DEF CON 26

1

Weaponizing Unicode: Homographs Beyond IDNs

2

Who Am I

The Tarquin (aka Aaron M Brown)

Senior Security Engineer

Amazon.com

@TheTarquin

3

Disclaimers

4

5

WTF, Why?

“The human race will begin solving its problems on the day that it ceases taking itself so seriously.” - Malaclypse the Younger

6

Scope, Context, and Prior Art

http://www.xn--exmple-qxe.com/

7

8

The Dark Corners of Unicode

ꓮ vs ᴀ vs [two further look-alike glyphs, lost in extraction]

9

Scope of the Problem

Α

Uppercase Greek Alpha (U+0391)

10

Scope of the Problem

ı̇

Latin Small Letter Dotless I (U+0131) + Combining Dot Above (U+0307)

11

Scope of the Problem

Mathematical Monospace Capital Z (U+1D689)

12

Scope of the Problem

Rupee Sign (U+20A8)

13

Not to be Confused With

Indian Rupee Sign (U+20B9)

14

Oh come on, Unicode

Ogham Letter Beith (U+1681)
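The code points on the preceding slides (U+0391, U+0131 + U+0307, U+1D689, U+20A8, U+1681) each evade a different naive check, which is why a defender should layer several. The script below is an added example, not code from the talk or from the samesame tool: it runs NFKC normalization, looks for combining marks, and guesses the script of each letter from the first word of its Unicode name (a heuristic standing in for the Script property, which Python's unicodedata does not expose). The sample strings are constructed from the slides' code points.

```python
import unicodedata


def script_of(ch: str) -> str:
    """Coarse script guess from the character's Unicode name.

    Heuristic: Python's unicodedata has no Script property, so the first
    word of the name ('LATIN', 'GREEK', 'OGHAM', ...) stands in for it.
    """
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def analyze(text: str) -> dict:
    """Return the NFKC form, the scripts seen, and a list of risk flags.

    The checks are deliberately independent: NFKC alone folds the
    mathematical Z and the Rupee sign to ASCII, but leaves Greek Alpha and
    the dotless-i + combining-dot pair untouched, so script mixing and
    combining marks need checks of their own.
    """
    folded = unicodedata.normalize("NFKC", text)
    marks = [ch for ch in text if unicodedata.combining(ch)]
    scripts = {script_of(ch) for ch in folded if ch.isalpha()}

    flags = []
    if folded != text:
        flags.append("nfkc-changed")      # compatibility look-alike folded away
    if marks:
        flags.append("combining-marks")   # e.g. U+0307 stacked on U+0131
    if len(scripts) > 1:
        flags.append("mixed-scripts")     # e.g. Greek Alpha inside a Latin word
    if not folded.isascii():
        flags.append("non-ascii")         # survived folding: needs closer review
    return {"input": text, "nfkc": folded, "scripts": sorted(scripts), "flags": flags}


def is_suspicious(text: str) -> bool:
    """True when any of the checks fired for the string."""
    return bool(analyze(text)["flags"])


# Constructed samples built from the code points shown on the slides.
SAMPLES = [
    "example",             # plain ASCII control
    "\u0391mazon",         # U+0391 Greek Capital Letter Alpha standing in for 'A'
    "log\u0131\u0307n",    # U+0131 dotless i + U+0307 combining dot above
    "\U0001D689ero",       # U+1D689 Mathematical Monospace Capital Z
    "\u20A8ate",           # U+20A8 Rupee Sign, which NFKC folds to 'Rs'
    "\u1681ook",           # U+1681 Ogham Letter Beith
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = analyze(s)
        print(f"{s!r:24} -> nfkc={r['nfkc']!r:12} scripts={r['scripts']} flags={r['flags']}")
```

The `non-ascii` flag is the interesting residue: it marks exactly the strings that normalization could not fold back to ASCII, which is the set that still needs a visual check such as the rendering-and-OCR defense discussed later in the talk.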

15

Let’s Hack Shit

16

Search and Indexing

17

Do you want to play a game‽

18

Defeating Plagiarism Detection

19

Defeating Plagiarism Detection

20

Lol text analysis

21

Lol text analysis

22

Lol spellcheck

23

Lesson 1: Unicode support usually just means “passed my unit tests”.

24

Defeating ML Systems

“Explanations exist; they have existed for all time; there is always a well-known solution to every human problem [which is] neat, plausible, and wrong.” - H. L. Mencken

25

Default Data Set

26

Homographs, in MY Training Set?

27

100% Homographs in Neg Training

28

10% Homographs in Neg Training

29

Sabotaging a Cinematic Masterwork

30

Sabotaging a Cinematic Masterwork

31

Sabotaging a Cinematic Masterwork

32

Lesson 2: ML overindexes on human-invisible patterns. If a human could see them, we wouldn’t be using ML.

33

34

But emojis aren’t the real problem

35

Demo

36

Lesson 3: Homographs work because people don’t see the text; they see whatever it represents.

37

Canary Traps, And Repudiation

Canary Traps: when you want to know who’s “singing”

38

Canary Traps, And Repudiation

39

Homographs, Canary Traps, And Repudiation

40

Homograph Bombs

Go ́ód ñ̃evvs, h cke ₨�⇥ ⇤

41

And now, for the world’s most boring demo...

42

Tool Intro: samesame

Because small, sharp tools are the best.

43

Tool Intro: samesame

44

Defense

“Every man takes the limits of his own field of vision for the limits of the world.” - Arthur Schopenhauer

45

Demo Time!

46

OCR Defense

Why do this instead of $alternative?

47

Lesson 4: Defenses work best when they directly exploit attacker incentives.

48

Conclusions!

Phenomenology is king.

Hacking computers is fun; hacking people is more effective.

Unicode is a delightfully absurd monstrosity and I love it.

49

Greetz

Amazon colleagues, especially David Gabler and Nikki Parekh

The Additional Payphones Crew: cibyr, cobells, giskard, dirac, and turbo

All the DefCon organizers, goons, and other crew

50

�ƀ� ө ᶌ &Αɨ��� ⲅ � ��Ꭵԁ�
