Vulnerability Extrapolation Give me more bugs like that Blackhat Briefings Fabian fabs Yamaguchi Recurity Labs GmbH, Germany
|
|
- Patience Price
- 6 years ago
- Views:
Transcription
1 Vulnerability Extrapolation Give me more bugs like that Blackhat Briefings 2011 Fabian fabs Yamaguchi Recurity Labs GmbH, Germany
2 Agenda Patterns you find when auditing code Exploiting these patterns: Vulnerability Extrapolation Using machine learning to get there A method to assist in manual code audits based on this idea The method in practice A detailed showcase
3 Exploring a new code base Like an area of mathematics you don t yet know. It s not completely different from the mathematics you already know. But there are secrets specific to this area: Vocabulary Reoccurring patterns in argumentation Weird tricks used in proofs Understanding the specifics of the area makes it a lot easier to reason about it.
4 It s also a lot like DOOM Dropped into some code-base, no idea where you are Only a handgun to begin with Secrets of this particular.wad matter! Where do I get weapons around here? Effective ways of killing these monsters?
5 It s all the same -attitude Let s not be too romantic about what we do: Things tend to break in the same way over and over again. Think of how you automatically stop scrolling whenever you see sprintf. Or those lists of dangerous functions used by old-school tools like RATS, ITS4 and flawfinder. The method employs heuristics.
6 Or think of the success of fuzzers Fuzzers use patterns in input that will get many targets very upset. Often very effective. Why? Because things tend to break in the same way over and over again. Try giving it a lemon.
7 or Taint Propagation Example: Monitor flow of integer from read to malloc, detect unsafe operations and monitor if integer is ever checked. API usage patterns, we ve seen blow up again and again. Taint Sources Operations Taint Sinks
8 Overfished These methods are too generic. They find what people screw up in most applications. And that s also what most people have looked at in the application.
9 Specifics matter! For software that people actually care about, you can be sure all the lowhanging fruit is gone. grep ing for memcpy : not much of a strategy anymore. Why? Because that s what the last 100 people did before you came along. It is no longer optional to learn about the specifics of the code base!
10 Which is why manual audits are so successful Because auditors find the weak programming patterns used in this application. Find the interfaces that are causing trouble in this application! Find the secrets in this.wad! (Seriously, there was a ghostbusters.wad)
11 An example Poppler (CVE ) s ta tic c a iro _ s u rfa c e _ t * c re a te _ s u rfa c e _ fro m _ th u m b n a il_ d a ta ( g u c h a r * d a ta, g in t w id th, g in t h e ig h t, g in t ro w s trid e ) { g u c h a r * c a iro _ p ix e ls ; c a iro _ s u rfa c e _ t * s u rfa c e ; s ta tic c a iro _ u s e r_ d a ta _ k e y _ t key; in t j; c a iro _ p ix e ls = ( g u c h a r *)g_ m a llo c ( 4 * w id th * h e ig h t); s u rfa c e = c a iro _ im a g e _ s u rfa c e _ c re a te _ fo r_ d a ta ((unsigned c h a r *) c a iro _ p ix e ls, C A IR O _ F O R M A T _ R G B 2 4, w id th, h e ig h t, 4 * w id th ); c a iro _ s u rfa c e _ s e t_ u s e r_ d a ta ( s u rfa c e, & key, c a iro _ p ix e ls, ( c a iro _ d e s tro y _ fu n c _ t) g _ fre e ); [..] r e tu r n s u rfa c e ;
12 Do you see the bugs? The integer overflow is obvious. The missing check, not so much. You need to know the API to see this! /* This function always returns a valid pointer, but it will return a * pointer to a "nil" surface in the case of an error such as out of * memory or an invalid stride value. In case of invalid stride value * the error status of the returned surface will be * %CAIRO_STATUS_INVALID_STRIDE. You can use * cairo_surface_status() to check for this. */
13 Evince Bug, silently fixed. s ta tic c a iro _ s u rfa c e _ t * d jv u _ d o c u m e n t_ re n d e r ( E v D o c u m e n t * d o c u m e n t, E v R e n d e rc o n te x t * rc) { [..] # ifd e f H A V E _ C A IR O _ F O R M A T _ S T R ID E _ F O R _ W ID T H row stride = cairo_form at_stride_for_w idth (CAIRO_FORM AT_RGB24, p a g e _ w id th ); # e ls e ro w s trid e = p a g e _ w id th * 4 ; # e n d if p ix e ls = ( g c h a r *) g _ m a llo c ( p a g e _ h e ig h t * ro w s trid e ); s u rfa c e = c a iro _ im a g e _ s u rfa c e _ c re a te _ fo r_ d a ta ((guchar *)pixels, C A IR O _ F O R M A T _ R G B 2 4, p a g e _ w id th, p a g e _ h e ig h t, ro w s trid e ); c a iro _ s u rfa c e _ s e t_ u s e r_ d a ta ( s u rfa c e, & key, p ix e ls, ( c a iro _ d e s tro y _ fu n c _ t) g _ fre e ); [..] r e tu r n s u rfa c e ; version
14 A simple case This case is simple, because the APIsymbols, which lead to these two bugs were exactly the same. But does that have to be the case?
15 Another Example: libtiff CVE CVE s ta tic in t T IF F F e tc h S h o rtp a ir ( T IF F * tif, T IF F D ire n try * d ir) { s w itc h ( d ir->tdir_ ty p e ) { c a s e T IF F _ B Y T E : c a s e T IF F _ S B Y T E : { u in t8 v [ 4 ]; r e tu r n T IF F F e tc h B y te A rra y ( tif, d ir, v ) && T IF F S e tf ie ld ( tif, d ir->tdir_ ta g, v [ 0 ], v [ 1 ]); c a s e T IF F _ S H O R T : c a s e T IF F _ S S H O R T : { u in t1 6 v [ 2 ]; r e tu r n T IF F F e tc h S h o rta rra y ( tif, d ir, v ) && T IF F S e tf ie ld ( tif, d ir->tdir_ ta g, v [ 0 ], v [ 1 ]); d e fa u lt : r e tu r n 0 ;
16 Another Example: libtiff CVE CVE s ta tic in t T IF F F e tc h S u b je c td is ta n c e ( T IF F * tif, T IF F D ire n try * d ir) s ta tic in t { T IF F F e tc h S h o rtp a ir ( T IF F * tif, TuIF in F Dt3 ire2 n try l[ 2 *]; d ir) { flo a t v ; in t ok = 0 ; s w itc h ( d ir->tdir_ ty p e ) { c a s e T IF F _ B Y T E : c a s e T IF F _ S B Y T E : if ( T IF F F e tc h D a ta ( tif, d ir, ( c h a r *)l) { u in t8 v [ 4 ]; && c v tr a tio n a l( tif, d ir, l[ 0 ], l[ 1 ], & v )) { r e tu r n T IF F F e tc h B y te/* A rra y ( tif, d ir, v ) && T IF F S e tf ie * ld XXX: ( tif, dn ir->td um erator ir_ ta g 0xFFFFFFFF, v [ 0 ], v [ 1 ]); m eans that we have infinite * distance. Indicate that with a negative floating point c a s e T IF F _ S H O R T : * SubjectDistance value. c a s e T IF F _ S S H O R T : */ { ok = T IF F S e tf ie ld ( tif, d ir->tdir_ ta g, u in t1 6 v [ 2 ]; ( l[ 0 ]!= 0 x F F F F F F F F )? v : - v ); r e tu r n T IF F F e tc h S h o rta rra y ( tif, d ir, v ) && T IF F S e tf ie ld ( tif, d ir->tdir_ ta g, v [ 0 ], v [ 1 ]); d e fa u lt : r e tu r n ok; r e tu r n 0 ;
17 LibTIFF: Bug Analysis TIFFFetchShortArray is actually a wrapper around TIFFFetchData. The two are pretty much synonyms. These functions are part of an API local to libtiff. Badly designed API: the amount of data to be copied into the buffer is passed in one of the fields of the dir-structure and not explicitly! Developers missed this in both cases and it s hard to blame them.
18 The times of grep memcpy./*.c may be over. But that does not mean patterns of API use that lead to vulnerabilities no longer exist!
19 Vulnerability Extrapolation Given a function known to be vulnerable, determine functions similar to this one in terms of application-specific API usage patterns. Why? Because these are most likely to contain another incarnation of this bug. Why? Because developers tend to make the same mistakes over and over and over again. Especially if motivated by a bad API. Vulnerability Extrapolation exploits the information leak you get every time a vulnerability is disclosed!
20 What needs to be done We need to be able to determine how similar functions are in terms of these programming patterns. We need to find a way to extract these programming patterns from a code-base in the first place. How do we do that?
21 Similarity A decomposition Decomposition into shape and rotation: If rotation is just a detail, these are pretty similar. Signal Processing: Decomposition into components of different frequencies: Noise is suspected to be of high frequency while the signal is of lower frequency. In Face-Recognition, faces are decomposed into weighted sums of commonly found patterns + a noise-term.
22 Signal and Noise Checking if two things are similar always requires a decomposition into The big picture and the details or signal and noise. In general, if the big picture is the same and only the details differ, things are pretty similar. What s signal and what s noise depends on the problem you re dealing with.
23 Decomposing Code s ta tic in t T IF F F e tc h S u b je c td is ta n c e ( T IF F * tif, T IF F D ire n try * d ir) { detail u in t3 2 l[ 2 ]; flo a t v ; in t ok = 0 ; if ( T IF F F e tc h D a ta ( tif, d ir, ( c h a r *)l) && c v tr a tio n a l( tif, d ir, l[ 0 ], l[ 1 ], & v )) { /* * XXX: N um erator 0xFFFFFFFF m eans that we have infinite * distance. Indicate that with a negative floating point * SubjectDistance value. */ r e tu r n ok; Big picture ok = T IF F S e tf ie ld ( tif, d ir->td ir_ ta g, ( l[ 0 ]!= 0 x F F F F F F F F )? v : - v ); Function = Dominant Pattern + Noise Once you know a code-base, you start to decompose automatically: Dominant patterns of API use: Some FetchData- Function followed by TIFFSetField Symbols occurring in this function but not necessarily in any of the other functions employing the pattern
24 Think of it as zooming out Increasing level of detail/frequency s ta tic in t T IF F F e tc h S u b je c td is ta n c e ( T IF F * tif, T IF F D ire n try * d ir) { u in t3 2 l[ 2 ]; flo a t v ; in t ok = 0 ; Decreasing dominance of pattern if ( T IF F F e tc h D a ta ( tif, d ir, ( c h a r *)l) && c v tr a tio n a l( tif, d ir, l[ 0 ], l[ 1 ], & v )) { /* * XXX: N um erator 0xFFFFFFFF m eans that we have infinite * distance. Indicate that with a negative floating point * SubjectDistance value. */ ok = T IF F S e tf ie ld ( tif, d ir->tdir_ ta g, ( l[ 0 ]!= 0 x F F F F F F F F )? v : - v ); Usage Pattern Usage Pattern Usage Pattern r e tu r n ok; Linear approximation of each function by the most dominant API usage patterns of the code-base it is contained in!
25 Extracting dominant patterns How do we identify the most dominant API usage patterns of a code-base? How do other fields identify dominant patterns in their data?
26 Principal Component Analysis in Face Recognition Images have a natural vectorial representation. Each image can be interpreted as a $numberofpixelsdimensional vector. Directions in this space correspond to dependencies among pixels. Brightness of first pixel of second pixel of last pixel A set of images can be represented by a set of vectors.
27 Images with two pixels Brightness of Pixel 2 Brightness of Pixel 1 The most dominant pattern: Either both pixels light up, or both don t. As opposed to, for example, either pixel 1 lights up and pixel 2 doesn t and vice versa. Geometrically, this corresponds to the direction where the data varies most. In other words, if you were to project onto the red vector, you d best describe the data with a single dimension.
28 We can make direct use of this! Directions of highest variance correspond to dominant patterns in the data. These correspond to the eigenvectors of the data covariance matrix. A singular value decomposition can be used to obtain these. Let s make use of this to determine dominant API usage patterns!
29 Mapping code to the vector space Describe functions by the API-symbols they contain. API-symbols are extracted using a fuzzy parser. Each API-symbol is associated with a dimension. func1(){ int *ptr = malloc(64); fetcharray(pb, ptr);
30 Approximation of functions by most dominant API usage patterns! PCA implemented by truncated Singular Value Decomposition. Directions of highest variance Strength of pattern on diagonal Representation of functions in terms of these dominant patterns
31 A closer look at the decomposition Data Matrix (Contains all function-vectors) Strength of pattern Each column of U is a dominant pattern. Each row is a representation of an API-symbol in terms of the most dominant patterns Representation of functions in terms of the most dominant patterns
32 In summary
33 A toy problem to gain an intuition Group 1 v o id g u if u n c 1 ( G tk W id g e t * w id g e t) { in t j; g u i_ m a k e _ w in d o w ( w id g e t); G tk B u tto n * b u tto n ; b u tto n = g u i_ n e w _ b u tto n (); g u i_ s h o w _ w in d o w (); v o id g u if u n c 2 ( G tk W id g e t * w id g e t) { g u i_ m a k e _ w in d o w ( w id g e t); G tk B u tto n * m y B u tto n ; b u tto n 1 = g u i_ n e w _ b u tto n (); b u tto n 2 = g u i_ n e w _ b u tto n (); b u tto n 3 = g u i_ n e w _ b u tto n (); fo r ( in t i = 10; i!= i; i++) d o _ g u i_ s tu ff();
34 Group2 v o id n e tf u n c 1 () { in t fd; in t i = 0 ; s tru c t s o c k a d d r_ in in; fd = s o c k e t( a rg u m e n ts ); re c v ( fd, m o re A rg u m e n ts ); v o id n e tf u n c 2 () { in t fd; s t r u c t s o c k a d d r_ in in; h o s te n t h o s t; fd = s o c k e t( a rg u m e n ts ); re c v ( fd, m o re A rg u m e n ts ); g e th o s tb y n a m e ( h o s t) if( c o n d itio n ){ i++; s e n d ( fd, i, a rg ); s e n d ( fd, i, a rg ); c lo s e ( fd); if( c o n d itio n ){ in t i = 0 ; i++; s e n d ( fd, i, a rg ); c lo s e ( fd);
35 Group 3 v o id lis tf u n c 1 ( in t e le m ) { G L is t m y L is t; if(! lis t_ c h e c k ( m y L is t)){ d o _ lis t_ e rro r_ s tu ff(); r e tu r n ; lis t_ a d d ( m y L is t, e le m ); v o id lis tf u n c 2 ( in t e le m ) { G L is t m y L is t; if(! lis t_ c h e c k ( m y L is t)){ d o _ lis t_ e rro r_ s tu ff(); r e t u r n ; lis t_ re m o v e ( m y L is t, e le m ); lis t_ d e le te ( m y L is t);
36 Projection onto the first two principal components Core API Functions Occurs in this context but does not constitute the pattern
37 We get a lot more than just a method to extrapolate! We get a projection of all functions and API symbols into a space where API symbols constituting a pattern are close to one another. functions using the same pattern are close to one another. functions are close to the dominant API symbols of their most dominant patterns. You can browse code in this space.
38 But visualization isn t the way to go for real code-bases ;)
39 It turns out tables don t look as fancy but are a lot more useful. At least if the visualization you re doing is as bare-bones as the one just shown. Let s browse FFmpeg.
40 DecodingContexts: Synonyms Decoders in FFmpeg form a group of functions related by API use. Each decoder has its own decoding-context. They are thus noise - terms to be found at a similar angle. foo
41 String-API in FFMpeg foo foo
42 Functions similar to function - Vulnerability Extrapolation Take a function that used to be vulnerable as an input. Measure distances to other functions to determine those functions, which are most similar. Let s try that for FFmpeg.
43 Original bug: CVE s ta tic in t flic _ d e c o d e _ fra m e _ 8 B P P ( A V C o d e c C o n te x t * a v c tx, v o id * d a ta, in t * d a ta _ s iz e, c o n s t u in t8 _ t * b u f, in t b u f_ s iz e ) { [..] p ix e ls = s - > fr a m e.d a ta [ 0 ] ; [..] c a s e F L I_ D E L T A : y _ p tr = 0 ; c o m p re s s e d _ lin e s = A V _ R L 1 6 (&buf[ s tre a m _ p tr]); s tre a m _ p tr += 2 ; w h ile ( c o m p re s s e d _ lin e s > 0 ) { lin e _ p a c k e ts = A V _ R L 1 6 ( & b u f[ s tre a m _ p tr] ) ; s tre a m _ p tr += 2 ; if ((line_ p a c k e ts & 0 x C ) == 0 x C ) { / / lin e s k ip o p c o d e lin e _ p a c k e ts = - lin e _ p a c k e ts ; y _ p tr + = lin e _ p a c k e ts * s - > fr a m e.lin e s iz e [ 0 ] ; e ls e if ((line_ p a c k e ts & 0 x C ) == 0 x ) { [..] e ls e if ((line_ p a c k e ts & 0 x C ) == 0 x ) { / / "la s t b y t e " o p c o d e p ix e ls [ y _ p tr + s - > fr a m e.lin e s iz e [ 0 ] - 1 ] = lin e _ p a c k e ts & 0 x ff; e ls e { [..] y _ p tr + = s - > fr a m e.lin e s iz e [ 0 ] ; b r e a k ; [..] Decoder-Pattern: Usually a variable of type AvCodecContext AV_RL*-Functions used as sources. Lot s of primitive types with specified width used. Use of memcpy, memset, etc. unchecked index, Write to arbitrary location in memory.
44 Extrapolation The closest match contained the same vulnerability but it was fixed when the initial function was fixed. [You cannot expect this decoder to be the optimal prototype for the decoder class, so yes, it will find nondecoders.] 0-Bug
45 0-Bug s ta tic v o id v m d _ d e c o d e ( V m d V id e o C o n te x t * s ) { [...] in t fra m e _ x, fra m e _ y ; in t fra m e _ w id th, fra m e _ h e ig h t; in t d p _ s iz e ; fr a m e _ x = A V _ R L 1 6 ( & s - > b u f[ 6 ] ) ; fr a m e _ y = A V _ R L 1 6 ( & s - > b u f[ 8 ] ) ; fr a m e _ w id th = A V _ R L 1 6 ( & s - > b u f[ 1 0 ] ) - fr a m e _ x + 1 ; fr a m e _ h e ig h t = A V _ R L 1 6 ( & s - > b u f[ 1 2 ] ) - fr a m e _ y + 1 ; [...] if ( s ->size >= 0 ) { / * o r ig in a lly U n p a c k F r a m e in V A G 's c o d e * / pb = p ; m e th = * pb++; [...] d p = & s - > fr a m e.d a ta [ 0 ] [ fr a m e _ y * s - > fr a m e.lin e s iz e [ 0 ] + fr a m e _ x ] ; d p _ s iz e = s ->fram e.lin e s iz e [ 0 ] * s ->avctx->height; pp = & s ->prev_ fra m e.d a ta [ 0 ][fram e _ y * s ->prev_ fra m e.lin e s iz e [ 0 ] + fra m e _ x ]; s w itc h ( m e th ) { [...] c a s e 2 : fo r ( i = 0 ; i < fra m e _ h e ig h t; i++) { m e m c p y ( d p, p b, fr a m e _ w id th ) ; pb += fra m e _ w id th ; dp += s ->fram e.lin e s iz e [ 0 ]; pp += s ->prev_ fra m e.lin e s iz e [ 0 ]; b r e a k ; [...] Decoder-Pattern: Usually a variable of type AvCodecContext AV_RL*-Functions used as sources. Lot s of primitive types with specified width used. Use of memcpy, memset, etc. Again an unchecked index into the pixelbuffer!
46 From 0-Bug to 0-day Demonstrate that this can be turned into this.
47 Writing a binary exploit in 2011 Writing binary exploits in 2011 is an adventure you do not want to miss. ASLR and DEP have arrived to stay. The heap is hardened. Every bug is kind of different right now and new generic techniques are just emerging. But when you look deep into the code and use it creatively, you can get it done
48 The memory corruption aspect s ta tic v o id v m d _ d e c o d e ( V m d V id e o C o n te x t * s ) { s ta tic v o id v m d _ d e c o d e (V m d V id e o C o n te x t * s ) { [...] in t fra m e _ x, fra m e _ y ; in t fram e _ w idth, fram e _ height; in t d p _ s iz e ; fram e _ x = AV_ RL16( & s -> buf[6 ] ) ; fram e _ y = AV_ RL16( & s -> buf[8 ] ) ; fram e _ w idth = AV_ RL16( & s -> buf[10] ) - fram e _ x + 1 ; fram e _ height = AV_ RL16( & s -> buf[12] ) - fram e _ y + 1 ; if ((fra m e _ w id th == s ->a v c tx ->w id th && fra m e _ h e ig h t == s ->a v c tx ->h e ig h t) && ( fra m e _ x fra m e _ y )) { s ->x_ o ff = fra m e _ x ; s ->y_ o ff = fra m e _ y ; fra m e _ x -= s ->x_ o ff; fra m e _ y -= s ->y_ o ff; if ( fra m e _ x fra m e _ y ( fra m e _ w id th!= s ->a v c tx ->w id th ) ( fra m e _ h e ig h t!= s ->a v c tx ->h e ig h t)) { m e m c p y ( s ->fra m e.d a ta [ 0 ], s ->p re v _ fra m e.d a ta [ 0 ], s ->a v c tx ->h e ig h t * s ->fra m e.lin e s iz e [ 0 ]); [...] if ( s ->size >= 0 ) { / * o r ig in a lly U n p a c k F r a m e in V A G 's c o d e * / pb = p ; m e th = * pb++; [...] dp = & s -> fram e.data [0 ] [fram e _ y * s -> fram e.linesize [0 ] + fram e _ x ] ; d p _ s iz e = s ->fra m e.lin e s iz e [ 0 ] * s ->a v c tx ->h e ig h t; pp = & s ->p re v _ fra m e.d a ta [ 0 ][fra m e _ y * s ->p re v _ fra m e.lin e s iz e [ 0 ] + fra m e _ x ]; s w itc h ( m e th ) { [...] c a s e 2 : b r e a k ; [...] [...] in t fra m e _ x, fra m e _ y ; in t fra m e _ w id th, fra m e _ h e ig h t; in t d p _ s iz e ; fr a m e _ x = A V _ R L 1 6 ( & s - > b u f[ 6 ] ) ; fr a m e _ y = A V _ R L 1 6 ( & s - > b u f[ 8 ] ) ; fo r ( i = 0 ; i < fra m e _ h e ig h t; i++) { m e m c p y (d p, p b, fra m e _ w id th ) ; pb += fra m e _ w id th ; fr a m e _ w id th = A V _ R L 1 6 ( & s - > b u f[ 1 0 ] ) - fr a m e _ x + 1 ; fr a m e _ h e ig h t = A V _ R L 1 6 ( & s - > b u f[ 1 2 ] ) - fr a m e _ y + 1 ; [...] if ( s ->s iz e >= 0 ) { dp += s ->fra m e.lin e s iz e [ 0 ]; / * o r ig in a lly U n p a c k F r a m e in V A G 's c o d e * / pb = p ; m e th = * pb++; [...] d p = & s - > fr a m e.d a ta [ 0 ] [ fr a m e _ y * s - > fr a m e.lin e s iz e [ 0 ] + fr a m e _ x ] ; d p _ s iz e = s ->fram e.lin e s iz e [ 0 ] * s ->avctx->height; pp = & s ->p re v _ fra m e.d a ta [ 0 ][fra m e _ y * s ->p re v _ fra m e.lin e s iz e [ 0 ] + fra m e _ x ]; s w itc h ( m e th ) { [...] c a s e 2 : pp += s ->p re v _ fra m e.lin e s iz e [ 0 ]; fo r ( i = 0 ; i < fra m e _ h e ig h t; i++) { m e m c p y ( d p, p b, fr a m e _ w id th ) ; pb += fra m e _ w id th ; dp += s ->fra m e.lin e s iz e [ 0 ]; pp += s ->p re v _ fra m e.lin e s iz e [ 0 ]; b r e a k ; [...]
49 Our Bug v.s. ASLR Due to ASLR, the startaddress of the heap will change from run to run. The relative address of the pixel-buffer within the heap will not be affected by ASLR. As long as we choose an offset that remains within the boundaries of the heap, ASLR does not hurt us yet. run n run n+1
50 What this bug gives us The ability to write up to bytes of data specified by us to a location relative to the pixel-buffer. Constraint: Offsets in the interval [-65535; -1] cannot be specified.
51 What do we overwrite? s ta tic in t v m d v id e o _ d e c o d e _ fra m e ( A V C o d e c C o n te x t * a v c tx, v o id * d a ta, in t * d a ta _ s iz e, A V P a c k e t * a v p k t) { [..] v m d _ d e c o d e ( s ) ; / * m a k e th e p a le tte a v a ila b le o n th e w a y o u t * / m e m c p y ( s ->fra m e.d a ta [ 1 ], s ->p a le tte, P A L E T T E _ C O U N T * 4 ); / * s h u f f le f r a m e s * / F F S W A P ( A V F ra m e, s ->fram e, s ->prev_ fra m e ); if ( s ->fram e.d a ta [ 0 ]) a v c tx - > r e le a s e _ b u ffe r ( a v c tx, & s - > fr a m e ) ; [..] r e tu r n b u f_ s iz e ; Overwrite the release_buffer pointer! Of course, that s in the interval of offsets we can t use
52 The state changing aspect s ta tic v o id v m d _ d e c o d e ( V m d V id e o C o n te x t * s ) { s ta tic v o id v m d _ d e c o d e ( V m d V id e o C o n te x t * s ) { && [...] [...] in t fra t mfra e _ x m, frae m_ e _ x y,; fra m e _ y ; in t fra m e _ w id th, fra m e _ h e ig h t; t d p _ s iz e ; in t fra m e _ w id th, fra m e _ h e ig h t; in t d p _ s iz e ; fra m e _ x = A V _ R L 1 6 (&s ->b u f[ 6 ]); fra m e _ y = A V _ R L 1 6 (&s ->b u f[ 8 ]); fra m e _ w id th = A V _ R L 1 6 (&s->buf[ 10]) - fra m e _ x + 1 ; fra m e _ h e ig h t = A V _ R L 1 6 (&s->buf[ 12]) - fra m e _ y + 1 ; fra m e _ x = A V _ R L 1 6 (&s ->b u f[ 6 ]); if ( ( fr a m e _ w id th = = s - > a v c tx - > w id th & & fr a m e _ h e ig h t = = s - > a v c tx - > h e ig h t) & & (fram e_x fram e_y)) { fra m e _ y = A V _ R L 1 6 (&s ->b u f[ 8 ]); s-> x_off = fram e_x; s-> y_off = fram e_y; fra m e _ w id th = A V _ R L 1 6 (&s->buf[ 10]) - fra m e _ x + 1 ; a m e _ x - = s - > x _ o ff; fra a mme _ y e -_ = hs - e> y ig_ oh ff; t = A V _ R L 1 6 (&s->buf[ 12]) - fra m e _ y + 1 ; if ( fra m e _ x fra m e _ y ( fra m e _ w id th!= s ->a v c tx ->w id th ) [...] ( fra m e _ h e ig h t!= s ->a v c tx ->h e ig h t)) { if ( ( fr a m e _ w id th = = s - > a v c tx - > w id th & & fr a m e _ h e ig h t = = s - > a v c tx - > h e ig h t) m e m c p y ( s ->fra m e.d a ta [ 0 ], s ->p re v _ fra m e.d a ta [ 0 ], s ->avctx ->h eigh t * s ->fram e.lin esize [ 0 ]); if ( s ->s iz e >= 0 ) { (fram e_x fram e_y)) { / * originally U npackfram e in VA G 's code * / pb = p ; m e th = * pb++; s-> x_off = fram e_x; [...] dp = & s ->fra m e.d a ta [ 0 ][fra m e _ y * s ->fra m e.lin e s iz e [ 0 ] + fra m e _ x ]; s-> y_off = fram e_y; dp_ size = s ->fram e.lin esize [ 0 ] * s ->avctx ->h eigh t; pp = & s ->p re v _ fra m e.d a ta [ 0 ][fra m e _ y * s ->p re v _ fra m e.lin e s iz e [ 0 ] + fra m e _ x ]; s w itc h ( m e th ) { [...] c a s e 2 : fr a mfo r e ( i _ = x 0 ; i - < = fra ms e -_ > h e igx h_ t; i++) o ff; { m e m c p y ( dp, pb, fra m e _ w id th ); pb += fra m e _ w id th ; fr a m e _ y - = s - > y _ o ff; dp += s ->fram e.lin e s iz e [ 0 ]; [...] b r e a k ; [...] pp += s ->p re v _ fra m e.lin e s iz e [ 0 ];
53 First frame We exploit the bug using two video frames. First frame: Put the decoder in a state where s->x_off contains our desired signinverted offset. First frame State 1: s->x_off = $offset Second frame State 2: frame_x = -s->x_off OVERWRITE
54 Second frame Second frame: Makes the decoder set frame_x to s>x_off and thus we add a negative offset to the pixelbuffer. First frame State 1: s->x_off = $offset Second frame State 2: frame_x = -s->x_off OVERWRITE
55 Now we can overwrite the pointer! Specify the sign-inverted desired offset in the first frame s frame_x and do not trigger memory corruption. The offset will be saved in s- >x_off. In the second frame, set frame_x to 0 so that frame_x will be set to s->x_off. Trigger memory corruption with this second frame.
56 Now, where do we jump? We re in luck: the base image of mplayer is not compiled as position-independent code. A small portion of code will be at constant addresses despite ASLR! What about this? 0x080cc5c2: mov %eax, (%esp) 0x080cc5c5: call <system@plt>
57 When shellcode contains shell-commands When the call is made, %eax has just been used as an auxiliary register to hold a pointer to avctx. avctx will be interpreted as a string of commands for /bin/sh! Lightly spray the heap with avctx-structures accordingly. Of course, this is not 100% stable but works remarkably well
58 DEMO
59 Evaluation: How good does it work in general? Of course, if no further similar bug exists in the code-base, this will not work. Second: We did not look for the same bug but for the same usage-pattern. That does not mean the pattern has to be used wrong in the cases we find as well. We just know the things to look for with this pattern.
60 What we can show If we do API-discovery by hand, we can check whether the method would have found these groups as well. Manually extracted code from the Linux kernel and FFmpeg was used to evaluate the method.
61 Evaluation Before PCA After PCA
62 Summary There are lots of patterns in your bugs. There s an info-leak when you disclose a bug: You re providing a sample of what went wrong in this specific code-base. Fixing a bug without performing proper extrapolation may be contra-productive You may be disclosing related 0-day!
63 Where to go from here for this method in particular. This will probably work well on binaries. While PCA was the vanilla algorithm to try out, there are better representations: NMF looks a lot more promising. We re currently investigating whether structural features can improve the method.
64 Some ideas and for security in general. Learn context-free grammars from input to generate fuzzers. Cluster fuzz-traces to group input that hits the same bug. More robust OS- and rate-limiter detection in port-scanning. Heap-chunk usage patterns to identify how APIs interact at runtime?
65 Final words Whenever you encounter patterns in security research or need to make a fuzzy decision, you may want to give machine learning a shot. It can be beneficial and refreshing to find ways of applying research from other fields to your problems.
66 Questions? Fabian Yamaguchi Vulnerability Researcher Recurity Labs GmbH, Berlin, Germany
Class Diagrams. CSC 440/540: Software Engineering Slide #1
Class Diagrams CSC 440/540: Software Engineering Slide # Topics. Design class diagrams (DCDs) 2. DCD development process 3. Associations and Attributes 4. Dependencies 5. Composition and Constraints 6.
More informationLU N C H IN C LU D E D
Week 1 M o n d a y J a n u a ry 7 - C o lo u rs o f th e R a in b o w W e w ill b e k ic k in g o ff th e h o lid a y s w ith a d a y fu ll o f c o lo u r! J o in u s fo r a ra n g e o f a rt, s p o rt
More informationc. What is the average rate of change of f on the interval [, ]? Answer: d. What is a local minimum value of f? Answer: 5 e. On what interval(s) is f
Essential Skills Chapter f ( x + h) f ( x ). Simplifying the difference quotient Section. h f ( x + h) f ( x ) Example: For f ( x) = 4x 4 x, find and simplify completely. h Answer: 4 8x 4 h. Finding the
More informationInformation System Desig
n IT60105 Lecture 7 Unified Modeling Language Lecture #07 Unified Modeling Language Introduction to UML Applications of UML UML Definition Learning UML Things in UML Structural Things Behavioral Things
More informationGrain Reserves, Volatility and the WTO
Grain Reserves, Volatility and the WTO Sophia Murphy Institute for Agriculture and Trade Policy www.iatp.org Is v o la tility a b a d th in g? De pe n d s o n w h e re yo u s it (pro d uc e r, tra d e
More information600 Billy Smith Road, Athens, VT
600 Billy Smith Road, Athens, VT Curtis Trousdale, Owner, Broker, Realtor Cell: 802-233-5589 curtis@preferredpropertiesvt.com 2004 Williston Road, South Burlington VT 05403 www.preferredpropertiesvt.com
More informationPr[X = s Y = t] = Pr[X = s] Pr[Y = t]
Homework 4 By: John Steinberger Problem 1. Recall that a real n n matrix A is positive semidefinite if A is symmetric and x T Ax 0 for all x R n. Assume A is a real n n matrix. Show TFAE 1 : (a) A is positive
More informationCapacitor Discharge called CD welding
TROUBLE SHOOTING OF STUD WELDING (EQUPMENT) We see several time, that the two main principles of Studwelding are mixed up therefor I will start to repeat short the welding methods. Capacitor Discharge
More informationLan Performance LAB Ethernet : CSMA/CD TOKEN RING: TOKEN
Lan Performance LAB Ethernet : CSMA/CD TOKEN RING: TOKEN Ethernet Frame Format 7 b y te s 1 b y te 2 o r 6 b y te s 2 o r 6 b y te s 2 b y te s 4-1 5 0 0 b y te s 4 b y te s P r e a m b le S ta r t F r
More informationVäxjö University. Software Security Testing. A Flexible Architecture for Security Testing. School of Mathematics and System Engineering
School of Mathematics and System Engineering Reports from MSI - Rapporter från MSI Växjö University Software Security Testing A Flexible Architecture for Security Testing Martin Andersson Aug 2008 MSI
More informationFinal Review Sheet. B = (1, 1 + 3x, 1 + x 2 ) then 2 + 3x + 6x 2
Final Review Sheet The final will cover Sections Chapters 1,2,3 and 4, as well as sections 5.1-5.4, 6.1-6.2 and 7.1-7.3 from chapters 5,6 and 7. This is essentially all material covered this term. Watch
More informationMath 110, Spring 2015: Midterm Solutions
Math 11, Spring 215: Midterm Solutions These are not intended as model answers ; in many cases far more explanation is provided than would be necessary to receive full credit. The goal here is to make
More informationMachine Learning (Spring 2012) Principal Component Analysis
1-71 Machine Learning (Spring 1) Principal Component Analysis Yang Xu This note is partly based on Chapter 1.1 in Chris Bishop s book on PRML and the lecture slides on PCA written by Carlos Guestrin in
More informationMath 3361-Modern Algebra Lecture 08 9/26/ Cardinality
Math 336-Modern Algebra Lecture 08 9/26/4. Cardinality I started talking about cardinality last time, and you did some stuff with it in the Homework, so let s continue. I said that two sets have the same
More informationA L A BA M A L A W R E V IE W
A L A BA M A L A W R E V IE W Volume 52 Fall 2000 Number 1 B E F O R E D I S A B I L I T Y C I V I L R I G HT S : C I V I L W A R P E N S I O N S A N D TH E P O L I T I C S O F D I S A B I L I T Y I N
More informationANNUAL MONITORING REPORT 2000
ANNUAL MONITORING REPORT 2000 NUCLEAR MANAGEMENT COMPANY, LLC POINT BEACH NUCLEAR PLANT January 1, 2000, through December 31, 2000 April 2001 TABLE OF CONTENTS Executive Summary 1 Part A: Effluent Monitoring
More informationIsomorphisms and Well-definedness
Isomorphisms and Well-definedness Jonathan Love October 30, 2016 Suppose you want to show that two groups G and H are isomorphic. There are a couple of ways to go about doing this depending on the situation,
More informationQuadratic Equations Part I
Quadratic Equations Part I Before proceeding with this section we should note that the topic of solving quadratic equations will be covered in two sections. This is done for the benefit of those viewing
More informationLab 4. Current, Voltage, and the Circuit Construction Kit
Physics 2020, Spring 2009 Lab 4 Page 1 of 8 Your name: Lab section: M Tu Wed Th F TA name: 8 10 12 2 4 Lab 4. Current, Voltage, and the Circuit Construction Kit The Circuit Construction Kit (CCK) is a
More informationSTEEL PIPE NIPPLE BLACK AND GALVANIZED
Price Sheet Effective August 09, 2018 Supersedes CWN-218 A Member of The Phoenix Forge Group CapProducts LTD. Phone: 519-482-5000 Fax: 519-482-7728 Toll Free: 800-265-5586 www.capproducts.com www.capitolcamco.com
More informationRobust Programs with Filtered Iterators
Robust Programs with Filtered Iterators Jiasi Shen, Martin Rinard MIT EECS & CSAIL 1 Standard Scenario Input file Program Output 2 Structured Input Units Input Input unit Input unit Input unit unit Program
More information1 General Tips and Guidelines for Proofs
Math 20F, 2015SS1 / TA: Jor-el Briones / Sec: A01 / Handout Page 1 of 5 1 General Tips and Guidelines for Proofs Proofs, or really any question that asks you to justify or explain something, are a huge
More informationOperation Manual for Automatic Leveling Systems
Operation Manual for Automatic Leveling Systems 11/12 Power Gear #82-L0379 Rev. 0E Operation Manual for Automatic Leveling Systems with Touch Pad # 140-1226 and Control Box # 140-1229 Contents Before You
More informationMySQL 5.1. Past, Present and Future. Jan Kneschke MySQL AB
MySQL 5.1 Past, Present and Future Jan Kneschke MySQL AB Agenda Past S Q L T re e s m e e ts D y n a m ic S Q L P re s e n t E v e n ts P a rtitio n in g F u tu re V e rtic a l P a rtitio n in g About
More informationMOLINA HEALTHCARE, INC. (Exact name of registrant as specified in its charter)
UNITED STATES SECURITIES AND EXCHANGE COMMISSION Washington, D.C. 20549 FORM 8-K Current Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934 Date of Report (Date of earliest event
More informationAGRICULTURE SYLLABUS
Agriculture Forms 1-4.qxp_Layout 1 26/10/2016 12:29 PM Page 1 ZIMBABWE MInISTRY OF PRIMARY AnD SECOnDARY EDUCATIOn AGRICULTURE SYLLABUS FORM 1-4 2015-2022 Curriculum Development and Technical Services,
More informationTECHNICAL MANUAL OPTIMA PT/ST/VS
TECHNICAL MANUAL OPTIMA PT/ST/VS Page 2 NT1789 Rév.A0 TABLE OF CHANGES The information contained in this document only concerns : OPTIMA PT/ST/VS type, MCM 440 PT/OT type, MCM550 ST type. Technical Manual
More informationMITOCW ocw-18_02-f07-lec02_220k
MITOCW ocw-18_02-f07-lec02_220k The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high quality educational resources for free.
More informationPrincipal Component Analysis
Principal Component Analysis Laurenz Wiskott Institute for Theoretical Biology Humboldt-University Berlin Invalidenstraße 43 D-10115 Berlin, Germany 11 March 2004 1 Intuition Problem Statement Experimental
More informationUNITED STATES SECURITIES AND EXCHANGE COMMISSION Washington, D.C FORM 8-K
UNITED STATES SECURITIES AND EXCHANGE COMMISSION Washington, D.C. 20549 FORM 8-K CURRENT REPORT Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934 Date of Report (Date of earliest event
More informationTTM TECHNOLOGIES, INC. (Exact Name of Registrant as Specified in Charter)
Table of Contents UNITED STATES SECURITIES AND EXCHANGE COMMISSION WASHINGTON, DC 20549 FORM 8-K CURRENT REPORT Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934 November 15, 2006
More informationWhat Every Programmer Should Know About Floating-Point Arithmetic DRAFT. Last updated: November 3, Abstract
What Every Programmer Should Know About Floating-Point Arithmetic Last updated: November 3, 2014 Abstract The article provides simple answers to the common recurring questions of novice programmers about
More informationUnsupervised Machine Learning and Data Mining. DS 5230 / DS Fall Lecture 7. Jan-Willem van de Meent
Unsupervised Machine Learning and Data Mining DS 5230 / DS 4420 - Fall 2018 Lecture 7 Jan-Willem van de Meent DIMENSIONALITY REDUCTION Borrowing from: Percy Liang (Stanford) Dimensionality Reduction Goal:
More informationLecture 4: Constructing the Integers, Rationals and Reals
Math/CS 20: Intro. to Math Professor: Padraic Bartlett Lecture 4: Constructing the Integers, Rationals and Reals Week 5 UCSB 204 The Integers Normally, using the natural numbers, you can easily define
More information7.2 P rodu c t L oad/u nload Sy stem s
7.2 P rodu c t L oad/u nload Sy stem s The 10" or 12" augers, or the 10" conveyor are high capacity load/unload systems with hydraulic controls to manoeuvre and operate. The hydraulic assist allows the
More informationLecture 27: Theory of Computation. Marvin Zhang 08/08/2016
Lecture 27: Theory of Computation Marvin Zhang 08/08/2016 Announcements Roadmap Introduction Functions Data Mutability Objects This week (Applications), the goals are: To go beyond CS 61A and see examples
More informationSoftware Architecture. CSC 440: Software Engineering Slide #1
Software Architecture CSC 440: Software Engineering Slide #1 Topics 1. What is software architecture? 2. Why do we need software architecture? 3. Architectural principles 4. UML package diagrams 5. Software
More informationUNITED STATES SECURITIES AND EXCHANGE COMMISSION Washington, D.C Form 8-K/A (Amendment No. 2)
UNITED STATES SECURITIES AND EXCHANGE COMMISSION Washington, D.C. 20549 Form 8-K/A (Amendment No. 2) Current Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934 Date of Report
More informationDIFFERENTIAL EQUATIONS
DIFFERENTIAL EQUATIONS Basic Concepts Paul Dawkins Table of Contents Preface... Basic Concepts... 1 Introduction... 1 Definitions... Direction Fields... 8 Final Thoughts...19 007 Paul Dawkins i http://tutorial.math.lamar.edu/terms.aspx
More information, p 1 < p 2 < < p l primes.
Solutions Math 347 Homework 1 9/6/17 Exercise 1. When we take a composite number n and factor it into primes, that means we write it as a product of prime numbers, usually in increasing order, using exponents
More informationClassification. The goal: map from input X to a label Y. Y has a discrete set of possible values. We focused on binary Y (values 0 or 1).
Regression and PCA Classification The goal: map from input X to a label Y. Y has a discrete set of possible values We focused on binary Y (values 0 or 1). But we also discussed larger number of classes
More informationFunctional pottery [slide]
Functional pottery [slide] by Frank Bevis Fabens A thesis submitted in partial fulfillment of the requirements for the degree of Master of Fine Arts Montana State University Copyright by Frank Bevis Fabens
More informationgender mains treaming in Polis h practice
gender mains treaming in Polis h practice B E R L IN, 1 9-2 1 T H A P R IL, 2 O O 7 Gender mains treaming at national level Parliament 25 % of women in S ejm (Lower Chamber) 16 % of women in S enat (Upper
More informationAutomata Theory CS S-12 Turing Machine Modifications
Automata Theory CS411-2015S-12 Turing Machine Modifications David Galles Department of Computer Science University of San Francisco 12-0: Extending Turing Machines When we added a stack to NFA to get a
More informationEffective Entropy for Memory Randomization Defenses
Effective Entropy for Memory Randomization Defenses William Herlands, Thomas Hobson, Paula Donovan 7 th Workshop on Cyber Security Experimentation and Test 18 August 2014 This work is sponsored by Assistant
More informationIV. Matrix Approximation using Least-Squares
IV. Matrix Approximation using Least-Squares The SVD and Matrix Approximation We begin with the following fundamental question. Let A be an M N matrix with rank R. What is the closest matrix to A that
More information, (1) e i = ˆσ 1 h ii. c 2016, Jeffrey S. Simonoff 1
Regression diagnostics As is true of all statistical methodologies, linear regression analysis can be a very effective way to model data, as along as the assumptions being made are true. For the regression
More informationMath 308 Midterm Answers and Comments July 18, Part A. Short answer questions
Math 308 Midterm Answers and Comments July 18, 2011 Part A. Short answer questions (1) Compute the determinant of the matrix a 3 3 1 1 2. 1 a 3 The determinant is 2a 2 12. Comments: Everyone seemed to
More informationCOMS 4721: Machine Learning for Data Science Lecture 10, 2/21/2017
COMS 4721: Machine Learning for Data Science Lecture 10, 2/21/2017 Prof. John Paisley Department of Electrical Engineering & Data Science Institute Columbia University FEATURE EXPANSIONS FEATURE EXPANSIONS
More informationExercises * on Principal Component Analysis
Exercises * on Principal Component Analysis Laurenz Wiskott Institut für Neuroinformatik Ruhr-Universität Bochum, Germany, EU 4 February 207 Contents Intuition 3. Problem statement..........................................
More informationCHAPTER 8: MATRICES and DETERMINANTS
(Section 8.1: Matrices and Determinants) 8.01 CHAPTER 8: MATRICES and DETERMINANTS The material in this chapter will be covered in your Linear Algebra class (Math 254 at Mesa). SECTION 8.1: MATRICES and
More informationCprE 281: Digital Logic
CprE 281: Digital Logic Instructor: Alexander Stoytchev http://www.ece.iastate.edu/~alexs/classes/ Signed Numbers CprE 281: Digital Logic Iowa State University, Ames, IA Copyright Alexander Stoytchev Administrative
More informationMachine Learning, Fall 2009: Midterm
10-601 Machine Learning, Fall 009: Midterm Monday, November nd hours 1. Personal info: Name: Andrew account: E-mail address:. You are permitted two pages of notes and a calculator. Please turn off all
More informationB ooks Expans ion on S ciencedirect: 2007:
B ooks Expans ion on S ciencedirect: 2007: 1 INFORUM, 22-24 May, Prague Piotr Golkiewicz Account Manager Elsevier B.V. Email: p.golkiewicz@elsevier.com Mobile: +48 695 30 60 17 2 Pres entation Overview
More informationIE418 Integer Programming
IE418: Integer Programming Department of Industrial and Systems Engineering Lehigh University 2nd February 2005 Boring Stuff Extra Linux Class: 8AM 11AM, Wednesday February 9. Room??? Accounts and Passwords
More informationCPSC 340: Machine Learning and Data Mining. More PCA Fall 2017
CPSC 340: Machine Learning and Data Mining More PCA Fall 2017 Admin Assignment 4: Due Friday of next week. No class Monday due to holiday. There will be tutorials next week on MAP/PCA (except Monday).
More informationS U E K E AY S S H A R O N T IM B E R W IN D M A R T Z -PA U L L IN. Carlisle Franklin Springboro. Clearcreek TWP. Middletown. Turtlecreek TWP.
F R A N K L IN M A D IS O N S U E R O B E R T LE IC H T Y A LY C E C H A M B E R L A IN T W IN C R E E K M A R T Z -PA U L L IN C O R A O W E N M E A D O W L A R K W R E N N LA N T IS R E D R O B IN F
More informationBreakup of weakly bound nuclei and its influence on fusion. Paulo R. S. Gomes Univ. Fed. Fluminense (UFF), Niteroi, Brazil
Breakup of weakly bound nuclei and its influence on fusion Paulo R. S. Gomes Univ. Fed. Fluminense (UFF), Niteroi, Brazil Forum Brasil-JINR Dubna, June, 2015 For a comprehensive review of this subject
More informationExploratory Factor Analysis and Principal Component Analysis
Exploratory Factor Analysis and Principal Component Analysis Today s Topics: What are EFA and PCA for? Planning a factor analytic study Analysis steps: Extraction methods How many factors Rotation and
More informationCSCI3390-Assignment 2 Solutions
CSCI3390-Assignment 2 Solutions due February 3, 2016 1 TMs for Deciding Languages Write the specification of a Turing machine recognizing one of the following three languages. Do one of these problems.
More informationBeechwood Music Department Staff
Beechwood Music Department Staff MRS SARAH KERSHAW - HEAD OF MUSIC S a ra h K e rs h a w t r a i n e d a t t h e R oy a l We ls h C o l le g e of M u s i c a n d D ra m a w h e re s h e ob t a i n e d
More informationLet s now begin to formalize our analysis of sequential machines Powerful methods for designing machines for System control Pattern recognition Etc.
Finite State Machines Introduction Let s now begin to formalize our analysis of sequential machines Powerful methods for designing machines for System control Pattern recognition Etc. Such devices form
More informationBayesian Classifiers and Probability Estimation. Vassilis Athitsos CSE 4308/5360: Artificial Intelligence I University of Texas at Arlington
Bayesian Classifiers and Probability Estimation Vassilis Athitsos CSE 4308/5360: Artificial Intelligence I University of Texas at Arlington 1 Data Space Suppose that we have a classification problem The
More informationCS168: The Modern Algorithmic Toolbox Lecture #8: How PCA Works
CS68: The Modern Algorithmic Toolbox Lecture #8: How PCA Works Tim Roughgarden & Gregory Valiant April 20, 206 Introduction Last lecture introduced the idea of principal components analysis (PCA). The
More informationData Mining Techniques
Data Mining Techniques CS 6220 - Section 3 - Fall 2016 Lecture 12 Jan-Willem van de Meent (credit: Yijun Zhao, Percy Liang) DIMENSIONALITY REDUCTION Borrowing from: Percy Liang (Stanford) Linear Dimensionality
More informationAbstractions and Decision Procedures for Effective Software Model Checking
Abstractions and Decision Procedures for Effective Software Model Checking Prof. Natasha Sharygina The University of Lugano, Carnegie Mellon University Microsoft Summer School, Moscow, July 2011 Lecture
More informationA primer on matrices
A primer on matrices Stephen Boyd August 4, 2007 These notes describe the notation of matrices, the mechanics of matrix manipulation, and how to use matrices to formulate and solve sets of simultaneous
More informationExploratory Factor Analysis and Principal Component Analysis
Exploratory Factor Analysis and Principal Component Analysis Today s Topics: What are EFA and PCA for? Planning a factor analytic study Analysis steps: Extraction methods How many factors Rotation and
More informationA REVIEW OF RESIDUES AND INTEGRATION A PROCEDURAL APPROACH
A REVIEW OF RESIDUES AND INTEGRATION A PROEDURAL APPROAH ANDREW ARHIBALD 1. Introduction When working with complex functions, it is best to understand exactly how they work. Of course, complex functions
More informationComp 11 Lectures. Mike Shah. July 12, Tufts University. Mike Shah (Tufts University) Comp 11 Lectures July 12, / 33
Comp 11 Lectures Mike Shah Tufts University July 12, 2017 Mike Shah (Tufts University) Comp 11 Lectures July 12, 2017 1 / 33 Please do not distribute or host these slides without prior permission. Mike
More informationCS281 Section 4: Factor Analysis and PCA
CS81 Section 4: Factor Analysis and PCA Scott Linderman At this point we have seen a variety of machine learning models, with a particular emphasis on models for supervised learning. In particular, we
More informationLecture 4: Training a Classifier
Lecture 4: Training a Classifier Roger Grosse 1 Introduction Now that we ve defined what binary classification is, let s actually train a classifier. We ll approach this problem in much the same way as
More informationForm and content. Iowa Research Online. University of Iowa. Ann A Rahim Khan University of Iowa. Theses and Dissertations
University of Iowa Iowa Research Online Theses and Dissertations 1979 Form and content Ann A Rahim Khan University of Iowa Posted with permission of the author. This thesis is available at Iowa Research
More informationCalculus II. Calculus II tends to be a very difficult course for many students. There are many reasons for this.
Preface Here are my online notes for my Calculus II course that I teach here at Lamar University. Despite the fact that these are my class notes they should be accessible to anyone wanting to learn Calculus
More informationIntroduction to Machine Learning. PCA and Spectral Clustering. Introduction to Machine Learning, Slides: Eran Halperin
1 Introduction to Machine Learning PCA and Spectral Clustering Introduction to Machine Learning, 2013-14 Slides: Eran Halperin Singular Value Decomposition (SVD) The singular value decomposition (SVD)
More informationM a n a g e m e n t o f H y d ra u lic F ra c tu rin g D a ta
M a n a g e m e n t o f H y d ra u lic F ra c tu rin g D a ta M a rc h 2 0 1 5, A n n a F ilip p o v a a n d J e re m y E a d e 1 W h a t is H y d ra u lic F ra c tu rin g? Im a g e : h ttp ://w w w.h
More informationOne-to-one functions and onto functions
MA 3362 Lecture 7 - One-to-one and Onto Wednesday, October 22, 2008. Objectives: Formalize definitions of one-to-one and onto One-to-one functions and onto functions At the level of set theory, there are
More informationHypothesis testing I. - In particular, we are talking about statistical hypotheses. [get everyone s finger length!] n =
Hypothesis testing I I. What is hypothesis testing? [Note we re temporarily bouncing around in the book a lot! Things will settle down again in a week or so] - Exactly what it says. We develop a hypothesis,
More informationA Primer on Statistical Inference using Maximum Likelihood
A Primer on Statistical Inference using Maximum Likelihood November 3, 2017 1 Inference via Maximum Likelihood Statistical inference is the process of using observed data to estimate features of the population.
More informationEXAM 2 REVIEW DAVID SEAL
EXAM 2 REVIEW DAVID SEAL 3. Linear Systems and Matrices 3.2. Matrices and Gaussian Elimination. At this point in the course, you all have had plenty of practice with Gaussian Elimination. Be able to row
More informationA new ThermicSol product
A new ThermicSol product Double-Faced Thermo-Electric Solar-Panel TD/PV & Solar Tracker & Rotation Device An EU-patent protected product TP4-referens.pdf D o y o u w a n t to c o n v e rt it i n to G re
More informationCS 124 Math Review Section January 29, 2018
CS 124 Math Review Section CS 124 is more math intensive than most of the introductory courses in the department. You re going to need to be able to do two things: 1. Perform some clever calculations to
More informationHigh Capacity Double Pillar Fully Automatic Bandsaw. p h a r o s 2 8 0
High Capacity Double Pillar Fully Automatic Bandsaw p h a r o s 2 8 0 A high-quality product from German mechanical engineering pharos - a beacon amongst automatic bandsaws Klaeger has been a leading manufacturer
More informationWe are here. Assembly Language. Processors Arithmetic Logic Units. Finite State Machines. Circuits Gates. Transistors
CSC258 Week 3 1 Logistics If you cannot login to MarkUs, email me your UTORID and name. Check lab marks on MarkUs, if it s recorded wrong, contact Larry within a week after the lab. Quiz 1 average: 86%
More informationIntroduction to Error Analysis
Introduction to Error Analysis This is a brief and incomplete discussion of error analysis. It is incomplete out of necessity; there are many books devoted entirely to the subject, and we cannot hope to
More informationCSE373: Data Structures and Algorithms Lecture 2: Math Review; Algorithm Analysis. Hunter Zahn Summer 2016
CSE373: Data Structures and Algorithms Lecture 2: Math Review; Algorithm Analysis Hunter Zahn Summer 2016 Today Finish discussing stacks and queues Review math essential to algorithm analysis Proof by
More informationDimensionality Reduction: PCA. Nicholas Ruozzi University of Texas at Dallas
Dimensionality Reduction: PCA Nicholas Ruozzi University of Texas at Dallas Eigenvalues λ is an eigenvalue of a matrix A R n n if the linear system Ax = λx has at least one non-zero solution If Ax = λx
More informationOne sided tests. An example of a two sided alternative is what we ve been using for our two sample tests:
One sided tests So far all of our tests have been two sided. While this may be a bit easier to understand, this is often not the best way to do a hypothesis test. One simple thing that we can do to get
More informationChapter 15. Probability Rules! Copyright 2012, 2008, 2005 Pearson Education, Inc.
Chapter 15 Probability Rules! Copyright 2012, 2008, 2005 Pearson Education, Inc. The General Addition Rule When two events A and B are disjoint, we can use the addition rule for disjoint events from Chapter
More informationOrdinary Least Squares Linear Regression
Ordinary Least Squares Linear Regression Ryan P. Adams COS 324 Elements of Machine Learning Princeton University Linear regression is one of the simplest and most fundamental modeling ideas in statistics
More informationTutorial on Principal Component Analysis
Tutorial on Principal Component Analysis Copyright c 1997, 2003 Javier R. Movellan. This is an open source document. Permission is granted to copy, distribute and/or modify this document under the terms
More informationPhysics 225 Relativity and Math Applications. Fall Unit 7 The 4-vectors of Dynamics
Physics 225 Relativity and Math Applications Fall 2011 Unit 7 The 4-vectors of Dynamics N.C.R. Makins University of Illinois at Urbana-Champaign 2010 Physics 225 7.2 7.2 Physics 225 7.3 Unit 7: The 4-vectors
More informationLecture 13. Principal Component Analysis. Brett Bernstein. April 25, CDS at NYU. Brett Bernstein (CDS at NYU) Lecture 13 April 25, / 26
Principal Component Analysis Brett Bernstein CDS at NYU April 25, 2017 Brett Bernstein (CDS at NYU) Lecture 13 April 25, 2017 1 / 26 Initial Question Intro Question Question Let S R n n be symmetric. 1
More informationPredicting AGI: What can we say when we know so little?
Predicting AGI: What can we say when we know so little? Fallenstein, Benja Mennen, Alex December 2, 2013 (Working Paper) 1 Time to taxi Our situation now looks fairly similar to our situation 20 years
More informationPRINCIPAL COMPONENTS ANALYSIS
121 CHAPTER 11 PRINCIPAL COMPONENTS ANALYSIS We now have the tools necessary to discuss one of the most important concepts in mathematical statistics: Principal Components Analysis (PCA). PCA involves
More informationIntroduction to Algebra: The First Week
Introduction to Algebra: The First Week Background: According to the thermostat on the wall, the temperature in the classroom right now is 72 degrees Fahrenheit. I want to write to my friend in Europe,
More informationCS168: The Modern Algorithmic Toolbox Lecture #7: Understanding Principal Component Analysis (PCA)
CS68: The Modern Algorithmic Toolbox Lecture #7: Understanding Principal Component Analysis (PCA) Tim Roughgarden & Gregory Valiant April 0, 05 Introduction. Lecture Goal Principal components analysis
More informationCPSC 340: Machine Learning and Data Mining. Sparse Matrix Factorization Fall 2018
CPSC 340: Machine Learning and Data Mining Sparse Matrix Factorization Fall 2018 Last Time: PCA with Orthogonal/Sequential Basis When k = 1, PCA has a scaling problem. When k > 1, have scaling, rotation,
More informationMITOCW ocw f99-lec30_300k
MITOCW ocw-18.06-f99-lec30_300k OK, this is the lecture on linear transformations. Actually, linear algebra courses used to begin with this lecture, so you could say I'm beginning this course again by
More informationUNITED STATES SECURITIES AND EXCHANGE COMMISSION FORM 8-K. Farmer Bros. Co.
UNITED STATES SECURITIES AND EXCHANGE COMMISSION Washington, D.C. 20549 FORM 8-K CURRENT REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934 Date of Report (Date of earliest event
More information