advances in grammar mining and testing
play

Advances in Grammar Mining and Testing Andreas Zeller CISPA / - PowerPoint PPT Presentation

Jan 03, 2023 •203 likes •840 views

Advances in Grammar Mining and Testing Andreas Zeller CISPA / Saarland University https://github.com/vrthra/pygmalion @AndreasZeller Saarbrcken @AndreasZeller CISPA | Center for IT-Security, Privacy and Accountability Scienti

  1. Advances in Grammar Mining and Testing Andreas Zeller CISPA / Saarland University https://github.com/vrthra/pygmalion @AndreasZeller

  2. Saarbrücken @AndreasZeller

  3. ─┐ CISPA | Center for IT-Security, Privacy and Accountability └─

  4. Scienti fj c excellence in fundamental research 50,000,000 € /year • 500+ researchers ─┐ CISPA | Center for IT-Security, Privacy and Accountability └─

  5. Fuzzing 
 Random Testing at the System Level [;x1-GPZ+wcckc];,N9J+?#6^6\e?]9lu2_%'4GX"0VUB[E/r ~fApu6b8<{%siq8Zh.6{V,hr?;{Ti.r3PIxMMMv6{xS^+'Hq!AxB"YXRS@! Kd6;wtAMefFWM(`|J_<1~o}z3K(CCzRH JIIvHz>_*.\>JrlU32~eGP? lR=bF3+;y$3lodQ<B89!5"W2fK*vE7v{')KC-i,c{<[~m!]o;{.'}Gj\(X} EtYetrpbY@aGZ1{P!AZU7x#4(Rtn!q4nCwqol^y6}0| Ko=*JK~;zMKV=9Nai:wxu{J&UV#HaU)*BiC<),`+t*gka<W=Z. %T5WGHZpI30D<Pq>&]BS6R&j?#tP7iaV}-}`\?[_[Z^LBMPG- FKj'\xwuZ1=Q`^`5,$N$Q@[!CuRzJ2D|vBy!^zkhdf3C5PAkR?V hn| 3='i2Qx]D$qs4O`1@fevnG'2\11Vf3piU37@55ap\zIyl"'f, $ee,J4Gw:cgNKLie3nx9(`efSlg6#[K"@WjhZ}r[Scun&sBCS,T[/ vY'pduwgzDlVNy7'rnzxNwI)(ynBa>%|b`;`9fG]P_0hdG~$@6 3]KAeEnQ7lU)3Pn,0)G/6N-wyzj/MTd#A;r

  6. Fuzzing 
 Random Testing at the System Level Fuzzer UNIX utilities “ab’d&gfdfggg” grep • sh • sed … 25%–33%

  7. Grammar Fuzzing • Suppose you want to test a parser – 
 to compile and execute a program • To get deep into the program, you need 
 syntactically correct inputs Parser @AndreasZeller

  8. LangFuzz (2012) • Fuzz tester for JavaScript and other languages • Uses a full- fm edged grammar to generate inputs • Uses grammar 
 to parse existing inputs

  9. JavaScript Grammar If Statement IfStatement full ⇒ if ParenthesizedExpression Statement full | if ParenthesizedExpression Statement noShortIf else Statement full IfStatement noShortIf ⇒ if ParenthesizedExpression Statement noShortIf else Statement noShortIf Switch Statement SwitchStatement ⇒ switch ParenthesizedExpression { } | switch ParenthesizedExpression { CaseGroups LastCaseGroup } CaseGroups ⇒ «empty» | CaseGroups CaseGroup CaseGroup ⇒ CaseGuards BlockStatementsPrefix LastCaseGroup CaseGuards BlockStatements

  10. A Generated Input 1 var haystack = "foo" ; 2 var re text = "^foo" ; 3 haystack += "x" ; 4 re text += "(x)" ; Parser 5 var re = new RegExp(re text); 6 re. test(haystack); 7 RegExp.input = Number(); 8 print(RegExp.$1); Figure 2: Test case generated by LangFuzz,

  11. Fuzzing JavaScript # defects 6 Mozilla TI 5 Google V8 4 (Chrome 10 Beta) 3 Mozilla TM (Firefox 4 Beta) 2 18 Chromium Security Rewards 1 12 Mozilla Security Bug Bounty Awards US$ 50,000+ in fj rst four weeks in 9 months 0 0 2 4 6 8 10 # days

  12. Learning Grammars If Statement IfStatement full ⇒ if ParenthesizedExpression Statement full | if ParenthesizedExpression Statement noShortIf else Statement full IfStatement noShortIf ⇒ if ParenthesizedExpression Statement noShortIf else Statement noShortIf Switch Statement SwitchStatement ⇒ switch ParenthesizedExpression { } | switch ParenthesizedExpression { CaseGroups LastCaseGroup } CaseGroups ⇒ «empty» | CaseGroups CaseGroup CaseGroup ⇒ CaseGuards BlockStatementsPrefix LastCaseGroup CaseGuards BlockStatements

  13. Learning Grammars • Let us characterize program behavior 
 via its input/output language • Assume I/O is a stream of characters (symbols) • Assume we can characterize this stream 
 via a formal language – regular expressions, grammars • We want to learn such a language from the program @AndreasZeller

  14. Learning Grammars http:// user:pass @ www.google.com:80 path / http:// user:pass @ www.google.com:80 path / Program @AndreasZeller

  15. Learning Grammars :// user:pass @ www.google.com:80 path / http:// user:pass @ www.google.com:80 path / http – protocol @AndreasZeller

  16. Learning Grammars :// user:pass @ :80 path / http:// user:pass @ www.google.com:80 path / http – protocol – host name www.google.com @AndreasZeller

  17. Learning Grammars :// user:pass @ : / path http:// user:pass @ www.google.com:80 path / http – protocol – host name www.google.com – port 80 @AndreasZeller

  18. Learning Grammars :// : @ : / path http:// user:pass @ www.google.com:80 path / http – protocol – host name www.google.com – port 80 – login user pass @AndreasZeller

  19. Learning Grammars :// : @ : / http:// user:pass @ www.google.com:80 path / http – protocol – host name www.google.com – port 80 – login user pass – page request path @AndreasZeller

  20. Learning Grammars http:// user:pass @ www.google.com:80 path / http – protocol – host name www.google.com – port 80 – login user pass – page request path – terminals :// : @ : / @AndreasZeller

  21. Learning Grammars http:// user:pass @ www.google.com:80 path / http – protocol } processed in – host name di fg erent www.google.com functions – port 80 – login user pass stored in di fg erent – page request path variables – terminals :// : @ : / @AndreasZeller

  22. Tracking Input We track input characters throughout program execution: 1. Dynamic tainting labels all characters read (and derived values) with their origin 2. Recognizing inputs checks string variables whether they hold input fragments (simpler) @AndreasZeller

  23. Grammar Inference • Start with grammar $START ::= input $START ::= http://user:pass@www.google.com:80/path#ref @AndreasZeller

  24. Grammar Inference • For each ( var , value ) we fj nd during execution, where value is a substring of input : 1. Replace all occurrences of value by $ VAR 2. Add a new rule $VAR ::= value $START ::= http://user:pass@www.google.com:80/path#ref fragment = 'ref' url = '/path' path = '/path' scheme = 'http' netloc = 'user:pass@www.google.com:80' @AndreasZeller

  25. Grammar Inference • For each ( var , value ) we fj nd during execution, where value is a substring of input : 1. Replace all occurrences of value by $ VAR 2. Add a new rule $VAR ::= value $START ::= http://$NETLOC/path#ref 
 $NETLOC ::= user:pass@www.google.com:80 fragment = 'ref' url = '/path' path = '/path' scheme = 'http' @AndreasZeller

  26. Grammar Inference • For each ( var , value ) we fj nd during execution, where value is a substring of input : 1. Replace all occurrences of value by $ VAR 2. Add a new rule $VAR ::= value $START ::= $SCHEME://$NETLOC/path#ref 
 $NETLOC ::= user:pass@www.google.com:80 
 $SCHEME ::= http fragment = 'ref' url = '/path' path = '/path' @AndreasZeller

  27. Grammar Inference • For each ( var , value ) we fj nd during execution, where value is a substring of input : 1. Replace all occurrences of value by $ VAR 2. Add a new rule $VAR ::= value $START ::= $SCHEME://$NETLOC$PATH#ref 
 $NETLOC ::= user:pass@www.google.com:80 
 $SCHEME ::= http 
 $PATH ::= /path fragment = 'ref' url = '/path' @AndreasZeller

  28. Grammar Inference • For each ( var , value ) we fj nd during execution, where value is a substring of input : 1. Replace all occurrences of value by $ VAR 2. Add a new rule $VAR ::= value $START ::= $SCHEME://$NETLOC$PATH#$FRAGMENT 
 $NETLOC ::= user:pass@www.google.com:80 
 $SCHEME ::= http 
 $PATH ::= /path $FRAGMENT ::= ref url = '/path' @AndreasZeller

  29. Grammar Inference • For each ( var , value ) we fj nd during execution, where value is a substring of input : 1. Replace all occurrences of value by $ VAR 2. Add a new rule $VAR ::= value $START ::= $SCHEME://$NETLOC$PATH#$FRAGMENT 
 $NETLOC ::= user:pass@www.google.com:80 
 $SCHEME ::= http 
 $PATH ::= $URL $FRAGMENT ::= ref $URL ::= /path @AndreasZeller

  30. Demo @AndreasZeller

  31. AUTOGRAM AUTOGRAM: a grammar miner for Java programs Uses active learning to infer • repetitions • optional parts • common elements (numbers, identi fj ers…) Höschele, Zeller: "Mining Input Grammars from Dynamic Taints", ASE 2016 @AndreasZeller

  32. URLs http://user:password@www.google.com:80/command?foo=bar&lorem=ipsum#fragment http://www.guardian.co.uk/sports/worldcup#results ftp://bob:12345@ftp.example.com/oss/debian7.iso URL ::= PROTOCOL '://' AUTHORITY PATH ['?' QUERY] ['#' REF] AUTHORITY ::= [USERINFO '@'] HOST [':' PORT] PROTOCOL ::= 'http' | 'ftp' USERINFO ::= /[a-z]+:[a-z]+/ HOST ::= /[a-z.]+/ PORT ::= '80' PATH ::= /\/[a-z0-9.\/]*/ QUERY ::= 'foo=bar&lorem=ipsum' REF ::= /[a-z]+/ @AndreasZeller

  33. INI Files INI ::= LINE+ [Application] LINE ::= SECTION_LINE '\r' 
 Version = 0.5 | OPTION_LINE ['\r'] WorkingDir = /tmp/mydir/ SECTION_LINE ::= '[' KEY ']' [User] OPTION_LINE ::= KEY ' = ' VALUE User = Bob KEY ::= /[a-zA-Z]*/ Password = 12345 VALUE ::= /[a-zA-Z0-9\/]/ @AndreasZeller

  34. JSON Input JSON ::= VALUE 
 VALUE ::= JSONOBJECT | ARRAY | STRINGVALUE | TRUE | FALSE | NULL | NUMBER TRUE ::= ’true’ FALSE ::= ’false’ { NULL ::= ’null’ NUMBER ::= [’-’] /[0-9]+/ "v": true, STRINGVALUE ::= ’"’ INTERNALSTRING ’"’ "x": 25, INTERNALSTRING ::= /[a-zA-Z0-9 ]+/ "y": -36, ARRAY ::= ’[’ … [VALUE [’,’ VALUE]+] } ’]’ JSONOBJECT ::= ’{’ [STRINGVALUE ’:’ VALUE [’,’ STRINGVALUE ’:’ VALUE] 
 +] 
 '}' @AndreasZeller

  35. Testing with Mined Grammars Inputs Program Tests Grammar @AndreasZeller

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Advances in Logical Grammar: Course Overview Carl Pollard Department of Linguistics Ohio State

Advances in Logical Grammar: Course Overview Carl Pollard Department of Linguistics Ohio State

Advances in Logical Grammar: Course Overview Carl Pollard Department of Linguistics Ohio State University June 6, 2012 Carl Pollard Advances in Logical Grammar: Course Overview What this Course is About (1/2) Using mathematical logic to

218 views • 7 slides
A .NET-based Test-Data Generator for Combinatorial Grammar- and Schema-based Testing Vadim

A .NET-based Test-Data Generator for Combinatorial Grammar- and Schema-based Testing Vadim

A .NET-based Test-Data Generator for Combinatorial Grammar- and Schema-based Testing Vadim Zaytsev with: Ralf L ammel (VU), Wolfram Schulte (MSR) 14 April 2004 Grammar ware grammars grammar-dependent software In this project:

450 views • 17 slides
Combinatorial Interaction Testing for Test Selection in Grammar-Based Testing Elke Salecker,

Combinatorial Interaction Testing for Test Selection in Grammar-Based Testing Elke Salecker,

Combinatorial Interaction Testing for Test Selection in Grammar-Based Testing Elke Salecker, Sabine Glesner Technical University of Berlin, Germany Workshop on Combinatorial Testing (CT) 2012 Montreal, Canada Introduction Background Approach

632 views • 45 slides
Advances in Logical Grammar: Review of Typed Lambda Calculus Carl Pollard Department of

Advances in Logical Grammar: Review of Typed Lambda Calculus Carl Pollard Department of

Advances in Logical Grammar: Review of Typed Lambda Calculus Carl Pollard Department of Linguistics Ohio State University June 6, 2012 Carl Pollard Advances in Logical Grammar: Review of Typed Lam The Two Sides of Typed Lambda Calculus A

628 views • 27 slides
RE-TARGETABLE GRAMMAR BASED TEST CASE GENERATION 2 TESTING PARSERS IS HARD 3 HOW WE GOT

RE-TARGETABLE GRAMMAR BASED TEST CASE GENERATION 2 TESTING PARSERS IS HARD 3 HOW WE GOT

JOE ROZNER / @JROZNER RE-TARGETABLE GRAMMAR BASED TEST CASE GENERATION 2 TESTING PARSERS IS HARD 3 HOW WE GOT HERE Mostly clean room (ish) implementation of complex languages (context-free- ish) ~35k lines of grammar in total

400 views • 19 slides
Syntax-based test coverage (part 2) - grammar-based testing - Basic grammar concepts

Syntax-based test coverage (part 2) - grammar-based testing - Basic grammar concepts

Syntax-based test coverage (part 2) - grammar-based testing - Basic grammar concepts Syntax-based Coverage Criteria Specification-based Grammars Input Space Grammars Verificao e Validao de Software Departamento de Informtica

460 views • 27 slides
Advances in proof mining Andrei Sipos , September 14, 2020 University of Bucharest Lectureship

Advances in proof mining Andrei Sipos , September 14, 2020 University of Bucharest Lectureship

Advances in proof mining Andrei Sipos , September 14, 2020 University of Bucharest Lectureship Competition Bucures ti, Rom ania Proof mining This, as the title says, is a talk on proof mining : an applied subfield of mathematical logic

2.21k views • 156 slides
Tools for Testing Mitochondrial Disorders: The Latest Advances in Genetics and Genomics

Tools for Testing Mitochondrial Disorders: The Latest Advances in Genetics and Genomics

Tools for Testing Mitochondrial Disorders: The Latest Advances in Genetics and Genomics What is genomic sequencing and how does it change testing for mitochondrial disorders? Is NextGen testing appropriate for all people with

665 views • 43 slides
Smart Testing with AI Using Data Mining Presented by:

Smart Testing with AI Using Data Mining Presented by:

T16 Analytics in Testing Thursday, October 3rd, 2019 1:30 PM Smart Testing with AI Using Data Mining Presented by: Lorna

655 views • 32 slides
Topic III: Significance Testing Discrete Topics in Data Mining Universitt des Saarlandes,

Topic III: Significance Testing Discrete Topics in Data Mining Universitt des Saarlandes,

Topic III: Significance Testing Discrete Topics in Data Mining Universitt des Saarlandes, Saarbrcken Winter Semester 2012/13 T III.Intro- 1 T III: Significance Testing 1. Hypothesis Testing 1.1. Null Hypotheses and p -values 1.2.

362 views • 32 slides
Advances in Mutation Testing Research for C++ Pedro Delgado-Prez TAROT: Intro Talk June 2015

Advances in Mutation Testing Research for C++ Pedro Delgado-Prez TAROT: Intro Talk June 2015

Introduction Mutation Operators Conclusion Advances in Mutation Testing Research for C++ Pedro Delgado-Prez TAROT: Intro Talk June 2015 P. Delgado-Prez UCASE (University of Cdiz) Advances in Mutation Testing Research for C++ TAROT:

694 views • 45 slides
Web Mining Web Mining Web Mining Web Mining Web mining is the use of data mining techniques

Web Mining Web Mining Web Mining Web Mining Web mining is the use of data mining techniques

What is Web Mining? Wh t i W b Mi i What is Web Mining? Wh t i W b Mi i ? ? Web Mining Web Mining Web Mining Web Mining Web mining is the use of data mining techniques to automat cally d scover and extract nformat on automatically

774 views • 20 slides
Grammarware Application: Testing XML Validators Vadim Zaytsev 26 November 2004 1 The story of

Grammarware Application: Testing XML Validators Vadim Zaytsev 26 November 2004 1 The story of

Grammarware Application: Testing XML Validators Vadim Zaytsev 26 November 2004 1 The story of one grammar-based tool 2 Grammar ware and XML As it was told, grammarware is more than just compilers! eXtensible Markup Language has a

747 views • 38 slides
ADVANCES IN BIOMARKER TESTING FOR SEPSIS AND BACTERIAL INFECTIONS ERIC H GLUCK MD JD FCCP FCCM

ADVANCES IN BIOMARKER TESTING FOR SEPSIS AND BACTERIAL INFECTIONS ERIC H GLUCK MD JD FCCP FCCM

ADVANCES IN BIOMARKER TESTING FOR SEPSIS AND BACTERIAL INFECTIONS ERIC H GLUCK MD JD FCCP FCCM DIRECTOR OF CRITICAL SERVICES SWEDISH COVENANT HOSPTIAL DISCLOSURES: Speaking engagements and consulting: Thermo Fisher Scientific, Middletown,

861 views • 46 slides
Recent Advances in Designing, Monitoring, Modeling and Testing Deep Foundations in North America

Recent Advances in Designing, Monitoring, Modeling and Testing Deep Foundations in North America

Proceedings CIGMAT-2007 Conference &amp; Exhibition Recent Advances in Designing, Monitoring, Modeling and Testing Deep Foundations in North America C. Vipulanandan, Ph.D., P.E. P P Chairman, Professor and Director of Center for Innovative

534 views • 25 slides
Introduction to English Linguistics 4: Grammar and Syntax I Grammar and Syntax Grammar The

Introduction to English Linguistics 4: Grammar and Syntax I Grammar and Syntax Grammar The

Introduction to English Linguistics 4: Grammar and Syntax I Grammar and Syntax Grammar The rules of language, comprising syntax and inflectional morphology Syntax The hierarchical structure of language Lexical Words (Open Class) Noun

539 views • 31 slides
A Mirage of Persistent I nequality? Comparative Educational Opportunity over the Long Haul Tony

A Mirage of Persistent I nequality? Comparative Educational Opportunity over the Long Haul Tony

A Mirage of Persistent I nequality? Comparative Educational Opportunity over the Long Haul Tony Tam Harry B.G. Ganzeboom May 15, 2009 The Starting Point Shavit and Blossfeld (1993, SB93) is a major citation hit, with Google Scholar now

360 views • 25 slides
Routing Computer Center, CS, NCTU Why dynamic route ? (1) Static route is ok only when

Routing Computer Center, CS, NCTU Why dynamic route ? (1) Static route is ok only when

Routing Computer Center, CS, NCTU Why dynamic route ? (1) Static route is ok only when Network is small There is a single connection point to other network No redundant route 2 Computer Center, CS, NCTU Why dynamic route ? (2)

623 views • 28 slides
Geothermal projects: Exploration, Drilling, Plant, Exploitation, Operation&amp; Maintenance

Geothermal projects: Exploration, Drilling, Plant, Exploitation, Operation&amp; Maintenance

Geothermal projects: Exploration, Drilling, Plant, Exploitation, Operation&amp; Maintenance Ruggero Bertani Geothermal Innovation &amp; Sustainability Enel Green Power Trieste, December 2015 The Geothermal Value Chain Integrated business

1.37k views • 67 slides
Intelligent Agents for Battle Command Services TITAN ATO ID&amp;M Dr. Israel Mayk C2

Intelligent Agents for Battle Command Services TITAN ATO ID&amp;M Dr. Israel Mayk C2

Intelligent Agents for Battle Command Services TITAN ATO ID&amp;M Dr. Israel Mayk C2 Directorate (C2D) US Army Research, Development and Engineering Command (RDECOM) Communications-Electronics Research, Development and Engineering Center

458 views • 21 slides
Peering Planning Cooperation w ithout Revealing Confidential I nform ation Arman Maghbouleh am

Peering Planning Cooperation w ithout Revealing Confidential I nform ation Arman Maghbouleh am

Peering Planning Cooperation w ithout Revealing Confidential I nform ation Arman Maghbouleh am at cariden dot com Apricot 2006 Perth, Australia w w w .cariden.com (c) cariden technologies Failover Matrices Cariden 1 APRI COT 2006 The I

567 views • 21 slides
CS641 Advanced Computer Networks Lecture 04 Bhaskaran Raman Department of CSE, IIT Bombay

CS641 Advanced Computer Networks Lecture 04 Bhaskaran Raman Department of CSE, IIT Bombay

CS641 Advanced Computer Networks Lecture 04 Bhaskaran Raman Department of CSE, IIT Bombay http://www.cse.iitb.ac.in/~br/ http://www.cse.iitb.ac.in/synerg/doku.php?id=public:courses:cs641-autumn10:start Outline for Today Recall: routing

337 views • 11 slides
Chapter 2: Configuring the Enhanced Interior Gateway Routing Protocol CCNP-RS ROUTE Ali

Chapter 2: Configuring the Enhanced Interior Gateway Routing Protocol CCNP-RS ROUTE Ali

Chapter 2: Configuring the Enhanced Interior Gateway Routing Protocol CCNP-RS ROUTE Ali Aydemir Chapter 2 Objectives Describe the basic operation of EIGRP. Plan and implement EIGRP routing. Configure and verify EIGRP routing.

2.02k views • 177 slides
Enterprise Routing Design Xin Sun (Florida International U.), Sanjay G. Rao (Purdue U.) and

Enterprise Routing Design Xin Sun (Florida International U.), Sanjay G. Rao (Purdue U.) and

Modeling the Complexity of Enterprise Routing Design Xin Sun (Florida International U.), Sanjay G. Rao (Purdue U.) and Geoffrey G. Xie (Naval Postgraduate School) 1 The costs of complexity We propose that this trend [towards more

469 views • 29 slides

More recommend