toward automated grammar extraction
play

Toward Automated Grammar Extraction via Semantic Labeling of - PowerPoint PPT Presentation

Oct 19, 2022 •186 likes •643 views

Toward Automated Grammar Extraction via Semantic Labeling of Parser Implementations Carson Harmon Bradford Larsen Evan Sultanik LangSec Workshop at IEEE Security & Privacy, May 21, 2020 The Problem The Problem The Problem # !

  1. Toward Automated Grammar Extraction via Semantic Labeling of Parser Implementations Carson Harmon Bradford Larsen Evan Sultanik LangSec Workshop at IEEE Security & Privacy, May 21, 2020

  2. The Problem

  3. The Problem

  4. The Problem # ! ✓ ⛔

  5. The Problem $

  6. The Problem ✓ ✓ $ ✓ ✓

  7. High Level Goals Create semantic map of the functions in a parser, which will improve grammar extraction. & ' % ???

  8. High Level Goals Create semantic map of the functions in a parser, which will improve grammar extraction. parser_function1 & ↳ byte 0, 10, 50 Object Stream % parser_function2 ↳ byte 10, 74 Xref parser_function3 ↳ byte 20 JFIF

  9. High Level Goals Create semantic map of the functions in a parser, which will improve grammar extraction. parser_function1 & ↳ byte 0, 10, 50 Ultimate Goal: Automatically Object Stream extract a minimal grammar % specifying the files accepted by a parser_function2 parser ↳ byte 10, 74 Hypothesis: The majority of the Xref potential for maliciousness and schizophrenia will exist in the parser_function3 symmetric di ff erence of the ↳ byte 20 grammars accepted by a format’s parser implementations JFIF

  10. Approach Semantic Ground Truth Instrumentation Associative Labeling Label the Type Composition Use universal taint analysis Merge the results of the first Hierarchy of the input files to track all input bytes two steps to produce a through the execution of a labeling of which functions parser operate on which types Detect backtracking Detect error handling Di ff erential analysis

  11. Approach Semantic Ground Truth Instrumentation Associative Labeling Label the Type Composition Use universal taint analysis Merge the results of the first Hierarchy of the input files to track all input bytes two steps to produce a through the execution of a labeling of which functions parser operate on which types Detect backtracking ✓ Detect error handling Di ff erential analysis

  12. Approach Semantic Ground Truth Instrumentation Associative Labeling Grammar Extraction (future work) Label the Type Composition Use universal taint analysis Merge the results of the first Hierarchy of the input files to track all input bytes two steps to produce a through the execution of a labeling of which functions parser operate on which types Detect backtracking ✓ Detect error handling Di ff erential analysis

  13. Prior Work: Semantic Labeling Polyglot-Aware File Identification Resilient Parsing Syntax Tree iNES [0x0 → 0x12220] Modify parsers for best e ff ort ' ↳ Magic [0x0 → 0x3] Header [0x4 → 0xF] ??? iNES ROM Instrument to track input byte o ff sets ⋮ PRG [0xC210 → 0x1020F] Label regions of the input CHR [0x10210 → 0x12220] PDF PDF [0x10 → 0x2EF72F] Produce ground truth ↳ Magic [0x10 → 0x1E] ZIP Object 1.0 [0x1F → 0x12221] ↳ Dictionary [0x2A → 0x3E] Stream [0x3F → 0x12219] ↳ JFIF Image [0x46 → 0x1220F] ↳ JPEG Segment […] ↳ Magic […] Marker […] ⋮

  14. PolyFile Ground Truth '

  15. PolyFile Ground Truth '

  16. Prior Work: Parser Instrumentation LLVM Instrumentation Taint Tracking Operate on LLVM/IR Shadow memory inspired by Novel datastructure for the Data Flow Sanitizer e ffi ciently storing taint labels Can work with all open (dfsan) source parsers dfsan status quo: Negligible CPU overhead 훩 (1) lookups Eventually support closed- 훩 ( n ² ) storage source binaries by lifting to O ( n ) memory overhead, LLVM ( e.g. , with McSEMA where n is the number of PolyTracker: or Remill) instructions executed by the O (log n ) lookups parser O ( n ) storage

  17. PolyTracker Instrumentation { "ensure_solid_xref" : [ 2276587, 2276588 ], "fmt_obj" : [ 2465223, 2465224, 2465225, 2465226, 2465227, 2465228, 2465240, 2465241, 2465242, 2465243, 2465244, 2465245, 2465246, 2465258, 2465259, 2465260, 2465261, 2465262 ] }

  18. PolyTracker Instrumentation { iNES [0x0 → 0x12220] "ensure_solid_xref" : [ 2276587, ↳ Magic [0x0 → 0x3] 2276588 Header [0x4 → 0xF] ], "fmt_obj" : [ ⋮ 2465223, PRG [0xC210 → 0x1020F] 2465224, 2465225, CHR [0x10210 → 0x12220] 2465226, PDF [0x10 → 0x2EF72F] 2465227, ↳ Magic [0x10 → 0x1E] 2465228, 2465240, Object 1.0 [0x1F → 0x12221] 2465241, ↳ Dictionary [0x2A → 0x3E] 2465242, 2465243, Stream [0x3F → 0x12219] 2465244, ↳ JFIF Image [0x46 → 0x1220F] 2465245, 2465246, ↳ JPEG Segment […] 2465258, ↳ Magic […] 2465259, 2465260, Marker […] 2465261, ⋮ 2465262 ] }

  19. PolyTracker Instrumentation { iNES [0x0 → 0x12220] "ensure_solid_xref" : [ 2276587, Trailer ↳ Magic [0x0 → 0x3] ensure_solid_xref 2276588 XRef Header [0x4 → 0xF] ], "fmt_obj" : [ ⋮ Object 2465223, fmt_obj PRG [0xC210 → 0x1020F] Dictionary 2465224, 2465225, CHR [0x10210 → 0x12220] 2465226, PDF [0x10 → 0x2EF72F] 2465227, ↳ Magic [0x10 → 0x1E] 2465228, 2465240, Object 1.0 [0x1F → 0x12221] 2465241, ↳ Dictionary [0x2A → 0x3E] 2465242, 2465243, Stream [0x3F → 0x12219] 2465244, ↳ JFIF Image [0x46 → 0x1220F] 2465245, 2465246, ↳ JPEG Segment […] 2465258, ❓ ↳ Magic […] 2465259, 2465260, Marker […] 2465261, ⋮ 2465262 ] }

  20. The Challenge of Associative Labeling How can we associate types in the file format to the set of functions most specialized in operating on that type? Observations Raw mapping is not necessarily injective: A parser’s functional implementation will rarely There will rarely be a Parser 1 Parser 2 be isomorphic to the type perfect bijection between the Specialized Specialized hierarchy or syntax tree of types and functions Function Function Monolithic the input file Function Specialized Function

  21. Information Entropy Idea: Use information entropy to measure function specialization • For each type, collect the functions that operate on that type • Calculate P ( t, f ) = the probability that a specific type occurs within a function • Calculate the “genericism” of a function G : F → ℝ • Use G to sort the functions associated with a type, discarding all but the smallest (most specialized) standard deviation

  22. Problem: Code is Too Monolithic The parser has a single function responsible for parsing multiple types Parser 1 Monolithic Function

  23. Problem: Code is Too Monolithic The parser has a single function responsible for parsing multiple types • Calculate the dominator tree of the syntax tree

  24. Problem: Code is Too Monolithic The parser has a single function responsible for parsing multiple types • Calculate the dominator tree of the syntax tree • Remove a function from the matching for a type if there exists an ancestor of the type in the dominator tree that maps to the same function

  25. Problem: Code is Too Monolithic The parser has a single function responsible for parsing multiple types • Calculate the dominator tree of the syntax tree • Remove a function from the matching for a type if there exists an ancestor of the type in the dominator tree that maps to the same function

  26. Problem: Code is Too Monolithic The parser has a single function responsible for parsing multiple types • Calculate the dominator tree of the syntax tree parse_pdf_dictionary • Remove a function from the matching for a type if there exists an ancestor of the type in the dominator tree that maps to the same function

  27. Problem: Code is Too Monolithic The parser has a single function responsible for parsing multiple types • Calculate the dominator tree of the syntax tree parse_pdf_dictionary • Remove a function from the matching for a type if there exists an ancestor of the type in the dominator tree that maps to the same function

  28. Problem: Code is Too Cohesive The parser has many, tightly coupled functions collectively responsible for parsing a single type • If those functions are always called sequentially, then we ideally Parser 2 only want the single function that initiates the sequence Specialized Specialized Function Function • Calculate the dominator tree of the runtime control flow graph Specialized Function • For each type, remove any functions in the matching that have an ancestor in the dominator tree that is also in the matching

  29. Problem: Code is Too Cohesive The parser has many, tightly coupled functions collectively responsible for parsing a single type • If those functions are always called sequentially, then we ideally only want the single function that initiates the sequence • Calculate the dominator tree of the runtime control flow graph • For each type, remove any functions in the matching that have an ancestor in the dominator tree that is also in the matching

  30. pdf_load_xref pdf_read_start_xref pdf_prime_xref_index

  31. PDF pdf_load_xref XRef pdf_read_start_xref pdf_prime_xref_index

  32. PDF pdf_load_xref XRef pdf_read_start_xref pdf_prime_xref_index

  33. Results • Runs in O (| F | n log | T |) time ◦ F = # functions in the parser ◦ T = # types (or production rules) in the grammar ◦ n = # bytes in the input file • Mappings for various parsers and file formats • Implementation in the polymerge application distributed with PolyFile: ◦ pip3 install polyfile

Recommend

Automated Feature Extraction Automated Feature Extraction for Object Recognition for Object

Automated Feature Extraction Automated Feature Extraction for Object Recognition for Object

Automated Feature Extraction Automated Feature Extraction for Object Recognition for Object Recognition I.Levner and V.Bulitko http://ircl.cs.ualberta.ca Outline Outline Motivation System Overview Feature Extraction Problem

601 views • 15 slides
Data Mining l The Extraction of useful information from data l The automated extraction of hidden

Data Mining l The Extraction of useful information from data l The automated extraction of hidden

Data Mining l The Extraction of useful information from data l The automated extraction of hidden predictive information from (large) databases l Business, Huge data bases, customer data, mine the data Also Medical, Genetic, Astronomy, etc. l

535 views • 32 slides
Automated Acquisition of Linguistic Knowledge for Robust Multilingual Grammar Development Valia

Automated Acquisition of Linguistic Knowledge for Robust Multilingual Grammar Development Valia

Introduction Acquisition of MWEs: Theoretical Background & Motivation Detection of MWEs candidates Evaluation of the Identification of MWEs Extension of the English Resource Grammar with MWEs Enhancing Robustness of the German Grammar

1.06k views • 103 slides
Semantics: Semantic Grammar & Information Extraction CMSC 35100 Natural Language Processing

Semantics: Semantic Grammar & Information Extraction CMSC 35100 Natural Language Processing

Semantics: Semantic Grammar & Information Extraction CMSC 35100 Natural Language Processing May 13, 2003 Potential Projects Develop a morphological transducer for a portion of a language of your choice Improve the output of a

565 views • 20 slides
Automated Extraction and Processing Solutions Ancillary equipment, products and services for the

Automated Extraction and Processing Solutions Ancillary equipment, products and services for the

P I C K S , S H O V E L S A N D C A N N A B I S Automated Extraction and Processing Solutions Ancillary equipment, products and services for the Cannabis Industry Fall 2017 quadroncannatech.com Green to Gold CSE: QCC

390 views • 18 slides
Inspector Gadget Automated Extraction of Proprietary Gadgets from Malware Binaries Clemens

Inspector Gadget Automated Extraction of Proprietary Gadgets from Malware Binaries Clemens

Int. Secure Systems Lab Vienna University of Technology Inspector Gadget Automated Extraction of Proprietary Gadgets from Malware Binaries Clemens KOLBITSCH Thorsten HOLZ Engin KIRDA Christopher KRUEGEL ck@iseclab.org Int.

622 views • 39 slides
Automated Extraction of Accurate Delay/Timing Macromodels of Digital Gates and Latches using

Automated Extraction of Accurate Delay/Timing Macromodels of Digital Gates and Latches using

Automated Extraction of Accurate Delay/Timing Macromodels of Digital Gates and Latches using Trajectory Piecewise Methods Sandeep Dabas*, Ning Dong + Jaijeet Roychowdhury* * University of Minnesota, Twin Cities, USA + Texas Instruments, Dallas,

223 views • 19 slides
Automated and Accurate Geometry Extraction and Shape Optimisation of 3D Topology Optimisation

Automated and Accurate Geometry Extraction and Shape Optimisation of 3D Topology Optimisation

Automated and Accurate Geometry Extraction and Shape Optimisation of 3D Topology Optimisation Results London 15 th of October 2019 Femto Engineering Marco Swierstra www.nafems.org Introduction Topology optimisation Design

458 views • 22 slides
Aspect Extraction with Automated Prior Knowledge Learning Zhiyuan (Brett) Chen Arjun Mukherjee

Aspect Extraction with Automated Prior Knowledge Learning Zhiyuan (Brett) Chen Arjun Mukherjee

Aspect Extraction with Automated Prior Knowledge Learning Zhiyuan (Brett) Chen Arjun Mukherjee Bing Liu Aspect Extraction Extracting aspect terms Aspect Terms This camera takes beautiful pictures but its price is

975 views • 74 slides
PEAK: Pyramid Evaluation via Automated Knowledge Extraction Qian Yang , Rebecca J. Passonneau,

PEAK: Pyramid Evaluation via Automated Knowledge Extraction Qian Yang , Rebecca J. Passonneau,

PEAK: Pyramid Evaluation via Automated Knowledge Extraction Qian Yang , Rebecca J. Passonneau, Gerard de Melo PhD Candidate, Tsinghua University Visiting Student, Columbia University http://www.larayang.com/ Content Evaluating Summary

575 views • 35 slides
Automated Anatomical Likelihood Driven Extraction and Branching Detection of Aortic Arch in 3-D

Automated Anatomical Likelihood Driven Extraction and Branching Detection of Aortic Arch in 3-D

Nagoya University Automated Anatomical Likelihood Driven Extraction and Branching Detection of Aortic Arch in 3-D Chest CT Marco Feuerstein a , Takayuki Kitasaka b,c , Kensaku Mori a,c a Graduate School of Information Science, Nagoya University b

150 views • 14 slides
Picks, Shovels & Cannabis: Automated Extraction and Processing Solutions Ancillary equipment,

Picks, Shovels & Cannabis: Automated Extraction and Processing Solutions Ancillary equipment,

Picks, Shovels & Cannabis: Automated Extraction and Processing Solutions Ancillary equipment, products and services for the Cannabis Industry 2017 om gold Su Summer 2017 qu quadr dronca cannatech ch.c .com gr green to go

593 views • 20 slides
Automated Model Extraction and Testing of Graphical User Interface Applications Pekka Aho

Automated Model Extraction and Testing of Graphical User Interface Applications Pekka Aho

Automated Model Extraction and Testing of Graphical User Interface Applications Pekka Aho Abstract The industry practice for test automation through graphical user interface (GUI) is script-based. In some tools the scripts can be recorded from

193 views • 8 slides
mwetoolkit: A tool for automated extraction of multi-word expressions Vtor De Arajo Carlos

mwetoolkit: A tool for automated extraction of multi-word expressions Vtor De Arajo Carlos

mwetoolkit: A tool for automated extraction of multi-word expressions Vtor De Arajo Carlos Ramisch Multi-word expressions Combinations of words that present linguistical or statistical idiosyncrasies Phrasal verbs: carry up, consist

403 views • 16 slides
Development R&D Review Automated Grouping Model Extraction from BIM Data Unified Fire-Egress

Development R&D Review Automated Grouping Model Extraction from BIM Data Unified Fire-Egress

Development R&D Review Automated Grouping Model Extraction from BIM Data Unified Fire-Egress Visualization www.thunderheadeng.com Recent Development Work PyroSim Updated Simulator Support: FDS 5.5, 5.6, 5.7 Preview Support for

556 views • 55 slides
Automated Extraction of Threat Signatures from Network Flows Piotr Kijewski CERT Polska/NASK

Automated Extraction of Threat Signatures from Network Flows Piotr Kijewski CERT Polska/NASK

Automated Extraction of Threat Signatures from Network Flows Piotr Kijewski CERT Polska/NASK FIRST 2006 Conference, Baltimore, USA 25-30th June 2006 Agenda Identifying the problem Definition of a network threat signature

583 views • 32 slides
DIADEM data extraction methodology Web data as you want it T E A M 2 I N T R O D U C T I O N

DIADEM data extraction methodology Web data as you want it T E A M 2 I N T R O D U C T I O N

W E L C O M E 1 domain-centric intelligent automated DIADEM data extraction methodology Web data as you want it T E A M 2 I N T R O D U C T I O N 3 Cheng Wang Tim Furche Poster now Facebook Session II, 57 Today at

868 views • 34 slides
Introduction to English Linguistics 4: Grammar and Syntax I Grammar and Syntax Grammar The

Introduction to English Linguistics 4: Grammar and Syntax I Grammar and Syntax Grammar The

Introduction to English Linguistics 4: Grammar and Syntax I Grammar and Syntax Grammar The rules of language, comprising syntax and inflectional morphology Syntax The hierarchical structure of language Lexical Words (Open Class) Noun

539 views • 31 slides
Introduction to English Linguistics 4: Grammar and Syntax Grammar and Syntax Grammar The rules

Introduction to English Linguistics 4: Grammar and Syntax Grammar and Syntax Grammar The rules

Introduction to English Linguistics 4: Grammar and Syntax Grammar and Syntax Grammar The rules of language, comprising syntax and inflection Syntax The hierarchical structure of language Lexical Words, Open Class Noun Adjective

739 views • 39 slides
GRAMMAR THROUGH HUMOR BRANDY SHOOKS & WHITNEY SCHARER TEACHING GRAMMAR THROUGH HUMOR Having

GRAMMAR THROUGH HUMOR BRANDY SHOOKS & WHITNEY SCHARER TEACHING GRAMMAR THROUGH HUMOR Having

TEACHING GRAMMAR THROUGH HUMOR BRANDY SHOOKS & WHITNEY SCHARER TEACHING GRAMMAR THROUGH HUMOR Having difficulty getting your students interested and excited about grammar? Participants in this session will gain tools to present grammar in

675 views • 28 slides
Combinatory Categorial Grammar The effort to develop natural language grammars and

Combinatory Categorial Grammar The effort to develop natural language grammars and

Combinatory Categorial Grammar Goal Mildly-context sensitive grammar framework, with provable polynomial parseability To present the intuitions behind Combinatory Categorial Grammar as a framework for relating the structure of a linguistic

280 views • 13 slides
uf: Minimizing the Coq Extraction TCB Eric Mullen , Stuart Pernsteiner, James Wilcox, Zachary

uf: Minimizing the Coq Extraction TCB Eric Mullen , Stuart Pernsteiner, James Wilcox, Zachary

uf: Minimizing the Coq Extraction TCB Eric Mullen , Stuart Pernsteiner, James Wilcox, Zachary Tatlock, Dan Grossman 1 Extraction 2 Extraction K coq 2 Extraction K coq 2 Extraction K coq Extraction 2 Extraction K coq Extraction K

1.3k views • 106 slides
Grammar A grammar consists of the following: CS 3813: Introduction to Formal a set of

Grammar A grammar consists of the following: CS 3813: Introduction to Formal a set of

Grammar A grammar consists of the following: CS 3813: Introduction to Formal a set of terminals (same as an alphabet) Languages and Automata a set NT of nonterminal symbols, including a starting symbol S NT a set R of

426 views • 4 slides
Grammar Formalisms: C-structures are represented with trees. Lexical Functional Grammar (LFG)

Grammar Formalisms: C-structures are represented with trees. Lexical Functional Grammar (LFG)

Kallmeyer/Lichte/Maier Grammar Formalisms Kallmeyer/Lichte/Maier Grammar Formalisms Principle ideas of LFG (1) Lexical Functional Grammar (Kaplan & Bresnan, 1982): One level of constituent structure, c-structure, non-transformational.

524 views • 6 slides

More recommend