Caradoc: A Pragmatic Approach to PDF Parsing and Validation

Endignoux, Guillaume; Levillain, Olivier; Migeon, Jean-Yves

doi:10.1109/spw.2016.39

Cited by 17 publications

(7 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Caradoc [22] is an exception to the above. Endignoux et al focus on weaknesses in the PDF standard related to document structure.…”

Section: Static Pdf Malware Detectionmentioning

confidence: 94%

“…In the following paragraph, we briefly introduce the PDF format, focusing only on elements that are relevant to code extraction. We refer the interested reader to [22] for an extensive description of the Portable Document Format (PDF). For code extraction purposes, the four most important elements of the PDF syntax are: (1) direct objects, which are the basic building blocks of a PDF; (2) indirect objects, which are uniquely identified, and can be referenced from elsewhere in the document; (3) cross-reference tables, which contain the positions of objects in the file; and (4) content streams, which store various parts of the document content.…”

Section: Pre-processing Step: Extractionmentioning

confidence: 99%

See 1 more Smart Citation

SAFE-PDF: Robust Detection of JavaScript PDF Malware Using Abstract Interpretation

Jordan,

Gauthier,

Hassanshahi

et al. 2018

Preprint

View full text Add to dashboard Cite

The popularity of the PDF format and the rich JavaScript environment that PDF viewers offer make PDF documents an attractive attack vector for malware developers. PDF documents present a serious threat to the security of organizations because most users are unsuspecting of them and thus likely to open documents from untrusted sources.We propose to identify malicious PDFs by using conservative abstract interpretation to statically reason about the behavior of the embedded JavaScript code. Currently, state-of-the-art tools either: (1) statically identify PDF malware based on structural similarity to known malicious samples; or (2) dynamically execute the code to detect malicious behavior. These two approaches are subject to evasion attacks that mimic the structure of benign documents or do not exhibit their malicious behavior when being analyzed dynamically. In contrast, abstract interpretation is oblivious to both types of evasions. A comparison with two state-of-the-art PDF malware detection tools shows that our conservative abstract interpretation approach achieves similar accuracy, while being more resilient to evasion attacks.

show abstract

“…Caradoc [22] is an exception to the above. Endignoux et al focus on weaknesses in the PDF standard related to document structure.…”

Section: Static Pdf Malware Detectionmentioning

confidence: 94%

Section: Pre-processing Step: Extractionmentioning

confidence: 99%

SAFE-PDF: Robust Detection of JavaScript PDF Malware Using Abstract Interpretation

Jordan,

Gauthier,

Hassanshahi

et al. 2018

Preprint

View full text Add to dashboard Cite

show abstract

“…Prior work has developed tools to address these difficulties. For example, Nail [Bangert and Zeldovich 2014] is a tool to generate secure data parsers based on a specification, and Caradoc [Endignoux et al 2016] is a secure PDF parser and validator. BIEBER, in contrast to Nail, does not require the user to write a specification to build a secure parser, but rather infers a parser from the original application's executions and generates safe-by-construction code.…”

Section: Secure Parsersmentioning

confidence: 99%

Inferring Drop-in Binary Parsers from Program Executions

Dang,

Cambronero,

Rinard

2021

Preprint

View full text Add to dashboard Cite

We present BIEBER (Byte-IdEntical Binary parsER), the first system to model and regenerate a full working parser from instrumented program executions. To achieve this, BIEBER exploits the regularity (e.g., header fields and array-like data structures) that is commonly found in file formats. Key generalization steps derive strided loops that parse input file data and rewrite concrete loop bounds with expressions over input file header bytes. These steps enable BIEBER to generalize parses of specific input files to obtain parsers that operate over input files of arbitrary size. BIEBER also incrementally and efficiently infers a decision tree that reads file header bytes to route input files of different types to inferred parsers of the appropriate type. The inferred parsers and decision tree are expressed in an intermediate language that is independent of the original program; separate backends (C and Perl in our prototype) can translate the intermediate representation into the same language as the original program (for a safer drop-in replacement), or automatically port to a different language. An empirical evaluation shows that BIEBER can successfully regenerate parsers for six file formats (waveform audio [1654 files], MT76x0 .BIN firmware containers [5 files], OS/2 1.x bitmap images [9 files], Windows 3.x bitmaps [9971 files], Windows 95/NT4 bitmaps [133 files], and Windows 98/2000 bitmaps [859 files]), correctly parsing 100% (≥ 99.98% when using standard held-out cross-validation) of the corresponding corpora. The regenerated parsers contain automatically inserted safety checks that eliminate common classes of errors such as memory errors. We find that BIEBER can help reverse-engineer file formats, because it automatically identifies predicates for the decision tree that relate to key semantics of the file format. We also discuss how BIEBER helped us detect and fix two new bugs in stb_image as well as independently rediscover and fix a known bug.

show abstract

“…This will also involve defining a safe PDF subset. Preliminary work has demonstrated that it is feasible to develop provably safe and correct parsers for relatively simple and well-understood subsets of practical formats, including PDF [9]. A subsetting tool will be essential in ensuring that such tools can be applied to parse PDF's as they exist in the wild.…”

Section: B Transforming Documents To Subsetsmentioning

confidence: 99%

Research Report: ICARUS: Understanding De Facto Formats by Way of Feathers and Wax

Cowger

Lee

Schimanski

et al. 2020

2020 IEEE Security and Privacy Workshops (SPW)

View full text Add to dashboard Cite

When a data format achieves a significant level of adoption, the presence of multiple format implementations expands the original specification in often-unforeseen ways. This results in an implicitly defined, de facto format, which can create vulnerabilities in programs handling the associated data files. In this paper we present our initial work on ICARUS: a toolchain for dealing with the problem of understanding and hardening de facto file formats. We show the results of our work in progress in the following areas: labeling and categorizing a corpora of data format samples to understand accepted variations of a format; the detection of sublanguages within the de facto format using both entropy-and taint-tracking-based methods, as a means of breaking down the larger problem of learning how the grammar has evolved; grammar inference via reinforcement learning, as a means of tying together the learned sublanguages; and the defining of both safe subsets of the de facto grammar, as well as translations from unsafe regions of the de facto grammar into safe regions. Real-world data formats evolve as they find use in real-world applications, and a comprehensive ICARUS toolchain for understanding and hardening the resulting de facto formats can identify and address security risks arising from this evolution. 327 2020 Symposium on Security and Privacy Workshops (SPW)

show abstract

Caradoc: A Pragmatic Approach to PDF Parsing and Validation

Cited by 17 publications

References 30 publications

SAFE-PDF: Robust Detection of JavaScript PDF Malware Using Abstract Interpretation

SAFE-PDF: Robust Detection of JavaScript PDF Malware Using Abstract Interpretation

Inferring Drop-in Binary Parsers from Program Executions

Research Report: ICARUS: Understanding De Facto Formats by Way of Feathers and Wax

Contact Info

Product

Resources

About