horn binary serialization analysis
play

Horn Binary Serialization Analysis HCVS 2016 3rd Workshop on - PowerPoint PPT Presentation

Oct 14, 2022 •167 likes •502 views

Horn Binary Serialization Analysis HCVS 2016 3rd Workshop on Horn Clauses for Verification and Synthesis Gabriele Paganelli https://gapag.noblogs.org/ gapag@distruzione.org Length Type Data CRC 0 3 4 7 8 N N+1 N+4 Type

  1. Horn Binary Serialization Analysis HCVS 2016 3rd Workshop on Horn Clauses for Verification and Synthesis Gabriele Paganelli https://gapag.noblogs.org/ gapag@distruzione.org

  2. Length Type Data CRC 0 3 4 7 8 N N+1 N+4 Type Data Length CRC 0 3 4 N N+1 N+4 N+5 N+8 Cat.png

  3. Contribution ● Given a layout specification, Length Type Data CRC 0 3 4 7 8 N N+1 N+4 Is there a parser that can parse any instance stream? Or: is the layout deserializable? In practice: describe a left-to-right parser behaviour using Horn clauses and forward chaining

  4. 1:Formalize a layout specification ● f [Id] : fixed length field ● v [Id] : variable length field ( varfield ) → ß)[Id] : pointer field ● (Id' offset span → (Length 4)Length Length Type Data CRC 0 3 4 7 8 N N+1 N+4 f v f

  5. 2:Give a name to all fields → (Length 4)Length 0 f 1 v 2 f 3 Length Type Data CRC 0 3 4 7 8 N N+1 N+4

  6. 3:Formalize parser's knowledge ● The parser knows... ● Beg(i) : where field i begins ● Len(i) : field i 's length ● Ptr(o,s,i) : field i is a pointer, with offset at o and spanning s fields ● Val(i) : field i 's contents.

  7. 4a:Formalize parser's behaviour → (Length 4)Length 0 f 1 v 2 f 3 Length Type Data CRC 0 3 4 7 8 N N+1 N+4 True Beg(0) ⇒ True ⇒ Len(0) True Len(1) ⇒ True Len(3) ⇒ True Ptr(0,4,0) ⇒

  8. 4b:Formalize parser's behaviour ● Beg(i) ∧ Len(i) Beg(i+1) ∧ Val(i) ⇒ forward ● Beg(i+1) ∧ Len(i) Beg(i) ∧ Val(i) ⇒ backward ● Read a field backward or forward. Beg(0) Beg(1) Len(0) Val(0) Length Type Data CRC 0 3 4 7 8 N N+1 N+4

  9. 4c:Formalize parser's behaviour ● Ptr(o,s,i) Val (i) ∧ Beg(o) Beg(o+s) ⇒ ∧ Jump right ● Ptr(o,s,i) Val (i) ∧ Beg(o+s) Beg(o) ⇒ ∧ Jump left ● Follow a pointer backward or forward. Ptr(0,4,0) Val(0) Beg(4) Beg(0) Length Type Data CRC 0 3 4 7 8 N N+1 N+4

  10. 4cc:(example, continued) ● Beg(i) ∧ Len(i) Beg(i+1) ∧ Val(i) ⇒ forward ● Beg(i+1) ∧ Len(i) Beg(i) ∧ Val(i) ⇒ backward ● Read a field backward or forward. Beg(1) Beg(2) Beg(4) Len(1) Val(1) Len(3) Length Type Data CRC 0 3 4 7 8 N N+1 N+4

  11. 4cc:(example, continued) ● Beg(i) ∧ Len(i) Beg(i+1) ∧ Val(i) ⇒ forward ● Beg(i+1) ∧ Len(i) Beg(i) ∧ Val(i) ⇒ backward ● Read a field backward or forward. Beg(1) Beg(2) Beg(3) Beg(4) Len(1) Val(1) Val(3) Len(3) Length Type Data CRC 0 3 4 7 8 N N+1 N+4

  12. 4cc:(example, continued) ● Beg(i) ∧ Len(i) Beg(i+1) ∧ Val(i) ⇒ forward ● Beg(i+1) ∧ Len(i) Beg(i) ∧ Val(i) ⇒ backward ● Read a field backward or forward. Beg(1) Beg(2) Beg(3) Beg(4) Len(1) Val(1) Val(3) Len(3) Length Type Data CRC 0 3 4 7 8 N N+1 N+4

  13. 4d:Formalize parser's behaviour ● Beg(i) Beg(i+1) ⇒ Len(i) ∧ join ● Compute the length of a field. Beg(3) Beg(2) Length Type Data CRC 0 3 4 7 8 N N+1 N+4 Len(2)

  14. 4d:Formalize parser's behaviour ● Beg(i) Beg(i+1) ⇒ Len(i) ∧ join ● Compute the length of a field. Beg(3) Beg(2) Length Type Data CRC 0 3 4 7 8 N N+1 N+4 Len(2)

  15. Deserializability Check Algorithm ● Transform a layout into a Horn KB: O(3n) ● Apply forward chaining: O(3n) ● Is Len(i) for all i in a layout in KB? O(n) Yes: Layout is deserializable No: Layout is not deserializable.

  16. Implementation → (Length 4)Length f v f → (Length 4)Length 0 f 1 v 2 f 3 Axioms CLIPS ∀ i ⇒ Yes Python len(i) ?

  17. N ecessary condition for deserialization ● If layout L is deserializable, THEN in L – for every v i – There is a (foo → s ) p , x foo q ● Such that q ≤ i < q+s – e.g. : f v f → – (Length 4) Length 0 f 1 v 2 f 3 – But: (Foo 4)Foo v v v →

  18. Repetition (Kleene star) : []* → (Foo 2)Foo f [f v f ]*

  19. Repetition (Kleene star) : []* → (Foo 2)Foo f [f v f ]* → (Foo 2) Foo 0 f 1 [f 2.0 v 2.1 f 2.2 ]* 2 s l e b a l t s i L s l e b a l l a r u t a n f o d a e t s n i

  20. Non valid layout specs → ● (Bar 2) 0 [fBar v f]* 1 – Referencing into an inner scope. Pointers cannot offset into inner scopes → (Bar 2) 0 [fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f

  21. []* : Predicates → (Foo 2)Foo 0 f 1 [f 2.0 v 2.1 f 2.2 ]* 2 ● Rep(i,l) : field i is a repetition containing l fields ● Replen(i) : the parser knows repetition i 's length

  22. What about the axioms? ● Lifted to the list label level: ● e.g: ⇒ Len(b.a) Beg(b.a) Beg(b.a+1) join ∧ Ptr(b.a,s,i) Val(i) Beg(b.a) ∧ ∧ Jump right ⇒ Beg(b.a+s) b,i :list s,a : natural

  23. []* : Axioms → (Foo 2)Foo 0 f 1 [f 2.0 v 2.1 f 2.2 ]* 2 ● True ⇒ Rep(i,l) in this layout: True ⇒ Rep(2,3) ● Rep(b.a,l) Beg(b.a) Beg(b.a+1) ∧ ∧ ⇒ RepLen(b.a) ● Rep(b.a,l) Beg(b.a) Beg(b.a.0) ∧ ⇒ ● Rep(b.a,l) Beg(b.a+1) Beg(b.a.l) ∧ ⇒

  24. []* : → (Foo 2)Foo 0 f 1 [f 2.0 v 2.1 f 2.2 ]* 2 Forward Jump Forward right

  25. []* : → (Foo 2)Foo 0 f 1 [f 2.0 v 2.1 f 2.2 ]* 2 forward join backward ● Rep(2,3) Beg(2) Beg(2.0) ∧ ⇒ ● Rep(2,3) Beg(3) Beg(2.3) ∧ ⇒

  26. []* : → (Foo 2)Foo 0 f 1 [f 2.0 v 2.1 f 2.2 f 2.3 v 2.4 f 2.5 ]* 2 Forward Jump Forward forward → (Foo 2)Foo 0 f 1 [f 2.0 v 2.1 f 2.2 ]* 2

  27. []* : → (Foo 2)Foo 0 f 1 [f 2.0 v 2.1 f 2.2 f 2.3 v 2.4 f 2.5 ]* 2 backward forward ● Rep(2,3) Beg(2) Beg(2.0) ∧ ⇒ ● Rep(2,3) Beg(3) Beg(2.3) ∧ ⇒ → (Foo 2)Foo 0 f 1 [f 2.0 v 2.1 f 2.2 ]* 2

  28. Dirty trick → (Foo 2)Foo 0 f 1 [f 2.0 v 2.1 f 2.2 ]* 2 → (Foo 2)Foo 0 f 1 [f 2.0 v 2.1 f 2.2 f 2.3 v 2.4 f 2.5 ]* 2 Take each repetition field and double its content.

  29. If L2 is (not) deserializable Then all LN>2 are (not) deserializable Dirty trick F o r m a l l y g u a r a n t e e Take each repetition field and double its content. d : I f L 2 i s d e s e r i a l i z a b l e , (Just once, not for the doubled repetitions!) T h e n L i s d e s e r i a l i z a b l e → L (A 2)A 0 f 1 [f 2.0 → [(B 1)B, v]* 2.1 f 2.2 ]* 2 → L2 (A 2)A 0 f 1 [f 2.0 O(kn) → → [(B 1)B v (C 1)C v]* 2.1 → f 2.2 f 2.3 [D 1)D v]* 2.4 f 2.5 ]* 2 Axioms are left undisturbed.

  30. Implementation → (Length 4)Length [f v]* f NO → (Length 4)Length [f v f v]* f → (Length 4)Length 0 [f 2.0 v 2.1 f 2.2 v 2.3 ]* 2 f 3 ∀ i ⇒ len(i) ? CLIPS Axioms ∀ Rep(i,j) ⇒ RepLen(i) ? Python

  31. Intended application areas ● Serialization libraries ● Data definition language C!C – Rule-based parser generation? – Associate to each proof of deserializability a parser.

  32. Related work – Erlang, haskell, c... – Pads – Protocol buffers, avro, cap'n'proto, bson...

  33. Summary ● Axiomatization of left-to-right stream parsing ● Implementation: Python+CLIPS ● Interesting results: – Necessary condition for deserializability – Doubling repetitions Gabriele Paganelli https://github.com/gapag/horn-binary-deserialization https://gapag.noblogs.org/ gapag@distruzione.org

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Session 9 Serialization/JSON 1 Lecture Objectives Understand the need for serialization

Session 9 Serialization/JSON 1 Lecture Objectives Understand the need for serialization

Session 9 Serialization/JSON Session 9 Serialization/JSON 1 Lecture Objectives Understand the need for serialization Understand various approaches to serialization Understand the use of JSON as a popular approach to serialization

339 views • 11 slides
Serialization ELCO Tianjin Dresden Oberstenfeld From the Sensor to the Human and back again

Serialization ELCO Tianjin Dresden Oberstenfeld From the Sensor to the Human and back again

Serialization ELCO Tianjin Dresden Oberstenfeld From the Sensor to the Human and back again The source of our success Serialization Serialization Table of contents 1. Brief history 2. Serialisation methods in

792 views • 62 slides
Session 14 Serialization/JSON 1 Lecture Objectives Understand the need for serialization

Session 14 Serialization/JSON 1 Lecture Objectives Understand the need for serialization

Session 14 Serialization/JSON Session 14 Serialization/JSON 1 Lecture Objectives Understand the need for serialization Understand various approaches to serialization Understand the use of JSON as a popular approach to

327 views • 16 slides
Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda Motivation Current State of Program Analysis Design Goals of Binja Program Analysis Building Tools 2 Motivation 3 Tooling - Concrete -&gt;

963 views • 77 slides
Data Data Serialization Serialization with with Symfony Symfony &amp; &amp; Drupal Drupal

Data Data Serialization Serialization with with Symfony Symfony &amp; &amp; Drupal Drupal

Data Data Serialization Serialization with with Symfony Symfony &amp; &amp; Drupal Drupal SensioLabs Hugo Hamon Hugo Hamon Head of training at SensioLabs Book author Speaker at Conferences Symfony contributor Travel lover @hhamon

1.32k views • 110 slides
JHF Horn construction status and K2K horn experience YAMANOI Yutaka (KEK) K2K Horn system

JHF Horn construction status and K2K horn experience YAMANOI Yutaka (KEK) K2K Horn system

JHF Horn construction status and K2K horn experience YAMANOI Yutaka (KEK) K2K Horn system The operation result of K2K Horns Trivial troubles (2002-2003) Status of JHF Horns Basic parameters Mechanism and Merit of FSW

390 views • 20 slides
Buffalo Bone Button Presentation https://www.indiamart.com/horn-natural-kamptee/ buffalo horn

Buffalo Bone Button Presentation https://www.indiamart.com/horn-natural-kamptee/ buffalo horn

Buffalo Bone Button Presentation https://www.indiamart.com/horn-natural-kamptee/ buffalo horn plate for optical frames, buffalo horn blanks, buffalo bone buttons. buffalo horn knife scales, water buffalo horn plates, ebony wood, genuine buffalo

525 views • 5 slides
staypu: object validation and serialization &amp; should this even be a package? Scott

staypu: object validation and serialization &amp; should this even be a package? Scott

staypu: object validation and serialization &amp; should this even be a package? Scott Chamberlain ( @sckottie ) pain point: serialization converting data in one format to another format especially painful when complex other languages

329 views • 19 slides
The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er

The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er

The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er ome Leroux, Olivier Ly, Renaud Tabary, Aymeric Vincent CEA LIST (Saclay, Paris) LABRI (Bordeaux) 1/ 13 Binary code analysis 2/ 13 Binary code

149 views • 14 slides
Pharmaceutical Serialization: Track &amp; Trace in the USA Aisha Nabiyeva David Wu Advisor:

Pharmaceutical Serialization: Track &amp; Trace in the USA Aisha Nabiyeva David Wu Advisor:

Pharmaceutical Serialization: Track &amp; Trace in the USA Aisha Nabiyeva David Wu Advisor: Bruce Arntzen How do we implement Serialization? Translating theory. to Reality Supply Chain Traceability Installation of necessary

1.44k views • 15 slides
Around The Horn ESG INVESTING Michael McLaughlin, CFA AAM Portfolio Manager Credit Analysis:

Around The Horn ESG INVESTING Michael McLaughlin, CFA AAM Portfolio Manager Credit Analysis:

Around The Horn ESG INVESTING Michael McLaughlin, CFA AAM Portfolio Manager Credit Analysis: Incorporating ESG Into Our Process ESG risks are important to ESG considerations are consider when assessing explicitly factored into our future

185 views • 3 slides
Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
GAPP: A Fast Profiler for Detecting Serialization Bottlenecks in Parallel Linux Applications

GAPP: A Fast Profiler for Detecting Serialization Bottlenecks in Parallel Linux Applications

GAPP: A Fast Profiler for Detecting Serialization Bottlenecks in Parallel Linux Applications Reena Nair Tony Field What causes serialization bottlenecks? Resource Contention Load Imbalance Hardware Software Execution Time CPU Locks

474 views • 20 slides
Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen

Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen

Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen University of Maryland Department of Computer Science University of Maryland Binary modification Behavior Attack Detection Analysis Binary Program

492 views • 24 slides
Network Serialization and Routing in World of Warcraft Joe Rumsey jrumsey@blizzard.com Twitter:

Network Serialization and Routing in World of Warcraft Joe Rumsey jrumsey@blizzard.com Twitter:

Network Serialization and Routing in World of Warcraft Joe Rumsey jrumsey@blizzard.com Twitter: @joerumz What is JAM? J oes A utomated M essages The Problem Game servers need to communicate with each other Manual serialization is

1.78k views • 131 slides
Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS,

Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS,

Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS, IRISA sam.thomas@irisa.fr Introduction - what is BAP? Binary analysis framework: For program analysis For (aiding) reverse engineering (plugin

667 views • 29 slides
Accelerated Data Processing on SoC with FPGA Marek Va sut &lt; marex@denx.de &gt; June 3, 2015

Accelerated Data Processing on SoC with FPGA Marek Va sut &lt; marex@denx.de &gt; June 3, 2015

Accelerated Data Processing on SoC with FPGA Marek Va sut &lt; marex@denx.de &gt; June 3, 2015 Marek Va sut &lt; marex@denx.de &gt; Accelerated Data Processing on SoC with FPGA Marek Vasut Software engineer at DENX S.E. since 2011

425 views • 31 slides
Wireless Privacy: Analysis of 802.11 Security Nikita Borisov UC Berkeley

Wireless Privacy: Analysis of 802.11 Security Nikita Borisov UC Berkeley

Wireless Privacy: Analysis of 802.11 Security Nikita Borisov UC Berkeley nikitab@cs.berkeley.edu Wireless Networking is Here Internet 802.11 wireless networking is on the rise installed base: ~ 15 million users currently a $1

803 views • 37 slides
1 Two-Dimensional Parity Internet Checksum Use 1-dimensional parity Idea Add up all

1 Two-Dimensional Parity Internet Checksum Use 1-dimensional parity Idea Add up all

Error Coding Parity 1-bit error detection with parity Transmission process may introduce errors into a message. Add an extra bit to a code to ensure an even (odd) number of 1s Single bit errors versus burst errors Every

284 views • 4 slides
Lecture 9 When The CRC and TCP Checksum Disagree Jonathan Stone, Craig Partridge Advanced

Lecture 9 When The CRC and TCP Checksum Disagree Jonathan Stone, Craig Partridge Advanced

Lecture 9 When The CRC and TCP Checksum Disagree Jonathan Stone, Craig Partridge Advanced Operating Systems 30 November, 2011 SOA/OS Lecture 9, When The CRC and TCP Checksum Disagree 1/26 Introduction Looking for errors Results

309 views • 26 slides
2013 Smart Services CRC Participants and Showcase Forum Meeting Innovation reflections 5

2013 Smart Services CRC Participants and Showcase Forum Meeting Innovation reflections 5

2013 Smart Services CRC Participants and Showcase Forum Meeting Innovation reflections 5 years on from the Review of the National Innovation System 4 December 2013 Mary OKane, NSW Chief Scientist and Engineer 5 years on from Review of

285 views • 27 slides
Pique curiosity, not diabetic fingers Axelle Apvrille (Fortinet) Travis Goodspeed July 2020

Pique curiosity, not diabetic fingers Axelle Apvrille (Fortinet) Travis Goodspeed July 2020

Pique curiosity, not diabetic fingers Axelle Apvrille (Fortinet) Travis Goodspeed July 2020 Hello! Travis Goodspeed Axelle Apvrille Digital watchmaker and Studebaker Principal Security Researcher at enthusiast, @travisgoodspeed Fortinet ,

433 views • 31 slides
Falconieri: Remote Provisioning Service as a Service A new, modern, open source and cloud native

Falconieri: Remote Provisioning Service as a Service A new, modern, open source and cloud native

Falconieri: Remote Provisioning Service as a Service A new, modern, open source and cloud native remote provisioning service gateway. Matteo Valentini @_Amygos Intro: Remote Provisioning Service Theory Intro: What is it a Remote

476 views • 29 slides
List-Decoding of Polar Codes Ido Tal and Alexander Vardy University of California San Diego 9500

List-Decoding of Polar Codes Ido Tal and Alexander Vardy University of California San Diego 9500

List-Decoding of Polar Codes Ido Tal and Alexander Vardy University of California San Diego 9500 Gilman Drive, La Jolla, CA 92093, USA Problem and goal Channel polarization is slow. For short to moderate code lengths, polar codes have

1.53k views • 106 slides

More recommend