Integrated Symbolic Execution for Space-Time Analysis of Code (ISSTAC) Side Channel Analysis � Corina Pasareanu (CMU&NASA Ames)
Project team members � ❑ Corina Pasareanu � ❑ Teme Kahsai � ❑ Kasper Luckow ❑ Quoc-Sang Phan ❑ Rody Kersten ❑ Federico Ponte � Tevfik Bultan � ❑ Lucas Bang ❑ Abdulbaki Aydin ❑ Miroslav Gavrilov ❑ � Gabor Karsai � ❑ Zhenkai Zhang ❑ Dmitriy Kostyuchenko ❑ Sandor Nyako ❑
The Problem ❑ Inherent space-time complexity of algorithms used for building software systems offer new attack surfaces for cyber exploits � � ❑ Side-channel attacks — recover secret inputs to programs from non-functional characteristics of computations, such as time consumed, number of memory accesses or size of output files � ❑ Worst case-complexity — denial-of-service attacks, the adversary's goal is to deny service to the system's users, or to disable the system by choosing a worst-case input � � � �
The Project input generates Analysis Symbolic Java Report Bytecode Execution � � � Apache Worst-case Worst-case Bounds Analysis Spark Worst-case Input Hadoop Distributed (bounds) Worst-case Constraints � File System (HDFS) � guide Hive Data Symbolic Execution Side-channel Quantified Information Warehouse Analysis Leakage and Engines Confidence Model-counting Constraint Solver Compute from the bytecode its worst-case time-space bounds , produce example inputs that trigger them, estimate information leakage through observables related to time/memory via symbolic execution of the code performed on a cloud-based computing platform using a model-counting constraint-solver .
Background: Symbolic Execution King [Comm. ACM 1976], Clarke [IEEE TSE 1976] � � ❑ analysis of programs with symbolic inputs � ❑ symbolic states represent sets of concrete states � ❑ for each path, build path condition — encodes condition on inputs for the execution to follow that path � ❑ check path condition satisfiability – explore only feasible paths � � ❑ received renewed interest in recent years … due to � ❑ algorithmic advances � ❑ computational power and decision procedures � ❑ applications: test-case generation, error detection, … � many tools: SAGE, DART, KLEE, Pex, BitBlaze … ❑
Concrete Execution 6
Symbolic Execution 7
JPF and SPF � Java PathFinder � � Extensible tool for Java bytecode verification � � Uses specialized JVM � � Developed at NASA Ames since 1999 � � Open-sourced � � � Symbolic PathFinder (SPF) � � Symbolic execution tool for Java bytecode; open-sourced � � Uses lazy initializations to handle complex data structures and arrays as inputs � � Handles multi-threading � � Provides support for symbolic string operations � � Supports quantitative reasoning
Side-Channel Analysis input informs generates Analysis Symbolic Preprocessing Report Execution &Visualization Java Bytecode � � � Apache Worst-case Worst-case Bounds Spark Analysis Worst-case Input Hadoop Distributed (bounds) � Worst-case Constraints File System (HDFS) � Hive Data Symbolic Quantified Information Execution Side-channel Warehouse Leakage and Analysis Engines Confidence Model-counting Constraint Solver
Side-Channel Attacks low “main” channel program high (unintended) side channel Figure taken from: “RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis"
Side-Channel Attacks � � � low high � � boolean verifyPassword(byte [] input, byte [] password) { � for ( int i = 0; i < SIZE; i++) { � if (password[ i ] != input[ i ]) � return false ; � Thread.sleep(25L); � } � return true; � } � � � � Suppose the password is a 4-digit PIN. A brute-force attack: � ❑ on the main channel: 10000 tries in the worst case. � ❑ on the timing channel: 40 tries in the worst case. �
Side-channel Analysis � ❑ Quantitative Information-Flow Analysis (QIF) to determine side-channel capacity — maximum possible leakage � Side-channel costs form the “observables” ❑ � Maximum Leakage deterministic programs
Side-channel Analysis using Symbolic Execution � ❑ Perform symbolic execution � ❑ Collect all symbolic paths � ❑ Compute “cost” of each path � � Cost model: � ❑ execution time � ❑ number of packets sent/received over a network � ❑ number of bytes written to a file � � Maximum Leakage
Computing Shannon Entropy � � � Probabilistic symbolic execution [ICSE’13,PLDI’14] ❑ PCs are path conditions computed with symbolic execution ❑ #(PC) — number of solutions computed with model counting (Latte) ❑ ❑ #D size of domain � � � � � � ❑ Model counting: � – Latte[Köppe, 2006] -- integer linear constraints, finite domain � – Polynomial in both number of variables and number of constraints; � – Omega Lib used for algebraic simplifications; optimizations � (independence, caching) … � �
Simple Example //high range: 1..10 � if(high>7) � ... cost=1; � else � ... cost=2; � � � � � high<8 � high>7 � Channel capacity: � o 2 =cost 2 � o 1 =cost 1 � log 2 (2)=1 bit � � � � p(o 2 )=0.7 Shannon Entropy: � p(o 1 )=0.3 -0.3 log 2 (0.3) -0.7 log 2 (0.7)= � 0.3 * 1.736966 + 0.7 * 0.514573= � 0.8812909 bits � � � � �
Password Example boolean verifyPassword(byte [] input, byte [] password) { for ( int i = 0; i < SIZE; i++) { if (password[ i ] != input[ i ]) return false ; Thread.sleep(25L); } return true; } n=4, range:0..9, #D=10 8 p(o 0 )=#PC 0 /#D=90000000/100000000=0.9 p(o 1 )=#PC 1 /#D=9000000/100000000=0.09 p(o 2 )=#PC 2 /#D=900000/100000000=0.009 …
Maximizing Channel Capacity Symbolic public inputs over-approximate the leakage � � Example 1: � 5 possible observables, l<0: 3 observables , l>=0: 2 observables ❑ Example 2: � ❑ 3 observables, l=0: 2 observables � � Goal � ❑ find the low input that leads to maximum number of observables �
Maximizing Channel Capacity: MaxSMT A ssemble PCs that lead to same observable into “clauses” of weight “1” � ❑ MaxSMT s olution gives maximal assignment corresponding to largest ❑ number of observables reached by a public input � ❑ Any other assignments leads to less observables � ❑ MaxSMT solution: � ❑ l=0: satisfies first 2 clauses � ❑ leakage log 2 (2)=1 bit �
Multi-run analysis Generalization over multiple-run side-channel analysis ❑ � � � ❑ The attacker gradually learns the secret by observing multiple program runs � An “observable” is a sequence of costs ❑ MaxSMT used to synthesize a sequence of public inputs ❑ Non-adaptive attacks, greedy approach ❑ Multi-threading/garbage collection ❑ � ❑ Analysis of password examples and cryptographic functions � ❑ Shown experimentally to perform better than CBMC+self composition or brute-force enumeration � � see [CSF’16] Multi-run side-channel analysis using Symbolic Execution and Max-SMT, by C. Pasareanu, S. Phan, P. Malacaria �
Multi-threading T 1 :: example1( l ; h ); � T 2 :: l = - l ; � � l =-1 � gives 3 observables for T 1 ;T 2 � gives 2 observables for T 2 ;T 1 � � � � � compute leakage for each schedule; enumerate all schedules; report max leakage � � multi-threading introduces noise that makes leakage smaller; � tree-like schedulers, probabilistic schedulers … future work � garbage collection
Side-channel analysis Next steps … � ❑ Multi-run analysis for adaptive attacks: attacker chooses next input based on previous outputs observed � � ❑ Leakage computation in the presence of noisy observations � � ❑ Model counting for string constraints (ABC) and non-linear constraints (#SAT, qCoral)
Attack Trees � At each step: � � the attacker uses MaxSMT to compute ❑ l 1 the next low value that maximizes leakage � � under “assumptions” encoding that h is ❑ o 1 consistent with previous observations � � Min-Max Game: at each step � l 2 � attacker minimizes entropy (uses ❑ MaxSMT to compute next low that � o 2 maximizes no. of observations) � l 3 system maximizes entropy (uses model ❑ counting to compute largest partition) � game ends when MaxSMT returns 1 ❑ clause (no further refinement on the secret possible) � gives “perfect” attacker for segment ❑ oracle
Recommend
More recommend
