Homoiconicity

Version 7.1 by Nicolas Gregoire on 2012/01/05 00:23

Definition

Homoiconicity is the property of a programming language in which code and data are stored in the same format. For example, the following languages are homoiconic:

  • ASM: bytes stored in memory
  • Lisp: lists and their sub-types
  • XSLT: the XML format

Triggering embedded code

In some contexts (browsers, for instance), XSLT code execution can be triggered while an XML document is parsed, via an xml-stylesheet processing instruction that points to an xsl:stylesheet document. The executed XSLT code can be stored on the Internet or in the XML document itself (homoiconicity + self-reference trick). A blog post by Chris Evans describes a pseudo SVG file triggering a simple RAM DoS. But we can do better ;-)

Exploiting via dynamic SVG images

We can create XML files which browsers will interpret as perfectly valid, self-contained dynamic SVG images: the SVG is generated on the fly by the browser's (Turing-complete) XSLT engine.

In the following example, the XSLT code will:

  • fingerprint the underlying XSLT engine
  • draw a circle (red if WebKit, green otherwise)
  • try to exploit CVE-2011-

In Opera: (screenshot svg-opera-small.png)

In Epiphany: (screenshot svg-webkit-small.png)

Evil SVG images

[...] color depends on the OS, ...) and exploit a specific vulnerability. This was demonstrated with CVE-2011-1774 and a WebKit exploit tested on Windows, Linux, iOS and webOS.

From a security point of view, it is important to audit
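The self-contained SVG/XSLT document described in the example above, together with the kind of audit check this section calls for, as an added example (Python, standard library only; it is not code from the original page or from its author). The stylesheet text is constructed for the example: href="#" is the assumed self-reference form of the xml-stylesheet processing instruction (XSLT 1.0 also allows "#id"), and the engine fingerprint relies on system-property('xsl:vendor'), with a vendor string containing "libxslt" assumed to indicate WebKit. The names EVIL_SVG, PLAIN_SVG, find_xslt_triggers and is_safe_svg are this example's own.

```python
"""Audit helper: flag XML/SVG documents that carry or reference XSLT.

Added example, not code from the original page. Uses only the standard
library (expat). Both documents below are constructed for the example.
"""
import re
from xml.parsers import expat

XSL_NS = "http://www.w3.org/1999/XSL/Transform"

# Constructed "SVG" that is really a self-referencing XSLT stylesheet: the
# xml-stylesheet PI points back at the document itself (href="#" is the
# assumed self-reference form), and the stylesheet fingerprints the engine via
# system-property('xsl:vendor'), drawing a red circle when the vendor string
# looks like libxslt (assumed to mean WebKit) and a green one otherwise.
EVIL_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="#"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns="http://www.w3.org/2000/svg">
  <xsl:output method="xml"/>
  <xsl:variable name="vendor" select="system-property('xsl:vendor')"/>
  <xsl:template match="/">
    <svg width="200" height="200">
      <circle cx="100" cy="100" r="80">
        <xsl:attribute name="fill">
          <xsl:choose>
            <xsl:when test="contains($vendor, 'libxslt')">red</xsl:when>
            <xsl:otherwise>green</xsl:otherwise>
          </xsl:choose>
        </xsl:attribute>
      </circle>
      <text x="10" y="190"><xsl:value-of select="$vendor"/></text>
    </svg>
  </xsl:template>
</xsl:stylesheet>
"""

# Constructed plain SVG for comparison: no PI, no XSLT namespace.
PLAIN_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200">
  <circle cx="100" cy="100" r="80" fill="green"/>
</svg>
"""

# Pseudo-attributes of an xml-stylesheet PI look like: type="text/xsl" href="#"
_PSEUDO_ATTR = re.compile(r'''([^\s=]+)\s*=\s*(["'])(.*?)\2''')


def _pseudo_attrs(pi_data):
    """Parse the pseudo-attributes of an xml-stylesheet PI into a dict."""
    return {m.group(1): m.group(3) for m in _PSEUDO_ATTR.finditer(pi_data)}


def find_xslt_triggers(doc):
    """Return a list of (kind, detail) findings for one XML document.

    Kinds: 'stylesheet-pi' (xml-stylesheet PI; detail is 'self' when the href
    points back into the same document, otherwise the href), 'xsl-root' (the
    root element is in the XSLT namespace, i.e. the file *is* a stylesheet),
    'xsl-element' (any other XSLT element), 'doctype' (a DTD, which an SVG
    image never needs).
    """
    findings = []
    depth = 0

    def pi(target, data):
        if target == "xml-stylesheet":
            href = _pseudo_attrs(data).get("href", "")
            self_ref = href == "" or href.startswith("#")
            findings.append(("stylesheet-pi", "self" if self_ref else href))

    def start(name, attrs):
        nonlocal depth
        # With a namespace separator, expat reports "uri local"; no-namespace
        # elements are reported as just "local".
        ns, _, local = name.rpartition(" ")
        if ns == XSL_NS:
            findings.append(("xsl-root" if depth == 0 else "xsl-element", local))
        depth += 1

    def end(name):
        nonlocal depth
        depth -= 1

    def doctype(name, sysid, pubid, has_internal_subset):
        findings.append(("doctype", name))

    parser = expat.ParserCreate(namespace_separator=" ")
    parser.ProcessingInstructionHandler = pi
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.StartDoctypeDeclHandler = doctype
    # Never resolve external parameter entities while auditing untrusted input.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(doc, True)
    return findings


def is_safe_svg(doc):
    """True when the document contains none of the XSLT triggers above."""
    return not find_xslt_triggers(doc)
```

The check drives expat directly so that the prolog processing instruction is seen (tree builders often drop it), refuses to load parameter entities, and flags any DOCTYPE. Stripping the xml-stylesheet PI alone is not a fix: a document whose root element is xsl:stylesheet is still a stylesheet wherever it ends up being referenced from, so the root and element checks matter too. For untrusted uploads in production, also cap document size and consider defusedxml.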

As the SVG format is valid XML too, t

The process is the following:

  • The source XML file (do not