it doesn t have to be so hard efficient symbolic
play

It Doesnt Have to Be So Hard: Efficient Symbolic Reasoning for CRCs - PowerPoint PPT Presentation

Jun 08, 2023 •226 likes •626 views

It Doesnt Have to Be So Hard: Efficient Symbolic Reasoning for CRCs Vaibhav Sharma, Navid Emamdoost, Seonmo Kim, Stephen McCamant University of Minnesota, Minneapolis, MN, USA Motivation Cyclic Redundancy Check (CRC) is commonly used

  1. It Doesn’t Have to Be So Hard: Efficient Symbolic Reasoning for CRCs Vaibhav Sharma, Navid Emamdoost, Seonmo Kim, Stephen McCamant University of Minnesota, Minneapolis, MN, USA

  2. Motivation ● Cyclic Redundancy Check (CRC) is commonly used for error detection ● Not resistant to adversarial modification ○ WEP, SSHv1 ● Sometimes used as an obstacle to symbolic execution ○ Jung et al., USENIX Security 2019 ● Is analysis of CRC difficult?

  3. Our Contribution ● It is not difficult to analyze CRC implementations ● Use symbolic execution to compute pre-image of CRC ● Explore two kinds of CRC implementations ○ update CRC once for every input bit ○ update CRC using lookup table (for every 8 bits in input)

  4. Our Contribution ● It is not difficult to analyze CRC implementations ● Use symbolic execution to compute pre-image of CRC ● Explore two kinds of CRC implementations ○ update CRC once for every input bit ○ update CRC using lookup table (for every 8 bits in input)

  5. CRC symbolic pre-image computation int main() { char sym_str[LEN]; // set to symbolic bytes unsigned int sym_crc = crc(sym_str, LEN); char conc_str[LEN]; srand(time(NULL)); for ( int i = 0; i < LEN; i++) conc_str[i] = ( char ) rand(); if (sym_crc == crc(conc_str, LEN)) { printf("found the pre-image\n"); } return 0; }

  6. Our Contribution ● It is not difficult to analyze CRC implementations ● Use symbolic execution to compute pre-image of CRC ● Explore two kinds of CRC implementations ○ update CRC once for every input bit ○ update CRC using lookup table (for every 8 bits in input)

  7. Our Contribution ● It is not difficult to analyze CRC implementations ● Use symbolic execution to compute pre-image of CRC ● Explore two kinds of CRC implementations ○ update CRC once for every input bit ○ update CRC using lookup table (for every 8 bits in input)

  8. Our Contribution ● It is not difficult to analyze CRC implementations ● Use symbolic execution to compute pre-image of CRC ● Explore two kinds of CRC implementations Used by Jung et al. to ○ update CRC once for every input bit defeat symbolic execution ○ update CRC using lookup table (for every 8 bits in input)

  9. CRC Implementation Type #1 unsigned int fuzzification_crc32 ( unsigned char *message) { int i, j; unsigned int byte, crc; message points to i = 0; crc = 0xFFFFFFFF; symbolic bytes while (message[i] != 0) { byte = reverse(message[i]); for (j = 0; j <= 7; j++) { if (( int )(crc ^ byte) < 0) crc = (crc << 1) ^ 0x04C11DB7; else crc = crc << 1; byte = byte << 1; } i = i + 1; } return reverse(~crc); }

  10. CRC Implementation Type #1 unsigned int fuzzification_crc32 ( unsigned char *message) { int i, j; unsigned int byte, crc; i = 0; crc = 0xFFFFFFFF; while (message[i] != 0) { byte = reverse(message[i]); for (j = 0; j <= 7; j++) { if (( int )(crc ^ byte) < 0) crc = (crc << 1) ^ 0x04C11DB7; else crc = crc << 1; byte = byte << 1; } i = i + 1; } return reverse(~crc); }

  11. CRC Implementation Type #1 unsigned int fuzzification_crc32 ( unsigned char *message) { int i, j; unsigned int byte, crc; i = 0; crc = 0xFFFFFFFF; while (message[i] != 0) { byte = reverse(message[i]); for (j = 0; j <= 7; j++) { if (( int )(crc ^ byte) < 0) crc = (crc << 1) ^ 0x04C11DB7; else crc = crc << 1; byte = byte << 1; } i = i + 1; } return reverse(~crc); }

  12. CRC Implementation Type #1 unsigned int fuzzification_crc32 ( unsigned char *message) { int i, j; unsigned int byte, crc; i = 0; crc = 0xFFFFFFFF; while (message[i] != 0) { byte = reverse(message[i]); for (j = 0; j <= 7; j++) { if (( int )(crc ^ byte) < 0) crc = (crc << 1) ^ 0x04C11DB7; else crc = crc << 1; byte = byte << 1; } i = i + 1; } return reverse(~crc); }

  13. CRC Implementation Type #1 unsigned int fuzzification_crc32 ( unsigned char *message) { int i, j; unsigned int byte, crc; i = 0; crc = 0xFFFFFFFF; while (message[i] != 0) { byte = reverse(message[i]); for (j = 0; j <= 7; j++) { if (( int )(crc ^ byte) < 0) crc = (crc << 1) ^ 0x04C11DB7; else crc = crc << 1; byte = byte << 1; } i = i + 1; } return reverse(~crc); }

  14. CRC Implementation Type #1 unsigned int fuzzification_crc32 ( unsigned char *message) { int i, j; unsigned int byte, crc; i = 0; crc = 0xFFFFFFFF; while (message[i] != 0) { byte = reverse(message[i]); for (j = 0; j <= 7; j++) { if (( int )(crc ^ byte) < 0) crc = (crc << 1) ^ 0x04C11DB7; else crc = crc << 1; byte = byte << 1; } i = i + 1; } return reverse(~crc); }

  15. CRC Implementation Type #1 unsigned int fuzzification_crc32 ( unsigned char *message) { int i, j; unsigned int byte, crc; i = 0; crc = 0xFFFFFFFF; while (message[i] != 0) { ● Both sides of branch byte = reverse(message[i]); for (j = 0; j <= 7; j++) { feasible if (( int )(crc ^ byte) < 0) ● Executed once for every bit crc = (crc << 1) ^ 0x04C11DB7; in message else crc = crc << 1; byte = byte << 1; ● Causes path explosion } ● Can be easily alleviated i = i + 1; with path-merging } return reverse(~crc); }

  16. CRC Implementation Type #1 unsigned int fuzzification_crc32 ( unsigned char *message) { int i, j; unsigned int byte, crc; i = 0; crc = 0xFFFFFFFF; Summarize both sides of branch into while (message[i] != 0) { byte = reverse(message[i]); single formula for (j = 0; j <= 7; j++) { crc =( int )(crc ^ byte) < 0 if (( int )(crc ^ byte) < 0) ? (crc << 1) ^ 0x04C11DB7 crc = (crc << 1) ^ 0x04C11DB7; else crc = crc << 1; : crc << 1 byte = byte << 1; } i = i + 1; } return reverse(~crc); }

  17. CRC Implementation Type #1 unsigned int fuzzification_crc32 ( unsigned char *message) { int i, j; unsigned int byte, crc; i = 0; crc = 0xFFFFFFFF; ● Summarize both sides of branch while (message[i] != 0) { byte = reverse(message[i]); into single formula for (j = 0; j <= 7; j++) { ● Write side-effects of summary into if (( int )(crc ^ byte) < 0) local variable (crc) crc = (crc << 1) ^ 0x04C11DB7; else crc = crc << 1; ● Skip branching, jump to immediate byte = byte << 1; post-dominator of branch } instruction i = i + 1; } return reverse(~crc); }

  18. Our Contribution ● It is not difficult to analyze CRC implementations ● Use symbolic execution to compute pre-image of CRC ● Explore two kinds of CRC implementations ○ update CRC once for every input bit Used to make CRC ○ update CRC using lookup table (for every 8 bits in input) computation faster

  19. CRC Implementation Type #2 unsigned int cgc_crc32( char *buf, int len) { unsigned int c = 0xffffffff; int n; for (n = 0; n < len; n++) c = table[(c ^ buf[n]) & 0xff] ^ (c >> 8); return c ^ 0xffffffff; }

  20. CRC Implementation Type #2 unsigned int cgc_crc32( char *buf, int len) { unsigned int c = 0xffffffff; int n; buf points to for (n = 0; n < len; n++) symbolic bytes c = table[(c ^ buf[n]) & 0xff] ^ (c >> 8); return c ^ 0xffffffff; }

  21. CRC Implementation Type #2 unsigned int cgc_crc32( char *buf, int len) { unsigned int c = 0xffffffff; int n; for (n = 0; n < len; n++) c = table[(c ^ buf[n]) & 0xff] ^ (c >> 8); return c ^ 0xffffffff; }

  22. CRC Implementation Type #2 unsigned int cgc_crc32( char *buf, int len) { unsigned int c = 0xffffffff; int n; for (n = 0; n < len; n++) c = table[(c ^ buf[n]) & 0xff] ^ (c >> 8); return c ^ 0xffffffff; }

  23. CRC Implementation Type #2 unsigned int cgc_crc32( char *buf, int len) { unsigned int c = 0xffffffff; int n; for (n = 0; n < len; n++) c = table[(c ^ buf[n]) & 0xff] ^ (c >> 8); return c ^ 0xffffffff; }

  24. CRC Implementation Type #2 unsigned int cgc_crc32( char *buf, int len) { unsigned int c = 0xffffffff; ● Concrete table lookup with symbolic int n; index for (n = 0; n < len; n++) c = table[(c ^ buf[n]) & 0xff] a. Branch for every entry ^ (c >> 8); b. Read table contents into return c ^ 0xffffffff; If-Then-Else expression } c. Use theory of arrays d. Use the structure of the table to summarize its contents

  25. CRC Implementation Type #2 unsigned int cgc_crc32( char *buf, int len) { unsigned int c = 0xffffffff; ● Concrete table lookup with symbolic int n; index for (n = 0; n < len; n++) c = table[(c ^ buf[n]) & 0xff] a. Branch for every entry ^ (c >> 8); b. Read table contents into return c ^ 0xffffffff; If-Then-Else expression } c. Use theory of arrays d. Use the structure of the table to summarize its contents

  26. CRC Implementation Type #2 unsigned int cgc_crc32( char *buf, int len) { unsigned int c = 0xffffffff; ● Concrete table lookup with symbolic int n; index for (n = 0; n < len; n++) c = table[(c ^ buf[n]) & 0xff] a. Branch for every entry ^ (c >> 8); b. Read table contents into return c ^ 0xffffffff; If-Then-Else expression } c. Use theory of arrays d. Use the structure of the table to summarize its contents

Recommend

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of London Joint work with: Stefan Bucur, George Candea, Volodymyr Kuznetsov @ EPFL Symbolic Execution Automatically explore program paths

2.34k views • 200 slides
Digital Media is it.. ..Economic? ..Efficient? 1 1 Is it Efficient? Can it deliver large

Digital Media is it.. ..Economic? ..Efficient? 1 1 Is it Efficient? Can it deliver large

..Effective? Digital Media is it.. ..Economic? ..Efficient? 1 1 Is it Efficient? Can it deliver large audiences? Does it make the investment work hard? 2 Huge number of intermediaries makes programmatic expensive or inefficient 3

680 views • 40 slides
Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic Execution Supervisors: Author: Lesly-Ann Daniel Sbastien Bardin CEA LIST CEA LIST Tamara Rezk Oct 2018 - Oct 2021 INRIA Sophia Antipolis

777 views • 38 slides
Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic Execution Lesly-Ann Daniel Sbastien Bardin Tamara Rezk CEA LIST, France CEA LIST, France INRIA, France IEEE Symposium on Security and Privacy May

464 views • 25 slides
SDRL: Interpretable and Data-efficient Deep Liu Reinforcement Learning Introduction Background

SDRL: Interpretable and Data-efficient Deep Liu Reinforcement Learning Introduction Background

SDRL: Symbolic Deep Reinforcement Learning SDRL: Interpretable and Data-efficient Deep Liu Reinforcement Learning Introduction Background Leveraging Symbolic Planning Method Experiment Conclusion Bo Liu and Future Work Auburn

1k views • 20 slides
Why Why Google Google Shopping doesn't Shopping doesn't work work for for many many retailers

Why Why Google Google Shopping doesn't Shopping doesn't work work for for many many retailers

Why Why Google Google Shopping doesn't Shopping doesn't work work for for many many retailers retailers Liam Patterson Founder &amp; CEO Show of hands? Q: Who is actively running Google Shopping ? About You 27% of SHOPPERS 27% of

573 views • 30 slides
On the Design of Symbolic-Geometric Online Planning Systems Lavindra de Silva -

On the Design of Symbolic-Geometric Online Planning Systems Lavindra de Silva -

On the Design of Symbolic-Geometric Online Planning Systems Lavindra de Silva - University of Nottingham Felipe Meneguzzi - PUCRS Motivation Programming autonomous robots is hard Wide variety of algorithms Varying

639 views • 24 slides
Finding Code That Explodes Under Symbolic Evalua&lt;on James Bornholt Emina Torlak University

Finding Code That Explodes Under Symbolic Evalua&lt;on James Bornholt Emina Torlak University

Finding Code That Explodes Under Symbolic Evalua&lt;on James Bornholt Emina Torlak University of Washington unsat.org Automated reasoning tools help us solve hard programming problems Automated reasoning tools help us solve hard programming

850 views • 60 slides
Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Symbolic Mathematics Dr. Mihail November 20, 2018 (Dr. Mihail) Symbolic November 20, 2018 1 /

Symbolic Mathematics Dr. Mihail November 20, 2018 (Dr. Mihail) Symbolic November 20, 2018 1 /

Symbolic Mathematics Dr. Mihail November 20, 2018 (Dr. Mihail) Symbolic November 20, 2018 1 / 16 Overview Symbolic So far in this course we dealt with MATLAB variables that were placeholders for numeric types (e.g., scalars, vectors,

953 views • 17 slides
Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018 Outline 1 Formal Models 2

1.01k views • 81 slides
Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps

Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps

Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps Symbolic Stamps Hui Xu, Guoyong Shi and Xiaopeng Li School of Microelectronics, Shanghai Jiao Tong Univ. Shanghai, China Presentation at Asia

655 views • 36 slides
fjlesystem reliability 1 last time inodes (double-, triple-)indirect blocks sparse fjles hard

fjlesystem reliability 1 last time inodes (double-, triple-)indirect blocks sparse fjles hard

fjlesystem reliability 1 last time inodes (double-, triple-)indirect blocks sparse fjles hard and symbolic links block groups for locality extents and fragments non-binary trees on disk 2 note on FAT assignment you will need to use

1.34k views • 106 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin &amp; Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
A bi bird d doesn't s sing be beca cause it it has has an an an answer, it it sin ings

A bi bird d doesn't s sing be beca cause it it has has an an an answer, it it sin ings

A bi bird d doesn't s sing be beca cause it it has has an an an answer, it it sin ings bec ecau ause it it has has a a song. Ma Maya An a Ange gelou The Journey 17 Y 7 YEARS OL OLD Ent ntrep epreneu eneur??? Brunei

381 views • 19 slides
Dependencies in Interval- -valued valued Dependencies in Interval Symbolic Data Symbolic Data

Dependencies in Interval- -valued valued Dependencies in Interval Symbolic Data Symbolic Data

Dependencies in Interval- -valued valued Dependencies in Interval Symbolic Data Symbolic Data Lynne Billard University of Georgia lynne@stat.uga.edu Tribute to Professor Edwin Diday: Paris, France; 5 September 2007 Naturally occurring

635 views • 44 slides
6.009: Fundamentals of Programming Tutorial 10: Symbolic Algebra Engine With special guests:

6.009: Fundamentals of Programming Tutorial 10: Symbolic Algebra Engine With special guests:

6.009: Fundamentals of Programming Tutorial 10: Symbolic Algebra Engine With special guests: Inheritance Recursive-Descent Parsing 22 April 2020 Symbolic Algebra Today well implement a symbolic algebra engine , designed to represent

811 views • 19 slides
Efficient compilation of complex tensor algebra expressions Martin Sandve Alns Center for

Efficient compilation of complex tensor algebra expressions Martin Sandve Alns Center for

Efficient compilation of complex tensor algebra expressions Martin Sandve Alns Center for Biomedical Computing June 5th, FEniCS 2012 UFL is a DSL, symbolic backend, and frontend to form compilers Users recently reported scalabiliy

311 views • 18 slides
Testing Steve Loughran HP Laboratories Thursday November 6th, 2006 your code doesn't work i

Testing Steve Loughran HP Laboratories Thursday November 6th, 2006 your code doesn't work i

Testing Steve Loughran HP Laboratories Thursday November 6th, 2006 your code doesn't work i know this because... my code doesn't work it's OK to write code that doesnt work just dont ship it especially if it matters how do you get

479 views • 24 slides
Neural-Symbolic Integration Strategies Neural-Symbolic Integration Unification Hybrid

Neural-Symbolic Integration Strategies Neural-Symbolic Integration Unification Hybrid

Neural-Symbolic Integration Strategies Neural-Symbolic Integration Unification Hybrid Strategies Systems Neuronal Connectionist Hybrid Hybrid by Modeling Logic Systems by Translation Function Neural-Symbolic Learning Systems CILP:

670 views • 37 slides
Lazy Heap Analysis with Symbolic Memory Graphs Alexander Driemeyer Outline 1. Motivation 2.

Lazy Heap Analysis with Symbolic Memory Graphs Alexander Driemeyer Outline 1. Motivation 2.

Lazy Heap Analysis with Symbolic Memory Graphs Alexander Driemeyer Outline 1. Motivation 2. CPAchecker and Symbolic Memory Graphs 3. Abstractions of Symbolic Memory Graphs 4. Using counterexample guided abstraction refinement with Symbolic

412 views • 24 slides
Computational Aspects of Symbolic Dynamics Part III: Turing Degrees E. Jeandel LORIA (Nancy,

Computational Aspects of Symbolic Dynamics Part III: Turing Degrees E. Jeandel LORIA (Nancy,

Computational Aspects of Symbolic Dynamics Part III: Turing Degrees E. Jeandel LORIA (Nancy, France) E. Jeandel, CASD, Part III: Turing Degrees 1/27 Introduction The Turing degree of a point x expresses how hard it is to compute x Turing

732 views • 38 slides

More recommend