Abstract

Converting a file means opening data that someone else created, and parsing untrusted input is one of the most reliable ways to provoke unexpected behaviour in software. We evaluated how a conversion workload behaves when it is treated as inherently untrusted and confined accordingly. Against a synthetic adversarial corpus of 12,400 crafted inputs spanning malformed documents, decompression bombs, deeply nested structures, oversized media, and files that attempt to reach external resources, every job either produced a valid result or failed inside its own boundary. We observed zero sandbox escapes, zero impact on neighbouring jobs, and zero successful network egress. This study formalises the containment model behind PrivConvert.

Background

A file converter is, by definition, a program that reads input it did not produce. Documents, images, archives, and e-books are not passive data; they are richly structured formats with parsers, decoders, embedded references, and layout engines behind them. A maliciously crafted file can try to trigger excessive memory use, push a decoder into a pathological state, or coax a converter into fetching something from the network on the attacker's behalf.

The conventional answer is to harden the parser: patch bugs as they are found, add input checks, and hope the next malformed file does not find a gap. That approach is necessary but never sufficient, because the input space of real-world file formats is effectively unbounded. The more durable answer is to assume the parser will eventually misbehave and to ensure that when it does, the blast radius is a single, disposable job - not the host, not other users, and not the network.

This study asks a focused question: when a conversion is confined and then fed deliberately hostile input, does the confinement hold?

The Challenge

A general-purpose conversion service has to accept a wide range of formats, which means it carries a wide attack surface. We grouped the threats we wanted to contain into five families:

For each family, the question is not only “does the converter reject it” but “if the converter is pushed past its limits, does the failure stay where it started.”

Our Approach

We treat every conversion as a self-contained, throwaway unit of work. Each job runs inside its own isolated environment with three properties enforced from the outside rather than requested politely from within:

The corpus was generated synthetically and run through this confinement in repeated batches, including concurrent batches designed to look for interference between simultaneous jobs. We measured four outcomes per input: whether it was handled cleanly (converted or rejected with a defined error), whether it escaped its environment, whether it affected any other job, and whether it managed to reach the network.

One disposable job ! hostile file Other jobs The host Network
Fig 1. Whatever a hostile file does, it stays inside one disposable job.
Classification Notice

The mechanisms that enforce isolation, the way resource ceilings are applied, and the components that make up the conversion pipeline are proprietary to topriv and are not described here. This study reports the behaviour we observe and the guarantees we hold ourselves to - not the implementation that produces them. Security that depends on secrecy is fragile; but publishing a blueprint serves no one but an attacker.

Results

We ran all 12,400 inputs through the confinement, in both sequential and concurrent configurations. For every family of hostile input, the result was the same: the job was handled inside its own boundary, nothing escaped, nothing touched a neighbour, and nothing reached the network.

Containment by Input Family

Input Family Samples Contained Escapes Cross-job Reached Net
Malformed / truncated documents 3,200 100% 0 0 0
Decompression bombs 2,600 100% 0 0 0
Deeply nested / recursive 1,900 100% 0 0 0
Oversized / high-resolution media 1,800 100% 0 0 0
Embedded external references 1,500 100% 0 0 0 / 1,500 blocked
Encoding / parser edge cases 1,400 100% 0 0 0

Key observation: The inputs that tried hardest to do damage were the most boring to watch. A decompression bomb that would overwhelm an unprotected parser simply hit its ceiling and was stopped, with no effect on any job running alongside it. Every embedded request for a remote resource was issued into a void - 1,500 attempts, 1,500 blocked, none successful.

Behaviour Under Concurrency

Containment is easy to demonstrate one job at a time; the interesting test is what happens when many jobs run together and one of them misbehaves. We interleaved hostile inputs with ordinary conversions under sustained concurrent load and watched for interference: a failing job slowing down its neighbours, leaking state into them, or causing a wider stall.

Across the concurrent batches, a job exceeding its limits failed on its own and returned a defined error. Neighbouring conversions completed normally, and throughput degraded gracefully rather than collapsing. Failures were deterministic - the same hostile input produced the same contained outcome on every run - which is the property that lets us reason about the system instead of hoping.

Implications for PrivConvert

This containment model is the foundation of how PrivConvert handles every file. Because each conversion is treated as untrusted and confined from the outside, a malicious upload has nowhere useful to go: it cannot reach your data, anyone else's data, the host, or the network, and the moment the job ends its state is discarded. That is what lets PrivConvert offer conversion without storing your files and without asking you to trust that the converter is bug-free.

For a plain-language walk-through of the same ideas, see our blog post Secure by Design: How PrivConvert Isolates Every File Conversion.

Limitations

This study measures containment, not the absence of bugs. A parser flaw can still cause an individual conversion to fail; the claim we test is that such a failure stays inside one disposable job. The corpus is synthetic and, like any adversarial corpus, cannot be exhaustive - the input space of real file formats has no fixed boundary. We treat containment as a property to be continuously re-tested as formats and tooling evolve, not as a result that is proven once. Finally, this work concerns isolation behaviour only; it does not address every layer of the wider security posture, which is evaluated separately.

Classification Notice

Test corpus generators, the exact resource ceilings, and the enforcement layer behind these results are proprietary and intentionally omitted. The corpus contains only synthetic, machine-generated inputs; no real user file is ever used in PrivLab research.

This study was never run against our users. Every input in it was synthetic and machine-generated, executed entirely in isolated test environments. We did not observe, sample, or experiment on any real conversion, file, or person. Our design means we couldn't have - the files you convert are never retained, so there is nothing for us to test against in the first place.