HTML Renderer in Pure PostScript cited in a security research paper
Just noticed a passing reference to my HTML Renderer in Pure PostScript project in the extended abstract of an interesting scientific paper[1] that focuses on how weaknesses in the PostScript interpreter security model can result in information leakage, compromising the anonymity of document reviewers.
The attack rests on the fact that the same PostScript document can render differently depending on information the program can obtain from the interpreter's context: environment variables and the contents of the filesystem. Among other exploits, this raises the possibility of creating a contract that changes after it has been electronically signed.
[1] Michael Backes, Markus Dürmuth, Dominique Unruh. Information Flow in the Peer-Reviewing Process. In Proceedings of the IEEE Symposium on Security and Privacy, 2007.
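As an added illustration (not code from the paper or from the HTML Renderer project), here is a conservative Python pre-check that lists where a PostScript file names operators able to read the environment or the filesystem, which is worth running before reviewing or signing a document. The operator list, the function name and the sample document are assumptions made for this example; `getenv` is a Ghostscript extension and the rest are standard file operators.

```python
# Added example: flag PostScript names that can read the interpreter's context.
# The operator list is an assumption for this sketch, not taken from the paper.
CONTEXT_OPERATORS = {
    "getenv": "environment variable",
    "file": "filesystem", "filenameforall": "filesystem",
    "status": "filesystem", "run": "filesystem",
}
DELIMS = set("()<>[]{}/%")

def find_context_reads(ps_source):
    """Return (line, name, kind) for each listed name outside comments and strings."""
    hits, i, n = [], 0, len(ps_source)
    while i < n:
        c = ps_source[i]
        if c == "%":  # comment: skip to end of line
            while i < n and ps_source[i] != "\n":
                i += 1
        elif c == "(":  # string: parentheses nest, backslash escapes one char
            depth = 0
            while i < n:
                ch = ps_source[i]
                if ch == "\\":
                    i += 1
                elif ch == "(":
                    depth += 1
                elif ch == ")":
                    depth -= 1
                i += 1
                if depth == 0:
                    break
        elif c.isspace() or c in DELIMS:
            i += 1  # "/" is skipped too, so a literal name like /getenv is also flagged
        else:  # name or number token
            j = i
            while j < n and not ps_source[j].isspace() and ps_source[j] not in DELIMS:
                j += 1
            name = ps_source[i:j]
            if name in CONTEXT_OPERATORS:
                hits.append((ps_source.count("\n", 0, i) + 1, name, CONTEXT_OPERATORS[name]))
            i = j
    return hits

SAMPLE = """%!PS
% constructed sample; getenv in this comment is ignored
(USER) getenv { show } { (unknown) show } ifelse
(file and (status) inside a string are ignored) pop
(notes.txt) (r) file closefile showpage
"""
print(find_context_reads(SAMPLE))
```

Names can also be constructed at run time, so an empty result is not proof that the rendering is independent of context.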