Horn Binary Serialization Analysis (HCVS 2016, 3rd Workshop on Horn Clauses for Verification and Synthesis)
SLIDE 1

Horn Binary Serialization Analysis

Gabriele Paganelli
https://gapag.noblogs.org/
gapag@distruzione.org

HCVS 2016, 3rd Workshop on Horn Clauses for Verification and Synthesis

SLIDE 2

[Figure: two byte layouts of a record. Left: Length (bytes 0-3), Type (4-7), Data (8-N), CRC (N+1-N+4). Right: Type (0-3), Data (4-N), Length (N+1-N+4), CRC (N+5-N+8).]

SLIDE 3

Contribution

  • Given a layout specification, is there a parser that can parse any instance stream? Or: is the layout deserializable?
  • In practice: describe the behaviour of a left-to-right parser using Horn clauses and forward chaining.

[Figure: the Length (0-3), Type (4-7), Data (8-N), CRC (N+1-N+4) layout]

SLIDE 4

1: Formalize a layout specification

  • f [Id] : fixed length field
  • v [Id] : variable length field (varfield)
  • (Id' ß)[Id] : pointer field, with offset at field Id' and span ß

[Figure: the Length (0-3), Type (4-7), Data (8-N), CRC (N+1-N+4) layout, written as the specification (Length 4)Length f v f]

SLIDE 5

2: Give a name to all fields

[Figure: the Length/Type/Data/CRC layout, with every field labelled]

(Length 4)Length_0 f_1 v_2 f_3

SLIDE 6

3: Formalize parser's knowledge

  • The parser knows...
  • Beg(i) : where field i begins
  • Len(i) : field i's length
  • Ptr(o,s,i) : field i is a pointer, with offset at o and spanning s fields
  • Val(i) : field i's contents
SLIDE 7

4a: Formalize parser's behaviour

(Length 4)Length_0 f_1 v_2 f_3

Axioms of this layout:

  • True ⇒ Beg(0)
  • True ⇒ Len(0)
  • True ⇒ Len(1)
  • True ⇒ Len(3)
  • True ⇒ Ptr(0,4,0)

SLIDE 8

4b: Formalize parser's behaviour

  • Beg(i) ∧ Len(i) ⇒ Beg(i+1) ∧ Val(i)
  • Beg(i+1) ∧ Len(i) ⇒ Beg(i) ∧ Val(i)
  • Read a field forward or backward.

[Figure: on the Length/Type/Data/CRC layout, Beg(0) ∧ Len(0) gives Beg(1) and Val(0) (forward); the mirror rule reads a field backward.]

SLIDE 9

4c: Formalize parser's behaviour

  • Ptr(o,s,i) ∧ Val(i) ∧ Beg(o) ⇒ Beg(o+s)
  • Ptr(o,s,i) ∧ Val(i) ∧ Beg(o+s) ⇒ Beg(o)
  • Follow a pointer forward or backward.

[Figure: on the Length/Type/Data/CRC layout, Ptr(0,4,0) ∧ Val(0) ∧ Beg(0) gives Beg(4) (jump right); the mirror rule jumps left.]

SLIDE 10

4cc: (example, continued)

  • Beg(i) ∧ Len(i) ⇒ Beg(i+1) ∧ Val(i)
  • Beg(i+1) ∧ Len(i) ⇒ Beg(i) ∧ Val(i)
  • Read a field forward or backward.

[Figure: on the Length/Type/Data/CRC layout, Beg(1) ∧ Len(1) gives Beg(2) and Val(1) (forward); Beg(4) ∧ Len(3) is read backward.]

SLIDE 11

4cc: (example, continued)

  • Beg(i) ∧ Len(i) ⇒ Beg(i+1) ∧ Val(i)
  • Beg(i+1) ∧ Len(i) ⇒ Beg(i) ∧ Val(i)
  • Read a field forward or backward.

[Figure: on the Length/Type/Data/CRC layout, Beg(1) ∧ Len(1) gives Beg(2) and Val(1) (forward); Beg(4) ∧ Len(3) gives Beg(3) and Val(3) (backward).]


SLIDE 13

4d: Formalize parser's behaviour

  • Beg(i) ∧ Beg(i+1) ⇒ Len(i)
  • Compute the length of a field.

[Figure: on the Length/Type/Data/CRC layout, Beg(2) ∧ Beg(3) gives Len(2) (join).]


SLIDE 15

Deserializability Check Algorithm

  • Transform a layout into a Horn KB: O(3n)
  • Apply forward chaining: O(3n)
  • Is Len(i) in the KB for every field i of the layout? O(n)

Yes: the layout is deserializable. No: the layout is not deserializable.

SLIDE 16

Implementation

Python
CLIPS

[Figure: pipeline for (Length 4)Length f v f: labelled as (Length 4)Length_0 f_1 v_2 f_3, turned into axioms, queried with ∀i Len(i)?, answer: Yes]
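The check of slides 7 to 16 on flat layouts (no repetitions), as an added example that is not the author's Python/CLIPS implementation: the labelled layout is encoded as a list of field kinds (f, v, and p for a pointer field, a letter I introduce here) plus a pointer table, and forward chaining runs over the Beg/Len/Val/Ptr facts. The sample layouts are the slides' (Length 4)Length f v f, a pointer-less f v f, and slide 17's (Foo 4)Foo v v v.

```python
# Added example (not the author's code): forward chaining over the Beg/Len/Val/Ptr
# facts of the slides for a flat layout, i.e. one without repetitions.
# Labelled layout = list of field kinds indexed by label ("f", "v", or "p" for a
# pointer field) plus a pointer table {i: (o, s)} meaning Ptr(o, s, i).
def axioms(kinds, pointers):
    """4a: the stream starts at field 0; fixed-length fields (pointers included)
    have a known length; every pointer field is declared."""
    kb = {("Beg", 0)}
    kb |= {("Len", i) for i, k in enumerate(kinds) if k in ("f", "p")}
    kb |= {("Ptr", o, s, i) for i, (o, s) in pointers.items()}
    return kb

def forward_chain(kb, n):
    """Apply rules 4b-4d until no new fact appears (the KB is finite)."""
    kb = set(kb)
    while True:
        new = set()
        for i in range(n):
            if ("Len", i) in kb and ("Beg", i) in kb:      # 4b: read forward
                new |= {("Beg", i + 1), ("Val", i)}
            if ("Len", i) in kb and ("Beg", i + 1) in kb:  # 4b: read backward
                new |= {("Beg", i), ("Val", i)}
            if ("Beg", i) in kb and ("Beg", i + 1) in kb:  # 4d: join
                new.add(("Len", i))
        for fact in [f for f in kb if f[0] == "Ptr"]:
            _, o, s, i = fact
            if ("Val", i) in kb:                           # 4c: follow the pointer
                if ("Beg", o) in kb:
                    new.add(("Beg", o + s))                # jump right
                if ("Beg", o + s) in kb:
                    new.add(("Beg", o))                    # jump left
        if new <= kb:
            return kb
        kb |= new

def deserializable(kinds, pointers):
    """Slide 15: the layout is deserializable iff Len(i) is derived for every i."""
    kb = forward_chain(axioms(kinds, pointers), len(kinds))
    return all(("Len", i) in kb for i in range(len(kinds)))

# (Length 4)Length_0 f_1 v_2 f_3: field 0 is the pointer, Ptr(0, 4, 0)
LENGTH_PREFIXED = (["p", "f", "v", "f"], {0: (0, 4)})
NO_POINTER = (["f", "v", "f"], {})                 # nothing locates the end of v_1
THREE_VARFIELDS = (["p", "v", "v", "v"], {0: (0, 4)})  # slide 17's (Foo 4)Foo v v v

if __name__ == "__main__":
    for spec, layout in [("(Length 4)Length f v f", LENGTH_PREFIXED),
                         ("f v f", NO_POINTER), ("(Foo 4)Foo v v v", THREE_VARFIELDS)]:
        print(spec, "->", "Yes" if deserializable(*layout) else "No")
```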

SLIDE 17

Necessary condition for deserialization

  • If layout L is deserializable, THEN in L

– for every varfield v_i
– there is a pointer field (foo ß)_p and a field x[foo]_q

  • such that q ≤ i < q+ß

– e.g. (Length 4)Length_0 f_1 v_2 f_3, where v_2 lies in the span of the pointer Length
– But: (Foo 4)Foo v v v satisfies the condition and is still not deserializable (the condition is necessary, not sufficient)

SLIDE 18

Repetition (Kleene star) : []*

(Foo 2)Foo f [f v f]*

SLIDE 19

Repetition (Kleene star) : []*

(Foo 2)Foo f [f v f]*   →   (Foo 2)Foo_0 f_1 [f_2.0 v_2.1 f_2.2]*_2

  • List labels instead of natural labels

SLIDE 20

Non valid layout specs

  • (Bar 2)_0 [f[Bar] v f]*_1

– Referencing into an inner scope.

  • Pointers cannot offset into inner scopes

[Figure: the repetition unrolled, (Bar 2)_0 [f[Bar] v f  f[Bar] v f  f[Bar] v f ...]: there is no single field Bar for the pointer to refer to.]

SLIDE 21

[]*: Predicates

(Foo 2)Foo_0 f_1 [f_2.0 v_2.1 f_2.2]*_2

  • Rep(i,l) : field i is a repetition containing l fields
  • RepLen(i) : the parser knows repetition i's length

SLIDE 22

What about the axioms?

  • Lifted to the list label level, e.g.:

Beg(b.a) ∧ Beg(b.a+1) ⇒ Len(b.a)   (join)

Ptr(b.a,s,i) ∧ Val(i) ∧ Beg(b.a) ⇒ Beg(b.a+s)   (jump right)

b, i : list; s, a : natural

SLIDE 23

[]*: Axioms

(Foo 2)Foo_0 f_1 [f_2.0 v_2.1 f_2.2]*_2

  • True ⇒ Rep(i,l); in this layout: True ⇒ Rep(2,3)
  • Rep(b.a,l) ∧ Beg(b.a) ∧ Beg(b.a+1) ⇒ RepLen(b.a)
  • Rep(b.a,l) ∧ Beg(b.a) ⇒ Beg(b.a.0)
  • Rep(b.a,l) ∧ Beg(b.a+1) ⇒ Beg(b.a.l)

SLIDE 24

[]*:

(Foo 2)Foo_0 f_1 [f_2.0 v_2.1 f_2.2]*_2

[Figure: derivation on this layout: forward, forward, jump right]

SLIDE 25

[]*:

(Foo 2)Foo_0 f_1 [f_2.0 v_2.1 f_2.2]*_2

  • Rep(2,3) ∧ Beg(2) ⇒ Beg(2.0)
  • Rep(2,3) ∧ Beg(3) ⇒ Beg(2.3)

[Figure: derivation on this layout: join, forward, backward]

SLIDE 26

[]*:

(Foo 2)Foo_0 f_1 [f_2.0 v_2.1 f_2.2 f_2.3 v_2.4 f_2.5]*_2

[Figure: derivation on the doubled layout: forward, forward, jump forward]

(Foo 2)Foo_0 f_1 [f_2.0 v_2.1 f_2.2]*_2

SLIDE 27

[]*:

  • Rep(2,3) ∧ Beg(2) ⇒ Beg(2.0)
  • Rep(2,3) ∧ Beg(3) ⇒ Beg(2.3)

(Foo 2)Foo_0 f_1 [f_2.0 v_2.1 f_2.2 f_2.3 v_2.4 f_2.5]*_2

[Figure: derivation on the doubled layout: forward, backward]

(Foo 2)Foo_0 f_1 [f_2.0 v_2.1 f_2.2]*_2

SLIDE 28

Dirty trick

(Foo 2)Foo_0 f_1 [f_2.0 v_2.1 f_2.2 f_2.3 v_2.4 f_2.5]*_2

(Foo 2)Foo_0 f_1 [f_2.0 v_2.1 f_2.2]*_2

Take each repetition field and double its content.

SLIDE 29

Dirty trick

Take each repetition field and double its content. (Just once, not for the doubled repetitions!)

L:  (A 2)A_0 f_1 [f_2.0 [(B 1)B v]*_2.1 f_2.2]*_2

L2: (A 2)A_0 f_1 [f_2.0 [(B 1)B v (C 1)C v]*_2.1 f_2.2 f_2.3 [(D 1)D v]*_2.4 f_2.5]*_2

Axioms are left undisturbed. Cost: O(kn).

Formally guaranteed: if L2 is deserializable, then L is deserializable.

If L2 is (not) deserializable, then all L_N with N > 2 are (not) deserializable.
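The doubling trick of slides 28 and 29 as an added example (not the author's implementation): a layout is a nested list of "f", "v", ("ptr", name, offset_field, span) and ("rep", body) nodes; where the slide renames the copied pointers to C and D, this code appends a running number to the original name.

```python
# Added example (not the author's code): the doubling trick of slides 28-29 on a
# layout tree. Nodes: "f", "v", ("ptr", name, offset_field, span), ("rep", body).
from itertools import count

def double(layout, fresh=None):
    """Double the body of every repetition exactly once: the first copy is
    processed recursively (its inner repetitions get doubled too); the second
    copy is taken as-is, so a doubled copy is never doubled again."""
    fresh = count(1) if fresh is None else fresh
    out = []
    for node in layout:
        if isinstance(node, tuple) and node[0] == "rep":
            body = node[1]
            out.append(("rep", double(body, fresh) + rename(body, fresh)))
        else:
            out.append(node)
    return out

def rename(layout, fresh):
    """Give every pointer in a copied body a fresh name (slide 29 renames B to
    C and D); a pointer whose offset is itself keeps pointing at itself."""
    out = []
    for node in layout:
        if isinstance(node, tuple) and node[0] == "ptr":
            _, name, offset, span = node
            new = f"{name}{next(fresh)}"
            out.append(("ptr", new, new if offset == name else offset, span))
        elif isinstance(node, tuple) and node[0] == "rep":
            out.append(("rep", rename(node[1], fresh)))
        else:
            out.append(node)
    return out

def show(layout):
    """Render a tree in the slides' notation, e.g. (A 2)A f [f v f]*."""
    parts = []
    for node in layout:
        if node in ("f", "v"):
            parts.append(node)
        elif node[0] == "ptr":
            parts.append(f"({node[2]} {node[3]}){node[1]}")
        else:
            parts.append("[" + show(node[1]) + "]*")
    return " ".join(parts)

# L of slide 29: (A 2)A f [f [(B 1)B v]* f]*
L = [("ptr", "A", "A", 2), "f", ("rep", ["f", ("rep", [("ptr", "B", "B", 1), "v"]), "f"])]

if __name__ == "__main__":
    print(show(L), "->", show(double(L)))
```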

SLIDE 30

Implementation

Python
CLIPS

[Figure: pipeline for (Length 4)Length [f v]* f: the repetition is doubled to (Length 4)Length [f v f v]* f, labelled as (Length 4)Length_0 [f_2.0 v_2.1 f_2.2 v_2.3]*_2 f_3, turned into axioms, queried with ∀i Len(i)? and ∀Rep(i,j) RepLen(i)?, answer: NO]

SLIDE 31

Intended application areas

  • Serialization libraries
  • Data definition language C!C

– Rule-based parser generation?
– Associate to each proof of deserializability a parser.

SLIDE 32

Related work

– Erlang, Haskell, C...
– PADS
– Protocol Buffers, Avro, Cap'n Proto, BSON...

SLIDE 33

Summary

  • Axiomatization of left-to-right stream parsing
  • Implementation: Python + CLIPS
  • Interesting results:

– Necessary condition for deserializability
– Doubling repetitions

Gabriele Paganelli
https://github.com/gapag/horn-binary-deserialization
https://gapag.noblogs.org/
gapag@distruzione.org