reconstructing corrupt deflated files
play

Reconstructing Corrupt DEFLATEd Files Ralf D. Brown Carnegie - PowerPoint PPT Presentation

Mar 09, 2023 •38 likes •438 views

Reconstructing Corrupt DEFLATEd Files Ralf D. Brown Carnegie Mellon University 3 August 2011 Why do we care about DEFLATE compression? DEFLATE is Ubiquitous Many file types are in fact ZIP archives: OOXML (.docx, .xslx, .pptx)

  1. Reconstructing Corrupt DEFLATEd Files Ralf D. Brown Carnegie Mellon University 3 August 2011

  2. Why do we care about DEFLATE compression?

  3. DEFLATE is Ubiquitous ● Many file types are in fact ZIP archives: – OOXML (.docx, .xslx, .pptx) – OpenDocument (.odt, .odp, .odg, .ods) – ePub e-books, Comic Book archives (.epub, .cbz) – Java applications and Android apps (.jar, .apk) – WinAmp and Tribe 2 skins (.wsz, .vl2) ● Numerous other compressors use DEFLATE: – gzip – zlib – ALZip 3 August 2011 Carnegie Mellon Language Technologies Institute 3

  4. Off-the-Shelf ZIP Recovery Programs ● Can list archive contents based on central directory and/or scanning for local file headers ● Can extract intact archive members ● May be able to extract truncated members ● Can NOT extract members whose beginning is missing or overwritten ● Can NOT deal with split archives where one or more segments are missing 3 August 2011 Carnegie Mellon Language Technologies Institute 4

  5. Introducing ZipRec ● Prototype program to extract files from ZIP archives – Full recovery of intact members – Partial recovery of truncated members – Partial recovery from members missing beginning – Partial recovery from members with missing or corrupted middle ● Also offers some support for gzip files and zlib streams 3 August 2011 Carnegie Mellon Language Technologies Institute 5

  6. Example File ● HTML version of Cory Doctorow novel “Little Brother” (786,775 bytes) – Compressed using Info-Zip's zip version 3.0 – First 1024 bytes of archive removed 3 August 2011 Carnegie Mellon Language Technologies Institute 6

  7. Recovered Text Example 3 August 2011 Carnegie Mellon Language Technologies Institute 7

  8. Reconstructed Text Example 3 August 2011 Carnegie Mellon Language Technologies Institute 8

  9. Reconstructed Text Example 3 August 2011 Carnegie Mellon Language Technologies Institute 9

  10. Original Passage 3 August 2011 Carnegie Mellon Language Technologies Institute 10

  11. DEFLATE Compression ● By far the most common algorithm for ZIP files ● Two phases: – Replace repeated occurrences of multi-byte sequences within a 32 KB (optionally 64 KB) window with a reference to the previous occurrence – Apply Huffman coding to efficiently represent the mixed sequence of literal bytes and offset:length pairs ● Decompressor must track compressor's state – Missing the beginning of the bitstream prevents this 3 August 2011 Carnegie Mellon Language Technologies Institute 11

  12. DEFLATE: Chaining Occurrences t h e b e e s s t t o o f f t t h h e e r e s t o r t h e r e s t o o f f t t h h e e b e e s s t t 3 August 2011 Carnegie Mellon Language Technologies Institute 12

  13. DEFLATE: Chaining Occurrences t h e b e e s s t t o o f f t t h e h e r e s t o r t h e r e s t o o f f t t h h e e b e e s s t t 3 August 2011 Carnegie Mellon Language Technologies Institute 13

  14. DEFLATE: Chaining Occurrences t h e b e e s s t t o o f f t t h h e e r e s t o r t h e r e s t o o f f t t h e h e b e e s s t t t h e b e e s s t t o o f f t t h h e e r e s t o r t h e r e s t o o f f t t h e h e b e e s s t t 3 August 2011 Carnegie Mellon Language Technologies Institute 14

  15. DEFLATE: Chaining Occurrences t h e b e e s s t t o o f f 12/4 r 12/5 r 12/11 f 36/8 t h e b e e s s t t o o f f 12/4 r 12/5 r 12/6 24/11 36/4 3 August 2011 Carnegie Mellon Language Technologies Institute 15

  16. Recovering Compressor's State ● DEFLATE does not use adaptive Huffman coding, so the compressor breaks the stream into blocks, each of which may be – Uncompressed – Compressed with a predefined Huffman tree – Compressed with a tree transmitted in the stream ● Finding the start of a block gives us a known state for the Huffman compression – But not the contents of the back-reference window 3 August 2011 Carnegie Mellon Language Technologies Institute 16

  17. Finding the Start of a Block ● Three- BIT header (block type and last-block flag) ● Header can appear at any bit position ● Need to scan at every bit position, testing whether a validly-decompressible block starts at that bit – Valid header and Huffman tree – No invalid bit sequences in data stream ● Park et al (2008) did exactly such a scan in a brute- force manner – reported speed of 7 kilo bytes per second 3 August 2011 Carnegie Mellon Language Technologies Institute 17

  18. Efficiently Finding a Block Start ● Work from end of compressed stream – Provides a known end to each block – Eliminates half of the potential starting bits ● Do quick sanity checks before full decompression – is alphabet size legal? – is the Huffman tree of bit lengths legal? – if the Huffman tree passes muster, is there an end-of-data symbol at the end of the block? 3 August 2011 Carnegie Mellon Language Technologies Institute 18

  19. Partial Decompression ● Once we have found the first intact block, we can decompress from that point forward ● However, references to text prior to that point will be unknown ● Initially, most bytes are unknown, but the proportion decreases as we progress – Bytes can remain unknown far beyond the 64 KB window if a reference is made to a sequence containing an unknown byte 3 August 2011 Carnegie Mellon Language Technologies Institute 19

  20. Recovered Text 3 August 2011 Carnegie Mellon Language Technologies Institute 20

  21. Reconstructing Unknown Bytes ● Many of the unknown bytes have multiple occurrences – 75% of occurrences from copies of just 20% of the unknown bytes ● Many of those occurrences are the only unknown byte in a word – Can infer likely replacements ● Replacing some unknown bytes yields additional words from which we can infer replacements 3 August 2011 Carnegie Mellon Language Technologies Institute 21

  22. Eliminating Impossible Values t h e b e e ? t t o o f f t t h h e e r e s t o r t h e r e s t o o f f t t h h e e b e e s s t t Find all trigrams be? or e?t or “?t ” in training data. Eliminate all values not supported by training data trigrams from consideration. 3 August 2011 Carnegie Mellon Language Technologies Institute 22

  23. Inferring Unknown Bytes t h e b e e s s t t o ? f f t t h h e e r e s t ? r t h e r e s t ? f f t t h h e e b e e s s t t i,o o o 3 August 2011 Carnegie Mellon Language Technologies Institute 23

  24. Reconstructed Text (English) 3 August 2011 Carnegie Mellon Language Technologies Institute 24

  25. Reconstructed Text (Spanish, start of recovery) 3 August 2011 Carnegie Mellon Language Technologies Institute 25

  26. Reconstructed Text (Spanish, a little further) 3 August 2011 Carnegie Mellon Language Technologies Institute 26

  27. Reconstructed Text (Spanish, half-way) 3 August 2011 Carnegie Mellon Language Technologies Institute 27

  28. Reconstructed Text (Spanish, end of file) 3 August 2011 Carnegie Mellon Language Technologies Institute 28

  29. Limitations to Reconstruction ● Word-based – Will not work well with languages that don't use spaces – Current code can't handle multi-byte non-word characters ● Needs an appropriate language model – Differences between training data and the file being reconstructed degrade accuracy ● Mitigated by adding recovered literal text to model – Currently must supply the correct model manually 3 August 2011 Carnegie Mellon Language Technologies Institute 29

  30. Efficacy (1) ● Run in test mode, simulating a missing first byte for every archive member ● On ZipRec v0.9 source code (286 files, 3.8 MB) – 21 files consist of multiple packets – 97,053 literal bytes, 654,700 total bytes recoverable ● On a collection of downloaded zip archives (79 archives, 148 MB; containing 8310 files totalling 336 MB) – 859 files consist of multiple packets – 134 MB literal bytes, 199 MB total recoverable 3 August 2011 Carnegie Mellon Language Technologies Institute 30

  31. Efficacy (2) ● On disk image UAE10-009 from Real Data Corpus: – Detects ● 10,478 local file header signatures ● 11,725 central directory entries ● 550 end of central directory records – Extracts ● 6922 complete files (5309 short and stored uncompressed) ● 446 partial files ● Total 78 MB, of which 77 MB literal bytes 3 August 2011 Carnegie Mellon Language Technologies Institute 31

  32. Speed ● On the novel we have been using as an example: – unzip (intact file): 30ms – ZipRec recover: 290ms – ZipRec reconstruct: 58,000ms – 69,000ms ● On the ZipRec source code: – unzip (intact file): 105ms – ZipRec recover: 795ms – ZipRec reconstruct: 24,000ms ● Scanning disk image from Real Data Corpus: – about 2 minutes per gigabyte, including recovery 3 August 2011 Carnegie Mellon Language Technologies Institute 32

  33. Future Work ● Improved recovery – attempt to decompress the initial partial block using information from a first-pass reconstruction ● Improved reconstruction – automatic language identification to select proper model – higher-order language models ● GUI to manually fix reconstruction 3 August 2011 Carnegie Mellon Language Technologies Institute 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A framework for deflated BiCG and related solvers Martin H. Gutknecht Seminar for Applied

A framework for deflated BiCG and related solvers Martin H. Gutknecht Seminar for Applied

http://www.sam. ma th. et hz .h /~ mh g A framework for deflated BiCG and related solvers Martin H. Gutknecht Seminar for Applied Mathematics, ETH Zurich SIAM Conference on Applied Linear Algebra Valencia, 20 June 2012 Joint work

211 views • 19 slides
What is a Jar File? Java archive (jar) files are compressed files that can store one or many

What is a Jar File? Java archive (jar) files are compressed files that can store one or many

Creating Jar Files Based on slides by: Jin Hung, Gregory Olds, George Blank, Sun Java Web Site What is a Jar File? Java archive (jar) files are compressed files that can store one or many files. Jar files normally contain java or class

507 views • 19 slides
What is a Jar File? Java archive (jar) files are compressed files that can store one or many

What is a Jar File? Java archive (jar) files are compressed files that can store one or many

Creating Jar Files Based on slides by: Jin Hung, Gregory Olds, George Blank, Sun Java Web Site What is a Jar File? Java archive (jar) files are compressed files that can store one or many files. Jar files normally contain java or class

434 views • 22 slides
Interacting with Files Python Files Files Basic container of data in modern computing

Interacting with Files Python Files Files Basic container of data in modern computing

Interacting with Files Python Files Files Basic container of data in modern computing system Organized into a hierarchy of directories Files / /etc /Applications /var /tmp /Users /etc/Apache /etc/master.passwd

232 views • 19 slides
Using files ITEC 1630 We save data in files on disk or some Week 9: Files & Streams

Using files ITEC 1630 We save data in files on disk or some Week 9: Files & Streams

Using files ITEC 1630 We save data in files on disk or some Week 9: Files & Streams other media so that we dont lose it even if the computer is shut off Files can store more data than may fit in Yves Lesprance working memory

248 views • 4 slides
Accessing Files in Python Learning Objectives Concepts about files in Python How to open

Accessing Files in Python Learning Objectives Concepts about files in Python How to open

Accessing Files in Python Learning Objectives Concepts about files in Python How to open files Different ways of reading files How to write out files How to read then search, count, etc. on files Concepts about

615 views • 26 slides
Flat Files vs. DB Files So far, our PHP examples have

Flat Files vs. DB Files So far, our PHP examples have

Flat Files vs. DB Files So far, our PHP examples have used regular text files O>en called FLAT FILES These have a certain advantage,

554 views • 22 slides
The Foreign Corrupt Practices Act US legislation with global implications Illustration:

The Foreign Corrupt Practices Act US legislation with global implications Illustration:

The Foreign Corrupt Practices Act US legislation with global implications Illustration: Getty Images Dick Thornburgh, Edward J Fishman, Michael J Missal, Jeffrey B Maletta and Matt T Morley of K&L Gates LLP examine anti-corruption

304 views • 6 slides
Optimizing zlib for A deflated story Adenilson Cavalcanti BS. MSc. Staff Engineer - Arm San Jose

Optimizing zlib for A deflated story Adenilson Cavalcanti BS. MSc. Staff Engineer - Arm San Jose

Optimizing zlib for A deflated story Adenilson Cavalcanti BS. MSc. Staff Engineer - Arm San Jose (CA) What to optimize in Chromium What to optimize in Chromium Too big. Too many areas. What would be helpful? What to optimize in

865 views • 54 slides
Outline ! Introduction ! Basic

Outline ! Introduction ! Basic

File Structures An Introduction Outline ! Introduction ! Basic Concepts ! Secondary Storage ! Sequential Files ! Direct Files ! Indexed Files ! Tree-Based Files ! Multilist &

364 views • 35 slides
What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices Marius Muench 1 Jan

What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices Marius Muench 1 Jan

What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices Marius Muench 1 Jan Stijohann 2 , 3 Frank Kargl 3 elien Francillon 1 Davide Balzarotti 1 Aur 1 EURECOM 2 Siemens AG 3 Ulm University Introduction Embedded

474 views • 29 slides
Foreign Corrupt Practices Act in Latin America Implementing FCPA Compliance Programs and

Foreign Corrupt Practices Act in Latin America Implementing FCPA Compliance Programs and

Presenting a live 90-minute webinar with interactive Q&A Foreign Corrupt Practices Act in Latin America Implementing FCPA Compliance Programs and Mitigating Legal Risks TUES DAY, FEBRUARY 14, 2012 1pm East ern | 12pm Cent ral |

983 views • 54 slides
Indexed Files : Outline ! Introduction ! Indexed Files ! Full Index Organization ! Indexed

Indexed Files : Outline ! Introduction ! Indexed Files ! Full Index Organization ! Indexed

Indexed Files : Outline ! Introduction ! Indexed Files ! Full Index Organization ! Indexed Sequential Files ! Multilevel Indexes ! Overflow Management ! Performance Analysis rasitjutrakul Indexed Files Ordered Random access sequential

536 views • 22 slides
Foreign Corrupt Practices Act Reform: A Path Toward Practical Compliance December 6, 2011

Foreign Corrupt Practices Act Reform: A Path Toward Practical Compliance December 6, 2011

Foreign Corrupt Practices Act Reform: A Path Toward Practical Compliance December 6, 2011 Squire, Sanders & Dempsey 1200 19 th Street, NW Suite 300 Washington, DC 20036 +1.202.626.6600 Beijing Berlin Birmingham Bratislava

625 views • 21 slides
FOUND IN TRANSLATION: Reconstructing Phylogenetic Language Trees Reconstructing Phylogenetic

FOUND IN TRANSLATION: Reconstructing Phylogenetic Language Trees Reconstructing Phylogenetic

FOUND IN TRANSLATION: Reconstructing Phylogenetic Language Trees Reconstructing Phylogenetic Language Trees Reconstructing Phylogenetic Language Trees Reconstructing Phylogenetic Language Trees from Translations from Translations from

178 views • 17 slides
Foreign Corrupt Practices Act in India Compliance Strategies for India's Unique Cultural and

Foreign Corrupt Practices Act in India Compliance Strategies for India's Unique Cultural and

Presenting a live 90 minute webinar with interactive Q&A Foreign Corrupt Practices Act in India Compliance Strategies for India's Unique Cultural and Governmental Intricacies THURS DAY, MAY 26, 2011 1pm Eastern | 12pm Central |

518 views • 47 slides
H AMPTON R OADS M ILITARY T RANSPORTATION N EEDS S TUDY 2018 U P D A T E P R E S E N T E D B Y : S

H AMPTON R OADS M ILITARY T RANSPORTATION N EEDS S TUDY 2018 U P D A T E P R E S E N T E D B Y : S

H AMPTON R OADS M ILITARY T RANSPORTATION N EEDS S TUDY 2018 U P D A T E P R E S E N T E D B Y : S A M B E L F I E L D H A M P T O N R O A D S T R A N S P O R TAT I O N P L A N N I N G O R G A N I Z AT I O N M E E T I N G A G E N D A I T E M # 1 3 J

184 views • 14 slides
Defense Security Service Defense Security Service Cybersecurity Operations Division

Defense Security Service Defense Security Service Cybersecurity Operations Division

UNCLASSIFIED//FOUO Defense Security Service Defense Security Service Cybersecurity Operations Division Counterintelligence UNCLASSIFIED//FOUO UNCLASSIFIED Defense Security Service DSS Mission Capability DSS Supports national security and

490 views • 33 slides
Integration Spiral Results Wende Peters, JH-APL wende.peters@jhuapl.edu iacd@jhuapl.edu

Integration Spiral Results Wende Peters, JH-APL wende.peters@jhuapl.edu iacd@jhuapl.edu

Integrated Adaptive Cyber Defense: Integration Spiral Results Wende Peters, JH-APL wende.peters@jhuapl.edu iacd@jhuapl.edu September 2015 Integrated Adaptive Cyber Defense Cybersecurity Reality in the Greater Cyber Ecosystem We arent

660 views • 53 slides
Big Data Platform Lessons Learned in Growing a Big Data Capability for Network Defense Who am I?

Big Data Platform Lessons Learned in Growing a Big Data Capability for Network Defense Who am I?

Big Data Platform Lessons Learned in Growing a Big Data Capability for Network Defense Who am I? - Technical Director, Enlighten IT Consulting, a MacAulay-Brown company - Software Engineering Consultant - Helped found Apache Rya - Chief

600 views • 17 slides
VacuNest S hape M emory T ooling shaping the future ~ today VacuNest is a NOVATEC technology

VacuNest S hape M emory T ooling shaping the future ~ today VacuNest is a NOVATEC technology

RCAB VacuNest S hape M emory T ooling shaping the future ~ today VacuNest is a NOVATEC technology VacuNest RCAB Shape Memory Tooling shaping the future ~ today PRIOR ART SOLUTIONS RCAB TECHNOLOGI ES DEDI CATED TOOLS FLEXI BLE PI N

406 views • 19 slides
Reweaving Local: Transition Towns & Timebanking A new way of thinking about time, wealth, and

Reweaving Local: Transition Towns & Timebanking A new way of thinking about time, wealth, and

Reweaving Local: Transition Towns & Timebanking A new way of thinking about time, wealth, and community 1 What is Timebanking? At its most basic level, a Timebank is a community of people who support each other. Time Banking

340 views • 16 slides
1 INTRODUCTION Indias GDP growth since the 90 s has been led by services sector

1 INTRODUCTION Indias GDP growth since the 90 s has been led by services sector

1 INTRODUCTION Indias GDP growth since the 90 s has been led by services sector Service sector growth has increased from 8.0% in 2012- 13 to 9.1% in 2013-14 and further to 10.6% in 2014-15. Currently India estimates Wholesale

874 views • 61 slides
Remittances over the Cycle: Dynamics and Smoothing Ergys Islamaj (Vassar College) Ayhan Kose

Remittances over the Cycle: Dynamics and Smoothing Ergys Islamaj (Vassar College) Ayhan Kose

Motivation Fiscal space Fiscal policy Effectiveness Institutions Policy implications Remittances over the Cycle: Dynamics and Smoothing Ergys Islamaj (Vassar College) Ayhan Kose (World Bank, DECPG) Supriyo De (World Bank, DECPG) S. Reza

700 views • 33 slides

More recommend