Writing Parsers Like it is 2017

Chifflier, Pierre; Couprie, Geoffroy

doi:10.1109/spw.2017.39

Cited by 7 publications

(6 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…3. In our evaluation, we also show that our approach is applicable in contexts in which no usable data flow of input fragments to variables exists, as well as for advanced parsers such as PEG parsers and parser combinators which make the state of the art for writing secure parsers [8]. None of these is possible with Autogram, again extending the state of the art.…”

Section: Introductionmentioning

confidence: 87%

“…When compared against learning from dynamic data flows (so far the only approach for inference of human-readable grammars), we found our approach to be superior in both precision and recall. (3) In our evaluation, we also show that our approach is applicable in contexts in which no usable data flow of input fragments to variables exists such as modern parsing techniques like parser combinators which make the state of the art for writing secure parsers [17,19].…”

Section: Introductionmentioning

confidence: 93%

“…While the large majority of parsers is written by hand in the traditional recursive descent approach [41], another parsing technique has become popular recently. Parser combinators [19] are recommended over parser generators due to the various inflexibilities such as handling ambiguities, context-sensitive features [38], and bad error messages [35] 7 when using parser generators. Indeed, parser combinators are often recommended [17] as recognizers where no usable dataflow to unique variables exist.…”

Section: Rq 3 Modern Parsing Techniquesmentioning

confidence: 99%

See 2 more Smart Citations

Mining input grammars from dynamic control flow

Gopinath

Mathis

Zeller

2020

Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Softw

View full text Add to dashboard Cite

A program is characterized by its input model, and a formal input model can be of use in diverse areas including vulnerability analysis, reverse engineering, fuzzing and software testing, clone detection and refactoring. Unfortunately, input models for typical programs are often unavailable or out of date. While there exist algorithms that can mine the syntactical structure of program inputs, they either produce unwieldy and incomprehensible grammars, or require heuristics that target specific parsing patterns.In this paper, we present a general algorithm that takes a program and a small set of sample inputs and automatically infers a readable context-free grammar capturing the input language of the program. We infer the syntactic input structure only by observing access of input characters at different locations of the input parser. This works on all program stack based recursive descent input parsers, including PEG and parser combinators, and can do entirely without program specific heuristics. Our Mimid prototype produced accurate and readable grammars for a variety of evaluation subjects, including expr, URLparse, and microJSON.

show abstract

Section: Introductionmentioning

confidence: 87%

Section: Introductionmentioning

confidence: 93%

Section: Rq 3 Modern Parsing Techniquesmentioning

confidence: 99%

See 1 more Smart Citation

Mining input grammars from dynamic control flow

Gopinath

Mathis

Zeller

2020

Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Softw

View full text Add to dashboard Cite

show abstract

“…In practical terms, systems programming languages with an emphasis on memory safety and strict typing are particularly useful for testing the security of new protocols [5]. For this reason, our prototype generates Rust code, with parsers using the nom parser combinator library [6].…”

Section: Parser Generatorsmentioning

confidence: 99%

Parsing Protocol Standards to Parse Standard Protocols

McQuistin

Band

Jacob

et al. 2020

Proceedings of the Applied Networking Research Workshop

View full text Add to dashboard Cite

show abstract

“…A possible angle to address this problem is to rely on development-stage abstractions providing secure constructs, such as parser generators and parser combinators [7,20,28]. While effective, such solutions are only applicable to software for which the source code is available.…”

Section: Introductionmentioning

confidence: 99%

A Binary Analysis Approach to Retrofit Security in Input Parsing Routines

Menon

Hauser

Shoshitaishvili³

et al. 2018

2018 IEEE Security and Privacy Workshops (SPW)

View full text Add to dashboard Cite

In spite of numerous attempts to mitigate memory corruption vulnerabilities in low-level code over the years, those remain the most common vector of software exploitation today. A common cause of such vulnerabilities is the presence of errors in string manipulation, which are often found in input parsers, where the format of input data is verified and eventually converted into an internal program representation. This process, if done manually in an ad-hoc manner, is error prone and easily leads to unsafe and potentially exploitable behavior. While principled approaches to input validation exist, such as those based on parser generators (e.g., Lex [20] and Ragel [28]), these require a formalization of the input grammar, which is not always a straightforward process and tends to dissuade programmers. As a result, a large portion of input parsing routines as found in commodity software is still implemented in an ad-hoc way, causing numerous security issues. We propose to address this problem from a post-development perspective, by targeting software presenting security risks in opaque, closed-source environments where software components have already been deployed and integrated, and where re-implementation is not an option (e.g., as part of an embedded device's proprietary firmware). Our system is able to effectively detect vulnerability patterns in binary software and to retrofit security mechanisms preventing exploitation. In a semi-automated setting, it was able to discover an unknown security bug.

show abstract

Writing Parsers Like it is 2017

Cited by 7 publications

References 3 publications

Mining input grammars from dynamic control flow

Mining input grammars from dynamic control flow

Parsing Protocol Standards to Parse Standard Protocols

A Binary Analysis Approach to Retrofit Security in Input Parsing Routines

Contact Info

Product

Resources

About