Reading Between the Lines: An Extensive Evaluation of the Security and Privacy Implications of EPUB Reading Systems

Gertjan Franken, Tom van Goethem, W. Joosen
{"title":"Reading Between the Lines: An Extensive Evaluation of the Security and Privacy Implications of EPUB Reading Systems","authors":"Gertjan Franken, Tom van Goethem, W. Joosen","doi":"10.1109/SP40001.2021.00015","DOIUrl":null,"url":null,"abstract":"In recent years, e-books have proven to be a very appealing alternative to physical books; nowadays, almost every written book is published in an electronic format next to its physical copy. In an attempt to promote consensus and to offer an alternative to emerging proprietary e-book formats, the Open eBook format was introduced, now known as the EPUB format. Building on existing web functionalities, this open format relies primarily on XHTML and CSS to construct e-books. As such, browser engines are often employed to render the contents of EPUBs. However, this implies that reading systems may face similar vulnerabilities as web browsers.In this paper, we report on a semi-automated evaluation of the security and privacy aspects of EPUB reading systems. This evaluation, which was performed on 97 EPUB reading systems covering seven platforms and five physical reading devices, revealed that almost none of the JavaScript-supporting reading systems sufficiently adhere to the EPUB specification’s security recommendations. Furthermore, our results indicate that 16 reading systems even allow an EPUB to leak information about the user’s file system, and in eight cases extract file contents. In addition to the semi-automated evaluation, we demonstrate that an attacker can launch even more potent attacks that may lead to a full compromise of a user’s system, by exploiting aspects specific to the implementation of reading systems used by millions of users. Finally, we investigate the root cause of the identified security and privacy issues, uncovering several flaws in both the implementation of EPUB reading system, as well as shortcomings of the EPUB specification.","PeriodicalId":6786,"journal":{"name":"2021 IEEE Symposium on Security and Privacy (SP)","volume":"20 1","pages":"1730-1747"},"PeriodicalIF":0.0000,"publicationDate":"2021-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2021 IEEE Symposium on Security and Privacy (SP)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP40001.2021.00015","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 2

Abstract

In recent years, e-books have proven to be a very appealing alternative to physical books; nowadays, almost every written book is published in an electronic format next to its physical copy. In an attempt to promote consensus and to offer an alternative to emerging proprietary e-book formats, the Open eBook format was introduced, now known as the EPUB format. Building on existing web functionalities, this open format relies primarily on XHTML and CSS to construct e-books. As such, browser engines are often employed to render the contents of EPUBs. However, this implies that reading systems may face similar vulnerabilities as web browsers.In this paper, we report on a semi-automated evaluation of the security and privacy aspects of EPUB reading systems. This evaluation, which was performed on 97 EPUB reading systems covering seven platforms and five physical reading devices, revealed that almost none of the JavaScript-supporting reading systems sufficiently adhere to the EPUB specification’s security recommendations. Furthermore, our results indicate that 16 reading systems even allow an EPUB to leak information about the user’s file system, and in eight cases extract file contents. In addition to the semi-automated evaluation, we demonstrate that an attacker can launch even more potent attacks that may lead to a full compromise of a user’s system, by exploiting aspects specific to the implementation of reading systems used by millions of users. Finally, we investigate the root cause of the identified security and privacy issues, uncovering several flaws in both the implementation of EPUB reading system, as well as shortcomings of the EPUB specification.
字里行间的阅读:EPUB阅读系统的安全和隐私影响的广泛评估
近年来,电子书已被证明是实体书的一个非常有吸引力的替代品;如今,几乎每一本书都以电子形式出版,旁边是实体书。为了促进共识,并为新兴的专有电子书格式提供另一种选择,开放电子书格式被引入,现在被称为EPUB格式。基于现有的网络功能,这种开放格式主要依靠XHTML和CSS来构建电子书。因此,经常使用浏览器引擎来呈现epub的内容。然而,这意味着读取系统可能面临与web浏览器类似的漏洞。在本文中,我们报告了EPUB读取系统的安全和隐私方面的半自动评估。在涵盖7个平台和5种物理阅读设备的97个EPUB阅读系统上进行的这项评估显示,几乎没有一个支持javascript的阅读系统能够充分遵守EPUB规范的安全建议。此外,我们的结果表明,16个读取系统甚至允许EPUB泄漏有关用户文件系统的信息,并在8个情况下提取文件内容。除了半自动评估之外,我们还演示了攻击者可以通过利用数百万用户使用的读取系统实现的特定方面,发起更强大的攻击,从而可能导致用户系统的完全妥协。最后,我们调查了安全问题和隐私问题的根本原因,揭示了EPUB读取系统实现中的几个缺陷,以及EPUB规范的不足。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
自引率
0.00%
发文量
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信