Ange Albertini is a reverse engineer and author of Corkami.
First, he explained what a polyglot file is: a single file that is valid as more than one file type at the same time. As an example, he demonstrated a polyglot that is simultaneously a PDF, a PDF reader, a Java executable and an HTML file. The second polyglot he showed was a file that, when encrypted with AES, yields a PNG image, when encrypted under a different key yields a Flash video, and when encrypted with DES yields a PDF document. He pointed out that a file format is not just a sequence of bytes but rather a computer dialect used for communication between communities. He also highlighted that people do not really care about what is behind a file format; they only want to use it and communicate with other people.
The next part of his talk covered the InfoSec background of file formats. Today's standard operating systems support many file formats, and each one needs its own parser, so the attack surface is larger than it used to be. He recommends reducing that attack surface by limiting the number of supported file formats. He further explained that if a file format's specification is not precise enough, its parsers will probably be buggy or exploitable. He demonstrated this by creating six PDFs, each of which works only in one specific PDF reader; opening one of them in any other reader crashes it. It is therefore important that a file format's specification is accurate and unambiguous. The last problem he showed is that many file formats still carry deprecated features (no longer in use), such as the multiple-disk spanning feature of ZIP. Because of that, he advises updating specifications and disabling features that are no longer needed, from a security point of view.
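To make both points above concrete (what a polyglot is, and why a parser that accepts a format from anywhere in a file widens the attack surface), here is a small added example in Python. It is not code from the talk or from Corkami; the HTML document and archive contents are constructed sample inputs. It builds the classic HTML+ZIP polyglot, which works because a browser reads HTML from the start of the file and ZIP readers locate the archive from the end-of-central-directory record at the tail and tolerate a foreign prefix. It then shows the kind of check a practitioner would want: a detector that reports every format a blob satisfies, and a strict ZIP check that rejects any leading or trailing foreign data (the assumed check names, `formats_matched` and `zip_is_tight`, are illustrative, not from the page):

```python
import io
import zipfile

# Constructed sample input (not from the talk): a minimal HTML document.
HTML = b"<!DOCTYPE html><html><body><h1>hello</h1></body></html>\n"


def build_zip(entries):
    """Return the bytes of a ZIP archive holding the given name -> data entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_html_zip_polyglot(html, entries):
    """HTML first, ZIP appended.

    A browser parses the HTML from offset 0 and shows the trailing binary as
    stray text; a ZIP reader finds the end-of-central-directory record at the
    tail and rebases all offsets, so the same bytes are a valid archive too.
    """
    return html + build_zip(entries)


def read_zip_entries(blob):
    """Extract every entry; Python's zipfile rebases offsets past a prefix."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


# Signatures checked at offset 0 (a small, illustrative subset).
MAGICS = {
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "gif": b"GIF8",
    "zip": b"PK\x03\x04",
}

EOCD_SIG = b"PK\x05\x06"   # ZIP end-of-central-directory record
EOCD_LEN = 22              # fixed part of the EOCD record, before the comment


def formats_matched(blob):
    """Return the set of formats this blob would be accepted as.

    Formats with a fixed header are matched at offset 0; HTML is matched on
    a tag near the start; ZIP is additionally matched from the tail, where a
    real ZIP reader looks (last 64 KiB + 22 bytes may hold the EOCD record).
    """
    found = {fmt for fmt, magic in MAGICS.items() if blob.startswith(magic)}
    head = blob[:512].lower()
    if b"<!doctype html" in head or b"<html" in head:
        found.add("html")
    if EOCD_SIG in blob[-(65536 + EOCD_LEN):]:
        found.add("zip")
    return found


def is_polyglot(blob):
    """A blob that more than one parser would accept is a polyglot."""
    return len(formats_matched(blob)) > 1


def zip_is_tight(blob):
    """True only if the archive starts at offset 0 and the EOCD record (plus
    its comment) ends exactly at end of file: no leading or trailing data."""
    if not blob.startswith(MAGICS["zip"]):
        return False
    pos = blob.rfind(EOCD_SIG)
    if pos < 0 or len(blob) - pos < EOCD_LEN:
        return False
    comment_len = int.from_bytes(blob[pos + 20:pos + 22], "little")
    return pos + EOCD_LEN + comment_len == len(blob)


if __name__ == "__main__":
    poly = build_html_zip_polyglot(HTML, {"payload.txt": b"inside the archive\n"})
    print("formats:", sorted(formats_matched(poly)))      # ['html', 'zip']
    print("entries:", read_zip_entries(poly))
    print("tight zip?", zip_is_tight(poly), zip_is_tight(build_zip({"a.txt": b"x"})))
```

The strict check is the practical takeaway: a ZIP parser that only accepts an archive whose first local header sits at offset 0 and whose EOCD record is the last thing in the file refuses this polyglot outright, whereas the lenient behaviour most readers implement (and most specifications permit) is exactly what makes the trick possible.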
You can check out Ange’s slides here, and thanks again to Ange for speaking at TROOPERS!