Homoiconicity

Version 12.1 by Nicolas Gregoire on 2012/01/05 00:35

General definition

Homoiconicity is the property of a programming language in which code and data are stored in the same format. For example, the following languages are homoiconic:

  • Lisp : using lists and their sub-types
  • ASM : using bytes stored in memory
  • XSLT : using the XML format

In some memory corruption exploits, shellcode is transmitted as data and later executed when the execution flow is hijacked. This is possible because of homoiconicity: machine code is nothing more than bytes in memory. Executing code transmitted as data is sometimes possible with XSLT too, because an XSLT stylesheet is itself an XML document.

Triggering embedded code

In some contexts (like browsers), XSLT code execution can be triggered while an XML document is parsed, via an xml-stylesheet processing instruction. The executed XSLT code can be stored on the Internet or in the XML document itself (homoiconicity + self-reference trick: the document is both the data being transformed and the xsl:stylesheet transforming it). A blog post by Chris Evans describes a pseudo SVG file triggering a simple RAM DoS. But we can do better ;-)

Exploiting via dynamic SVG images

We can create XML files which browsers will interpret as perfectly valid, self-contained, dynamic SVG images. The SVG image is generated on the fly by the (Turing-complete) XSLT engine of the browser and then rendered.

In the following example, the XSLT code will :

  • fingerprint the underlying XSLT engine
  • draw a circle (red if WebKit, green otherwise)
  • try to exploit CVE-2011-1774 if WebKit is detected
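The following document is an added example, not the author's exploit file from this page. It demonstrates the self-reference trick described above (the xml-stylesheet instruction points at the document itself, so the same file is both the XML data and the xsl:stylesheet) together with the first two steps of the list: fingerprinting the engine and drawing a red or green circle. The exploit step is deliberately left out. Assumptions: the engine is fingerprinted with the XSLT 1.0 system-property('xsl:vendor') function, and WebKit is recognised because it embeds libxslt, whose vendor string is "libxslt"; other engines (Transformiix in Firefox, Opera's own engine) are assumed to report a different string.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Ask the browser to apply an XSLT stylesheet to this document.
     href="#" designates the document itself: it is both the data
     being transformed and the stylesheet doing the transformation
     (homoiconicity + self-reference). -->
<?xml-stylesheet type="text/xsl" href="#"?>
<xsl:stylesheet version="1.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

  <xsl:output method="xml" indent="yes"/>

  <!-- Fingerprint the XSLT engine with the standard XSLT 1.0
       system properties. Assumption: WebKit browsers embed libxslt,
       which reports "libxslt" as xsl:vendor. -->
  <xsl:variable name="vendor" select="system-property('xsl:vendor')"/>
  <xsl:variable name="vendor-url" select="system-property('xsl:vendor-url')"/>
  <xsl:variable name="is-webkit" select="contains($vendor, 'libxslt')"/>

  <!-- The template matching the document root emits the SVG image
       that the browser renders in place of the original XML. -->
  <xsl:template match="/">
    <svg xmlns="http://www.w3.org/2000/svg" width="300" height="240">
      <!-- Red circle if WebKit (libxslt) was detected, green otherwise -->
      <circle cx="150" cy="100" r="80">
        <xsl:attribute name="fill">
          <xsl:choose>
            <xsl:when test="$is-webkit">red</xsl:when>
            <xsl:otherwise>green</xsl:otherwise>
          </xsl:choose>
        </xsl:attribute>
      </circle>
      <!-- Print the raw fingerprint under the circle -->
      <text x="10" y="210" font-family="monospace" font-size="12">
        <xsl:value-of select="concat('xsl:vendor = ', $vendor)"/>
      </text>
      <text x="10" y="228" font-family="monospace" font-size="12">
        <xsl:value-of select="concat('xsl:vendor-url = ', $vendor-url)"/>
      </text>
    </svg>
  </xsl:template>

</xsl:stylesheet>
```

Save the file with an .xml extension (or serve it as text/xml) and open it directly as a top-level document; browsers do not apply XSLT to SVG embedded through an img element. To check the libxslt branch offline without a browser, run `xsltproc file.xml file.xml` (the document passed twice, once as stylesheet and once as data): the output is the SVG with a red circle and "xsl:vendor = libxslt".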

Screenshot of Opera:
svg-opera-small.png

Screenshot of Epiphany:
svg-webkit-small.png

Analysis of the exploit

The circle color depends on the detected XSLT engine. The same fingerprinting approach can be extended to other properties (OS, ...) in order to select and exploit a specific vulnerability. This was demonstrated with CVE-2011-1774 and a WebKit exploit tested on Windows, Linux, iOS and webOS.

From a security point of view, it is important to audit

As the SVG format is valid XML too, t

The process is the following:

  • The source XML file (do not