Hubbry Logo
Polyglot (computing)Polyglot (computing)Main
Open search
Polyglot (computing)
Community hub
Polyglot (computing)
logo
7 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Polyglot (computing)
Polyglot (computing)
Polyglot (computing)
View on Wikipedia
from Wikipedia

In computing, a polyglot is a computer program or script (or other file) written in a valid form of multiple programming languages or file formats.[1] The name was coined by analogy to multilingualism. A polyglot file is composed by combining syntax from two or more different formats.[2]

When the file formats are to be compiled or interpreted as source code, the file can be said to be a polyglot program, though file formats and source code syntax are both fundamentally streams of bytes, and exploiting this commonality is key to the development of polyglots.[3] Polyglot files have limited practical applications in compatibility,[4] but can also present a security risk when used to bypass validation or to exploit a vulnerability.

History

[edit]
See also: History of steganography

Polyglot programs have been crafted as challenges and curios in hacker culture since at least the early 1990s. A notable early example, named simply polyglot was published on the Usenet group rec.puzzles in 1991, supporting eight languages, though this was inspired by even earlier programs.[5] In 2000, a polyglot program was named a winner in the International Obfuscated C Code Contest.[6]

In the 21st century, polyglot programs and files gained attention as a covert channel mechanism for propagation of malware.[3][7] Polyglot files have limited practical applications in compatibility.[8]

Construction

[edit]

A polyglot is composed by combining syntax from two or more different formats, leveraging various syntactic constructs that are either common between the formats, or constructs that are language specific but carrying different meaning in each language. A file is a valid polyglot if it can be successfully interpreted by multiple interpreting programs. For example, a PDF-Zip polyglot might be opened as both a valid PDF document and decompressed as a valid zip archive. To maintain validity across interpreting programs, one must ensure that constructs specific to one interpreter are not interpreted by another, and vice versa. This is often accomplished by hiding language-specific constructs in segments interpreted as comments or plain text of the other format.[1]

Examples

[edit]

C, PHP, and Bash

[edit]

Two commonly used techniques for constructing a polyglot program are to make use of languages that use different characters for comments, and to redefine various tokens as others in different languages. These are demonstrated in this public domain polyglot written in ANSI C, PHP and bash:

Highlighted for Bash 

 #define a /*
 #<?php
 echo "\010Hello, world!\n";// 2> /dev/null > /dev/null \ ;
 // 2> /dev/null; x=a;
 $x=5; // 2> /dev/null \ ;
 if (($x))
 // 2> /dev/null; then
 return 0;
 // 2> /dev/null; fi
 #define e ?>
 #define b */
 #include <stdio.h>
 #define main() int main(void)
 #define printf printf(
 #define true )
 #define function
 function main()
 {
 printf "Hello, world!\n"true/* 2> /dev/null | grep -v true*/;
 return 0;
 }
 #define c /*
 main
 #*/

Highlighted for PHP 

 #define a /*
 #<?php
 echo "\010Hello, world!\n";// 2> /dev/null > /dev/null \ ;
 // 2> /dev/null; x=a;
 $x=5; // 2> /dev/null \ ;
 if (($x))
 // 2> /dev/null; then
 return 0;
 // 2> /dev/null; fi
 #define e ?>
 #define b */
 #include <stdio.h>
 #define main() int main(void)
 #define printf printf(
 #define true )
 #define function
 function main()
 {
 printf "Hello, world!\n"true/* 2> /dev/null | grep -v true*/;
 return 0;
 }
 #define c /*
 main
 #*/

Highlighted for C 

 #define a /*
 #<?php
 echo "\010Hello, world!\n";// 2> /dev/null > /dev/null \ ;
 // 2> /dev/null; x=a;
 $x=5; // 2> /dev/null \ ;
 if (($x))
 // 2> /dev/null; then
 return 0;
 // 2> /dev/null; fi
 #define e ?>
 #define b */
 #include <stdio.h>
 #define main() int main(void)
 #define printf printf(
 #define true )
 #define function
 function main()
 {
 printf "Hello, world!\n"true/* 2> /dev/null | grep -v true*/;
 return 0;
 }
 #define c /*
 main
 #*/

Note the following:

  • A hash sign marks a preprocessor statement in C, but is a comment in both bash and PHP.
  • "//" is a comment in both PHP and C and the root directory in bash.
  • Shell redirection is used to eliminate undesirable outputs.
  • Even on commented out lines, the "<?php" and "?>" PHP indicators still have effect.
  • The statement "function main()" is valid in both PHP and bash; C #defines are used to convert it into "int main(void)" at compile time.
  • Comment indicators can be combined to perform various operations.
  • "if (($x))" is a valid statement in both bash and PHP.
  • printf is a bash shell builtin which is identical to the C printf except for its omission of brackets (which the C preprocessor adds if this is compiled with a C compiler).
  • The final three lines are only used by bash, to call the main function. In PHP the main function is defined but not called and in C there is no need to explicitly call the main function.

SNOBOL4, Win32Forth, PureBasicv4.x, and REBOL

[edit]

The following is written simultaneously in SNOBOL4, Win32Forth, PureBasicv4.x, and REBOL:

Highlighted for SNOBOL 

 *BUFFER : A.A ; .( Hello, world !) @ To Including?
 Macro SkipThis; OUTPUT = Char(10) "Hello, World !"
 ;OneKeyInput  Input('Char', 1, '[-f2-q1]')  ; Char
 End; SNOBOL4 + PureBASIC + Win32Forth + REBOL = <3
 EndMacro: OpenConsole() : PrintN("Hello, world !")
 Repeat : Until Inkey() :  Macro SomeDummyMacroHere
 REBOL  [ Title:  "'Hello, World !' in 4 languages"
 CopyLeft:  "Developed in 2010 by Society" ]  Print
 "Hello, world !"  EndMacro:  func  [][]  set-modes
 system/ports/input [binary: true] Input  set-modes
 system/ports/input  [binary: false] NOP:: EndMacro
 ; Wishing to refine it with new language ? Go on !

Highlighted for Forth 

 *BUFFER : A.A ; .( Hello, world !) @ To Including?
 Macro SkipThis; OUTPUT = Char(10) "Hello, World !"
 ;OneKeyInput  Input('Char', 1, '[-f2-q1]')  ; Char
 End; SNOBOL4 + PureBASIC + Win32Forth + REBOL = <3
 EndMacro: OpenConsole() : PrintN("Hello, world !")
 Repeat : Until Inkey() :  Macro SomeDummyMacroHere
 REBOL  [ Title:  "'Hello, World !' in 4 languages"
 CopyLeft:  "Developed in 2010 by Society" ]  Print
 "Hello, world !"  EndMacro:  func  [][]  set-modes
 system/ports/input [binary: true] Input  set-modes
 system/ports/input  [binary: false] NOP:: EndMacro
 ; Wishing to refine it with new language ? Go on !

Highlighted for BASIC 

 *BUFFER : A.A ; .( Hello, world !) @ To Including?
 Macro SkipThis; OUTPUT = Char(10) "Hello, World !"
 ;OneKeyInput  Input('Char', 1, '[-f2-q1]')  ; Char
 End; SNOBOL4 + PureBASIC + Win32Forth + REBOL = <3
 EndMacro: OpenConsole() : PrintN("Hello, world !")
 Repeat : Until Inkey() :  Macro SomeDummyMacroHere
 REBOL  [ Title:  "'Hello, World !' in 4 languages"
 CopyLeft:  "Developed in 2010 by Society" ]  Print
 "Hello, world !"  EndMacro:  func  [][]  set-modes
 system/ports/input [binary: true] Input  set-modes
 system/ports/input  [binary: false] NOP:: EndMacro
 ; Wishing to refine it with new language ? Go on !

Highlighted for REBOL 

 *BUFFER : A.A ; .( Hello, world !) @ To Including?
 Macro SkipThis; OUTPUT = Char(10) "Hello, World !"
 ;OneKeyInput  Input('Char', 1, '[-f2-q1]')  ; Char
 End; SNOBOL4 + PureBASIC + Win32Forth + REBOL = <3
 EndMacro: OpenConsole() : PrintN("Hello, world !")
 Repeat : Until Inkey() :  Macro SomeDummyMacroHere
 REBOL  [ Title:  "'Hello, World !' in 4 languages"
 CopyLeft:  "Developed in 2010 by Society" ]  Print
 "Hello, world !"  EndMacro:  func  [][]  set-modes
 system/ports/input [binary: true] Input  set-modes
 system/ports/input  [binary: false] NOP:: EndMacro
 ; Wishing to refine it with new language ? Go on !

MS-DOS batch file and Perl

[edit]

The following file runs as an MS-DOS batch file, then re-runs itself in Perl:

Highlighted for DOS batch 

 @rem = ' --PERL--
 @echo off
 perl "%~dpnx0" %*
 goto endofperl
 @rem ';
 #!perl
 print "Hello, world!\n";
 __END__
 :endofperl

Highlighted for Perl 

 @rem = ' --PERL--
 @echo off
 perl "%~dpnx0" %*
 goto endofperl
 @rem ';
 #!perl
 print "Hello, world!\n";
 __END__
 :endofperl

This allows creating Perl scripts that can be run on MS-DOS systems with minimal effort. Note that there is no requirement for a file to perform exactly the same function in the different interpreters.

Types

[edit]

Polyglot types include:[3]

  • stacks, where multiple files are concatenated with each other
  • parasites where a secondary file format is hidden within comment fields in a primary file format
  • zippers where two files are mutually arranged within each others' comments
  • cavities, where a secondary file format is hidden within null-padded areas of the primary file.

Benefits

[edit]

Polyglot markup

[edit]

Polyglot markup has been proposed as a useful combination of the benefits of HTML5 and XHTML.[9] Such documents can be parsed as either HTML (which is SGML-compatible) or XML, and will produce the same DOM structure either way. For example, in order for an HTML5 document to meet these criteria, the two requirements are that it must have an HTML5 doctype, and be written in well-formed XHTML. The same document can then be served as either HTML or XHTML, depending on browser support and MIME type.

As expressed by the html-polyglot recommendation,[9] to write a polyglot HTML5 document, the following key points should be observed:

  1. Processing instructions and the XML declaration are both forbidden in polyglot markup
  2. Specifying a document’s character encoding
  3. The DOCTYPE
  4. Namespaces
  5. Element syntax (i.e. End tags are not optional. Use self-closing tags for void elements.)
  6. Element content
  7. Text (i.e. pre and textarea should not start with newline character)
  8. Attributes (i.e. Values must be quoted)
  9. Named entity references (i.e. Only amp, lt, gt, apos, quot)
  10. Comments (i.e. Use <!-- syntax -->)
  11. Scripting and styling polyglot markup

The most basic possible polyglot markup document would therefore look like this:[9] 

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="" xml:lang="">
  <head>
    <title>The title element must not be empty.</title>
  </head>
  <body>
  </body>
</html>

In a polyglot markup document non-void elements (such as script, p, div) cannot be self-closing even if they are empty, as this is not valid HTML.[10] For example, to add an empty textarea to a page, one cannot use <textarea/>, but has to use <textarea></textarea> instead.

Composing formats

[edit]

The DICOM medical imaging format was designed to allow polyglotting with TIFF files, allowing efficient storage of the same image data in a file that can be interpreted by either DICOM or TIFF viewers.[11]

Compatibility

[edit]

The Python 2 and Python 3 programming languages were not designed to be compatible with each other, but there is sufficient commonality of syntax that a polyglot Python program can be written than runs in both versions.[12]

Security implications

[edit]

A polyglot of two formats may steganographically compose a malicious payload within an ostensibly benign and widely accepted wrapper format, such as a JPEG file that allows arbitrary data in its comment field. A vulnerable JPEG renderer could then be coerced into executing the payload, handing control to the attacker. The mismatch between what the interpreting program expects, and what the file actually contains, is the root cause of the vulnerability.[1]

SQL Injection is a trivial form of polyglot, where a server naively expects user-controlled input to conform to a certain constraint, but the user supplies syntax which is interpreted as SQL code.

Note that in a security context, there is no requirement for a polyglot file to be strictly valid in multiple formats; it is sufficient for the file to trigger unintended behaviour when being interpreted by its primary interpreter.

Highly flexible or extensible file formats have greater scope for polyglotting, and therefore more tightly constrained interpretation offers some mitigation against attacks using polyglot techniques. For example, the PDF file format requires that the magic number %PDF appears at byte offset zero, but many PDF interpreters waive this constraint and accept the file as valid PDF as long as the string appears within the first 1024 bytes. This creates a window of opportunity for polyglot PDF files to smuggle non-PDF content in the header of the file.[3] The PDF format has been described as "diverse and vague", and due to significantly varying behaviour between different PDF parsing engines, it is possible to create a PDF-PDF polyglot that renders as two entirely different documents in two different PDF readers.[13]

Detecting malware concealed within polyglot files requires more sophisticated analysis than relying on file-type identification utilities such as file. In 2019, an evaluation of commercial anti-malware software determined that several such packages were unable to detect any of the polyglot malware under test.[3][2]

In 2019, the DICOM medical imaging file format was found to be vulnerable to malware injection using a PE-DICOM polyglot technique.[14] The polyglot nature of the attack, combined with regulatory considerations, led to disinfection complications: because "the malware is essentially fused to legitimate imaging files", "incident response teams and A/V software cannot delete the malware file as it contains protected patient health information".[15]

GIFAR attack

[edit]

A Graphics Interchange Format Java Archives (GIFAR) is a polyglot file that is simultaneously in the GIF and JAR file format.[16] This technique can be used to exploit security vulnerabilities, for example through uploading a GIFAR to a website that allows image uploading (as it is a valid GIF file), and then causing the Java portion of the GIFAR to be executed as though it were part of the website's intended code, being delivered to the browser from the same origin.[17] Java was patched in JRE 6 Update 11, with a CVE published in December 2008.[18][19]

GIFARs are possible because GIF images store their header in the beginning of the file, and JAR files (as with any ZIP archive-based format) store their data at the end.[20]

[edit]
Look up polyglot in Wiktionary, the free dictionary.
  • Polyglot programming, referring to the practise of building systems using multiple programming languages, but not necessarily in the same file.[21][22]
  • Polyglot persistence is similar, but about databases.

See also

[edit]

References

[edit]
[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

Polyglot (computing)

View on Grokipedia
from Grokipedia
In computing, a polyglot is a computer program, script, or other file written in a valid form of multiple programming languages or file formats. The term is coined by analogy to a polyglot person who speaks multiple languages. Polyglot files are constructed by exploiting overlaps in syntax or structure between formats, allowing the same byte stream to be interpreted correctly by different parsers or compilers. While they have niche applications in demonstrating compatibility or creating versatile tools, polyglots can pose security risks, such as evading input validation or exploiting vulnerabilities in parsers.

Definition and Fundamentals

Definition

In computing, a polyglot is a computer file or program that is valid in multiple file formats or can be correctly interpreted and executed as source code in more than one programming language or by different parsers, without requiring any modifications. This property arises from exploiting syntactic overlaps, structural ambiguities, or flexible parsing rules that allow the same content to conform to the specifications of distinct formats or languages simultaneously. Polyglots differ fundamentally from monoglots, which are files or programs designed and structured exclusively for a single file format or programming language, relying on unique signatures, headers, or syntax that preclude validity in other contexts. By contrast, polyglots intentionally or incidentally capitalize on shared elements—such as common delimiters, optional metadata, or forgiving grammars—to achieve multi-format compliance, often for purposes like demonstrations, , or evasion techniques in adversarial scenarios. The concept draws from the linguistic term "polyglot," denoting proficiency in multiple languages, adapted to computing to describe these versatile artifacts that bridge disparate technical domains. Readers are assumed to have basic familiarity with source code parsing, where compilers or interpreters analyze text against language grammars, and file formats, which define structured data layouts like headers and payloads.

Key Characteristics

Polyglot files in computing exhibit syntactic flexibility by leveraging overlapping or tolerant elements across multiple formats, such as one language's comment syntax serving as executable code in another or extraneous data being ignored by parsers. This allows a single file to conform to the specifications of two or more formats without inherent conflicts, often through methods like embedding secondary content in comment sections (parasite technique) or appending compatible structures (stack technique). For instance, formats like or PDF tolerate additional bytes or malformed sections, enabling such dual validity. A core property is parsability, where the file must be syntactically and semantically valid in each target or format, producing no parsing errors when processed by respective interpreters or viewers. This is achieved by exploiting language-specific mechanisms that ignore or reinterpret elements, such as whitespace, delimiters, null-padded areas, or mutual comment markers that conceal code from one parser while exposing it to another. Consequently, the file behaves correctly in diverse contexts, like rendering as an in one application while executing as a script in another. Polyglots enhance portability by being executable or interpretable across environments that support the involved languages or formats, facilitating cross-platform deployment without modification. This trait is particularly valuable in scenarios requiring compatibility across disparate systems, as the file adapts based on the invoking runtime or tool. Complexity in polyglots is typically gauged by the number of supported formats, with most involving two or more (e.g., dual-format combinations like JPG+PHP), though achieving validity in three or additional ones escalates construction difficulty exponentially due to the need for precise alignments in offsets, signatures, and tolerances. Detection poses significant challenges, as standard tools like the Unix file command often misidentify polyglots by matching only the primary signature, leading to evasion of format-specific analyses.

Historical Development

Early Origins

The concept of polyglot code in computing emerged during the and within Unix environments, where developers began experimenting with files that could function validly as scripts in multiple interpreters or compilers. These early efforts often involved combining shell scripts with compiled languages like , leveraging features such as shebangs (introduced in 4.2BSD Unix in 1983) to specify interpreters and multi-line comments to embed one language's code harmlessly within another. Such techniques allowed a single to serve dual purposes, such as executing simple commands via the while also compiling as source code. Key pioneers included hackers from the era and early Unix development communities, who crafted these dual-mode files to optimize workflows in resource-constrained systems. For instance, participants in the nascent (IOCCC), started in 1984 by Landon Curt Noll and Larry Bassel at , explored polyglot constructions as intellectual challenges that highlighted language overlaps. A seminal example is Jack Applin's 1986 IOCCC entry, recognized as one of the first documented polyglots, which outputs "Hello, world!" when interpreted as , compiled with Fortran 77, or compiled with . These innovations were primarily motivated by the era's hardware limitations, including scarce storage on systems like the PDP-11 minicomputers, where minimizing file counts enhanced efficiency and compatibility across Unix tools. Polyglots enabled without duplicating files, aligning with the of small, composable programs. However, pre-1990s constraints—such as limited processing power, absence of modern scripting languages like (developed in 1987), and reliance on text-based terminals—kept polyglots rare and confined to simple, script-focused applications rather than complex binaries.

Evolution and Milestones

The concept of polyglots in computing saw significant growth in the , coinciding with the expansion of web scripting languages and the proliferation of open-source sharing platforms such as and BBS systems. A landmark achievement was the 1991 polyglot program developed by Kevin Bungard, Peter Lisle, and Chris Tham, which was simultaneously valid and executable in seven languages: , Pascal, , , , Unix shell script, and x86 . This example, outputting "hello polyglots" across all interpretations, exemplified early experimentation with multi-language code validity and was distributed publicly to foster community exploration. Examples like PHP-Bash polyglots emerged during this period, leveraging similarities between and shell environments to create hybrid scripts for tasks. In the 2000s, polyglots gained further traction through (esolang) communities and the nascent movement, where brevity and ingenuity were prized. The 2001 "10th Anniversary Edition" of the 1991 polyglot added as an eighth language, demonstrating ongoing refinement and extension of classic designs. Polyglot quines, which require the code to self-replicate identically while remaining valid in multiple languages, elevated the technical complexity within esolang and golfing circles. The 2010s and marked a shift toward practical integrations in , particularly in workflows. Polyglot configurations, such as those exploiting YAML's status as a strict superset of , enabled single files to function interchangeably as YAML or JSON, streamlining tool compatibility in . Community-driven events, including the 2012 Polyglot Challenge on , spurred widespread participation and innovation by tasking participants with creating polyglots that output language-specific identifiers. Recent trends in the include applications in like multi-format Dockerfiles that adapt to diverse runtime environments.

Construction Techniques

Basic Principles

The core strategy for constructing polyglot source code involves identifying elements of syntax that are shared across multiple programming languages, such as semicolons for statement termination in languages like C and JavaScript, while employing language-specific mechanisms to ignore or bypass incompatible portions of the code. These ignores typically leverage comments, which vary by language—for instance, the # symbol comments out lines in Python and shell scripts but may serve as a preprocessor directive in C—or whitespace, which is often insignificant in most languages. This approach ensures that each interpreter or compiler parses the file as valid syntax for its respective language without errors from extraneous elements. Shebang lines and header tricks form a foundational technique, particularly for Unix-like systems, where the initial #! directive specifies an interpreter (e.g., #!/bin/sh for shell) but functions as a comment in languages like Perl or Python that treat # as a line comment starter. For example, a header like #!/bin/sh followed by an eval statement can invoke Perl execution while remaining valid shell syntax, allowing the file to operate as either a shell script or a Perl program depending on the invocation method. This dual validity relies on the shebang being ignored by non-shell interpreters, enabling seamless compatibility across environments. The layering approach structures the code such that an outer encompasses inner ones, with each layer designed for sequential validity—often by terminating the outer language's execution early (e.g., via an exit or that is benign in inner languages) before transitioning to the next. This method divides the source into discrete sections, using delimiters like multi-line comments or string literals to encapsulate language-specific code, ensuring that parsers for inner languages overlook the outer layers as inert. Testing polyglots requires validation against multiple interpreters or compilers to confirm syntactic and semantic correctness in each language, including checks for runtime and output consistency. Common pitfalls include encoding mismatches, such as characters interpreted differently across tools, or variations in boolean evaluation (e.g., empty strings as false in some languages but not others), which can lead to unexpected failures. To create a simple biglot for two languages, such as a file valid as both shell and , begin by writing the primary logic in after a shell-compatible header; for instance, start with #!/bin/sh followed by an eval 'exec [perl](/page/Perl) -S &#36;0 "$@"' invocation if the condition is met, ensuring the is skipped in direct execution via a conditional like if 0. Next, append Perl-specific code, using elements like backticks for any shell command execution within that align with shell syntax when ignored. Finally, test execution under both interpreters (e.g., ./script.sh and [perl](/page/Perl) script.pl) to verify identical outputs and handle any path or argument differences.

Advanced Methods

Advanced methods for constructing polyglots extend beyond simple concatenations by incorporating sophisticated to manage interactions among more than two languages or formats simultaneously. In multiglot , creators balance multiple programming languages—often exceeding two—through techniques such as conditional includes and language-specific constructs that remain inert in other interpreters. For instance, comments ignored in one language can serve as code in another, while shebang lines or environment variables trigger language-specific execution paths. , which are unique byte sequences identifying file formats, play a crucial role in format-based polyglots by allowing parsers to detect and prioritize embedded structures without corrupting the primary format. Format embedding techniques enable seamless integration of disparate structures, particularly for data polyglots. A prominent example is ZIP-in-JAR embedding, where a file—essentially a ZIP archive with a manifest—incorporates additional ZIP payloads by aligning headers and central directories to avoid overlap, ensuring the file validates as both a Java archive and a compressed archive. Similarly, HTML-with-XML namespaces facilitate polyglot markup by declaring namespaces that render the document valid in both and contexts, leveraging shared syntax while embedding XML-specific elements without breaking parsers. These methods rely on precise header manipulation to maintain validity across interpreters. Automated tools have streamlined polyglot construction since the mid-2010s, reducing manual trial-and-error. The open-source Truepolyglot generator, developed around 2019, automates PDF-ZIP polyglots by embedding ZIP archives within PDF objects, adjusting offsets to align magic bytes and ensure dual validity with tools like Adobe Reader and 7-Zip. Regex-based builders, such as the Mitra tool, use pattern matching to generate polyglots across formats like ELF binaries and images, supporting parasite and near-polyglot variants through modular scriptable components. These tools optimize for compatibility by simulating parser behaviors. More recent tools, such as PolyZip (developed around 2024), automate embedding ZIP archives into diverse formats like images and audio files. Creating advanced polyglots presents significant challenges, particularly in resolving conflicts and minimizing . String delimiters often conflict across languages or formats—for example, a quote in a Python string might mimic a operator—necessitating escape sequences or neutral markers like #--PAYLOAD--# to delineate sections without altering semantics. Optimization for minimal size involves stripping redundant metadata and aligning structures to overlap bytes, as extraneous data can exceed format limits or trigger validation failures; techniques like offset skipping via tools such as dd help extract embedded content efficiently.

Types of Polyglots

Source Code Polyglots

Source code polyglots are files containing text that constitutes valid source code for multiple programming languages, enabling compilation or interpretation by each language's respective tools to generate programs with similar behavioral outcomes. These constructs exploit syntactic overlaps, comments, or directives to ensure the irrelevant portions are ignored in each context, allowing the core logic to execute uniformly. Common pairings involve interpreted languages such as Python and , which share flexible syntaxes amenable to shared constructs, or hybrids blending compiled languages like with interpreted ones like , where differences in compilation models are bridged through conditional includes or shebangs. Shell script hybrids, for instance, often combine Bash with or , leveraging script headers to route execution appropriately. A prominent example is a polyglot supporting , C++, Perl, , and both Python 2 and 3, which compiles and runs under C/C++ or interprets directly in the scripting languages, outputting the executing language's name to demonstrate validity. Another case merges and shell, using Ruby's block comments (=begin/=end) to encapsulate shell-specific code, resulting in shell execution printing one message and Ruby another. These polyglots find use in cross-language testing, where a single file validates behavioral equivalence across interpreters or compilers without duplicating codebases, and in legacy migrations, enabling gradual by showcasing interoperable logic in source form. Success metrics emphasize identical runtime , achieved via shared algorithmic logic—such as arithmetic computations or manipulations—that remains invariant despite language-specific parsing, with outputs unified through environment detection or neutral constructs like standard I/O calls. While traditional examples dominate, modern languages like Go and receive less emphasis in polyglot constructions due to their stricter syntaxes.

Data Format Polyglots

Data format polyglots refer to non-executable files that conform to the specifications of multiple data serialization or configuration formats, enabling them to be validly parsed and interpreted by corresponding parsers without modification. These files exploit syntactic and structural overlaps between formats to function as multiple data structures, such as key-value pairs, hierarchical objects, or tabular data. A prominent example is the compatibility between and , where YAML 1.2 is designed as a strict superset of JSON, allowing any valid JSON document to be parsed directly as YAML. Common examples illustrate these schema overlaps. For configuration purposes, / polyglots are widely used, as YAML parsers can handle JSON's object notation, arrays, and strings seamlessly, providing flexibility in environments requiring both formats. Similarly, INI files share a key-value structure with Java files; a simple INI-style file without sections adheres to the format recognized by Java's java.util.Properties class, making it interchangeable for basic settings in cross-platform applications. In tabular data, CSV and TSV files rely on delimited text, where a tab-separated file can be parsed as TSV natively or as CSV by specifying a tab , emphasizing the adaptability of delimited schemas. These polyglots find applications in responses and configuration files within polyglot environments, where services in diverse languages benefit from format-agnostic data exchange. For instance, architectures often employ / configs to enable shared settings across , Python, and components, reducing format conversion overhead. Validation of data format polyglots typically involves lenient parsers that accommodate ambiguities between formats, contrasting with strict modes that enforce precise syntax. For /, lenient YAML parsers (e.g., those implementing the Core schema) accept JSON without issues, but strict JSON parsers reject YAML extensions like comments or anchors, posing challenges in mixed environments. This requires developers to select forgiving parsing libraries and test across modes to ensure reliable deserialization, particularly in where inconsistent validation can lead to deployment failures.

Notable Examples

Classic Multi-Language Scripts

One notable example of a classic multi-language script combines , , and Bash to produce equivalent output across interpreters. This polyglot leverages syntax overlaps where the Bash shebang line serves as a PHP comment, and C code is treated as ignored output redirection in Bash and comments in PHP. The script begins with a preprocessor directive in C that is interpreted as a variable definition in Bash, followed by PHP code embedded within C comments, and concludes with C's main function masked as shell redirections. When executed as a Bash script, it ignores the C and PHP portions due to redirection operators like > /dev/null, printing "Hello, world!" via the printf equivalent in Bash. In PHP, the C code becomes comments starting with /*, allowing the echo statement to execute. As C, the PHP tags are comments, and the main function compiles and runs normally, yielding the same output. This construction exploits line-by-line parsing differences, ensuring syntactic validity without conflicts, though it requires specific invocation (e.g., ./script for Bash, php script for PHP, gcc script -o out && ./out for C). An early Windows polyglot from the same era integrates MS-DOS batch and Perl, commonly used to embed Perl scripts within batch files for hybrid execution. The header employs @rem as a batch comment prefix, which doubles as Perl's POD (Plain Old Documentation) delimiter when the file is renamed with a .bat extension. A typical structure is: @rem --*-Perl-*-- followed by @perl.exe -x "%~f0" %* and @goto :eof, then the Perl shebang #!perl and code. In batch mode, @rem silences the Perl mode indicator, invokes perl.exe with the -x flag to skip to the shebang, passes the script path (%~f0) and arguments (%*), and jumps to end-of-file to ignore Perl lines. Perl's -x option skips initial non-Perl lines until #!perl, treating the batch header as ignorable text and executing the subsequent code. This achieves output equivalence, such as running a simple print statement in Perl while the batch handles invocation, without altering the core logic. Such scripts were prevalent in pre-PowerShell Windows environments for portability. Niche examples from the 1980s to 2000s, such as those exploiting overlaps in SNOBOL4, Win32Forth, v4.x, and , demonstrate polyglots in less common languages. A 2010 example outputs "Hello, world!" across these by using SNOBOL4's label-based statements and functions (e.g., *BUFFER : A.A) as comments or no-ops in Forth and , while v4.x macros like Macro SkipThis; ignore preceding lines via EndMacro. Win32Forth interprets the SNOBOL4 patterns as stack operations, and 's block syntax ([ Title: "'Hello, World !' in 4 languages" ]) aligns with dummy macros in . Execution equivalence relies on each language skipping irrelevant sections: SNOBOL4 via end statements, Forth via semicolons, via macro boundaries, and via NOP::. These scripts highlight overlaps in comment styles and whitespace handling but are dated; v4.x, last updated in 2012, is obsolete by 2025, superseded by version 6.x which dropped support for older Windows versions and deprecated functions.

Specialized Format Polyglots

Specialized format polyglots extend the concept of polyglot files into data structures and modern application contexts, where ambiguity between formats enables dual validity without relying on executable code. One prominent example is the GIFAR, a hybrid file combining a GIF image with a Java Archive (JAR) file. Constructed by concatenating a valid GIF header and image data with the binary content of a JAR file as trailing "garbage," the resulting file parses as a legitimate image when processed top-down by image viewers or web servers, while the embedded JAR can be executed as a Java applet if referenced via an HTML <applet> tag. This exploits inconsistencies in file validation, allowing the image to display normally while the applet runs arbitrary code in the browser's context. Discovered in 2008, GIFAR demonstrates how format ambiguity in multimedia files can lead to unintended code execution, though modern browsers have mitigated such risks through stricter applet handling. In contemporary DevOps practices, polyglot configurations leverage the compatibility between YAML and JSON formats, particularly for Kubernetes manifests. Since YAML is designed as a human-readable superset of JSON, any valid JSON manifest file is inherently parsable as YAML without modification, enabling seamless interoperability across tools that prefer one format over the other. For instance, a Kubernetes deployment manifest written in JSON adheres to both standards, allowing it to be applied using kubectl in either syntax while maintaining the same declarative structure for resources like pods and services. This polyglot nature simplifies workflows in polyglot environments, where teams might use JSON for programmatic generation and YAML for manual editing. Verification of such dual-format files can be performed with tools like jq for JSON parsing, which succeeds on compatible YAML inputs due to the superset relationship, or yq, a YAML processor that employs jq-like syntax for querying both formats uniformly. Web development has seen polyglot files that blend HTML markup, CSS stylesheets, and JavaScript scripts into a single valid document, capitalizing on browser parsing flexibility. A file might begin with an HTML doctype and structure, embed CSS rules within <style> tags that double as valid stylesheet content if extracted, and include JavaScript in <script> elements that executes correctly or parses as modular code. Proof-of-concept examples, such as those combining CSS and JavaScript syntax to function in both stylesheet and script contexts, illustrate how shared lexical rules—like comments (/* */) and property-like declarations—allow a single file to serve multiple roles without errors. These constructs are particularly useful in minimalistic web prototypes or obfuscation techniques, where the file remains valid across MIME types like text/html, text/css, or application/javascript.

Benefits and Applications

Interoperability and Compatibility

Polyglot computing facilitates by allowing a single artifact, such as a script or , to operate validly across diverse programming languages, runtimes, or operating systems, thereby enabling deployment in heterogeneous environments without requiring separate versions. For instance, polyglot scripts can function as both Bash scripts on and batch files on Windows, streamlining cross-platform execution and reducing the need for environment-specific adaptations. This approach yields significant compatibility gains by minimizing toolchain dependencies, as a polyglot file leverages shared structures interpretable by multiple parsers or interpreters, which is particularly useful for avoiding multiple file variants in compatibility scenarios. For example, polyglot binaries can be crafted to be valid executables on both (ELF format) and Windows (PE format), aiding in portable deployment for tools like bootloaders or utilities. Benchmarks demonstrate improved portability with polyglot approaches, while minimizing the proliferation of file variants needed for compatibility.

Markup and Composed Formats

Polyglot markup enables documents to conform to multiple markup language specifications simultaneously, such as that is also valid as or compatible with SGML parsers. This dual validity arises from adhering to a of rules that bridge the syntactic differences between HTML's forgiving parsing and XML's stricter requirements, resulting in identical document object models (DOMs) across parsers. The (W3C) formalized these principles in its Polyglot Markup specification, which defines documents parsable as both HTML and XML while maintaining compliance with web standards. Key techniques for achieving polyglot markup include the use of declarations, such as the xmlns="http://www.w3.org/1999/xhtml" attribute in the <[html](/page/HTML)> element, which signals XML parsers to treat the document within the XHTML namespace without disrupting HTML rendering. Additionally, employing lowercase element and attribute names, self-closing tags for void elements (e.g., <br/>), and the encoding ensures multi-parser acceptance, as these align with both tolerance and XML rigidity. These methods allow documents to be served via text/html for broad browser support or application/xhtml+xml for stricter XML processing, enhancing web standards compliance by reducing parsing discrepancies. In composed formats, polyglots leverage nested structures where one format embeds components of another, facilitating in document ecosystems. For instance, specially crafted polyglot files can be valid as both PDF and , where PDF content streams use PostScript-derived syntax for describing vector paths, fonts, and images; such files, though not routine, demonstrate portability across viewers and interpreters like , which handles both formats. The PDF specification (ISO 32000) describes this syntactic overlap, enabling advanced layouts in compatible workflows without separate files. Applications of these polyglot approaches in markup and composed formats include browser rendering fallbacks, where an XML parser can gracefully handle HTML-like content if the primary mode fails, and enhanced document portability for syndication across legacy SGML systems, modern web platforms, and print environments. In the , this has extended to polyglots embedded in , where binary modules are crafted to double as valid markup, supporting portable execution of high-performance code in diverse web contexts without format-specific loaders.

Risks and Security Implications

General Vulnerabilities

Polyglot files and code in introduce inherent risks due to their dual or multi-format nature, which can exploit ambiguities in how different parsers or interpreters process the same input. Multiple parsers may interpret the content differently, leading to injection risks where malicious payloads are executed unexpectedly if one parser overlooks elements that another processes as code. For instance, a file valid as both an and an might bypass content filters designed for visual media, allowing embedded scripts to run in a scripting environment. This has been documented in attack chains where polyglots evade detection by masquerading as benign formats. In contexts, polyglots embedded in dependencies pose significant threats by hiding in sections ignored by primary parsers, such as appended data at the end of archive files that appears innocuous during routine scans. Attackers can leverage this to distribute backdoors via seemingly legitimate packages, amplifying propagation in ecosystems like software repositories. Recent campaigns, including spear-phishing operations targeting organizations, have used polyglots to conceal backdoor installations, exploiting trust in common file types like PDFs or containing hidden executables. inconsistencies further exacerbate these risks, particularly when version mismatches across languages or tools cause unintended execution; for example, differing interpretations of syntax in polyglot can trigger buffer overflows or if parsers apply incompatible rules. To mitigate these vulnerabilities, organizations should employ strict validation tools that thoroughly inspect files across all potential formats, alongside sandboxing to isolate execution environments and prevent unintended behaviors. Tools like PolyConv, a machine learning-based detector, have demonstrated high efficacy in identifying polyglots with a 99.20% F1 score, while content disarmament solutions such as ImSan can sanitize malicious elements in image-based polyglots. Additionally, adopting multi-parser verification and dependency auditing protocols helps address parsing discrepancies and exposures.

Specific Attack Vectors

One prominent example of a polyglot-based attack is the GIFAR exploit, which emerged in the and combines a image header with a file structure to evade content filters. The attack works by prepending the GIF magic bytes (such as "GIF89a") to a ZIP-based JAR archive containing a malicious and executable classes, allowing the file to render harmlessly as an image in browsers while executing as a if processed by a runtime. This dual validity exploits discrepancies in file type verification, where image scanners overlook the embedded ZIP payload, bypassing protections like those in early web proxies. Polyglot malware often embeds executable code in seemingly benign formats, such as or within images, to break browser sandboxes and deliver payloads. A notable case involves or files augmented with JavaScript, where the image header masks script tags or event handlers that trigger (XSS) upon rendering, as seen in campaigns that exploited browser parsers to execute remote code. In 2022, the IcedID banking trojan utilized CHM+HTA polyglots—HTML Application files with embedded JavaScript—to evade email gateways and deploy stealers, demonstrating how such constructs can chain into sandbox escapes by mimicking help files while running scripts. Another vector involves polyglots on Windows systems, where .bat scripts embed commands or executables to facilitate . Tools like Powerglot encode offensive scripts into polyglot formats, such as BAT+PS1 hybrids, allowing attackers to bypass execution policies and elevate from user to admin contexts via self-extracting mechanisms that unpack and run payloads undetected by signature-based antivirus. Post-2020, polyglot variants have evolved to target mobile applications, particularly by embedding malicious code in images within APK files, which are ZIP archives prone to such manipulations. For instance, attackers append image headers (e.g., or ) to APK components, enabling evasion of scanners that validate visuals separately from binaries. This adaptation exploits mobile OS file routing, where image processors ignore embedded ZIP structures carrying trojanized APKs. By 2025, defenses against these vectors have advanced with multi-format scanners like OPSWAT's MetaDefender, which disassembles files across types to detect polyglots, and ML-based tools such as PolyConv, achieving over 99% accuracy in identifying stacked formats like GIFAR or image+APK hybrids. These countermeasures address earlier gaps by enforcing holistic validation beyond magic bytes, though attackers continue to refine evasion tactics.

Overlapping Terminology

In , the term "polyglot" for programs or files valid in multiple languages or formats overlaps with "multilingual code," which similarly denotes source code interpretable across different programming paradigms without modification. This synonymy arises in contexts like esoteric programming, where such constructs demonstrate language interoperability within a single artifact. However, "polyglot programming" and "polylingual software" introduce confusion, as they typically describe broader practices of integrating multiple languages across a project's components—such as using Java for backend logic and JavaScript for frontend—rather than confining validity to one file. These terms, often used interchangeably in literature, emphasize system-level over the file-level ambiguity central to polyglots. A key distinction lies in structure: true polyglots maintain validity as a single, unified file or parsable in each supported language, contrasting with wrappers (scripts that invoke external interpreters for other languages) or dual-file setups (separate files for each language sharing data). Informal descriptors like "chameleon files" occasionally appear in discussions to evoke files that adapt to multiple parsers, akin to polyglots, but lack formal and often focus on malicious evasion rather than benign multi-validity. Polyglots differ from "bifurcated scripts," which involve explicitly splitting code into distinct files for language-specific execution, forgoing the seamless, single-file property. Common misuses conflate polyglots with software (i18n), which adapts applications for diverse human languages through locale-specific resources, not by crafting multi-language code validity. The term "polyglot" gained standardization in the 2000s through (esolang) documentation, where it formalized the concept of multi-language programs amid growing interest in language boundaries. By the , related phrasing like "format-agnostic files" emerged in for storage independent of specific serialization schemes, such as Parquet or , but this pertains to interoperability in pipelines rather than executable multi-validity.

Broader Programming Paradigms

Polyglot quines represent a sophisticated intersection of self-referential programming and multi-language validity, where source code is executable in multiple languages and, upon execution in any of them, outputs its own source code exactly. The mechanics rely on exploiting syntactic overlaps and language-specific ignorable elements, such as comments or preprocessors, to ensure the code remains valid and self-replicating across interpretations; for instance, directives in one language may be treated as comments in another, allowing unified output generation. This form of self-reference extends traditional quines by demanding compatibility with diverse parsers, highlighting polyglots' role in exploring computational boundaries. Beyond recreation, polyglots embody deliberate , serving as a technique for in contexts like challenges, where minimizing length across multiple valid interpretations reduces overall complexity. In scenarios, this ambiguity aids anti-reverse efforts, as polyglot files can masquerade as benign formats (e.g., documents) while embedding executable code, evading detection by file-type filters or static analyzers. Such applications underscore polyglots' utility in concealing intent without altering core functionality, though they raise concerns in cybersecurity. Within broader paradigms, polyglots align closely with esoteric programming languages (esolangs), which prioritize conceptual experimentation over practicality; esolangs often feature in polyglot constructions to test limits, as documented in dedicated wikis fostering such innovations.

References

  1. https://dl.acm.org/doi/10.1145/2508859.2516685
  2. https://arxiv.org/pdf/2407.01529
  3. https://www.ioccc.org/README.html
  4. https://www.spinellis.gr/blog/20100112/index.html
  5. https://www.ioccc.org/1986/applin/index.html
  6. http://ideology.com.au/polyglot/
  7. https://esolangs.org/wiki/Polyglot
  8. https://esolangs.org/wiki/Quine
  9. https://yaml.org/spec/1.2.2/
  10. https://codegolf.stackexchange.com/questions/7261/write-a-polyglot-that-prints-the-languages-name
  11. https://codegolf.stackexchange.com/questions/101159/tips-for-creating-polyglots
  12. https://perldoc.perl.org/perlrun
  13. https://dl.acm.org/doi/fullHtml/10.1145/3546096.3546106
  14. https://arxiv.org/html/2407.01529v1
  15. https://www.w3.org/TR/html-polyglot/
  16. https://github.com/ansemjo/truepolyglot
  17. https://github.com/corkami/mitra
  18. https://github.com/InfoSecREDD/PolyZip
  19. https://www.berylliumsec.com/blog/creating-polyglot-files-png-python-scripts-binary
  20. https://github.com/floyd-fuh/C-CPP-Perl-Ruby-Python-Polyglot
  21. https://notes.burke.libbey.me/ruby-shell-polyglot/
  22. https://hal.science/hal-04588744v1/document
  23. https://dl.acm.org/doi/pdf/10.1145/3663529.3663787
  24. https://docs.oracle.com/cd/E23095_01/Platform.93/ATGProgGuide/html/s0204propertiesfileformat01.html
  25. https://ebay.github.io/tsv-utils/docs/comparing-tsv-and-csv.html
  26. https://yaml.org/spec/1.2/spec.html
  27. https://fietkau.plus/old_presentations/kbs_polyglots.pdf
  28. https://devblogs.microsoft.com/oldnewthing/20170804-00/?p=96765
  29. https://wiki.glitchdata.com/index.php/Polyglot_(computing)
  30. https://www.purebasic.com/documentation/mainguide/history.html
  31. https://www.usenix.org/system/files/login/articles/123-grossman.pdf
  32. https://arstechnica.com/information-technology/2008/08/newly-found-hybrid-attack-embeds-java-applet-in-gif-file/
  33. https://hackaday.com/2008/08/04/the-gifar-image-vulnerability/
  34. https://kubernetes.io/docs/concepts/overview/working-with-objects/
  35. https://spacelift.io/blog/kubernetes-manifest-file
  36. https://news.ycombinator.com/item?id=30052633
  37. https://github.com/wcroachie/css-js-polyglot
  38. https://dl.acm.org/doi/10.1145/3286978.3286997
  39. https://github.com/llamasoft/polyshell
  40. https://www.sultanik.com/blog/FilePolyglottery
  41. https://patrickventuzelo.com/2020/01/blogpost-how-to-create-a-valid-polyglot-html-js-webassembly-module/
  42. https://dl.acm.org/doi/10.1145/3696410.3714814
  43. https://www.kaspersky.com/blog/polyglot-malware-masking-technique/53263/
  44. https://www.csoonline.com/article/3837964/polyglot-files-used-to-spread-new-backdoor.html
  45. https://wnesecurity.com/what-are-polyglot-files-and-how-do-hackers-use-them/
  46. https://www.portswigger.net/daily-swig/malvertising-fiends-using-polyglot-exploits-in-real-world-attacks
  47. https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload/
  48. https://github.com/mindcrypt/powerglot
  49. https://attack.mitre.org/software/S1185/
  50. https://www.opswat.com/blog/how-metadefender-prevents-sophisticated-polyglot-image-attacks
  51. https://www.researchgate.net/publication/377125748_Polyglot_Software_Development_Wait_What
  52. https://inria.hal.science/hal-04383286/file/IEEE_Software___Polyglot_Software_Development__Copy_-1.pdf
  53. https://www.glasswall.com/us/blog/unmasking-polyglot-files-how-glasswalls-cdr-technology-tackles-this-stealthy-threat
  54. https://datascience.codata.org/articles/dsj-2016-012
  55. https://corecursive.com/quines-polyglot-code/
  56. https://www.researchgate.net/publication/328517529_Code_Golf_and_Obfuscation_with_Genetic_Algorithm_Based_Symbolic_Regression
  57. https://vickieli.dev/hacking/polyglot/
  58. https://www.theseus.fi/bitstream/10024/806359/2/Benchbana_Omar.pdf
Add your contribution
Related Hubs
User Avatar
No comments yet.