The Pitfalls of Protocol Design: Attempting to Write a Formally Verified PDF Parser

2014 IEEE Security and Privacy Workshops Pub Date : 2014-05-17 DOI:10.1109/SPW.2014.36

Andreas Bogk, Marco Schopl

{"title":"The Pitfalls of Protocol Design: Attempting to Write a Formally Verified PDF Parser","authors":"Andreas Bogk, Marco Schopl","doi":"10.1109/SPW.2014.36","DOIUrl":null,"url":null,"abstract":"Parsers for complex data formats generally present a big attack surface for input-driven exploitation. In practice, this has been especially true for implementations of the PDF data format, as witnessed by dozens of known vulnerabilities exploited in many real world attacks, with the Acrobat Reader implementation being the main target. In this report, we describe our attempts to use Coq, a theorem prover based on a functional programming language making use of dependent types and the Curry-Howard isomorphism, to implement a formally verified PDF parser. We ended up implementing a subset of the PDF format and proving termination of the combinator-based parser. Noteworthy results include a dependent type representing a list of strictly monotonically decreasing length of remaining symbols to parse, which allowed us to show termination of parser combinators. Also, difficulties showing termination of parsing some features of the PDF format readily translated into denial of service attacks against existing PDF parsers-we came up with a single PDF file that made all the existing PDF implementations we could test enter an endless loop.","PeriodicalId":142224,"journal":{"name":"2014 IEEE Security and Privacy Workshops","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2014-05-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"5","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2014 IEEE Security and Privacy Workshops","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SPW.2014.36","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 5

Abstract

Parsers for complex data formats generally present a big attack surface for input-driven exploitation. In practice, this has been especially true for implementations of the PDF data format, as witnessed by dozens of known vulnerabilities exploited in many real world attacks, with the Acrobat Reader implementation being the main target. In this report, we describe our attempts to use Coq, a theorem prover based on a functional programming language making use of dependent types and the Curry-Howard isomorphism, to implement a formally verified PDF parser. We ended up implementing a subset of the PDF format and proving termination of the combinator-based parser. Noteworthy results include a dependent type representing a list of strictly monotonically decreasing length of remaining symbols to parse, which allowed us to show termination of parser combinators. Also, difficulties showing termination of parsing some features of the PDF format readily translated into denial of service attacks against existing PDF parsers-we came up with a single PDF file that made all the existing PDF implementations we could test enter an endless loop.

查看原文本刊更多论文

协议设计的陷阱:尝试编写一个正式验证的PDF解析器

复杂数据格式的解析器通常为输入驱动的攻击提供了很大的攻击面。在实践中，PDF数据格式的实现尤其如此，正如在许多现实世界的攻击中利用的数十个已知漏洞所证明的那样，Acrobat Reader实现是主要目标。在本报告中，我们描述了使用Coq的尝试，Coq是一种基于函数式编程语言的定理证明器，它利用依赖类型和Curry-Howard同构来实现正式验证的PDF解析器。我们最终实现了PDF格式的一个子集，并证明了基于组合器的解析器的终止。值得注意的结果包括一个表示待解析的剩余符号长度严格单调递减的列表的依赖类型，它允许我们显示解析器组合子的终止。此外，显示PDF格式的某些特性解析终止的困难很容易转化为针对现有PDF解析器的拒绝服务攻击——我们提出了一个PDF文件，使我们可以测试的所有现有PDF实现进入一个无限循环。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2014 IEEE Security and Privacy Workshops

自引率

0.00%

发文量