abstract interpretation of symbolic execution for
play

Abstract Interpretation of Symbolic Execution for Information Flow - PowerPoint PPT Presentation

Jun 09, 2023 •28 likes •528 views

Abstract Interpretation of Symbolic Execution for Information Flow Analysis Reiner H ahnle joint work with: Richard Bubel & Benjamin Wei Chalmers University of Technology, Gothenburg, Sweden 23 October 2008 http://mobius.inria.fr

  1. Abstract Interpretation of Symbolic Execution for Information Flow Analysis Reiner H¨ ahnle joint work with: Richard Bubel & Benjamin Weiß Chalmers University of Technology, Gothenburg, Sweden 23 October 2008 http://mobius.inria.fr Reiner H¨ ahnle FMCO-8 081023 1 / 19

  2. Work in Progress Warning Reiner H¨ ahnle FMCO-8 081023 2 / 19

  3. Overview Mobius: Mobility, Ubiquity and Security Proof-carrying code for Java on mobile devices FP6 Integrated Project developing novel technologies for trustworthy global computing, using proof-carrying code to give users independent guarantees of the safety and security of Java applications for mobile phones and PDAs Innovative trust management, digital evidence of program behavior Static enforcement, checking code before it starts Modularity, building trusted applications from trusted components Reiner H¨ ahnle FMCO-8 081023 3 / 19

  4. Overview Mobius: Mobility, Ubiquity and Security Proof-carrying code for Java on mobile devices FP6 Integrated Project developing novel technologies for trustworthy global computing, using proof-carrying code to give users independent guarantees of the safety and security of Java applications for mobile phones and PDAs Innovative trust management, digital evidence of program behavior Static enforcement, checking code before it starts Modularity, building trusted applications from trusted components This talk Integration of the two Mobius approaches for PCC basis Type Systems, type checking Program Logics, theorem proving Reiner H¨ ahnle FMCO-8 081023 3 / 19

  5. Type Systems vs. Program Logics Type Systems Program Logics Automatic, decidable Interactive systems Low precision High precision Formal specification Fixed precision Scaling to Java ? Java Card + (byte/source) Reiner H¨ ahnle FMCO-8 081023 4 / 19

  6. Type Systems vs. Program Logics Type Systems Program Logics Automatic, decidable Interactive systems Low precision High precision Formal specification Fixed precision Scaling to Java ? Java Card + (byte/source) Integration? Synergies? Reiner H¨ ahnle FMCO-8 081023 4 / 19

  7. Integration of a Type System into a Program Logic Security properties often guaranteed by dedicated type systems Non-Interference Low (public) variables depend not on High (secret) ones Declassification Non-interference relativized to common knowledge Reiner H¨ ahnle FMCO-8 081023 5 / 19

  8. Integration of a Type System into a Program Logic Security properties often guaranteed by dedicated type systems Non-Interference Low (public) variables depend not on High (secret) ones Declassification Non-interference relativized to common knowledge H¨ ahnle et al., Integration of a Security Type System into a Program Logic, TCS 402(2/3), pp172–189, 2008 Translate Hunt-Sands flow-sensitive type system into program logic Type derivation = sequent calculus proof = symbolic execution Common semantics and calculus for type/deductive analysis Reiner H¨ ahnle FMCO-8 081023 5 / 19

  9. Integration of a Type System into a Program Logic Security properties often guaranteed by dedicated type systems Non-Interference Low (public) variables depend not on High (secret) ones Declassification Non-interference relativized to common knowledge H¨ ahnle et al., Integration of a Security Type System into a Program Logic, TCS 402(2/3), pp172–189, 2008 Translate Hunt-Sands flow-sensitive type system into program logic Type derivation = sequent calculus proof = symbolic execution Common semantics and calculus for type/deductive analysis Achieved integration, but at price of some drawbacks Adaptation to other type systems remains non-trivial effort Toy language, incompatible to KeY’s Java Card program logic Reiner H¨ ahnle FMCO-8 081023 5 / 19

  10. Basis for Reasoning about Java Card Programs KeY System: Java Program Logic & Verifier Sequent calculus for Java program logic Sequent calculus proof = symbolic execution + invariant rule Interactive prover with high degree of automation, e.g.: Correctness of Mondex reference implementation (1 interaction) Correctness of Java Card API reference implementation Java Card Java KeY Java Reiner H¨ ahnle FMCO-8 081023 6 / 19

  11. Symbolic Execution in a Program Logic Symbolic execution of conditional Γ , b . Γ , b . = true = ⇒ [ p; rest ] φ, ∆ = false = ⇒ [ q; rest ] φ, ∆ if Γ = ⇒ [ if (b) { p } else { q }; rest ] φ, ∆ May require case split into different symbolic execution branches Reiner H¨ ahnle FMCO-8 081023 7 / 19

  12. Symbolic Execution in a Program Logic Symbolic execution of conditional Γ , b . Γ , b . = true = ⇒ [ p; rest ] φ, ∆ = false = ⇒ [ q; rest ] φ, ∆ if Γ = ⇒ [ if (b) { p } else { q }; rest ] φ, ∆ May require case split into different symbolic execution branches Symbolic execution of loops: Γ = ⇒ [ if (b) { p; while (b) p}; r ] φ, ∆ unwindLoop Γ = ⇒ [ while (b) {p}; r ] φ, ∆ No termination if no fixed loop bound can be determined Reiner H¨ ahnle FMCO-8 081023 7 / 19

  13. The Challenge Modular integration of (security) type system with ( Java ) program logic Reiner H¨ ahnle FMCO-8 081023 8 / 19

  14. The Challenge Modular integration of (security) type system with ( Java ) program logic Program logic: x = (x % 2 * y)* z - 327; precise symbolic execution

  15. The Challenge Modular integration of (security) type system with ( Java ) program logic Program logic: x = (x % 2 * y)* z - 327; precise symbolic execution Hunt-Sands type system viewed as x = (x, y, z); bookkeeping of variable dependencies

  16. The Challenge Modular integration of (security) type system with ( Java ) program logic Program logic: x = (x % 2 * y)* z - 327; precise symbolic execution Abstraction Hunt-Sands type system viewed as x = (x, y, z); bookkeeping of variable dependencies Reiner H¨ ahnle FMCO-8 081023 8 / 19

  17. The Challenge Modular integration of (security) type system with ( Java ) program logic Program logic: x = (x % 2 * y)* z - 327; precise symbolic execution Abstraction Hunt-Sands type system viewed as x = (x, y, z); bookkeeping of variable dependencies Our Idea View type derivation as abstract interpretation of symbolic computation Reiner H¨ ahnle FMCO-8 081023 8 / 19

  18. Abstraction from Symbolic Execution Abstraction α Concrete Abstract Domain Domain Sets of Java states Set of typings t : Loc → 2 Loc { s : Loc → D} (set lattice) (set lattice) Concretization γ γ ( α ( S )) α ( S ) S Reiner H¨ ahnle FMCO-8 081023 9 / 19

  19. Abstraction from Symbolic Execution Abstraction α Concrete Abstract Domain Domain Sets of Java states Set of typings t : Loc → 2 Loc { s : Loc → D} (set lattice) (set lattice) Concretization γ γ ( α ( S )) α ( S ) S Symbolic execution as concrete domain in abstract interpretation Reiner H¨ ahnle FMCO-8 081023 9 / 19

  20. Program Logic vs. Abstract Interpretation Symbolic execution as concrete domain in abstract interpretation Program Logic Abstract Interpretation Program representation abstract syntax tree control flow graph Merging execution paths unusual, but possible yes Computation states implicit explicit Value Computation symbolic concrete Node semantics single path collecting Loop treatment invariant from user fixed point Termination in general, no if no ∞ chains Reiner H¨ ahnle FMCO-8 081023 10 / 19

  21. Program Logic vs. Abstract Interpretation Symbolic execution as concrete domain in abstract interpretation Program Logic Abstract Interpretation Program representation abstract syntax tree control flow graph Merging execution paths unusual, but possible yes Computation states implicit explicit Value Computation symbolic concrete Node semantics single path collecting Loop treatment invariant from user fixed point Termination in general, no if no ∞ chains Unwind control flow graph or permit sequent proof dag (Leino InfProL’05, Schmitt & Weiß VERIFY’07) Reiner H¨ ahnle FMCO-8 081023 10 / 19

  22. Program Logic vs. Abstract Interpretation Symbolic execution as concrete domain in abstract interpretation Program Logic Abstract Interpretation Program representation abstract syntax tree control flow graph Merging execution paths unusual, but possible yes Computation states implicit explicit Value Computation symbolic concrete Node semantics single path collecting Loop treatment invariant from user fixed point Termination in general, no if no ∞ chains Identify symbolic expression (formula) with set of its models Symbolic execution converges against collecting semantics Reiner H¨ ahnle FMCO-8 081023 10 / 19

  23. Program Logic vs. Abstract Interpretation Symbolic execution as concrete domain in abstract interpretation Program Logic Abstract Interpretation Program representation abstract syntax tree control flow graph Merging execution paths unusual, but possible yes Computation states implicit explicit Value Computation symbolic concrete Node semantics single path collecting Loop treatment invariant from user fixed point Termination in general, no if no ∞ chains Remaining issues: state representation and loop treatment Reiner H¨ ahnle FMCO-8 081023 10 / 19

Recommend

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Abstract interpretation based Analysis [FPCA 95], Predicate Abstraction [Mannas festschrift

Abstract interpretation based Analysis [FPCA 95], Predicate Abstraction [Mannas festschrift

Abstract interpretation The Verification Grand Challenge - Abstract interpretation is a mathematical theory of - - and Abstract Interpretation sound approximation of properties of formal sys- tems (including program specifications, semantics,

422 views • 10 slides
Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin & Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

568 views • 34 slides
Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

CSE 403: Software Engineering, Winter 2016 courses.cs.washington.edu/courses/cse403/16wi/ Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution? How does it work? State-of-the-art tools 2

637 views • 34 slides
Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem Visser) Docker Image Install Docker Download: https://docs.docker.com/engine/installation/ Check: docker --version

446 views • 10 slides
Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav Nodar Petar Martin He Balunovic Ambroladze Tsankov Vechev Random Fuzzing vs. Symbolic Execution Random Fuzzing Symbolic Execution Fast Slow

633 views • 29 slides
Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College London Invited talk at SMT 2015 18 July, San Francisco, CA, USA Dynamic Symbolic Execution Dynamic symbolic execution is a technique for

660 views • 53 slides
Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths Symbolic Execution and Proof of Effects of the execution on program state Properties Bridges program behavior to logic Finds important

309 views • 6 slides
Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Benedikt Becker, Claude

1.71k views • 115 slides
An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar Department of Computing Imperial College London 14 th TAROT Summer School UCL, London, 3 July 2018 Dynamic Symbolic Execution Dynamic symbolic

856 views • 56 slides
Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank Busse Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in

1.04k views • 70 slides
Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef @vanhoefm USENIX WOOT, Baltimore, US, 14 August 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic

446 views • 41 slides
Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson, "Applications of Symbolic Evaluation," Journal of Systems and Software, 5 (1), January 1985, pp.15-35. Symbolic Evaluation/Execution

1.07k views • 60 slides
Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of London Joint work with: Stefan Bucur, George Candea, Volodymyr Kuznetsov @ EPFL Symbolic Execution Automatically explore program paths

2.34k views • 200 slides
Correctness of Abstract Interpretation Deepak Dsouza and K. V. Raghavan Summary: What is an

Correctness of Abstract Interpretation Deepak Dsouza and K. V. Raghavan Summary: What is an

Correctness of Abstract Interpretation Deepak Dsouza and K. V. Raghavan Summary: What is an abstract interpretation (AI)? Given: A complete join semi-lattice D . This is the abstract semantic domain. A monotonic

297 views • 25 slides
Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in industry IntelliTest, SAGE Angr KLOVER 2 Why symbolic execution? No

916 views • 73 slides
Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90: Software Security Symbolic Execution Ahmed Rezine Hoare Triples and Deductive Reasoning IDA, Linkpings Universitet Hsttermin 2014 Static

373 views • 6 slides
Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security Ahmed Rezine IDA, Linkpings Universitet Hsttermin 2020 Outline Overview Symbolic Execution Hoare Triples and Deductive Reasoning Outline

767 views • 33 slides
Flip a bit, grab a key: Symbolic execution edition Jasper van Woudenberg @jzvw CTO Riscure

Flip a bit, grab a key: Symbolic execution edition Jasper van Woudenberg @jzvw CTO Riscure

Flip a bit, grab a key: Symbolic execution edition Jasper van Woudenberg @jzvw CTO Riscure North America public Concrete execution r1 = 0xBE; r2 = 0x08 mov r1,r2 add r1,0x10 r1 = 0x18; r2 = 0x08 public 2 Symbolic execution r1 = 0xBE;

470 views • 31 slides
Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean

Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean

11/27/2011 Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean Harrold Supported by NSF (CCF-0725202, CCF-0541048) and IBM (Software Quality Innovation Award) Symbolic Execution 35 Databases 30

558 views • 22 slides
Multi-Solver Support in Symbolic Execution Hristina Palikareva, Cristian Cadar SMT Workshop 2014,

Multi-Solver Support in Symbolic Execution Hristina Palikareva, Cristian Cadar SMT Workshop 2014,

Multi-Solver Support in Symbolic Execution Hristina Palikareva, Cristian Cadar SMT Workshop 2014, Vienna, 17 July 2014 Dynamic Symbolic Execution Automated program analysis technique that employs an SMT solver to systematically explore paths

503 views • 39 slides
Symbolic Execution Mathy Vanhoef @vanhoefm HITB DXB 2018, Dubai, 27 November 2018 Overview

Symbolic Execution Mathy Vanhoef @vanhoefm HITB DXB 2018, Dubai, 27 November 2018 Overview

Rooting Routers Using Symbolic Execution Mathy Vanhoef @vanhoefm HITB DXB 2018, Dubai, 27 November 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic Execution 4-way handshake Handling Crypto

1.17k views • 88 slides

More recommend