exploit generation for information flow leaks in object
play

Exploit Generation for Information Flow Leaks in Object-Oriented - PowerPoint PPT Presentation

Aug 31, 2022 •409 likes •920 views

Exploit Generation for Information Flow Leaks in Object-Oriented Programs Reiner Hhnle (joint work with Richard Bubel and Quoc Huy Do) Dagstuhl Seminar 15381 Information from Deduction: Models and Proofs September 15, 2015 September 15,

  1. Exploit Generation for Information Flow Leaks in Object-Oriented Programs Reiner Hähnle (joint work with Richard Bubel and Quoc Huy Do) Dagstuhl Seminar 15381 Information from Deduction: Models and Proofs September 15, 2015 September 15, 2015 | TUD | R. Hähnle | 1

  2. Approach Goal: Exploit generation to demonstrate insecure information flow IF Policy Specification + Target Program September 15, 2015 | TUD | R. Hähnle | 2

  3. Approach Goal: Exploit generation to demonstrate insecure information flow IF Policy Specification + Target Program Symbolic Execution (SE) with Loop & Method Specifications September 15, 2015 | TUD | R. Hähnle | 2

  4. Approach Goal: Exploit generation to demonstrate insecure information flow IF Policy Specification + Target Program Symbolic Execution (SE) with Loop & Method Specifications SE as Proof Attempt Seamless interleaving of state simplification & infeasible path elimination September 15, 2015 | TUD | R. Hähnle | 2

  5. Approach Goal: Exploit generation to demonstrate insecure information flow IF Policy Specification + Target Program Symbolic Execution (SE) Construction of with Loop & Method Insecurity Specifications Formula SE as Proof Attempt Seamless interleaving of state simplification & infeasible path elimination September 15, 2015 | TUD | R. Hähnle | 2

  6. Approach Goal: Exploit generation to demonstrate insecure information flow IF Policy Specification + Target Program Symbolic Execution (SE) Construction of Model Extraction with Loop & Method Insecurity From Specifications Formula Insecurity Formula SE as Proof Attempt Seamless interleaving of state simplification & infeasible path elimination September 15, 2015 | TUD | R. Hähnle | 2

  7. Approach Goal: Exploit generation to demonstrate insecure information flow IF Policy Specification + Target Program Model Extraction by SMT solvers Symbolic Execution (SE) Construction of Model Extraction with Loop & Method Insecurity From Specifications Formula Insecurity Formula SE as Proof Attempt Seamless interleaving of state simplification & infeasible path elimination September 15, 2015 | TUD | R. Hähnle | 2

  8. Approach Goal: Exploit generation to demonstrate insecure information flow IF Policy Specification + Target Program Model Extraction by SMT solvers Symbolic Execution (SE) Construction of Model Extraction with Loop & Method Insecurity From Specifications Formula Insecurity Formula SE as Proof Attempt Exploit Generation Seamless interleaving of state simplification & As (xUnit) Tests infeasible path elimination September 15, 2015 | TUD | R. Hähnle | 2

  9. Framework Regression of Behaviour, Fault Propagation, . . . Goal: Witness generation to demonstrate violation of relational property Relational Specification + Target Program Model Extraction by SMT solvers Symbolic Execution (SE) Construction of Model Extraction with Loop & Method Witness From Specifications Formulas Witness Formulas SE as Proof Attempt Witness Generation Seamless interleaving of state simplification & As (xUnit) Tests infeasible path elimination September 15, 2015 | TUD | R. Hähnle | 3

  10. Information Flow Confidential input ? Observable Public input output System September 15, 2015 | TUD | R. Hähnle | 4

  11. Information Flow Confidential input ? Observable Public input output System Information flow security ◮ Ensure confidential information is not leaked ◮ Ensuring Information Flow Security: ◮ Static Analyses: Type-Based Systems, Deductive Verification ◮ Dynamic Analyses: Runtime Monitoring, Secure Multi-Execution September 15, 2015 | TUD | R. Hähnle | 4

  12. Noninterference High variable (Secret input)  Low variable Low variable (Public input) (Observable output) Program Definition ◮ Policy NI = ( Low , High ) : Low , High ⊆ Var , Low ˙ ∪ High = Var with Var = set of all variables of program p ◮ Program p satisfies NI iff. for any two traces Tr 1 , Tr 2 of p , it holds that: init ( Tr 1 ) ≃ Low init ( Tr 2 ) ⇒ final ( Tr 1 ) ≃ Low final ( Tr 2 ) init ( X ), final ( X ): Initial state and final state of a trace X September 15, 2015 | TUD | R. Hähnle | 5

  13. Noninterference High variable (Secret input)  Low variable Low variable (Public input) (Observable output) Program Definition ◮ Policy NI = ( Low , High ) : Low , High ⊆ Var , Low ˙ ∪ High = Var with Var = set of all variables of program p ◮ Program p satisfies NI iff. for any two traces Tr 1 , Tr 2 of p , it holds that: init ( Tr 1 ) ≃ Low init ( Tr 2 ) ⇒ final ( Tr 1 ) ≃ Low final ( Tr 2 ) init ( X ), final ( X ): Initial state and final state of a trace X Noninterference is too strict: Many secure programs are classified as insecure September 15, 2015 | TUD | R. Hähnle | 5

  14. Declassification vote 1 vote 2 Aggregate A result . . B . vote n E-Voting System September 15, 2015 | TUD | R. Hähnle | 6

  15. Declassification vote 1 n � ( vote i = A ?1; 0) vote 2 Aggregate A i =1 result . e . B n . � ( vote i = B ?1; 0) vote n i =1 E-Voting System September 15, 2015 | TUD | R. Hähnle | 6

  16. Declassification vote 1 n � ( vote i = A ?1; 0) vote 2 Aggregate A i =1 result . e . B n . � ( vote i = B ?1; 0) vote n i =1 E-Voting System Delimited Release ◮ Policy Decl = ( Low , High , e ): ◮ e : escape hatch expression ◮ Program p satisfies Decl iff for any two traces Tr 1 , Tr 2 of p , it holds that: ] Init ( Tr 2 ) ∧ init ( Tr 1 ) ≃ Low init ( Tr 2 ) ⇒ final ( Tr 1 ) ≃ Low final ( Tr 2 ) [ [ e ] ] Init ( Tr 1 ) = [ [ e ] September 15, 2015 | TUD | R. Hähnle | 6

  17. Noninterference as Deductive Verification The Hoare triple: { Pre } p { Post } September 15, 2015 | TUD | R. Hähnle | 7

  18. Noninterference as Deductive Verification The Hoare triple: { Pre } p { Post } Self-composition [Darvas, Hähnle & Sands 2003/05] ◮ Program p ( l , h ) for simplicity with Low = { l } , High = { h } ◮ p ( l ′ , h ′ ) is obtained as a copy of p with fresh variables l for l ′ , h for h ′ ◮ Formalization of noninterference policy NI = ( Low , High ): { l . = l ′ } p ( l , h ); p ( l ′ , h ′ ) { l . = l ′ } Drawback: Program p must be analysed twice Idea: Compute weakest precondition of p before self-composition September 15, 2015 | TUD | R. Hähnle | 7

  19. Symbolic Execution if (x >= 0) { y=y-1; } else { y=y+1; } y=2*y; September 15, 2015 | TUD | R. Hähnle | 8

  20. Symbolic Execution ( x := x 0 , y := y 0 ) if (x >= 0) { y=y-1; } else { y=y+1; } y=2*y; September 15, 2015 | TUD | R. Hähnle | 8

  21. Symbolic Execution ( x := x 0 , y := y 0 ) ( x 0 , y 0 ) if (x >= 0) { x 0 ≥ 0 x 0 < 0 y=y-1; } ( x 0 , y 0 ) ( x 0 , y 0 ) else { ( x 0 , y 0 − 1) ( x 0 , y 0 + 1) y=y+1; } y=2*y; ( x 0 , 2 ∗ ( y 0 − 1)) ( x 0 , 2 ∗ ( y 0 + 1)) September 15, 2015 | TUD | R. Hähnle | 8

  22. Symbolic Execution path condition ( x := x 0 , y := y 0 ) ( x 0 , y 0 ) if (x >= 0) { x 0 ≥ 0 x 0 < 0 y=y-1; } ( x 0 , y 0 ) ( x 0 , y 0 ) else { ( x 0 , y 0 − 1) ( x 0 , y 0 + 1) y=y+1; } y=2*y; ( x 0 , 2 ∗ ( y 0 − 1)) ( x 0 , 2 ∗ ( y 0 + 1)) September 15, 2015 | TUD | R. Hähnle | 8

  23. Symbolic Execution path condition ( x := x 0 , y := y 0 ) ( x 0 , y 0 ) if (x >= 0) { x 0 ≥ 0 x 0 < 0 y=y-1; } ( x 0 , y 0 ) ( x 0 , y 0 ) else { ( x 0 , y 0 − 1) ( x 0 , y 0 + 1) y=y+1; } y=2*y; ( x 0 , 2 ∗ ( y 0 − 1)) ( x 0 , 2 ∗ ( y 0 + 1)) ( x = x 0 , y = 2 ∗ ( y 0 − 1)) ( x = x 0 , y = 2 ∗ ( y 0 + 1)) symbolic final state September 15, 2015 | TUD | R. Hähnle | 8

  24. Self-composition by Symbolic Execution p (l',h') p (l,h) path condition: path condition: pc i (l,h) pc j (l',h') symbolic output value: symbolic output value: l = f i l (l,h) l' = f j l (l',h') ... 1 2 ... i j ... n September 15, 2015 | TUD | R. Hähnle | 9

  25. Self-composition by Symbolic Execution p (l',h') p (l,h) path condition: path condition: pc i (l,h) pc j (l',h') symbolic output value: symbolic output value: l = f i l (l,h) l' = f j l (l',h') ... 1 2 ... i j ... n Formalizing noninterference by self-composition: { l . = l ′ } p ( l , h ); p ( l ′ , h ′ ) { l . = l ′ } September 15, 2015 | TUD | R. Hähnle | 9

  26. Self-composition by Symbolic Execution p (l',h') p (l,h) path condition: path condition: pc i (l,h) pc j (l',h') symbolic output value: symbolic output value: l = f i l (l,h) l' = f j l (l',h') ... 1 2 ... i j ... n Formalizing noninterference by self-composition: { l . = l ′ } p ( l , h ); p ( l ′ , h ′ ) { l . = l ′ } Formalizing noninterference by symbolic execution: � ( l = l ′ ∧ pc i ( l , h ) ∧ pc j ( l ′ , h ′ ) ⇒ f l i ( l , h ) = f l j ( l ′ , h ′ )) 1 ≤ i , j ≤ n September 15, 2015 | TUD | R. Hähnle | 9

  27. Self-composition by Symbolic Execution p (l',h') p (l,h) path condition: path condition: pc i (l,h) pc j (l',h') symbolic output value: symbolic output value: l = f i l (l,h) l' = f j l (l',h') ... 1 2 ... i j ... n Program p is insecure iff insecurity formula is satisfiable: � ( l = l ′ ∧ pc i ( l , h ) ∧ pc j ( l ′ , h ′ ) ∧ f l i ( l , h ) � = f l j ( l ′ , h ′ )) 1 ≤ i , j ≤ n � �� � Leak ij September 15, 2015 | TUD | R. Hähnle | 10

Recommend

IC OFF THE RECORD: Direct access to leaked information related to the surveillance activities of

IC OFF THE RECORD: Direct access to leaked information related to the surveillance activities of

NSA PRISM Slides - IC OFF THE RECORD 11.06.18 14:18 2013 LEAKS 2014 LEAKS 2015 LEAKS 2016 LEAKS 2017 LEAKS 2018 LEAKS IC OFF THE RECORD: Direct access to leaked information related to the

480 views • 18 slides
Plugging Side-Channel Leaks with Timing Information Flow Control Bryan Ford Yale University

Plugging Side-Channel Leaks with Timing Information Flow Control Bryan Ford Yale University

Plugging Side-Channel Leaks with Timing Information Flow Control Bryan Ford Yale University http://dedis.cs.yale.edu/ USENIX HotCloud, June 13, 2012 The Long History of Timing Attacks Cooperative attacks apply to: Mandatory Access

359 views • 21 slides
Automatic Exploit Generation an Odyssey Sophia DAntoine CanSecWest 2016 Introduction

Automatic Exploit Generation an Odyssey Sophia DAntoine CanSecWest 2016 Introduction

Automatic Exploit Generation an Odyssey Sophia DAntoine CanSecWest 2016 Introduction Programs have become increasingly difficult to exploit larger, changing surface area mitigations more bytes to siphon through 10/22/2015

652 views • 46 slides
FUZE: Towards Facilitating Exploit Generation for Kernel Use-After- Free Vulnerabilities Wei Wu

FUZE: Towards Facilitating Exploit Generation for Kernel Use-After- Free Vulnerabilities Wei Wu

FUZE: Towards Facilitating Exploit Generation for Kernel Use-After- Free Vulnerabilities Wei Wu 1,2,3 , Yueqi Chen 2 , Jun Xu 2 , Xinyu Xing 2 , XiaoruiGong 1,3 , and Wei Zou 1,3 1. School of Cyber Security, University of Chinese Academy of

782 views • 29 slides
Q: Exploit Hardening Made Easy Edward J. Schwartz, Thanassis Avgerinos, and David Brumley

Q: Exploit Hardening Made Easy Edward J. Schwartz, Thanassis Avgerinos, and David Brumley

Q: Exploit Hardening Made Easy Edward J. Schwartz, Thanassis Avgerinos, and David Brumley Carnegie Mellon University 8/15/2011 1 Downloading Exploits I found a Exploit control flow hijack exploit online! Evil Ed Windows 7 8/15/2011 2

837 views • 58 slides
EthPloit : From Fuzzing to Efficient Exploit Generation against Smart Contracts Qingzhao Zhang 1,2

EthPloit : From Fuzzing to Efficient Exploit Generation against Smart Contracts Qingzhao Zhang 1,2

EthPloit : From Fuzzing to Efficient Exploit Generation against Smart Contracts Qingzhao Zhang 1,2 , Yizhuo Wang 1 , Juanru Li 1 , Siqi Ma 3 1 Shanghai Jiao Tong University , China 2 University of Michigan , America 3 Data 61, CSIRO , Australia

918 views • 38 slides
MA/CSSE 473 Day 16 Combinatorial Object Generation Permutations MA/CSSE 473 Day 16 No new

MA/CSSE 473 Day 16 Combinatorial Object Generation Permutations MA/CSSE 473 Day 16 No new

MA/CSSE 473 Day 16 Combinatorial Object Generation Permutations MA/CSSE 473 Day 16 No new announcements Student Questions Combinatorial Object Generation Intro Permutation generation Q1 Permutations Subsets

450 views • 15 slides
Next Generation OMG Object Management Architecture Craig Thompson Object Services and Consulting,

Next Generation OMG Object Management Architecture Craig Thompson Object Services and Consulting,

Object Services and Consulting, Inc. Thoughts on OMA-NG: Next Generation OMG Object Management Architecture Craig Thompson Object Services and Consulting, Inc. (OBJS) Ted Linden and Bob Filman Microelectronics and Computer Technology

515 views • 13 slides
Object Flow Analysis Taking an Object-centric View on Dynamic Analysis Adrian Lienhard 1 ,

Object Flow Analysis Taking an Object-centric View on Dynamic Analysis Adrian Lienhard 1 ,

Object Flow Analysis Taking an Object-centric View on Dynamic Analysis Adrian Lienhard 1 , Stphane Ducasse 2 and T udor Grba 1 1 Software Composition Group, University of Bern, Switzerland 2 LISTIC, University of Savoie, France A missing

376 views • 21 slides
May 15: Information Flow and Confinement Information flow for integrity policies Examples

May 15: Information Flow and Confinement Information flow for integrity policies Examples

May 15: Information Flow and Confinement Information flow for integrity policies Examples of information flow controls Android phone Firewalls Confinement Virtual machines May 15, 2017 ECS 235B Spring Quarter 2017 Slide

487 views • 32 slides
4th Generation 4th Generation Obj Object Databases t D t b (we are not alone 3 more nosql events

4th Generation 4th Generation Obj Object Databases t D t b (we are not alone 3 more nosql events

N SQL Berlin N SQL Berlin Prof. Dr. Stefan Edlich 4th Generation 4th Generation Obj Object Databases t D t b (we are not alone 3 more nosql events to come in 2009 : ) (we are not alone. 3 more nosql events to come in 2009 : ) Object

404 views • 23 slides
In the news Data Leaks Mar 19 Apr 19 Mar 18 shutdown after data leaks exposed user

In the news Data Leaks Mar 19 Apr 19 Mar 18 shutdown after data leaks exposed user

In the news Data Leaks Mar 19 Apr 19 Mar 18 shutdown after data leaks exposed user data passwords stored in readable format 1B 600M 0.5M Data Breaches Cost of a Data Breach Study www.ibm.com/security/data-breach

677 views • 35 slides
Exploit-Generation with Acceleration Daniel Kroening, Matt Lewis, Georg Weissenbacher

Exploit-Generation with Acceleration Daniel Kroening, Matt Lewis, Georg Weissenbacher

Exploit-Generation with Acceleration Daniel Kroening, Matt Lewis, Georg Weissenbacher Under-Approximating Loops in C Programs for Fast Counterexample Detection Daniel Kroening, Matt Lewis, Georg Weissenbacher, CAV 2013

373 views • 25 slides
Detecting Stack Based kernel Information Leaks. S. Peir o , M. Mu noz, M. Masmano, A. Crespo

Detecting Stack Based kernel Information Leaks. S. Peir o , M. Mu noz, M. Masmano, A. Crespo

Detecting Stack Based kernel Information Leaks. S. Peir o , M. Mu noz, M. Masmano, A. Crespo Instituto de Autom atica e Inform atica Industrial Universitat Polit` ecnica de Val` encia, Spain { speiro, mmu noz, mmasmano, acrespo }

379 views • 18 slides
Automatically quantifying information leaks in software CREST January 2012 Pasquale Malacaria

Automatically quantifying information leaks in software CREST January 2012 Pasquale Malacaria

Automatically quantifying information leaks in software CREST January 2012 Pasquale Malacaria Queen Mary University of London 1 The problem An attacker has some a priori knowledge of the secret which is improved by observing the system

234 views • 21 slides
Decompilation is an information-flow problem (Or, information flow meets program transformation)

Decompilation is an information-flow problem (Or, information flow meets program transformation)

Decompilation is an information-flow problem (Or, information flow meets program transformation) Boris Feigin Computer Laboratory, University of Cambridge PLID 2008 joint work with Alan Mycroft 1 / 22 Motivation Given suitable tools we

605 views • 33 slides
Lead Generation Keeping a steady stream of leads flow ing into your sales pipeline Dale

Lead Generation Keeping a steady stream of leads flow ing into your sales pipeline Dale

Lead Generation Keeping a steady stream of leads flow ing into your sales pipeline Dale DataDale Filhaber President, Dataman Group Direct Author, Lead Generation Made Easier Lead Generation is not an event. It is a well-thought

676 views • 40 slides
Securing Software Systems by Preventing Information Leaks Kangjie Lu Georgia Institute of

Securing Software Systems by Preventing Information Leaks Kangjie Lu Georgia Institute of

Securing Software Systems by Preventing Information Leaks Kangjie Lu Georgia Institute of Technology Computer devices are everywhere 2 Foundational software systems 3 Inherent insecurity: Vulnerabilities and insecure designs Implemented in

774 views • 74 slides
Zero Exploit Tolerance By Jamie Butler and Cody Pierce Confidential and Proprietary Who we are

Zero Exploit Tolerance By Jamie Butler and Cody Pierce Confidential and Proprietary Who we are

Zero Exploit Tolerance By Jamie Butler and Cody Pierce Confidential and Proprietary Who we are The exploit problem Modern software vulnerabilities Hardware-assisted exploit Agenda prevention Prior research

674 views • 45 slides
Program Generation Workflow C**program compiler assembly*code nd* library*object*code

Program Generation Workflow C**program compiler assembly*code nd* library*object*code

Program Generation Workflow C**program compiler assembly*code nd* library*object*code assembler de. . object*code on* linker bels* executable *how* Sean Barker 1 Linking Schematic Executable*file Object*file main:*****

390 views • 4 slides
Object Tracking Computer Vision Fall 2018 Columbia University Homework 5 Released last

Object Tracking Computer Vision Fall 2018 Columbia University Homework 5 Released last

Object Tracking Computer Vision Fall 2018 Columbia University Homework 5 Released last night Due November 26th Start it today no extensions! Optical Flow Optical flow field: assign a flow vector to each pixel Visualize:

656 views • 54 slides
Extending the Charter: Addressing Vulnerability and Exploit Information Yurie Yurie I to I to

Extending the Charter: Addressing Vulnerability and Exploit Information Yurie Yurie I to I to

I ETF I NCH W orking Group Meeting 5 th August 2 0 0 4 , San Diego CA US Extending the Charter: Addressing Vulnerability and Exploit Information Yurie Yurie I to I to I an Bryant I an Bryant Liaison Manager Head, Capability Developm ent

389 views • 22 slides
IP Flow Information eXport IP Flow Information eXport (IPFIX) (IPFIX)

IP Flow Information eXport IP Flow Information eXport (IPFIX) (IPFIX)

IP Flow Information eXport IP Flow Information eXport (IPFIX) (IPFIX) elisa.boschi@hitachi-eu.com {boschi, zseby, mark, hirsch}@fokus.fraunhofer.de Outline Outline IPFIX Terminology Applicability Initial Goals

212 views • 19 slides
MA/CSSE 473 Day 15 BFS Topological Sort Combinatorial Object Generation MA/CSSE 473 Day 15

MA/CSSE 473 Day 15 BFS Topological Sort Combinatorial Object Generation MA/CSSE 473 Day 15

MA/CSSE 473 Day 15 BFS Topological Sort Combinatorial Object Generation MA/CSSE 473 Day 15 HW 6 due tomorrow, HW 7 Friday, Exam next Tuesday HW 8 has been updated for this term. Due Oct 8 ConvexHull implementation problem due Day

384 views • 13 slides

More recommend