Recent security incidents push the imagination of some people to the limits. On today’s menu are U.S. Government satellites (done before, albeit with a different vector), insulin pumps, automatic teller machines, smartphones linked to cars, and even vending machines in wilderness resort parks. What’s next? Executing code by means of postcards or printed newspapers? Exactly!
You probably recognise this phrase: “This is a data file, it can never be executed as code.” It’s nice to think of bits and bytes neatly separated into code and data. In fact, some security models encourage this approach. In practice, data tells a different story. You have very elaborate document and data formats with thousands of pages of specification. PDF, rich media and office documents are way more complex than you might think. This is why Daniel Pistelli will talk about the security of non-executable files at DeepSec 2011. Non-executable files are the main vector for attacks against computer systems and networks. His talk will shed light on the extent and the roots of the issues (not only in terms of infection). You will be introduced to the approaches used to store and hide malicious data inside these file formats, and to what can be done in terms of prevention. Daniel will also cover ramifications for the embedded sector, since we’ll probably see PDF readers for autocars or office software for vending machines and satellites.
This talk is intended for anyone who deals with viewing, creating, transporting, inspecting and using data, so bring your friends and their friends as well!