Exploit Generation for Information Flow Leaks in Object-Oriented Programs
Reiner Hähnle (joint work with Richard Bubel and Quoc Huy Do)
Dagstuhl Seminar 15381: Information from Deduction: Models and Proofs, September 15, 2015
September 15, 2015 | TUD | R. Hähnle | 1
Approach
Goal: Exploit generation to demonstrate insecure information flow
◮ Input: IF policy specification + target program
◮ Symbolic execution (SE) with loop & method specifications. SE as proof attempt: seamless interleaving of state simplification & infeasible path elimination
◮ Construction of the insecurity formula
◮ Model extraction from the insecurity formula by SMT solvers
◮ Exploit generation as (xUnit) tests
Framework
The same pipeline applies to other relational properties: regression of behaviour, fault propagation, . . .
Goal: Witness generation to demonstrate violation of a relational property
◮ Input: relational specification + target program
◮ Symbolic execution (SE) with loop & method specifications. SE as proof attempt: seamless interleaving of state simplification & infeasible path elimination
◮ Construction of witness formulas
◮ Model extraction from witness formulas by SMT solvers
◮ Witness generation as (xUnit) tests
Information Flow
Diagram: confidential input and public input enter the system, observable output leaves it. The question marked "?" is whether the confidential input influences the observable output.
Information flow security
◮ Ensure confidential information is not leaked
◮ Ensuring information flow security:
  ◮ Static analyses: type-based systems, deductive verification
  ◮ Dynamic analyses: runtime monitoring, secure multi-execution
Noninterference
Diagram: a high variable (secret input) and a low variable (public input) enter the program; the low variable (observable output) leaves it.
Definition
◮ Policy $NI = (Low, High)$: $Low, High \subseteq Var$, $Low \,\dot\cup\, High = Var$, with $Var$ the set of all variables of program $p$
◮ Program $p$ satisfies $NI$ iff for any two traces $Tr_1, Tr_2$ of $p$ it holds that
  $init(Tr_1) \simeq_{Low} init(Tr_2) \Rightarrow final(Tr_1) \simeq_{Low} final(Tr_2)$
  where $init(X)$, $final(X)$ denote the initial and the final state of a trace $X$
Noninterference is too strict: many secure programs are classified as insecure
Declassification
E-voting system: the votes $vote_1, \dots, vote_n$ are aggregated into the result, the tallies for A and B. The escape hatch is
$e = \Big(\sum_{i=1}^{n} (vote_i = A\ ?\ 1;\ 0),\ \sum_{i=1}^{n} (vote_i = B\ ?\ 1;\ 0)\Big)$
Delimited Release
◮ Policy $Decl = (Low, High, e)$, where $e$ is the escape hatch expression
◮ Program $p$ satisfies $Decl$ iff for any two traces $Tr_1, Tr_2$ of $p$ it holds that
  $[\![e]\!]_{init(Tr_1)} = [\![e]\!]_{init(Tr_2)} \wedge init(Tr_1) \simeq_{Low} init(Tr_2) \Rightarrow final(Tr_1) \simeq_{Low} final(Tr_2)$
Noninterference as Deductive Verification
The Hoare triple: $\{Pre\}\ p\ \{Post\}$
Self-composition [Darvas, Hähnle & Sands 2003/05]
◮ Program $p(l, h)$, for simplicity with $Low = \{l\}$, $High = \{h\}$
◮ $p(l', h')$ is obtained as a copy of $p$ in which fresh variables $l'$, $h'$ replace $l$, $h$
◮ Formalization of noninterference policy $NI = (Low, High)$: $\{l \doteq l'\}\ p(l, h);\ p(l', h')\ \{l \doteq l'\}$
Drawback: program $p$ must be analysed twice
Idea: compute the weakest precondition of $p$ before self-composition
Symbolic Execution
Program:
    if (x >= 0) { y=y-1; } else { y=y+1; }
    y=2*y;
Symbolic execution tree, starting from the symbolic initial state $(x := x_0, y := y_0)$:
◮ the conditional splits the state $(x_0, y_0)$ under the path condition $x_0 \geq 0$ (then branch) resp. $x_0 < 0$ (else branch)
◮ after the branch bodies: $(x_0, y_0 - 1)$ resp. $(x_0, y_0 + 1)$
◮ after y=2*y: $(x_0, 2 * (y_0 - 1))$ resp. $(x_0, 2 * (y_0 + 1))$
◮ symbolic final states: $(x = x_0, y = 2 * (y_0 - 1))$ under path condition $x_0 \geq 0$, and $(x = x_0, y = 2 * (y_0 + 1))$ under path condition $x_0 < 0$
Self-composition by Symbolic Execution
Symbolic execution of $p(l, h)$ yields paths $1, 2, \dots, n$; path $i$ has path condition $pc_i(l, h)$ and symbolic output value $l = f_i^l(l, h)$. Symbolic execution of the copy $p(l', h')$ yields paths $1, 2, \dots, n$ as well; path $j$ has path condition $pc_j(l', h')$ and symbolic output value $l' = f_j^l(l', h')$.
Formalizing noninterference by self-composition: $\{l \doteq l'\}\ p(l, h);\ p(l', h')\ \{l \doteq l'\}$
Formalizing noninterference by symbolic execution:
$\bigwedge_{1 \leq i, j \leq n} \big( l = l' \wedge pc_i(l, h) \wedge pc_j(l', h') \Rightarrow f_i^l(l, h) = f_j^l(l', h') \big)$
Program $p$ is insecure iff the insecurity formula is satisfiable:
$\bigvee_{1 \leq i, j \leq n} \underbrace{\big( l = l' \wedge pc_i(l, h) \wedge pc_j(l', h') \wedge f_i^l(l, h) \neq f_j^l(l', h') \big)}_{Leak_{ij}}$