Page contents:
- Overview
- Installation
- Testing locally in the Git directory
- Directory layout
- Supported file formats
- Examples
- Testing Certificate Authority fields
Additional documentation:
- Using c2pa-attacks: How to use the
c2pa-attacks
CLI. - Injection attack files: Description of example attack files in the
attacks
directory. - Utilities: Overview of the available utility scripts for managing and generating c2pa-attacks files.
- Appendix: References and links for more information.
The C2PA Attacks Tool, c2pa-attacks
, performs security testing on a Content Credentials application (an application that uses the CAI SDKs and tools). The tool generates images with associated C2PA manifest stores to test the application for security vulnerabilities such as cross-site scripting and injection attacks against the file parser. It takes a file of attack strings, adds each string into the designated manifest field, and produces a corresponding malicious C2PA image for testing. The tool does not automatically check to see if the attack was successful. It should be noted that this version of the tool only supports version 1 of the C2PA specification.
This tool facilitates security testing early in the development cycle of Content Credentials applications. For such applications, often the first step in processing an asset is to validate the signature and reject any whose public key is not from a trusted CA. That said, it is still good to test the parsers since malicious adversaries could find ways to get unexpected data into C2PA manifest fields. In addition, it is conceivable that a Content Credentials application could parse manifest data without validating the certificate. Therefore, it is critical that the application safely handles unexpected input.
Each Content Credentials application has its own unique behavior and technology stack. Therefore, this tool provides a framework that you can customize for your specific needs. The files provided with this tool are examples for initial experimentation. You will need to create customized attack files for your specific environment. Refer to the appendix for information on how to cover more file types, more injections, and other forms of code coverage.
NOTE: This tool is a modification of the open-source C2PA c2patool, but is not a replacement for it. The c2patool contains much more functionality and is a companion for this tool during analysis and testing.
Install Rust.
To use the tool, you also must have certificates for signing the content.
Enter this command to install or update the tool:
cargo install c2pa-attacks
To ensure you have the latest version, enter this command:
c2pa-attacks -V
The tool will display the version installed. Compare the version number displayed with the latest release version shown in the repository releases page. To update to the latest version, reinstall the tool using the command shown above.
If you just want to do local testing builds, then you can specify the make command followed by your corresponding OS platform. If you are using linux or the Windows Subsystem for Linux (WSL), then you will need development utilities such as make
and build-essential
already installed. To build c2pa-attacks, refer to the Makefile to identify the OS platform options for your environment:
rm -rf ./target/*
make build-release-{YOUR_OS_PLATFORM}-{YOUR_CPU}
./target/{YOUR_OS_PLATFORM}/release/c2pa-attacks
The tool's directory layout is:
src
contains the tool's source code.docs
contains documentation.attacks
contains example files that can be used as the basis for injection attacks. See the README in that directory for details.sample
contains example certificates and signing keys, example manifest files that reference them, and other related example files.
Your target application may not recognize the example certificates. If so, you can generate your own certificates from an approved CA for your platform and then use them as described in the Appendix. The C2PA technical specification describes requirements for signing certificates.
The sample
directory contains
malicious_certificate.key
andmalicious_certificate.pem
- A certificate / key pair with random characters in the common name, organization, and organizational unit fields for testing a certificate parser's capability to handle unexpected characters. These are from a self-signed CA, so they will not work on an environment that enforces a trusted CA list.malicious_certificate.json
- A manifest that is the same astest.json
except that it specifies to use the malicious certificates for signing.
The tool works with the following types of asset files (also referred to as assets).
MIME type | extensions | read only |
---|---|---|
image/jpeg |
jpg, jpeg |
|
image/png |
png |
|
image/avif |
avif |
X |
image/heic |
heic |
X |
image/heif |
heif |
X |
video/mp4 |
mp4 |
|
application/mp4 |
mp4 |
|
audio/mp4 |
m4a |
|
video/quicktime |
mov |
|
application/x-c2pa-manifest-store |
c2pa |
NOTE: Quicktime (.mov
) format is not yet fully supported.
If you want to quickly create all possible test files without running each command individually, then the generate_sample_out.sh
script in the utilities
directory can be used to get started. More information on that tool is available in utility directory's README file. However, it is recommended that you still read through the examples below to understand what that script will produce.
These example uses of the tool use the provided files in the attacks
and sample
directories. The examples operate on the sample image file sample/C.jpg
which has attached Content Credentials and the sample/test.json
manifest file.
The following examples create output in the sample_out
directory.
The following command is an example of using direct substitution. For a general explanation of using direct substitution, see Using c2pa-attacks.
The following example reads attack strings one line at a time from the file attacks/xss.attack
file and injects them into the test.json
manifest file's author name field. The command saves its output in the sample_out
directory. The -f
flag forces overwrite of any existing files.
c2pa-attacks ./sample/C.jpg \
-m ./sample/test.json \
-t author \
-a ./attacks/xss.attack \
-o ./sample_out/C_mod2.jpg -f
This command outputs malicious files in the sample_out
directory:
author_xss_0_C_mod2.jpg
has an associated manifest with the first line fromxss.attack
injected into the author name field.author_xss_1_C_mod2.jpg
has an associated manifest with the second line fromxss.attack
injected into the author name field.- And so on.
The following command is an example of using regex substituion. For a general explanation of using regex substitution, see Using c2pa-attacks.
This example command reads attack strings one line at a time from the xss.attack
file and injects them into the author_name_regex.json
manifest file by replacing occurrences of the string "C2PA_ATTACK". The command saves its output in the sample_out
directory. The -f
flag forces overwrite of any existing files.
/c2pa-attacks ./sample/C.jpg \
-m ./sample/author_name_regex.json \
-a ./attacks/xss.attack \
-t regex \
-o ./sample_out/C_mod2.jpg -f
This command outputs malicious files in the sample_out
directory:
regex_xss_0_C_mod2.jpg
has an associated manifest with "C2PA_ATTACK" replaced with the first line fromxss.attack
.regex_xss_0_C_mod2.jpg
has an associated manifest with "C2PA_ATTACK" replaced with the second line fromxss.attack
.- And so on.
Security researchers can create self-signed certificate authorities and leaf certificates based on them. The C2PA project provides tools for generating certificates using OpenSSL in this repository: https://github.com/c2pa-org/testing-private/tree/main/cert-generation.
Within this project, the sample directory has a certificate with some unexpected values in common fields that can be used for signing. These certificates are based on a self-signed CA so any tools that validate against a trusted CA list won't accept them. However, you can use them to ensure that your certificate parsers can handle unexpected characters. They do not represent a comprehensive attack suite but it is a place to start.
To use the certificates with unexpected characters, use the malicious_certificate.json
manifest file when running your tests. It will use the malicious_certificate.pem
file and the malicious_certificate.key
file to sign the C2PA images. For more complete testing, you can use the C2PA testing-private repository mentioned above to create your own certificate chains. If you just need to test certificates with different algorithms, then there is a baseline suite located here: https://github.com/contentauth/c2pa-rs/tree/main/sdk/tests/fixtures/certs.
Install the c2patool so you can inspect individual files that this tool outputs. For more information, see c2patool - C2PA command line tool.