toward automated grammar extraction
play

Toward Automated Grammar Extraction via Semantic Labeling of - PowerPoint PPT Presentation

Oct 19, 2022 •186 likes •643 views

Toward Automated Grammar Extraction via Semantic Labeling of Parser Implementations Carson Harmon Bradford Larsen Evan Sultanik LangSec Workshop at IEEE Security & Privacy, May 21, 2020 The Problem The Problem The Problem # !

  1. Toward Automated Grammar Extraction via Semantic Labeling of Parser Implementations Carson Harmon Bradford Larsen Evan Sultanik LangSec Workshop at IEEE Security & Privacy, May 21, 2020

  2. The Problem

  3. The Problem

  4. The Problem # ! ✓ ⛔

  5. The Problem $

  6. The Problem ✓ ✓ $ ✓ ✓

  7. High Level Goals Create semantic map of the functions in a parser, which will improve grammar extraction. & ' % ???

  8. High Level Goals Create semantic map of the functions in a parser, which will improve grammar extraction. parser_function1 & ↳ byte 0, 10, 50 Object Stream % parser_function2 ↳ byte 10, 74 Xref parser_function3 ↳ byte 20 JFIF

  9. High Level Goals Create semantic map of the functions in a parser, which will improve grammar extraction. parser_function1 & ↳ byte 0, 10, 50 Ultimate Goal: Automatically Object Stream extract a minimal grammar % specifying the files accepted by a parser_function2 parser ↳ byte 10, 74 Hypothesis: The majority of the Xref potential for maliciousness and schizophrenia will exist in the parser_function3 symmetric di ff erence of the ↳ byte 20 grammars accepted by a format’s parser implementations JFIF

  10. Approach Semantic Ground Truth Instrumentation Associative Labeling Label the Type Composition Use universal taint analysis Merge the results of the first Hierarchy of the input files to track all input bytes two steps to produce a through the execution of a labeling of which functions parser operate on which types Detect backtracking Detect error handling Di ff erential analysis

  11. Approach Semantic Ground Truth Instrumentation Associative Labeling Label the Type Composition Use universal taint analysis Merge the results of the first Hierarchy of the input files to track all input bytes two steps to produce a through the execution of a labeling of which functions parser operate on which types Detect backtracking ✓ Detect error handling Di ff erential analysis

  12. Approach Semantic Ground Truth Instrumentation Associative Labeling Grammar Extraction (future work) Label the Type Composition Use universal taint analysis Merge the results of the first Hierarchy of the input files to track all input bytes two steps to produce a through the execution of a labeling of which functions parser operate on which types Detect backtracking ✓ Detect error handling Di ff erential analysis

  13. Prior Work: Semantic Labeling Polyglot-Aware File Identification Resilient Parsing Syntax Tree iNES [0x0 → 0x12220] Modify parsers for best e ff ort ' ↳ Magic [0x0 → 0x3] Header [0x4 → 0xF] ??? iNES ROM Instrument to track input byte o ff sets ⋮ PRG [0xC210 → 0x1020F] Label regions of the input CHR [0x10210 → 0x12220] PDF PDF [0x10 → 0x2EF72F] Produce ground truth ↳ Magic [0x10 → 0x1E] ZIP Object 1.0 [0x1F → 0x12221] ↳ Dictionary [0x2A → 0x3E] Stream [0x3F → 0x12219] ↳ JFIF Image [0x46 → 0x1220F] ↳ JPEG Segment […] ↳ Magic […] Marker […] ⋮

  14. PolyFile Ground Truth '

  15. PolyFile Ground Truth '

  16. Prior Work: Parser Instrumentation LLVM Instrumentation Taint Tracking Operate on LLVM/IR Shadow memory inspired by Novel datastructure for the Data Flow Sanitizer e ffi ciently storing taint labels Can work with all open (dfsan) source parsers dfsan status quo: Negligible CPU overhead 훩 (1) lookups Eventually support closed- 훩 ( n ² ) storage source binaries by lifting to O ( n ) memory overhead, LLVM ( e.g. , with McSEMA where n is the number of PolyTracker: or Remill) instructions executed by the O (log n ) lookups parser O ( n ) storage

  17. PolyTracker Instrumentation { "ensure_solid_xref" : [ 2276587, 2276588 ], "fmt_obj" : [ 2465223, 2465224, 2465225, 2465226, 2465227, 2465228, 2465240, 2465241, 2465242, 2465243, 2465244, 2465245, 2465246, 2465258, 2465259, 2465260, 2465261, 2465262 ] }

  18. PolyTracker Instrumentation { iNES [0x0 → 0x12220] "ensure_solid_xref" : [ 2276587, ↳ Magic [0x0 → 0x3] 2276588 Header [0x4 → 0xF] ], "fmt_obj" : [ ⋮ 2465223, PRG [0xC210 → 0x1020F] 2465224, 2465225, CHR [0x10210 → 0x12220] 2465226, PDF [0x10 → 0x2EF72F] 2465227, ↳ Magic [0x10 → 0x1E] 2465228, 2465240, Object 1.0 [0x1F → 0x12221] 2465241, ↳ Dictionary [0x2A → 0x3E] 2465242, 2465243, Stream [0x3F → 0x12219] 2465244, ↳ JFIF Image [0x46 → 0x1220F] 2465245, 2465246, ↳ JPEG Segment […] 2465258, ↳ Magic […] 2465259, 2465260, Marker […] 2465261, ⋮ 2465262 ] }

  19. PolyTracker Instrumentation { iNES [0x0 → 0x12220] "ensure_solid_xref" : [ 2276587, Trailer ↳ Magic [0x0 → 0x3] ensure_solid_xref 2276588 XRef Header [0x4 → 0xF] ], "fmt_obj" : [ ⋮ Object 2465223, fmt_obj PRG [0xC210 → 0x1020F] Dictionary 2465224, 2465225, CHR [0x10210 → 0x12220] 2465226, PDF [0x10 → 0x2EF72F] 2465227, ↳ Magic [0x10 → 0x1E] 2465228, 2465240, Object 1.0 [0x1F → 0x12221] 2465241, ↳ Dictionary [0x2A → 0x3E] 2465242, 2465243, Stream [0x3F → 0x12219] 2465244, ↳ JFIF Image [0x46 → 0x1220F] 2465245, 2465246, ↳ JPEG Segment […] 2465258, ❓ ↳ Magic […] 2465259, 2465260, Marker […] 2465261, ⋮ 2465262 ] }

  20. The Challenge of Associative Labeling How can we associate types in the file format to the set of functions most specialized in operating on that type? Observations Raw mapping is not necessarily injective: A parser’s functional implementation will rarely There will rarely be a Parser 1 Parser 2 be isomorphic to the type perfect bijection between the Specialized Specialized hierarchy or syntax tree of types and functions Function Function Monolithic the input file Function Specialized Function

  21. Information Entropy Idea: Use information entropy to measure function specialization • For each type, collect the functions that operate on that type • Calculate P ( t, f ) = the probability that a specific type occurs within a function • Calculate the “genericism” of a function G : F → ℝ • Use G to sort the functions associated with a type, discarding all but the smallest (most specialized) standard deviation

  22. Problem: Code is Too Monolithic The parser has a single function responsible for parsing multiple types Parser 1 Monolithic Function

  23. Problem: Code is Too Monolithic The parser has a single function responsible for parsing multiple types • Calculate the dominator tree of the syntax tree

  24. Problem: Code is Too Monolithic The parser has a single function responsible for parsing multiple types • Calculate the dominator tree of the syntax tree • Remove a function from the matching for a type if there exists an ancestor of the type in the dominator tree that maps to the same function

  25. Problem: Code is Too Monolithic The parser has a single function responsible for parsing multiple types • Calculate the dominator tree of the syntax tree • Remove a function from the matching for a type if there exists an ancestor of the type in the dominator tree that maps to the same function

  26. Problem: Code is Too Monolithic The parser has a single function responsible for parsing multiple types • Calculate the dominator tree of the syntax tree parse_pdf_dictionary • Remove a function from the matching for a type if there exists an ancestor of the type in the dominator tree that maps to the same function

  27. Problem: Code is Too Monolithic The parser has a single function responsible for parsing multiple types • Calculate the dominator tree of the syntax tree parse_pdf_dictionary • Remove a function from the matching for a type if there exists an ancestor of the type in the dominator tree that maps to the same function

  28. Problem: Code is Too Cohesive The parser has many, tightly coupled functions collectively responsible for parsing a single type • If those functions are always called sequentially, then we ideally Parser 2 only want the single function that initiates the sequence Specialized Specialized Function Function • Calculate the dominator tree of the runtime control flow graph Specialized Function • For each type, remove any functions in the matching that have an ancestor in the dominator tree that is also in the matching

  29. Problem: Code is Too Cohesive The parser has many, tightly coupled functions collectively responsible for parsing a single type • If those functions are always called sequentially, then we ideally only want the single function that initiates the sequence • Calculate the dominator tree of the runtime control flow graph • For each type, remove any functions in the matching that have an ancestor in the dominator tree that is also in the matching

  30. pdf_load_xref pdf_read_start_xref pdf_prime_xref_index

  31. PDF pdf_load_xref XRef pdf_read_start_xref pdf_prime_xref_index

  32. PDF pdf_load_xref XRef pdf_read_start_xref pdf_prime_xref_index

  33. Results • Runs in O (| F | n log | T |) time ◦ F = # functions in the parser ◦ T = # types (or production rules) in the grammar ◦ n = # bytes in the input file • Mappings for various parsers and file formats • Implementation in the polymerge application distributed with PolyFile: ◦ pip3 install polyfile

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Automated Feature Extraction Automated Feature Extraction for Object Recognition for Object

Automated Feature Extraction Automated Feature Extraction for Object Recognition for Object

Automated Feature Extraction Automated Feature Extraction for Object Recognition for Object Recognition I.Levner and V.Bulitko http://ircl.cs.ualberta.ca Outline Outline Motivation System Overview Feature Extraction Problem

601 views • 15 slides
Data Mining l The Extraction of useful information from data l The automated extraction of hidden

Data Mining l The Extraction of useful information from data l The automated extraction of hidden

Data Mining l The Extraction of useful information from data l The automated extraction of hidden predictive information from (large) databases l Business, Huge data bases, customer data, mine the data Also Medical, Genetic, Astronomy, etc. l

535 views • 32 slides
Automated Acquisition of Linguistic Knowledge for Robust Multilingual Grammar Development Valia

Automated Acquisition of Linguistic Knowledge for Robust Multilingual Grammar Development Valia

Introduction Acquisition of MWEs: Theoretical Background & Motivation Detection of MWEs candidates Evaluation of the Identification of MWEs Extension of the English Resource Grammar with MWEs Enhancing Robustness of the German Grammar

1.06k views • 103 slides
Semantics: Semantic Grammar & Information Extraction CMSC 35100 Natural Language Processing

Semantics: Semantic Grammar & Information Extraction CMSC 35100 Natural Language Processing

Semantics: Semantic Grammar & Information Extraction CMSC 35100 Natural Language Processing May 13, 2003 Potential Projects Develop a morphological transducer for a portion of a language of your choice Improve the output of a

565 views • 20 slides
Automated Extraction and Processing Solutions Ancillary equipment, products and services for the

Automated Extraction and Processing Solutions Ancillary equipment, products and services for the

P I C K S , S H O V E L S A N D C A N N A B I S Automated Extraction and Processing Solutions Ancillary equipment, products and services for the Cannabis Industry Fall 2017 quadroncannatech.com Green to Gold CSE: QCC

390 views • 18 slides
Inspector Gadget Automated Extraction of Proprietary Gadgets from Malware Binaries Clemens

Inspector Gadget Automated Extraction of Proprietary Gadgets from Malware Binaries Clemens

Int. Secure Systems Lab Vienna University of Technology Inspector Gadget Automated Extraction of Proprietary Gadgets from Malware Binaries Clemens KOLBITSCH Thorsten HOLZ Engin KIRDA Christopher KRUEGEL ck@iseclab.org Int.

622 views • 39 slides
Automated Extraction of Accurate Delay/Timing Macromodels of Digital Gates and Latches using

Automated Extraction of Accurate Delay/Timing Macromodels of Digital Gates and Latches using

Automated Extraction of Accurate Delay/Timing Macromodels of Digital Gates and Latches using Trajectory Piecewise Methods Sandeep Dabas*, Ning Dong + Jaijeet Roychowdhury* * University of Minnesota, Twin Cities, USA + Texas Instruments, Dallas,

223 views • 19 slides
Automated and Accurate Geometry Extraction and Shape Optimisation of 3D Topology Optimisation

Automated and Accurate Geometry Extraction and Shape Optimisation of 3D Topology Optimisation

Automated and Accurate Geometry Extraction and Shape Optimisation of 3D Topology Optimisation Results London 15 th of October 2019 Femto Engineering Marco Swierstra www.nafems.org Introduction Topology optimisation Design

458 views • 22 slides
Aspect Extraction with Automated Prior Knowledge Learning Zhiyuan (Brett) Chen Arjun Mukherjee

Aspect Extraction with Automated Prior Knowledge Learning Zhiyuan (Brett) Chen Arjun Mukherjee

Aspect Extraction with Automated Prior Knowledge Learning Zhiyuan (Brett) Chen Arjun Mukherjee Bing Liu Aspect Extraction Extracting aspect terms Aspect Terms This camera takes beautiful pictures but its price is

975 views • 74 slides
PEAK: Pyramid Evaluation via Automated Knowledge Extraction Qian Yang , Rebecca J. Passonneau,

PEAK: Pyramid Evaluation via Automated Knowledge Extraction Qian Yang , Rebecca J. Passonneau,

PEAK: Pyramid Evaluation via Automated Knowledge Extraction Qian Yang , Rebecca J. Passonneau, Gerard de Melo PhD Candidate, Tsinghua University Visiting Student, Columbia University http://www.larayang.com/ Content Evaluating Summary

575 views • 35 slides
Automated Anatomical Likelihood Driven Extraction and Branching Detection of Aortic Arch in 3-D

Automated Anatomical Likelihood Driven Extraction and Branching Detection of Aortic Arch in 3-D

Nagoya University Automated Anatomical Likelihood Driven Extraction and Branching Detection of Aortic Arch in 3-D Chest CT Marco Feuerstein a , Takayuki Kitasaka b,c , Kensaku Mori a,c a Graduate School of Information Science, Nagoya University b

150 views • 14 slides
Picks, Shovels & Cannabis: Automated Extraction and Processing Solutions Ancillary equipment,

Picks, Shovels & Cannabis: Automated Extraction and Processing Solutions Ancillary equipment,

Picks, Shovels & Cannabis: Automated Extraction and Processing Solutions Ancillary equipment, products and services for the Cannabis Industry 2017 om gold Su Summer 2017 qu quadr dronca cannatech ch.c .com gr green to go

593 views • 20 slides
Automated Model Extraction and Testing of Graphical User Interface Applications Pekka Aho

Automated Model Extraction and Testing of Graphical User Interface Applications Pekka Aho

Automated Model Extraction and Testing of Graphical User Interface Applications Pekka Aho Abstract The industry practice for test automation through graphical user interface (GUI) is script-based. In some tools the scripts can be recorded from

193 views • 8 slides
mwetoolkit: A tool for automated extraction of multi-word expressions Vtor De Arajo Carlos

mwetoolkit: A tool for automated extraction of multi-word expressions Vtor De Arajo Carlos

mwetoolkit: A tool for automated extraction of multi-word expressions Vtor De Arajo Carlos Ramisch Multi-word expressions Combinations of words that present linguistical or statistical idiosyncrasies Phrasal verbs: carry up, consist

403 views • 16 slides
Development R&D Review Automated Grouping Model Extraction from BIM Data Unified Fire-Egress

Development R&D Review Automated Grouping Model Extraction from BIM Data Unified Fire-Egress

Development R&D Review Automated Grouping Model Extraction from BIM Data Unified Fire-Egress Visualization www.thunderheadeng.com Recent Development Work PyroSim Updated Simulator Support: FDS 5.5, 5.6, 5.7 Preview Support for

556 views • 55 slides
Automated Extraction of Threat Signatures from Network Flows Piotr Kijewski CERT Polska/NASK

Automated Extraction of Threat Signatures from Network Flows Piotr Kijewski CERT Polska/NASK

Automated Extraction of Threat Signatures from Network Flows Piotr Kijewski CERT Polska/NASK FIRST 2006 Conference, Baltimore, USA 25-30th June 2006 Agenda Identifying the problem Definition of a network threat signature

583 views • 32 slides
PROBABILITY THEORY Lecture 1 Basics Lecture 2 Independence and Bernoulli Trials

PROBABILITY THEORY Lecture 1 Basics Lecture 2 Independence and Bernoulli Trials

TABLE OF CONTENTS PROBABILITY THEORY Lecture 1 Basics Lecture 2 Independence and Bernoulli Trials Lecture 3 Random Variables Lecture 4 Binomial Random Variable Applications, Conditional Probability Density Function and

779 views • 35 slides
Polyteam Semantics Team Semantics Axiomatizations in team semantics Polyteams and Jonni

Polyteam Semantics Team Semantics Axiomatizations in team semantics Polyteams and Jonni

Polyteam Semantics Jonni Virtema Backround Polyteam Semantics Team Semantics Axiomatizations in team semantics Polyteams and Jonni Virtema poly-dependence Axioms of University of Helsinki, Finland poly-dependence

513 views • 34 slides
Exponential-Time Approximation of Hard Problems Lukasz Kowalik joint work with: Marek Cygan,

Exponential-Time Approximation of Hard Problems Lukasz Kowalik joint work with: Marek Cygan,

Exponential-Time Approximation of Hard Problems Lukasz Kowalik joint work with: Marek Cygan, Marcin Pilipczuk and Mateusz Wykurz University of Warsaw, Poland Dahstuhl Seminar on Moderately Exponential Time Algorithms, 19-24.10.2008 Lukasz

647 views • 53 slides
Programmable Hash Functions in the Multilinear Setting Eduarda S. V. Freire, Dennis Hofheinz,

Programmable Hash Functions in the Multilinear Setting Eduarda S. V. Freire, Dennis Hofheinz,

Programmable Hash Functions in the Multilinear Setting Eduarda S. V. Freire, Dennis Hofheinz, Kenneth G. Paterson and Christoph Striecks CRYPTO 2013 - Santa Barbara, CA, U.S.A. August 20, 2013 Programmable Hash Functions (PHFs) Part 1

545 views • 38 slides
Faster hitting-sets for certain ROABP Nitin Saxena (IIT Kanpur, India) (Based on joint works with

Faster hitting-sets for certain ROABP Nitin Saxena (IIT Kanpur, India) (Based on joint works with

Faster hitting-sets for certain ROABP Nitin Saxena (IIT Kanpur, India) (Based on joint works with Rohit, Rishabh, Arpita) 2016, , Tel-Aviv Contents Polyn lynomia ial id l identi tity ty te test stin ing ABP ROABP ideas

538 views • 24 slides
Mathematically Structured but not Necessarily Functional Programming Andrej Bauer Department of

Mathematically Structured but not Necessarily Functional Programming Andrej Bauer Department of

Mathematically Structured but not Necessarily Functional Programming Andrej Bauer Department of Mathematics and Physics University of Ljubljana, Slovenia Mathematically Structured Functional Programming Reykjavik, July 2008 Ways of

533 views • 22 slides
Buffers and centroids Zev Ross President, ZevRoss Spatial Analysis DataCamp Spatial Analysis

Buffers and centroids Zev Ross President, ZevRoss Spatial Analysis DataCamp Spatial Analysis

DataCamp Spatial Analysis with sf and raster in R SPATIAL ANALYSIS WITH SF AND RASTER IN R Buffers and centroids Zev Ross President, ZevRoss Spatial Analysis DataCamp Spatial Analysis with sf and raster in R Use a projected coordinate

664 views • 42 slides
Active Learning for Supervised Classification Maria-Florina Balcan Carnegie Mellon University

Active Learning for Supervised Classification Maria-Florina Balcan Carnegie Mellon University

Active Learning for Supervised Classification Maria-Florina Balcan Carnegie Mellon University Active Learning of Linear Separators Maria-Florina Balcan Carnegie Mellon University Two Minute Version Modern applications: massive amounts of raw

460 views • 28 slides

More recommend