horn binary serialization analysis
play

Horn Binary Serialization Analysis HCVS 2016 3rd Workshop on - PowerPoint PPT Presentation

Oct 14, 2022 •167 likes •502 views

Horn Binary Serialization Analysis HCVS 2016 3rd Workshop on Horn Clauses for Verification and Synthesis Gabriele Paganelli https://gapag.noblogs.org/ gapag@distruzione.org Length Type Data CRC 0 3 4 7 8 N N+1 N+4 Type

  1. Horn Binary Serialization Analysis HCVS 2016 3rd Workshop on Horn Clauses for Verification and Synthesis Gabriele Paganelli https://gapag.noblogs.org/ gapag@distruzione.org

  2. Length Type Data CRC 0 3 4 7 8 N N+1 N+4 Type Data Length CRC 0 3 4 N N+1 N+4 N+5 N+8 Cat.png

  3. Contribution ● Given a layout specification, Length Type Data CRC 0 3 4 7 8 N N+1 N+4 Is there a parser that can parse any instance stream? Or: is the layout deserializable? In practice: describe a left-to-right parser behaviour using Horn clauses and forward chaining

  4. 1:Formalize a layout specification ● f [Id] : fixed length field ● v [Id] : variable length field ( varfield ) → ß)[Id] : pointer field ● (Id' offset span → (Length 4)Length Length Type Data CRC 0 3 4 7 8 N N+1 N+4 f v f

  5. 2:Give a name to all fields → (Length 4)Length 0 f 1 v 2 f 3 Length Type Data CRC 0 3 4 7 8 N N+1 N+4

  6. 3:Formalize parser's knowledge ● The parser knows... ● Beg(i) : where field i begins ● Len(i) : field i 's length ● Ptr(o,s,i) : field i is a pointer, with offset at o and spanning s fields ● Val(i) : field i 's contents.

  7. 4a:Formalize parser's behaviour → (Length 4)Length 0 f 1 v 2 f 3 Length Type Data CRC 0 3 4 7 8 N N+1 N+4 True Beg(0) ⇒ True ⇒ Len(0) True Len(1) ⇒ True Len(3) ⇒ True Ptr(0,4,0) ⇒

  8. 4b:Formalize parser's behaviour ● Beg(i) ∧ Len(i) Beg(i+1) ∧ Val(i) ⇒ forward ● Beg(i+1) ∧ Len(i) Beg(i) ∧ Val(i) ⇒ backward ● Read a field backward or forward. Beg(0) Beg(1) Len(0) Val(0) Length Type Data CRC 0 3 4 7 8 N N+1 N+4

  9. 4c:Formalize parser's behaviour ● Ptr(o,s,i) Val (i) ∧ Beg(o) Beg(o+s) ⇒ ∧ Jump right ● Ptr(o,s,i) Val (i) ∧ Beg(o+s) Beg(o) ⇒ ∧ Jump left ● Follow a pointer backward or forward. Ptr(0,4,0) Val(0) Beg(4) Beg(0) Length Type Data CRC 0 3 4 7 8 N N+1 N+4

  10. 4cc:(example, continued) ● Beg(i) ∧ Len(i) Beg(i+1) ∧ Val(i) ⇒ forward ● Beg(i+1) ∧ Len(i) Beg(i) ∧ Val(i) ⇒ backward ● Read a field backward or forward. Beg(1) Beg(2) Beg(4) Len(1) Val(1) Len(3) Length Type Data CRC 0 3 4 7 8 N N+1 N+4

  11. 4cc:(example, continued) ● Beg(i) ∧ Len(i) Beg(i+1) ∧ Val(i) ⇒ forward ● Beg(i+1) ∧ Len(i) Beg(i) ∧ Val(i) ⇒ backward ● Read a field backward or forward. Beg(1) Beg(2) Beg(3) Beg(4) Len(1) Val(1) Val(3) Len(3) Length Type Data CRC 0 3 4 7 8 N N+1 N+4

  12. 4cc:(example, continued) ● Beg(i) ∧ Len(i) Beg(i+1) ∧ Val(i) ⇒ forward ● Beg(i+1) ∧ Len(i) Beg(i) ∧ Val(i) ⇒ backward ● Read a field backward or forward. Beg(1) Beg(2) Beg(3) Beg(4) Len(1) Val(1) Val(3) Len(3) Length Type Data CRC 0 3 4 7 8 N N+1 N+4

  13. 4d:Formalize parser's behaviour ● Beg(i) Beg(i+1) ⇒ Len(i) ∧ join ● Compute the length of a field. Beg(3) Beg(2) Length Type Data CRC 0 3 4 7 8 N N+1 N+4 Len(2)

  14. 4d:Formalize parser's behaviour ● Beg(i) Beg(i+1) ⇒ Len(i) ∧ join ● Compute the length of a field. Beg(3) Beg(2) Length Type Data CRC 0 3 4 7 8 N N+1 N+4 Len(2)

  15. Deserializability Check Algorithm ● Transform a layout into a Horn KB: O(3n) ● Apply forward chaining: O(3n) ● Is Len(i) for all i in a layout in KB? O(n) Yes: Layout is deserializable No: Layout is not deserializable.

  16. Implementation → (Length 4)Length f v f → (Length 4)Length 0 f 1 v 2 f 3 Axioms CLIPS ∀ i ⇒ Yes Python len(i) ?

  17. N ecessary condition for deserialization ● If layout L is deserializable, THEN in L – for every v i – There is a (foo → s ) p , x foo q ● Such that q ≤ i < q+s – e.g. : f v f → – (Length 4) Length 0 f 1 v 2 f 3 – But: (Foo 4)Foo v v v →

  18. Repetition (Kleene star) : []* → (Foo 2)Foo f [f v f ]*

  19. Repetition (Kleene star) : []* → (Foo 2)Foo f [f v f ]* → (Foo 2) Foo 0 f 1 [f 2.0 v 2.1 f 2.2 ]* 2 s l e b a l t s i L s l e b a l l a r u t a n f o d a e t s n i

  20. Non valid layout specs → ● (Bar 2) 0 [fBar v f]* 1 – Referencing into an inner scope. Pointers cannot offset into inner scopes → (Bar 2) 0 [fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f fBar v f

  21. []* : Predicates → (Foo 2)Foo 0 f 1 [f 2.0 v 2.1 f 2.2 ]* 2 ● Rep(i,l) : field i is a repetition containing l fields ● Replen(i) : the parser knows repetition i 's length

  22. What about the axioms? ● Lifted to the list label level: ● e.g: ⇒ Len(b.a) Beg(b.a) Beg(b.a+1) join ∧ Ptr(b.a,s,i) Val(i) Beg(b.a) ∧ ∧ Jump right ⇒ Beg(b.a+s) b,i :list s,a : natural

  23. []* : Axioms → (Foo 2)Foo 0 f 1 [f 2.0 v 2.1 f 2.2 ]* 2 ● True ⇒ Rep(i,l) in this layout: True ⇒ Rep(2,3) ● Rep(b.a,l) Beg(b.a) Beg(b.a+1) ∧ ∧ ⇒ RepLen(b.a) ● Rep(b.a,l) Beg(b.a) Beg(b.a.0) ∧ ⇒ ● Rep(b.a,l) Beg(b.a+1) Beg(b.a.l) ∧ ⇒

  24. []* : → (Foo 2)Foo 0 f 1 [f 2.0 v 2.1 f 2.2 ]* 2 Forward Jump Forward right

  25. []* : → (Foo 2)Foo 0 f 1 [f 2.0 v 2.1 f 2.2 ]* 2 forward join backward ● Rep(2,3) Beg(2) Beg(2.0) ∧ ⇒ ● Rep(2,3) Beg(3) Beg(2.3) ∧ ⇒

  26. []* : → (Foo 2)Foo 0 f 1 [f 2.0 v 2.1 f 2.2 f 2.3 v 2.4 f 2.5 ]* 2 Forward Jump Forward forward → (Foo 2)Foo 0 f 1 [f 2.0 v 2.1 f 2.2 ]* 2

  27. []* : → (Foo 2)Foo 0 f 1 [f 2.0 v 2.1 f 2.2 f 2.3 v 2.4 f 2.5 ]* 2 backward forward ● Rep(2,3) Beg(2) Beg(2.0) ∧ ⇒ ● Rep(2,3) Beg(3) Beg(2.3) ∧ ⇒ → (Foo 2)Foo 0 f 1 [f 2.0 v 2.1 f 2.2 ]* 2

  28. Dirty trick → (Foo 2)Foo 0 f 1 [f 2.0 v 2.1 f 2.2 ]* 2 → (Foo 2)Foo 0 f 1 [f 2.0 v 2.1 f 2.2 f 2.3 v 2.4 f 2.5 ]* 2 Take each repetition field and double its content.

  29. If L2 is (not) deserializable Then all LN>2 are (not) deserializable Dirty trick F o r m a l l y g u a r a n t e e Take each repetition field and double its content. d : I f L 2 i s d e s e r i a l i z a b l e , (Just once, not for the doubled repetitions!) T h e n L i s d e s e r i a l i z a b l e → L (A 2)A 0 f 1 [f 2.0 → [(B 1)B, v]* 2.1 f 2.2 ]* 2 → L2 (A 2)A 0 f 1 [f 2.0 O(kn) → → [(B 1)B v (C 1)C v]* 2.1 → f 2.2 f 2.3 [D 1)D v]* 2.4 f 2.5 ]* 2 Axioms are left undisturbed.

  30. Implementation → (Length 4)Length [f v]* f NO → (Length 4)Length [f v f v]* f → (Length 4)Length 0 [f 2.0 v 2.1 f 2.2 v 2.3 ]* 2 f 3 ∀ i ⇒ len(i) ? CLIPS Axioms ∀ Rep(i,j) ⇒ RepLen(i) ? Python

  31. Intended application areas ● Serialization libraries ● Data definition language C!C – Rule-based parser generation? – Associate to each proof of deserializability a parser.

  32. Related work – Erlang, haskell, c... – Pads – Protocol buffers, avro, cap'n'proto, bson...

  33. Summary ● Axiomatization of left-to-right stream parsing ● Implementation: Python+CLIPS ● Interesting results: – Necessary condition for deserializability – Doubling repetitions Gabriele Paganelli https://github.com/gapag/horn-binary-deserialization https://gapag.noblogs.org/ gapag@distruzione.org

Recommend

Session 9 Serialization/JSON 1 Lecture Objectives Understand the need for serialization

Session 9 Serialization/JSON 1 Lecture Objectives Understand the need for serialization

Session 9 Serialization/JSON Session 9 Serialization/JSON 1 Lecture Objectives Understand the need for serialization Understand various approaches to serialization Understand the use of JSON as a popular approach to serialization

339 views • 11 slides
Serialization ELCO Tianjin Dresden Oberstenfeld From the Sensor to the Human and back again

Serialization ELCO Tianjin Dresden Oberstenfeld From the Sensor to the Human and back again

Serialization ELCO Tianjin Dresden Oberstenfeld From the Sensor to the Human and back again The source of our success Serialization Serialization Table of contents 1. Brief history 2. Serialisation methods in

792 views • 62 slides
Session 14 Serialization/JSON 1 Lecture Objectives Understand the need for serialization

Session 14 Serialization/JSON 1 Lecture Objectives Understand the need for serialization

Session 14 Serialization/JSON Session 14 Serialization/JSON 1 Lecture Objectives Understand the need for serialization Understand various approaches to serialization Understand the use of JSON as a popular approach to

327 views • 16 slides
Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda Motivation Current State of Program Analysis Design Goals of Binja Program Analysis Building Tools 2 Motivation 3 Tooling - Concrete -&gt;

963 views • 77 slides
Data Data Serialization Serialization with with Symfony Symfony &amp; &amp; Drupal Drupal

Data Data Serialization Serialization with with Symfony Symfony &amp; &amp; Drupal Drupal

Data Data Serialization Serialization with with Symfony Symfony &amp; &amp; Drupal Drupal SensioLabs Hugo Hamon Hugo Hamon Head of training at SensioLabs Book author Speaker at Conferences Symfony contributor Travel lover @hhamon

1.32k views • 110 slides
JHF Horn construction status and K2K horn experience YAMANOI Yutaka (KEK) K2K Horn system

JHF Horn construction status and K2K horn experience YAMANOI Yutaka (KEK) K2K Horn system

JHF Horn construction status and K2K horn experience YAMANOI Yutaka (KEK) K2K Horn system The operation result of K2K Horns Trivial troubles (2002-2003) Status of JHF Horns Basic parameters Mechanism and Merit of FSW

390 views • 20 slides
Buffalo Bone Button Presentation https://www.indiamart.com/horn-natural-kamptee/ buffalo horn

Buffalo Bone Button Presentation https://www.indiamart.com/horn-natural-kamptee/ buffalo horn

Buffalo Bone Button Presentation https://www.indiamart.com/horn-natural-kamptee/ buffalo horn plate for optical frames, buffalo horn blanks, buffalo bone buttons. buffalo horn knife scales, water buffalo horn plates, ebony wood, genuine buffalo

525 views • 5 slides
staypu: object validation and serialization &amp; should this even be a package? Scott

staypu: object validation and serialization &amp; should this even be a package? Scott

staypu: object validation and serialization &amp; should this even be a package? Scott Chamberlain ( @sckottie ) pain point: serialization converting data in one format to another format especially painful when complex other languages

329 views • 19 slides
The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er

The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er

The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er ome Leroux, Olivier Ly, Renaud Tabary, Aymeric Vincent CEA LIST (Saclay, Paris) LABRI (Bordeaux) 1/ 13 Binary code analysis 2/ 13 Binary code

149 views • 14 slides
Pharmaceutical Serialization: Track &amp; Trace in the USA Aisha Nabiyeva David Wu Advisor:

Pharmaceutical Serialization: Track &amp; Trace in the USA Aisha Nabiyeva David Wu Advisor:

Pharmaceutical Serialization: Track &amp; Trace in the USA Aisha Nabiyeva David Wu Advisor: Bruce Arntzen How do we implement Serialization? Translating theory. to Reality Supply Chain Traceability Installation of necessary

1.44k views • 15 slides
Around The Horn ESG INVESTING Michael McLaughlin, CFA AAM Portfolio Manager Credit Analysis:

Around The Horn ESG INVESTING Michael McLaughlin, CFA AAM Portfolio Manager Credit Analysis:

Around The Horn ESG INVESTING Michael McLaughlin, CFA AAM Portfolio Manager Credit Analysis: Incorporating ESG Into Our Process ESG risks are important to ESG considerations are consider when assessing explicitly factored into our future

185 views • 3 slides
Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
GAPP: A Fast Profiler for Detecting Serialization Bottlenecks in Parallel Linux Applications

GAPP: A Fast Profiler for Detecting Serialization Bottlenecks in Parallel Linux Applications

GAPP: A Fast Profiler for Detecting Serialization Bottlenecks in Parallel Linux Applications Reena Nair Tony Field What causes serialization bottlenecks? Resource Contention Load Imbalance Hardware Software Execution Time CPU Locks

474 views • 20 slides
Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen

Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen

Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen University of Maryland Department of Computer Science University of Maryland Binary modification Behavior Attack Detection Analysis Binary Program

492 views • 24 slides
Network Serialization and Routing in World of Warcraft Joe Rumsey jrumsey@blizzard.com Twitter:

Network Serialization and Routing in World of Warcraft Joe Rumsey jrumsey@blizzard.com Twitter:

Network Serialization and Routing in World of Warcraft Joe Rumsey jrumsey@blizzard.com Twitter: @joerumz What is JAM? J oes A utomated M essages The Problem Game servers need to communicate with each other Manual serialization is

1.78k views • 131 slides
Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS,

Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS,

Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS, IRISA sam.thomas@irisa.fr Introduction - what is BAP? Binary analysis framework: For program analysis For (aiding) reverse engineering (plugin

667 views • 29 slides
Effjcient Message Serialization for Inter-Service Communication in dCache Evaluating a Replacement

Effjcient Message Serialization for Inter-Service Communication in dCache Evaluating a Replacement

Effjcient Message Serialization for Inter-Service Communication in dCache Evaluating a Replacement for Java Serialization in dCache Lea Morschel for dCache Team, November 7 2019 About dCache A distributed petabyte-scale storage system for

713 views • 42 slides
Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

avatar 2 Marius Muench 34c3 - December 29, 2017 Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples 5. Conclusion 1 Binary Firmware Analysis Motivation Amount of embedded devices steadily

3.29k views • 51 slides
kotlinx.serialization 1.0 Leonid Startsev @sandwwraith October 13, 2020 Kotlin multiplatform /

kotlinx.serialization 1.0 Leonid Startsev @sandwwraith October 13, 2020 Kotlin multiplatform /

Kotlin 1.4 Online Event kotlinx.serialization 1.0 Leonid Startsev @sandwwraith October 13, 2020 Kotlin multiplatform / multi-format reflectionless serialization Kotlin multiplatform / multi-format reflectionless serialization Things well

1.02k views • 71 slides
Analysis of the Binary IV Model or The case of the missing 9 dimensions Thomas Richardson

Analysis of the Binary IV Model or The case of the missing 9 dimensions Thomas Richardson

Analysis of the Binary IV Model or The case of the missing 9 dimensions Thomas Richardson Department of Statistics University of Washington This is joint work with James Robins (Harvard). Outline 1. The binary IV potential outcomes model

156 views • 15 slides
NuMI/NOvA Horn 1 Stripline Vibration Measurements Kris Anderson Fermi National

NuMI/NOvA Horn 1 Stripline Vibration Measurements Kris Anderson Fermi National

NuMI/NOvA Horn 1 Stripline Vibration Measurements Kris Anderson Fermi National Accelerator Lab 25-September-2014 NBI Workshop 2014 Overview Some Background Information Regarding Horn 1 Stripline Analysis 400kW

580 views • 34 slides
Analysis of Parameterised Timed Systems using Horn Constraints Hossein Hojjat Philipp Rmmer

Analysis of Parameterised Timed Systems using Horn Constraints Hossein Hojjat Philipp Rmmer

Analysis of Parameterised Timed Systems using Horn Constraints Hossein Hojjat Philipp Rmmer Pavle Subotic Wang Yi SynCoP+PV 23 April 2017 Context Starting point: Work on general-purpose fjxed-point solvers Application to timed

532 views • 27 slides
Lecture 3: Binary image analysis Thursday, Sept 6 Sudheendras office hours Mon, Wed

Lecture 3: Binary image analysis Thursday, Sept 6 Sudheendras office hours Mon, Wed

Lecture 3: Binary image analysis Thursday, Sept 6 Sudheendras office hours Mon, Wed 1-2 pm ENS 31NR Forsyth and Ponce book Binary images Two pixel values Foreground and background Regions of interest

1.13k views • 78 slides
Pyramidal Horn Antenna Top View Side View Pyramidal Horn Antenna Condition for Physical

Pyramidal Horn Antenna Top View Side View Pyramidal Horn Antenna Condition for Physical

Pyramidal Horn Antenna Top View Side View Pyramidal Horn Antenna Condition for Physical Realization: Pyramidal Horn: Design Procedure Alternatively Directivity of Pyramidal Horn Antenna can be obtained using Directivity curves for E-and

1.1k views • 38 slides

More recommend