Exploit Generation for Information Flow Leaks in Object-Oriented - - PowerPoint PPT Presentation



slide-1
SLIDE 1

Exploit Generation for Information Flow Leaks in Object-Oriented Programs

Reiner Hähnle

(joint work with Richard Bubel and Quoc Huy Do)

Dagstuhl Seminar 15381

Information from Deduction: Models and Proofs

September 15, 2015

September 15, 2015 | TUD | R. Hähnle | 1

slide-8
SLIDE 8

Approach

Goal: Exploit generation to demonstrate insecure information flow

Pipeline (each stage feeds the next):

◮ IF Policy Specification + Target Program
◮ Symbolic Execution (SE) with Loop & Method Specifications
  SE as proof attempt: seamless interleaving of state simplification & infeasible path elimination
◮ Construction of Insecurity Formula
◮ Model Extraction From Insecurity Formula, by SMT solvers
◮ Exploit Generation As (xUnit) Tests

slide-9
SLIDE 9

Framework: Regression of Behaviour, Fault Propagation, . . .

Goal: Witness generation to demonstrate violation of relational property

◮ Relational Specification + Target Program
◮ Symbolic Execution (SE) with Loop & Method Specifications
  SE as proof attempt: seamless interleaving of state simplification & infeasible path elimination
◮ Construction of Witness Formulas
◮ Model Extraction From Witness Formulas, by SMT solvers
◮ Witness Generation As (xUnit) Tests


slide-11
SLIDE 11

Information Flow

Figure: a System receives Confidential input and Public input and produces Observable output; the question (?) is whether the observable output depends on the confidential input.

Information flow security

◮ Ensure confidential information is not leaked
◮ Ensuring Information Flow Security:
  ◮ Static Analyses: Type-Based Systems, Deductive Verification
  ◮ Dynamic Analyses: Runtime Monitoring, Secure Multi-Execution


slide-13
SLIDE 13

Noninterference

Figure: Program with a High variable (Secret input), a Low variable (Public input) and a Low variable (Observable output).

Definition

◮ Policy $\mathit{NI} = (\mathit{Low}, \mathit{High})$: $\mathit{Low}, \mathit{High} \subseteq \mathit{Var}$, $\mathit{Low}\ \dot{\cup}\ \mathit{High} = \mathit{Var}$, with $\mathit{Var}$ = set of all variables of program $p$
◮ Program $p$ satisfies $\mathit{NI}$ iff for any two traces $\mathit{Tr}_1, \mathit{Tr}_2$ of $p$ it holds that:

  $\mathit{init}(\mathit{Tr}_1) \simeq_{\mathit{Low}} \mathit{init}(\mathit{Tr}_2) \Rightarrow \mathit{final}(\mathit{Tr}_1) \simeq_{\mathit{Low}} \mathit{final}(\mathit{Tr}_2)$

  $\mathit{init}(X), \mathit{final}(X)$: initial state and final state of a trace $X$

Noninterference is too strict: many secure programs are classified as insecure


slide-16
SLIDE 16

Declassification

Figure: ballots $\mathit{vote}_1, \mathit{vote}_2, \ldots, \mathit{vote}_n$ enter the E-Voting System, which publishes the aggregate result for candidates A and B. The aggregate is the escape hatch expression $e$:

  $e \equiv \Big(\sum_{i=1}^{n} (\mathit{vote}_i = A\ ?\ 1 : 0),\ \sum_{i=1}^{n} (\mathit{vote}_i = B\ ?\ 1 : 0)\Big)$

Delimited Release

◮ Policy $\mathit{Decl} = (\mathit{Low}, \mathit{High}, e)$:
  ◮ $e$: escape hatch expression
◮ Program $p$ satisfies $\mathit{Decl}$ iff for any two traces $\mathit{Tr}_1, \mathit{Tr}_2$ of $p$ it holds that:

  $[\![e]\!]_{\mathit{init}(\mathit{Tr}_1)} = [\![e]\!]_{\mathit{init}(\mathit{Tr}_2)} \wedge \mathit{init}(\mathit{Tr}_1) \simeq_{\mathit{Low}} \mathit{init}(\mathit{Tr}_2) \Rightarrow \mathit{final}(\mathit{Tr}_1) \simeq_{\mathit{Low}} \mathit{final}(\mathit{Tr}_2)$
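To make the two definitions concrete, here is an added example (my own illustration, not part of the slides and not KEG code) that checks NI and delimited release directly against the trace-based definitions for a tiny tally. The voter count, the candidates and the "leaky" variant are constructed for illustration, and exhaustive enumeration of all initial states stands in for a proof.

```python
"""Noninterference vs. delimited release, checked on the trace definitions.
Added example; N, CANDIDATES and leaky_tally are constructed for illustration."""
from itertools import product

N = 3                       # constructed: three voters
CANDIDATES = ("A", "B")     # constructed: two candidates, as on the slide

def escape_hatch(votes):
    """e = (sum_{i=1..n} (vote_i = A ? 1 : 0), sum_{i=1..n} (vote_i = B ? 1 : 0))."""
    return (sum(1 for v in votes if v == "A"),
            sum(1 for v in votes if v == "B"))

def tally(votes):
    """The e-voting system: its only observable output is the aggregate result."""
    return escape_hatch(votes)

def leaky_tally(votes):
    """Hypothetical buggy variant (constructed): also exposes the first ballot."""
    return escape_hatch(votes) + (votes[0],)

def counterexample(program, escape=None):
    """Return a pair of initial states violating the policy, or None.

    High = {vote_1..vote_n}, Low = {} (no public input) and the observable
    output is the program's result, so init(Tr1) ~Low init(Tr2) always holds.
      NI:   init(Tr1) ~Low init(Tr2) => final(Tr1) ~Low final(Tr2)
      Decl: [[e]]init(Tr1) = [[e]]init(Tr2) and init(Tr1) ~Low init(Tr2)
            => final(Tr1) ~Low final(Tr2)
    """
    states = list(product(CANDIDATES, repeat=N))
    for s1, s2 in product(states, repeat=2):
        if escape is not None and escape(s1) != escape(s2):
            continue  # escape hatches differ: the policy permits differing outputs
        if program(s1) != program(s2):
            return s1, s2
    return None

def is_secure(program, escape=None):
    """True iff no pair of traces violates the (possibly declassified) policy."""
    return counterexample(program, escape) is None

if __name__ == "__main__":
    print("tally satisfies NI?   ", is_secure(tally))                       # False: NI too strict
    print("tally satisfies Decl? ", is_secure(tally, escape_hatch))         # True
    print("leaky variant, Decl?  ", is_secure(leaky_tally, escape_hatch))   # False
    print("witness:", counterexample(leaky_tally, escape_hatch))
```

The honest tally is rejected by plain NI (different ballots give different aggregates) and accepted once the aggregate is declared as the escape hatch; the leaky variant is still rejected under Decl because two ballot vectors with the same aggregate produce different outputs.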


slide-18
SLIDE 18

Noninterference as Deductive Verification

The Hoare triple: $\{\mathit{Pre}\}\ p\ \{\mathit{Post}\}$

Self-composition [Darvas, Hähnle & Sands 2003/05]

◮ Program $p(l, h)$, for simplicity with $\mathit{Low} = \{l\}$, $\mathit{High} = \{h\}$
◮ $p(l', h')$ is obtained as a copy of $p$ in which the fresh variables $l'$ and $h'$ replace $l$ and $h$
◮ Formalization of noninterference policy $\mathit{NI} = (\mathit{Low}, \mathit{High})$:

  $\{l \doteq l'\}\ p(l, h);\ p(l', h')\ \{l \doteq l'\}$

Drawback: Program $p$ must be analysed twice
Idea: Compute weakest precondition of $p$ before self-composition


slide-23
SLIDE 23

Symbolic Execution

  if (x >= 0) { y = y - 1; } else { y = y + 1; }
  y = 2 * y;

Symbolic execution tree from the symbolic initial state (x := x0, y := y0):

  (x0, y0)
    path condition x0 ≥ 0:  (x0, y0 − 1)  →  (x0, 2 ∗ (y0 − 1))
    path condition x0 < 0:  (x0, y0 + 1)  →  (x0, 2 ∗ (y0 + 1))

Symbolic final states: (x = x0, y = 2 ∗ (y0 − 1)) and (x = x0, y = 2 ∗ (y0 + 1))
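The tree above can be produced mechanically. The following added example (my own illustration, not KeY's symbolic execution engine) runs a minimal symbolic executor over the slide's program, encoded as a small statement tree; the `sym` nodes `x0` and `y0` are the symbolic initial values, and the function names are mine.

```python
"""Minimal symbolic execution of the slide's program, producing
(path condition, symbolic final state) pairs. Added example."""

# Program from the slide as a statement/expression tree (constructed here):
#   if (x >= 0) { y = y - 1; } else { y = y + 1; }
#   y = 2 * y;
PROGRAM = [
    ("if", (">=", ("var", "x"), ("const", 0)),
        [("assign", "y", ("-", ("var", "y"), ("const", 1)))],
        [("assign", "y", ("+", ("var", "y"), ("const", 1)))]),
    ("assign", "y", ("*", ("const", 2), ("var", "y"))),
]

NEGATION = {">=": "<", "<": ">=", ">": "<=", "<=": ">", "==": "!=", "!=": "=="}
OPS = {"+": lambda a, b: a + b, "-": lambda a, b: a - b, "*": lambda a, b: a * b,
       ">=": lambda a, b: a >= b, "<": lambda a, b: a < b, ">": lambda a, b: a > b,
       "<=": lambda a, b: a <= b, "==": lambda a, b: a == b, "!=": lambda a, b: a != b}

def subst(expr, state):
    """Replace program variables by their current symbolic values."""
    kind = expr[0]
    if kind == "var":
        return state[expr[1]]
    if kind in ("const", "sym"):
        return expr
    op, a, b = expr
    return (op, subst(a, state), subst(b, state))

def show(expr):
    """Render a symbolic expression as text."""
    kind = expr[0]
    if kind in ("const", "sym"):
        return str(expr[1])
    op, a, b = expr
    return f"({show(a)} {op} {show(b)})"

def evaluate(expr, valuation):
    """Evaluate a symbolic expression under concrete values for x0, y0."""
    kind = expr[0]
    if kind == "const":
        return expr[1]
    if kind == "sym":
        return valuation[expr[1]]
    op, a, b = expr
    return OPS[op](evaluate(a, valuation), evaluate(b, valuation))

def execute(stmts, state, pc):
    """Symbolically execute stmts; one (path condition, final state) per path."""
    if not stmts:
        return [(pc, state)]
    stmt, rest = stmts[0], stmts[1:]
    if stmt[0] == "assign":
        _, var, rhs = stmt
        new_state = dict(state)
        new_state[var] = subst(rhs, state)
        return execute(rest, new_state, pc)
    _, cond, then_branch, else_branch = stmt
    guard = subst(cond, state)                     # condition over symbolic values
    negated = (NEGATION[guard[0]], guard[1], guard[2])
    return (execute(then_branch + rest, state, pc + [guard]) +
            execute(else_branch + rest, state, pc + [negated]))

def symbolic_paths(program=PROGRAM, variables=("x", "y")):
    """Run SE from the symbolic initial state (x := x0, y := y0)."""
    init = {v: ("sym", v + "0") for v in variables}
    return execute(program, init, [])

def describe(program=PROGRAM):
    """Readable (path condition, final state) pairs, as drawn on the slide."""
    return [(" ∧ ".join(show(c) for c in pc), {v: show(e) for v, e in st.items()})
            for pc, st in symbolic_paths(program)]

def concrete_final_y(x0, y0, program=PROGRAM):
    """Select the path whose condition holds for the input and evaluate its final y."""
    val = {"x0": x0, "y0": y0}
    for pc, st in symbolic_paths(program):
        if all(evaluate(c, val) for c in pc):
            return evaluate(st["y"], val)
    raise ValueError("no feasible path")  # cannot happen: the path conditions partition the inputs

if __name__ == "__main__":
    for pc, st in describe():
        print("path condition:", pc, "  final state:", st)
```

`concrete_final_y` shows how a symbolic path is concretised: pick the path whose condition the input satisfies and evaluate its symbolic final state, which must agree with running the program directly.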


slide-26
SLIDE 26

Self-composition by Symbolic Execution

Figure: symbolic execution trees of $p(l, h)$ (paths $1, 2, \ldots, i, \ldots, n$) and of its copy $p(l', h')$ (paths $1, \ldots, j, \ldots, n$). Path $i$ of $p(l, h)$ has path condition $\mathit{pc}_i(l, h)$ and symbolic output value $l = f^l_i(l, h)$; path $j$ of $p(l', h')$ has path condition $\mathit{pc}_j(l', h')$ and symbolic output value $l' = f^l_j(l', h')$.

Formalizing noninterference by self-composition:

  $\{l \doteq l'\}\ p(l, h);\ p(l', h')\ \{l \doteq l'\}$

Formalizing noninterference by symbolic execution:

  $\bigwedge_{1 \le i, j \le n} \big(l = l' \wedge \mathit{pc}_i(l, h) \wedge \mathit{pc}_j(l', h') \Rightarrow f^l_i(l, h) = f^l_j(l', h')\big)$

slide-27
SLIDE 27

Self-composition by Symbolic Execution

Figure: symbolic execution trees of $p(l, h)$ and $p(l', h')$ with paths $1, \ldots, n$; path $i$ has path condition $\mathit{pc}_i(l, h)$ and symbolic output value $l = f^l_i(l, h)$, path $j$ has path condition $\mathit{pc}_j(l', h')$ and symbolic output value $l' = f^l_j(l', h')$.

Program $p$ is insecure iff the insecurity formula is satisfiable:

  $\bigvee_{1 \le i, j \le n} \underbrace{\big(l = l' \wedge \mathit{pc}_i(l, h) \wedge \mathit{pc}_j(l', h') \wedge f^l_i(l, h) \neq f^l_j(l', h')\big)}_{\mathit{Leak}_{ij}}$


slide-29
SLIDE 29

Running Example

  public class Example {
      public int l;
      private int h;
      /*! l | h ; !*/
      public void magic() {
          if (h > 0) l = 0; else l = h;
      }
  }

Symbolic execution tree of magic():

  <start> → <call self.magic()> → if (this.h>0)
    path 1: self.h > 0  →  this.l=0;       →  <return of magic> → <end>
    path 2: self.h < 1  →  this.l=this.h;  →  <return of magic> → <end>

  Formula                                         Model
  Leak11:  l = l′ ∧ h > 0 ∧ h′ > 0 ∧ 0 ≠ 0         ∅
  Leak12:  l = l′ ∧ h > 0 ∧ h′ < 1 ∧ 0 ≠ h′        l = l′ = 0, h = 1, h′ = −1
  Leak22:  l = l′ ∧ h < 1 ∧ h′ < 1 ∧ h ≠ h′        l = l′ = 0, h = 0, h′ = −1

slide-30
SLIDE 30

Declassification (Delimited Release)

  public class Example {
      public int l;
      private int h;
      /*! l | h ; !*/
      public void magic() {
          if (h > 0) l = 0; else l = h;
      }
  }

Symbolic execution tree of magic():

  <start> → <call self.magic()> → if (this.h>0)
    path 1: self.h > 0  →  this.l=0;       →  <return of magic> → <end>
    path 2: self.h < 1  →  this.l=this.h;  →  <return of magic> → <end>

The sign of h, but not its value, is allowed to leak. Encode this with the escape hatch expression e(h, l) ≡ h > 0

slide-31
SLIDE 31

Declassification (Delimited Release)

  public class Example {
      public int l;
      private int h;
      /*! l | h ; !*/
      /*@ escapes (h>0); @*/
      public void magic() {
          if (h > 0) l = 0; else l = h;
      }
  }

Symbolic execution tree of magic():

  <start> → <call self.magic()> → if (this.h>0)
    path 1: self.h > 0  →  this.l=0;       →  <return of magic> → <end>
    path 2: self.h < 1  →  this.l=this.h;  →  <return of magic> → <end>

Insecurity formula:

  $\bigvee_{1 \le i, j \le n} \big(e(l, h) = e(l', h') \wedge l = l' \wedge \mathit{pc}_i(l, h) \wedge \mathit{pc}_j(l', h') \wedge f^l_i(l, h) \neq f^l_j(l', h')\big)$

slide-32
SLIDE 32

Declassification (Delimited Release)

Same program and symbolic execution tree as on slide 31, with escape hatch e ≡ h > 0:

  Formula                                                               Model
  Leak11:  (h > 0) = (h′ > 0) ∧ l = l′ ∧ h > 0 ∧ h′ > 0 ∧ 0 ≠ 0         ∅
  Leak12:  (h > 0) = (h′ > 0) ∧ l = l′ ∧ h > 0 ∧ h′ < 1 ∧ 0 ≠ h′        ∅
  Leak22:  (h > 0) = (h′ > 0) ∧ l = l′ ∧ h < 1 ∧ h′ < 1 ∧ h ≠ h′        l = l′ = 0, h = 0, h′ = −1


slide-35
SLIDE 35

Declassification (Delimited Release)

  public class Example {
      public int l;
      private int h;
      /*! l | h ; !*/
      /*@ escapes (h>0); @*/
      public void magic() {
          if (h > 0) l = 0; else l = 1;
      }
  }

Symbolic execution tree of magic():

  <start> → <call self.magic()> → if (this.h>0)
    path 1: self.h > 0  →  this.l=0;  →  <return of magic> → <end>
    path 2: self.h < 1  →  this.l=1;  →  <return of magic> → <end>

  Formula                                                               Model
  Leak11:  (h > 0) = (h′ > 0) ∧ l = l′ ∧ h > 0 ∧ h′ > 0 ∧ 0 ≠ 0         ∅
  Leak12:  (h > 0) = (h′ > 0) ∧ l = l′ ∧ h > 0 ∧ h′ < 1 ∧ 0 ≠ 1         ∅
  Leak22:  (h > 0) = (h′ > 0) ∧ l = l′ ∧ h < 1 ∧ h′ < 1 ∧ 1 ≠ 1         ∅

Program is secure
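As an added example (my own code, not from the slides or the KEG tool), the following takes the two paths of magic() exactly as symbolic execution produced them on the slides, builds each Leak_ij with or without the escape hatch e ≡ h > 0, and replaces the SMT solver by exhaustive search over a small integer domain. It covers the plain insecurity formula (slides 27 to 29), the declassified one (slides 31 and 32) and the repaired program (slide 35); the last function is the check a generated xUnit test would perform. The search domain and the names MAGIC_PATHS, FIXED_PATHS and sign_hatch are assumptions of this example.

```python
"""Insecurity formula Leak_ij and model extraction for the running example.
Added example; brute-force search over a small domain stands in for Z3."""
from itertools import product

# SE result of Example.magic() as shown on the slides:
# path i is (pc_i(l, h), f_i^l(l, h)) over the initial values of l and h.
MAGIC_PATHS = [
    (lambda l, h: h > 0, lambda l, h: 0),   # path 1: if (h > 0) l = 0;
    (lambda l, h: h < 1, lambda l, h: h),   # path 2: else l = h;
]
FIXED_PATHS = [                             # the repaired program of slide 35
    (lambda l, h: h > 0, lambda l, h: 0),   # path 1: if (h > 0) l = 0;
    (lambda l, h: h < 1, lambda l, h: 1),   # path 2: else l = 1;
]

def sign_hatch(l, h):
    """Escape hatch e(l, h) ≡ h > 0, i.e. the /*@ escapes (h>0); @*/ annotation."""
    return h > 0

def leak(path_i, path_j, l, h, l2, h2, escape=None):
    """Leak_ij = [e(l,h) = e(l',h') ∧] l = l' ∧ pc_i(l,h) ∧ pc_j(l',h') ∧ f_i(l,h) ≠ f_j(l',h')."""
    pc_i, f_i = path_i
    pc_j, f_j = path_j
    if escape is not None and escape(l, h) != escape(l2, h2):
        return False   # delimited release: only pairs with equal escape hatch count
    return l == l2 and pc_i(l, h) and pc_j(l2, h2) and f_i(l, h) != f_j(l2, h2)

def extract_models(paths, escape=None, domain=range(-2, 3)):
    """Solver stand-in: for every Leak_ij (i <= j) find a model (l, h, l', h')
    by exhaustive search over a small integer domain, or None if unsatisfiable."""
    models = {}
    for i, path_i in enumerate(paths, 1):
        for j, path_j in enumerate(paths, 1):
            if i > j:
                continue  # Leak_ji is Leak_ij with the two runs swapped
            models[(i, j)] = next(
                (m for m in product(domain, repeat=4) if leak(path_i, path_j, *m, escape)),
                None)
    return models

def is_insecure(paths, escape=None):
    """The insecurity formula is the disjunction of all Leak_ij."""
    return any(m is not None for m in extract_models(paths, escape).values())

def magic(l, h):
    """Concrete Example.magic(): returns the observable value of l after the call."""
    return 0 if h > 0 else h

def exploit_test(model, program=magic):
    """What the generated xUnit test asserts: two runs on the low-equivalent
    inputs of the model must produce different public outputs."""
    l, h, l2, h2 = model
    return l == l2 and program(l, h) != program(l2, h2)

if __name__ == "__main__":
    for name, paths in (("else l=h", MAGIC_PATHS), ("else l=1", FIXED_PATHS)):
        for hatch in (None, sign_hatch):
            print(name, "with e ≡ h>0" if hatch else "plain NI", extract_models(paths, hatch))
```

Note that the repaired program is still rejected under plain noninterference (Leak12 has the model h = 1, h′ = −2 in this domain) and only passes once the sign of h is declassified, which is the point of slide 13's "too strict" remark.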

slide-36
SLIDE 36

Conditional Delimited Release to Specified Target

Escape hatch expression with condition and target variables $e, C, T$

◮ escapes e \if C \to T
◮ Information may only be released through escape hatch expression $e$ to a set of variables $T$ if condition $C$ is satisfied, and no other information is leaked

Insecurity formula:

  $\bigvee_{1 \le i, j \le n} \Big(l = l' \wedge \mathit{pc}_i(l, h) \wedge \mathit{pc}_j(l', h') \wedge \big(l \in T \wedge (C(l, h) \wedge C(l', h')) \rightarrow e(l, h) = e(l', h')\big) \wedge f^l_i(l, h) \neq f^l_j(l', h')\Big)$

slide-37
SLIDE 37

Recursive Method Call — Example

  public class MethodContract {
      public int l;
      private int h;
      /*! l | h ; !*/
      public void magic() {
          if (h < 0) l = -1; else l = run(h);
      }
      private int run(int x) {
          if (x <= 0) return 0; else return (x + run(x - 1));
      }
  }



slide-42
SLIDE 42

Method Contract

◮ Method contract of called method $m$: $\mathit{Contract}_m = (\mathit{Pre}_m, \mathit{Post}_m, \mathit{mod}_m)$
  ◮ $\mathit{Pre}_m$: Precondition of method $m$
  ◮ $\mathit{Post}_m$: Postcondition of method $m$
  ◮ $\mathit{mod}_m$: set of modifiable variables
◮ Method calls are treated as a black box: method contracts contribute to path conditions / symbolic output states

  void main() {
      ...
      m();
      next statement;
      ...
  }

Figure: two ways to symbolically execute the call. Inlining: calling m → inlining m → next statement. Contract application: calling m → next statement, where
  before the call: set of variables $\mathit{Var}$, path condition $\mathit{pc}$, weakest precondition $\mathit{wp}(\mathit{VS})$;
  after the call: set of variables $\mathit{VS} = \mathit{Var} \cup \{v_{\mathit{fresh}} \mid v \in \mathit{mod}_m\} \cup \{r_m\}$ (with $r_m$ the result of $m$), path condition $\mathit{pc} \wedge \mathit{Pre}_m$, weakest precondition $\mathit{wp}(\mathit{VS}) \wedge \mathit{Post}_m$.


slide-45
SLIDE 45

Method Contract — Example

  public class MethodContract {
      int l, h;
      /*! l | h ; !*/
      public void magic() {
          if (h < 0) l = -1; else l = run(h);
      }
      /*@ requires true;
        @ ensures ((x <= 0) ==> \result == 0) &&
        @         ((x > 0) ==> \result * 2 == x * (x + 1));
        @ assignable \nothing;
        @*/
      private int run(int x) {
          if (x <= 0) return 0; else return (x + run(x - 1));
      }
  }

Path conditions of magic() with the call run(h) replaced by its contract (r: result of run(h)):

  pc1 : h < 0
  pc2 : h ≥ 0 ∧ (h ≤ 0 ⇒ r = 0) ∧ (h > 0 ⇒ r ∗ 2 = h ∗ (h + 1))

  Formula    Model
  Leak11     ∅
  Leak12     l = l′ = 0, h = −1, h′ = 1
  Leak22     l = l′ = 0, h = 1, h′ = 2
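The following added example (my own code, not from the slides or KEG) reproduces the contract-based path conditions above, with the fresh result variable r of run(h) added to the symbolic state as on slide 42, and then checks every extracted witness against the real method. This makes visible what the experiments slide reports for the Comp_WeakMC row: a postcondition weaker than the implementation yields witnesses that are false positives. The weak contract `weak_post`, the search domain and all function names are assumptions of this example.

```python
"""Contract-based path conditions and false-positive witnesses. Added example;
exhaustive search over a small domain replaces the SMT solver."""
from itertools import product

def run(x):
    """The recursive method from the slide: 0 for x <= 0, else x + run(x - 1)."""
    return 0 if x <= 0 else x + run(x - 1)

def magic(l, h):
    """Concrete MethodContract.magic(): returns the observable l after the call."""
    return -1 if h < 0 else run(h)

def strong_post(h, r):
    """The ensures clause from the slide: (h<=0 ==> r==0) && (h>0 ==> r*2 == h*(h+1))."""
    return (h > 0 or r == 0) and (h <= 0 or r * 2 == h * (h + 1))

def weak_post(h, r):
    """Hypothetical weaker contract (constructed): only promises r >= 0."""
    return r >= 0

def contract_paths(post):
    """SE result of magic() with run(h) treated as a black box via its contract.
    Symbolic state (l, h, r), r being the fresh result variable of run(h):
      pc1 : h < 0                      output l = -1
      pc2 : h >= 0 ∧ Post_run(h, r)    output l = r"""
    return [
        (lambda l, h, r: h < 0,                 lambda l, h, r: -1),
        (lambda l, h, r: h >= 0 and post(h, r), lambda l, h, r: r),
    ]

def witnesses(post, domain=range(-2, 4)):
    """All Leak_ij models (i <= j) over a small domain, as (l, h, r, l', h', r')."""
    paths = contract_paths(post)
    found = {}
    for i, (pc_i, f_i) in enumerate(paths, 1):
        for j, (pc_j, f_j) in enumerate(paths, 1):
            if i > j:
                continue
            found[(i, j)] = [
                m for m in product(domain, repeat=6)
                if m[0] == m[3]                       # l = l'
                and pc_i(*m[:3]) and pc_j(*m[3:])     # pc_i(l,h,r) ∧ pc_j(l',h',r')
                and f_i(*m[:3]) != f_j(*m[3:])        # f_i ≠ f_j
            ]
    return found

def classify(model):
    """A witness is a real exploit if the actual program produces different public
    outputs on the two low-equivalent inputs; otherwise the contract admitted a
    result the implementation never returns and the witness is a false positive."""
    l, h, _r, l2, h2, _r2 = model
    return "exploit" if magic(l, h) != magic(l2, h2) else "false positive"

def summarize(post):
    """Count genuine exploits and false positives among all witnesses."""
    counts = {"exploit": 0, "false positive": 0}
    for models in witnesses(post).values():
        for m in models:
            counts[classify(m)] += 1
    return counts

if __name__ == "__main__":
    print("strong contract:", summarize(strong_post))
    print("weak contract:  ", summarize(weak_post))
```

With the slide's contract the result r is fixed by h, so every witness is a genuine leak of h through l; with the weak contract the solver may pick r ≠ r′ for h = h′, producing pairs the real program cannot distinguish.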

slide-46
SLIDE 46

The KEG Tool

KEG generates exploits for annotated sequential Java programs (without floats, garbage collection and reflection)

◮ Based on the KeY verification system for Java
◮ Using SMT solver Z3 for finding models
◮ Generated exploits are synthesized into JUnit tests

slide-47
SLIDE 47

Experiments

  File name       #Loop / Method call   Policy (NI/D)   Secure/Insecure   Time (ms)   #Generated Exploit / False Positive
  Mul             0 / 0                 D               I                 6266        1 / 0
  Mul_StrongLI    1 / 0                 D               I                 7274        1 / 0
  Mul_WeakLI      1 / 0                 D               I                 7463        2 / 1
  Mul_WrongLI     1 / 0                 D               I                 7285        0 / 0
  Comp_StrongMC   0 / 1                 NI              I                 7995        3 / 0
  Comp_WeakMC     0 / 1                 NI              I                 8065        3 / 3
  Comp_WrongMC    0 / 1                 NI              I                 7887        0 / 0
  Company         1 / 1                 NI              I                 8816        3 / 0
  ExpList         0 / 0                 NI              I                 8668        1 / 0
  ExpLinkedList   0 / 4                 NI              I                 15526       2 / 0
  ExpArrayList    0 / 5                 NI              I                 24752       3 / 0
  ArrMax          1 / 0                 NI              I                 8804        1 / 0
  ArrSearch       1 / 0                 D               S                 9568        0 / 0


slide-49
SLIDE 49

Conclusion & Future Work

Deductive techniques used for
◮ Symbolic execution
  ◮ Path conditions
  ◮ Symbolic states
◮ Model Extraction for exploit generation

Insecurity Formula Construction

Approach implemented for sequential Java Programs: KEG Tool

Future Work
◮ Secret extraction from insecure programs
◮ Usage of information-flow contracts
◮ Improve the presentation and explanation of the generated exploits
◮ Instantiate framework to other relational properties