Formal verification of low-level execution platforms Roberto - - PowerPoint PPT Presentation

Formal verification

• f low-level

execution platforms

Roberto Guanciale Estonian Winter School Day 01

Assistant professor Computer Security Department of Theoretical Computer Science @KTH Research interest in Formal Verification Enthusiast software developer

Roberto Guanciale

Distributed Attacks

A B

Distributed Attacks Software vulnerabilities

• Design flows
• Web parameter injection
• Broken authentication

Distributed Attacks Software vulnerabilities Poor Management

• Password re-usage
• Social engineering
• Misconfiguration

Distributed Attacks Software vulnerabilities Poor Management

500 000 Lines of Code 1 Buffer Overflow Introduced 2012 Discovered 2014

OpenSSL

Motivations

Host 1

Hardware OS Apps

Motivations

Host 1

Hardware OS Apps

Motivations

Host 1

Hardware OS Apps

Motivations

Host 1

Hardware OS Apps

Motivations

Host 1

Hardware OS Apps

Motivations

Host 1

Hardware OS Apps Hypervisor Crypto Service

Formal Verification

Models Assumptions Verifjcation

∀ s. secure(s)

Formal Verification

Models Assumptions Verifjcation CPU MEMORY

Formal Verification

Models Assumptions Verifjcation Hypervisor CPU MEMORY

OS

Formal Verification

Models Assumptions Verifjcation Hypervisor CPU MEMORY

OS

1) Formal verification 2) CPU models and proof strategy 3) Verification of memory virtualization 4) When the models are incorrect

Lecture plan

Formal verification

• states of the system
• Deterministic Finite Automata: integers
• Stack, Heap, Current instruction: Java
• …

Formal models

• states of the system
• Deterministic Finite Automata: integers
• Stack, Heap, Current instruction: Java
• …
• transition relation (behavior of the system)
• DFA: depends on the transition function
• Java: depends on the program and the Java semantics

Formal models

• states of the system
• Deterministic Finite Automata: integers
• Stack, Heap, Current instruction: Java
• …
• transition relation (behavior of the system)
• DFA: depends on the transition function
• Java: depends on the program and the Java semantics
• labeled transition system
• DFA: labels represent the accepted input characters
• weak transition system (when some event is not important)

Formal models

 {P} C {Q} : when the precondition P is met, executing the program C establishes the postcondition Q. 

Contract Verification

 {P} C {Q} : when the precondition P is met, executing the program C establishes the postcondition Q.  

Contract Verification: Hoare logic

 {P} C {Q} : when the precondition P is met, executing the program C establishes the postcondition Q.    Java Modeling Language (JML)

Contract verification: Hoare logic

Contract verification

int SQRT(x) { int r = 0; while (r*r<=x) r++; return r; }

Hoare logic: weakest preconditon

 Find the weakest precondition that guarantees that executing the program C establishes the postcondition Q.  Then prove P => WP

Hoare logic: weakest preconditon

 Find the weakest precondition that guarantees that executing the program C establishes the postcondition Q  x:= exp {Q(x)}  WP = Q(exp)  Example  x:= 5 {Q(x) = x > y}  WP = Q(5) = 5 > y

Hoare logic: weakest preconditon

 Find the weakest precondition that guarantees that executing the program C establishes the postcondition Q.  x:= exp {Q(x)}  WP = Q(exp)  Example  x:= y+1 {Q(x) = x > y}  WP = Q(y+1) = y+1 > y

Hoare logic: weakest preconditon

 Find the weakest precondition that guarantees that executing the program C establishes the postcondition Q.  WP (C1; C2, Q) = WP(C1; WP(C2, Q))  Example 1) WP(y:=x+y, y>5) = x+y > 5 2) WP(x:=z+1, x+y > 5) = z+1+y>5

x:=z+1 y:=x+y Q = y > 5

Hoare logic: weakest preconditon

 Find the weakest precondition that guarantees that executing the program C establishes the postcondition Q.  WP (IF C THEN C1 ELSE C2, Q) =  Example x>y => WP(z=x, z >= x /\ z >= y) eq x>y => x >= x /\ x >= y x<=y => WP(z=y, z >= x /\ z >= y) eq x<=y => y >= x /\ y >= y

if (x>y) then z = x else z=y Q: z >= x /\ z >= y

 Implementation model  Java Classes  DFA  Specification model  Interfaces  NFA

Trace inclusion

 Implementation model  trace  traces  Specification model

Trace inclusion

 Implementation model  trace  traces  Specification model

Trace inclusion

 Implementation model  trace  traces  Specification model  Trace Inclusion

Trace inclusion

Formal verification: Trace inclusion

Formal verification: Trace inclusion

Formal verification: Trace inclusion

 Implementation model  Specification model  Trace Inclusion  Contract verification  Then

Formal verification: Trace inclusion

  Relation

Formal verification: Trace inclusion

  Relation  Trace Inclusion  Contract verification  Property transfer

Formal verification: Trace inclusion

  Relation  Trace Inclusion  Contract verification  Property transfer

Formal verification: Trace inclusion

  Relation  Trace Inclusion 

Formal verification: simulation

 K1 and K2 are secret variables (e.g. keys)  P1 and P2 are public variables  The attacker can invoke the function F  F should not leak the value of Ks

Formal verification: express secrecy

int F (P1) { P2 := K1; }

 K1 and K2 are secret variables (e.g. keys)  P1 and P2 are public variables  The attacker can invoke the function F  F should not leak the value of Ks

Formal verification: express secrecy

int F (P1) { P2 := K1; }

 K1 and K2 are secret variables (e.g. keys)  P1 and P2 are public variables  The attacker can invoke the function F  F should not leak the value of Ks

Formal verification: express secrecy

int F (P1) { P2 := P1; }

 K1 and K2 are secret variables (e.g. keys)  P1 and P2 are public variables  The attacker can invoke the function F  F should not leak the value of Ks

Formal verification: express secrecy

int F (P1) { P2 := P1+K1; }

 K1 and K2 are secret variables (e.g. keys)  P1 and P2 are public variables  The attacker can invoke the function F  F should not leak the value of Ks

Formal verification: express secrecy

int F (P1) { if (K1 < 10) P2 := P1; }

 K1 and K2 are secret variables (e.g. keys)  P1 and P2 are public variables  The attacker can invoke the function F  F should not leak the value of Ks

Formal verification: express secrecy

int F (P1) { if (P1 < 10) P2 := P1; K2 := K1 + P1; }

 K1 and K2 are secret variables (e.g. keys)  P1 and P2 are public variables

Information flow security

Information flow security: refinement

Information flow security: refinement



Information flow security: refinement



Information flow security: refinement



Information flow security: refinement

int S() { P := RND()*2; } K:0 P:1 P:0 P:2 P:4 K:1 P:1 P:0 P:2 P:4

Information flow security: refinement

int S() { P := RND()*2; } int I() { P := K*2; } K:0 P:1 P:0 P:2 P:4 K:1 P:1 P:0 P:2 P:4

Information flow security: refinement

int S() { P := RND()*2; } int I() { P := K*2; } K:0 P:1 P:0 P:2 P:4 K:1 P:1 P:0 P:2 P:4 K:0 P:1 P:0 P:2 P:4

Information flow security: refinement

int S() { P := RND()*2; } int I() { P := K*2; } K:0 P:1 P:0 P:2 P:4 K:1 P:1 P:0 P:2 P:4 K:0 P:1 P:0 P:2 P:4 K:1 P:1 P:0 P:2 P:4

Information flow security: refinement



  Relation  Trace Inclusion 

Formal verification: bisimulation



Fully automated (propositional logic)



Automated, but not necessarily terminating (first order logic)



With automation, but mainly interactive (higher-order logic)



Isabelle



HOL4

Theorem prover



A generic interactive proof assistant



Interactive:



more than just yes/no, you can interactively guide the system



Proof assistant:



helps to explore, find, and maintain proofs



Widely used systems, Active development, Reasonably easy to use



Internal Logic and object logic (HOL)

Isabelle/HOL4

Summary

• Motivations
• Refinements
• Information flow security
• Upcoming
• Formal models of CPUs
• High level proof

THANKS! Any questions?

You can find me at robertog@kth.se http://prosper.sics.se/

References