symbolic string verification an automata based approach
play

Symbolic String Verification: An Automata-based Approach Fang Yu - PowerPoint PPT Presentation

Mar 14, 2024 •99 likes •465 views

Outline Motivation Symbolic String Verification Experiments Conclusion Symbolic String Verification: An Automata-based Approach Fang Yu Tevfik Bultan Marco Cova Oscar H. Ibarra Dept. of Computer Science University of California Santa

  1. Outline Motivation Symbolic String Verification Experiments Conclusion Symbolic String Verification: An Automata-based Approach Fang Yu Tevfik Bultan Marco Cova Oscar H. Ibarra Dept. of Computer Science University of California Santa Barbara, USA { yuf, bultan, marco, ibarra } @cs.ucsb.edu August 11, 2008 Fang Yu, UCSB Symbolic String Verification: An Automata-based Approach

  2. Outline Motivation Symbolic String Verification Experiments Conclusion 1 Motivation Goal Is it vulnerable? 2 Symbolic String Verification Verification Framework A Language-based Replacement Widening Automata Symbolic Encoding 3 Experiments Benchmarks Results 4 Conclusion Fang Yu, UCSB Symbolic String Verification: An Automata-based Approach

  3. Outline Motivation Goal Symbolic String Verification Is it vulnerable? Experiments Conclusion Motivation We aim to develop an efficient but rather precise string verification tool based on static string analysis. Static String Analysis : At each program point, statically compute all possible values that string variables can take. String analysis plays an important role in the security area. For instance, one can detect various web vulnerabilities like SQL Command Injection and Cross Site Scripting (XSS) attacks. Fang Yu, UCSB Symbolic String Verification: An Automata-based Approach

  4. Outline Motivation Goal Symbolic String Verification Is it vulnerable? Experiments Conclusion Is it vulnerable? A program is vulnerable if a sensitive function can take an attack string (specified by an attack pattern) as its input. A PHP Example : (A XSS attack pattern for echo: Σ ∗ < script Σ ∗ ) 1: < ?php 2: $www = $ GET[”www”]; 3: $l otherinfo = ”URL”; 4: echo ” < td > ” . $l otherinfo . ”: ” . $www . ” < /td > ”; 5:? > A simple taint analysis [Huang et al. WWW04] can report this segment vulnerable. Fang Yu, UCSB Symbolic String Verification: An Automata-based Approach

  5. Outline Motivation Goal Symbolic String Verification Is it vulnerable? Experiments Conclusion Is it vulnerable? Add a sanitization routine at line s . 1: < ?php 2: $www = $ GET[”www”]; 3: $l otherinfo = ”URL”; s : $www = ereg replace(”[ ∧ A-Za-z0-9 .-@://]”,””,$www); 4: echo ” < td > ” . $l otherinfo . ”: ” . $www . ” < /td > ”; 5:? > This segment is identified to be vulnerable by dynamic testing (Balzarotti et al.)[SSP08]. (A vulnerable point at line 218 in trans.php, distributed with MyEasyMarket-4.1.) Fang Yu, UCSB Symbolic String Verification: An Automata-based Approach

  6. Outline Motivation Goal Symbolic String Verification Is it vulnerable? Experiments Conclusion Is it vulnerable? Fix the sanitization routine by inserting the escape character ’/’. 1: < ?php 2: $www = $ GET[”www”]; 3: $l otherinfo = ”URL”; s’: $www = ereg replace(”[ ∧ A-Za-z0-9 ./-@://]”,””,$www); 4: echo ” < td > ” . $l otherinfo . ”: ” . $www . ” < /td > ”; 5:? > By our approach, this segment is proven not vulnerable against the XSS attack pattern: Σ ∗ < script Σ ∗ . Fang Yu, UCSB Symbolic String Verification: An Automata-based Approach

  7. Outline Verification Framework Motivation A Language-based Replacement Symbolic String Verification Widening Automata Experiments Symbolic Encoding Conclusion Verification Framework Associate each string variable at each program point with an automaton that accepts an over approximation of its possible values. Use these automata to perform a forward symbolic reachability analysis. Iteratively Compute the next state of current automata against string operations and Update automata by joining the result to the automata at the next statement Terminate the execution upon reaching a fixed point. Fang Yu, UCSB Symbolic String Verification: An Automata-based Approach

  8. Outline Verification Framework Motivation A Language-based Replacement Symbolic String Verification Widening Automata Experiments Symbolic Encoding Conclusion Challenges Precision: Need to deal with sanitization routines having PHP string functions, e.g., ereg replacement . Complexity: The problem in general is undecidable. The fixed point may not exist and even if it exists the fixpoint computation may not converge. Performance: Need to perform automata manipulations efficiently in terms of both time and memory. Fang Yu, UCSB Symbolic String Verification: An Automata-based Approach

  9. Outline Verification Framework Motivation A Language-based Replacement Symbolic String Verification Widening Automata Experiments Symbolic Encoding Conclusion Features of Our Approach We propose: A Language-based Replacement: To model string operations in PHP programs. An Automata Widening Operator: To accelerate fixed point computation. A Symbolic Encoding: Using Multi-terminal Binary Decision Diagrams (MBDDs) from MONA DFA packages. Fang Yu, UCSB Symbolic String Verification: An Automata-based Approach

  10. Outline Verification Framework Motivation A Language-based Replacement Symbolic String Verification Widening Automata Experiments Symbolic Encoding Conclusion A Language-based Replacement M = replace ( M 1 , M 2 , M 3 ) M 1 , M 2 , and M 3 are Deterministic Finite Automata (DFAs). M 1 accepts the set of original strings, M 2 accepts the set of match strings, and M 3 accepts the set of replacement strings Let s ∈ L ( M 1), x ∈ L ( M 2), and c ∈ L ( M 3): Replaces all parts of any s that match any x with any c . Outputs a DFA that accepts the result. Fang Yu, UCSB Symbolic String Verification: An Automata-based Approach

  11. Outline Verification Framework Motivation A Language-based Replacement Symbolic String Verification Widening Automata Experiments Symbolic Encoding Conclusion M = replace ( M 1 , M 2 , M 3 ) Some examples: L ( M 1 ) L ( M 2 ) L ( M 3 ) L ( M ) { baaabaa } { aa } { c } { bacbc, bcabc } a + { baaabaa } { bb } ǫ a + b { baaabaa } { c } { bcaa } a + { baaabaa } { c } { bcccbcc, bcccbc, bccbcc, bccbc, bcbcc, bcbc } ba + b a + bc + b { c } Fang Yu, UCSB Symbolic String Verification: An Automata-based Approach

  12. Outline Verification Framework Motivation A Language-based Replacement Symbolic String Verification Widening Automata Experiments Symbolic Encoding Conclusion M = replace ( M 1 , M 2 , M 3 ) An over approximation with respect to the leftmost/longest(first) constraints Many string functions in PHP can be converted to this form: h tmlspecialchars, t olower, t oupper, s tr replace, t rim, and p reg replace and e reg replace that have regular expressions as their arguments. Fang Yu, UCSB Symbolic String Verification: An Automata-based Approach

  13. Outline Verification Framework Motivation A Language-based Replacement Symbolic String Verification Widening Automata Experiments Symbolic Encoding Conclusion A Language-based Replacement Implementation of replace ( M 1 , M 2 , M 3 ): Mark matching sub-strings Insert marks to M 1 Insert marks to M 2 Replace matching sub-strings Identify marked paths Insert replacement automata In the following, we use two marks: < and > (not in Σ), and a duplicate alphabet: Σ ′ = { α ′ | α ∈ Σ } . Fang Yu, UCSB Symbolic String Verification: An Automata-based Approach

  14. Outline Verification Framework Motivation A Language-based Replacement Symbolic String Verification Widening Automata Experiments Symbolic Encoding Conclusion An Example Construct M = replace ( M 1 , M 2 , M 3 ). L ( M 1 ) = { baab } L ( M 2 ) = a + = { a , aa , aaa , . . . } L ( M 3 ) = { c } Fang Yu, UCSB Symbolic String Verification: An Automata-based Approach

  15. Outline Verification Framework Motivation A Language-based Replacement Symbolic String Verification Widening Automata Experiments Symbolic Encoding Conclusion Step 1 Construct M ′ 1 from M 1 : Duplicate M 1 using Σ ′ Connect the original and duplicated states with < and > For instance, M ′ 1 accepts b < a ′ a ′ > b , b < a ′ > ab . Fang Yu, UCSB Symbolic String Verification: An Automata-based Approach

  16. Outline Verification Framework Motivation A Language-based Replacement Symbolic String Verification Widening Automata Experiments Symbolic Encoding Conclusion Step 2 Construct M ′ 2 from M 2 : (a) Construct M ¯ 2 that accepts strings that do not contain any substring in L ( M 2 ). (b) Duplicate M 2 using Σ ′ . (c) Connect (a) and (b) with marks. For instance, M ′ 2 accepts b < a ′ a ′ > b , b < a ′ > bc < a ′ > . (a) (b) (c) Fang Yu, UCSB Symbolic String Verification: An Automata-based Approach

  17. Outline Verification Framework Motivation A Language-based Replacement Symbolic String Verification Widening Automata Experiments Symbolic Encoding Conclusion Step 3 Intersect M ′ 1 and M ′ 2 . The matched substrings are marked in Σ ′ . Identify ( s , s ′ ), so that s → < . . . → > s ′ . In the example, we identify three pairs:(i,j), (i,k), (j,k). Fang Yu, UCSB Symbolic String Verification: An Automata-based Approach

  18. Outline Verification Framework Motivation A Language-based Replacement Symbolic String Verification Widening Automata Experiments Symbolic Encoding Conclusion Step 4 Construct M : (d) Insert M 3 for each identified pair. (e) Determinize and minimize the result. L ( M ) = { bcb , bccb } . (d) (e) Fang Yu, UCSB Symbolic String Verification: An Automata-based Approach

Recommend

An Automata Based Approach for Verification of Information Flow Properties Deepak DSouza,

An Automata Based Approach for Verification of Information Flow Properties Deepak DSouza,

An Automata Based Approach for Verification of Information Flow Properties Deepak DSouza, Raghavendra K.R., Barbara Sprick Indian Institute of Science, Bangalore, India An Automata Based Approach for Verification of Information Flow

696 views • 58 slides
Verification of String Manipulating Programs Fang Yu Software Security Lab. Department of

Verification of String Manipulating Programs Fang Yu Software Security Lab. Department of

Introduction Automata Manipulations Symbolic String Vulnerability Analysis Composite String Analysis Implementation and Summary Verification of String Manipulating Programs Fang Yu Software Security Lab. Department of Management Information

1.62k views • 138 slides
Symbolic String Verification: Combining String Analysis and Size Analysis Fang Yu Tevfik Bultan

Symbolic String Verification: Combining String Analysis and Size Analysis Fang Yu Tevfik Bultan

Symbolic String Verification: Combining String Analysis and Size Analysis Symbolic String Verification: Combining String Analysis and Size Analysis Fang Yu Tevfik Bultan Oscar H. Ibarra Deptartment of Computer Science University of California

477 views • 36 slides
Symbolic Verification of Programs with Pointers using Tree Automata Ji r Sim a

Symbolic Verification of Programs with Pointers using Tree Automata Ji r Sim a

Symbolic Verification of Programs with Pointers using Tree Automata Ji r Sim a cek Universit e Joseph Fourrier (France) Brno University of Technology (Czech Republic) 1 Ph.D. 1st year of doctoral degree programme at

377 views • 21 slides
A Symbolic Execution-Based Approach to Model Transformation Verification using Structural

A Symbolic Execution-Based Approach to Model Transformation Verification using Structural

A Symbolic Execution-Based Approach to Model Transformation Verification using Structural Contracts Bentley James Oakes McGill University bentley.oakes@mail.mcgill.ca September 4, 2018 1 Introduction 2 Formalization of DSLTrans 3

386 views • 37 slides
Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018 Outline 1 Formal Models 2

1.01k views • 81 slides
Symbolic dynamics and automata Jean Berstel, Marie-Pierre B eal, Sren Eilers, Dominique

Symbolic dynamics and automata Jean Berstel, Marie-Pierre B eal, Sren Eilers, Dominique

Shift spaces Automata Minimal automata Symbolic conjugacy Special families of automata Syntactic invariants Symbolic dynamics and automata Jean Berstel, Marie-Pierre B eal, Sren Eilers, Dominique Perrin 26 novembre 2010 Jean Berstel,

1.06k views • 79 slides
3.9: Empty-string Finite Automata In this and the following two sections, we will study three

3.9: Empty-string Finite Automata In this and the following two sections, we will study three

3.9: Empty-string Finite Automata In this and the following two sections, we will study three progressively more restricted kinds of finite automata: empty-string finite automata (EFAs); nondeterministic finite automata (NFAs); and

273 views • 16 slides
B uchi Automata and their Application to Software Verification Finite Automata Theory and

B uchi Automata and their Application to Software Verification Finite Automata Theory and

B uchi Automata and their Application to Software Verification Finite Automata Theory and Formal Languages Wolfgang Ahrendt 22nd April 2013 B uchi Automata: TMV027/DIT321 / GU 130423 1 / 25 Motivating Temporal Logic? But How to

832 views • 64 slides
Improved Algorithms for the Automata-based Approach to Model-Checking L. Doyen (EPFL) and J.-F.

Improved Algorithms for the Automata-based Approach to Model-Checking L. Doyen (EPFL) and J.-F.

Improved Algorithms for the Automata-based Approach to Model-Checking L. Doyen (EPFL) and J.-F. Raskin (ULB) TACAS 2007 Braga - Portugal March 28, 2007 Automata-based approach to model-checking Programs and properties are formalized as

812 views • 52 slides
Words and Automata, Lecture 1 Symbolic dynamics Dominique Perrin 21 novembre 2017 Dominique

Words and Automata, Lecture 1 Symbolic dynamics Dominique Perrin 21 novembre 2017 Dominique

Words and Automata, Lecture 1 Symbolic dynamics Dominique Perrin 21 novembre 2017 Dominique Perrin Words and Automata, Lecture 1 Symbolic dynamics Outline of the course Symbolic dynamical systems Substitution shifts Dimension groups

418 views • 24 slides
Zone based verification of timed automata revisited B. Srivathsan Joint work with F. Herbreteau

Zone based verification of timed automata revisited B. Srivathsan Joint work with F. Herbreteau

Zone based verification of timed automata revisited B. Srivathsan Joint work with F. Herbreteau and I. Walukiewicz LaBRI, Universit e de Bordeaux 1 Groupe de Travail Mod elisation et V erification LIF, Marseille - November 2011 Zone

1.51k views • 127 slides
Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and Algorithmic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018

1.23k views • 78 slides
Learning Symbolic Automata Samuel Drews Loris DAntoni University of Wisconsin-Madison

Learning Symbolic Automata Samuel Drews Loris DAntoni University of Wisconsin-Madison

Learning Symbolic Automata Samuel Drews Loris DAntoni University of Wisconsin-Madison Motivation Model System Automata Learning Java API code Classic Automata 1,3,5,7 1,3,5,7 0,2,4,6 0,2,4,6 Alphabet = {0,1,2,3,4,5,6,7}

846 views • 68 slides
Copyful Streaming String Transducers Emmanuel Filiot Pierre-Alain Reynier ULB, Computer Science

Copyful Streaming String Transducers Emmanuel Filiot Pierre-Alain Reynier ULB, Computer Science

Copyful Streaming String Transducers Emmanuel Filiot Pierre-Alain Reynier ULB, Computer Science LIF, Aix-Marseille University Department &amp; CNRS RP2017, Royal Holloway Automata based formal methods Automata-based approaches: model

763 views • 57 slides
Formal Verification Methods 2: Symbolic Simulation John Harrison Intel Corporation

Formal Verification Methods 2: Symbolic Simulation John Harrison Intel Corporation

Formal Verification Methods 2: Symbolic Simulation Formal Verification Methods 2: Symbolic Simulation John Harrison Intel Corporation Simulation Symbolic and ternary simulation BDDs Quaternary lattice Symbolic trajectory

334 views • 14 slides
Symbolic Reachability Analysis of Lazy Linear Hybrid Automata Susmit Jha, Bryan Brady and

Symbolic Reachability Analysis of Lazy Linear Hybrid Automata Susmit Jha, Bryan Brady and

Symbolic Reachability Analysis of Lazy Linear Hybrid Automata Susmit Jha, Bryan Brady and Sanjit A. Seshia Traditional Hybrid Automata Traditional Hybrid Automata do not model delay and finite precision in sensing and actuation PLANT

580 views • 33 slides
Symbolic Polytopes for Quantitative Interpolation and Verification Klaus v. Gleissenthall, TU

Symbolic Polytopes for Quantitative Interpolation and Verification Klaus v. Gleissenthall, TU

Symbolic Polytopes for Quantitative Interpolation and Verification Klaus v. Gleissenthall, TU Munich joint work with Andrey Rybalchenko, Microsoft Research and Boris Kpf, IMDEA Verification Quantitative verification Quantitative

599 views • 16 slides
Decidability Decidability and Symbolic Symbolic Verification Symbolic Symbolic Verification

Decidability Decidability and Symbolic Symbolic Verification Symbolic Symbolic Verification

Decidability Decidability and Symbolic Symbolic Verification Symbolic Symbolic Verification Verification Verification Kim G. Larsen Kim G. Larsen Aalborg Aalborg University Aalborg Aalborg University University DENMARK University, ,

682 views • 46 slides
+ Symbolic Encryption + String class // Comparing String objects, see reference below. String p

+ Symbolic Encryption + String class // Comparing String objects, see reference below. String p

+ Symbolic Encryption + String class // Comparing String objects, see reference below. String p = &quot;potato&quot;; if (p == &quot;potato&quot;) { println(&quot;p == potato, yep.&quot;); // This will not print } // The correct way to

281 views • 11 slides
Symbolic Finite Automata Margus Veanes April 5, 2014 VSSE'14, Grenoble, France 1 Overview

Symbolic Finite Automata Margus Veanes April 5, 2014 VSSE'14, Grenoble, France 1 Overview

Applications of Symbolic Finite Automata Margus Veanes April 5, 2014 VSSE'14, Grenoble, France 1 Overview Are SFAs applicable to analysis of software evolution? automata modulo theories S ymbolic Finite Automaton (SFA) Main

887 views • 35 slides
A Closed-loop Model-based Design Approach Based On Automatic Verification and Transformation

A Closed-loop Model-based Design Approach Based On Automatic Verification and Transformation

A Closed-loop Model-based Design Approach Based On Automatic Verification and Transformation Kun Zhang Jonathan Sprinkle Eclipse: fix a fat-finger or type change automatically Electrical and Computer Engineering 2 Eclipse: make warnings go

380 views • 18 slides
Pushdown Automata 7-0 Pushdown Automata The automata we saw so far were

Pushdown Automata 7-0 Pushdown Automata The automata we saw so far were

Griffith University 3130CIT Theory of Computation (Based on slides by Harald Sndergaard of The University of Melbourne) Pushdown Automata 7-0 Pushdown Automata The automata we saw so far were limited by their

368 views • 15 slides
Introduction to Symbolic Verification Methods David Basin Institute of Information Security ETH

Introduction to Symbolic Verification Methods David Basin Institute of Information Security ETH

Introduction to Symbolic Verification Methods David Basin Institute of Information Security ETH Zurich Road map Motivation Basic notions Problems Symbolic models 1 Security protocols Omnipresent Authentication:

827 views • 37 slides

More recommend