in search of shotgun parsers
play

In Search Of Shotgun Parsers Katie Underwood University of Calgary - PowerPoint PPT Presentation

Jan 22, 2023 •239 likes •783 views

In Search Of Shotgun Parsers Katie Underwood University of Calgary Michael Locasto SRI International May 25, 2016 Overview Context Defining The Shotgun Parser Tainted Path Length In Android Applications Our Definition In The Wild Future

  1. In Search Of Shotgun Parsers Katie Underwood University of Calgary Michael Locasto SRI International May 25, 2016

  2. Overview Context Defining The Shotgun Parser Tainted Path Length In Android Applications Our Definition In The Wild Future Work 2

  3. WHAT ARE WE LOOKING FOR? Defining The Shotgun Parser

  4. Why Shotgun? Input use and recognition intermixed throughout! 4

  5. What Are We Looking For? • Before we go searching for shotgun parsers, we need to know what we’re looking for! • How will we know a shotgun parser when we see one? • We frame our definition in the context of static taint analysis of control flow graphs 5

  6. Large Number of Variables Involved In Each Tainted Path How much program state is affected by properties 1 and 2? Use Before Full Recognition Is input data fully validated before being used? Hallmarks of the Shotgun Parser Large Spread Relative To Size How far does untrusted data propagate through the code? 6

  7. Large Number of Variables Involved In Each Tainted Path How much program state is affected by properties 1 and 2? Hallmarks of the Shotgun Parser Large Spread Relative To Size How far does untrusted data propagate through the code? Use Before Full Recognition Is input data fully validated before being used? 6

  8. Hallmarks of the Shotgun Parser Large Spread Relative To Size How far does untrusted data propagate through the code? Use Before Full Recognition Is input data fully validated before being used? Large Number of Variables Involved In Each Tainted Path How much program state is affected by properties 1 and 2? 6

  9. Let G be the static control-flow graph which describes Let P n be the connected subgraph induced by the vertices of G tainted by n , where d P n d G Let S P i i be the set of all taint-induced subgraphs on G Property 1: Spread Relative To Size • Consider an application A , which reads a set of untrusted inputs N 7

  10. Let P n be the connected subgraph induced by the vertices of G tainted by n , where d P n d G Let S P i i be the set of all taint-induced subgraphs on G Property 1: Spread Relative To Size • Consider an application A , which reads a set of untrusted inputs N • Let G be the static control-flow graph which describes A 7

  11. Let S P i i be the set of all taint-induced subgraphs on G Property 1: Spread Relative To Size • Consider an application A , which reads a set of untrusted inputs N • Let G be the static control-flow graph which describes A • Let P n be the connected subgraph induced by the vertices of G tainted by n ∈ N , where d ( P n ) ≤ d ( G ) 7

  12. Property 1: Spread Relative To Size • Consider an application A , which reads a set of untrusted inputs N • Let G be the static control-flow graph which describes A • Let P n be the connected subgraph induced by the vertices of G tainted by n ∈ N , where d ( P n ) ≤ d ( G ) • Let S = { P i | 1 ≤ i ≤ |N|} be the set of all taint-induced subgraphs on G 7

  13. Large S Evidence for presence of multiple shotgun parsers in Property 1: Spread Relative To Size Shotgun parser indicators: • d ( P n ) comparable to d ( G ) → Indicates input n not handled in principled manner 8

  14. Property 1: Spread Relative To Size Shotgun parser indicators: • d ( P n ) comparable to d ( G ) → Indicates input n not handled in principled manner • Large | S | → Evidence for presence of multiple shotgun parsers in A 8

  15. Property 2: Use Before Full Recognition • We can’t quantify whether arbitrary input to an arbitrary piece of code is “fully recognized” • We can start to define a set of standards for handling of specific data types 9

  16. Property 2: Use Before Full Recognition For example: • “For inputs of type O , you must do 5 reads of 4 bytes each, then write 20 bytes in a specific order” • Identify read/write memory events which take place after input is received 10

  17. Property 2: Use Before Full Recognition For example: • “For inputs of type O , you must do 5 reads of 4 bytes each, then write 20 bytes in a specific order” • Identify read/write memory events which take place after input is received 10

  18. Let P n now be a weighted graph, where each edge E x y corresponds to the number of variables tainted by n after node x Property 3: Number of Tainted Input Variables • Consider again a tainted subgraph P n 11

  19. Property 3: Number of Tainted Input Variables • Consider again a tainted subgraph P n • Let P n now be a weighted graph, where each edge E ( x , y ) corresponds to the number of variables tainted by n after node x 11

  20. Areas of P n where edge weight increases may merit further study Allows us to triage program statements / methods for further analysis Property 3: Number of Tainted Input Variables Shotgun parser indicators: • Large number of tainted variables compared to total number of variables → Indicates untrusted input affects significant proportion of program state 12

  21. Property 3: Number of Tainted Input Variables Shotgun parser indicators: • Large number of tainted variables compared to total number of variables → Indicates untrusted input affects significant proportion of program state • Areas of P n where edge weight increases may merit further study → Allows us to triage program statements / methods for further analysis 12

  22. The “worst case” shotgun parser exhibits all three properties in abundance! Definition Summary 13

  23. Definition Summary The “worst case” shotgun parser exhibits all three properties in abundance! 13

  24. CASE STUDY: ANDROID First Steps Towards Automated Detection

  25. Our Goals • Establish foundation for a recognizer • First look at “state of affairs” in Android applications • Start examining a different class of errors through the LangSec lens 15

  26. Our Approach • Static taint analysis of statement-level control flow graphs • Compute length of tainted path corresponding to each source • Analysis uses the Jimple intermediate representation Jimple CFG for one module of the classic game “Snake” 16

  27. FlowDroid We Add: • Tracking for all tainted paths, not only those terminating in a sink • Unique identifiers for each taint source • Open-source static analysis • Specific API call source for framework for Android each taint • Developed by the Secure Software Engineering Group at • Taint propagation Paderborn University/ TU handler functions to Darmstadt measure input path length https://blogs.uni-paderborn.de/sse/tools/flowdroid/ 17

  28. Our Implementation Each time a taint is propagated, our custom handler is invoked: • Capture incoming flow data object F and outgoing set of flow data objects F out • If F has not been seen before: • Init F . length = 0 • Store original source context of F . • For each flow fact f ∈ F out : • f . length = F . length + 1 • Store source context information for f 18

  29. Workflow 19

  30. Initial Results 20

  31. Some Thoughts.. • Our tool is: • The foundation of a full SGP recognizer • A prioritization method for app analysis 21

  32. OUR DEFINITION IN THE WILD Let’s Look At Real Stuff

  33. "ImageTragick'' (CVE-2016-3714) 23

  34. "ImageTragick'' (CVE-2016-3714) 23

  35. "ImageTragick'' (CVE-2016-3714) 23

  36. "ImageTragick'' (CVE-2016-3714) 24

  37. "ImageTragick'' (CVE-2016-3714) 24

  38. "ImageTragick'' (CVE-2016-3714) 24

  39. "ImageTragick'' (CVE-2016-3714) 24

  40. "ImageTragick'' (CVE-2016-3714) 24

  41. "ImageTragick'' (CVE-2016-3714) Observations: • (Relatively) long path • 7 direct function calls between input and (attempted) validation, but input is also passed elsewhere • Raw input is passed between (and used in) 5 different functions before being read into a native data structure • Input use and validation is intermixed • Unsuitable validation mechanism 25

  42. "Heartbleed'' (CVE-2014-0160) 26

  43. "Heartbleed'' (CVE-2014-0160) Observations: • Input passed via several function calls before processing, but not used along the way • Low degree of input use / validation intermixing, however... • Almost total lack of validation of heartbeat payload! 27

  44. Mongrel Web Server - HTTP 1.1 Parser Parsing Done Right! • Define a finite state machine for HTTP parsing (uses the Ragel compiler) • Finite state machine ≡ regular grammar • Input language is correctly, formally defined • Input data is correctly, formally recognized 28

  45. In The Context Of Our Definition... 29

  46. In The Context Of Our Definition... 29

  47. In The Context Of Our Definition... 29

  48. In The Context Of Our Definition... 29

  49. FUTURE WORK Where Do We Go From Here...

  50. Many Roads Lead From Here • “Climb the hill of Android” • Develop automated analysis frameworks based on our definition for other software ecosystems • Develop well-defined input/output patterns for common types (characterize “recognition”) • Rigorously characterize existing vulnerabilities • . . . 31

  51. Acknowledgements We gratefully acknowledge Steven Arzt from the Secure Software Engineering Group at TU Darmstadt for his ongoing assistance with technical questions about FlowDroid via the Soot mailing list 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Whol e Gen ome Sh ot gun S equencing Whol e Gen ome Sh ot gun S equencing Shotgun DNA

Whol e Gen ome Sh ot gun S equencing Whol e Gen ome Sh ot gun S equencing Shotgun DNA

Whol e Gen ome Sh ot gun S equencing Whol e Gen ome Sh ot gun S equencing Shotgun DNA Sequencing (Technology) DNA target sample SHEAR SIZE SELECT End Reads (Mates) LIGATE & Primer CLONE SEQUENCE Vector Shotgun DNA Sequencing

390 views • 12 slides
Shotgun Assembly of Labelled Graphs Charles Bordenave 3 , Uri Feige 3 , Elchanan Mossel 1 , 2 , 3 ,

Shotgun Assembly of Labelled Graphs Charles Bordenave 3 , Uri Feige 3 , Elchanan Mossel 1 , 2 , 3 ,

Shotgun Assembly of Labelled Graphs Charles Bordenave 3 , Uri Feige 3 , Elchanan Mossel 1 , 2 , 3 , Nathan Ross 1 , Nike Sun 2 1 Shotgun assembly of Labelled Graphs (arxiv.org/abs/1504.07682) 2 Shotgun Assembly of Random Regular Graphs,

1.05k views • 59 slides
Outline Background on Proteins and Shotgun Proteomics

Outline Background on Proteins and Shotgun Proteomics

E fficient Processing of Models for Large-scale Shotgun Proteomics Data Himanshu Grover, Ph.D. Vanathi Gopalakrishnan, Ph.D. University of Pi;sburgh

449 views • 32 slides
XML Parsers Asst. Prof. Dr. Kanda Runapongsa Saikaew (krunapon@kku.ac.th) Dept. of Computer

XML Parsers Asst. Prof. Dr. Kanda Runapongsa Saikaew (krunapon@kku.ac.th) Dept. of Computer

XML Parsers Asst. Prof. Dr. Kanda Runapongsa Saikaew (krunapon@kku.ac.th) Dept. of Computer Engineering Khon Kaen University 1 Overview What are XML Parsers? Programming Interfaces of XML Parsers DOM: Document Object Model

438 views • 33 slides
Scanners and parsers COMP 520 Fall 2010 Scanners and Parsers (2) A scanner or lexer transforms a

Scanners and parsers COMP 520 Fall 2010 Scanners and Parsers (2) A scanner or lexer transforms a

COMP 520 Fall 2010 Scanners and Parsers (1) Scanners and parsers COMP 520 Fall 2010 Scanners and Parsers (2) A scanner or lexer transforms a string of characters into a string of tokens: uses a combination of deterministic finite automata

1.08k views • 53 slides
Dependency and Phrasal Parsers of the Czech Language: A Comparison ak 1 , Tom s Holan 2 ,

Dependency and Phrasal Parsers of the Czech Language: A Comparison ak 1 , Tom s Holan 2 ,

Outline Motivation Compared Parsers Differences of the Parses Results Conclusions and Future Directions Dependency and Phrasal Parsers of the Czech Language: A Comparison ak 1 , Tom s Holan 2 , Vladim r Kadlec 1 , Vojt r 1 Ale s

734 views • 46 slides
LR Parsing Compiler Design CSE 504 Shift-Reduce Parsing 1 LR Parsers 2 SLR and LR(1) Parsers

LR Parsing Compiler Design CSE 504 Shift-Reduce Parsing 1 LR Parsers 2 SLR and LR(1) Parsers

LR Parsing Compiler Design CSE 504 Shift-Reduce Parsing 1 LR Parsers 2 SLR and LR(1) Parsers 3 Last modifled: Fri Mar 06 2015 at 13:50:06 EST Version: 1.7 16:58:46 2016/01/29 Compiled at 12:57 on 2016/02/26 Compiler Design LR Parsing

418 views • 16 slides
CS406: Compilers Spring 2020 Week 5: Parsers, AST, and Semantic Routines 1 Recap 2 3

CS406: Compilers Spring 2020 Week 5: Parsers, AST, and Semantic Routines 1 Recap 2 3

CS406: Compilers Spring 2020 Week 5: Parsers, AST, and Semantic Routines 1 Recap 2 3 Top-down Parsing predictive parsers 4 Suggested reading: https://en.wikipedia.org/wiki/LL_parser Top-down Parsing contd.. Also called

750 views • 46 slides
Training Deterministic Parsers with Non-Deterministic Oracles by Yoav Goldberg and Joakim

Training Deterministic Parsers with Non-Deterministic Oracles by Yoav Goldberg and Joakim

Training Deterministic Parsers with Non-Deterministic Oracles by Yoav Goldberg and Joakim Nivre, 2013 Seminarvortrag Pius Meinert July 13, 2018 Training Deterministic Parsers with Non-Deterministic Oracles root PRD SBJ DOBJ IOBJ

842 views • 47 slides
Objectives Combinator Parsing Show how to build complex parsers by composing simpler parsers.

Objectives Combinator Parsing Show how to build complex parsers by composing simpler parsers.

Introduction Choices and Recursion Repeating and Composing Introduction Choices and Recursion Repeating and Composing Objectives Combinator Parsing Show how to build complex parsers by composing simpler parsers. Dr. Mattox Beckman

507 views • 5 slides
Instruction Parsers Nathan Jay Paradyn Project Scalable Tools Workshop Granlibakken, California

Instruction Parsers Nathan Jay Paradyn Project Scalable Tools Workshop Granlibakken, California

Random and Exhaustive T esting of Instruction Parsers Nathan Jay Paradyn Project Scalable Tools Workshop Granlibakken, California August 2016 Motivation Lots of tools parse binaries GNU 2 Instruction Parser Testing Motivation Parsers

697 views • 56 slides
SPAR ARQL: QL: More e than n a Shotgun tgun Weddin ing? 8 th Alberto Mendelzon International

SPAR ARQL: QL: More e than n a Shotgun tgun Weddin ing? 8 th Alberto Mendelzon International

June 5 2014 Recommender ommender Systems ms and SPAR ARQL: QL: More e than n a Shotgun tgun Weddin ing? 8 th Alberto Mendelzon International Workshop Cartagena, Colombia (AMW 2014) Victor Anthony Arras ascue Ayala Martin Przyjac

512 views • 27 slides
Lander-Waterman Statistics for Shotgun Sequencing Math 283: Ewens & Grant 5.1 Math 186: Not

Lander-Waterman Statistics for Shotgun Sequencing Math 283: Ewens & Grant 5.1 Math 186: Not

Lander-Waterman Statistics for Shotgun Sequencing Math 283: Ewens & Grant 5.1 Math 186: Not in book Prof. Tesler Math 186 & 283 Winter 2019 Prof. Tesler 5.1 Shotgun Sequencing Math 186 & 283 / Winter 2019 1 / 36 Genome

393 views • 36 slides
Lander-Waterman Statistics for Shotgun Sequencing Math 283: Ewens & Grant 5.1 Math 186: Not

Lander-Waterman Statistics for Shotgun Sequencing Math 283: Ewens & Grant 5.1 Math 186: Not

Lander-Waterman Statistics for Shotgun Sequencing Math 283: Ewens & Grant 5.1 Math 186: Not in book Prof. Tesler Math 186 & 283 Fall 2019 Prof. Tesler 5.1 Shotgun Sequencing Math 186 & 283 / Fall 2019 1 / 39 Genome sequencing

597 views • 39 slides
Taking Aim: Making Shotgun Wads that Wont Last Forever Dr. Kirk Havens Director Coastal

Taking Aim: Making Shotgun Wads that Wont Last Forever Dr. Kirk Havens Director Coastal

Taking Aim: Making Shotgun Wads that Wont Last Forever Dr. Kirk Havens Director Coastal Watersheds Program Virginia Institute of Marine Science College of William & Mary Dr. Donna Marie Bilkovic, David Stanhope, Kory Angstadt Plastic

651 views • 19 slides
Features of Statistical Parsers Mark Johnson Brown Laboratory for Linguistic Information

Features of Statistical Parsers Mark Johnson Brown Laboratory for Linguistic Information

Features of Statistical Parsers Mark Johnson Brown Laboratory for Linguistic Information Processing CoNLL 2005 1 Features of Statistical Parsers Confessions of a bottom-feeder: Dredging in the Statistical Muck Mark Johnson Brown Laboratory

879 views • 59 slides
of Voting Software Greg Dennis, Kuat Yessenov, Daniel Jackson Tobias Hartmann 1 2 2011,

of Voting Software Greg Dennis, Kuat Yessenov, Daniel Jackson Tobias Hartmann 1 2 2011,

Bounded Verification of Voting Software Greg Dennis, Kuat Yessenov, Daniel Jackson Tobias Hartmann 1 2 2011, www.e-voting.cc Electronic voting machines Used in the Netherlands since 1998 Introduced KOA Remote Voting System in 2004

801 views • 20 slides
Announcements PA1 available, due 01/28, 11:59p. Todays Plan Another sorting algorithm

Announcements PA1 available, due 01/28, 11:59p. Todays Plan Another sorting algorithm

Announcements PA1 available, due 01/28, 11:59p. Todays Plan Another sorting algorithm Runtime of recursive algorithms Correctness of recursive algorithms Warm-up Task: Given an array where 1 st and 2 nd halves are sorted, return

360 views • 8 slides
Shape Analysis Alon Milchgrub Overview Lisp review The concrete semantics The

Shape Analysis Alon Milchgrub Overview Lisp review The concrete semantics The

Shape Analysis Alon Milchgrub Overview Lisp review The concrete semantics The abstractions function The abstract semantics Discussion Lisp review In Lisp everything is a list The command cons concatenates two objects

840 views • 20 slides
Iterative Optimization in the Polyhedral Model: Part I, One-Dimensional Time Louis-Nol Pouchet ,

Iterative Optimization in the Polyhedral Model: Part I, One-Dimensional Time Louis-Nol Pouchet ,

Iterative Optimization in the Polyhedral Model: Part I, One-Dimensional Time Louis-Nol Pouchet , Cdric Bastoul, Albert Cohen and Nicolas Vasilache ALCHEMY, INRIA Futurs / University of Paris-Sud XI March 12, 2007 Fifth International

864 views • 47 slides
Reducing Gun Violence in Texas Joshua Horwitz Executive Director Jhorwitz@efsgv.org

Reducing Gun Violence in Texas Joshua Horwitz Executive Director Jhorwitz@efsgv.org

New Approaches to Reducing Gun Violence in Texas Joshua Horwitz Executive Director Jhorwitz@efsgv.org 202-408-7560 x1001 September 7, 2016 3 4 Source: CDCs WISQARS (Web -based Injury Statistics Query and Reporting System). Fatal

630 views • 17 slides
Suicide

Suicide

Suicide Prevention Center There is hope and there is help

257 views • 13 slides
Complete Legal Protection for Armed Self Defense We live in violent times Someone uses a gun for

Complete Legal Protection for Armed Self Defense We live in violent times Someone uses a gun for

Complete Legal Protection for Armed Self Defense We live in violent times Someone uses a gun for self defense once every 13 seconds. Every year, guns are used for self defense over 1.5 million times. It can happen to YOU! You may have to use

626 views • 17 slides
Talk outline Overview: Advantages and challenges of the SRF gun technology SRF gun

Talk outline Overview: Advantages and challenges of the SRF gun technology SRF gun

Survey of SRF guns First beam 21 st April 2011 Sergey Belomestnykh Collider-Accelerator Department, BNL July 25, 2011 SRF Conference Chicago July 25-29, 2011 Talk outline Overview: Advantages and challenges of the SRF gun

1.05k views • 26 slides

More recommend