From ASCII to UTF-16: Leveraging Encodings to Break Software

Do you know what the difference between ASCII, Unicode, UTF-8, and UTF-16 is? These standards have been around for decades and are one of the most fundamental bases for seamless communication in our digital world. However, even seasoned IT professionals are commonly confused by these.

What makes encodings so interesting from a security point of view is the fact that these affect software on a deeper level. Missing knowledge or invalid assumptions about encodings can easily introduce severe security vulnerabilities. These are not merely theoretical considerations; we have recently uncovered critical vulnerabilities in Apache Guacamole, Joomla, and even PHP itself, which serve as tangible examples.

In this talk, we will put an end to any confusion about encodings. Attendees will gain a solid grasp of the most prevalent encodings and explore how this knowledge can be leveraged to break software. Through an in-depth examination of impactful real-world vulnerabilities, we will delve into the nuances of encodings and their practical applications in security.

The talk will be outlined as follows: - Encoding Basics - ASCII, Unicode, UTF-8, and UTF-16 - Security Implications - What can go wrong with Encodings? - Case Studies - Real-World Vulnerabilities in Popular Software - Break Software - What to look out for?