Skip to content

Latest commit

 

History

History
66 lines (55 loc) · 5.76 KB

threat-modeling.md

File metadata and controls

66 lines (55 loc) · 5.76 KB

Threat Model Analysis for mozilla/pdf.js

Threat: Malicious PDF Exploiting Parser (Type Confusion)

  • Description: An attacker crafts a PDF with malformed object streams or cross-reference tables. The attacker leverages a type confusion vulnerability where pdf.js incorrectly interprets the type of an object, leading to unexpected behavior. For example, the attacker might trick the parser into treating a string as a function pointer.
    • Impact: Arbitrary code execution within the pdf.js worker, potentially leading to data exfiltration or a browser sandbox escape.
    • pdf.js Component Affected:
      • PDFParser (in src/core/parser.js) - The core PDF parsing logic.
      • Lexer (in src/core/parser.js) - Responsible for tokenizing the PDF data stream.
      • ObjectStream (in src/core/obj_stream.js) - Handling of object streams.
      • XRef (in src/core/xref.js) - Processing of cross-reference tables.
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Update pdf.js: Apply the latest security updates to pdf.js.
      • Code Audits: (For pdf.js developers) Regular code audits and fuzzing of the parsing components to identify and fix type confusion vulnerabilities.
      • Memory Safety: (For pdf.js developers) Explore using memory-safe languages or techniques to reduce the impact of memory corruption vulnerabilities.

Threat: Malicious PDF Exploiting Font Parsing (Buffer Overflow)

  • Description: An attacker embeds a malformed font (e.g., OpenType, TrueType) within a PDF. The attacker exploits a buffer overflow vulnerability in the font parsing logic, where the font data exceeds the allocated buffer size, overwriting adjacent memory.
    • Impact: Code execution within the pdf.js worker.
    • pdf.js Component Affected:
      • FontLoader (in src/core/fonts.js) - Responsible for loading and parsing fonts.
      • CFFFont (in src/core/cff_font.js) - Handling of Compact Font Format (CFF) fonts.
      • OpenTypeFileBuilder (in src/core/fonts.js)
    • Risk Severity: High
    • Mitigation Strategies:
      • Update pdf.js: Apply security updates to pdf.js.
      • Fuzzing: (For pdf.js developers) Fuzz the font parsing components with various malformed font files.

Threat: Malicious PDF Exploiting Image Decoding (Integer Overflow)

  • Description: An attacker includes a maliciously crafted image (e.g., JPEG, JBIG2) within a PDF. The attacker exploits an integer overflow vulnerability in the image decoding logic, where calculations related to image dimensions or data sizes result in incorrect values, leading to memory corruption.
    • Impact: Code execution.
    • pdf.js Component Affected:
      • JpegStream (in src/core/jpg.js) - Handling of JPEG images.
      • Jbig2Image (in src/core/jbig2.js) - Handling of JBIG2 images.
      • ImageLoader (in src/core/image.js)
    • Risk Severity: High
    • Mitigation Strategies:
      • Update pdf.js: Apply security updates.
      • Input Validation: (For pdf.js developers) Implement robust input validation to check image dimensions and data sizes before processing.
      • Safe Integer Arithmetic: (For pdf.js developers) Use safe integer arithmetic libraries or techniques to prevent integer overflows.

Threat: JavaScript Execution in PDF (XSS)

  • Description: If JavaScript execution is enabled (not recommended), an attacker embeds malicious JavaScript code within a PDF. When the PDF is opened, the JavaScript code executes within the context of the pdf.js worker.
    • Impact: Cross-site scripting (XSS) attacks, data exfiltration.
    • pdf.js Component Affected:
      • JSEvaluator (if JavaScript is enabled) - Responsible for executing JavaScript code within the PDF.
      • AnnotationLayer (if JavaScript actions are associated with annotations).
    • Risk Severity: High (if JavaScript is enabled)
    • Mitigation Strategies:
      • Disable JavaScript Execution (Strongly Recommended): Set disableJavaScript: true in the pdf.js configuration. This is the default and most secure option.
      • Input Sanitization: (If JavaScript is enabled) Sanitize any user-provided data that might be used in JavaScript code within the PDF.

Threat: Sandbox Escape via SharedArrayBuffer (if enabled)

  • Description: If SharedArrayBuffer is enabled (which it may be for performance reasons, but introduces security risks), a vulnerability in pdf.js could be combined with a Spectre-style attack to read arbitrary memory from the parent process (the main browser thread).
    • Impact: Full browser compromise, access to cookies, local storage, and other sensitive data.
    • pdf.js Component Affected: Any component that uses SharedArrayBuffer for communication between the worker and the main thread. This is more of an architectural issue than a specific component.
    • Risk Severity: Critical (if SharedArrayBuffer is enabled and a suitable vulnerability exists)
    • Mitigation Strategies:
      • Disable SharedArrayBuffer (if possible): If SharedArrayBuffer is not strictly required, disable it to mitigate this risk.
      • Careful Code Review: (For pdf.js developers) Thoroughly review any code that uses SharedArrayBuffer to ensure it is not vulnerable to timing attacks or other exploits.