dissecting media file formats with kaitai struct
play

Dissecting media file formats with Kaitai Struct FOSDEM 2017 - PowerPoint PPT Presentation

Mar 24, 2024 •141 likes •396 views

Dissecting media file formats with Kaitai Struct FOSDEM 2017 Mikhail Yakshin (GreyCat) Kaitai Project http://kaitai.io/ Twitter: @kaitai_io File formats: a problem? Media software developers have to deal with multitude of different

  1. Dissecting media file formats with Kaitai Struct FOSDEM 2017 Mikhail Yakshin (GreyCat) Kaitai Project http://kaitai.io/ Twitter: @kaitai_io

  2. File formats: a problem? ● Media software developers have to deal with multitude of different media file formats ● Some of them are proprietary and undocumented → need to be reverse engineered ● Some of them are documented, but still parsing binary files is pain

  3. The mission: from stream to memory (and back)

  4. Typical development workflow ● Write some parsing code in a certain programming language ● Write some extra debugging code (dump to screen, check assertions, etc) ● Debug it till you drop – with dumping – with debugger – with asserts, etc ● Want to support some other programming language? Redo from start.

  5. Almost every media format library has these “dumping” tools ● libpng (PNG) – pnginfo, pngcp, pngchunkdesc, pngchunks ● openjpeg2 (JPEG 2000) – opj_decompress, opj_compress, opj_dump ● libogg (Ogg) – ogginfo ● swftools (Adobe Flash) – swfdump, swfextract, swfrender, ...

  6. Errors in file format libraries are devastatingly dangerous ● Almost always remotely exploitable, frequently provide arbitrary code execution, information leaking, DoS ● libpng: since 2010: – 22 vulnerabilities – 15 DoS – 13 overflow / code execution ● libjpeg – 4 vulnerabilities – 3 infoleaks – 1 code execution

  7. File formats description: no single standard ELF Header Some object f le control structures can grow, because the ELF header contains their actual sizes. If the object f le format changes, a program may encounter control structures that are larger or smaller than expected. Programs might therefore ignore ‘‘extra’’ information. The treatment of ‘‘missing’’ informa- tion depends on context and will be specif ed when and if extensions are def ned. Figure 1-3: ELF Header # d e f i n e E I _ N I D E N T 1 6 t y p e d e f s t r u c t { u n s i g n e d c h a r e _ i d e n t [ E I _ N I D E N T ] ; E l f 3 2 _ H a l f e _ t y p e ; E l f 3 2 _ H a l f e _ m a c h i n e ; E l f 3 2 _ W o r d e _ v e r s i o n ; E l f 3 2 _ A d d r e _ e n t r y ; E l f 3 2 _ O f f e _ p h o f f ; E l f 3 2 _ O f f e _ s h o f f ; E l f 3 2 _ W o r d e _ f l a g s ; E l f 3 2 _ H a l f e _ e h s i z e ; E l f 3 2 _ H a l f e _ p h e n t s i z e ; E l f 3 2 _ H a l f e _ p h n u m ; E l f 3 2 _ H a l f e _ s h e n t s i z e ; E l f 3 2 _ H a l f e _ s h n u m ; E l f 3 2 _ H a l f e _ s h s t r n d x ; } E l f 3 2 _ E h d r ; e_ident The initial bytes mark the f le as an object f le and provide machine-independent data with which to decode and interpret the f le’s contents. Complete descriptions appear below, in ‘‘ELF Identif cation.’’ e_type This member identif es the object f le type. _ _______________________________________ Name Value Meaning   ET_NONE 0 No f le type   ET_REL 1 Relocatable f le   ET_EXEC 2 Executable f le

  8. File formats description: no single standard C 768 J. Postel ISI 28 August 1980 User Datagram Protocol ---------------------- troduction ---------- is User Datagram Protocol (UDP) is defined to make available a tagram mode of packet-switched computer communication in the vironment of an interconnected set of computer networks. This otocol assumes that the Internet Protocol (IP) [1] is used as the derlying protocol. is protocol provides a procedure for application programs to send ssages to other programs with a minimum of protocol mechanism. The otocol is transaction oriented, and delivery and duplicate protection e not guaranteed. Applications requiring ordered reliable delivery of reams of data should use the Transmission Control Protocol (TCP) [2]. rmat ---- 0 7 8 15 16 23 24 31 +--------+--------+--------+--------+ | Source | Destination | | Port | Port | +--------+--------+--------+--------+ | | | | Length | Checksum | +--------+--------+--------+--------+ | | data octets ... +---------------- ... User Datagram Header Format elds ---- urce Port is an optional field, when meaningful, it indicates the port the sending process, and may be assumed to be the port to which a ply should be addressed in the absence of any other information. If t used, a value of zero is inserted.

  9. File formats description: no single standard

  10. Debugging networking protocols: they've got Wireshark

  11. Enter Kaitai Struct ● Declarative file format specification language (.ksy) ● Compiles into ready-made parsers in many supported target programming languages ● Visualization, dumping and debugging tools ● .ksy is YAML-based → easy to write your own tools ● Free & libre: – GPLv3 for compiler – MIT/Apache2 for runtime

  12. Supported target languages ● C++ (STL) ● Perl ● C# ● PHP ● Java ● Python ● JavaScript ● Ruby Bonus: GraphViz support

  13. Natural API generated by KS

  14. A picture worth a thousand words: Web IDE

  15. Console visualizer: JPEG

  16. Declarative, not imperative

  17. Kaitai Struct data types ● Built-in data types: – Integers – Floats – Unaligned bit integers and bit fields (0.6+) – Strings: fixed size, terminator-delimited, up to end of stream – Raw byte arrays – Enums ● User-defined data types

  18. Kaitia Struct features ● Sequential parsing (“seq”) ● Out-of-order parsing (“instances”) ● Calculated attributes ● Checking for magic signatures (fixed content) ● Conditional parsing (“if”) ● Type switching on a condition (“switch”) ● Repetitions: – until the end of stream – predefined number of iterations – until a condition is met

  19. Expression language to C++

  20. Expression language to Python

  21. Expression language to JavaScript

  22. GraphViz visualization: WMF Wmf Wmf::SpecialHeader pos size type id 0 4 D7 CD C6 9A magic 4 2 00 00 handle 6 2 s2le left 8 2 s2le top 10 2 s2le right 12 2 s2le bottom 14 2 u2le inch 16 4 00 00 00 00 reserved 20 2 u2le checksum Wmf::Header pos size type id → 0 2 u2le MetafileType metafile_type 2 2 u2le header_size 4 2 u2le version 6 4 u4le size 10 2 u2le number_of_objects pos size type id 12 4 u4le max_record 0 ... SpecialHeader special_header 16 2 u2le number_of_members ... ... Header header ... ... Record records Wmf::Record repeat until _.function == :func_eof pos size type id 0 4 u4le size → 4 2 u2le Func function 6 ((size - 3) * 2) params

  23. Is it production-ready? ● We've got a growing repository of formats ● Image files: bmp, cr2, exif, gif, jpeg, pcx, png, tiff, tim (PlayStation), wmf, xwd ● Video files: Microsoft AVI (.avi), QuickTime .mov / MP4 / ISO/IEC 14496-14:2003 ● Audio files: Standard MIDI (.mid), RIFF (.wav), ID3 tags, Amiga .mod modules ● More media files: Blender's .blend, 3D Systems Stereolithography (.stl)

  24. And more... ● Archives: .lzh, .zip ● Documents: Microsoft's Compount File Binary (CFB, AKA OLE) ● Executables: DOS MZ, Windows PE, ELF, Mach-O, Python bytecode (.pyc), Java classes (.class), Adobe Flash (.swf) ● Filesystems: cramfs, ext2, iso9660, MBR partition tables, VirtualBox disk images (.vdi) ● Networking

  25. Thanks for your attention! Questions? http://kaitai.io/ GitHub: http://github.com/kaitai-io/kaitai_struct/ Twitter: @kaitai_io Gitter: https://gitter.im/kaitai_struct/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Sequence File Formats Sequence File Formats Different formats for different uses

Sequence File Formats Sequence File Formats Different formats for different uses

Sequence File Formats Sequence File Formats Different formats for different uses Competing formats developed in parallel Some easy to read, some easy to write programs Dont have to stick to these formats, but parsers

210 views • 18 slides
FOSDEM17 OPEN MEDIA DEV ROOM Review and Wrap Up ! A. Kouadio - EBU This years Topics

FOSDEM17 OPEN MEDIA DEV ROOM Review and Wrap Up ! A. Kouadio - EBU This years Topics

FOSDEM17 OPEN MEDIA DEV ROOM Review and Wrap Up ! A. Kouadio - EBU This years Topics (Stress) Testing Fuzzing Quality Control Codecs MediaInfo AV1 Kaitai Struct Standards Subtitles (TTML) Audio - AES67/AES70 Frameworks for

290 views • 15 slides
Super Operations Dentry Operations Interacting with the VFS struct super_operations { struct

Super Operations Dentry Operations Interacting with the VFS struct super_operations { struct

V irtual Why add layers? Core Data Structures Only Exist Originally, operating systems supported just F ile system In Memory everything a process requires to file one file system. What changed? interact with an open file introduction of

65 views • 3 slides
Working with text xt file formats CSV, JSON, XML, Excel regular expressions module

Working with text xt file formats CSV, JSON, XML, Excel regular expressions module

Working with text xt file formats CSV, JSON, XML, Excel regular expressions module re, finditer Some fi file formats File extension Content File extension Description .html HyperText Markup Language .exe Windows executable

578 views • 15 slides
Working with text xt file formats CSV, JSON, XML, Excel regular expressions module

Working with text xt file formats CSV, JSON, XML, Excel regular expressions module

Working with text xt file formats CSV, JSON, XML, Excel regular expressions module re, finditer Some fi file formats File extension Content File extension Description .html HyperText Markup Language .exe Windows executable

413 views • 23 slides
types.h defs.h Page 1/1 Page 1/3 typedef unsigned int uint; struct buf; typedef unsigned short

types.h defs.h Page 1/1 Page 1/3 typedef unsigned int uint; struct buf; typedef unsigned short

types.h defs.h Page 1/1 Page 1/3 typedef unsigned int uint; struct buf; typedef unsigned short ushort; struct context; typedef unsigned char uchar; struct file; typedef uint pde_t; struct inode; struct pipe; 5 struct proc; struct spinlock;

191 views • 18 slides
CSE 451 Section 2 OSV Lab 1 Design 20wi Please pick up section handout as you come in :) File

CSE 451 Section 2 OSV Lab 1 Design 20wi Please pick up section handout as you come in :) File

CSE 451 Section 2 OSV Lab 1 Design 20wi Please pick up section handout as you come in :) File Information struct inode: information for the file on disk (e.g. type, location) struct file: current state of the open file (e.g. mode,

849 views • 28 slides
Open source software for the keen file formats Ramn photographer: file formats Casero Caas

Open source software for the keen file formats Ramn photographer: file formats Casero Caas

Open source software for the keen photographer: Open source software for the keen file formats Ramn photographer: file formats Casero Caas Introduction Digital workflow Ramn Casero Caas From camera to computer File formats

493 views • 32 slides
Scien&fic Data File Formats Han-Wei Shen The Ohio

Scien&fic Data File Formats Han-Wei Shen The Ohio

Scien&fic Data File Formats Han-Wei Shen The Ohio State University Scien&fic File Format Common scien&fic data file formats VTK

394 views • 25 slides
beautiful textures: patterns, tiles & formats creating seamless patterns on the example of a

beautiful textures: patterns, tiles & formats creating seamless patterns on the example of a

beautiful textures: patterns, tiles & formats creating seamless patterns on the example of a custom 404 page, with a look at suitable file formats for online use Prisca Schmarsow :: eyelearn.org Steps covered 1. file organisation 2.

450 views • 21 slides
beautiful textures: patterns, tiles & formats creating seamless patterns on the example of a

beautiful textures: patterns, tiles & formats creating seamless patterns on the example of a

beautiful textures: patterns, tiles & formats creating seamless patterns on the example of a custom 404 page, with a look at suitable file formats for online use Prisca Schmarsow :: eyelearn.org Steps covered 1. file organisation 2.

722 views • 25 slides
Graphic Design Year 7 This Lesson Know what is meant by a file extension and to give examples

Graphic Design Year 7 This Lesson Know what is meant by a file extension and to give examples

Graphic Design Year 7 This Lesson Know what is meant by a file extension and to give examples File Formats What are file formats/ extensions? A file format/ extension relates to the last three/ four letters at the end of a file name e.g.

610 views • 14 slides
PPM PART I Media and Media formats Images A) COLOR IMAGES A) Color spaces B) Image

PPM PART I Media and Media formats Images A) COLOR IMAGES A) Color spaces B) Image

PPM PART I Media and Media formats Images A) COLOR IMAGES A) Color spaces B) Image Formats B) IMAGE STANDARDS A) JPEG B) JPEG 2000 Color Images: color spaces Color perception Light source Observer (human eye) ( (

354 views • 31 slides
1 Fermion Field File Formats We note at the beginning, that we do not use a different format for

1 Fermion Field File Formats We note at the beginning, that we do not use a different format for

1 Fermion Field File Formats We note at the beginning, that we do not use a different format for source or sink fermion fields. They are both stored using the same lime records. The meta-data stored in the same lime-packed file is supposed to

53 views • 4 slides
Binarylevel program analysis: Executable File Formats Gang Tan CSE 597 Spring 2019 Penn

Binarylevel program analysis: Executable File Formats Gang Tan CSE 597 Spring 2019 Penn

Binarylevel program analysis: Executable File Formats Gang Tan CSE 597 Spring 2019 Penn State University * Some slides adapted from those by Toms Snchez Lpez at http://www.tomassanchez.com/material/ELF.ppt 1 Executable File

465 views • 20 slides
Ext3/4 file systems Don Porter CSE 506 Logical Diagram Binary Memory Threads Formats

Ext3/4 file systems Don Porter CSE 506 Logical Diagram Binary Memory Threads Formats

Ext3/4 file systems Don Porter CSE 506 Logical Diagram Binary Memory Threads Formats Allocators User Todays Lecture System Calls Kernel RCU File System Networking Sync Memory CPU Device Management Scheduler Drivers Hardware

598 views • 33 slides
srt st tr r

srt st tr r

srt st tr r s t Ptq

1.16k views • 67 slides
Heuristics for Nested Dissection to Reduce Fill-in in Sparse Matrix Factorizations Miguel

Heuristics for Nested Dissection to Reduce Fill-in in Sparse Matrix Factorizations Miguel

Heuristics for Nested Dissection to Reduce Fill-in in Sparse Matrix Factorizations Miguel Vargas-Flix, Salvador Botello-Rionda miguelvargas@cimat.mx, botello@cimat.mx Morelia, November 6, 2013 1/28 Sparse matrices In most problems of finite

646 views • 28 slides
Scaling limits of random dissections Igor Kortchemski (work with N. Curien and B. Haas) DMA

Scaling limits of random dissections Igor Kortchemski (work with N. Curien and B. Haas) DMA

Scaling limits of random dissections Igor Kortchemski (work with N. Curien and B. Haas) DMA cole Normale Suprieure SIAM Discrete Mathematics - June 2014 Motivation Definition: Boltzmann dissections Theorem Applications Proof Outline

879 views • 85 slides
Bivalve Anatomy & Classification Class Bivalvia ~15,000 species; includes clams, scallops,

Bivalve Anatomy & Classification Class Bivalvia ~15,000 species; includes clams, scallops,

Bivalve Anatomy & Classification Class Bivalvia ~15,000 species; includes clams, scallops, mussels, oysters 2-valved (hinged) shells w/ adductor muscles Body laterally flattened Lack of cephalization Spaceous mantle cavity

274 views • 13 slides
Closing the Smoothness and Uniformity Gap in Area Fill Synthesis Y. Chen , , A. B. Kahng, G.

Closing the Smoothness and Uniformity Gap in Area Fill Synthesis Y. Chen , , A. B. Kahng, G.

Supported by Cadence Design Systems, Inc., NSF, the Packard Foundation, and State of Georgias Yamacraw Initiative Closing the Smoothness and Uniformity Gap in Area Fill Synthesis Y. Chen , , A. B. Kahng, G. Robins, A. Zelikovsky A. B.

530 views • 27 slides
ULTIMATE A Multicenter, Prospective, Randomized Trial Comparing Intravascular Ultrasound-guided

ULTIMATE A Multicenter, Prospective, Randomized Trial Comparing Intravascular Ultrasound-guided

ULTIMATE ULTIMATE A Multicenter, Prospective, Randomized Trial Comparing Intravascular Ultrasound-guided versus Angiography-guided Implantation of Drug-Eluting Stent in All-comers Jun-Jie Zhang, MD, PhD Xiaofei Gao, Jing Kan, Zhen Ge, Leng

244 views • 9 slides
Network Dissection: Quantifying Interpretability of Deep Visual Representations By David Bau,

Network Dissection: Quantifying Interpretability of Deep Visual Representations By David Bau,

Network Dissection: Quantifying Interpretability of Deep Visual Representations By David Bau, Bolei Zhou, Aditya Khosla, Aude Oliva, Antonio Torralba CS 381V Thomas Crosley and Wonjoon Goo Detectors Credit: slide from the original paper Unit

1.39k views • 39 slides
A Network Forensic Analysis Framework Professor Patrick McDaniel Daniel Krych Fall 2015 About

A Network Forensic Analysis Framework Professor Patrick McDaniel Daniel Krych Fall 2015 About

A Network Forensic Analysis Framework Professor Patrick McDaniel Daniel Krych Fall 2015 About An extensible network forensic analysis framework. Enables rapid development of plugins to support the dissection of network packet captures.

379 views • 36 slides

More recommend