This December, Karsten Meyer zu Selhausen received the Eurobits Excellence Award 2019 for his master's thesis "Security of PDF Signatures" . Since 2017, eurobits e.V. – as the center for excellence within the IT security field located in Bochum – annually honors a thesis of a graduated student within the field of IT security for its scientific contribution and high relevance for IT security in practice.
Our IT security consultant Karsten was among the first to investigate the security of digital signatures applied to PDF files. The results of his master's thesis provided the basis for the paper "1 Trillion Dollar Refund – How To Spoof PDF Signatures" published at CCS '19  and helped to increase the security of the affected applications.
Hackmanit congratulates Karsten on winning the award and is happy that he is part of the team.
In the following, a short overview of the results of his master's thesis is given.
Digital Signatures in PDF Files
In contrast, to electronic signatures, which are simply an image of a handwritten signature added to a document, digital signatures allow to ensure the integrity of a document’s contents cryptographically. Authorities like the European Union empower digital signatures to have the same legal value as handwritten signatures in certain cases.
Since version 1.3 the PDF standard allows to add digital signatures directly to PDF files to prevent modifications without the recipient noticing. The protection provided by a digital signature is especially important in crucial environments which rely on PDF files - including the judicial system, tax matters and all sorts of legally binding contracts.
The way a signature contained in a PDF file is displayed to the user strongly depends on the application used to view the PDF file. Some applications, such as web browsers, do not support PDF signatures at all and therefore do not indicate their validity or presence to the user. Other applications might display a banner above the document's contents or a panel stating information about the signature including its author and its validity.
One popular example of signed PDF files are the invoices for purchases at Amazon. Figure 1 shows that Adobe Acrobat Reader DC recognizes the signature in an Amazon invoice and states that it is valid and the document was not altered after the application of the signature.
The attacks created during the master's thesis are divided into three different attack classes:
- Signature Exclusion: The basic idea of the first attack class is to prevent the application from being able to verify the signature. One example for this attack class is to simply remove parts of the signature information, such as the range of bytes covered by the signature or the signature value itself.
- Incremental Update Abuse: The second attack class abuses a PDF feature called "incremental update" which allows to modify PDF files by appending changes at the end of the file. Instead of applying a valid incremental update as described in the standard, the structure of the update is manipulated. This allows to change the displayed contents of the document while tricking the application used to view the file to think the document has not been updated after the signature was applied.
- Signature Wrapping: This attack class is inspired by XML Signature Wrapping. The basic idea is to "wrap" the signed data in another element and place it at the end of the file. Afterwards manipulations are added in between the beginning of the document and the unaltered signed data at the end. As the signed data is still present the signature can be verified successfully.
Evaluation of Desktop Applications
The evaluation included 34 desktop applications for Windows, macOS and Linux. All applications which could be evaluated were vulnerable to at least one attack class - except one application: Adobe Acrobat 9 for Linux. Released in 2013, version 9.5.5 is the last version of Adobe Reader developed for Linux and was only added to the evaluation as a reference. It is vulnerable to multiple other attacks and therefore must not be used outside of test environments.
The identified vulnerabilities allowed to bypass the integrity and authenticity protection of PDF signatures completely and to change the displayed content of signed documents arbitrarily. Figure 2 shows an example of a successful attack inspired by the paper "1 Trillion Dollar Refund – How To Spoof PDF Signatures" by Vladislav Mladenov. The displayed content of the document has been manipulated and shows a refund of one trillion US Dollar instead of an invoice for a purchase. Nevertheless, Adobe Acrobat Reader DC states the document is validly signed by Amazon and the document was not altered after the application of the signature.
The protection digital signatures provide to digital documents is especially important in critical environments such as the judicial system or tax matters. Additionally, PDF is a common choice for the exchange of digital documents. Nevertheless, the security of digital signatures in PDF documents has not been in the focus of research in the past. The goal of the thesis was to fill this gap by providing the first comprehensive evaluation of PDF processing applications regarding the security of digital signatures embedded in documents.
The results of the evaluation show that it was - and still is - necessary to survey the security of PDF signatures to ensure they fulfill their purpose of protecting the document's contents. The mere amount of vulnerable applications emphasizes that the applications' vendors need to pay more attention to security aspects during the signature validation and probably when processing PDF documents in general. The overall weak security of PDF signatures in common PDF processing applications is especially alarming as governmental institutions as well as private companies rely on the protection provided by digital signatures in PDF documents in various environments including the judicial system, tax matters and all sorts of legally binding contracts.
All identified vulnerabilities were responsibly disclosed to the applications' vendors in cooperation with the computer emergency response team ("CERT-Bund") of the german "Bundesamt für Sicherheit in der Informationstechnik" (BSI) to enable them to implement updates which fix the identified vulnerabilities.
 Karsten Meyer zu Selhausen. Security of PDF Signatures. Ruhr University Bochum, 2018. URL: https://www.nds.ruhr-uni-bochum.de/media/ei/arbeiten/2019/02/12/DIGITALVERSION_KMeyerZuSelhausen_SecurityOfPDFSignatures_2018-11-25.pdf
 Vladislav Mladenov et al. 1 Trillion Dollar Refund – How To Spoof PDF Signatures. Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS '19), 2019. URL: https://www.pdf-insecurity.org/download/paper-pdf-signatures-ccs2019.pdf