advances in grammar mining and testing
play

Advances in Grammar Mining and Testing Andreas Zeller CISPA / - PowerPoint PPT Presentation

Jan 03, 2023 •203 likes •840 views

Advances in Grammar Mining and Testing Andreas Zeller CISPA / Saarland University https://github.com/vrthra/pygmalion @AndreasZeller Saarbrcken @AndreasZeller CISPA | Center for IT-Security, Privacy and Accountability Scienti

  1. Advances in Grammar Mining and Testing Andreas Zeller CISPA / Saarland University https://github.com/vrthra/pygmalion @AndreasZeller

  2. Saarbrücken @AndreasZeller

  3. ─┐ CISPA | Center for IT-Security, Privacy and Accountability └─

  4. Scienti fj c excellence in fundamental research 50,000,000 € /year • 500+ researchers ─┐ CISPA | Center for IT-Security, Privacy and Accountability └─

  5. Fuzzing 
 Random Testing at the System Level [;x1-GPZ+wcckc];,N9J+?#6^6\e?]9lu2_%'4GX"0VUB[E/r ~fApu6b8<{%siq8Zh.6{V,hr?;{Ti.r3PIxMMMv6{xS^+'Hq!AxB"YXRS@! Kd6;wtAMefFWM(`|J_<1~o}z3K(CCzRH JIIvHz>_*.\>JrlU32~eGP? lR=bF3+;y$3lodQ<B89!5"W2fK*vE7v{')KC-i,c{<[~m!]o;{.'}Gj\(X} EtYetrpbY@aGZ1{P!AZU7x#4(Rtn!q4nCwqol^y6}0| Ko=*JK~;zMKV=9Nai:wxu{J&UV#HaU)*BiC<),`+t*gka<W=Z. %T5WGHZpI30D<Pq>&]BS6R&j?#tP7iaV}-}`\?[_[Z^LBMPG- FKj'\xwuZ1=Q`^`5,$N$Q@[!CuRzJ2D|vBy!^zkhdf3C5PAkR?V hn| 3='i2Qx]D$qs4O`1@fevnG'2\11Vf3piU37@55ap\zIyl"'f, $ee,J4Gw:cgNKLie3nx9(`efSlg6#[K"@WjhZ}r[Scun&sBCS,T[/ vY'pduwgzDlVNy7'rnzxNwI)(ynBa>%|b`;`9fG]P_0hdG~$@6 3]KAeEnQ7lU)3Pn,0)G/6N-wyzj/MTd#A;r

  6. Fuzzing 
 Random Testing at the System Level Fuzzer UNIX utilities “ab’d&gfdfggg” grep • sh • sed … 25%–33%

  7. Grammar Fuzzing • Suppose you want to test a parser – 
 to compile and execute a program • To get deep into the program, you need 
 syntactically correct inputs Parser @AndreasZeller

  8. LangFuzz (2012) • Fuzz tester for JavaScript and other languages • Uses a full- fm edged grammar to generate inputs • Uses grammar 
 to parse existing inputs

  9. JavaScript Grammar If Statement IfStatement full ⇒ if ParenthesizedExpression Statement full | if ParenthesizedExpression Statement noShortIf else Statement full IfStatement noShortIf ⇒ if ParenthesizedExpression Statement noShortIf else Statement noShortIf Switch Statement SwitchStatement ⇒ switch ParenthesizedExpression { } | switch ParenthesizedExpression { CaseGroups LastCaseGroup } CaseGroups ⇒ «empty» | CaseGroups CaseGroup CaseGroup ⇒ CaseGuards BlockStatementsPrefix LastCaseGroup CaseGuards BlockStatements

  10. A Generated Input 1 var haystack = "foo" ; 2 var re text = "^foo" ; 3 haystack += "x" ; 4 re text += "(x)" ; Parser 5 var re = new RegExp(re text); 6 re. test(haystack); 7 RegExp.input = Number(); 8 print(RegExp.$1); Figure 2: Test case generated by LangFuzz,

  11. Fuzzing JavaScript # defects 6 Mozilla TI 5 Google V8 4 (Chrome 10 Beta) 3 Mozilla TM (Firefox 4 Beta) 2 18 Chromium Security Rewards 1 12 Mozilla Security Bug Bounty Awards US$ 50,000+ in fj rst four weeks in 9 months 0 0 2 4 6 8 10 # days

  12. Learning Grammars If Statement IfStatement full ⇒ if ParenthesizedExpression Statement full | if ParenthesizedExpression Statement noShortIf else Statement full IfStatement noShortIf ⇒ if ParenthesizedExpression Statement noShortIf else Statement noShortIf Switch Statement SwitchStatement ⇒ switch ParenthesizedExpression { } | switch ParenthesizedExpression { CaseGroups LastCaseGroup } CaseGroups ⇒ «empty» | CaseGroups CaseGroup CaseGroup ⇒ CaseGuards BlockStatementsPrefix LastCaseGroup CaseGuards BlockStatements

  13. Learning Grammars • Let us characterize program behavior 
 via its input/output language • Assume I/O is a stream of characters (symbols) • Assume we can characterize this stream 
 via a formal language – regular expressions, grammars • We want to learn such a language from the program @AndreasZeller

  14. Learning Grammars http:// user:pass @ www.google.com:80 path / http:// user:pass @ www.google.com:80 path / Program @AndreasZeller

  15. Learning Grammars :// user:pass @ www.google.com:80 path / http:// user:pass @ www.google.com:80 path / http – protocol @AndreasZeller

  16. Learning Grammars :// user:pass @ :80 path / http:// user:pass @ www.google.com:80 path / http – protocol – host name www.google.com @AndreasZeller

  17. Learning Grammars :// user:pass @ : / path http:// user:pass @ www.google.com:80 path / http – protocol – host name www.google.com – port 80 @AndreasZeller

  18. Learning Grammars :// : @ : / path http:// user:pass @ www.google.com:80 path / http – protocol – host name www.google.com – port 80 – login user pass @AndreasZeller

  19. Learning Grammars :// : @ : / http:// user:pass @ www.google.com:80 path / http – protocol – host name www.google.com – port 80 – login user pass – page request path @AndreasZeller

  20. Learning Grammars http:// user:pass @ www.google.com:80 path / http – protocol – host name www.google.com – port 80 – login user pass – page request path – terminals :// : @ : / @AndreasZeller

  21. Learning Grammars http:// user:pass @ www.google.com:80 path / http – protocol } processed in – host name di fg erent www.google.com functions – port 80 – login user pass stored in di fg erent – page request path variables – terminals :// : @ : / @AndreasZeller

  22. Tracking Input We track input characters throughout program execution: 1. Dynamic tainting labels all characters read (and derived values) with their origin 2. Recognizing inputs checks string variables whether they hold input fragments (simpler) @AndreasZeller

  23. Grammar Inference • Start with grammar $START ::= input $START ::= http://user:pass@www.google.com:80/path#ref @AndreasZeller

  24. Grammar Inference • For each ( var , value ) we fj nd during execution, where value is a substring of input : 1. Replace all occurrences of value by $ VAR 2. Add a new rule $VAR ::= value $START ::= http://user:pass@www.google.com:80/path#ref fragment = 'ref' url = '/path' path = '/path' scheme = 'http' netloc = 'user:pass@www.google.com:80' @AndreasZeller

  25. Grammar Inference • For each ( var , value ) we fj nd during execution, where value is a substring of input : 1. Replace all occurrences of value by $ VAR 2. Add a new rule $VAR ::= value $START ::= http://$NETLOC/path#ref 
 $NETLOC ::= user:pass@www.google.com:80 fragment = 'ref' url = '/path' path = '/path' scheme = 'http' @AndreasZeller

  26. Grammar Inference • For each ( var , value ) we fj nd during execution, where value is a substring of input : 1. Replace all occurrences of value by $ VAR 2. Add a new rule $VAR ::= value $START ::= $SCHEME://$NETLOC/path#ref 
 $NETLOC ::= user:pass@www.google.com:80 
 $SCHEME ::= http fragment = 'ref' url = '/path' path = '/path' @AndreasZeller

  27. Grammar Inference • For each ( var , value ) we fj nd during execution, where value is a substring of input : 1. Replace all occurrences of value by $ VAR 2. Add a new rule $VAR ::= value $START ::= $SCHEME://$NETLOC$PATH#ref 
 $NETLOC ::= user:pass@www.google.com:80 
 $SCHEME ::= http 
 $PATH ::= /path fragment = 'ref' url = '/path' @AndreasZeller

  28. Grammar Inference • For each ( var , value ) we fj nd during execution, where value is a substring of input : 1. Replace all occurrences of value by $ VAR 2. Add a new rule $VAR ::= value $START ::= $SCHEME://$NETLOC$PATH#$FRAGMENT 
 $NETLOC ::= user:pass@www.google.com:80 
 $SCHEME ::= http 
 $PATH ::= /path $FRAGMENT ::= ref url = '/path' @AndreasZeller

  29. Grammar Inference • For each ( var , value ) we fj nd during execution, where value is a substring of input : 1. Replace all occurrences of value by $ VAR 2. Add a new rule $VAR ::= value $START ::= $SCHEME://$NETLOC$PATH#$FRAGMENT 
 $NETLOC ::= user:pass@www.google.com:80 
 $SCHEME ::= http 
 $PATH ::= $URL $FRAGMENT ::= ref $URL ::= /path @AndreasZeller

  30. Demo @AndreasZeller

  31. AUTOGRAM AUTOGRAM: a grammar miner for Java programs Uses active learning to infer • repetitions • optional parts • common elements (numbers, identi fj ers…) Höschele, Zeller: "Mining Input Grammars from Dynamic Taints", ASE 2016 @AndreasZeller

  32. URLs http://user:password@www.google.com:80/command?foo=bar&lorem=ipsum#fragment http://www.guardian.co.uk/sports/worldcup#results ftp://bob:12345@ftp.example.com/oss/debian7.iso URL ::= PROTOCOL '://' AUTHORITY PATH ['?' QUERY] ['#' REF] AUTHORITY ::= [USERINFO '@'] HOST [':' PORT] PROTOCOL ::= 'http' | 'ftp' USERINFO ::= /[a-z]+:[a-z]+/ HOST ::= /[a-z.]+/ PORT ::= '80' PATH ::= /\/[a-z0-9.\/]*/ QUERY ::= 'foo=bar&lorem=ipsum' REF ::= /[a-z]+/ @AndreasZeller

  33. INI Files INI ::= LINE+ [Application] LINE ::= SECTION_LINE '\r' 
 Version = 0.5 | OPTION_LINE ['\r'] WorkingDir = /tmp/mydir/ SECTION_LINE ::= '[' KEY ']' [User] OPTION_LINE ::= KEY ' = ' VALUE User = Bob KEY ::= /[a-zA-Z]*/ Password = 12345 VALUE ::= /[a-zA-Z0-9\/]/ @AndreasZeller

  34. JSON Input JSON ::= VALUE 
 VALUE ::= JSONOBJECT | ARRAY | STRINGVALUE | TRUE | FALSE | NULL | NUMBER TRUE ::= ’true’ FALSE ::= ’false’ { NULL ::= ’null’ NUMBER ::= [’-’] /[0-9]+/ "v": true, STRINGVALUE ::= ’"’ INTERNALSTRING ’"’ "x": 25, INTERNALSTRING ::= /[a-zA-Z0-9 ]+/ "y": -36, ARRAY ::= ’[’ … [VALUE [’,’ VALUE]+] } ’]’ JSONOBJECT ::= ’{’ [STRINGVALUE ’:’ VALUE [’,’ STRINGVALUE ’:’ VALUE] 
 +] 
 '}' @AndreasZeller

  35. Testing with Mined Grammars Inputs Program Tests Grammar @AndreasZeller

Recommend

Advances in Logical Grammar: Course Overview Carl Pollard Department of Linguistics Ohio State

Advances in Logical Grammar: Course Overview Carl Pollard Department of Linguistics Ohio State

Advances in Logical Grammar: Course Overview Carl Pollard Department of Linguistics Ohio State University June 6, 2012 Carl Pollard Advances in Logical Grammar: Course Overview What this Course is About (1/2) Using mathematical logic to

218 views • 7 slides
A .NET-based Test-Data Generator for Combinatorial Grammar- and Schema-based Testing Vadim

A .NET-based Test-Data Generator for Combinatorial Grammar- and Schema-based Testing Vadim

A .NET-based Test-Data Generator for Combinatorial Grammar- and Schema-based Testing Vadim Zaytsev with: Ralf L ammel (VU), Wolfram Schulte (MSR) 14 April 2004 Grammar ware grammars grammar-dependent software In this project:

450 views • 17 slides
Combinatorial Interaction Testing for Test Selection in Grammar-Based Testing Elke Salecker,

Combinatorial Interaction Testing for Test Selection in Grammar-Based Testing Elke Salecker,

Combinatorial Interaction Testing for Test Selection in Grammar-Based Testing Elke Salecker, Sabine Glesner Technical University of Berlin, Germany Workshop on Combinatorial Testing (CT) 2012 Montreal, Canada Introduction Background Approach

632 views • 45 slides
Advances in Logical Grammar: Review of Typed Lambda Calculus Carl Pollard Department of

Advances in Logical Grammar: Review of Typed Lambda Calculus Carl Pollard Department of

Advances in Logical Grammar: Review of Typed Lambda Calculus Carl Pollard Department of Linguistics Ohio State University June 6, 2012 Carl Pollard Advances in Logical Grammar: Review of Typed Lam The Two Sides of Typed Lambda Calculus A

628 views • 27 slides
RE-TARGETABLE GRAMMAR BASED TEST CASE GENERATION 2 TESTING PARSERS IS HARD 3 HOW WE GOT

RE-TARGETABLE GRAMMAR BASED TEST CASE GENERATION 2 TESTING PARSERS IS HARD 3 HOW WE GOT

JOE ROZNER / @JROZNER RE-TARGETABLE GRAMMAR BASED TEST CASE GENERATION 2 TESTING PARSERS IS HARD 3 HOW WE GOT HERE Mostly clean room (ish) implementation of complex languages (context-free- ish) ~35k lines of grammar in total

400 views • 19 slides
Syntax-based test coverage (part 2) - grammar-based testing - Basic grammar concepts

Syntax-based test coverage (part 2) - grammar-based testing - Basic grammar concepts

Syntax-based test coverage (part 2) - grammar-based testing - Basic grammar concepts Syntax-based Coverage Criteria Specification-based Grammars Input Space Grammars Verificao e Validao de Software Departamento de Informtica

460 views • 27 slides
Advances in proof mining Andrei Sipos , September 14, 2020 University of Bucharest Lectureship

Advances in proof mining Andrei Sipos , September 14, 2020 University of Bucharest Lectureship

Advances in proof mining Andrei Sipos , September 14, 2020 University of Bucharest Lectureship Competition Bucures ti, Rom ania Proof mining This, as the title says, is a talk on proof mining : an applied subfield of mathematical logic

2.21k views • 156 slides
Tools for Testing Mitochondrial Disorders: The Latest Advances in Genetics and Genomics

Tools for Testing Mitochondrial Disorders: The Latest Advances in Genetics and Genomics

Tools for Testing Mitochondrial Disorders: The Latest Advances in Genetics and Genomics What is genomic sequencing and how does it change testing for mitochondrial disorders? Is NextGen testing appropriate for all people with

665 views • 43 slides
Smart Testing with AI Using Data Mining Presented by:

Smart Testing with AI Using Data Mining Presented by:

T16 Analytics in Testing Thursday, October 3rd, 2019 1:30 PM Smart Testing with AI Using Data Mining Presented by: Lorna

655 views • 32 slides
Topic III: Significance Testing Discrete Topics in Data Mining Universitt des Saarlandes,

Topic III: Significance Testing Discrete Topics in Data Mining Universitt des Saarlandes,

Topic III: Significance Testing Discrete Topics in Data Mining Universitt des Saarlandes, Saarbrcken Winter Semester 2012/13 T III.Intro- 1 T III: Significance Testing 1. Hypothesis Testing 1.1. Null Hypotheses and p -values 1.2.

362 views • 32 slides
Advances in Mutation Testing Research for C++ Pedro Delgado-Prez TAROT: Intro Talk June 2015

Advances in Mutation Testing Research for C++ Pedro Delgado-Prez TAROT: Intro Talk June 2015

Introduction Mutation Operators Conclusion Advances in Mutation Testing Research for C++ Pedro Delgado-Prez TAROT: Intro Talk June 2015 P. Delgado-Prez UCASE (University of Cdiz) Advances in Mutation Testing Research for C++ TAROT:

694 views • 45 slides
Web Mining Web Mining Web Mining Web Mining Web mining is the use of data mining techniques

Web Mining Web Mining Web Mining Web Mining Web mining is the use of data mining techniques

What is Web Mining? Wh t i W b Mi i What is Web Mining? Wh t i W b Mi i ? ? Web Mining Web Mining Web Mining Web Mining Web mining is the use of data mining techniques to automat cally d scover and extract nformat on automatically

774 views • 20 slides
Grammarware Application: Testing XML Validators Vadim Zaytsev 26 November 2004 1 The story of

Grammarware Application: Testing XML Validators Vadim Zaytsev 26 November 2004 1 The story of

Grammarware Application: Testing XML Validators Vadim Zaytsev 26 November 2004 1 The story of one grammar-based tool 2 Grammar ware and XML As it was told, grammarware is more than just compilers! eXtensible Markup Language has a

747 views • 38 slides
ADVANCES IN BIOMARKER TESTING FOR SEPSIS AND BACTERIAL INFECTIONS ERIC H GLUCK MD JD FCCP FCCM

ADVANCES IN BIOMARKER TESTING FOR SEPSIS AND BACTERIAL INFECTIONS ERIC H GLUCK MD JD FCCP FCCM

ADVANCES IN BIOMARKER TESTING FOR SEPSIS AND BACTERIAL INFECTIONS ERIC H GLUCK MD JD FCCP FCCM DIRECTOR OF CRITICAL SERVICES SWEDISH COVENANT HOSPTIAL DISCLOSURES: Speaking engagements and consulting: Thermo Fisher Scientific, Middletown,

861 views • 46 slides
Recent Advances in Designing, Monitoring, Modeling and Testing Deep Foundations in North America

Recent Advances in Designing, Monitoring, Modeling and Testing Deep Foundations in North America

Proceedings CIGMAT-2007 Conference &amp; Exhibition Recent Advances in Designing, Monitoring, Modeling and Testing Deep Foundations in North America C. Vipulanandan, Ph.D., P.E. P P Chairman, Professor and Director of Center for Innovative

534 views • 25 slides
Introduction to English Linguistics 4: Grammar and Syntax I Grammar and Syntax Grammar The

Introduction to English Linguistics 4: Grammar and Syntax I Grammar and Syntax Grammar The

Introduction to English Linguistics 4: Grammar and Syntax I Grammar and Syntax Grammar The rules of language, comprising syntax and inflectional morphology Syntax The hierarchical structure of language Lexical Words (Open Class) Noun

539 views • 31 slides
Web Mining Web Mining Web mining is the use of data mining techniques to automatically

Web Mining Web Mining Web mining is the use of data mining techniques to automatically

What is Web Mining? What is Web Mining? Web Mining Web Mining Web mining is the use of data mining techniques to automatically discover and extract information from Web documents/services (Etzioni, 1996, CACM 39(11)) Web mining aims to

566 views • 22 slides
Introduction to English Linguistics 4: Grammar and Syntax Grammar and Syntax Grammar The rules

Introduction to English Linguistics 4: Grammar and Syntax Grammar and Syntax Grammar The rules

Introduction to English Linguistics 4: Grammar and Syntax Grammar and Syntax Grammar The rules of language, comprising syntax and inflection Syntax The hierarchical structure of language Lexical Words, Open Class Noun Adjective

739 views • 39 slides
Advances in In-Situ Testing of Ventilation Control Devices for Underground Mines Greg Kay

Advances in In-Situ Testing of Ventilation Control Devices for Underground Mines Greg Kay

Advances in In-Situ Testing of Ventilation Control Devices for Underground Mines Greg Kay Aquacrete, Newcastle, NSW, Australia Michael Salu Parsons Brinckerhoff, Brisbane, QLD, Australia ABSTRACT: As underground mines increasingly face the

739 views • 6 slides
Specialised vs Declarative Data Mining Software Testing Applications Nadjib Lazaar , CNRS,

Specialised vs Declarative Data Mining Software Testing Applications Nadjib Lazaar , CNRS,

Specialised vs Declarative Data Mining Software Testing Applications Nadjib Lazaar , CNRS, University of Montpellier Join works with: M. Maamar, Y. Lebbah, S. Loudni, C. Bessiere, et. al. SIMULA, Oslo, 11 oct. 2018 DATA MINING 2 DATA

1.47k views • 103 slides
How random walks led to advances in testing minor-freeness C. Seshadhri (UC Santa Cruz) WOLA

How random walks led to advances in testing minor-freeness C. Seshadhri (UC Santa Cruz) WOLA

How random walks led to advances in testing minor-freeness C. Seshadhri (UC Santa Cruz) WOLA 2019 1 My coauthors Akash Kumar, Purdue Andrew Stolman, UCSC WOLA 2019 2 Classics [Kuratowski 30, Wagner 37] G is not planar, iff it contains

621 views • 59 slides
GRAMMAR THROUGH HUMOR BRANDY SHOOKS &amp; WHITNEY SCHARER TEACHING GRAMMAR THROUGH HUMOR Having

GRAMMAR THROUGH HUMOR BRANDY SHOOKS &amp; WHITNEY SCHARER TEACHING GRAMMAR THROUGH HUMOR Having

TEACHING GRAMMAR THROUGH HUMOR BRANDY SHOOKS &amp; WHITNEY SCHARER TEACHING GRAMMAR THROUGH HUMOR Having difficulty getting your students interested and excited about grammar? Participants in this session will gain tools to present grammar in

675 views • 28 slides
ggmap Available on CRAN! Recent Advances in Spatial Visualization David J. Kahle, Ph.D. @

ggmap Available on CRAN! Recent Advances in Spatial Visualization David J. Kahle, Ph.D. @

ggmap Available on CRAN! Recent Advances in Spatial Visualization David J. Kahle, Ph.D. @ Department of Statistical Science B A Y L OR u n i v e r s i t y components of this talk 1. ggplot2 and the layered grammar of graphics 2. ggmap

1.08k views • 68 slides
Combinatory Categorial Grammar The effort to develop natural language grammars and

Combinatory Categorial Grammar The effort to develop natural language grammars and

Combinatory Categorial Grammar Goal Mildly-context sensitive grammar framework, with provable polynomial parseability To present the intuitions behind Combinatory Categorial Grammar as a framework for relating the structure of a linguistic

280 views • 13 slides

More recommend