caradoc a pragmatic approach to pdf parsing and validation
play

Caradoc: a Pragmatic Approach to PDF Parsing and Validation IEEE - PowerPoint PPT Presentation

Jan 09, 2024 •485 likes •842 views

Caradoc: a Pragmatic Approach to PDF Parsing and Validation IEEE Security & Privacy LangSec Workshop 2016 Guillaume Endignoux Olivier Levillain Jean-Yves Migeon cole Polytechnique, France EPFL, Switzerland ANSSI, France Thursday 26 th

  1. Caradoc: a Pragmatic Approach to PDF Parsing and Validation IEEE Security & Privacy LangSec Workshop 2016 Guillaume Endignoux Olivier Levillain Jean-Yves Migeon École Polytechnique, France EPFL, Switzerland ANSSI, France Thursday 26 th May, 2016 1 / 29

  2. Portable Document Format ? A commonly used format, but many security issues: 500+ reported vulnerabilities in Adobe Reader 1 (since 1999). Discrepancies between implementations. Syntax facilitates polymorphism 2 (PDF+ZIP, PDF+JPEG, etc.). 1 http://www.cvedetails.com 2 See for example PoC||GTFO 2 / 29

  3. Portable Document Format ? A commonly used format, but many security issues: 500+ reported vulnerabilities in Adobe Reader 1 (since 1999). Discrepancies between implementations. Syntax facilitates polymorphism 2 (PDF+ZIP, PDF+JPEG, etc.). In our work, we aim at verifying PDFs from syntactic level. Two approaches to validate files: Blacklist : does not detect new malware... Whitelist : higher rejection rate, but accepted files are clean. 1 http://www.cvedetails.com 2 See for example PoC||GTFO 2 / 29

  4. Table of contents Syntactic and structural problems: a quick tour 1 2 Caradoc: a pragmatic solution 3 Application to real-world files 3 / 29

  5. Table of contents Syntactic and structural problems: a quick tour 1 2 Caradoc: a pragmatic solution 3 Application to real-world files 4 / 29

  6. PDF syntax 101 A PDF document is made of objects: null booleans: true , false numbers: 123 , -4.56 strings: (foo) names: /bar arrays: [1 2 3] , [(foo) /bar] dictionaries: << /key (value) /foo 123 >> references: 1 0 obj ... endobj and 1 0 R streams: << ... >> stream ... endstream 5 / 29

  7. Structure of a PDF file %PDF-1.7 1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj Header 2 0 obj Object << /Type /Pages /Count 1 /Kids [3 0 R] >> endobj Object ... xref 0 6 Reference table 0000000000 65536 f 0000000009 00000 n Trailer 0000000060 00000 n ... End-of-file trailer << /Size 6 /Root 1 0 R >> startxref 428 %%EOF Organization of a simple PDF file. 6 / 29

  8. Structure of a PDF file %PDF-1.7 xref 0 6 Header 0000000000 65536 f 0000000009 00000 n Objects 0000000060 00000 n More complex structures: ... ... Original file trailer << /Size 6 /Root 1 0 R >> Table + trailer #1 incremental updates, startxref 428 End-of-file #1 %%EOF object streams, Objects xref ... 0 3 Incremental 0000000002 65536 f linearization. Table + trailer #2 0000000567 00001 n update 0000000000 00001 f 6 1 End-of-file #2 0000001234 00000 n trailer << /Size 7 /Root 1 1 R /Prev 428 >> startxref 1347 %%EOF Incremental update. 7 / 29

  9. Logical structure of a PDF file Document of 17 pages (about 1000 objects). 8 / 29

  10. Graph organization The graph of objects is organized into sub-structures, especially trees. Page tree. Catalog Root of the page tree Node Page 3 Page 4 Page 1 Page 2 9 / 29

  11. Graph organization The table of contents uses doubly-linked lists. Table of contents. Outline root Catalog Chapter Chapter Chapter Section Section Section 10 / 29

  12. Problematic structure An attacker may write an invalid structure. Invalid table of contents. Outline root Catalog Chapter Chapter Chapter Section Section Section 11 / 29

  13. Demonstration Demonstration: two examples Loop in the outline structure https://github.com/ANSSI-FR/caradoc/blob/master/test_files/negative/outlines/cycle.pdf Polymorphic file https://github.com/ANSSI-FR/caradoc/blob/master/test_files/negative/polymorph/polymorph.pdf These files were reported to software editors. 12 / 29

  14. Demonstration These problems may lead to several attacks: Attacks on the structure (denial of service). Evasion techniques (attacks taking advantage of implementation discrepancies). 13 / 29

  15. Table of contents Syntactic and structural problems: a quick tour 1 2 Caradoc: a pragmatic solution 3 Application to real-world files 14 / 29

  16. Solution proposals Caradoc verifies a document at three levels: File syntax. Objects consistency (type checking). Higher-level verifications (graph, etc.). 15 / 29

  17. Syntax restriction At syntax level, guarantee extraction of objects without ambiguity: Grammar formalization 3 (BNF). Structure restrictions (no updates, no linearization , etc.). Systematic rejection of “corrupted” files. 3 https://github.com/ANSSI-FR/caradoc/tree/master/doc/grammar 16 / 29

  18. Syntax restriction At syntax level, guarantee extraction of objects without ambiguity: Grammar formalization 3 (BNF). Structure restrictions (no updates, no linearization , etc.). Systematic rejection of “corrupted” files. When a conforming reader reads a PDF file with a damaged or missing cross-reference table, it may attempt to rebuild the table by scanning all the objects in the file. — ISO 32000-1:2008, annex C.2 3 https://github.com/ANSSI-FR/caradoc/tree/master/doc/grammar 16 / 29

  19. Type checking At object level: guarantee semantic consistency. For this purpose: type checking algorithm. 17 / 29

  20. Type checking trailer 1 0 obj << /Size 7 << /Type /Catalog /Pages 2 0 R >> /Root 1 0 R endobj /Info 6 0 R >> 6 0 obj << 2 0 obj /Author (G. E.) << /Type /Pages /Count 1 /Kids [3 0 R] >> >> endobj endobj 3 0 obj << 5 0 obj << /Type /Page /Name /F1 /MediaBox [0 0 700 200] /BaseFont /Helvetica /Parent 2 0 R /Type /Font /Contents 4 0 R /Subtype /Type1 /Resources << /Font << /F1 5 0 R >> >> >> endobj >> endobj 4 0 obj << /Length 35 >> stream BT /F1 100 Tf (Hello world !) Tj ET endstream endobj Example on a Hello World file. 18 / 29

  21. Type checking trailer 1 0 obj << /Size 7 << /Type /Catalog /Pages 2 0 R >> /Root 1 0 R endobj /Info 6 0 R >> 6 0 obj << 2 0 obj /Author (G. E.) << /Type /Pages /Count 1 /Kids [3 0 R] >> >> endobj endobj 3 0 obj << 5 0 obj << /Type /Page /Name /F1 /MediaBox [0 0 700 200] /BaseFont /Helvetica /Parent 2 0 R /Type /Font /Contents 4 0 R /Subtype /Type1 /Resources << /Font << /F1 5 0 R >> >> >> endobj >> endobj 4 0 obj << /Length 35 >> stream BT /F1 100 Tf (Hello world !) Tj ET endstream endobj Constraint propagation. 19 / 29

  22. Type checking trailer 1 0 obj << /Size 7 << /Type /Catalog /Pages 2 0 R >> /Root 1 0 R endobj /Info 6 0 R >> 6 0 obj << 2 0 obj /Author (G. E.) << /Type /Pages /Count 1 /Kids [3 0 R] >> >> endobj endobj 3 0 obj << 5 0 obj << /Type /Page /Name /F1 /MediaBox [0 0 700 200] /BaseFont /Helvetica /Parent 2 0 R /Type /Font /Contents 4 0 R /Subtype /Type1 /Resources << /Font << /F1 5 0 R >> >> >> endobj >> endobj 4 0 obj << /Length 35 >> stream BT /F1 100 Tf (Hello world !) Tj ET endstream endobj Constraint propagation. 19 / 29

  23. Type checking trailer 1 0 obj << /Size 7 << /Type /Catalog /Pages 2 0 R >> /Root 1 0 R endobj /Info 6 0 R >> 6 0 obj << 2 0 obj /Author (G. E.) << /Type /Pages /Count 1 /Kids [3 0 R] >> >> endobj endobj 3 0 obj << 5 0 obj << /Type /Page /Name /F1 /MediaBox [0 0 700 200] /BaseFont /Helvetica /Parent 2 0 R /Type /Font /Contents 4 0 R /Subtype /Type1 /Resources << /Font << /F1 5 0 R >> >> >> endobj >> endobj 4 0 obj << /Length 35 >> stream BT /F1 100 Tf (Hello world !) Tj ET endstream endobj Constraint propagation. 19 / 29

  24. Type checking trailer 1 0 obj << /Size 7 << /Type /Catalog /Pages 2 0 R >> /Root 1 0 R endobj /Info 6 0 R >> 6 0 obj << 2 0 obj /Author (G. E.) << /Type /Pages /Count 1 /Kids [3 0 R] >> >> endobj endobj 3 0 obj << 5 0 obj << /Type /Page /Name /F1 /MediaBox [0 0 700 200] /BaseFont /Helvetica /Parent 2 0 R /Type /Font /Contents 4 0 R /Subtype /Type1 /Resources << /Font << /F1 5 0 R >> >> >> endobj >> endobj 4 0 obj << /Length 35 >> stream BT /F1 100 Tf (Hello world !) Tj ET endstream endobj Constraint propagation. 19 / 29

  25. Type checking trailer 1 0 obj << /Size 7 << /Type /Catalog /Pages 2 0 R >> /Root 1 0 R endobj /Info 6 0 R >> 6 0 obj << 2 0 obj /Author (G. E.) << /Type /Pages /Count 1 /Kids [3 0 R] >> >> endobj endobj 3 0 obj << 5 0 obj << /Type /Page /Name /F1 /MediaBox [0 0 700 200] /BaseFont /Helvetica /Parent 2 0 R /Type /Font /Contents 4 0 R /Subtype /Type1 /Resources << /Font << /F1 5 0 R >> >> >> endobj >> endobj 4 0 obj << /Length 35 >> stream BT /F1 100 Tf (Hello world !) Tj ET endstream endobj Constraint propagation. 19 / 29

  26. Type checking action page destination annotation resource outline content stream font name tree other Types of a 17-page document. 20 / 29

  27. More complex verifications At a higher level: Verification of tree structures (page tree, outlines, etc.). Other verifications easily integrable in the future (fonts, images, existing analyses, etc.). 21 / 29

Recommend

A Pragmatic Approach Towards The Regulation of Botanical Food

A Pragmatic Approach Towards The Regulation of Botanical Food

A Pragmatic Approach Towards The Regulation of Botanical Food Supplements Overview 1. Botanicals 2. Basic Principles 3. Current Situation 4. Safety 1. Quality standards 2. Inventory of the

557 views • 16 slides
A Hierarchal Approach to Validation Experiments in Magnetic Fusion Science Validation

A Hierarchal Approach to Validation Experiments in Magnetic Fusion Science Validation

A Hierarchal Approach to Validation Experiments in Magnetic Fusion Science Validation Experiments Working Group US Transport Task Force P.W. Terry, T. Carter, C. Hegna, C. Holland, M. GIlmore, M. Greenwald, B. LaBombard, R. Majeski, D.E.

593 views • 24 slides
A pragmatic approach to the phenomenon of presupposition conditionalization Amaia Garcia-Odon

A pragmatic approach to the phenomenon of presupposition conditionalization Amaia Garcia-Odon

A pragmatic approach to the phenomenon of presupposition conditionalization Amaia Garcia-Odon UPV-EHU/ U. Konstanz DIP Colloquium Outline The projection problem of presupposition 1 The proposal 2 Pragmatic constraints on projection

618 views • 47 slides
Workshop on process validation Session 2: Enhanced approach Kowid Ho Process validation for

Workshop on process validation Session 2: Enhanced approach Kowid Ho Process validation for

Workshop on process validation Session 2: Enhanced approach Kowid Ho Process validation for process development following traditional vs enhanced approach Same objective: To establish scientific evidence that a process is capable of

347 views • 6 slides
Module 4: XML Representation Concepts Parsing and Validation Schemas Munindar P. Singh, CSC

Module 4: XML Representation Concepts Parsing and Validation Schemas Munindar P. Singh, CSC

Module 4: XML Representation Concepts Parsing and Validation Schemas Munindar P. Singh, CSC 513, Spring 2008 c p.106 What is Metadata? Literally, data about data Description of data that captures some useful property regarding its

1.02k views • 59 slides
Tuesday 9 th April 2013 Process Validation-Enhanced Approach Continuous Process Verification

Tuesday 9 th April 2013 Process Validation-Enhanced Approach Continuous Process Verification

EMA Expert Workshop on Validation of Manufacturing for Biological Medicinal Products Tuesday 9 th April 2013 Process Validation-Enhanced Approach Continuous Process Verification Brendan Hughes Agenda Definition and purpose of validation

730 views • 18 slides
Interoperability Now! A pragmatic Approach to Interoperability in Language Technology Sven C.

Interoperability Now! A pragmatic Approach to Interoperability in Language Technology Sven C.

Interoperability Now! A pragmatic Approach to Interoperability in Language Technology Sven C. Andr Founder and CEO of ONTRAM Inc./Andr AG Based on a Collaboration Effort with Kilgray, Welocalize, Medtronic and Bioloom W3C Multilingual

506 views • 24 slides
Pragmatic Agility Pragmatic Agility Presented by: Andy Hunt The Pragmatic Programmers

Pragmatic Agility Pragmatic Agility Presented by: Andy Hunt The Pragmatic Programmers

W11 Concurrent Session Wednesday 11/12/2008 12:45 PM 2:15 PM Pragmatic Agility Pragmatic Agility Presented by: Andy Hunt The Pragmatic Programmers Presented at: Agile Development Practices 2008 November 10 - 14, Orlando, FL., USA 330

61 views • 3 slides
Redis Cluster a pragmatic approach to distribution All nodes are directly connected with a

Redis Cluster a pragmatic approach to distribution All nodes are directly connected with a

Redis Cluster a pragmatic approach to distribution All nodes are directly connected with a service channel. TCP baseport+4000, example 6379 -&gt; 10379. Node to Node protocol is binary, optimized for bandwidth and speed. Clients talk to

624 views • 17 slides
Industry 4.0 in Glass Needs a pragmatic approach Presented by: Christian Megret September

Industry 4.0 in Glass Needs a pragmatic approach Presented by: Christian Megret September

Industry 4.0 in Glass Needs a pragmatic approach Presented by: Christian Megret September 2017 Confidential Property of Schneider Electric Industry 4.0: According to Wikipedia Industry 4.0 is a name for the current trend of automation and

621 views • 20 slides
CSC 4181 Compiler Construction Parsing 1 1 Outline Top-down v.s. Bottom-up Top-down parsing

CSC 4181 Compiler Construction Parsing 1 1 Outline Top-down v.s. Bottom-up Top-down parsing

CSC 4181 Compiler Construction Parsing 1 1 Outline Top-down v.s. Bottom-up Top-down parsing Bottom-up parsing Recursive-descent Shift-reduce parsers parsing LR(0) parsing LL(1) parsing LR(0) items LL(1) parsing

429 views • 29 slides
Introduction to Bottom-Up Parsing Shift-reduce parsing The LR parsing algorithm

Introduction to Bottom-Up Parsing Shift-reduce parsing The LR parsing algorithm

Outline Review LL parsing Introduction to Bottom-Up Parsing Shift-reduce parsing The LR parsing algorithm Constructing LR parsing tables 2 Top-Down Parsing: Review Top-Down Parsing: Review Top-down parsing expands a

470 views • 13 slides
A Three-Layered Approach to Facade Parsing Anelo Martinovi 1 Markus Mathias 1 Julien

A Three-Layered Approach to Facade Parsing Anelo Martinovi 1 Markus Mathias 1 Julien

Introduction Our Approach Results And Evaluation Summary A Three-Layered Approach to Facade Parsing Anelo Martinovi 1 Markus Mathias 1 Julien Weissenberg 2 Luc Van Gool 1 , 2 1 ESAT-PSI/VISICS, KU Leuven 2 Computer Vision Laboratory, ETH

338 views • 31 slides
Tuesday 9 th April 2013 Process Validation-Enhanced Approach Scale down models Frank Zettl Key

Tuesday 9 th April 2013 Process Validation-Enhanced Approach Scale down models Frank Zettl Key

EMA Expert Workshop on Validation of Manufacturing for Biological Medicinal Products Tuesday 9 th April 2013 Process Validation-Enhanced Approach Scale down models Frank Zettl Key elements enhanced approach Extensive and intensive process

409 views • 16 slides
Performance of Scientific Applications Lonnie D. Crosby, R. Glenn Brook, Bhanu Rekapalli,

Performance of Scientific Applications Lonnie D. Crosby, R. Glenn Brook, Bhanu Rekapalli,

A Pragmatic Approach to Improving the Large-scale Parallel I/O Performance of Scientific Applications Lonnie D. Crosby, R. Glenn Brook, Bhanu Rekapalli, Mikhail Sekachev, Aaron Vose, and Kwai Wong A Pragmatic Approach Data Movement

393 views • 17 slides
North Meadows Secondary Plan MUNICIPALITY OF STRATHROY-CARADOC Initial Public Meeting May 15,

North Meadows Secondary Plan MUNICIPALITY OF STRATHROY-CARADOC Initial Public Meeting May 15,

North Meadows Secondary Plan MUNICIPALITY OF STRATHROY-CARADOC Initial Public Meeting May 15, 2019 Why We Are Here Introductions and Overview Examine opportunities to accommodate growth and development Gather thoughts and

197 views • 17 slides
Health and Disease a Pragmatic Approach Dr.Poornima Baliga.B Pro Vice Chancellor(Faculty of

Health and Disease a Pragmatic Approach Dr.Poornima Baliga.B Pro Vice Chancellor(Faculty of

Health and Disease a Pragmatic Approach Dr.Poornima Baliga.B Pro Vice Chancellor(Faculty of Health Sciences) Manipal University Manipal-India Background The genesis of Manipal is an enthralling story of a genius, late Dr. T.M.A. Pai He had

595 views • 18 slides
A Pragmatic Family Centered Approach to Childhood Obesity Treatment Denise Wilfley (Angela Lima)

A Pragmatic Family Centered Approach to Childhood Obesity Treatment Denise Wilfley (Angela Lima)

A Pragmatic Family Centered Approach to Childhood Obesity Treatment Denise Wilfley (Angela Lima) Scott Rudolph University Professor of Psychiatry, Medicine, Pediatrics, and Psychological &amp; Brain Sciences Washington University September 19,

184 views • 17 slides
Caradoc Street (Co. Rd 81) Reconstruction March 27, 2019 Construction Limits Scope of Work

Caradoc Street (Co. Rd 81) Reconstruction March 27, 2019 Construction Limits Scope of Work

BIA Meeting Caradoc Street (Co. Rd 81) Reconstruction March 27, 2019 Construction Limits Scope of Work Roadwork Storm Sewers Sanitary Sewers and Services Watermains and Services Landscaping Features Utility Pole

521 views • 16 slides
DESIGN OF PRAGMATIC TRIALS Ana Quiones, PhD &amp; Jonathan Jackson, PhD April 16, 2020

DESIGN OF PRAGMATIC TRIALS Ana Quiones, PhD &amp; Jonathan Jackson, PhD April 16, 2020

National Institute on Aging (NIA) IMbedded Pragmatic Alzheimers Disease (AD) and AD-Related Dementias (AD/ADRD) Clinical Trials (IMPACT) Collaboratory (NIA U54AG063546) HEALTH EQUITY AS FOUNDATIONAL TO THE DESIGN OF PRAGMATIC TRIALS Ana

642 views • 31 slides
A Regulatory Approach to Validation of the CDM Structuring a CDM to improve validity of analyses.

A Regulatory Approach to Validation of the CDM Structuring a CDM to improve validity of analyses.

A Regulatory Approach to Validation of the CDM Structuring a CDM to improve validity of analyses. Common data model Workshop in Europe - 11-12 December 2017 An agency of the European Union Requirem ents for regulatory evidence Provide agreed,

488 views • 20 slides
Pragmatic Evolution of Super 6 and Sky Bet for Resiliency M i c h a e l M a i b a u m S k y B

Pragmatic Evolution of Super 6 and Sky Bet for Resiliency M i c h a e l M a i b a u m S k y B

Pragmatic Evolution of Super 6 and Sky Bet for Resiliency M i c h a e l M a i b a u m S k y B e t t i n g &amp; G a m i n g @ m m a i b a u m Pragmatic and Achievable Focus is on pragmatic, achievable improvements in availability

824 views • 47 slides
A Formal Model Approach for the Analysis and Validation of the Cooperative Path Planning of a UAV

A Formal Model Approach for the Analysis and Validation of the Cooperative Path Planning of a UAV

A Formal Model Approach for the Analysis and Validation of the Cooperative Path Planning of a UAV Team Antonios Tsourdos Brian White, Rafa bikowski, Peter Silson Suresh Jeyaraman and Madhavan Shanmugavel Guidance &amp; Control Group

826 views • 44 slides
Top-Down Parsing Slides modified from Louden Book and Dr. Scherger Top Down Parsing A

Top-Down Parsing Slides modified from Louden Book and Dr. Scherger Top Down Parsing A

Compiler Design and Construction Top-Down Parsing Slides modified from Louden Book and Dr. Scherger Top Down Parsing A top-down parsing algorithm parses an input string of tokens by tracing out the steps in a leftmost derivation. Such an

1.12k views • 96 slides

More recommend