Doppelgänger - novel protection against unknown file format vulnerabilities presented at DeepSec 2007

by Rich Smith

Summary: The presentation discusses the development of a general technique for protecting applications against unknown threats delivered through maliciously constructed data files. The technique is general in nature and could be applied in many ways. Two proof-of-concept applications will be discussed, one of which can be demonstrated. There has been a steady increase in attacks taking advantage of defects in client applications through malformed data files (WMF, ANI etc). Such attacks rely on having specifically crafted data inside files associated with affected applications, and are increasingly utilising unknown, unpatched vulnerabilities (0-day) in specifically targeted attacks against both industry and government. By definition, signature-based approaches that try to identify and stop such 0-day file format attacks are bound to fail. The Doppelgänger approach is a novel defence against this class of client-side attacks – its key difference being that it is able to defend against both known and unknown threats to client applications from malformed data files. Doppelgänger achieves this through random transformations of a file's data content, while maintaining informational and functional equivalence.
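The idea in the last sentence, as an added illustration that is not Doppelgänger's own code: the abstract does not say which formats or transformations the tool uses, so the PPM image format, the helper names, and the specific random choices (ASCII or binary encoding, separators, header comments) are assumptions made here. The file is strictly decoded and then re-serialised at random, so the byte layout changes on every pass while the decoded image stays identical.

```python
import random
import re

# One header field: at least one whitespace run or '#' comment, then an integer.
FIELD = re.compile(rb"(?:\s+|#[^\n]*\n)+(\d+)")

def decode_ppm(data):
    """Strictly parse a P3 (ASCII) or P6 (binary) PPM; return (w, h, maxval, pixels)."""
    magic = data[:2]
    if magic not in (b"P3", b"P6"):
        raise ValueError("not a PPM file")
    pos, fields = 2, []
    while len(fields) < 3:
        m = FIELD.match(data, pos)
        if not m:
            raise ValueError("malformed header")
        fields.append(int(m.group(1)))
        pos = m.end()
    w, h, maxval = fields
    if w <= 0 or h <= 0 or not 0 < maxval <= 255:
        raise ValueError("unsupported dimensions or maxval")
    if magic == b"P6":
        pixels = data[pos + 1:pos + 1 + w * h * 3]  # one whitespace byte, then raw samples
    else:
        pixels = bytes(int(tok) for tok in data[pos:].split())
    if len(pixels) != w * h * 3 or max(pixels) > maxval:
        raise ValueError("pixel data does not match header")
    return w, h, maxval, pixels

def encode_random(w, h, maxval, pixels, rng):
    """Serialise the decoded image with random encoding, separators and comments."""
    def sep():
        s = rng.choice([b" ", b"\n", b"\t", b" \n"])
        if rng.random() < 0.5:  # random-length comment shifts every later offset
            s += b"# " + bytes(rng.choices(b"abcdefgh", k=rng.randint(1, 12))) + b"\n"
        return s
    binary = rng.random() < 0.5
    out = b"P6" if binary else b"P3"
    for value in (w, h, maxval):
        out += sep() + b"%d" % value
    if binary:
        return out + b"\n" + pixels
    return out + b"".join(rng.choice([b" ", b"\n", b"  "]) + b"%d" % p for p in pixels) + b"\n"

def transform(data, rng=None):
    """Decode, then re-encode randomly; anything the strict parser rejects never passes."""
    return encode_random(*decode_ppm(data), rng or random.SystemRandom())

# Constructed sample: 2x2 ASCII PPM.
SAMPLE = b"P3\n# constructed sample\n2 2\n255\n255 0 0  0 255 0\n0 0 255  255 255 255\n"
```

Because only the decoded model is written back out, bytes that the strict parser does not account for (trailing data, oversized samples, truncated bodies) are either dropped or cause the file to be rejected before it reaches the viewing application.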