to find
play

to Find Safety and Cybersecurity Defects Daniel Kstner, Laurent - PowerPoint PPT Presentation

Jun 04, 2023 •297 likes •531 views

High-Precision Sound Analysis to Find Safety and Cybersecurity Defects Daniel Kstner, Laurent Mauborgne, Stephan Wilhelm, Christian Ferdinand AbsInt GmbH, 2020 2 Functional Safety Demonstration of functional correctness Required by

  1. High-Precision Sound Analysis to Find Safety and Cybersecurity Defects Daniel Kästner, Laurent Mauborgne, Stephan Wilhelm, Christian Ferdinand AbsInt GmbH, 2020

  2. 2 Functional Safety  Demonstration of functional correctness Required by DO-178B / DO-178C /  Well-defined criteria ISO-26262, EN-50128,  Automated and/or model-based testing IEC-61508  Formal techniques: model checking, theorem proving  Satisfaction of safety-relevant non-functional requirements  No runtime errors (e.g. division by zero, overflow, Required by invalid pointer access, out-of-bounds array access) DO-178B / DO-178C /  Resource usage: + Security- ISO-26262, EN-50128,  Timing requirements (e.g. WCET, WCRT) relevant! IEC-61508  Memory requirements (e.g. no stack overflow)  Robustness / freedom of interference (e.g. no corruption of content, incorrect synchronization, illegal read/write accesses)  Insufficient: Tests & Measurements  No specific test cases, unclear test end criteria, no full coverage possible  "Testing, in general, cannot show the absence of errors." [DO-178B]  Formal technique: abstract interpretation.

  3. 3 (Information-/Cyber-) Security Aspects  Confidentiality  Information shall not be disclosed to unauthorized entities  safety-relevant  Integrity  Data shall not be modified in an unauthorized or undetected way  safety-relevant  Availability  Data is accessible and usable upon demand  safety-relevant  Safety In some cases: not safe  not secure In some cases: not secure  not safe

  4. 4 Static Program Analysis  General Definition: results only computed from program structure, without executing the program under analysis.  Categories, depending on analysis depth:  Syntax-based: Coding guideline checkers (e.g. MISRA C)  Semantics-based Question: Is there an error in the program?  False positive: answer wrongly “Yes”  False negative: answer wrongly “No”   Unsound: Bug-finders / bug-hunters.  False positives: possible  False negatives: possible  Sound / Abstract Interpretation-based Example: Astrée  False positives: possible Important: low false alarm rate  No false negatives  Soundness No defect missed

  5. 5 Support for Cybersecurity Analysis  Many security vulnerabilities due to undefined / unspecified behaviors in the programming language semantics:  buffer overflows, invalid pointer accesses, uninitialized memory accesses, data races, etc.  Consequences: denial-of-service / code injection / data breach  In addition:  Checking coding guidelines  Data and Control Flow Analysis  Impact analysis (data safety / “fault” propagation)  Program slicing  Taint analysis  Side channel attacks  SPECTRE detection (Spectre V1/V1.1, SplitSpectre)  …

  6. 6 Runtime Errors and Data Races  Abstract Interpretation-based static runtime error analysis  Astrée detects all runtime errors* with few false alarms:  Array index out of bounds  Int/float division by 0  Invalid pointer dereferences  Uninitialized variables  Arithmetic overflows  Data races  Lock/unlock problems, deadlocks  Floating point overflows, Inf, NaN  Taint analysis (data safety / security), SPECTRE detection  Floating-point rounding errors taken into account  User-defined assertions, unreachable code, non-terminating loops  Check coding guidelines (MISRA C/C++, CERT, CWE, ISO TS 17961) * Defects due to undefined / unspecified behaviors of the programming language

  7. 7 Design of Astrée Partitioning domain Parallel domain Control-flow Abstract Front-end State graph iterator machine domain Memory domain State Value Value … … machine domain domain listener

  8. 8 Finite State Machines: Example 1 int *p; int state = 0; 2 while (1) {env_get(&E); 3 switch (state) { 4 case 0: 5 if (E) state = 1; 6 else state = 2; 7 break ; 0 8 case 1: E 9 state = 3; E 10 p = &state; 11 break ; 1 2 12 case 2: 13 if (E) state = 0; 14 else state = 1; 15 break ; 3 4 16 case 3: 17 *p = 4; 18 break ; 19 case 4: 20 return ; 21 } 22 }

  9. 9 “Normal” Analysis Iter 1 Iter 3 Iter 2 Iter 4 p:{INVALID, p:{INVALID, 1 int *p; int state = 0; &state} &state} p:INVALID p:INVALID 2 while (1) {env_get(&E); State:[0,3] State:[0,4] state:{0} state:[0,2] 3 switch (state) { 4 case 0: 5 if (E) state = 1; p:INVALID p:INVALID p:{INVALID, p:{INVALID, 6 else state = 2; state:{1,2} state:{1,2} &state} &state} 7 break ; state:{1,2} state:{1,2} 8 case 1: 9 state = 3; p:&state p:&state 10 p = &state; p:&state state:{3} state:{3} state:{3} 11 break ; 12 case 2: 13 if (E) state = 0; p:{INVALID, p:{INVALID, p:INVALID 14 else state = 1; &state} &state} 0 state:{0,1} 15 break ; state:{0,1} state:{0,1} 16 case 3: E E 17 *p = 4; p:{INVALID, p:{INVALID, &state} 18 break ; &state} 1 2 state:{3,4} state:{3,4} 19 case 4: 20 return ; ALARM: Invalid p:{INVALID, 21 } &state} pointer dereference 22 } state:{4} 3 4

  10. 10 State Machine Domain  Implements basic disjunction over states  Map: State = 0 Abstract values (all other vars, memory layout…) Top State = 1 Or State Abstract values (all other vars, memory layout…) - Abstract value (all vars, memory State = 3 layout…) Abstract values (all other vars, memory layout…) Transfer functions: applied to each leaf ▷ How do we cover all states and keep them disjoint?

  11. 11 State Machine Listener Domain  Dedicated domain, below memory layout domain  Keeps track of memory blocks associated with state machine variable keys  Manual and/or automatic (heuristic) state variable detection  Start following variable ( __ASTREE_states_track )  Stop following variable when merging all state machine states ( __ASTREE_states_merge )  For each transfer function (assignment, memcpy ,…), check if value changes for a state variable key  Each time a state variable is modified  Compute new set of values  Re-compute disjunctions, join states with same values

  12. 12 FSM Analysis Iter 1 state 1 int *p; int state = 0; 2 while (1) {env_get(&E); 0 3 switch (state) { p:INVALID 4 case 0: E: {T,F} 5 if (E) state = 1; 6 else state = 2; 7 break ; state 8 case 1: 9 state = 3; 1 2 10 p = &state; 11 break ; p:INVALID p:INVALID 12 case 2: E: T E: F 13 if (E) state = 0; 14 else state = 1; 0 15 break ; 16 case 3: E E 17 *p = 4; 18 break ; 1 2 19 case 4: 20 return ; 21 } 22 } 3 4

  13. 13 FSM Analysis Iter 2 state 1 int *p; int state = 0; 0 2 2 while (1) {env_get(&E); 1 3 switch (state) { p:INVALID p:INVALID p:INVALID 4 case 0: E: {T,F} E: {T,F} E: {T,F} 5 if (E) state = 1; 6 else state = 2; 7 break ; state 8 case 1: 9 state = 3; 1 2 10 p = &state; state p:INVALID p:INVALID 11 break ; E: T E: F 12 case 2: 3 13 if (E) state = 0; p:&state 14 else state = 1; 0 state E: {T,F} 15 break ; 16 case 3: 0 1 E E 17 *p = 4; p:INVALID p:INVALID 18 break ; 1 2 E: F E: T 19 case 4: 20 return ; 21 } 22 } 3 4

  14. 14 FSM Analysis Iter 3 state 1 int *p; int state = 0; 0 3 2 while (1) {env_get(&E); 2 1 3 switch (state) { p:INVALID p:&state p:INVALID p:INVALID 4 case 0: E: {T,F} E: {T,F} E: {T,F} E: {T,F} 5 if (E) state = 1; 6 else state = 2; 7 break ; state 8 case 1: 9 state = 3; 1 2 10 p = &state; state p:INVALID p:INVALID 11 break ; E: T E: F 12 case 2: 3 13 if (E) state = 0; p:&state 14 else state = 1; 0 state E: {T,F} 15 break ; 16 case 3: 0 1 E E 17 *p = 4; p:INVALID p:INVALID state 18 break ; 1 2 E: T E: F 19 case 4: 4 20 return ; 21 } p:&state 22 } E: {T,F} 3 4

  15. 15 FSM Analysis Iter 4 4 p:&state state 1 int *p; int state = 0; E: {T,F} 0 3 2 while (1) {env_get(&E); 2 1 3 switch (state) { p:INVALID p:&state p:INVALID p:INVALID 4 case 0: E: {T,F} E: {T,F} E: {T,F} E: {T,F} 5 if (E) state = 1; 6 else state = 2; 7 break ; state 8 case 1: 9 state = 3; 1 2 10 p = &state; state p:INVALID p:INVALID 11 break ; E: T E: F 12 case 2: 3 13 if (E) state = 0; p:&state 14 else state = 1; 0 state E: {T,F} 15 break ; 16 case 3: 0 1 E E 17 *p = 4; p:INVALID p:INVALID state 18 break ; 1 2 E: T E: F 19 case 4: 4 20 return ; 21 } p:&state state state 22 } E: {T,F} 4 4 3 4 p:&state p:&state E: {T,F} E: {T,F}

  16. 16 Experimental Results *: state machine automatically detected by Astrée I: industrial code TL: code generated by dSPACE TargetLink Sc: code generated by SCADE wo/: without FSM domain; w/: with FSM domain With FSM domain, zero false alarms due to imprecision caused by state  machine code structures. Max observed increase in RAM: 40% (B5), max decrease: 48% (B1)  Analysis time typically increases, but can also decrease as higher  precision prevents spurious paths/values from being analyzed.

  17. 17 Taint Analysis  Purpose: Static analysis to track flow of tainted values through program.  Concepts:  Tainted source: origin of tainted values  Restricted sink: operands and arguments to be protected from tainted values  Sanitization: remove taint from value, e.g. by replacement or termination  User interaction to identify tainted sources and sinks.  Applications:  Information Flow (Confidentiality / Information Leaks)  Propagation of Error Values (Data and Control Flow)  Data Safety

Recommend

[2/2] Find scary C++ bugs before they find you Konstantin Serebryany, Google May 2014

[2/2] Find scary C++ bugs before they find you Konstantin Serebryany, Google May 2014

[1/2] Fantastic C++ Bugs and Where to Find Them [2/2] Find scary C++ bugs before they find you Konstantin Serebryany, Google May 2014 @compsciclub.ru Agenda AddressSanitizer (aka ASan) detects use-after-free and buffer overflows

742 views • 55 slides
Lesson 1.6: Finding text on a web page Suppose you want to find your time in the local 8K

Lesson 1.6: Finding text on a web page Suppose you want to find your time in the local 8K

Lesson 1.6: Finding text on a web page Suppose you want to find your time in the local 8K race Its easy to find the page but then what? How do you find a word on the page? Control-F aka CMD-F aka Edit>Find CMD-F Find works

362 views • 9 slides
Focus on pages 16-17 In the next five minutes I would like you to try and find examples of any

Focus on pages 16-17 In the next five minutes I would like you to try and find examples of any

Focus on pages 16-17 In the next five minutes I would like you to try and find examples of any nouns, verbs, adjectives and adverbs and fill up your grid. Silver Bronze Noun (N) Verb (V) Adjective (Aj) Adverb (Av) Find 2 Find 2 examples of

447 views • 6 slides
Everything Else Find all substrings Weve learned how to find the first location of a

Everything Else Find all substrings Weve learned how to find the first location of a

Everything Else Find all substrings Weve learned how to find the first location of a string in another string with find . What about finding all matches? Start by looking at the documentation. S.find(sub [,start [,end]]) -> int

265 views • 25 slides
dyslexia Today you will: Experience dyslexia Find out what dyslexia is Find out how to get a

dyslexia Today you will: Experience dyslexia Find out what dyslexia is Find out how to get a

dyslexia Today you will: Experience dyslexia Find out what dyslexia is Find out how to get a diagnosis Learn an effective way to teach dyslexics Nancy Blaskewicz nanblask@aol.com 1 2 One day John and Bob went for a walk. What

613 views • 24 slides
WorkshopQ WHO WE ARE We design. We create. We visualize. We find the chaos in the calm. We

WorkshopQ WHO WE ARE We design. We create. We visualize. We find the chaos in the calm. We

WorkshopQ WHO WE ARE We design. We create. We visualize. We find the chaos in the calm. We find the bumps in the seamless. We see the incoherent in the coherent. We upcycle. We recycle. We sustain. We find what we can upcycle. We find

736 views • 26 slides
Feature Assembly Find out what, why and how in 5 steps. Find out what, why and how in 5 steps.

Feature Assembly Find out what, why and how in 5 steps. Find out what, why and how in 5 steps.

Feature Assembly Find out what, why and how in 5 steps. Find out what, why and how in 5 steps. Move from Creating products To .. Assembling products Step 1: Turn your challenge into an opportunity How to anticipate and manage complexity

496 views • 38 slides
Rates Rates are used to find absolute amounts. Examples: Sales tax rate used to find

Rates Rates are used to find absolute amounts. Examples: Sales tax rate used to find

Rates Rates are used to find absolute amounts. Examples: Sales tax rate used to find sales tax Interest Rate used to find interest Speed used to find distance Percent The language of percents is often used to describe

697 views • 5 slides
RSA Parameter Generation Bob needs to: - find 2 large primes p,q - find e s.t. gcd(e, (pq))=1

RSA Parameter Generation Bob needs to: - find 2 large primes p,q - find e s.t. gcd(e, (pq))=1

RSA Parameter Generation Bob needs to: - find 2 large primes p,q - find e s.t. gcd(e, (pq))=1 Good news: - primes are fairly common: there are about N/ln N primes N Exercise: If looking for a 512-bit prime, how many randomly generated

358 views • 10 slides
Chapter 3-7 2, find the corresponding domino gate using a PDN net 3, find the Euler path for the

Chapter 3-7 2, find the corresponding domino gate using a PDN net 3, find the Euler path for the

Parameters from a Digital IC-Design Problem 0.35 um process 1, draw the static transistor schematic for the function f = (A+BC)D Chapter 3-7 2, find the corresponding domino gate using a PDN net 3, find the Euler path for the PDN and draw

371 views • 12 slides
Find out more at voice21.org Aim ims Why oracy should be at the heart of your

Find out more at voice21.org Aim ims Why oracy should be at the heart of your

Who ho are Vo Voice 21? 21? Voice 21 is a national charity that exists to enable teachers and schools to provide a high quality oracy education so that all young people can find their voice for success in school and life. Find out more

399 views • 22 slides
People Businesses Higher Ed Find

People Businesses Higher Ed Find

People Businesses Higher Ed Find workers who grew up or have relatives in your area Find high school and college alumni Identify individuals outside your region who are ready to

668 views • 48 slides
Welcome! elcome! Grab a b a pla plate te and and a a drink drink Find Find a s a

Welcome! elcome! Grab a b a pla plate te and and a a drink drink Find Find a s a

Welcome! elcome! Grab a b a pla plate te and and a a drink drink Find Find a s a sea eat t and and wor ork k on the on the activ activities ities as as you ou ea eat ONLY dad Y dads write rite your our name name

279 views • 12 slides
WARMUP (10, -4) AND (6, 0) FIND THE DISTANCE BETWEEN THE 2 POINTS. FIND THE SLOPE

WARMUP (10, -4) AND (6, 0) FIND THE DISTANCE BETWEEN THE 2 POINTS. FIND THE SLOPE

WARMUP (10, -4) AND (6, 0) FIND THE DISTANCE BETWEEN THE 2 POINTS. FIND THE SLOPE BETWEEN THESE 2 POINTS. FIND THE MIDPOINT. POINTS, LINES, AND PLANES Agenda: Warmup Points, Lines, and Planes Notes Quick Check

444 views • 13 slides
Example: Find intervals where the function f ( x ) = x 2 16 x is increasing, where it is

Example: Find intervals where the function f ( x ) = x 2 16 x is increasing, where it is

Mt 020.02 Slide 1 on 3/22/00 Example: Find intervals where the function f ( x ) = x 2 16 x is increasing, where it is decreasing and find its relative extreme values. Solution: Make a sign chart for the derivative function f ' ( x ) = 2 x +

247 views • 8 slides
Part I (B) Find the hidden parameter! (Fixed parameter tractable problems) (C) Find an approximate

Part I (B) Find the hidden parameter! (Fixed parameter tractable problems) (C) Find an approximate

Hard Problems What do you do when your problem is NP-Hard ? Give up? (A) Solve a special case! Part I (B) Find the hidden parameter! (Fixed parameter tractable problems) (C) Find an approximate solution. Traveling Salesperson Problem (D) Find a

546 views • 5 slides
Implementing Todays lecture: the UNION-FIND ADT Basic implementation of the UNION-FIND

Implementing Todays lecture: the UNION-FIND ADT Basic implementation of the UNION-FIND

10/27/2016 The plan Last lecture: Disjoint sets CSE373: Data Structures and Algorithms The UNION-FIND ADT for disjoint sets Implementing Todays lecture: the UNION-FIND ADT Basic implementation of the UNION-FIND ADT with

371 views • 5 slides
information retrieval find documents find documents in response to user query find

information retrieval find documents find documents in response to user query find

Search indexing the web information retrieval find documents find documents in response to user query find relevant documents in response to user query quickly find relevant documents in response to user query Key steps

420 views • 13 slides
Find Us! Find Us! Find Us! Find Us! Like Us! Like Us! Interact With Us! Interact With Us!

Find Us! Find Us! Find Us! Find Us! Like Us! Like Us! Interact With Us! Interact With Us!

Find Us! Find Us! Find Us! Find Us! Like Us! Like Us! Interact With Us! Interact With Us! Come To Our Events! Come To Our Events! Come To Our Events! Come To Our Events! Post Your Thoughts! Post Your Thoughts! Questions?

267 views • 15 slides
Example: Let g(x) = x 3 + 2. a) Find g'(x) for any x value. b) Find g'(2) = slope of the

Example: Let g(x) = x 3 + 2. a) Find g'(x) for any x value. b) Find g'(2) = slope of the

temp.nb 1 Example: Let g(x) = x 3 + 2. a) Find g'(x) for any x value. b) Find g'(2) = slope of the tangent line to the graph y=g(x) at the point (2,g(2)). c) Determine the equation of the line tangent to the graph of y=g(x) at the point

327 views • 4 slides
My contact details: AmirTaaki.org Signal: +44 7873170866 amir@dyne.org Twitter: @AmirPolyteknik

My contact details: AmirTaaki.org Signal: +44 7873170866 amir@dyne.org Twitter: @AmirPolyteknik

My contact details: AmirTaaki.org Signal: +44 7873170866 amir@dyne.org Twitter: @AmirPolyteknik My aims Find sponsors Find a place for our hackers academy Find partner organizations to develop new technology projects with Find

539 views • 7 slides
Is your Find a Doctor everything it can be? Ranked #1 in most pediatric specialties in Illi

Is your Find a Doctor everything it can be? Ranked #1 in most pediatric specialties in Illi

Is your Find a Doctor everything it can be? Ranked #1 in most pediatric specialties in Illi Illinois i V Voted one of the best places to work d f h b l k FIND A DOCTOR FIND A DOCTOR Research Research Usability studies &

952 views • 55 slides
ORIGINAL PROMOTIONAL PRODUCTS October 2017 FIND-E SMART BLUETOOTH F NDER FIND-E is a smart

ORIGINAL PROMOTIONAL PRODUCTS October 2017 FIND-E SMART BLUETOOTH F NDER FIND-E is a smart

ORIGINAL PROMOTIONAL PRODUCTS October 2017 FIND-E SMART BLUETOOTH F NDER FIND-E is a smart device that helps you keep track of your most important belongings. It instantly alerts you if you leave your keys, wallet or nearly anything else

501 views • 24 slides
Parallelizing Union-Find in Constraint Handling Rules Using Confluence Analysis Thom Fr

Parallelizing Union-Find in Constraint Handling Rules Using Confluence Analysis Thom Fr

Introduction Basic Union-Find Optimal Union-Find Conclusion Parallelizing Union-Find in Constraint Handling Rules Using Confluence Analysis Thom Fr uhwirth Faculty of Computer Science University of Ulm, Germany

770 views • 40 slides

More recommend