Way back in 2005 Bruce Schnier did a post on ODF and security, comparing it to closed binary formats.
https://www.schneier.com/blog/archives/2005/12/opendocument_fo.html
The comments are still relevant, for example, features vs safety balance.
Thursday, 11 December 2014
Monday, 24 November 2014
Kickstarter Campaign now Live!
The Kickstart campaign is now live!
https://www.kickstarter.com/projects/849734365/secure-open-document-format/
https://www.kickstarter.com/projects/849734365/secure-open-document-format/
Sunday, 23 November 2014
Submitted to KickStarter
Finally submitted the proposal to Kickstart for review.
The preview is here, with updated video, text, Q&A and logo.
https://www.kickstarter.com/projects/849734365/942335070?token=49dbb743
The video is on youtube too:
The preview is here, with updated video, text, Q&A and logo.
https://www.kickstarter.com/projects/849734365/942335070?token=49dbb743
The video is on youtube too:
Friday, 21 November 2014
Kickstarter
I've not had much luck exploring the various official funding sources for cyber security - which is puzzling given how much priority is given to cyber.
So I'm going to try social crowd funding through kickstarter.
Have a look at the preview proposal - I'd appreciate you submitting feedback. The words need to be refined and a video produced - should be fun!
Maybe the wisdom of crowds is greater than official bureaucracy?
So I'm going to try social crowd funding through kickstarter.
Have a look at the preview proposal - I'd appreciate you submitting feedback. The words need to be refined and a video produced - should be fun!
Maybe the wisdom of crowds is greater than official bureaucracy?
Sunday, 2 November 2014
Problem, Strategy, Profile Document Online
The document which describes the problem, solution strategy, and secure profile will be developed in full view online at:
Link will always be visible in the Links panel on the top right of this blog.
Feel free to provide ideas, corrections, suggestions to @secureodf or secureodf at gmail dot com.
Link will always be visible in the Links panel on the top right of this blog.
Feel free to provide ideas, corrections, suggestions to @secureodf or secureodf at gmail dot com.
Saturday, 1 November 2014
Security Research Map
In my search to raise visibility and seek the right funding I've added a profile to the EU's Security Research Map:
Sunday, 26 October 2014
Functional Implementation of Validators
Should document validators be written in imperative or functional languages?
They could be done in both, of course, but there are benefits to implementing them in a disciplined functioal language.
Functional languages force you to break down the problem and describe it declaratively. Ths is good discipline because it means your understanding of the problem has to be precise with clear input/output behaviours.
Furthemore, each sub-problem is addressed by smaller functions, each of which must always behave in predictable ways, with guarantees that there will be no interference from the state of other parts of the program - there are no global variables or the state of other objects which can affect the function at all - that's the guarantee of functional programming.
It seems to me that functional programming discipline is ideal for reducing risks in security enforcing software.
I think I'll try clojure to prototype a validator.
They could be done in both, of course, but there are benefits to implementing them in a disciplined functioal language.
Functional languages force you to break down the problem and describe it declaratively. Ths is good discipline because it means your understanding of the problem has to be precise with clear input/output behaviours.
Furthemore, each sub-problem is addressed by smaller functions, each of which must always behave in predictable ways, with guarantees that there will be no interference from the state of other parts of the program - there are no global variables or the state of other objects which can affect the function at all - that's the guarantee of functional programming.
It seems to me that functional programming discipline is ideal for reducing risks in security enforcing software.
I think I'll try clojure to prototype a validator.
Saturday, 11 October 2014
Executable Content
There is another thing we want to include in our definition of secure document profiles - we don't want any of the content to trigger any kind of unpredictable execution on the client.
Javascript in PDFs, or VBScript in Office files, would fail this test.
In reality, each element of the document's content, the XML tags and fields, need to be acted upon - otherwise they would be useless. So in some sense they do all cause execution to happen.
The difference is between document elements which
You might argue that the execution permitted by the latter category will always be constrained - it may only run in a sandbox, or within the application process with its privileges, and wouldn't have arbitrary access to the network or the disk or the users contacts. You'd probably be right.
So this leads us to the question of how high do we want to set the "paranoia" bar. I want to set it as high as I can, and we'll revisit this issue when we hit actual functionality decisions. The guiding philosophy here is to only allow just enough functionality to be useful for the most common functions. Being able to set bold, underline etc falls within that category but executing macros and other scripts is a minority requirement.
Another reason why the latter category of code execution will not be allowed is the reality that software has bugs. That's a reality, you can't pretend there is code without bugs. Bugs means the application reading a document could be subverted to execute malicious code.
Now if a buggy application only ever ingested upper-case ASCII [A-Z] with document sizes of 1-144 characters only, then it is really difficult to subvert the application. On the other hand, if the application was allowed to execute very widely scoped <scripts> then it is easier to subvert it.
This boundary between the two types of execution appears to me to be fuzzy. I'll need to do more digging. I'd appreciate any thoughts via twitter @secureodf.
Javascript in PDFs, or VBScript in Office files, would fail this test.
In reality, each element of the document's content, the XML tags and fields, need to be acted upon - otherwise they would be useless. So in some sense they do all cause execution to happen.
The difference is between document elements which
- Cause predefined, constrained and predictable execution - such as <bold> might, and
- Allow execution to happen which cannot be defined beforehand, and so cannot be finely constrained, such as <script> might.
You might argue that the execution permitted by the latter category will always be constrained - it may only run in a sandbox, or within the application process with its privileges, and wouldn't have arbitrary access to the network or the disk or the users contacts. You'd probably be right.
So this leads us to the question of how high do we want to set the "paranoia" bar. I want to set it as high as I can, and we'll revisit this issue when we hit actual functionality decisions. The guiding philosophy here is to only allow just enough functionality to be useful for the most common functions. Being able to set bold, underline etc falls within that category but executing macros and other scripts is a minority requirement.
Another reason why the latter category of code execution will not be allowed is the reality that software has bugs. That's a reality, you can't pretend there is code without bugs. Bugs means the application reading a document could be subverted to execute malicious code.
Now if a buggy application only ever ingested upper-case ASCII [A-Z] with document sizes of 1-144 characters only, then it is really difficult to subvert the application. On the other hand, if the application was allowed to execute very widely scoped <scripts> then it is easier to subvert it.
This boundary between the two types of execution appears to me to be fuzzy. I'll need to do more digging. I'd appreciate any thoughts via twitter @secureodf.
Wednesday, 8 October 2014
Verifiably Correct Content
Now that we've started to successfully remove elements from the ODF XML we now need to think about what we want to leave in, and how we might define testable constraints for it.
We used the word "verifiable" in the first post. Let's expand on that:
So these are the constraints - and they must be precise enough for us to define tests for pass / fail for them - the content must be verifiable.
UPDATE - I added the requirement for non-executable content, see next post,
We used the word "verifiable" in the first post. Let's expand on that:
All content conforms to a set which we know to be safe.
- Only certain XML keys are permitted. The name of the tags and attributes must be exactly correct, matching a finite set of known-good variants. Misspellings are not permitted.
- Only certain XML values are permitted. This means the stuff between <x> and </x>, and the stuff assigned to attributes like <x attribe="yyy"> must be from a known good set.
- Where fields have user or automatically generated content, like the actual text of a document, or the names of automatically generated styles, this content must have range and size constraints. Range means each piece of this content be know-good, like very simple ASCII for example. Size means the content must not be smaller or larger than known-good limits, to prevent buffer overruns or even unexpected behavior with zero-length content.
- The order in which content appears must also be right. We can't predict how ODF readers will behave
- The content must be complete. That is required (vs optional) items should not be missing, as this can lead to unpredictable behaviour in reader applications.
So these are the constraints - and they must be precise enough for us to define tests for pass / fail for them - the content must be verifiable.
UPDATE - I added the requirement for non-executable content, see next post,
Tuesday, 7 October 2014
Minimal XML Test Document
So after being able to rebuild an ODF from component files as per the previous post, I wanted to first see if I could find a minimal set of XML which would successfully load and open into LibreOffice and MS Office 2007.
So this worked! I was surprised by how much I could pare away.
The results are 3 files as follows, and this isn't a bad place to start describing a minimal XML subset of ODF.
We'll keep paring away....
META-INF/manifest.xml
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0">
<manifest:file-entry manifest:media-type="application/vnd.oasis.opendocument.text" manifest:full-path="/" />
<manifest:file-entry manifest:media-type="text/xml" manifest:full-path="content.xml" />
</manifest:manifest>
content.xml
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<office:document-content office:version="1.1" xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:ooo="http://openoffice.org/2004/office" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:meta="urn:oasis:names:tc:opendocument:xmlns:meta:1.0" xmlns:style="urn:oasis:names:tc:opendocument:xmlns:style:1.0" xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" xmlns:table="urn:oasis:names:tc:opendocument:xmlns:table:1.0" xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" xmlns:fo="urn:oasis:names:tc:opendocument:xmlns:xsl-fo-compatible:1.0" xmlns:number="urn:oasis:names:tc:opendocument:xmlns:datastyle:1.0" xmlns:svg="urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0" xmlns:chart="urn:oasis:names:tc:opendocument:xmlns:chart:1.0" xmlns:dr3d="urn:oasis:names:tc:opendocument:xmlns:dr3d:1.0" xmlns:math="http://www.w3.org/1998/Math/MathML" xmlns:form="urn:oasis:names:tc:opendocument:xmlns:form:1.0" xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0" xmlns:ooow="http://openoffice.org/2004/writer" xmlns:oooc="http://openoffice.org/2004/calc" xmlns:dom="http://www.w3.org/2001/xml-events">
<!-- Generated by SecureODT - max comments chars needed -->
<office:body>
<office:text>
<text:p>
<text:span>test</text:span>
</text:p>
<text:p>
<text:span>1<text:s/>2<text:s/>3<text:s/>4</text:span>
</text:p>
<text:p>
<text:span>abc<text:s/>123<text:s/>def<text:s/>456</text:span>
</text:p>
<text:p />
</office:text>
</office:body>
</office:document-content>
mimetype.xml
application/vnd.oasis.opendocument.text
So this worked! I was surprised by how much I could pare away.
The results are 3 files as follows, and this isn't a bad place to start describing a minimal XML subset of ODF.
We'll keep paring away....
META-INF/manifest.xml
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0">
<manifest:file-entry manifest:media-type="application/vnd.oasis.opendocument.text" manifest:full-path="/" />
<manifest:file-entry manifest:media-type="text/xml" manifest:full-path="content.xml" />
</manifest:manifest>
content.xml
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<office:document-content office:version="1.1" xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:ooo="http://openoffice.org/2004/office" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:meta="urn:oasis:names:tc:opendocument:xmlns:meta:1.0" xmlns:style="urn:oasis:names:tc:opendocument:xmlns:style:1.0" xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" xmlns:table="urn:oasis:names:tc:opendocument:xmlns:table:1.0" xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" xmlns:fo="urn:oasis:names:tc:opendocument:xmlns:xsl-fo-compatible:1.0" xmlns:number="urn:oasis:names:tc:opendocument:xmlns:datastyle:1.0" xmlns:svg="urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0" xmlns:chart="urn:oasis:names:tc:opendocument:xmlns:chart:1.0" xmlns:dr3d="urn:oasis:names:tc:opendocument:xmlns:dr3d:1.0" xmlns:math="http://www.w3.org/1998/Math/MathML" xmlns:form="urn:oasis:names:tc:opendocument:xmlns:form:1.0" xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0" xmlns:ooow="http://openoffice.org/2004/writer" xmlns:oooc="http://openoffice.org/2004/calc" xmlns:dom="http://www.w3.org/2001/xml-events">
<!-- Generated by SecureODT - max comments chars needed -->
<office:body>
<office:text>
<text:p>
<text:span>test</text:span>
</text:p>
<text:p>
<text:span>1<text:s/>2<text:s/>3<text:s/>4</text:span>
</text:p>
<text:p>
<text:span>abc<text:s/>123<text:s/>def<text:s/>456</text:span>
</text:p>
<text:p />
</office:text>
</office:body>
</office:document-content>
mimetype.xml
application/vnd.oasis.opendocument.text
ODF Explode and ReZip Fails
I thought I'd do a very basic test first by unzipping an ODT file to see what was inside it, and then rezip it into a new ODT file.
This failed. I'm trying to work out why.
The following should work:
UPDATE - the issue seems to be the file path ames of the entries in the zipped file which should not include the folder name itself. That is folder/file.xml is bad, but file.xml is ok. If you create a zip from within the unzipped folder, that works. That is, if you create test1.zip from within the test/ folder the resultant test1.zip can be renamed test1.odt and that file opens fine.
This failed. I'm trying to work out why.
The following should work:
- Save simple ODT from Google Docs (or LibreOffice) test.odt
- Rename test.odt to test.zip and unzip it to a folder test/
- Explore the contents of the test/ folder which contains stuff like contents.xml and a manifest.xml
- Don't make any changes to any xml files
- Rezip the test/ folder as test1.zip, rename it to test1.odt
- Open it using LibreOffice.
UPDATE - the issue seems to be the file path ames of the entries in the zipped file which should not include the folder name itself. That is folder/file.xml is bad, but file.xml is ok. If you create a zip from within the unzipped folder, that works. That is, if you create test1.zip from within the test/ folder the resultant test1.zip can be renamed test1.odt and that file opens fine.
Secure ODF Profile
Welcome!
It strikes me that office productivity documents are a significant vector for malware and not much is being done to design a document format which specifically tries to prevent or mitigate these exploits.
This blog will track the development of a subset of the Open Document Format (ODF) which meet the following criteria:
These objective will be refined as we proceed.
It strikes me that office productivity documents are a significant vector for malware and not much is being done to design a document format which specifically tries to prevent or mitigate these exploits.
This blog will track the development of a subset of the Open Document Format (ODF) which meet the following criteria:
- Verifiable - All content is fully and strictly verifiable, with no scope for unexpected behaviour or overloading.
- Minimal - Just enough structure and options to meet user functionality.
- Libre - Fully open and independently implementable.
These objective will be refined as we proceed.
Subscribe to:
Posts (Atom)