crema research briefing
play

Crema Research Briefing Jacob Torrey & Mark Bridgman May 21, - PowerPoint PPT Presentation

Apr 14, 2023 •28 likes •278 views

Crema Research Briefing Jacob Torrey & Mark Bridgman May 21, 2015 The views, opinions, and/or findings contained in this presentation are those of the authors and should not be interpreted as representing the official views or policies of

  1. Crema Research Briefing Jacob Torrey & Mark Bridgman May 21, 2015 The views, opinions, and/or findings contained in this presentation are those of the authors and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government. 1 Unclassified 153 Brooks Road, Rome, NY | 315.336.3306 | http://ainfosec.com

  2. In a Nutshell } What are we doing? Crema was a program to explore the sub-Turing complete (TC) programming languages and execution environments. By restricting the computational expressiveness of programs to the minimum needed to perform the programmer’s intent, “Weird machines” can be eliminated and more powerful formal methods explored OR Give the developers the programming tools to make development of safer & more secure software easier and automated analysis problems easier Unclassified 153 Brooks Road, Rome, NY | 315.336.3306 | http://ainfosec.com

  3. Objective } Crema aimed to demonstrate the feasibility and security benefits of general purpose sub-TC programming languages ◦ Create a language and corresponding execution environment that is purposefully sub-TC ◦ Explore computing tasks that explicitly need Turing completeness and how to logically isolate them } Explore the impact on formal methods when the computational models are restricted ◦ With Crema, software can be analyzed with more granularity and/or at larger scale ◦ Analyses undecidable for TC languages may be possible Unclassified 153 Brooks Road, Rome, NY | 315.336.3306 | http://ainfosec.com

  4. Background Information } Weird Machines } LLVM ◦ Modular and abstracted open-source compilation tool-chain ◦ Compiles to immediate representation (IR) for advanced optimization and static analysis/symbolic execution } KLEE ◦ Performs symbolic execution using LLVM IR ◦ Executes most/all code paths in program to explore for crash/error states Unclassified 153 Brooks Road, Rome, NY | 315.336.3306 | http://ainfosec.com

  5. Problem Statement } TC languages provide more expressiveness than most programmers need for most tasks ◦ This often leads to unintended emergent behaviors or "weird machines” programmed by attacker } The majority of general purpose programming languages are designed to be TC and are susceptible to weird machine behavior } Turing completeness and the Halting problem makes certain forms of formal methods/program analysis undecidable or intractable, decreasing software quality Unclassified 153 Brooks Road, Rome, NY | 315.336.3306 | http://ainfosec.com

  6. “Circle of Bugs” Complex Complex data format parser Ineffective Hard “signatures”, analysis restrictions tasks Undetected bugs/ emergent properties Unclassified 153 Brooks Road, Rome, NY | 315.336.3306 | http://ainfosec.com

  7. Input Parsing is Safety- Critical } Problem: code receives attacker-controlled inputs, inputs drive execution flow, system enters untrustworthy state (often enabling arbitrary computation by attacker) ◦ General computation model is needed for input handling (model must at least match practice!) } Predicting behavior of a complex code (e.g., parsers) on inputs is hard to impossible } Software verification: producing proofs that software remains in the safe, intended state no matter what the inputs ◦ Challenge: state explosion, some properties cannot be established or proved algorithmically Unclassified 153 Brooks Road, Rome, NY | 315.336.3306 | http://ainfosec.com

  8. “Undecidability Cliff” } The more powerful/expressive an execution environment is, the harder it is to analyze } Automated analysis tends to become provably impossible after a complexity threshold ◦ Hierarchies of complexity exist to describe such thresholds } Undecidability "cliff": ◦ Automatically recognizing whether a TC program halts or loops forever is impossible ◦ Automatically verifying if two parsers are equivalent becomes undecidable at "non-deterministic context free” Unclassified 153 Brooks Road, Rome, NY | 315.336.3306 | http://ainfosec.com

  9. Technical Approach } Developed proof-of-concept sub-TC language front- end for LLVM ◦ Designed to be general purpose and minimal learning curve ◦ Could be used as parser “bridge” into a formal type system ◦ Used in transducers/ parsers that convert input into structured data } Explore sub-TC space from LangSec perspective ◦ How the lack of halting problem reduces weird machines ◦ Limits power given to attackers in the event of compromise } Explore program analysis improvements ◦ More granular checks are now possible to verify correctness ◦ State-space growth shown to be slower/SMT problems easier Unclassified 153 Brooks Road, Rome, NY | 315.336.3306 | http://ainfosec.com

  10. Results And Impact } Prototype language (Crema) ◦ Sub-TC ◦ Easy to learn ◦ Capable of performing most* programming tasks ◦ Open source (https://github.com/ainfosec/crema) } KLEE on C versus Crema highlights benefit for state- space explosion Unclassified 153 Brooks Road, Rome, NY | 315.336.3306 | http://ainfosec.com

  11. Crema Example } “FizzBuzz” int hundred[] = crema_seq(1, 100) foreach(hundred as i) { int_print(i) str_print(" ") if (i % 3 == 0) { str_print("Fizz") } if (i % 5 == 0) { str_print("Buzz") } str_println(" ") } Unclassified 153 Brooks Road, Rome, NY | 315.336.3306 | http://ainfosec.com

  12. State-Space Growth } Symbolic input length vs. number of paths to search Unclassified 153 Brooks Road, Rome, NY | 315.336.3306 | http://ainfosec.com

  13. State-Space Growth II } Paths to search as function of time: Unclassified 153 Brooks Road, Rome, NY | 315.336.3306 | http://ainfosec.com

  14. State-Space Growth II } Instruction Coverage* Unclassified 153 Brooks Road, Rome, NY | 315.336.3306 | http://ainfosec.com

  15. State-Space Growth (cont.) } Qmail C-language parser versus Crema parser for SMTP: ◦ SMT solving time creates bottle-neck Parser Execution Max. States Instruction Branch Time (s) Coverage (%) Coverage (%) Qmail C 31.50 678 44.47 33.96 Crema 28.67 76 61.97 37.74 Unclassified 153 Brooks Road, Rome, NY | 315.336.3306 | http://ainfosec.com

  16. Reference Monitor Implications } Reference monitors are automatons recognizing a language of events } Currently are prefix-based (can only identify bad patterns of events early) } With a Walther-recursive model, can strengthen the “power” of the reference monitors to a larger language set Unclassified 153 Brooks Road, Rome, NY | 315.336.3306 | http://ainfosec.com

  17. Impact } Break the cycle of complexity } Provides ability to verify software previously out of range for contemporary methods } Automatically limits risks incurred through poor programming practices } Answers key questions and provides empirical data on restricted computational models Unclassified 153 Brooks Road, Rome, NY | 315.336.3306 | http://ainfosec.com

  18. Future Work } Restricting JIT compilation model in LLVM/HW ◦ While the program source may be sub-TC, an attacker may be able to inject TC LLVM IR ◦ FPGA or customizable CPU environment • Crema LangSec paper modeled a CPU environment with a bit set to enforce “forward-only execution” of loop-unrolled programs • Bring Crema benefits to hardware and embedded } More powerful formal methods tools ◦ What is possible now that was once infeasible? • When there is no concerns over termination and undecidability, what FM techniques can now be implemented/made tractable ◦ GCC/LVVM static analysis hinting to programmers to use restricted semantics • “Please write this portion in Crema” Unclassified 153 Brooks Road, Rome, NY | 315.336.3306 | http://ainfosec.com

  19. Future Work (cont.) } Automatic source conversion/TC detection ◦ Translate existing source where possible ◦ Identifying TC regions or where human-in-the-loop is needed } Identify security-sensitive code regions, specifically for handling input parsing and limiting expressiveness in those regions ◦ Easy for programmers to create code that cannot be analyzed; Crema provides framework to describe semantics to verifier ◦ “IR” for representing verification hints and challenges ◦ Lessens expertise required for formal verification } Hammer port to Crema ◦ Formally verified reference implementations of parsers } Solve P=NP to reduce SMT solving times ;) Unclassified 153 Brooks Road, Rome, NY | 315.336.3306 | http://ainfosec.com

  20. Summary } Re-envision programming language development ◦ Prevent feature-creep in formal language development as we do in software development ◦ Powerful enough for many tasks, easy enough for analysis/ verification – the “sweet spot” • The only safe method for input-driven programs } Analyze sub-TC languages and environments through lens of LangSec } Explored new capabilities for formal methods ◦ Analysis highlighted benefits of restricted environment vis-à-vis verification state-space growth Unclassified 153 Brooks Road, Rome, NY | 315.336.3306 | http://ainfosec.com

  21. Acknowledgments } We would like to thank DARPA and Dr. John Everett for sponsoring this work } Additional thanks to Sergey Bratus, Halvar Flake and Julien Vanegue for their input and support of this work Unclassified 153 Brooks Road, Rome, NY | 315.336.3306 | http://ainfosec.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Muonic news Muonic hydrogen and deuterium Randolf Pohl Randolf Pohl JGU, Mainz MPQ, Garching

Muonic news Muonic hydrogen and deuterium Randolf Pohl Randolf Pohl JGU, Mainz MPQ, Garching

Shrinking the Proton Laser spectroscopy for nuclear physics and fundamental constants Muonic news Muonic hydrogen and deuterium Randolf Pohl Randolf Pohl JGU, Mainz MPQ, Garching for the CREMA collaboration 1 Collaborators CREMA (Charge

1.63k views • 124 slides
International collaboration CREMA - Charge Radius Experiments with Muonic Atoms General goals:

International collaboration CREMA - Charge Radius Experiments with Muonic Atoms General goals:

International collaboration CREMA - Charge Radius Experiments with Muonic Atoms General goals: Laser spectroscopy of muonic atoms Determination of the Lamb shift and assessment of the nuclear size and other nuclear properties. Coimbra,

277 views • 12 slides
Staff Briefing Proposal for the Organisation of Research Administration Services: HDR and

Staff Briefing Proposal for the Organisation of Research Administration Services: HDR and

Staff Briefing Proposal for the Organisation of Research Administration Services: HDR and Research Publication Administration Research Management Business Transformation Project Professor Peter Hj Vice-Chancellor and President Timeline to

374 views • 26 slides
Wild Rice Research Briefing Iron Mining Association Presentations to Range Cities October 1 and

Wild Rice Research Briefing Iron Mining Association Presentations to Range Cities October 1 and

Wild Rice Research Briefing Iron Mining Association Presentations to Range Cities October 1 and 2, 2014 1 Wild Rice Research Briefing MN CHAMBER ANALYSIS OF MPCA RESEARCH & PRELIMINARY DETERMINATIONS 2 Minnesota Chamber Review Team

376 views • 35 slides
Postgraduate Research Student Briefing What is the Postgraduate Research Experience Survey? The

Postgraduate Research Student Briefing What is the Postgraduate Research Experience Survey? The

Postgraduate Research Student Briefing What is the Postgraduate Research Experience Survey? The survey is run by AdvanceHE on behalf of UK universities It is your opportunity to provide valuable feedback that can lead to enhancements

397 views • 7 slides
COVID-19 BRIEFING FOR HEALTH & SAFET Y REPS ABOUT THIS BRIEFING This briefing is being

COVID-19 BRIEFING FOR HEALTH & SAFET Y REPS ABOUT THIS BRIEFING This briefing is being

COVID-19 BRIEFING FOR HEALTH & SAFET Y REPS ABOUT THIS BRIEFING This briefing is being provided to: update Qld HSRs on the WHS implications of the COVID-19 pandemic on workplaces discuss appropriate ways to manage the risk of

431 views • 25 slides
Briefing on Nuclear Regulatory Research Program May 30, 2019 Agenda Steven West

Briefing on Nuclear Regulatory Research Program May 30, 2019 Agenda Steven West

Briefing on Nuclear Regulatory Research Program May 30, 2019 Agenda Steven West Introduction Raymond Furstenau Strategic Overview of the Research Program Ho Nieh Research Benefiting Operating Reactor Business Line

409 views • 26 slides
Transdiciplinary Research Grant Introduction A new grant initiative from Research University

Transdiciplinary Research Grant Introduction A new grant initiative from Research University

Briefing Briefing on on Trans ansdiciplina diciplinary Rese esear arch h (TDR) (TDR) Gr Grant ant Phas Phase e 1/2018 1/2018 1 Transdiciplinary Research Grant Introduction A new grant initiative from Research University funding

160 views • 14 slides
Multi-Level Logic with Constant Depth: Multi-Level Logic with Constant Depth: Recent Research

Multi-Level Logic with Constant Depth: Multi-Level Logic with Constant Depth: Recent Research

Multi-Level Logic with Constant Depth: Multi-Level Logic with Constant Depth: Recent Research from Italy Recent Research from Italy Researchers: Anna Bernasconi (U. Pisa), Valentina Ciriani (U. Milano-Crema) , Roberto Cordone (U.

1.09k views • 83 slides
Boardroom Briefing: Sustainable Centres of Tomorrow https://sbenrc.com.au/research-programs/1-62/

Boardroom Briefing: Sustainable Centres of Tomorrow https://sbenrc.com.au/research-programs/1-62/

Boardroom Briefing: Sustainable Centres of Tomorrow https://sbenrc.com.au/research-programs/1-62/ Project 1.62 Leaders Townsville Case Study Team: A/Professor Sacha Reid Project Leader, Development Cities Research Institute, Griffith

389 views • 19 slides
Superfund Research Program P42 RFA Briefing (RFA ES 18-002) Sponsored by: National Institute of

Superfund Research Program P42 RFA Briefing (RFA ES 18-002) Sponsored by: National Institute of

Welcome to the CLU-IN Internet Seminar Superfund Research Program P42 RFA Briefing (RFA ES 18-002) Sponsored by: National Institute of Environmental Health Sciences, Superfund Research Program Presenters: William Suk, Director, Superfund

903 views • 64 slides
Sustainable Finance Strategic Insights Media Briefing Research commissioned by HSBC 2H 2016

Sustainable Finance Strategic Insights Media Briefing Research commissioned by HSBC 2H 2016

Sustainable Finance Strategic Insights Media Briefing Research commissioned by HSBC 2H 2016 INTERNAL Research Methodology: key elements Corporates/ % of Total Investors Issuers (N: 553) (N: 277) (N: 276) 27.9 Europe 27.2 25.3

443 views • 15 slides
Research Dis isrupted: Protecting Federal Research In Investments and the U.S .S. Research

Research Dis isrupted: Protecting Federal Research In Investments and the U.S .S. Research

Research Dis isrupted: Protecting Federal Research In Investments and the U.S .S. Research Work rkforce fr from COVID ID-19 Im Impacts Congressional Briefing Monday, July 27th, 2020 2:30pm 1 BRIE IEFING AGENDA Welcome &

604 views • 23 slides
Briefing Notes The Briefing Notes Page The Briefing Notes include: An introduction to the

Briefing Notes The Briefing Notes Page The Briefing Notes include: An introduction to the

Community Services : Education The Inspection of the Education Functions of Local Authorities Briefing Notes March 2004 Ma March Briefing Notes The Briefing Notes Page The Briefing Notes include: An introduction to the inspection

531 views • 11 slides
Briefing on ISO Transmission for a 33% Briefing on ISO Transmission for a 33% RPS Plan Keith E.

Briefing on ISO Transmission for a 33% Briefing on ISO Transmission for a 33% RPS Plan Keith E.

Briefing on ISO Transmission for a 33% Briefing on ISO Transmission for a 33% RPS Plan Keith E. Casey Vice President, Market and Infrastructure Development Board of Governors Meeting General Session December 15-16, 2010 Planning the ISO grid

264 views • 15 slides
A Briefing on Georgias Budget: The Big Picture Overview CSLF and the Fiscal Research

A Briefing on Georgias Budget: The Big Picture Overview CSLF and the Fiscal Research

November 15, 2017 Bob Buschman and Maggie Reeves A Briefing on Georgias Budget: The Big Picture Overview CSLF and the Fiscal Research Center Revenues Budget Practices Georgias Expenditures By Policy Area and Over Time

642 views • 50 slides
Stoichiometry (stoich) notes 1. What is Stoichiometry?

Stoichiometry (stoich) notes 1. What is Stoichiometry?

Stoichiometry (stoich) notes 1. What is Stoichiometry? __________________________________________________________________ ________________________________________________________________________________________

242 views • 7 slides
EASY Meta-Programming with Rascal Leveraging the Extract-Analyze-SYnthesize Paradigm Paul Klint

EASY Meta-Programming with Rascal Leveraging the Extract-Analyze-SYnthesize Paradigm Paul Klint

EASY Meta-Programming with Rascal Leveraging the Extract-Analyze-SYnthesize Paradigm Paul Klint & Jurgen Vinju Joint work with (amongst others): Bas Basten, Mark Hills, Anastasia Izmaylova, Davy Landman, Arnold Lankamp, Bert Lisser, Atze

1.31k views • 109 slides
Software Engineering I cs361 Test Driven Development What is Test Driven Development (TDD)

Software Engineering I cs361 Test Driven Development What is Test Driven Development (TDD)

Software Engineering I cs361 Test Driven Development What is Test Driven Development (TDD) Test-driven development ( TDD ) is a software development process based on three simple rules TDD Rules (From Uncle Bob Martin) 1. You are not allowed

386 views • 19 slides
http://xkcd.com/1312/ Tony Hoares Hints on Programming Language Design CS 252:

http://xkcd.com/1312/ Tony Hoares Hints on Programming Language Design CS 252:

http://xkcd.com/1312/ Tony Hoares Hints on Programming Language Design CS 252: Advanced Programming Language Principles Introduction to Haskell Prof. Tom Austin San Jos State University Key traits of Haskell 1. Purely

711 views • 32 slides
Abstract Factory Linda Marshall and Vreda Pieterse Department of Computer Science University of

Abstract Factory Linda Marshall and Vreda Pieterse Department of Computer Science University of

Identification Structure Participants Related Patterns Examples Abstract Factory Linda Marshall and Vreda Pieterse Department of Computer Science University of Pretoria 13 August 2014 Linda Marshall and Vreda Pieterse Abstract Factory

246 views • 21 slides
ONLINE INSTRUCTOR RETREAT Ag e n d a 12:0 0 -12:0 5p m W e lcom e to th e Re tre a t! 12:0

ONLINE INSTRUCTOR RETREAT Ag e n d a 12:0 0 -12:0 5p m W e lcom e to th e Re tre a t! 12:0

W ELCOME TO THE 6 TH ANNUAL ONLINE INSTRUCTOR RETREAT Ag e n d a 12:0 0 -12:0 5p m W e lcom e to th e Re tre a t! 12:0 5 - 12:20 p m Op e n in g Re m a rks - VP of In stru ction 12:20 - 12:4 0 p m W h a ts Ne w in On lin e Ed

231 views • 11 slides
De DeCO: : A DS DSP Block Based FPGA Accelerator Overlay Wi With Low Overhead Interconnect Ab

De DeCO: : A DS DSP Block Based FPGA Accelerator Overlay Wi With Low Overhead Interconnect Ab

De DeCO: : A DS DSP Block Based FPGA Accelerator Overlay Wi With Low Overhead Interconnect Ab Abhishek Kumar Ja Jain, Xiangwei Li, Pranjul Singhai, Douglas L. Maskell School of Computer Science and Engineering Nanyang Technological

564 views • 39 slides
Principles of Software Construction: Objects, Design, and Concurrency Introduction to Java Josh

Principles of Software Construction: Objects, Design, and Concurrency Introduction to Java Josh

Principles of Software Construction: Objects, Design, and Concurrency Introduction to Java Josh Bloch Charlie Garrod School of Computer Science 15-214 1 Administrivia First home was pushed to repo this morning Due next Thursday at

735 views • 52 slides

More recommend