Homoiconicity

Version 3.1 by Nicolas Gregoire on 2012/01/05 00:16

Definition

Homoiconicity is the property of a programming language in which code and data are stored in the same format. For example, the following languages are homoiconic:

  • ASM: using bytes stored in memory
  • Lisp: using lists and their sub-types
  • XSLT: using the XML format

Triggering embedded code

In some contexts (like browsers), XSLT code execution can be triggered while an XML document is parsed, via an xsl:stylesheet element. The executed XSLT code can be stored on the Internet or in the XML document itself (homoiconicity + self-reference trick). A blog post by Chris Evans describes a pseudo SVG file triggering a simple RAM DoS. But we can do better ;-)

Simple dynamic SVG images

We can create XML files which browsers will interpret as perfectly valid self-contained dynamic SVG images. The SVG file is then generated on the fly by the (Turing complete) XSLT engine of the browser. In the following example, the XSLT code will

  • fingerprint the underlying XSLT engine
  • draw a circle (red if WebKit, green otherwise)
  • display some properties
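The self-contained dynamic SVG described above, written out as an added example (my own, not the file from the original page). It assumes the browser honours an xml-stylesheet processing instruction whose href points at the document's own xsl:stylesheet root by id (the embedding mechanism of XSLT 1.0, section 2.7), and that a WebKit engine reports the libxslt vendor string through system-property('xsl:vendor'); the vendor-string test and the exact colours are my assumptions about how the fingerprint maps to the red/green rule.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Self-reference trick: the stylesheet applied to this document is the
     document itself (href="#style" resolves to the id on the root element). -->
<?xml-stylesheet type="text/xsl" href="#style"?>
<xsl:stylesheet id="style" version="1.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

  <!-- One template for the document root: it emits an SVG tree, so the
       browser renders the transformed result as an image. -->
  <xsl:template match="/">
    <svg xmlns="http://www.w3.org/2000/svg" width="320" height="200">

      <!-- Step 1: fingerprint the XSLT engine via the standard system
           properties (XSLT 1.0, section 12.4). -->
      <xsl:variable name="vendor" select="system-property('xsl:vendor')"/>
      <xsl:variable name="vendor-url" select="system-property('xsl:vendor-url')"/>
      <xsl:variable name="version" select="system-property('xsl:version')"/>

      <!-- Step 2: draw a circle whose colour depends on the engine.
           Assumption: WebKit embeds libxslt, which reports "libxslt". -->
      <circle cx="80" cy="80" r="50">
        <xsl:attribute name="fill">
          <xsl:choose>
            <xsl:when test="contains($vendor, 'libxslt')">red</xsl:when>
            <xsl:otherwise>green</xsl:otherwise>
          </xsl:choose>
        </xsl:attribute>
      </circle>

      <!-- Step 3: display the collected properties as SVG text. -->
      <text x="10" y="160" font-size="12">vendor: <xsl:value-of select="$vendor"/></text>
      <text x="10" y="175" font-size="12">vendor-url: <xsl:value-of select="$vendor-url"/></text>
      <text x="10" y="190" font-size="12">xsl:version: <xsl:value-of select="$version"/></text>
    </svg>
  </xsl:template>

</xsl:stylesheet>
```

Saved with an .xml extension and served as application/xml (or text/xml), the file is both the data the browser parses and the program that produces the image, which is exactly the homoiconicity + self-reference trick the page describes. Nothing in the file is SVG until the browser's XSLT engine has run, which is also why a reviewer looking only at the declared root element (xsl:stylesheet, not svg) will not see an image at all.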

Evil SVG images

Exploitcolor depends on the OS, ...) and exploit a specific vulnerability. This was demonstrated with CVE-2011-1774 and a WebKit exploit tested on Windows, Linux, iOS and webOS.

From a security point of view, it is important to audit

As the SVG format is valid XML too, t

The process is the following:

  • The source XML file (do not