the state of hammer ready for ics
play

the state of hammer: ready for ics Sven M. Hallberg Adam Crain - PowerPoint PPT Presentation

Nov 08, 2022 •195 likes •467 views

the state of hammer: ready for ics Sven M. Hallberg Adam Crain Meredith L. Patterson Sergey Bratus 26 May 2016 1464.2 megaseconds since the Unix epoch LangSec workshop at IEEE Security & Privacy 2016 recap: the hammer parser combinator

  1. the state of hammer: ready for ics Sven M. Hallberg Adam Crain Meredith L. Patterson Sergey Bratus 26 May 2016 1464.2 megaseconds since the Unix epoch LangSec workshop at IEEE Security & Privacy 2016

  2. recap: the hammer parser combinator library • Primitive parsers HParser *seqno = h_bits(4, false); HParser *bit = h_bits(1, false); ... • Combined to form higher-level structures • h_choice , h_many , h_many1 , … • define own combinators 1

  3. spoiler Start with a grammar, stay with a grammar! But what is it? 2

  4. dnp3 protocol layers 3

  5. application layer AppHdr (ObjHdr Object*)* AppHdr = SeqNo Flags FunctionCode ObjHdr = Group Variation PC RSC Range Object = Prefix? ObjectData 4

  6. problem? The previous fails to express dependencies between • Flags and FunctionCode • FunctionCode and ( Group , Variation ) • RSC , Range , PC • ( Group , Variation ) and Object s 5

  7. a peek into the spec 6

  8. complexity shifting • Syntax spills into "semantics". 7

  9. complexity shifting (cont.) • Syntax spills… where?!? • "Obvious" constraints are not in spec 8

  10. hammer example: dnp3 "select" function pcb = dnp3_p_g12v2_binoutcmd_pcb_oblock; pcm = dnp3_p_g12v3_binoutcmd_pcm_oblock; crob = dnp3_p_g12v1_binoutcmd_crob; anaout = dnp3_p_anaout_oblock; sel_pcb = h_sequence(pcb, h_many1(pcm), NULL); sel_oblock = h_choice(sel_pcb, crob, anaout, NULL); select = h_many(sel_oblock); 9

  11. application: validating proxy 10

  12. elfbac integration • ELFbac : Intra -process memory isolation based on ELF sections • Can also restrict access to system calls • "Behavioral access control" to capture programmer intent Only main loop may call OS Only OS may write to input buffer Only parser may read from input buffer Rest of application can read parse results 11

  13. elfbac challenges • Application must be designed for separation • Normal malloc not (yet) captured • "Overcommit" makes custom heaps feasible • but memory accounting can still get in the way • we want to allocate address space • Hammer worked well with custom allocator • reusable 12

  14. validation • Fine-grained unit tests ( lots of unit tests) • Tests for common DNP3 bugs • Valgrind • Fuzzing: AFL and Aegis • Different compilers 13

  15. results "I survived American Fuzzy Lop" • length fields… • Directed tests: integer overflow • count fields… 14 • AFL: resource exhaustion in Hammer ( → fixed)

  16. langsec as a roadmap Grammar is not everything but… it seems to help with everything . • Parsers naturally decompose for testing • Well-factored code is easier to maintain and extend • Decomposition helps separation of privileges 15

  17. potential application issues • Speed impact • sequential tries vs. table lookups • CFGs are good! • Memory impact • generic data representation blows up packed structures • can we separate pure validation? 16

  18. implementation challenges • EDSL (Hammer) learning curve • Difficult to debug • opaque stack traces • error messages?!? • Framework limitations? • allocator support • sync or async I/O • incremental processing 17

  19. example stack trace 18

  20. lessons • Learn a protocol's true syntax! • Don't shift language complexity out of parsing • Do isolate/capture complexity • Avoid lengths and counts, if possible • Use CFG parsing algorithms for network protocols (!) 19

  21. end Code: github.com/pesco/dnp3 github.com/sergeybratus/proxy ELFbac: elfbac.org 19

  22. dnp3 protocol layers • Application: AppHdr (ObjHdr Object*)* • Transport (think TCP): (SeqNo Flags Payload)+ • Link (think Ethernet): Header CRC (Payload CRC)*

  23. hammer example: dnp3 "crob" object h_uint32(), dnp3_p_reserved(1), // 7 bits status, // off-time [ms] h_uint32(), // on-time [ms] // count h_sequence(h_bits(4, false), h_uint8(), tcc, // clear flag bit, // queue flag bit, // op type NULL));

  24. apphdr in our parser (excerpt) h_choice(unsfc, rspfc, NULL)); h_sequence(rspac, rspfc, iin, NULL), H_RULE (rsp_header, h_choice(h_sequence(unsac, unsfc, iin, NULL), h_sequence(anyreqac, ereqfc, NULL), NULL)); h_sequence(reqac, reqfc, NULL), H_RULE (req_header, h_choice(h_sequence(conac, confc, NULL), h_right(h_and(h_not(anyrspfc)), fc)); H_ARULE(erspfc, h_right(h_and(h_not(anyreqfc)), fc)); H_ARULE(ereqfc, H_RULE (anyrspfc, H_RULE (confc, h_choice(confc, reqfc, NULL)); H_RULE (anyreqfc, h_choice(fc_rsp, fc_ar, NULL)); H_RULE (rspfc, h_choice(fc_ur, fc_ar, NULL)); H_RULE (unsfc, h_int_range(fc, 0x01, 0x21)); H_RULE (reqfc, dnp3_p_int_exact(fc, DNP3_CONFIRM)); h_sequence(anyrspac, erspfc, iin, NULL), NULL));

  25. dnp3 could be context-free Obstacles: • Packet lengths • Object counts • Syntactic error handling • Complex header field relations

  26. parsing variable-length data DNP3 link layer: Header CRC (Payload CRC)* • Generate parsers for CRC'ed blocks of size 1-16 • Extend to parsers for sizes 0-255 • Dispatch on length field to appropriate parser

Recommend

Safely Remove a Hammer From the Equation Conventional Hammer Union Problems associated with

Safely Remove a Hammer From the Equation Conventional Hammer Union Problems associated with

Safely Remove a Hammer From the Equation Conventional Hammer Union Problems associated with Hammer Unions Staff injuries A typical job site contains 20-80 connections requiring to be struck 4-8 times on average presenting personnel with as

305 views • 17 slides
Using Integrative Modeling for a hammer, look out for your Advanced Heterogeneous System thumb,

Using Integrative Modeling for a hammer, look out for your Advanced Heterogeneous System thumb,

Arizonas First University. Thm (Kelly): If all you have is Using Integrative Modeling for a hammer, look out for your Advanced Heterogeneous System thumb, and all that. Simulation Corollary: If everyone has a hammer, then you will not use

974 views • 17 slides
Yolanda Sneed Project Director Florida Ready to Work and WIN Learning Florida Ready to Work

Yolanda Sneed Project Director Florida Ready to Work and WIN Learning Florida Ready to Work

Yolanda Sneed Project Director Florida Ready to Work and WIN Learning Florida Ready to Work Connecting employers, education and jobseekers to build a skilled workforce for Florida. What is Florida Ready to Work? State-funded employee

630 views • 47 slides
Washington State Board of Education Approved Career and College Ready High School Graduation

Washington State Board of Education Approved Career and College Ready High School Graduation

Washington State Board of Education Approved Career and College Ready High School Graduation Requirements Graduating Career and College Ready Students (pending legislative authorization and funding) Presentation to the Senate Early

505 views • 22 slides
Incremental Interactive Computation Matthew Hammer hammer@cs.umd.edu Tuesday, October 7, 2014

Incremental Interactive Computation Matthew Hammer hammer@cs.umd.edu Tuesday, October 7, 2014

Incremental Interactive Computation Matthew Hammer hammer@cs.umd.edu Tuesday, October 7, 2014 1 Incremental Interactive Computation Matthew Hammer hammer@cs.umd.edu Tuesday, October 7, 2014 2 Batch Computation vs Interactive Computation

592 views • 32 slides
1 Ready Medical Ready Medical Medically Ready DHA Presence Across the Globe Supporting COCOMs

1 Ready Medical Ready Medical Medically Ready DHA Presence Across the Globe Supporting COCOMs

1 Ready Medical Ready Medical Medically Ready DHA Presence Across the Globe Supporting COCOMs and Services 6 55 55 H Hospital itals 36 360 0 Outpa patient tient Cl Clin inic ics 9.4M 1.5M Benefi eficia ciarie ies In

1.04k views • 27 slides
Fixing MC for ARM v7-A Just a few corner cases how hard can it be? 1 MC Hammer?

Fixing MC for ARM v7-A Just a few corner cases how hard can it be? 1 MC Hammer?

Fixing MC for ARM v7-A Just a few corner cases how hard can it be? 1 MC Hammer? Framework for exhaustive testing of MC layer implementation for ARM First introduced at Euro LLVM 2012 35 issues found, fixes open sourced

445 views • 6 slides
MOSAIC for the ESO-ELT Franois Hammer (see http://www.mosaic-elt.eu) Also:

MOSAIC for the ESO-ELT Franois Hammer (see http://www.mosaic-elt.eu) Also:

MOSAIC for the ESO-ELT Franois Hammer (see http://www.mosaic-elt.eu) Also: Heidelberg/Gttingen, Stockholm/Lund/Uppsala, Helsinki/Turku, Madrid Complutense/IAA, Roma/Arcetri, Vienna, Lisboa/Porto Last newcomers: Geneva and Univ. of

607 views • 39 slides
PORTING THE HAMMER FILE SYSTEM TO LINUX Daniel Lorch June 10, 2009 Outline 2/13 Motivation 1.

PORTING THE HAMMER FILE SYSTEM TO LINUX Daniel Lorch June 10, 2009 Outline 2/13 Motivation 1.

Porting the HAMMER File System to Linux Daniel Lorch 1/13 PORTING THE HAMMER FILE SYSTEM TO LINUX Daniel Lorch June 10, 2009 Outline 2/13 Motivation 1. A Hammer File System Walkthrough 2. Tool Evaluation 3. Porting Work 4. Demo 5.

174 views • 13 slides
Se Seni nior Ye or Year 1 ar 101 01 College Ready, Career Ready, Life Ready Co Comm mmuni

Se Seni nior Ye or Year 1 ar 101 01 College Ready, Career Ready, Life Ready Co Comm mmuni

Se Seni nior Ye or Year 1 ar 101 01 College Ready, Career Ready, Life Ready Co Comm mmuni unicatio cation Newsletters, Callouts, Emails, Presentations, Conferences St Stay ay Info Inform rmed ed The Coronado High School (CHS)

1.39k views • 34 slides
Getting ready Getting ready for the LHC for the LHC Gnther Dissertori ETH Zrich

Getting ready Getting ready for the LHC for the LHC Gnther Dissertori ETH Zrich

Getting ready Getting ready for the LHC for the LHC Gnther Dissertori ETH Zrich Galileo-Galilei Institute Firenze 16.6.2006 Outline Introduction Now : Status of the Machine Detectors Pretty soon : Commissioning and

726 views • 46 slides
DevOps for IoT: A Hammer-io Extension Client/Advisor: Lotfi ben-Othmane Matt Bechtel, Brett

DevOps for IoT: A Hammer-io Extension Client/Advisor: Lotfi ben-Othmane Matt Bechtel, Brett

DevOps for IoT: A Hammer-io Extension Client/Advisor: Lotfi ben-Othmane Matt Bechtel, Brett Wilhelm, Chakib Ahlouche, Yussef Saleh http://sddec19-24.sd.ece.iastate.edu/ DevOps for IoT: A Hammer.io Extension sddec19-24 What is DevOps?

485 views • 29 slides
Cache-aware Scheduling and Performance Modeling with LLVM-Polly and Kerncraft Julian Hammer

Cache-aware Scheduling and Performance Modeling with LLVM-Polly and Kerncraft Julian Hammer

Cache-aware Scheduling and Performance Modeling with LLVM-Polly and Kerncraft Julian Hammer [RRZE] <julian.hammer@fau.de>, Johannes Doerfert [UdS] <doerfert@cs.uni-saarland.de>, Georg Hager [RRZE], Gerhard Wellein [RRZE] and

631 views • 35 slides
Is Your Radio Station Ready for License Renewal? Hosted by: The New York State Broadcasters

Is Your Radio Station Ready for License Renewal? Hosted by: The New York State Broadcasters

Is Your Radio Station Ready for License Renewal? Hosted by: The New York State Broadcasters Association, Inc. October 23, 2013 Presenters David L. Donovan, President of the NYSBA, Moderator Peter H. Doyle, Chief, Audio Division,

250 views • 14 slides
State Machine for GPRS MM READY timer expiry or GPRS Attach Force to STANDBY IDLE IDLE READY

State Machine for GPRS MM READY timer expiry or GPRS Attach Force to STANDBY IDLE IDLE READY

State Machine for GPRS MM READY timer expiry or GPRS Attach Force to STANDBY IDLE IDLE READY READY STANDBY STANDBY GPRS Detach, PDU transmission RAU Reject or GPRS Attach Reject (a) MS MM States for GPRS (a) MS MM States for GPRS

1.51k views • 11 slides
At LaTrobe University we are educating our students to be work ready, world ready and

At LaTrobe University we are educating our students to be work ready, world ready and

At LaTrobe University we are educating our students to be work ready, world ready and future ready, by drawing on rich educational technologies such as PebblePad, to increase the use of technology-enabled online learning. LaTrobe

618 views • 29 slides
If I had a hammer The role of infrastructure in creative, innovative clusters and the

If I had a hammer The role of infrastructure in creative, innovative clusters and the

If I had a hammer The role of infrastructure in creative, innovative clusters and the community in Saskatoon Peter W.B. Phillips, Graeme Webb and Michael Kunz Introduction Infrastructure is the answerwhat is the question?

555 views • 22 slides
ARE YOU READY TO SEND YOUR CHILD TO HIGH SCHOOL? Ready or not, here they come!!!

ARE YOU READY TO SEND YOUR CHILD TO HIGH SCHOOL? Ready or not, here they come!!!

ARE YOU READY TO SEND YOUR CHILD TO HIGH SCHOOL? Ready or not, here they come!!! Introductions Important Dates Freshman Guidebook Diploma Options End of Course Assessments Getting Involved

740 views • 35 slides
IU READY - DEMO https://us.ready.kuali.org/iub Business Continuity Mary Lou East-Emmons

IU READY - DEMO https://us.ready.kuali.org/iub Business Continuity Mary Lou East-Emmons

IU READY BCP Orientation Training PART 2 7/15/2011 IU READY for Indiana University PART #2 Emergency Management & Continuity IU READY - DEMO https://us.ready.kuali.org/iub Business Continuity Mary Lou East-Emmons Planning

397 views • 17 slides
Attacking a co-hosted VM A hacker, a hammer and two memory modules 1 Who we are (1) Mehdi

Attacking a co-hosted VM A hacker, a hammer and two memory modules 1 Who we are (1) Mehdi

Attacking a co-hosted VM A hacker, a hammer and two memory modules 1 Who we are (1) Mehdi Talbi Security researcher at Stormshield haka-security project. Past life: academia (phd, postdoc, ) Main research topics: advanced

1.61k views • 94 slides
Why Assessments Work (or Not): USING A HAMMER TO CHANGE SPARKPLUGS GREG WIENS, PH.D. HEALTHY

Why Assessments Work (or Not): USING A HAMMER TO CHANGE SPARKPLUGS GREG WIENS, PH.D. HEALTHY

Why Assessments Work (or Not): USING A HAMMER TO CHANGE SPARKPLUGS GREG WIENS, PH.D. HEALTHY GROWING LEADERS TrueWiring.com/Expo 01 02 03 Download handouts This presentation FREE Assessment Instruments: DISC Spiritual Gifts

305 views • 13 slides
Yo Youre Ready for College Math, but but I Is Co s College R Ready f dy for Y r You? u?

Yo Youre Ready for College Math, but but I Is Co s College R Ready f dy for Y r You? u?

College Information for Gifted and Accelerated Students Yo Youre Ready for College Math, but but I Is Co s College R Ready f dy for Y r You? u? By Lessa Scherrer College Inside Track www.CollegeInsideTrack.com Early College Options

737 views • 37 slides
Reallocation of Resources Across Age in a Comparative European Setting Bernhard Hammer Alexia

Reallocation of Resources Across Age in a Comparative European Setting Bernhard Hammer Alexia

Reallocation of Resources Across Age in a Comparative European Setting Bernhard Hammer Alexia Prskawetz Inga Freund The research leading to these results has received funding from the Austrian Science Fund [Project I 347-G16

475 views • 25 slides
Get Ready for the New York State Paid Family Leave Law Presented By: Stephen DuFlo Guardian

Get Ready for the New York State Paid Family Leave Law Presented By: Stephen DuFlo Guardian

Get Ready for the New York State Paid Family Leave Law Presented By: Stephen DuFlo Guardian Life Insurance Company of America 5788 Widewaters Pkwy Dewitt NY, 13214 GUARDIAN and the GUARDIAN Logo are registered service marks of The Guardian

247 views • 14 slides

More recommend