formal verification of low level execution platforms
play

Formal verification of low-level execution platforms Roberto - PowerPoint PPT Presentation

Roberto Guanciale Estonian Winter School Day 01 Formal verification of low-level execution platforms Roberto Guanciale Assistant professor Computer Security Department of Theoretical Computer Science @KTH Research interest in Formal


  1. Roberto Guanciale Estonian Winter School Day 01 Formal verification of low-level execution platforms

  2. Roberto Guanciale Assistant professor Computer Security Department of Theoretical Computer Science @KTH Research interest in Formal Verification Enthusiast software developer

  3. Distributed Attacks B A

  4. Distributed Attacks Software vulnerabilities Design flows ● Web parameter injection • Broken authentication •

  5. Distributed Attacks Software vulnerabilities Password re-usage ● Poor Management Social engineering ● Misconfiguration ●

  6. Distributed Attacks Software vulnerabilities Poor Management

  7. OpenSSL 500 000 Lines of Code 1 Buffer Overflow Introduced 2012 Discovered 2014

  8. Apps OS Hardware Host 1 Motivations

  9. Apps OS Hardware Host 1 Motivations

  10. Apps OS Hardware Host 1 Motivations

  11. Apps OS Hardware Host 1 Motivations

  12. Apps OS Hardware Host 1 Motivations

  13. Apps Crypto Service OS Hypervisor Hardware Host 1 Motivations

  14. ∀ s. secure ( s ) Assumptions Models Verifjcation Formal Verification

  15. CPU MEMORY Assumptions Models Verifjcation Formal Verification

  16. OS Hypervisor CPU MEMORY Assumptions Models Verifjcation Formal Verification

  17. OS Hypervisor CPU MEMORY Assumptions Models Verifjcation Formal Verification

  18. Lecture plan 1) Formal verification 2) CPU models and proof strategy 3) Verification of memory virtualization 4) When the models are incorrect

  19. Formal verification

  20. Formal models states of the system ● Deterministic Finite Automata: integers • Stack, Heap, Current instruction: Java • … •

  21. Formal models states of the system ● Deterministic Finite Automata: integers • Stack, Heap, Current instruction: Java • … • transition relation (behavior of the system) ● DFA: depends on the transition function • Java: depends on the program and the Java semantics •

  22. Formal models states of the system ● Deterministic Finite Automata: integers • Stack, Heap, Current instruction: Java • … • transition relation (behavior of the system) ● DFA: depends on the transition function • Java: depends on the program and the Java semantics • labeled transition system ● • DFA: labels represent the accepted input characters • weak transition system (when some event is not important) •

  23. Contract Verification  {P} C {Q} : when the precondition P is met, executing the program C establishes the postcondition Q. 

  24. Contract Verification: Hoare logic  {P} C {Q} : when the precondition P is met, executing the program C establishes the postcondition Q.  

  25. Contract verification: Hoare logic  {P} C {Q} : when the precondition P is met, executing the program C establishes the postcondition Q.    Java Modeling Language (JML)

  26. Contract verification int SQRT(x) { int r = 0; while (r*r<=x) r++; return r; }

  27. Hoare logic: weakest preconditon  Find the weakest precondition that guarantees that executing the program C establishes the postcondition Q.  Then prove P => WP

  28. Hoare logic: weakest preconditon  Find the weakest precondition that guarantees that executing the program C establishes the postcondition Q  x:= exp {Q(x)}  WP = Q(exp)  Example  x:= 5 {Q(x) = x > y}  WP = Q(5) = 5 > y

  29. Hoare logic: weakest preconditon  Find the weakest precondition that guarantees that executing the program C establishes the postcondition Q.  x:= exp {Q(x)}  WP = Q(exp)  Example  x:= y+1 {Q(x) = x > y}  WP = Q(y+1) = y+1 > y

  30. Hoare logic: weakest preconditon  Find the weakest precondition that guarantees that executing the program C establishes the postcondition Q.  WP (C1; C2, Q) = WP(C1; WP(C2, Q))  Example x:=z+1 y:=x+y 1) WP(y:=x+y, y>5) = x+y > 5 Q = y > 5 2) WP(x:=z+1, x+y > 5) = z+1+y>5

  31. Hoare logic: weakest preconditon  Find the weakest precondition that guarantees that executing the program C establishes the postcondition Q.  WP (IF C THEN C1 ELSE C2, Q) if (x>y) then z = x = else z=y  Example Q: z >= x /\ z >= y x>y => WP(z=x, z >= x /\ z >= y) eq x>y => x >= x /\ x >= y x<=y => WP(z=y, z >= x /\ z >= y) eq x<=y => y >= x /\ y >= y

  32. Trace inclusion  Implementation model  Java Classes  DFA  Specification model  Interfaces  NFA

  33. Trace inclusion  Implementation model  trace  traces  Specification model

  34. Trace inclusion  Implementation model  trace  traces  Specification model

  35. Trace inclusion  Implementation model  trace  traces  Specification model  Trace Inclusion

  36. Formal verification: Trace inclusion

  37. Formal verification: Trace inclusion

  38. Formal verification: Trace inclusion

  39. Formal verification: Trace inclusion  Implementation model  Specification model  Trace Inclusion  Contract verification  Then

  40. Formal verification: Trace inclusion   Relation

  41. Formal verification: Trace inclusion   Relation  Trace Inclusion  Contract verification  Property transfer

  42. Formal verification: Trace inclusion   Relation  Trace Inclusion  Contract verification  Property transfer

  43. Formal verification: simulation   Relation  Trace Inclusion 

  44. Formal verification: express secrecy  K1 and K2 are secret variables (e.g. keys) int F (P1) { P2 := K1; }  P1 and P2 are public variables  The attacker can invoke the function F  F should not leak the value of Ks

  45. Formal verification: express secrecy  K1 and K2 are secret variables (e.g. keys) int F (P1) { P2 := K1; }  P1 and P2 are public variables  The attacker can invoke the function F  F should not leak the value of Ks

  46. Formal verification: express secrecy  K1 and K2 are secret variables (e.g. keys) int F (P1) { P2 := P1; }  P1 and P2 are public variables  The attacker can invoke the function F  F should not leak the value of Ks

  47. Formal verification: express secrecy  K1 and K2 are secret variables (e.g. keys) int F (P1) { P2 := P1+K1; }  P1 and P2 are public variables  The attacker can invoke the function F  F should not leak the value of Ks

  48. Formal verification: express secrecy  K1 and K2 are secret variables (e.g. keys) int F (P1) { if (K1 < 10) P2 := P1;  P1 and P2 are public variables }  The attacker can invoke the function F  F should not leak the value of Ks

  49. Formal verification: express secrecy  K1 and K2 are secret variables (e.g. keys) int F (P1) { if (P1 < 10) P2 := P1;  P1 and P2 are public variables K2 := K1 + P1; }  The attacker can invoke the function F  F should not leak the value of Ks

  50. Information flow security  K1 and K2 are secret variables (e.g. keys)  P1 and P2 are public variables

  51. Information flow security: refinement

  52. Information flow security: refinement 

  53. Information flow security: refinement 

  54. Information flow security: refinement 

  55. Information flow security: refinement int S() { P := RND()*2; } P:2 P:1 P:4 K:0 P:0 P:2 P:1 P:4 K:1 P:0

  56. Information flow security: refinement int I() { int S() { P := K*2; P := RND()*2; } } P:2 P:1 P:4 K:0 P:0 P:2 P:1 P:4 K:1 P:0

  57. Information flow security: refinement int I() { int S() { P := K*2; P := RND()*2; } } P:2 P:2 P:1 P:1 P:4 K:0 P:0 P:4 K:0 P:0 P:2 P:1 P:4 K:1 P:0

  58. Information flow security: refinement int I() { int S() { P := K*2; P := RND()*2; } } P:2 P:2 P:1 P:1 P:4 K:0 P:0 P:4 K:0 P:0 P:2 P:2 P:1 P:1 P:4 K:1 P:0 P:4 K:1 P:0

  59. Information flow security: refinement 

  60. Formal verification: bisimulation   Relation  Trace Inclusion 

  61. Theorem prover Fully automated (propositional logic)  Automated, but not necessarily terminating (first order logic)  With automation, but mainly interactive (higher-order logic)  Isabelle  HOL4 

  62. Isabelle/HOL4 A generic interactive proof assistant  Interactive:  more than just yes/no, you can interactively guide the system  Proof assistant:  helps to explore, find, and maintain proofs  Widely used systems, Active development, Reasonably easy to use  Internal Logic and object logic (HOL) 

  63. Summary Motivations ● Refinements ● Information flow security ● Upcoming ● Formal models of CPUs • High level proof •

  64. THANKS! Any questions? You can find me at robertog@kth.se http://prosper.sics.se/ References

Recommend


More recommend