Publikation: Office Document Security and Privacy
Lade...
Dateien
Zu diesem Dokument gibt es keine Dateien.
Datum
2020
Autor:innen
Herausgeber:innen
ISSN der Zeitschrift
Electronic ISSN
ISBN
Bibliografische Daten
Verlag
Schriftenreihe
Auflagebezeichnung
Internationale Patentnummer
Angaben zur Forschungsförderung
Projekt
Open Access-Veröffentlichung
Core Facility der Universität Konstanz
Titel in einer weiteren Sprache
Publikationstyp
Beitrag zu einem Konferenzband
Publikationsstatus
Published
Erschienen in
YAROM, Yuval, ed.. WOOT'20 : 14th USENIX Workshop on Offensive Technologies. Berkeley, CA: USENIX Association, 2020
Zusammenfassung
OOXML and ODF are the de facto standard data formats for word processing, spreadsheets, and presentations. Both are XML-based, feature-rich container formats dating back to the early 2000s. In this work, we present a systematic analysis of the capabilities of malicious office documents. Instead of focusing on implementation bugs, we abuse legitimate features of the OOXML and ODF specifications. We categorize our attacks into five classes: (1) Denial-of-Service attacks affecting the host on which the document is processed. (2) Invasion of privacy attacks that track the usage of the document. (3) Information disclosure attacks exfiltrating personal data out of the victim's computer. (4) Data manipulation on the victim's system. (5) Code execution on the victim's machine. We evaluated the reference implementations – Microsoft Office and LibreOffice – and found both of them to be vulnerable to each tested class of attacks. Finally, we propose mitigation strategies to counter these attacks.
Zusammenfassung in einer weiteren Sprache
Fachgebiet (DDC)
004 Informatik
Schlagwörter
Konferenz
WOOT'20 : 14th USENIX Workshop on Offensive Technologies, 11. Aug. 2020
Rezension
undefined / . - undefined, undefined
Zitieren
ISO 690
MÜLLER, Jens, Fabian ISING, Christian MAINKA, Vladislav MLADENOV, Sebastian SCHINZEL, Jörg SCHWENK, 2020. Office Document Security and Privacy. WOOT'20 : 14th USENIX Workshop on Offensive Technologies, 11. Aug. 2020. In: YAROM, Yuval, ed.. WOOT'20 : 14th USENIX Workshop on Offensive Technologies. Berkeley, CA: USENIX Association, 2020BibTex
@inproceedings{Muller2020Offic-50777,
year={2020},
title={Office Document Security and Privacy},
url={https://www.usenix.org/conference/woot20/presentation/muller},
publisher={USENIX Association},
address={Berkeley, CA},
booktitle={WOOT'20 : 14th USENIX Workshop on Offensive Technologies},
editor={Yarom, Yuval},
author={Müller, Jens and Ising, Fabian and Mainka, Christian and Mladenov, Vladislav and Schinzel, Sebastian and Schwenk, Jörg}
}RDF
<rdf:RDF
xmlns:dcterms="http://purl.org/dc/terms/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:bibo="http://purl.org/ontology/bibo/"
xmlns:dspace="http://digital-repositories.org/ontologies/dspace/0.1.0#"
xmlns:foaf="http://xmlns.com/foaf/0.1/"
xmlns:void="http://rdfs.org/ns/void#"
xmlns:xsd="http://www.w3.org/2001/XMLSchema#" >
<rdf:Description rdf:about="https://kops.uni-konstanz.de/server/rdf/resource/123456789/50777">
<dc:creator>Ising, Fabian</dc:creator>
<dcterms:available rdf:datatype="http://www.w3.org/2001/XMLSchema#dateTime">2020-09-10T12:30:07Z</dcterms:available>
<dc:creator>Schinzel, Sebastian</dc:creator>
<dc:contributor>Schwenk, Jörg</dc:contributor>
<dcterms:issued>2020</dcterms:issued>
<dc:creator>Müller, Jens</dc:creator>
<dc:language>eng</dc:language>
<dc:contributor>Müller, Jens</dc:contributor>
<dc:contributor>Mladenov, Vladislav</dc:contributor>
<dspace:isPartOfCollection rdf:resource="https://kops.uni-konstanz.de/server/rdf/resource/123456789/36"/>
<bibo:uri rdf:resource="https://kops.uni-konstanz.de/handle/123456789/50777"/>
<dcterms:abstract xml:lang="eng">OOXML and ODF are the de facto standard data formats for word processing, spreadsheets, and presentations. Both are XML-based, feature-rich container formats dating back to the early 2000s. In this work, we present a systematic analysis of the capabilities of malicious office documents. Instead of focusing on implementation bugs, we abuse legitimate features of the OOXML and ODF specifications. We categorize our attacks into five classes: (1) Denial-of-Service attacks affecting the host on which the document is processed. (2) Invasion of privacy attacks that track the usage of the document. (3) Information disclosure attacks exfiltrating personal data out of the victim's computer. (4) Data manipulation on the victim's system. (5) Code execution on the victim's machine. We evaluated the reference implementations – Microsoft Office and LibreOffice – and found both of them to be vulnerable to each tested class of attacks. Finally, we propose mitigation strategies to counter these attacks.</dcterms:abstract>
<dc:creator>Mainka, Christian</dc:creator>
<dc:rights>terms-of-use</dc:rights>
<dc:contributor>Schinzel, Sebastian</dc:contributor>
<dcterms:rights rdf:resource="https://rightsstatements.org/page/InC/1.0/"/>
<dc:contributor>Mainka, Christian</dc:contributor>
<dc:date rdf:datatype="http://www.w3.org/2001/XMLSchema#dateTime">2020-09-10T12:30:07Z</dc:date>
<dc:contributor>Ising, Fabian</dc:contributor>
<dc:creator>Mladenov, Vladislav</dc:creator>
<dc:creator>Schwenk, Jörg</dc:creator>
<dcterms:title>Office Document Security and Privacy</dcterms:title>
<foaf:homepage rdf:resource="http://localhost:8080/"/>
<void:sparqlEndpoint rdf:resource="http://localhost/fuseki/dspace/sparql"/>
<dcterms:isPartOf rdf:resource="https://kops.uni-konstanz.de/server/rdf/resource/123456789/36"/>
</rdf:Description>
</rdf:RDF>Interner Vermerk
xmlui.Submission.submit.DescribeStep.inputForms.label.kops_note_fromSubmitter
URL der Originalveröffentl.
Prüfdatum der URL
2020-09-10
Prüfungsdatum der Dissertation
Finanzierungsart
Kommentar zur Publikation
Allianzlizenz
Corresponding Authors der Uni Konstanz vorhanden
Internationale Co-Autor:innen
Universitätsbibliographie
Nein
