
Exploit Generation for Information Flow Leaks in Object-Oriented Programs - PowerPoint PPT Presentation

Reiner Hähnle (joint work with Richard Bubel and Quoc Huy Do). Dagstuhl Seminar 15381: Information from Deduction: Models and Proofs. September 15, 2015.


  1. Exploit Generation for Information Flow Leaks in Object-Oriented Programs
Reiner Hähnle (joint work with Richard Bubel and Quoc Huy Do)
Dagstuhl Seminar 15381: Information from Deduction: Models and Proofs
September 15, 2015 | TUD | R. Hähnle | 1

  2. Approach
Goal: Exploit generation to demonstrate insecure information flow
◮ Input: IF Policy Specification + Target Program
◮ Symbolic Execution (SE) with Loop & Method Specifications
  SE as proof attempt: seamless interleaving of state simplification & infeasible path elimination
◮ Construction of Insecurity Formula
◮ Model Extraction from Insecurity Formula, by SMT solvers
◮ Exploit Generation as (xUnit) Tests

  9. Framework
The same pipeline generalizes to other relational properties (regression of behaviour, fault propagation, ...)
Goal: Witness generation to demonstrate violation of a relational property
◮ Input: Relational Specification + Target Program
◮ Symbolic Execution (SE) with Loop & Method Specifications
  SE as proof attempt: seamless interleaving of state simplification & infeasible path elimination
◮ Construction of Witness Formulas
◮ Model Extraction from Witness Formulas, by SMT solvers
◮ Witness Generation as (xUnit) Tests

  10. Information Flow
Confidential input and public input enter the system; the question is what the observable output reveals about the confidential input.
Information flow security
◮ Ensure confidential information is not leaked
◮ Ensuring information flow security:
  ◮ Static analyses: type-based systems, deductive verification
  ◮ Dynamic analyses: runtime monitoring, secure multi-execution

  12. Noninterference
High variable (secret input) and Low variable (public input) enter the program; the Low variable is the observable output.
Definition
◮ Policy $NI = (Low, High)$: $Low, High \subseteq Var$, $Low \,\dot\cup\, High = Var$, with $Var$ the set of all variables of program $p$
◮ Program $p$ satisfies $NI$ iff for any two traces $Tr_1, Tr_2$ of $p$ it holds that:
  $init(Tr_1) \simeq_{Low} init(Tr_2) \Rightarrow final(Tr_1) \simeq_{Low} final(Tr_2)$
  $init(X)$, $final(X)$: initial state and final state of a trace $X$
Noninterference is too strict: many secure programs are classified as insecure

  14. Declassification
E-Voting System: $vote_1, vote_2, \ldots, vote_n$ → Aggregate → result $A$ or $B$
The aggregate is the escape hatch expression
$e = \Big(\sum_{i=1}^{n} (vote_i = A\ ?\ 1 : 0),\ \sum_{i=1}^{n} (vote_i = B\ ?\ 1 : 0)\Big)$
Delimited Release
◮ Policy $Decl = (Low, High, e)$
  ◮ $e$: escape hatch expression
◮ Program $p$ satisfies $Decl$ iff for any two traces $Tr_1, Tr_2$ of $p$ it holds that:
  $[\![e]\!]_{init(Tr_1)} = [\![e]\!]_{init(Tr_2)} \wedge init(Tr_1) \simeq_{Low} init(Tr_2) \Rightarrow final(Tr_1) \simeq_{Low} final(Tr_2)$

  17. Noninterference as Deductive Verification
The Hoare triple: $\{Pre\}\ p\ \{Post\}$
Self-composition [Darvas, Hähnle & Sands 2003/05]
◮ Program $p(l, h)$, for simplicity with $Low = \{l\}$, $High = \{h\}$
◮ $p(l', h')$ is obtained as a copy of $p$ with fresh variables $l'$ for $l$ and $h'$ for $h$
◮ Formalization of noninterference policy $NI = (Low, High)$:
  $\{\, l \doteq l' \,\}\ p(l, h);\ p(l', h')\ \{\, l \doteq l' \,\}$
Drawback: program $p$ must be analysed twice
Idea: compute the weakest precondition of $p$ before self-composition

  19. Symbolic Execution
if (x >= 0) { y = y - 1; } else { y = y + 1; }
y = 2 * y;
Symbolic initial state: $(x := x_0,\ y := y_0)$, i.e. node $(x_0, y_0)$
The conditional splits the execution into two branches, each labelled with its path condition:
◮ Path condition $x_0 \geq 0$: $(x_0, y_0)$ → after y = y - 1: $(x_0, y_0 - 1)$ → after y = 2 * y: $(x_0, 2(y_0 - 1))$
◮ Path condition $x_0 < 0$: $(x_0, y_0)$ → after y = y + 1: $(x_0, y_0 + 1)$ → after y = 2 * y: $(x_0, 2(y_0 + 1))$
Symbolic final states: $(x = x_0,\ y = 2(y_0 - 1))$ under $x_0 \geq 0$, and $(x = x_0,\ y = 2(y_0 + 1))$ under $x_0 < 0$

  24. Self-composition by Symbolic Execution
Symbolic execution of $p(l, h)$ yields paths $1, \ldots, n$; path $i$ has path condition $pc_i(l, h)$ and symbolic output value $l = f^l_i(l, h)$.
The copy $p(l', h')$ likewise yields paths $1, \ldots, n$; path $j$ has path condition $pc_j(l', h')$ and symbolic output value $l' = f^l_j(l', h')$.
Formalizing noninterference by self-composition:
$\{\, l \doteq l' \,\}\ p(l, h);\ p(l', h')\ \{\, l \doteq l' \,\}$
Formalizing noninterference by symbolic execution (each pair of paths must agree on the Low output):
$$\bigwedge_{1 \leq i, j \leq n} \Big( l = l' \wedge pc_i(l, h) \wedge pc_j(l', h') \Rightarrow f^l_i(l, h) = f^l_j(l', h') \Big)$$
  27. Program $p$ is insecure iff the insecurity formula is satisfiable:
$$\bigvee_{1 \leq i, j \leq n} \underbrace{\Big( l = l' \wedge pc_i(l, h) \wedge pc_j(l', h') \wedge f^l_i(l, h) \neq f^l_j(l', h') \Big)}_{Leak_{ij}}$$
A model of any disjunct $Leak_{ij}$ is a pair of initial states that agree on $l$ but produce different Low outputs, i.e. a witness of the leak.
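The following is an added, runnable illustration of the pipeline on slides 2 to 8 and 24 to 27 (symbolic execution, self-composition, insecurity formula, model extraction, exploit as an xUnit test), applied to the example program of slides 19 to 23. It is not the speakers' KeY-based implementation: the tuple-based program IR, the choice of x as the High and y as the Low variable, and the bounded brute-force search that stands in for the SMT solver are assumptions made here. The `hatch` parameter also shows the delimited-release check of slide 16 on the same program.

```python
"""Toy pipeline: symbolic execution -> self-composition -> insecurity formula
-> model extraction -> exploit as xUnit test. Added example, not KeY."""
from itertools import product

# Constructed IR for the slides' example program (assumption, not a Java front end):
#   expression: ("var", name) | ("const", n) | (op, lhs, rhs) with op in + - * >= <
#   statement:  ("assign", name, expr) | ("if", cond, then_block, else_block)
PROGRAM = [
    ("if", (">=", ("var", "x"), ("const", 0)),
        [("assign", "y", ("-", ("var", "y"), ("const", 1)))],
        [("assign", "y", ("+", ("var", "y"), ("const", 1)))]),
    ("assign", "y", ("*", ("const", 2), ("var", "y"))),
]
LOW, HIGH = ["y"], ["x"]   # assumed policy: x secret (High), y public (Low)

OPS = {"+": lambda a, b: a + b, "-": lambda a, b: a - b, "*": lambda a, b: a * b,
       ">=": lambda a, b: a >= b, "<": lambda a, b: a < b}
NEG = {">=": "<", "<": ">="}

def subst(expr, state):
    """Replace program variables by their current symbolic values (terms)."""
    if expr[0] == "var":
        return state[expr[1]]
    if expr[0] == "const":
        return expr
    return (expr[0], subst(expr[1], state), subst(expr[2], state))

def evaluate(expr, model):
    """Evaluate a term whose free variables are bound to integers in `model`."""
    if expr[0] == "var":
        return model[expr[1]]
    if expr[0] == "const":
        return expr[1]
    return OPS[expr[0]](evaluate(expr[1], model), evaluate(expr[2], model))

def symexec(block, state, pc):
    """Symbolic execution: all (path condition, symbolic final state) pairs.
    Each branch adds its guard (or the negated guard) to the path condition."""
    if not block:
        return [(pc, state)]
    stmt, rest = block[0], block[1:]
    if stmt[0] == "assign":
        return symexec(rest, {**state, stmt[1]: subst(stmt[2], state)}, pc)
    cond = subst(stmt[1], state)
    paths = []
    for branch, guard in ((stmt[2], cond), (stmt[3], (NEG[cond[0]],) + cond[1:])):
        for pc_b, st_b in symexec(branch, state, pc + [guard]):
            paths += symexec(rest, st_b, pc_b)
    return paths

def initial_states(low, high):
    """Copy 0 runs on (l, h), copy 1 on the fresh primed variables (l', h')."""
    return [{v: ("var", v + str(c)) for v in low + high} for c in (0, 1)]

def insecurity_formula(program, low, high):
    """Self-composition by SE: one disjunct Leak_ij per path pair (i, j), stored as
    (pc_i ∧ pc_j conjuncts, [(v, f_i^v, f_j^v) per Low v]). The conjunct l = l'
    and the disequality f_i ≠ f_j are imposed by the model search below."""
    init = initial_states(low, high)
    return [(pc_i + pc_j, [(v, st_i[v], st_j[v]) for v in low])
            for pc_i, st_i in symexec(program, init[0], [])
            for pc_j, st_j in symexec(program, init[1], [])]

def find_witness(leaks, low, high, hatch=(), bound=3):
    """Model extraction. The talk uses an SMT solver; a bounded search over
    [-bound, bound] stands in for it here. `hatch` are escape-hatch expressions e
    (delimited release): a model must satisfy [[e]]_init0 = [[e]]_init1.
    Returns (model, leaking Low variable) or None if no leak is found."""
    init, dom = initial_states(low, high), range(-bound, bound + 1)
    for lows in product(dom, repeat=len(low)):
        for highs in product(dom, repeat=2 * len(high)):
            model = {v + c: val for v, val in zip(low, lows) for c in "01"}  # l = l'
            model.update({v + "0": highs[k] for k, v in enumerate(high)})
            model.update({v + "1": highs[len(high) + k] for k, v in enumerate(high)})
            if any(evaluate(subst(e, init[0]), model) != evaluate(subst(e, init[1]), model)
                   for e in hatch):
                continue
            for pc, outs in leaks:
                if all(evaluate(c, model) for c in pc):
                    for v, f_i, f_j in outs:
                        if evaluate(f_i, model) != evaluate(f_j, model):
                            return model, v
    return None

def run(block, env):
    """Concrete execution, used by the generated exploit test."""
    env = dict(env)
    for stmt in block:
        if stmt[0] == "assign":
            env[stmt[1]] = evaluate(stmt[2], env)
        else:
            env = run(stmt[2] if evaluate(stmt[1], env) else stmt[3], env)
    return env

def exploit_test(program, model, low, high):
    """Exploit generation: the witness as a unittest case with two concrete runs that
    agree on Low inputs but differ on a Low output. Returns (source, out0, out1)."""
    envs = [{v: model[v + str(c)] for v in low + high} for c in (0, 1)]
    src = "\n".join([
        "import unittest",
        "class LeakTest(unittest.TestCase):",
        "    def test_low_output_depends_on_secret(self):",
        f"        out0 = run(PROGRAM, {envs[0]!r})",
        f"        out1 = run(PROGRAM, {envs[1]!r})",
        f"        self.assertNotEqual([out0[v] for v in {low!r}], [out1[v] for v in {low!r}])",
    ])
    return src, run(program, envs[0]), run(program, envs[1])

if __name__ == "__main__":
    leaks = insecurity_formula(PROGRAM, LOW, HIGH)
    found = find_witness(leaks, LOW, HIGH)
    print("NI witness:", found)
    # Declassifying the sign of x (escape hatch e = x >= 0) makes the program secure.
    print("Decl witness:", find_witness(leaks, LOW, HIGH, hatch=[(">=", ("var", "x"), ("const", 0))]))
    if found:
        print(exploit_test(PROGRAM, found[0], LOW, HIGH)[0])
```

Under noninterference the program leaks the sign of x: the search returns two initial states with equal y but x of opposite sign, and the emitted test case reproduces the distinguishable outputs 2(y - 1) and 2(y + 1). With the sign of x declassified as an escape hatch, only same-sign pairs remain admissible, both copies take the same path, and no witness exists, which is the delimited-release verdict of slide 16.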
