ABSTRACT
Low-level code is challenging: it lacks structure, it uses jumps and symbolic addresses, the control flow is often highly optimized, and registers and memory locations may be reused in ways that make typing extremely challenging. Information flow properties create additional complications: they are hyperproperties relating multiple executions, and the possibility of interrupts and concurrency, together with the use of devices and features like memory-mapped I/O, requires a departure from the usual initial-state final-state account of noninterference. In this work we propose a novel approach to relational verification for machine code. Verification goals are expressed as equivalence of traces decorated with observation points. Relational verification conditions are propagated between observation points using symbolic execution, and discharged using first-order reasoning. We have implemented an automated tool that integrates with SMT solvers to automate the verification task. The tool transforms ARMv7 binaries into an intermediate, architecture-independent format using the BAP toolset by means of a verified translator. We demonstrate the capabilities of the tool on a separation kernel system call handler, which mixes hand-written assembly with gcc-optimized output, a UART device driver and a crypto service modular exponentiation routine.