8 research outputs found

    Protecting Systems From Exploits Using Language-Theoretic Security

    Any computer program processing input from the user or network must validate the input. Input-handling vulnerabilities occur in programs when the software component responsible for filtering malicious input---the parser---does not perform validation adequately. Consequently, parsers are among the most targeted components since they defend the rest of the program from malicious input. This thesis adopts the Language-Theoretic Security (LangSec) principle to understand what tools and research are needed to prevent exploits that target parsers. LangSec proposes specifying the syntactic structure of the input format as a formal grammar. We then build a recognizer for this formal grammar to validate any input before the rest of the program acts on it. To ensure that these recognizers represent the data format, programmers often rely on parser generators or parser combinator tools to build the parsers. This thesis propels several sub-fields in LangSec by proposing new techniques to find bugs in implementations, novel categorizations of vulnerabilities, and new parsing algorithms and tools to handle practical data formats. To this end, this thesis comprises five parts that tackle various tenets of LangSec. First, I categorize various input-handling vulnerabilities and exploits using two frameworks. First, I use the mismorphisms framework to reason about vulnerabilities. This framework helps us reason about the root causes leading to various vulnerabilities. Next, we built a categorization framework using various LangSec anti-patterns, such as parser differentials and insufficient input validation. Finally, we built a catalog of more than 30 popular vulnerabilities to demonstrate the categorization frameworks. Second, I built parsers for various Internet of Things and power grid network protocols and the iccMAX file format using parser combinator libraries. The parsers I built for power grid protocols were deployed and tested on power grid substation networks as an intrusion detection tool. The parser I built for the iccMAX file format led to several corrections and modifications to the iccMAX specifications and reference implementations. Third, I present SPARTA, a novel tool I built that generates Rust code that type checks Portable Data Format (PDF) files. The type checker I helped build strictly enforces the constraints in the PDF specification to find deviations. Our checker has contributed to at least four significant clarifications and corrections to the PDF 2.0 specification and various open-source PDF tools. In addition to our checker, we also built a practical tool, PDFFixer, to dynamically patch type errors in PDF files. Fourth, I present ParseSmith, a tool to build verified parsers for real-world data formats. Most parsing tools available for data formats are insufficient to handle practical formats or have not been verified for their correctness. I built a verified parsing tool in Dafny that builds on ideas from attribute grammars, data-dependent grammars, and parsing expression grammars to tackle various constructs commonly seen in network formats. I prove that our parsers run in linear time and always terminate for well-formed grammars. Finally, I provide the earliest systematic comparison of various data description languages (DDLs) and their parser generation tools. DDLs are used to describe and parse commonly used data formats, such as image formats. Next, I conducted an expert elicitation qualitative study to derive various metrics that I use to compare the DDLs. I also systematically compare these DDLs based on sample data descriptions available with the DDLs---checking for correctness and resilience

    On Session Languages

    The LangSec approach defends against crafted input attacks by defining a formal language specifying correct inputs and building a parser that decides that language. However, each successive input is not necessarily in the same basic language---e.g., most communication protocols use formats that depend on values previously received, or on some other additional context. When we try to use LangSec in these real-world scenarios, most parsers we write need additional mechanisms to change the recognized language as the execution progresses. This paper discusses approaches researchers have previously taken to build parsers for such protocols and provides formal descriptions of new sets of languages that could be considered to be a sequence of languages, instead of a single language describing an entire protocol---thus bringing LangSec theory closer to practice

    PhasorSec: Protocol Security Filters for Wide Area Measurement Systems

    The addition of synchrophasors to the power grid to improve observability comes at the cost of an increased attack surface: the wide area measurement system. A common source of zero-days that can be used to exploit the system is improper input validation. The strict availability and timing requirements of the grid make it critical that input validation be done right and in a timely fashion. PhasorSec is a hardened security filter for the synchrophasor communication protocol, C37.118. PhasorSec is built using language-theoretic principles, which treat all input as a language with a specific grammar that defines what input must be accepted. An open-source version of the prototype is provided, and evaluation in terms of CPU time shows that it is possible to meet the strict latency requirements. Experiments also demonstrate its effectiveness against the state-of-the-art AFL fuzzer

    Long-term efficacy and safety of verteporfin photodynamic therapy in combination with anti-vascular endothelial growth factor for polypoidal choroidal vasculopathy

    Purpose: The aim of the study was to analyze the outcomes of photodynamic therapy (PDT) with intravitreal anti-vascular endothelial growth factor (anti-VEGF) for patients with polypoidal choroidal vasculopathy (PCV) having visual acuity (VA) better than 20/60 in a real-world scenario in India. Methods: Retrospective review of 42 eyes of 40 patients (mean age 64.3 years) with best-corrected VA (BCVA) 20/60 or better and mean follow-up of 40 months (median 38 months; range 12–71 months) treated with PDT and anti-VEGF or triamcinolone for indocyanine green angiography (ICGA)-proven subfoveal PCV. Results: Mean BCVA improved from 0.22 logMAR at baseline to 0.15 at last visit (P < 0.001). On ICGA, polyp was observed in 42 eyes (100%) and branching vascular network (BVN) in 37 eyes (88.1%). Polyp regressed in 33 (78.6%) of 42 eyes and BVN in 26 (70.3%) of 37 eyes after combined therapy at 3 months. Mean greatest linear diameter reduced significantly (P < 0.001) from 7.22 mm to 4.11 mm. Standard-fluence PDT was performed in 35 eyes and reduced-fluence in 7 eyes. The mean number of PDT was 1.17 with mean number of injections being 6.38 at the end of follow-up. In five eyes, more than one PDT was administered. Of 42 eyes, 40 showed complete resolution of serous macular detachment (SMD) after the combined therapy at 3 months; 17 (42.5%) of the 40 eyes showed no recurrence of fluid on spectral domain optical coherence tomography till the last visit with a mean follow-up of 27 months. On long-term follow-up, SMD reoccurred in 23 eyes with a mean follow-up period of 9.64 ± 5.24 months. Of 38 eyes having a double-layer sign (DLS) on optical coherence tomography at baseline, 37 eyes had regression of the DLS, that is, it either reduced or resolved at the final visit. At the final visit, 66.7% (P < 0.001) of eyes had a fluid-free retina. No complication of subretinal hemorrhage was noted. Of the 42 eyes, only one eye had BCVA worse than 20/60 on the final visit. Conclusion: To the best of our knowledge, this is the first study to look into the long-term effect of combined PDT with anti-VEGF in PCV in eyes having good VA. Long-term effect of combined PDT appears to be a safe and effective treatment for PCV in eyes having good VA with better outcomes in a real-world setting. This study further strengthens the superiority of the combined treatment modality for treatment of subfoveal PCV with no or minimal risk of complication on long-term follow-up
