Yudit Security

Apology

For no reasons given I must say that there might be no problem with Unicode BIDI at all, even though the second example was somewhat strange to some. Sorry for disturbing everybody with my mails. At yudit.org we will continue working on new scripts, like putting OLD Hungarian into PUA.

Yudit BIDI may never get fixed, but who knows? Yudit has its problems but it works. We are working on it to make it better.

We are leaving the rest of the page as it was before the solution came to my mind so that it would be in sync with mail archives.

Gaspar Sinai gsinai@yudit.org Tokyo 2002-02-18

-------- The text below is old, out of date and kept only for reference --------

A Possible Unicode Bi-Di Security Problem

Unicode Bidirectional Algorithm is non-reversable. That means that text can be converted to display order but thre is no reverse algorithm to convert it back to logical order. It is recommended that we work on logical buffer and map it back to visual order to avoid converting back.

Can you imagine the implications of this? Imagine someone signing a digital Unicode document. He is looking at his viewer but what he signs is the bit-stream. Will this naive user, be able to run an algorithm (that does not exist) in his head?

At yudit.org, we maintain the view that Unicode text is inherently unsecure, until the current bi-directional algorithm defined by the Unicode Consortium is changed to be reversable. There should be an algorithm defined that converts logical order to view order, and there should be a separate algorithm defined that converts view order to logical order. If such algorith-pair existed we could also run sanity check on our rendering software.

At yudit.org we will not sign digitally a Unicode document while this possiblity exists.

Please note that Yudit is using a a naive but reversible and not compatible subset of Unicode Bi-Di algorithm. Although Yudit would not to pass Unicode Bi-Di test, it will always show you what you expect in the bit-stream.

Gaspar Sinai gsinai@yudit.org Tokyo 2002-02-05

There is no real-life example of this exploit yet. But to demonstrate the seriousness of the problem I'll show you some real screen-shots.

Example 1

//---------- cut here
// Rename this to Test.java.
// compile: javac -encoding UTF8 Test.java
// run: java Test
// A trivial program that shows words in different order
// in java and Internet Explorer.
import javax.swing.*;
import java.awt.*;

class Test{
  public static void main (String args[]) {
    JFrame frame = new JFrame();
    JLabel label1 = new JLabel ("‮يا‬ and not ‮لكن‬ what I owe you is");
    JLabel label2 = new JLabel ("I said: ‮يا‬ and not ‮لكن‬");
    JLabel label3 = new JLabel ("‮يا‬ ‮لكن‬ (first, second)");
    frame.getContentPane().setLayout (new BorderLayout());
    frame.getContentPane().add (BorderLayout.NORTH, label1);
    frame.getContentPane().add (BorderLayout.CENTER, label2);
    frame.getContentPane().add (BorderLayout.SOUTH, label3);
    frame.pack();
    frame.show();
  }
}
//---------- cut here

One possible reason why you see this is explained here.

Example 2

This file was sent to my friend and he viewed it with Outlook Express. I used this java program to view the same file.

Screenshots:
images/outlook-ne.gif