28,200 --> 00:22:30,089 feature of the text format of the target 613 00:22:30,090 --> 00:22:32,579 format so that our initialization 614 00:22:32,580 --> 00:22:33,749 vector starts a comment. 615 00:22:33,750 --> 00:22:35,399 So this will be ignored. 616 00:22:35,400 --> 00:22:38,159 OK, now we have chosen initialization 617 00:22:38,160 --> 00:22:40,469 vectors so that this encrypted text starts 618 00:22:40,470 --> 00:22:41,369 a comment. 
619 00:22:41,370 --> 00:22:43,589 So the magic signature starts a comment and 620 00:22:43,590 --> 00:22:44,669 this is ignored. 621 00:22:44,670 --> 00:22:46,499 Now, if we take this file and we actually 622 00:22:46,500 --> 00:22:48,839 close the comments, we just append data 623 00:22:48,840 --> 00:22:50,969 and the original data, then this 624 00:22:50,970 --> 00:22:52,319 file, this file is. 625 00:22:53,330 --> 00:22:55,669 Correct, and it's equivalent 626 00:22:55,670 --> 00:22:57,799 to the initial file we wanted to have as 627 00:22:57,800 --> 00:22:59,509 a result of our encryption. 628 00:22:59,510 --> 00:23:01,669 Now, the thing is, if we 629 00:23:01,670 --> 00:23:03,799 actually just decrypt with the same 630 00:23:03,800 --> 00:23:05,869 initialization vector, we get 631 00:23:05,870 --> 00:23:08,029 the initial blocks, because these blocks 632 00:23:08,030 --> 00:23:10,279 here were just depending on the first 633 00:23:10,280 --> 00:23:11,779 block, not on the next blocks. 634 00:23:11,780 --> 00:23:13,939 So we get we we get 635 00:23:13,940 --> 00:23:16,159 back to the original data file 636 00:23:16,160 --> 00:23:18,409 and we have something random 637 00:23:18,410 --> 00:23:19,969 that we don't control. But it's after the 638 00:23:19,970 --> 00:23:21,919 end term terminator. 639 00:23:21,920 --> 00:23:23,959 So this is ignored and this is still a 640 00:23:23,960 --> 00:23:26,059 valid data file as we wanted. 641 00:23:26,060 --> 00:23:28,039 And this is the text file which has the 642 00:23:28,040 --> 00:23:29,089 content that we want. 643 00:23:29,090 --> 00:23:31,159 It's not exactly the original file, but 644 00:23:31,160 --> 00:23:33,109 from a parsing perspective, it's exactly the 645 00:23:33,110 --> 00:23:34,729 same file, just using a comment on 646 00:23:34,730 --> 00:23:35,689 something garbage. 647 00:23:35,690 --> 00:23:37,519 So that's basically the trick of what was 648 00:23:37,520 --> 00:23:38,629 called AngeCryption. 
649 00:23:38,630 --> 00:23:40,879 And that's what I used in different ways 650 00:23:40,880 --> 00:23:42,409 with PDF, flash videos in the 651 00:23:42,410 --> 00:23:43,699 introduction. 652 00:23:43,700 --> 00:23:46,179 So now, because 653 00:23:46,180 --> 00:23:48,319 CBC only works 654 00:23:48,320 --> 00:23:50,479 with what comes from the previous block, then 655 00:23:50,480 --> 00:23:52,189 this will indeed encrypt correctly as 656 00:23:52,190 --> 00:23:54,319 what we wanted. So now we have we 657 00:23:54,320 --> 00:23:56,449 can encrypt this file with AES 658 00:23:56,450 --> 00:23:58,429 into this file because we control the 659 00:23:58,430 --> 00:23:59,449 initialization vector. 660 00:23:59,450 --> 00:24:00,979 But it's perfectly normal. 661 00:24:00,980 --> 00:24:03,139 AES in CBC 662 00:24:03,140 --> 00:24:05,329 is seen as secure. 663 00:24:05,330 --> 00:24:08,029 So it's not a problem. 664 00:24:08,030 --> 00:24:09,619 It's not that it's broken. 665 00:24:09,620 --> 00:24:11,899 It's not that CBC is bad. 666 00:24:11,900 --> 00:24:14,329 Like ECB is just 667 00:24:14,330 --> 00:24:15,619 standard, normal. 668 00:24:15,620 --> 00:24:17,539 It's a part of the specs all along 669 00:24:17,540 --> 00:24:19,399 because the file format tolerates extra 670 00:24:19,400 --> 00:24:20,619 data and appended data. 671 00:24:21,770 --> 00:24:24,049 So that's the layout of the files 672 00:24:24,050 --> 00:24:26,029 before and after encryption and all of 673 00:24:26,030 --> 00:24:27,030 you. 674 00:24:28,100 --> 00:24:29,839 And you can even try it at home with just 675 00:24:29,840 --> 00:24:31,969 OpenSSL. For example, if you 676 00:24:31,970 --> 00:24:34,009 want to entertain your kids or your 677 00:24:34,010 --> 00:24:36,289 friends, you don't need much and 678 00:24:36,290 --> 00:24:37,669 you should try. It's very good. 679 00:24:37,670 --> 00:24:38,689 Go to bed now. 680 00:24:38,690 --> 00:24:41,669 OK, I'll let you try. 
681 00:24:41,670 --> 00:24:43,519 OK, another kind of polyglot that is a 682 00:24:43,520 --> 00:24:45,679 bit artistic, but it's interesting 683 00:24:45,680 --> 00:24:46,760 because sometimes 684 00:24:47,810 --> 00:24:49,939 the advanced file parsers just look 685 00:24:49,940 --> 00:24:52,189 for the body because they saw this 686 00:24:52,190 --> 00:24:54,589 header. They saw a JPEG header 687 00:24:54,590 --> 00:24:56,359 and it's oh here is my JPEG data. 688 00:24:56,360 --> 00:24:58,489 Now let's skip forward and 689 00:24:58,490 --> 00:25:00,739 this is a JPEG, 690 00:25:00,740 --> 00:25:03,109 a zip and a PDF and 691 00:25:03,110 --> 00:25:05,509 the PDF shows the image, 692 00:25:05,510 --> 00:25:07,399 the JPEG is the image and the zip 693 00:25:07,400 --> 00:25:09,169 contains the image, but the image is 694 00:25:09,170 --> 00:25:10,219 present only once. 695 00:25:10,220 --> 00:25:12,349 So basically you put three headers and you 696 00:25:12,350 --> 00:25:13,879 make them point to the same data. 697 00:25:13,880 --> 00:25:15,979 So if by any chance an advanced tool 698 00:25:15,980 --> 00:25:18,229 was just checking the bodies, 699 00:25:18,230 --> 00:25:20,359 then it will just see one file type 700 00:25:20,360 --> 00:25:22,369 and it will ignore the others. 701 00:25:22,370 --> 00:25:24,229 So this is the layout. 702 00:25:24,230 --> 00:25:26,209 I'm not sure it's really visible now, but 703 00:25:26,210 --> 00:25:27,889 basically you have the layout of the file 704 00:25:27,890 --> 00:25:29,119 and JPEG, PDF and zip. 705 00:25:29,120 --> 00:25:30,979 So JPEG starts first because it enforces 706 00:25:30,980 --> 00:25:33,169 the magic at zero, then PDF and zip 707 00:25:33,170 --> 00:25:35,359 and the image data is only seen once. 708 00:25:35,360 --> 00:25:37,699 You still need to abuse the format 709 00:25:37,700 --> 00:25:39,139 of. 
So for example, you have a part of 710 00:25:39,140 --> 00:25:41,329 the PDF structure into the zip comments 711 00:25:41,330 --> 00:25:43,399 because it was not made 712 00:25:43,400 --> 00:25:44,449 to to be done. 713 00:25:44,450 --> 00:25:47,899 So initially tough problems. 714 00:25:47,900 --> 00:25:50,299 OK, a different one. 715 00:25:50,300 --> 00:25:51,859 This is a picture of a cat or a proof of 716 00:25:51,860 --> 00:25:54,169 concept, and it's a BMP that is 717 00:25:54,170 --> 00:25:55,170 not compressed. 718 00:25:56,340 --> 00:25:58,619 BMP has a funny 719 00:25:58,620 --> 00:26:00,869 characteristic that enables to define 720 00:26:00,870 --> 00:26:03,119 the bit mask of each color, 721 00:26:03,120 --> 00:26:05,369 and if you set it to 32 bits, then 722 00:26:05,370 --> 00:26:06,719 you can have bits of free space. 723 00:26:06,720 --> 00:26:10,079 So you have for each other. 724 00:26:10,080 --> 00:26:11,399 So you have for each pixel 725 00:26:11,400 --> 00:26:13,319 you have six, sixteen bits that you can 726 00:26:13,320 --> 00:26:15,219 control. What can you do with that? 727 00:26:15,220 --> 00:26:17,339 Well, you can put some sound 728 00:26:17,340 --> 00:26:19,529 so that you can play the picture 729 00:26:19,530 --> 00:26:20,549 seriously. 730 00:26:20,550 --> 00:26:22,139 And I know you can. 731 00:26:22,140 --> 00:26:23,909 I won't make the demo because that would 732 00:26:23,910 --> 00:26:25,259 explode your ears. I mean. 733 00:26:25,260 --> 00:26:26,969 Well I could but you will not like me for 734 00:26:26,970 --> 00:26:29,149 that. But OK, you have sound. 735 00:26:29,150 --> 00:26:30,809 So initially we put some natural music 736 00:26:30,810 --> 00:26:32,369 into the BMP that was playable. 737 00:26:32,370 --> 00:26:33,779 It's not steganography because you can 738 00:26:33,780 --> 00:26:35,999 play directly from the sound player, 739 00:26:36,000 --> 00:26:38,129 it's just raw PCM. 
740 00:26:38,130 --> 00:26:40,349 But we went we went further. 741 00:26:40,350 --> 00:26:42,869 So if you consider the BMP as a WAV 742 00:26:42,870 --> 00:26:45,029 and you encode a picture into 743 00:26:45,030 --> 00:26:47,489 sound, so that is viewable via SoX 744 00:26:47,490 --> 00:26:49,649 as a spectrogram, then you can 745 00:26:49,650 --> 00:26:51,549 have another picture in the picture 746 00:26:51,550 --> 00:26:52,550 via sound. 747 00:26:53,790 --> 00:26:54,869 So I'll never forget to. 748 00:27:02,600 --> 00:27:04,429 So never forget to open your favorite 749 00:27:04,430 --> 00:27:05,430 picture in the sound player 750 00:27:06,920 --> 00:27:08,990 and you have all the gels here, and 751 00:27:10,940 --> 00:27:13,129 Philippe Teuwen actually did further and 752 00:27:13,130 --> 00:27:14,929 he did with three channels, including 753 00:27:14,930 --> 00:27:17,089 each RGB picture, and 754 00:27:17,090 --> 00:27:18,859 he could represent that's the actual 755 00:27:18,860 --> 00:27:21,199 spectrogram view of the data. 756 00:27:21,200 --> 00:27:23,059 Did some data that is integrated in this 757 00:27:23,060 --> 00:27:25,159 picture. So with represented with 758 00:27:25,160 --> 00:27:27,259 borderline. So this is image and this is 759 00:27:27,260 --> 00:27:28,260 sound. 760 00:27:38,360 --> 00:27:40,849 OK, another kind of artistic 761 00:27:40,850 --> 00:27:42,979 file. So this time it's you have 762 00:27:42,980 --> 00:27:45,199 to do twice 763 00:27:45,200 --> 00:27:47,329 to two to two headers with the same 764 00:27:47,330 --> 00:27:49,069 type for the same body. 765 00:27:49,070 --> 00:27:50,839 And of course, it's not steganography 766 00:27:50,840 --> 00:27:52,679 once again, because the data doesn't need 767 00:27:52,680 --> 00:27:54,019 any extra instruction. 768 00:27:54,020 --> 00:27:55,639 It's usable directly. 769 00:27:55,640 --> 00:27:57,689 And but it's it's interesting. 
770 00:27:57,690 --> 00:27:59,239 So I just want to do it live. 771 00:27:59,240 --> 00:28:01,819 So this is an RGB picture 772 00:28:01,820 --> 00:28:03,030 in his work, his 773 00:28:04,190 --> 00:28:05,299 boots with small. 774 00:28:08,550 --> 00:28:11,189 So words were 775 00:28:11,190 --> 00:28:13,889 that this is his picture, so it's a 776 00:28:13,890 --> 00:28:16,049 it's a picture and this 777 00:28:16,050 --> 00:28:18,449 is an RGB picture, so let's 778 00:28:18,450 --> 00:28:20,549 show it again. So basically the data 779 00:28:20,550 --> 00:28:22,619 is made of triplets of 780 00:28:22,620 --> 00:28:24,809 bytes for red, green and 781 00:28:24,810 --> 00:28:25,739 blue colors. 782 00:28:25,740 --> 00:28:28,019 OK, the trick with that picture 783 00:28:28,020 --> 00:28:30,329 is that we 784 00:28:30,330 --> 00:28:31,330 Wolds. 785 00:28:34,790 --> 00:28:36,899 Does it work? Yes, that works, we 786 00:28:36,900 --> 00:28:39,559 added the palette, the random palette, 787 00:28:39,560 --> 00:28:41,689 and basically 788 00:28:41,690 --> 00:28:43,940 the trick is that when you have. 789 00:28:47,010 --> 00:28:48,839 When you have picture data for a 790 00:28:48,840 --> 00:28:50,609 palette, then each byte is an index in 791 00:28:50,610 --> 00:28:51,719 the palette. 792 00:28:51,720 --> 00:28:53,939 So the idea is that 793 00:28:53,940 --> 00:28:56,069 you adjust each RGB 794 00:28:56,070 --> 00:28:58,259 value red green blue so that 795 00:28:58,260 --> 00:28:59,759 it actually maps to a different. 796 00:29:00,760 --> 00:29:02,919 The color in the palette 797 00:29:02,920 --> 00:29:05,259 so that it's a valid RGB, it's also 798 00:29:05,260 --> 00:29:06,970 a valid picture you probably won't do. 799 00:29:08,140 --> 00:29:10,509 And so basically you have a second 800 00:29:10,510 --> 00:29:12,399 picture that is stored in the same data 801 00:29:12,400 --> 00:29:13,629 via the palette. 
802 00:29:13,630 --> 00:29:16,419 And in this case, this is the picture 803 00:29:16,420 --> 00:29:18,789 and this is a barcode inception 804 00:29:18,790 --> 00:29:20,859 because you have a QR code and a data 805 00:29:20,860 --> 00:29:22,179 matrix code inside. 806 00:29:22,180 --> 00:29:24,339 So depending on your reader, then 807 00:29:24,340 --> 00:29:25,899 you you will see one or the other. 808 00:29:35,000 --> 00:29:37,399 The danger is also, if you scan directly 809 00:29:37,400 --> 00:29:38,959 or if you just swipe, because if you 810 00:29:38,960 --> 00:29:41,749 swipe, it will see the smaller one first. 811 00:29:41,750 --> 00:29:43,999 So just it's usually you can 812 00:29:44,000 --> 00:29:45,739 see it. You can see the data matrix here. 813 00:29:45,740 --> 00:29:47,569 It works better with a white line. 814 00:29:47,570 --> 00:29:49,789 So you can notice it if you 815 00:29:49,790 --> 00:29:50,879 are trained. 816 00:29:50,880 --> 00:29:52,819 But if you didn't know, then maybe check 817 00:29:52,820 --> 00:29:54,589 twice. I mean, feel free to scan it. 818 00:29:57,690 --> 00:29:58,969 You can trust me. 819 00:29:58,970 --> 00:29:59,970 No worries. 820 00:30:02,620 --> 00:30:03,620 OK, 821 00:30:04,720 --> 00:30:07,359 I also worked with 822 00:30:07,360 --> 00:30:09,939 famous cryptographers and they created 823 00:30:09,940 --> 00:30:12,129 a collision of a modified version 824 00:30:12,130 --> 00:30:13,089 of SHA-1. 825 00:30:13,090 --> 00:30:15,249 So this is the full SHA-1 on all 826 00:30:15,250 --> 00:30:17,289 the rounds. But it's just that SHA-1 has 827 00:30:17,290 --> 00:30:19,179 five constants, internal constants, and 828 00:30:19,180 --> 00:30:21,399 you just modify four of them so 829 00:30:21,400 --> 00:30:23,979 that it looks secure like SHA-1. 830 00:30:23,980 --> 00:30:26,319 But we actually can control 831 00:30:26,320 --> 00:30:28,899 something and get a collision. 
832 00:30:28,900 --> 00:30:31,779 OK, the collision rules are complex 833 00:30:31,780 --> 00:30:33,319 and it gives you this. 834 00:30:33,320 --> 00:30:35,379 OK, so you have these two blocks that 835 00:30:35,380 --> 00:30:36,460 collide like 836 00:30:37,470 --> 00:30:39,309 a really impressive and the rules are a 837 00:30:39,310 --> 00:30:41,769 bit complex at most three consecutive 838 00:30:41,770 --> 00:30:43,629 bytes without a difference in every 839 00:30:43,630 --> 00:30:45,549 dword, only the middle two bytes have no 840 00:30:45,550 --> 00:30:47,679 differences. OK, 841 00:30:47,680 --> 00:30:49,899 and this takes like between 842 00:30:49,900 --> 00:30:52,089 15 and 30 hours to compute 843 00:30:52,090 --> 00:30:53,529 on 80 cores. 844 00:30:53,530 --> 00:30:55,629 So this is a modified SHA-1 845 00:30:55,630 --> 00:30:57,969 collision, but it's not exactly super 846 00:30:57,970 --> 00:30:59,749 impressive. Right. 847 00:30:59,750 --> 00:31:02,109 OK, so my my task was to abuse 848 00:31:02,110 --> 00:31:04,509 that in the valley with a valid file 849 00:31:04,510 --> 00:31:06,789 format and JPEG has 850 00:31:06,790 --> 00:31:09,369 the nice ability to have several. 851 00:31:09,370 --> 00:31:11,589 So it has a very short signature and 852 00:31:11,590 --> 00:31:14,349 then it has the several markers e0 853 00:31:14,350 --> 00:31:16,699 you into each way that we can 854 00:31:16,700 --> 00:31:18,009 that are all valid. 
855 00:31:18,010 --> 00:31:19,629 And then we just abuse the lengths so that 856 00:31:19,630 --> 00:31:21,909 we can combine two pictures and 857 00:31:21,910 --> 00:31:23,529 then we this 858 00:31:24,700 --> 00:31:26,919 question marks, we don't control them, 859 00:31:26,920 --> 00:31:29,169 but at least we know we can put 860 00:31:29,170 --> 00:31:30,909 something at the end of the all the good 861 00:31:30,910 --> 00:31:32,529 things that the length is not too long is 862 00:31:32,530 --> 00:31:33,969 just a word, not a double word. 863 00:31:33,970 --> 00:31:36,069 So you can at the end of 864 00:31:36,070 --> 00:31:38,499 this length that was generated 865 00:31:38,500 --> 00:31:40,689 by the cluster. So we don't control you 866 00:31:40,690 --> 00:31:42,879 can put back the start of the next image. 867 00:31:42,880 --> 00:31:45,099 The result is a bit more visual, two random 868 00:31:45,100 --> 00:31:46,100 pictures. 869 00:31:47,180 --> 00:31:49,009 So that's actually collide with a 870 00:31:49,010 --> 00:31:50,010 modified SHA-1. 871 00:31:57,590 --> 00:32:00,079 And it will just work with the 872 00:32:00,080 --> 00:32:02,329 most JPEG sizes 873 00:32:02,330 --> 00:32:04,579 I think with any JPEG, and 874 00:32:04,580 --> 00:32:05,949 that was just before the final. 875 00:32:05,950 --> 00:32:08,569 So yeah, just a coincidence. 876 00:32:09,690 --> 00:32:11,449 And of course, because the problem is 877 00:32:11,450 --> 00:32:13,429 that the backdoor only gives you one 878 00:32:13,430 --> 00:32:15,349 collision block, not as many collisions 879 00:32:15,350 --> 00:32:17,119 as you wish. 
880 00:32:17,120 --> 00:32:18,979 It's also interesting to actually turn 881 00:32:18,980 --> 00:32:20,629 this collision into a multi-type 882 00:32:20,630 --> 00:32:22,789 polyglot collision so that we could 883 00:32:22,790 --> 00:32:24,889 actually make not only a collision 884 00:32:24,890 --> 00:32:27,499 with value various file types, but also 885 00:32:27,500 --> 00:32:29,049 with us. 886 00:32:29,050 --> 00:32:31,219 So we have the collision, but also with 887 00:32:31,220 --> 00:32:33,499 time so that the battering is more 888 00:32:33,500 --> 00:32:35,279 efficient. Potentially, it doesn't mean 889 00:32:35,280 --> 00:32:37,189 SHA-1 is broken, but it was certainly 890 00:32:37,190 --> 00:32:39,229 an interesting experience from the file 891 00:32:39,230 --> 00:32:40,309 format perspective. 892 00:32:41,500 --> 00:32:44,749 OK, this one is a real demo, 893 00:32:44,750 --> 00:32:47,319 you know, the probably the phony award 894 00:32:47,320 --> 00:32:49,779 and Tony Awards has different categories. 895 00:32:49,780 --> 00:32:51,729 And one of the categories, the best song, 896 00:32:51,730 --> 00:32:53,679 which I'm not sure is boning a lot of 897 00:32:53,680 --> 00:32:54,969 things. Exactly. 898 00:32:54,970 --> 00:32:57,159 So Melissa 899 00:32:57,160 --> 00:32:58,879 won the award. 900 00:32:58,880 --> 00:33:00,609 That's really true. 901 00:33:00,610 --> 00:33:03,039 You can, you know, 902 00:33:03,040 --> 00:33:06,039 use can you get 903 00:33:06,040 --> 00:33:08,199 that? I made a PDF with her picture with 904 00:33:08,200 --> 00:33:09,919 the pony and the lyrics. 905 00:33:09,920 --> 00:33:12,669 OK, but 906 00:33:12,670 --> 00:33:14,739 Melissa, also a bad idea also 907 00:33:14,740 --> 00:33:15,819 can. 908 00:33:15,820 --> 00:33:17,149 Yeah, well, I'm not sure if I should 909 00:33:17,150 --> 00:33:19,509 disclose this yet. 910 00:33:19,510 --> 00:33:20,819 What happened. I do. 911 00:33:20,820 --> 00:33:21,820 I hope I have some. 
912 00:33:23,310 --> 00:33:24,809 Oops. Were you? 913 00:33:29,740 --> 00:33:31,939 So this is a new kind of 914 00:33:31,940 --> 00:33:33,819 music of the polyglot. 915 00:33:35,880 --> 00:33:38,190 So you have the music, the movie. 916 00:33:39,810 --> 00:33:41,060 Why did it stop? I don't know. 917 00:33:43,990 --> 00:33:46,269 Now you have a good proof of concept, 918 00:33:46,270 --> 00:33:48,989 you have the picture, the song, 919 00:33:48,990 --> 00:33:50,309 the lyrics and the song. 920 00:33:50,310 --> 00:33:51,310 I don't know why they so. 921 00:34:01,770 --> 00:34:03,809 So obviously, never forget to open your 922 00:34:03,810 --> 00:34:05,579 PDF in your favorite console emulator. 923 00:34:08,250 --> 00:34:10,379 Actually, I went further and maybe 924 00:34:10,380 --> 00:34:12,928 you remember that this picture, 925 00:34:12,929 --> 00:34:14,849 if you're old enough, I mean, I'm young, 926 00:34:14,850 --> 00:34:17,428 but and 927 00:34:17,429 --> 00:34:19,499 in the similar way I use this 928 00:34:19,500 --> 00:34:21,599 is as you can expect to once again, 929 00:34:21,600 --> 00:34:23,908 this is a PDF document and 930 00:34:23,909 --> 00:34:26,099 the document is a valid 931 00:34:26,100 --> 00:34:27,750 Super Nintendo and Mega Drive ROM. 932 00:34:37,000 --> 00:34:38,709 With the funding logos of their. 933 00:34:42,199 --> 00:34:44,408 OK, so 934 00:34:44,409 --> 00:34:46,069 I still have plenty of time, do I? 935 00:34:46,070 --> 00:34:48,709 Yeah, I would love. 936 00:34:48,710 --> 00:34:49,710 Oh, I don't know. 937 00:34:50,810 --> 00:34:52,939 Well, yeah, I do, I do the 938 00:34:52,940 --> 00:34:54,169 news first. 939 00:34:54,170 --> 00:34:55,589 I mean, we still have a lot of time, 940 00:34:55,590 --> 00:34:57,589 right? Yeah. 941 00:34:57,590 --> 00:34:58,879 Oh yeah. So another one. 942 00:34:58,880 --> 00:35:00,569 I'll go back to this. 943 00:35:00,570 --> 00:35:01,609 Oh yeah. 
944 00:35:01,610 --> 00:35:02,869 I love the conclusion. I can draw the 945 00:35:02,870 --> 00:35:05,149 conclusion in the book. 946 00:35:05,150 --> 00:35:06,079 So the conclusion. 947 00:35:06,080 --> 00:35:07,699 Don't forget what you learned today. 948 00:35:09,860 --> 00:35:12,019 Open in the Senate, are your 949 00:35:12,020 --> 00:35:14,389 pictures in a song player or a console 950 00:35:14,390 --> 00:35:16,789 emulator, just apply any cipher 951 00:35:16,790 --> 00:35:18,439 in case and double check what you 952 00:35:18,440 --> 00:35:19,440 printed. 953 00:35:33,440 --> 00:35:34,789 So a more serious 954 00:35:36,110 --> 00:35:38,539 advice for today, for security 955 00:35:38,540 --> 00:35:39,710 reasons, don't do anything 956 00:35:41,180 --> 00:35:43,699 and for research reasons, try everything. 957 00:35:45,110 --> 00:35:47,179 And especially if you say that you got 958 00:35:47,180 --> 00:35:50,059 something to stop the marketing 959 00:35:50,060 --> 00:35:51,949 and just stop blaming people. 960 00:35:51,950 --> 00:35:53,989 Oh, they got owned because usually people 961 00:35:53,990 --> 00:35:55,729 blaming the other oh, they got owned are 962 00:35:55,730 --> 00:35:57,319 usually people who just want to sell a 963 00:35:57,320 --> 00:35:59,499 security solution and 964 00:35:59,500 --> 00:36:01,639 so proof of concept or get the fuck out 965 00:36:01,640 --> 00:36:03,019 because that's annoying to see all the 966 00:36:03,020 --> 00:36:05,359 people earlier we heard this, but we 967 00:36:05,360 --> 00:36:06,709 we cannot prove it or anything. 968 00:36:06,710 --> 00:36:08,719 That's really annoying. I think as you 969 00:36:08,720 --> 00:36:10,789 can see, I like to open up say all the 970 00:36:10,790 --> 00:36:12,859 proof of concepts of this deck are 971 00:36:12,860 --> 00:36:14,839 public and everything on they will be on 972 00:36:14,840 --> 00:36:17,269 the website a 973 00:36:17,270 --> 00:36:19,279 bit more seriously. 
974 00:36:19,280 --> 00:36:21,349 So for the file formats, 975 00:36:21,350 --> 00:36:23,179 there are many abuses of the specs in 976 00:36:23,180 --> 00:36:25,339 many ways, as you can see, but 977 00:36:25,340 --> 00:36:28,159 the specs themselves are often wrong 978 00:36:28,160 --> 00:36:29,749 or misleading. 979 00:36:29,750 --> 00:36:31,879 The thing is, there is no one 980 00:36:31,880 --> 00:36:34,039 who steps in and 981 00:36:34,040 --> 00:36:36,199 says, OK, now we want to have like 982 00:36:36,200 --> 00:36:38,779 a secure zip, secure, 983 00:36:38,780 --> 00:36:39,799 zip secure. 984 00:36:39,800 --> 00:36:42,199 We just leave the people who originally 985 00:36:42,200 --> 00:36:44,389 created the spec maybe update 986 00:36:44,390 --> 00:36:45,919 them and then we follow them blindly. 987 00:36:45,920 --> 00:36:47,030 And there is we have 988 00:36:48,050 --> 00:36:50,269 had, you say, reaction of the infosec 989 00:36:50,270 --> 00:36:52,129 community when there is an expectation. 990 00:36:52,130 --> 00:36:54,559 But because the specs suck, 991 00:36:54,560 --> 00:36:56,329 there is nothing like say, OK, now let's 992 00:36:56,330 --> 00:36:58,579 enforce, I don't know, something like 993 00:36:58,580 --> 00:37:01,669 zip secure a new aura 994 00:37:01,670 --> 00:37:03,859 or something that 995 00:37:03,860 --> 00:37:06,079 would be more restricted to security 996 00:37:06,080 --> 00:37:08,179 and not keep it in 997 00:37:08,180 --> 00:37:09,829 control of the company that is just 998 00:37:09,830 --> 00:37:11,809 marketing their professional product. 999 00:37:11,810 --> 00:37:13,129 But it's still not really secure. 1000 00:37:13,130 --> 00:37:16,009 You know, a bit like a public 1001 00:37:16,010 --> 00:37:18,019 review, look, exactly like for crypto 1002 00:37:18,020 --> 00:37:19,020 ciphers. 1003 00:37:20,150 --> 00:37:21,859 Format specs don't have this. 
1004 00:37:21,860 --> 00:37:23,949 And it's the 1005 00:37:23,950 --> 00:37:26,059 the um, the specs usually 1006 00:37:26,060 --> 00:37:29,449 are really misleading 1007 00:37:29,450 --> 00:37:31,669 and there are very few public 1008 00:37:31,670 --> 00:37:33,769 parsers and even fewer detectors 1009 00:37:33,770 --> 00:37:35,419 like Postle that really understand what 1010 00:37:35,420 --> 00:37:37,279 the file format is about, not just the 1011 00:37:37,280 --> 00:37:39,379 structure and the world and everything. 1012 00:37:39,380 --> 00:37:40,400 And now it's 1013 00:37:41,580 --> 00:37:43,249 humanity goes in the wrong way, as 1014 00:37:43,250 --> 00:37:44,779 usually mankind. 1015 00:37:44,780 --> 00:37:47,059 And for example, standard tools like 1016 00:37:47,060 --> 00:37:49,429 Office, Adobe, 1017 00:37:49,430 --> 00:37:51,559 Adobe Reader, they 1018 00:37:51,560 --> 00:37:53,689 have a they had a secondary 1019 00:37:53,690 --> 00:37:55,639 parsing mode where they say, oh, this is 1020 00:37:55,640 --> 00:37:57,529 detect is looks like it's corrupted. 1021 00:37:57,530 --> 00:37:59,569 Maybe I could recover it. 1022 00:37:59,570 --> 00:38:00,529 And they have a site. 1023 00:38:00,530 --> 00:38:02,209 You can see that they have a secondary 1024 00:38:02,210 --> 00:38:03,679 mode that is even more lax than the 1025 00:38:03,680 --> 00:38:06,229 official one and just it 1026 00:38:06,230 --> 00:38:07,669 really puts back together. 1027 00:38:07,670 --> 00:38:09,709 Oh no, it's valid. OK, executed and 1028 00:38:09,710 --> 00:38:10,849 suddenly you have something that 1029 00:38:10,850 --> 00:38:12,859 shouldn't be valid at all. 1030 00:38:12,860 --> 00:38:14,839 This is just recovered. 1031 00:38:14,840 --> 00:38:16,999 Thankfully, it's good for the user, 1032 00:38:17,000 --> 00:38:18,769 but for security it's not. 1033 00:38:18,770 --> 00:38:20,180 Or sometimes it's actually 1034 00:38:21,530 --> 00:38:23,659 annoying. 
Like, for example, WinRAR has 1035 00:38:23,660 --> 00:38:25,129 a different parsing mode when it's 1036 00:38:25,130 --> 00:38:27,050 viewing the file than when extracting. 1037 00:38:28,680 --> 00:38:30,869 So, yeah, what you see is not 1038 00:38:30,870 --> 00:38:32,969 what you get, what you, what you list 1039 00:38:32,970 --> 00:38:35,039 is not what you extract, and everything. 1040 00:38:35,040 --> 00:38:36,459 Yeah, very difficult. 1041 00:38:36,460 --> 00:38:38,279 And once again, this was a kind of 1042 00:38:38,280 --> 00:38:41,069 overall talk on the possibilities. 1043 00:38:41,070 --> 00:38:42,959 But for the technical details, check my 1044 00:38:42,960 --> 00:38:44,439 previous talks, because I went into 1045 00:38:44,440 --> 00:38:46,499 the details of how to create 1046 00:38:46,500 --> 00:38:48,300 them and everything, or my articles in. 1047 00:38:51,060 --> 00:38:52,530 Thanks a lot to everybody 1048 00:38:53,580 --> 00:38:54,580 in. 1049 00:39:05,610 --> 00:39:07,679 I have some bonus, but maybe first. 1050 00:39:07,680 --> 00:39:08,939 Oh, yeah, so that's. 1051 00:39:08,940 --> 00:39:10,219 So do you have any questions? 1052 00:39:15,790 --> 00:39:17,799 So if you've got any questions, please line 1053 00:39:17,800 --> 00:39:18,820 up at the microphones 1054 00:39:19,870 --> 00:39:22,089 and, uh, yeah, let's start with 1055 00:39:22,090 --> 00:39:23,929 microphone two, um, 1056 00:39:25,000 --> 00:39:26,769 From your experience, do you think it is 1057 00:39:26,770 --> 00:39:28,899 possible to write a 1058 00:39:28,900 --> 00:39:31,119 file parser that will, 1059 00:39:31,120 --> 00:39:33,609 will properly decode something 1060 00:39:33,610 --> 00:39:35,829 as seemingly easy as a 1061 00:39:35,830 --> 00:39:37,029 file?
1062 00:39:37,030 --> 00:39:38,889 Because Google a couple of years ago 1063 00:39:38,890 --> 00:39:41,289 decided they couldn't do it, and 1064 00:39:41,290 --> 00:39:43,239 they decided, like for Gmail, when they 1065 00:39:43,240 --> 00:39:45,669 want to display pictures, images, 1066 00:39:45,670 --> 00:39:48,469 they, they wanted to sanitize 1067 00:39:48,470 --> 00:39:49,899 the bitstream. 1068 00:39:49,900 --> 00:39:52,029 And finally they decided they couldn't do 1069 00:39:52,030 --> 00:39:54,099 it. So they changed their model. 1070 00:39:54,100 --> 00:39:56,019 So it runs in a different security 1071 00:39:56,020 --> 00:39:58,119 context. So do you think it's 1072 00:39:58,120 --> 00:40:01,059 possible to write a parser that 1073 00:40:01,060 --> 00:40:03,309 is clean and can produce a cleaned 1074 00:40:03,310 --> 00:40:06,009 up version of a file? 1075 00:40:06,010 --> 00:40:07,899 People, people are trying that. 1076 00:40:07,900 --> 00:40:09,189 I'm not trying personally. 1077 00:40:09,190 --> 00:40:11,319 I would first like the specs to be 1078 00:40:11,320 --> 00:40:13,570 a bit more reasonable, 1079 00:40:15,070 --> 00:40:17,499 but I don't know about the formal 1080 00:40:17,500 --> 00:40:19,689 possibility of this and everything. 1081 00:40:19,690 --> 00:40:21,790 But it's, what I see is that 1082 00:40:22,900 --> 00:40:24,969 when they say this buffer should be null, 1083 00:40:24,970 --> 00:40:26,799 the parsers are never saying, oh, if 1084 00:40:26,800 --> 00:40:28,719 there is an error here, let's 1085 00:40:28,720 --> 00:40:29,319 return. 1086 00:40:29,320 --> 00:40:31,959 If I am in secure mode and say no, 1087 00:40:31,960 --> 00:40:33,669 it should be null. So let's be a bit 1088 00:40:33,670 --> 00:40:34,780 German and strict and. 1089 00:40:39,240 --> 00:40:40,590 OK, then, microphone one, please.
1090 00:40:41,850 --> 00:40:43,919 So what would your concise 1091 00:40:43,920 --> 00:40:45,689 advice be for someone, say, designing a 1092 00:40:45,690 --> 00:40:47,099 new binary file format? 1093 00:40:47,100 --> 00:40:48,839 I mean, it seems to me it'd start with a 1094 00:40:48,840 --> 00:40:49,919 simple header. 1095 00:40:49,920 --> 00:40:51,329 Make sure you check, you know, that 1096 00:40:51,330 --> 00:40:52,769 there's no garbage at the end, and then 1097 00:40:52,770 --> 00:40:53,770 that's it. 1098 00:40:54,700 --> 00:40:56,499 Well, first, it depends if your file 1099 00:40:56,500 --> 00:40:58,239 format is, like, made of pointers, like 1100 00:40:58,240 --> 00:41:00,009 it's made to be executable, executed by 1101 00:41:00,010 --> 00:41:02,199 an OS, or if it's like a structure, 1102 00:41:02,200 --> 00:41:04,329 there's a sequence of structures, 1103 00:41:04,330 --> 00:41:06,009 like images. 1104 00:41:06,010 --> 00:41:09,009 But, uh, yeah, for those OS formats, 1105 00:41:09,010 --> 00:41:11,469 you should, it's difficult 1106 00:41:11,470 --> 00:41:13,419 to enforce that because the loader 1107 00:41:13,420 --> 00:41:15,099 evolves and 1108 00:41:16,960 --> 00:41:17,960 you. 1109 00:41:19,240 --> 00:41:21,309 And then people have 1110 00:41:21,310 --> 00:41:22,389 their own interpretation with the 1111 00:41:22,390 --> 00:41:24,639 compiler, but at least I was thinking, 1112 00:41:24,640 --> 00:41:26,409 when I'm enforcing the actual content, 1113 00:41:26,410 --> 00:41:28,629 it's more with data file formats, and yet 1114 00:41:28,630 --> 00:41:30,639 OS, at least the thing is, with the OS, 1115 00:41:30,640 --> 00:41:32,709 usually you have one standard loader that 1116 00:41:32,710 --> 00:41:34,869 no one knows fully, but it's like 1117 00:41:34,870 --> 00:41:36,519 really defining the standard, because it's 1118 00:41:36,520 --> 00:41:38,709 not like everybody likes to write their own 1119 00:41:38,710 --> 00:41:40,359 loader for no reason.
1120 00:41:40,360 --> 00:41:41,649 And it's like we need to have two. 1121 00:41:41,650 --> 00:41:42,650 Thanks. 1122 00:41:43,190 --> 00:41:44,190 OK, microphone three. 1123 00:41:45,590 --> 00:41:47,059 Well, first of all, thanks for the talk 1124 00:41:47,060 --> 00:41:49,429 and also thanks for your work in 1125 00:41:49,430 --> 00:41:50,719 PoC||GTFO. 1126 00:41:50,720 --> 00:41:52,129 I have one question. First of all, where 1127 00:41:52,130 --> 00:41:53,509 can I download this presentation? 1128 00:41:53,510 --> 00:41:55,579 And secondly, how many programs should I 1129 00:41:55,580 --> 00:41:56,580 try it with? 1130 00:42:00,500 --> 00:42:01,819 I need to find out. 1131 00:42:04,310 --> 00:42:07,249 OK, yeah, all of your extras, spoilers, 1132 00:42:07,250 --> 00:42:08,810 full, but I have my secret. 1133 00:42:10,070 --> 00:42:11,899 Thanks for this microphone. Well, yeah, 1134 00:42:11,900 --> 00:42:13,789 you mentioned that in the PDF spec 1135 00:42:13,790 --> 00:42:15,349 there are basically two separate parsers 1136 00:42:15,350 --> 00:42:17,119 or so, kind of one for viewing and one for 1137 00:42:17,120 --> 00:42:18,079 printing. 1138 00:42:18,080 --> 00:42:19,789 But that sounds like a really bad idea. 1139 00:42:19,790 --> 00:42:21,079 Do you know why that is? 1140 00:42:21,080 --> 00:42:22,829 Is it for historical reasons or. 1141 00:42:22,830 --> 00:42:24,949 No, it's not actually the same in 1142 00:42:24,950 --> 00:42:26,629 this case. It's not kind of two parsers, it's 1143 00:42:26,630 --> 00:42:27,529 just you, 1144 00:42:27,530 --> 00:42:29,449 you use 1145 00:42:31,520 --> 00:42:33,679 it for what you do, either the requirements 1146 00:42:33,680 --> 00:42:35,179 of the screen or the requirements of the 1147 00:42:35,180 --> 00:42:36,079 printer. 1148 00:42:36,080 --> 00:42:38,029 So it's actually you enable or disable 1149 00:42:38,030 --> 00:42:38,929 some content here. 1150 00:42:38,930 --> 00:42:40,499 It's not a discrepancy.
1151 00:42:40,500 --> 00:42:42,079 It's a part of the specs. 1152 00:42:42,080 --> 00:42:44,149 So the printing schizophrenia is 1153 00:42:44,150 --> 00:42:46,279 actually the only one that is, 1154 00:42:46,280 --> 00:42:47,280 it's official. 1155 00:42:48,340 --> 00:42:50,529 Yeah, it's layers, and you make one 1156 00:42:50,530 --> 00:42:52,719 layer appear on by default for 1157 00:42:52,720 --> 00:42:55,029 printing and the other for viewing, 1158 00:42:55,030 --> 00:42:57,519 and it's because people are not used to 1159 00:42:57,520 --> 00:42:59,739 enabling or disabling layers, then you can 1160 00:42:59,740 --> 00:43:02,289 abuse that. But to me, I accidentally 1161 00:43:02,290 --> 00:43:04,389 found a few days ago, with a manually 1162 00:43:04,390 --> 00:43:06,549 edited PDF, a different schizophrenia 1163 00:43:06,550 --> 00:43:08,739 from Chrome printing under Linux, 1164 00:43:08,740 --> 00:43:10,479 where suddenly a parameter was ignored. 1165 00:43:10,480 --> 00:43:12,369 You could have that, but I didn't have 1166 00:43:12,370 --> 00:43:13,809 the time to experiment with that further. 1167 00:43:13,810 --> 00:43:15,699 And this time it was true schizophrenia. 1168 00:43:15,700 --> 00:43:18,009 Like, what was, what was on the screen 1169 00:43:18,010 --> 00:43:20,419 was different, and it wasn't a feature, 1170 00:43:20,420 --> 00:43:22,989 or it's a feature for me, but 1171 00:43:22,990 --> 00:43:23,990 thank you. 1172 00:43:24,790 --> 00:43:27,099 Microphone three. And thanks again for the talk, 1173 00:43:27,100 --> 00:43:29,229 and I have a question, how did you find 1174 00:43:29,230 --> 00:43:31,479 out about all the possibilities, 1175 00:43:31,480 --> 00:43:32,769 about the different parsers? 1176 00:43:32,770 --> 00:43:34,989 How did you find out what 1177 00:43:34,990 --> 00:43:36,009 you can exploit?
1178 00:43:36,010 --> 00:43:38,289 Did you just read the specs 1179 00:43:38,290 --> 00:43:40,599 and see, OK, I can come in there 1180 00:43:40,600 --> 00:43:43,059 and I can open there and it's still valid, 1181 00:43:43,060 --> 00:43:45,549 and then I can combine these two formats, 1182 00:43:45,550 --> 00:43:48,159 or did you just do exhaustive 1183 00:43:48,160 --> 00:43:50,379 testing? So it's a part of my workflow. 1184 00:43:50,380 --> 00:43:52,749 When I'm doing a poster, I'm reading 1185 00:43:52,750 --> 00:43:54,909 the specs a bit, but just enough 1186 00:43:54,910 --> 00:43:57,069 so that I can create a file manually. 1187 00:43:57,070 --> 00:43:59,199 But to be able to explain it in a 1188 00:43:59,200 --> 00:44:01,389 clear way and make it small, 1189 00:44:01,390 --> 00:44:03,609 I need to be sure that I know 1190 00:44:03,610 --> 00:44:05,709 what each byte, how each 1191 00:44:05,710 --> 00:44:07,209 byte is there, just in case I could 1192 00:44:07,210 --> 00:44:08,469 remove those bytes and make the file 1193 00:44:08,470 --> 00:44:10,749 smaller so that it fits on the poster, and 1194 00:44:10,750 --> 00:44:12,879 then in the end I actually created most of 1195 00:44:12,880 --> 00:44:14,019 these files manually. 1196 00:44:14,020 --> 00:44:15,020 So I have a good, 1197 00:44:16,150 --> 00:44:17,559 I have total control of the file. 1198 00:44:17,560 --> 00:44:19,959 That's why I could mix the JAR and PDF 1199 00:44:19,960 --> 00:44:21,429 all together, because they are all 1200 00:44:21,430 --> 00:44:23,829 written in assembly. 1201 00:44:23,830 --> 00:44:24,830 But, and 1202 00:44:26,020 --> 00:44:27,999 and then I can easily experiment, say, 1203 00:44:28,000 --> 00:44:29,769 what happens if I change a pointer here? 1204 00:44:29,770 --> 00:44:32,619 If I suddenly add a buffer and 1205 00:44:32,620 --> 00:44:34,719 I get a blue screen or a different result 1206 00:44:34,720 --> 00:44:36,959 or everything.
So it's not 1207 00:44:36,960 --> 00:44:39,039 directly 1208 00:44:39,040 --> 00:44:41,169 exploitation research, but it's because 1209 00:44:41,170 --> 00:44:42,789 I study, because I want to make sure what 1210 00:44:42,790 --> 00:44:44,949 each byte is for, for the clarity, 1211 00:44:44,950 --> 00:44:46,419 for the final result, the clarity of 1212 00:44:46,420 --> 00:44:48,579 the poster. Then, consequently, I 1213 00:44:48,580 --> 00:44:50,319 can manipulate every structure of the 1214 00:44:50,320 --> 00:44:52,359 file freely. 1215 00:44:52,360 --> 00:44:54,549 And this happens sometimes. 1216 00:44:54,550 --> 00:44:56,559 But many of those were discovered by 1217 00:44:56,560 --> 00:44:58,059 accident, like, open it in a different 1218 00:44:58,060 --> 00:45:00,699 viewer and you get a crash or something. 1219 00:45:00,700 --> 00:45:02,649 OK, but it's not active fuzzing or 1220 00:45:02,650 --> 00:45:05,019 exploitation. And I 1221 00:45:05,020 --> 00:45:06,609 just read the part of the specs that I 1222 00:45:06,610 --> 00:45:08,709 need to for my 1223 00:45:08,710 --> 00:45:10,899 limited understanding, and I don't go 1224 00:45:10,900 --> 00:45:13,149 through the whole specs myself. 1225 00:45:13,150 --> 00:45:14,609 OK, thanks. 1226 00:45:14,610 --> 00:45:16,659 OK, then we've got a question from the 1227 00:45:16,660 --> 00:45:18,669 Internet. Yeah, this question is actually 1228 00:45:18,670 --> 00:45:20,169 two questions, or kind of a combined 1229 00:45:20,170 --> 00:45:22,329 question. Somebody wants to know 1230 00:45:22,330 --> 00:45:25,239 whether there are any, like, countermeasures 1231 00:45:25,240 --> 00:45:27,549 and, if there are, and how 1232 00:45:27,550 --> 00:45:29,919 could you detect that somebody did, like, 1233 00:45:29,920 --> 00:45:31,420 this advanced binary magic.
1234 00:45:33,960 --> 00:45:35,879 What are the countermeasures and, sorry, 1235 00:45:35,880 --> 00:45:38,009 and if you can detect if somebody 1236 00:45:38,010 --> 00:45:39,449 did this stuff to a file. 1237 00:45:41,400 --> 00:45:42,839 Well, you can still check if there is 1238 00:45:42,840 --> 00:45:45,149 something after the data, 1239 00:45:45,150 --> 00:45:47,339 you can still see it's 1240 00:45:47,340 --> 00:45:49,619 a problem that you 1241 00:45:49,620 --> 00:45:51,719 can, you could check if a buffer 1242 00:45:51,720 --> 00:45:53,699 is big and it's not used, it's not 1243 00:45:53,700 --> 00:45:55,619 referenced anywhere in the source. I'm 1244 00:45:55,620 --> 00:45:58,229 thinking about, a bit later, 1245 00:45:58,230 --> 00:45:59,309 work on Flash. 1246 00:45:59,310 --> 00:46:01,199 And as far as I saw, it was a sanitizer 1247 00:46:01,200 --> 00:46:01,969 for Flash files. 1248 00:46:01,970 --> 00:46:03,959 So it was really rewriting the Flash 1249 00:46:03,960 --> 00:46:05,069 files in a clean way. 1250 00:46:05,070 --> 00:46:07,169 And as far as I know, no one was 1251 00:46:07,170 --> 00:46:08,159 really interested, 1252 00:46:08,160 --> 00:46:10,319 even though it was a fully 1253 00:46:10,320 --> 00:46:12,569 working tool. So not, not 1254 00:46:12,570 --> 00:46:14,129 a, people just want to open the files 1255 00:46:14,130 --> 00:46:16,349 anyway. It's, it's, so this work 1256 00:46:16,350 --> 00:46:18,179 should be done really at the specs level 1257 00:46:18,180 --> 00:46:20,189 and not as an extra tool. 1258 00:46:20,190 --> 00:46:22,409 So there are countermeasures, but when 1259 00:46:22,410 --> 00:46:24,239 they are well done, then people don't use 1260 00:46:24,240 --> 00:46:25,240 them.
1261 00:46:26,380 --> 00:46:28,539 OK, microphone one. Hi, 1262 00:46:28,540 --> 00:46:30,009 I would like to know whether you have 1263 00:46:30,010 --> 00:46:32,079 ever tested how your polyglots 1264 00:46:32,080 --> 00:46:34,179 behave in a forensic environment like 1265 00:46:34,180 --> 00:46:36,309 X-Ways, EnCase, FTK 1266 00:46:36,310 --> 00:46:37,779 or something like that? 1267 00:46:37,780 --> 00:46:38,949 Oh, not really. 1268 00:46:38,950 --> 00:46:41,149 I heard of funny results with the various 1269 00:46:41,150 --> 00:46:43,059 security tools, but I'm not trying 1270 00:46:43,060 --> 00:46:43,989 actively. 1271 00:46:43,990 --> 00:46:46,279 And you. 1272 00:46:46,280 --> 00:46:48,789 Yeah, I expect 1273 00:46:48,790 --> 00:46:51,009 surprises, especially if 1274 00:46:51,010 --> 00:46:53,079 you see my previous talk on this 1275 00:46:53,080 --> 00:46:55,509 that was focused on schizophrenia, 1276 00:46:55,510 --> 00:46:57,099 where you have a zip file that was parsed 1277 00:46:57,100 --> 00:46:58,389 in four different ways, differently 1278 00:46:58,390 --> 00:46:59,829 depending on the tools. 1279 00:46:59,830 --> 00:47:02,289 But I don't try that, for lack of time. 1280 00:47:02,290 --> 00:47:03,290 OK, thanks. 1281 00:47:04,020 --> 00:47:05,169 We've got another question from the 1282 00:47:05,170 --> 00:47:06,189 Internet. Yeah. 1283 00:47:06,190 --> 00:47:07,899 The question is, do you think we need to 1284 00:47:07,900 --> 00:47:10,479 return to raw and plaintext 1285 00:47:10,480 --> 00:47:12,759 ASCII and/or 1286 00:47:12,760 --> 00:47:14,709 textual representation? 1287 00:47:14,710 --> 00:47:16,629 No, but no, absolutely not.
1288 00:47:16,630 --> 00:47:18,879 But it's just that, 1289 00:47:18,880 --> 00:47:20,409 if you think about it, when you have the 1290 00:47:20,410 --> 00:47:22,419 specs and it says this is reserved and 1291 00:47:22,420 --> 00:47:24,459 should be zero, how many parsers are 1292 00:47:24,460 --> 00:47:26,199 actually saying there's something wrong 1293 00:47:26,200 --> 00:47:27,200 because it's not zero? 1294 00:47:28,780 --> 00:47:31,089 Maybe I'm old fashioned, but definitely, 1295 00:47:31,090 --> 00:47:32,739 as soon as you have such a field, I can 1296 00:47:32,740 --> 00:47:34,989 write whatever in there, 1297 00:47:34,990 --> 00:47:37,269 and as long as I can allocate a buffer, 1298 00:47:37,270 --> 00:47:39,429 I can put whatever in there. 1299 00:47:39,430 --> 00:47:41,639 So no, 1300 00:47:41,640 --> 00:47:43,719 not going back, but at least 1301 00:47:43,720 --> 00:47:45,849 not being afraid to enforce a few things, 1302 00:47:45,850 --> 00:47:48,479 like you have for, like, say, 1303 00:47:48,480 --> 00:47:50,319 crypto, where people have public reviews 1304 00:47:50,320 --> 00:47:51,969 before things are going public. 1305 00:47:53,940 --> 00:47:55,460 OK, any more questions? 1306 00:47:58,060 --> 00:48:00,159 No? Just a few of the bonus slides that I 1307 00:48:00,160 --> 00:48:01,249 had. 1308 00:48:01,250 --> 00:48:03,469 OK, OK, so, 1309 00:48:03,470 --> 00:48:04,470 bonus stage, 1310 00:48:05,530 --> 00:48:07,899 yeah, the, the abstract 1311 00:48:07,900 --> 00:48:10,089 of that, of that talk was 1312 00:48:10,090 --> 00:48:12,219 initially ASCII only, because an abstract 1313 00:48:12,220 --> 00:48:14,619 needs to be ASCII, and a PDF polyglot 1314 00:48:14,620 --> 00:48:16,299 with some mascot. 1315 00:48:16,300 --> 00:48:18,039 So that's probably why people were afraid 1316 00:48:18,040 --> 00:48:19,509 to actually check my abstract in the 1317 00:48:19,510 --> 00:48:20,510 first place.
But 1318 00:48:21,820 --> 00:48:24,279 the frab removed 1319 00:48:24,280 --> 00:48:26,379 all the new lines. So I went back to a 1320 00:48:26,380 --> 00:48:27,819 standard abstract. 1321 00:48:27,820 --> 00:48:29,769 But that was, that's, that's a file name of 1322 00:48:29,770 --> 00:48:31,099 the archive of the, 1323 00:48:32,820 --> 00:48:35,289 uh, Solar 1324 00:48:35,290 --> 00:48:37,689 Designer did a great keynote 1325 00:48:37,690 --> 00:48:39,759 a few months ago, and his keynote 1326 00:48:39,760 --> 00:48:41,979 was, the title was, Is InfoSec 1327 00:48:41,980 --> 00:48:43,989 a game? And the keynote was a game 1328 00:48:45,340 --> 00:48:47,469 that he, for which he used an old engine, 1329 00:48:47,470 --> 00:48:49,629 and he used some very nice graphics 1330 00:48:49,630 --> 00:48:51,939 that can ring a bell, including 1331 00:48:51,940 --> 00:48:52,899 a DeLorean. 1332 00:48:52,900 --> 00:48:55,269 And he, the whole keynote 1333 00:48:55,270 --> 00:48:57,549 was a game that he played through, and he 1334 00:48:57,550 --> 00:48:59,679 made all the interactions 1335 00:48:59,680 --> 00:49:00,909 you have. 1336 00:49:00,910 --> 00:49:02,979 I don't know if you go to fail, 1337 00:49:02,980 --> 00:49:05,109 pick exploit, patch, 1338 00:49:05,110 --> 00:49:07,209 sites, really, but it's a bit difficult 1339 00:49:07,210 --> 00:49:09,399 for people to just enjoy his 1340 00:49:09,400 --> 00:49:11,349 game, because they would have to run it in 1341 00:49:11,350 --> 00:49:12,699 an emulator and everything and go through 1342 00:49:12,700 --> 00:49:14,469 the game without knowing really what to 1343 00:49:14,470 --> 00:49:16,089 do. Not everybody has the time. 1344 00:49:16,090 --> 00:49:18,219 So he created screenshots of all 1345 00:49:18,220 --> 00:49:20,419 the game, and I just, 1346 00:49:20,420 --> 00:49:22,269 I just wrote it by hand.
1347 00:49:22,270 --> 00:49:24,429 The PDF that contains all the screenshots 1348 00:49:24,430 --> 00:49:26,529 in the original resolution, with, bundled, 1349 00:49:26,530 --> 00:49:28,629 the actual game, so that you can run the 1350 00:49:28,630 --> 00:49:31,029 game from the PDF, because why not? 1351 00:49:31,030 --> 00:49:33,099 So that's a good way to distribute it as 1352 00:49:33,100 --> 00:49:35,619 a single file with everything, without 1353 00:49:35,620 --> 00:49:36,620 any hassle. 1354 00:49:37,830 --> 00:49:40,019 Quines. Quine, if you 1355 00:49:40,020 --> 00:49:42,209 see artistic valid files, quine, 1356 00:49:42,210 --> 00:49:44,279 I don't do that much, but just in 1357 00:49:44,280 --> 00:49:44,519 case. 1358 00:49:44,520 --> 00:49:46,109 So a quine is just a file that prints 1359 00:49:46,110 --> 00:49:47,399 its own source. 1360 00:49:47,400 --> 00:49:49,569 So basically this is a file that 1361 00:49:49,570 --> 00:49:51,899 prints its own source. 1362 00:49:51,900 --> 00:49:54,269 But once again, I don't use linkers. 1363 00:49:54,270 --> 00:49:56,729 I create the whole header 1364 00:49:56,730 --> 00:49:58,049 structure myself. 1365 00:49:58,050 --> 00:49:59,409 Then you can do that. 1366 00:49:59,410 --> 00:50:01,519 Yeah, you can do that directly, 1367 00:50:01,520 --> 00:50:03,749 using no compiler, just an assembler 1368 00:50:03,750 --> 00:50:04,919 or linker. 1369 00:50:04,920 --> 00:50:07,379 So you have cross-quines, and basically 1370 00:50:07,380 --> 00:50:09,449 you have an ELF that creates the 1371 00:50:09,450 --> 00:50:11,999 source of a PE, and the PE 1372 00:50:12,000 --> 00:50:14,699 creates the source of an ELF. 1373 00:50:14,700 --> 00:50:17,009 But I'm really a little player 1374 00:50:17,010 --> 00:50:18,629 here, because there's a Japanese guy who 1375 00:50:18,630 --> 00:50:20,069 did that with 50 languages.
1376 00:50:31,340 --> 00:50:33,439 Oh, yeah, a few other Angecryption 1377 00:50:33,440 --> 00:50:35,629 proofs of concept, the initial one, so you 1378 00:50:35,630 --> 00:50:37,549 encrypt this into this, et cetera. 1379 00:50:37,550 --> 00:50:39,589 So I had fun with random pictures once 1380 00:50:39,590 --> 00:50:40,590 again. 1381 00:50:41,000 --> 00:50:43,139 Uh, then you can also combine. 1382 00:50:43,140 --> 00:50:46,219 So this is a polyglot with a 1383 00:50:46,220 --> 00:50:49,129 hash collision and schizophrenic, because, 1384 00:50:49,130 --> 00:50:50,569 if you think about it, it's always 1385 00:50:50,570 --> 00:50:52,999 possible. It's more artistic, 1386 00:50:53,000 --> 00:50:54,409 and that's about it for today. 1387 00:50:54,410 --> 00:50:55,410 Thanks for your attention.