The Font Scaler Engine is widely used to scale the outline font definition such as TrueType/OpenType font for a glyph to a specific point size and converts the outline into a bitmap at a particular resolution. The revolution of font in computer that is mainly used for stylist purposes had make many users ignored its security issues. In fact, the Font Scaler engine could cause many security impacts especially in Windows kernel mode.
In this talk, the basic structure of the Font Scaler engine will be discussed. This includes the conversion of an outline into a bitmap, the mathematical description of each glyph in an outline font, a set of instruction in each glyph that instruct the Font Scaler Engine to modify the shape of the glyph, and the instruction interpreter etc.
Next, we introduce our smart font fuzzing method for identifying the new vulnerabilities of the Font Scaler engine. The different of dumb fuzzing and vulnerable functions will be explained and we will prove that the dumb fuzzing technique is not a good option for Windows Font Fuzzing.
Lastly, we focus on the attack vector that could be used to launch the attacks remotely and locally. A demonstration of the new TrueType font vulnerabilities and the attack vector on Windows 8 and Windows 7 will be shown.
Ling Chuan Lee (a.k.a lclee_vx) founded F13 Labs. He has over 10 years of experience in reverse engineering, vulnerability analysis, penetration testing and fuzzing research. lclee_vx has presented his security research in Infiltrate 2013, Black Hat Euro 2012, PacSec 2012, DEFCON16, SYSCAN'10 HangZhou, IEEE MICC2009, IEEE ICACT 2011, CCC SIGINT 2010, Swiss CyberStorm 2011 and numerous other events. His research topics included in-depth reverse engineering, kernel vulnerability analysis, fuzzing and exploitation research.
Chan Lee Yee (a.k.a lychan25) founded F13 Labs. She has been working in cyber security industry for the last 6 years. Her research majors in the art of packing/unpacking, dynamic execution tracing, kernel thread vulnerability, and exploitation techniques. She has presented her security research in Infiltrate 2013, PacSec 2012, BlackHat Euro 2012, DEFCON16, HackInParis 2012, and numerous other events.