research-article

Automating Information Flow Analysis of Low Level Code

Authors:
Musard Balliu

KTH Royal Institute of Technology, Stockholm, Sweden

KTH Royal Institute of Technology, Stockholm, Sweden
View Profile

,
Mads Dam

KTH Royal Institute of Technology, Stockholm, Sweden

KTH Royal Institute of Technology, Stockholm, Sweden
View Profile

,
Roberto Guanciale

KTH Royal Institute of Technology, Stockholm, Sweden

KTH Royal Institute of Technology, Stockholm, Sweden
View Profile

CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications SecurityNovember 2014Pages 1080–1091https://doi.org/10.1145/2660267.2660322

Published:03 November 2014Publication History

CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security

Pages 1080–1091

ABSTRACT

Low level code is challenging: It lacks structure, it uses jumps and symbolic addresses, the control flow is often highly optimized, and registers and memory locations may be reused in ways that make typing extremely challenging. Information flow properties create additional complications: They are hyperproperties relating multiple executions, and the possibility of interrupts and concurrency, and use of devices and features like memory-mapped I/O requires a departure from the usual initial-state final-state account of noninterference. In this work we propose a novel approach to relational verification for machine code. Verification goals are expressed as equivalence of traces decorated with observation points. Relational verification conditions are propagated between observation points using symbolic execution, and discharged using first-order reasoning. We have implemented an automated tool that integrates with SMT solvers to automate the verification task. The tool transforms ARMv7 binaries into an intermediate, architecture-independent format using the BAP toolset by means of a verified translator. We demonstrate the capabilities of the tool on a separation kernel system call handler, which mixes hand-written assembly with gcc-optimized output, a UART device driver and a crypto service modular exponentiation routine.

References

O. Aciicmez and Cetin Kaya Koç. Microarchitectural attacks and countermeasures. In Cryptographic Engineering, pages 475--504. 2009.Google ScholarCross Ref
J. Agat. Transforming out timing leaks. In POPL, pages 40--53, 2000. Google ScholarDigital Library
E. Alkassar, M. A. Hillebrand, S. Knapp, R. Rusev, and S. Tverdyshev. Formal device and programming model for a serial interface. In VERIFY, 2007.Google Scholar
ARMv7-A architecture reference manual.Google Scholar
T. Avgerinos, S. K. Cha, B. L. T. Hao, and D. Brumley. Aeg: Automatic exploit generation. In NDSS, 2011.Google Scholar
G. Balakrishnan and T. Reps. Wysinwyx: What you see is not what you execute. ACM Trans. Program. Lang. Syst., 32:23:1--23:84, August 2010. Google ScholarDigital Library
M. Balliu, M. Dam, and G. L. Guernic. Epistemic Temporal Logic for Information Flow Security. In Proceedings of the ACM SIGPLAN Programming Languages and Analysis for Security, june 2011. Google ScholarDigital Library
M. Balliu, M. Dam, and G. L. Guernic. ENCoVer: Symbolic Exploration for Information Flow Security. In Proceedings of the IEEE Computer Security Foundations Symposium, pages 30--44, june 2012. Google ScholarDigital Library
M. Barnett and K. R. M. Leino. Weakest-precondition of unstructured programs. In PASTE, pages 82--87, 2005. Google ScholarDigital Library
G. Barthe, J. M. Crespo, and C. Kunz. Relational verification using product programs. In FM, pages 200--214, 2011. Google ScholarDigital Library
G. Barthe, P. R. D'Argenio, and T. Rezk. Secure information flow by self-composition. Mathematical Structures in Computer Science, 21(6):1207--1252, 2011. Google ScholarDigital Library
G. Barthe, D. Pichardie, and T. Rezk. A certified lightweight non-interference java bytecode verifier. In Proceedings of the 16th European Conference on Programming, ESOP'07, pages 125--140, Berlin, Heidelberg, 2007. Springer-Verlag. Google ScholarDigital Library
J. Brown and T. F. Knight Jr. A minimal trusted computing base for dynamically ensuring secure information flow. 2001.Google Scholar
D. Brumley, I. Jager, T. Avgerinos, and E. J. Schwartz. Bap: A binary analysis platform. In CAV, pages 463--469, 2011. Google ScholarDigital Library
D. Brumley, I. Jager, E. J. Schwartz, and S. Whitman. The bap handbook. http://bap.ece.cmu.edu/doc/bap.pdf, October 2013.Google Scholar
D. Brumley, H. Wang, S. Jha, and D. X. Song. Creating vulnerability signatures using weakest preconditions. In CSF, pages 311--325, 2007. Google ScholarDigital Library
D. Caselden, A. Bazhanyuk, M. Payer, S. McCamant, and D. Song. Hi-cfg: Construction by binary analysis and application to attack polymorphism. In ESORICS, pages 164{181, 2013.Google ScholarCross Ref
S. K. Cha, T. Avgerinos, A. Rebert, and D. Brumley. Unleashing mayhem on binary code. In IEEE Symposium on Security and Privacy, pages 380--394, 2012. Google ScholarDigital Library
M. Dam, R. Guanciale, N. Khakpour, H. Nemati, and O. Schwarz. Formal verification of information flow security for a simple arm-based separation kernel. In ACM Conference on Computer and Communications Security, pages 223--234, 2013. Google ScholarDigital Library
M. Dam, R. Guanciale, and H. Nemati. Machine code verification of a tiny arm hypervisor. In TrustED@CCS, pages 3--12, 2013. Google ScholarDigital Library
A. A. de Amorim, N. Collins, A. DeHon, D. Demange, C. Hritcu, D. Pichardie, B. C. Pierce, R. Pollack, and A. Tolmach. A verified information-flow architecture. In POPL, pages 165--178, 2014. Google ScholarDigital Library
E. W. Dijkstra. Guarded commands, nondeterminacy and formal derivation of programs. Commun. ACM, 18(8):453--457, Aug. 1975. Google ScholarDigital Library
J. Duan and J. Regehr. Correctness proofs for device drivers in embedded systems. In Proceedings of the 5th International Conference on Systems Software Verification, SSV'10, pages 5--5, Berkeley, CA, USA, 2010. USENIX Association. Google ScholarDigital Library
V. Ganesh and D. L. Dill. A decision procedure for bit-vectors and arrays. In Proc. CAV'07, volume 4590 of Lecture Notes in Computer Science, pages 519--531. Springer, 2007. Google ScholarDigital Library
J. A. Goguen and J. Meseguer. Security policies and security models. In Proc. IEEE Symp. on Security and Privacy, pages 11--20, Los Alamitos, Calif., 1982. IEEE Comp. Soc. Press.Google ScholarCross Ref
D. Hedin and D. Sands. Timing aware information flow security for a javacard-like bytecode. Electr. Notes Theor. Comput. Sci., 141(1):163--182, 2005. Google ScholarDigital Library
C. L. Heitmeyer, M. Archer, E. I. Leonard, and J. Mclean. Formal specification and verification of data separation in a separation kernel for an embedded system. In CCS, pages 346--355. ACM, 2006. Google ScholarDigital Library
HOL4. http://hol.sourceforge.net/.Google Scholar
C. Hritcu, M. Greenberg, B. Karel, B. C. Pierce, and G. Morrisett. All your ifcexception are belong to us. In IEEE Symposium on Security and Privacy, pages 3--17, 2013. Google ScholarDigital Library
M. Kovacs, H. Seidl, and B. Finkbeiner. Relational abstract interpretation for the verification of 2-hypersafety properties. In ACM Conference on Computer and Communications Security, pages 211--222, 2013. Google ScholarDigital Library
G. Le Guernic. Confidentiality Enforcement Using Dynamic Information Flow Analyses. PhD thesis, Kansas State University, 2007. Google ScholarDigital Library
J. McLean. Proving noninterference and functional correctness using traces. Journal of Computer Security, 1(1):37--58, 1992.Google ScholarDigital Library
R. Medel, A. Compagnoni, and E. Bonelli. A typed assembly language for non-interference. In Proceedings of the 9th Italian Conference on Theoretical Computer Science, ICTCS'05, pages 360--374. Springer-Verlag, 2005. Google ScholarDigital Library
D. Molnar, M. Piotrowski, D. Schultz, and D. Wagner. The program counter security model: Automatic detection and removal of control-flow side channel attacks. In ICISC, pages 156{168, 2005. Google ScholarDigital Library
D. Monniaux. Verification of device drivers and intelligent controllers: a case study. In EMSOFT, pages 30--36, 2007. Google ScholarDigital Library
T. C. Murray, D. Matichuk, M. Brassil, P. Gammie, and G. Klein. Noninterference for operating system kernels. In CPP, pages 126--142, 2012. Google ScholarDigital Library
J. Newsome and D. X. Song. Dynamic taint analysis for automatic detection, analysis, and signaturegeneration of exploits on commodity software. In NDSS, 2005.Google Scholar
N. Partush and E. Yahav. Abstract semantic differencing for numerical programs. In SAS, pages 238--258, 2013.Google ScholarCross Ref
D. A. Ramos and D. R. Engler. Practical, low-effort equivalence verification of real code. In CAV, pages 669--685, 2011. Google ScholarDigital Library
T. W. Reps, J. Lim, A. V. Thakur, G. Balakrishnan, and A. Lal. There's plenty of room at the bottom: Analyzing and verifying machine code. In CAV, pages 41--56, 2010. Google ScholarDigital Library
R. Richards. Modeling and security analysis of a commercial real-time operating system kernel. In D. S. Hardin, editor, Design and Verification of Microprocessor Systems for High-Assurance Applications, pages 301--322. Springer US, 2010.Google ScholarCross Ref
A. Sabelfeld and A. Myers. Language-based information-flow security. IEEE J. on Selected Areas in Communications, 21(1):5--19, 2003. Google ScholarDigital Library
P. Saxena, P. Poosankam, S. McCamant, and D. Song. Loop-extended symbolic execution on binary programs. In ISSTA, pages 225--236, 2009. Google ScholarDigital Library
R. Sharma, E. Schkufza, B. R. Churchill, and A. Aiken. Data-driven equivalence checking. In OOPSLA, pages 391--406, 2013. Google ScholarDigital Library
D. Song, D. Brumley, H. Yin, J. Caballero, I. Jager, M. G. Kang, Z. Liang, J. Newsome, P. Poosankam, and P. Saxena. BitBlaze: A new approach to computer security via binary analysis. In Proceedings of the 4th International Conference on Information Systems Security. Keynote invited paper., Hyderabad, India, Dec. 2008. Google ScholarDigital Library
G. E. Suh, J. W. Lee, D. Zhang, and S. Devadas. Secure program execution via dynamic information flow tracking. In ACM SIGOPS Operating Systems Review, volume 38, pages 85--96. ACM, 2004. Google ScholarDigital Library
T. Terauchi and A. Aiken. Secure information flow as a safety problem. In SAS, pages 352--367, 2005. Google ScholarDigital Library
A. V. Thakur, J. Lim, A. Lal, A. Burton, E. Driscoll, M. Elder, T. Andersen, and T. W. Reps. Directed proof generation for machine code. In CAV, pages 288--305, 2010. Google ScholarDigital Library
D. Zhang, A. Askarov, and A. C. Myers. Language-based control and mitigation of timing channels. In PLDI, pages 99--110, 2012. Google ScholarDigital Library

Index Terms

Automating Information Flow Analysis of Low Level Code

Recommendations

Formal verification of information flow security for a simple arm-based separation kernel
CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security

A separation kernel simulates a distributed environment using a single physical machine by executing partitions in isolation and appropriately controlling communication among them. We present a formal verification of information flow security for a ...
Read More
Automatic formal verification for scheduled VLIW code

VLIW processors are attractive for many embedded applications, but VLIW code scheduling, whether by hand or by compiler, is extremely challenging. In this paper, we extend previous work on automated verification of low-level software to handle the ...
Read More
Automatic formal verification for scheduled VLIW code
LCTES/SCOPES '02: Proceedings of the joint conference on Languages, compilers and tools for embedded systems: software and compilers for embedded systems

VLIW processors are attractive for many embedded applications, but VLIW code scheduling, whether by hand or by compiler, is extremely challenging. In this paper, we extend previous work on automated verification of low-level software to handle the ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security
November 2014
1592 pages
ISBN:9781450329576
DOI:10.1145/2660267
General Chair:
Gail-Joon Ahn
Arizona State University, USA
,
Program Chairs:
Moti Yung
Google -- Columbia University, USA
,
Ninghui Li
Purdue University, USA
Copyright © 2014 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 3 November 2014
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
formal verification
information flow security
machine code
symbolic execution
Qualifiers
- research-article
Conference

Acceptance Rates
CCS '14 Paper Acceptance Rate114of585submissions,19%Overall Acceptance Rate1,261of6,999submissions,18%
More
Upcoming Conference
CCS '24

Sponsor:

sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 27
  Total Citations
  View Citations
- 583
  Total Downloads
- Downloads (Last 12 months)22
- Downloads (Last 6 weeks)2
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.