caradoc a pragmatic approach to pdf parsing and validation
play

Caradoc: a Pragmatic Approach to PDF Parsing and Validation IEEE - PowerPoint PPT Presentation

Jan 09, 2024 •485 likes •842 views

Caradoc: a Pragmatic Approach to PDF Parsing and Validation IEEE Security & Privacy LangSec Workshop 2016 Guillaume Endignoux Olivier Levillain Jean-Yves Migeon cole Polytechnique, France EPFL, Switzerland ANSSI, France Thursday 26 th

  1. Caradoc: a Pragmatic Approach to PDF Parsing and Validation IEEE Security & Privacy LangSec Workshop 2016 Guillaume Endignoux Olivier Levillain Jean-Yves Migeon École Polytechnique, France EPFL, Switzerland ANSSI, France Thursday 26 th May, 2016 1 / 29

  2. Portable Document Format ? A commonly used format, but many security issues: 500+ reported vulnerabilities in Adobe Reader 1 (since 1999). Discrepancies between implementations. Syntax facilitates polymorphism 2 (PDF+ZIP, PDF+JPEG, etc.). 1 http://www.cvedetails.com 2 See for example PoC||GTFO 2 / 29

  3. Portable Document Format ? A commonly used format, but many security issues: 500+ reported vulnerabilities in Adobe Reader 1 (since 1999). Discrepancies between implementations. Syntax facilitates polymorphism 2 (PDF+ZIP, PDF+JPEG, etc.). In our work, we aim at verifying PDFs from syntactic level. Two approaches to validate files: Blacklist : does not detect new malware... Whitelist : higher rejection rate, but accepted files are clean. 1 http://www.cvedetails.com 2 See for example PoC||GTFO 2 / 29

  4. Table of contents Syntactic and structural problems: a quick tour 1 2 Caradoc: a pragmatic solution 3 Application to real-world files 3 / 29

  5. Table of contents Syntactic and structural problems: a quick tour 1 2 Caradoc: a pragmatic solution 3 Application to real-world files 4 / 29

  6. PDF syntax 101 A PDF document is made of objects: null booleans: true , false numbers: 123 , -4.56 strings: (foo) names: /bar arrays: [1 2 3] , [(foo) /bar] dictionaries: << /key (value) /foo 123 >> references: 1 0 obj ... endobj and 1 0 R streams: << ... >> stream ... endstream 5 / 29

  7. Structure of a PDF file %PDF-1.7 1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj Header 2 0 obj Object << /Type /Pages /Count 1 /Kids [3 0 R] >> endobj Object ... xref 0 6 Reference table 0000000000 65536 f 0000000009 00000 n Trailer 0000000060 00000 n ... End-of-file trailer << /Size 6 /Root 1 0 R >> startxref 428 %%EOF Organization of a simple PDF file. 6 / 29

  8. Structure of a PDF file %PDF-1.7 xref 0 6 Header 0000000000 65536 f 0000000009 00000 n Objects 0000000060 00000 n More complex structures: ... ... Original file trailer << /Size 6 /Root 1 0 R >> Table + trailer #1 incremental updates, startxref 428 End-of-file #1 %%EOF object streams, Objects xref ... 0 3 Incremental 0000000002 65536 f linearization. Table + trailer #2 0000000567 00001 n update 0000000000 00001 f 6 1 End-of-file #2 0000001234 00000 n trailer << /Size 7 /Root 1 1 R /Prev 428 >> startxref 1347 %%EOF Incremental update. 7 / 29

  9. Logical structure of a PDF file Document of 17 pages (about 1000 objects). 8 / 29

  10. Graph organization The graph of objects is organized into sub-structures, especially trees. Page tree. Catalog Root of the page tree Node Page 3 Page 4 Page 1 Page 2 9 / 29

  11. Graph organization The table of contents uses doubly-linked lists. Table of contents. Outline root Catalog Chapter Chapter Chapter Section Section Section 10 / 29

  12. Problematic structure An attacker may write an invalid structure. Invalid table of contents. Outline root Catalog Chapter Chapter Chapter Section Section Section 11 / 29

  13. Demonstration Demonstration: two examples Loop in the outline structure https://github.com/ANSSI-FR/caradoc/blob/master/test_files/negative/outlines/cycle.pdf Polymorphic file https://github.com/ANSSI-FR/caradoc/blob/master/test_files/negative/polymorph/polymorph.pdf These files were reported to software editors. 12 / 29

  14. Demonstration These problems may lead to several attacks: Attacks on the structure (denial of service). Evasion techniques (attacks taking advantage of implementation discrepancies). 13 / 29

  15. Table of contents Syntactic and structural problems: a quick tour 1 2 Caradoc: a pragmatic solution 3 Application to real-world files 14 / 29

  16. Solution proposals Caradoc verifies a document at three levels: File syntax. Objects consistency (type checking). Higher-level verifications (graph, etc.). 15 / 29

  17. Syntax restriction At syntax level, guarantee extraction of objects without ambiguity: Grammar formalization 3 (BNF). Structure restrictions (no updates, no linearization , etc.). Systematic rejection of “corrupted” files. 3 https://github.com/ANSSI-FR/caradoc/tree/master/doc/grammar 16 / 29

  18. Syntax restriction At syntax level, guarantee extraction of objects without ambiguity: Grammar formalization 3 (BNF). Structure restrictions (no updates, no linearization , etc.). Systematic rejection of “corrupted” files. When a conforming reader reads a PDF file with a damaged or missing cross-reference table, it may attempt to rebuild the table by scanning all the objects in the file. — ISO 32000-1:2008, annex C.2 3 https://github.com/ANSSI-FR/caradoc/tree/master/doc/grammar 16 / 29

  19. Type checking At object level: guarantee semantic consistency. For this purpose: type checking algorithm. 17 / 29

  20. Type checking trailer 1 0 obj << /Size 7 << /Type /Catalog /Pages 2 0 R >> /Root 1 0 R endobj /Info 6 0 R >> 6 0 obj << 2 0 obj /Author (G. E.) << /Type /Pages /Count 1 /Kids [3 0 R] >> >> endobj endobj 3 0 obj << 5 0 obj << /Type /Page /Name /F1 /MediaBox [0 0 700 200] /BaseFont /Helvetica /Parent 2 0 R /Type /Font /Contents 4 0 R /Subtype /Type1 /Resources << /Font << /F1 5 0 R >> >> >> endobj >> endobj 4 0 obj << /Length 35 >> stream BT /F1 100 Tf (Hello world !) Tj ET endstream endobj Example on a Hello World file. 18 / 29

  21. Type checking trailer 1 0 obj << /Size 7 << /Type /Catalog /Pages 2 0 R >> /Root 1 0 R endobj /Info 6 0 R >> 6 0 obj << 2 0 obj /Author (G. E.) << /Type /Pages /Count 1 /Kids [3 0 R] >> >> endobj endobj 3 0 obj << 5 0 obj << /Type /Page /Name /F1 /MediaBox [0 0 700 200] /BaseFont /Helvetica /Parent 2 0 R /Type /Font /Contents 4 0 R /Subtype /Type1 /Resources << /Font << /F1 5 0 R >> >> >> endobj >> endobj 4 0 obj << /Length 35 >> stream BT /F1 100 Tf (Hello world !) Tj ET endstream endobj Constraint propagation. 19 / 29

  22. Type checking trailer 1 0 obj << /Size 7 << /Type /Catalog /Pages 2 0 R >> /Root 1 0 R endobj /Info 6 0 R >> 6 0 obj << 2 0 obj /Author (G. E.) << /Type /Pages /Count 1 /Kids [3 0 R] >> >> endobj endobj 3 0 obj << 5 0 obj << /Type /Page /Name /F1 /MediaBox [0 0 700 200] /BaseFont /Helvetica /Parent 2 0 R /Type /Font /Contents 4 0 R /Subtype /Type1 /Resources << /Font << /F1 5 0 R >> >> >> endobj >> endobj 4 0 obj << /Length 35 >> stream BT /F1 100 Tf (Hello world !) Tj ET endstream endobj Constraint propagation. 19 / 29

  23. Type checking trailer 1 0 obj << /Size 7 << /Type /Catalog /Pages 2 0 R >> /Root 1 0 R endobj /Info 6 0 R >> 6 0 obj << 2 0 obj /Author (G. E.) << /Type /Pages /Count 1 /Kids [3 0 R] >> >> endobj endobj 3 0 obj << 5 0 obj << /Type /Page /Name /F1 /MediaBox [0 0 700 200] /BaseFont /Helvetica /Parent 2 0 R /Type /Font /Contents 4 0 R /Subtype /Type1 /Resources << /Font << /F1 5 0 R >> >> >> endobj >> endobj 4 0 obj << /Length 35 >> stream BT /F1 100 Tf (Hello world !) Tj ET endstream endobj Constraint propagation. 19 / 29

  24. Type checking trailer 1 0 obj << /Size 7 << /Type /Catalog /Pages 2 0 R >> /Root 1 0 R endobj /Info 6 0 R >> 6 0 obj << 2 0 obj /Author (G. E.) << /Type /Pages /Count 1 /Kids [3 0 R] >> >> endobj endobj 3 0 obj << 5 0 obj << /Type /Page /Name /F1 /MediaBox [0 0 700 200] /BaseFont /Helvetica /Parent 2 0 R /Type /Font /Contents 4 0 R /Subtype /Type1 /Resources << /Font << /F1 5 0 R >> >> >> endobj >> endobj 4 0 obj << /Length 35 >> stream BT /F1 100 Tf (Hello world !) Tj ET endstream endobj Constraint propagation. 19 / 29

  25. Type checking trailer 1 0 obj << /Size 7 << /Type /Catalog /Pages 2 0 R >> /Root 1 0 R endobj /Info 6 0 R >> 6 0 obj << 2 0 obj /Author (G. E.) << /Type /Pages /Count 1 /Kids [3 0 R] >> >> endobj endobj 3 0 obj << 5 0 obj << /Type /Page /Name /F1 /MediaBox [0 0 700 200] /BaseFont /Helvetica /Parent 2 0 R /Type /Font /Contents 4 0 R /Subtype /Type1 /Resources << /Font << /F1 5 0 R >> >> >> endobj >> endobj 4 0 obj << /Length 35 >> stream BT /F1 100 Tf (Hello world !) Tj ET endstream endobj Constraint propagation. 19 / 29

  26. Type checking action page destination annotation resource outline content stream font name tree other Types of a 17-page document. 20 / 29

  27. More complex verifications At a higher level: Verification of tree structures (page tree, outlines, etc.). Other verifications easily integrable in the future (fonts, images, existing analyses, etc.). 21 / 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Pragmatic Approach Towards The Regulation of Botanical Food

A Pragmatic Approach Towards The Regulation of Botanical Food

A Pragmatic Approach Towards The Regulation of Botanical Food Supplements Overview 1. Botanicals 2. Basic Principles 3. Current Situation 4. Safety 1. Quality standards 2. Inventory of the

557 views • 16 slides
A Hierarchal Approach to Validation Experiments in Magnetic Fusion Science Validation

A Hierarchal Approach to Validation Experiments in Magnetic Fusion Science Validation

A Hierarchal Approach to Validation Experiments in Magnetic Fusion Science Validation Experiments Working Group US Transport Task Force P.W. Terry, T. Carter, C. Hegna, C. Holland, M. GIlmore, M. Greenwald, B. LaBombard, R. Majeski, D.E.

593 views • 24 slides
A pragmatic approach to the phenomenon of presupposition conditionalization Amaia Garcia-Odon

A pragmatic approach to the phenomenon of presupposition conditionalization Amaia Garcia-Odon

A pragmatic approach to the phenomenon of presupposition conditionalization Amaia Garcia-Odon UPV-EHU/ U. Konstanz DIP Colloquium Outline The projection problem of presupposition 1 The proposal 2 Pragmatic constraints on projection

618 views • 47 slides
Workshop on process validation Session 2: Enhanced approach Kowid Ho Process validation for

Workshop on process validation Session 2: Enhanced approach Kowid Ho Process validation for

Workshop on process validation Session 2: Enhanced approach Kowid Ho Process validation for process development following traditional vs enhanced approach Same objective: To establish scientific evidence that a process is capable of

347 views • 6 slides
Module 4: XML Representation Concepts Parsing and Validation Schemas Munindar P. Singh, CSC

Module 4: XML Representation Concepts Parsing and Validation Schemas Munindar P. Singh, CSC

Module 4: XML Representation Concepts Parsing and Validation Schemas Munindar P. Singh, CSC 513, Spring 2008 c p.106 What is Metadata? Literally, data about data Description of data that captures some useful property regarding its

1.02k views • 59 slides
Tuesday 9 th April 2013 Process Validation-Enhanced Approach Continuous Process Verification

Tuesday 9 th April 2013 Process Validation-Enhanced Approach Continuous Process Verification

EMA Expert Workshop on Validation of Manufacturing for Biological Medicinal Products Tuesday 9 th April 2013 Process Validation-Enhanced Approach Continuous Process Verification Brendan Hughes Agenda Definition and purpose of validation

730 views • 18 slides
Interoperability Now! A pragmatic Approach to Interoperability in Language Technology Sven C.

Interoperability Now! A pragmatic Approach to Interoperability in Language Technology Sven C.

Interoperability Now! A pragmatic Approach to Interoperability in Language Technology Sven C. Andr Founder and CEO of ONTRAM Inc./Andr AG Based on a Collaboration Effort with Kilgray, Welocalize, Medtronic and Bioloom W3C Multilingual

506 views • 24 slides
Pragmatic Agility Pragmatic Agility Presented by: Andy Hunt The Pragmatic Programmers

Pragmatic Agility Pragmatic Agility Presented by: Andy Hunt The Pragmatic Programmers

W11 Concurrent Session Wednesday 11/12/2008 12:45 PM 2:15 PM Pragmatic Agility Pragmatic Agility Presented by: Andy Hunt The Pragmatic Programmers Presented at: Agile Development Practices 2008 November 10 - 14, Orlando, FL., USA 330

61 views • 3 slides
Redis Cluster a pragmatic approach to distribution All nodes are directly connected with a

Redis Cluster a pragmatic approach to distribution All nodes are directly connected with a

Redis Cluster a pragmatic approach to distribution All nodes are directly connected with a service channel. TCP baseport+4000, example 6379 -&gt; 10379. Node to Node protocol is binary, optimized for bandwidth and speed. Clients talk to

624 views • 17 slides
Industry 4.0 in Glass Needs a pragmatic approach Presented by: Christian Megret September

Industry 4.0 in Glass Needs a pragmatic approach Presented by: Christian Megret September

Industry 4.0 in Glass Needs a pragmatic approach Presented by: Christian Megret September 2017 Confidential Property of Schneider Electric Industry 4.0: According to Wikipedia Industry 4.0 is a name for the current trend of automation and

621 views • 20 slides
CSC 4181 Compiler Construction Parsing 1 1 Outline Top-down v.s. Bottom-up Top-down parsing

CSC 4181 Compiler Construction Parsing 1 1 Outline Top-down v.s. Bottom-up Top-down parsing

CSC 4181 Compiler Construction Parsing 1 1 Outline Top-down v.s. Bottom-up Top-down parsing Bottom-up parsing Recursive-descent Shift-reduce parsers parsing LR(0) parsing LL(1) parsing LR(0) items LL(1) parsing

429 views • 29 slides
Introduction to Bottom-Up Parsing Shift-reduce parsing The LR parsing algorithm

Introduction to Bottom-Up Parsing Shift-reduce parsing The LR parsing algorithm

Outline Review LL parsing Introduction to Bottom-Up Parsing Shift-reduce parsing The LR parsing algorithm Constructing LR parsing tables 2 Top-Down Parsing: Review Top-Down Parsing: Review Top-down parsing expands a

470 views • 13 slides
A Three-Layered Approach to Facade Parsing Anelo Martinovi 1 Markus Mathias 1 Julien

A Three-Layered Approach to Facade Parsing Anelo Martinovi 1 Markus Mathias 1 Julien

Introduction Our Approach Results And Evaluation Summary A Three-Layered Approach to Facade Parsing Anelo Martinovi 1 Markus Mathias 1 Julien Weissenberg 2 Luc Van Gool 1 , 2 1 ESAT-PSI/VISICS, KU Leuven 2 Computer Vision Laboratory, ETH

338 views • 31 slides
Tuesday 9 th April 2013 Process Validation-Enhanced Approach Scale down models Frank Zettl Key

Tuesday 9 th April 2013 Process Validation-Enhanced Approach Scale down models Frank Zettl Key

EMA Expert Workshop on Validation of Manufacturing for Biological Medicinal Products Tuesday 9 th April 2013 Process Validation-Enhanced Approach Scale down models Frank Zettl Key elements enhanced approach Extensive and intensive process

409 views • 16 slides
Performance of Scientific Applications Lonnie D. Crosby, R. Glenn Brook, Bhanu Rekapalli,

Performance of Scientific Applications Lonnie D. Crosby, R. Glenn Brook, Bhanu Rekapalli,

A Pragmatic Approach to Improving the Large-scale Parallel I/O Performance of Scientific Applications Lonnie D. Crosby, R. Glenn Brook, Bhanu Rekapalli, Mikhail Sekachev, Aaron Vose, and Kwai Wong A Pragmatic Approach Data Movement

393 views • 17 slides
North Meadows Secondary Plan MUNICIPALITY OF STRATHROY-CARADOC Initial Public Meeting May 15,

North Meadows Secondary Plan MUNICIPALITY OF STRATHROY-CARADOC Initial Public Meeting May 15,

North Meadows Secondary Plan MUNICIPALITY OF STRATHROY-CARADOC Initial Public Meeting May 15, 2019 Why We Are Here Introductions and Overview Examine opportunities to accommodate growth and development Gather thoughts and

197 views • 17 slides
PDF in Smalltalk Chris1an Haider Introduc1on PDF is a

PDF in Smalltalk Chris1an Haider Introduc1on PDF is a

PDF in Smalltalk Chris1an Haider Introduc1on PDF is a graphics Model a document Format Graphics 2D Vector Graphics Mathema1cal Paths

718 views • 42 slides
This Time Font hunt you down in 4 bytes! FROM KERNEL ESCAPE TO SYSTEM CALC @promised_lu

This Time Font hunt you down in 4 bytes! FROM KERNEL ESCAPE TO SYSTEM CALC @promised_lu

This Time Font hunt you down in 4 bytes! FROM KERNEL ESCAPE TO SYSTEM CALC @promised_lu @zer0mem TTF TECHNIQUE what ? data to kernel Pinging TTF bitmap wants to help! Different bit of math instead

735 views • 50 slides
Graphics Lecture 18 COP 3252 Summer 2017 June 6, 2017 Graphics classes In the original

Graphics Lecture 18 COP 3252 Summer 2017 June 6, 2017 Graphics classes In the original

Graphics Lecture 18 COP 3252 Summer 2017 June 6, 2017 Graphics classes In the original version of Java, graphics components were in the AWT library (Abstract Windows Toolkit) Was okay for developing simple GUI applications For

537 views • 18 slides
Cons nstruc ucting g Knowledg dge e Gr Graph ph from Un Unstruc uctur ured d Tex ext

Cons nstruc ucting g Knowledg dge e Gr Graph ph from Un Unstruc uctur ured d Tex ext

Cons nstruc ucting g Knowledg dge e Gr Graph ph from Un Unstruc uctur ured d Tex ext Kundan Kumar Siddhant Manocha Image Source: www.ibm.com/smarterplanet/us/en/ibmwatson/ MOTIVATION Image

1.02k views • 24 slides
HTML Hyper Text Markup Language HTML 4.0 has strict compliance with XML standard

HTML Hyper Text Markup Language HTML 4.0 has strict compliance with XML standard

HTML and XML Venkat Subramaniam svenkat@cs.uh.edu 1 HTML Hyper Text Markup Language HTML 4.0 has strict compliance with XML standard Presentation details presented with information using markups Browsers act as

607 views • 35 slides
Statistical graphics with Statistical graphics with ggplot2 ggplot2 Programming for Statistical

Statistical graphics with Statistical graphics with ggplot2 ggplot2 Programming for Statistical

Statistical graphics with Statistical graphics with ggplot2 ggplot2 Programming for Statistical Programming for Statistical Science Science Shawn Santo Shawn Santo 1 / 59 1 / 59 Supplementary materials Full video lecture available in

613 views • 59 slides
Quantitative Text Analysis. Applications to Social Media Research Pablo Barber a London

Quantitative Text Analysis. Applications to Social Media Research Pablo Barber a London

Quantitative Text Analysis. Applications to Social Media Research Pablo Barber a London School of Economics www.pablobarbera.com Course website: pablobarbera.com/text-analysis-vienna Automated Analysis of Social Media Text Workflow:

1.13k views • 12 slides
Sancus: Low-cost trustworthy extensible networked devices with a zero-software Trusted Computing

Sancus: Low-cost trustworthy extensible networked devices with a zero-software Trusted Computing

Sancus: Low-cost trustworthy extensible networked devices with a zero-software Trusted Computing Base Pieter Agten Wilfried Daniels Raoul Strackx Job Noorman Anthony Van Herrewege Christophe Huygens Bart Preneel Ingrid Verbauwhede Frank

806 views • 67 slides

More recommend