Yudit Security
Apology
For no reasons given I must say
that there might be no problem with Unicode BIDI at all,
even though the second example was somewhat strange to some.
Sorry for disturbing everybody with my mails.
At yudit.org we will continue working on new scripts,
like putting OLD Hungarian
into PUA.
Yudit BIDI may never get fixed, but who knows?
Yudit has its problems but it works. We are working on it
to make it better.
We are leaving the rest of the page as it was before
the solution came to my mind so that it would be in sync
with mail archives.
Gaspar Sinai gsinai@yudit.org
Tokyo 2002-02-18
-------- The text below is old, out of date and kept only for reference --------
A Possible Unicode Bi-Di Security Problem
Unicode Bidirectional Algorithm is non-reversable.
That means that text can be converted to display order
but thre is no reverse algorithm to convert it back
to logical order. It is recommended that we work on
logical buffer and map it back to visual order
to avoid converting back.
Can you imagine the implications of this? Imagine someone signing
a digital Unicode document. He is looking at his viewer but
what he signs is the bit-stream. Will this naive user,
be able to run an algorithm (that does not exist) in his head?
At yudit.org, we maintain the view that Unicode text is
inherently unsecure, until the current bi-directional algorithm
defined by the Unicode Consortium
is changed to be reversable. There should be an algorithm
defined that converts logical order to view order, and
there should be a separate algorithm defined that converts
view order to logical order. If such algorith-pair existed
we could also run sanity check on our rendering software.
At yudit.org we will not sign digitally a Unicode document
while this possiblity exists.
Please note that Yudit
is using a a naive but reversible and not compatible subset
of Unicode Bi-Di algorithm. Although Yudit would not to pass
Unicode Bi-Di test, it will always show you what you expect
in the bit-stream.
Gaspar Sinai gsinai@yudit.org
Tokyo 2002-02-05
There is no real-life example of this exploit yet.
But to demonstrate the seriousness of the problem
I'll show you some real screen-shots.
Example 1
//---------- cut here
// Rename this to Test.java.
// compile: javac -encoding UTF8 Test.java
// run: java Test
// A trivial program that shows words in different order
// in java and Internet Explorer.
import javax.swing.*;
import java.awt.*;
class Test{
public static void main (String args[]) {
JFrame frame = new JFrame();
JLabel label1 = new JLabel ("يا and not لكن what I owe you is");
JLabel label2 = new JLabel ("I said: يا and not لكن");
JLabel label3 = new JLabel ("يا لكن (first, second)");
frame.getContentPane().setLayout (new BorderLayout());
frame.getContentPane().add (BorderLayout.NORTH, label1);
frame.getContentPane().add (BorderLayout.CENTER, label2);
frame.getContentPane().add (BorderLayout.SOUTH, label3);
frame.pack();
frame.show();
}
}
//---------- cut here
One possible reason why you see this is explained
here.
Example 2
This file was sent to my friend
and he viewed it with Outlook Express.
I used this java program to view the same file.
Screenshots:
One possible reason why you see this is explained
here.
Other Links on Security in Unicode
Last updated: 2002-02-07
webmaster@yudit.org