it doesn t have to be so hard efficient symbolic
play

It Doesnt Have to Be So Hard: Efficient Symbolic Reasoning for CRCs - PowerPoint PPT Presentation

Jun 08, 2023 •226 likes •626 views

It Doesnt Have to Be So Hard: Efficient Symbolic Reasoning for CRCs Vaibhav Sharma, Navid Emamdoost, Seonmo Kim, Stephen McCamant University of Minnesota, Minneapolis, MN, USA Motivation Cyclic Redundancy Check (CRC) is commonly used

  1. It Doesn’t Have to Be So Hard: Efficient Symbolic Reasoning for CRCs Vaibhav Sharma, Navid Emamdoost, Seonmo Kim, Stephen McCamant University of Minnesota, Minneapolis, MN, USA

  2. Motivation ● Cyclic Redundancy Check (CRC) is commonly used for error detection ● Not resistant to adversarial modification ○ WEP, SSHv1 ● Sometimes used as an obstacle to symbolic execution ○ Jung et al., USENIX Security 2019 ● Is analysis of CRC difficult?

  3. Our Contribution ● It is not difficult to analyze CRC implementations ● Use symbolic execution to compute pre-image of CRC ● Explore two kinds of CRC implementations ○ update CRC once for every input bit ○ update CRC using lookup table (for every 8 bits in input)

  4. Our Contribution ● It is not difficult to analyze CRC implementations ● Use symbolic execution to compute pre-image of CRC ● Explore two kinds of CRC implementations ○ update CRC once for every input bit ○ update CRC using lookup table (for every 8 bits in input)

  5. CRC symbolic pre-image computation int main() { char sym_str[LEN]; // set to symbolic bytes unsigned int sym_crc = crc(sym_str, LEN); char conc_str[LEN]; srand(time(NULL)); for ( int i = 0; i < LEN; i++) conc_str[i] = ( char ) rand(); if (sym_crc == crc(conc_str, LEN)) { printf("found the pre-image\n"); } return 0; }

  6. Our Contribution ● It is not difficult to analyze CRC implementations ● Use symbolic execution to compute pre-image of CRC ● Explore two kinds of CRC implementations ○ update CRC once for every input bit ○ update CRC using lookup table (for every 8 bits in input)

  7. Our Contribution ● It is not difficult to analyze CRC implementations ● Use symbolic execution to compute pre-image of CRC ● Explore two kinds of CRC implementations ○ update CRC once for every input bit ○ update CRC using lookup table (for every 8 bits in input)

  8. Our Contribution ● It is not difficult to analyze CRC implementations ● Use symbolic execution to compute pre-image of CRC ● Explore two kinds of CRC implementations Used by Jung et al. to ○ update CRC once for every input bit defeat symbolic execution ○ update CRC using lookup table (for every 8 bits in input)

  9. CRC Implementation Type #1 unsigned int fuzzification_crc32 ( unsigned char *message) { int i, j; unsigned int byte, crc; message points to i = 0; crc = 0xFFFFFFFF; symbolic bytes while (message[i] != 0) { byte = reverse(message[i]); for (j = 0; j <= 7; j++) { if (( int )(crc ^ byte) < 0) crc = (crc << 1) ^ 0x04C11DB7; else crc = crc << 1; byte = byte << 1; } i = i + 1; } return reverse(~crc); }

  10. CRC Implementation Type #1 unsigned int fuzzification_crc32 ( unsigned char *message) { int i, j; unsigned int byte, crc; i = 0; crc = 0xFFFFFFFF; while (message[i] != 0) { byte = reverse(message[i]); for (j = 0; j <= 7; j++) { if (( int )(crc ^ byte) < 0) crc = (crc << 1) ^ 0x04C11DB7; else crc = crc << 1; byte = byte << 1; } i = i + 1; } return reverse(~crc); }

  11. CRC Implementation Type #1 unsigned int fuzzification_crc32 ( unsigned char *message) { int i, j; unsigned int byte, crc; i = 0; crc = 0xFFFFFFFF; while (message[i] != 0) { byte = reverse(message[i]); for (j = 0; j <= 7; j++) { if (( int )(crc ^ byte) < 0) crc = (crc << 1) ^ 0x04C11DB7; else crc = crc << 1; byte = byte << 1; } i = i + 1; } return reverse(~crc); }

  12. CRC Implementation Type #1 unsigned int fuzzification_crc32 ( unsigned char *message) { int i, j; unsigned int byte, crc; i = 0; crc = 0xFFFFFFFF; while (message[i] != 0) { byte = reverse(message[i]); for (j = 0; j <= 7; j++) { if (( int )(crc ^ byte) < 0) crc = (crc << 1) ^ 0x04C11DB7; else crc = crc << 1; byte = byte << 1; } i = i + 1; } return reverse(~crc); }

  13. CRC Implementation Type #1 unsigned int fuzzification_crc32 ( unsigned char *message) { int i, j; unsigned int byte, crc; i = 0; crc = 0xFFFFFFFF; while (message[i] != 0) { byte = reverse(message[i]); for (j = 0; j <= 7; j++) { if (( int )(crc ^ byte) < 0) crc = (crc << 1) ^ 0x04C11DB7; else crc = crc << 1; byte = byte << 1; } i = i + 1; } return reverse(~crc); }

  14. CRC Implementation Type #1 unsigned int fuzzification_crc32 ( unsigned char *message) { int i, j; unsigned int byte, crc; i = 0; crc = 0xFFFFFFFF; while (message[i] != 0) { byte = reverse(message[i]); for (j = 0; j <= 7; j++) { if (( int )(crc ^ byte) < 0) crc = (crc << 1) ^ 0x04C11DB7; else crc = crc << 1; byte = byte << 1; } i = i + 1; } return reverse(~crc); }

  15. CRC Implementation Type #1 unsigned int fuzzification_crc32 ( unsigned char *message) { int i, j; unsigned int byte, crc; i = 0; crc = 0xFFFFFFFF; while (message[i] != 0) { ● Both sides of branch byte = reverse(message[i]); for (j = 0; j <= 7; j++) { feasible if (( int )(crc ^ byte) < 0) ● Executed once for every bit crc = (crc << 1) ^ 0x04C11DB7; in message else crc = crc << 1; byte = byte << 1; ● Causes path explosion } ● Can be easily alleviated i = i + 1; with path-merging } return reverse(~crc); }

  16. CRC Implementation Type #1 unsigned int fuzzification_crc32 ( unsigned char *message) { int i, j; unsigned int byte, crc; i = 0; crc = 0xFFFFFFFF; Summarize both sides of branch into while (message[i] != 0) { byte = reverse(message[i]); single formula for (j = 0; j <= 7; j++) { crc =( int )(crc ^ byte) < 0 if (( int )(crc ^ byte) < 0) ? (crc << 1) ^ 0x04C11DB7 crc = (crc << 1) ^ 0x04C11DB7; else crc = crc << 1; : crc << 1 byte = byte << 1; } i = i + 1; } return reverse(~crc); }

  17. CRC Implementation Type #1 unsigned int fuzzification_crc32 ( unsigned char *message) { int i, j; unsigned int byte, crc; i = 0; crc = 0xFFFFFFFF; ● Summarize both sides of branch while (message[i] != 0) { byte = reverse(message[i]); into single formula for (j = 0; j <= 7; j++) { ● Write side-effects of summary into if (( int )(crc ^ byte) < 0) local variable (crc) crc = (crc << 1) ^ 0x04C11DB7; else crc = crc << 1; ● Skip branching, jump to immediate byte = byte << 1; post-dominator of branch } instruction i = i + 1; } return reverse(~crc); }

  18. Our Contribution ● It is not difficult to analyze CRC implementations ● Use symbolic execution to compute pre-image of CRC ● Explore two kinds of CRC implementations ○ update CRC once for every input bit Used to make CRC ○ update CRC using lookup table (for every 8 bits in input) computation faster

  19. CRC Implementation Type #2 unsigned int cgc_crc32( char *buf, int len) { unsigned int c = 0xffffffff; int n; for (n = 0; n < len; n++) c = table[(c ^ buf[n]) & 0xff] ^ (c >> 8); return c ^ 0xffffffff; }

  20. CRC Implementation Type #2 unsigned int cgc_crc32( char *buf, int len) { unsigned int c = 0xffffffff; int n; buf points to for (n = 0; n < len; n++) symbolic bytes c = table[(c ^ buf[n]) & 0xff] ^ (c >> 8); return c ^ 0xffffffff; }

  21. CRC Implementation Type #2 unsigned int cgc_crc32( char *buf, int len) { unsigned int c = 0xffffffff; int n; for (n = 0; n < len; n++) c = table[(c ^ buf[n]) & 0xff] ^ (c >> 8); return c ^ 0xffffffff; }

  22. CRC Implementation Type #2 unsigned int cgc_crc32( char *buf, int len) { unsigned int c = 0xffffffff; int n; for (n = 0; n < len; n++) c = table[(c ^ buf[n]) & 0xff] ^ (c >> 8); return c ^ 0xffffffff; }

  23. CRC Implementation Type #2 unsigned int cgc_crc32( char *buf, int len) { unsigned int c = 0xffffffff; int n; for (n = 0; n < len; n++) c = table[(c ^ buf[n]) & 0xff] ^ (c >> 8); return c ^ 0xffffffff; }

  24. CRC Implementation Type #2 unsigned int cgc_crc32( char *buf, int len) { unsigned int c = 0xffffffff; ● Concrete table lookup with symbolic int n; index for (n = 0; n < len; n++) c = table[(c ^ buf[n]) & 0xff] a. Branch for every entry ^ (c >> 8); b. Read table contents into return c ^ 0xffffffff; If-Then-Else expression } c. Use theory of arrays d. Use the structure of the table to summarize its contents

  25. CRC Implementation Type #2 unsigned int cgc_crc32( char *buf, int len) { unsigned int c = 0xffffffff; ● Concrete table lookup with symbolic int n; index for (n = 0; n < len; n++) c = table[(c ^ buf[n]) & 0xff] a. Branch for every entry ^ (c >> 8); b. Read table contents into return c ^ 0xffffffff; If-Then-Else expression } c. Use theory of arrays d. Use the structure of the table to summarize its contents

  26. CRC Implementation Type #2 unsigned int cgc_crc32( char *buf, int len) { unsigned int c = 0xffffffff; ● Concrete table lookup with symbolic int n; index for (n = 0; n < len; n++) c = table[(c ^ buf[n]) & 0xff] a. Branch for every entry ^ (c >> 8); b. Read table contents into return c ^ 0xffffffff; If-Then-Else expression } c. Use theory of arrays d. Use the structure of the table to summarize its contents

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of London Joint work with: Stefan Bucur, George Candea, Volodymyr Kuznetsov @ EPFL Symbolic Execution Automatically explore program paths

2.34k views • 200 slides
Digital Media is it.. ..Economic? ..Efficient? 1 1 Is it Efficient? Can it deliver large

Digital Media is it.. ..Economic? ..Efficient? 1 1 Is it Efficient? Can it deliver large

..Effective? Digital Media is it.. ..Economic? ..Efficient? 1 1 Is it Efficient? Can it deliver large audiences? Does it make the investment work hard? 2 Huge number of intermediaries makes programmatic expensive or inefficient 3

680 views • 40 slides
Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic Execution Supervisors: Author: Lesly-Ann Daniel Sbastien Bardin CEA LIST CEA LIST Tamara Rezk Oct 2018 - Oct 2021 INRIA Sophia Antipolis

777 views • 38 slides
Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic Execution Lesly-Ann Daniel Sbastien Bardin Tamara Rezk CEA LIST, France CEA LIST, France INRIA, France IEEE Symposium on Security and Privacy May

464 views • 25 slides
SDRL: Interpretable and Data-efficient Deep Liu Reinforcement Learning Introduction Background

SDRL: Interpretable and Data-efficient Deep Liu Reinforcement Learning Introduction Background

SDRL: Symbolic Deep Reinforcement Learning SDRL: Interpretable and Data-efficient Deep Liu Reinforcement Learning Introduction Background Leveraging Symbolic Planning Method Experiment Conclusion Bo Liu and Future Work Auburn

1k views • 20 slides
Why Why Google Google Shopping doesn't Shopping doesn't work work for for many many retailers

Why Why Google Google Shopping doesn't Shopping doesn't work work for for many many retailers

Why Why Google Google Shopping doesn't Shopping doesn't work work for for many many retailers retailers Liam Patterson Founder &amp; CEO Show of hands? Q: Who is actively running Google Shopping ? About You 27% of SHOPPERS 27% of

573 views • 30 slides
On the Design of Symbolic-Geometric Online Planning Systems Lavindra de Silva -

On the Design of Symbolic-Geometric Online Planning Systems Lavindra de Silva -

On the Design of Symbolic-Geometric Online Planning Systems Lavindra de Silva - University of Nottingham Felipe Meneguzzi - PUCRS Motivation Programming autonomous robots is hard Wide variety of algorithms Varying

639 views • 24 slides
Finding Code That Explodes Under Symbolic Evalua&lt;on James Bornholt Emina Torlak University

Finding Code That Explodes Under Symbolic Evalua&lt;on James Bornholt Emina Torlak University

Finding Code That Explodes Under Symbolic Evalua&lt;on James Bornholt Emina Torlak University of Washington unsat.org Automated reasoning tools help us solve hard programming problems Automated reasoning tools help us solve hard programming

850 views • 60 slides
Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Symbolic Mathematics Dr. Mihail November 20, 2018 (Dr. Mihail) Symbolic November 20, 2018 1 /

Symbolic Mathematics Dr. Mihail November 20, 2018 (Dr. Mihail) Symbolic November 20, 2018 1 /

Symbolic Mathematics Dr. Mihail November 20, 2018 (Dr. Mihail) Symbolic November 20, 2018 1 / 16 Overview Symbolic So far in this course we dealt with MATLAB variables that were placeholders for numeric types (e.g., scalars, vectors,

953 views • 17 slides
Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018 Outline 1 Formal Models 2

1.01k views • 81 slides
Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps

Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps

Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps Symbolic Stamps Hui Xu, Guoyong Shi and Xiaopeng Li School of Microelectronics, Shanghai Jiao Tong Univ. Shanghai, China Presentation at Asia

655 views • 36 slides
fjlesystem reliability 1 last time inodes (double-, triple-)indirect blocks sparse fjles hard

fjlesystem reliability 1 last time inodes (double-, triple-)indirect blocks sparse fjles hard

fjlesystem reliability 1 last time inodes (double-, triple-)indirect blocks sparse fjles hard and symbolic links block groups for locality extents and fragments non-binary trees on disk 2 note on FAT assignment you will need to use

1.34k views • 106 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin &amp; Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
The Encryption Standards Appendix F Computer Security: Art and Science, 2 nd Edition Version 1.0

The Encryption Standards Appendix F Computer Security: Art and Science, 2 nd Edition Version 1.0

The Encryption Standards Appendix F Computer Security: Art and Science, 2 nd Edition Version 1.0 Slide F - 1 Outline Data Encryption Standard Algorithm Advanced Encryption Standard Background mathematics Algorithm Computer

499 views • 31 slides
Fast Byte-Granularity Software Fault Isolation Manuel Costa Microsoft Research, Cambridge Joint

Fast Byte-Granularity Software Fault Isolation Manuel Costa Microsoft Research, Cambridge Joint

Fast Byte-Granularity Software Fault Isolation Manuel Costa Microsoft Research, Cambridge Joint work with: Miguel Castro, Jean-Philippe Martin, Marcus Peinado, Periklis Akritidis, Austin Donnelly, Paul Barham, Richard Black Some edits and

522 views • 35 slides
Memory &amp; C Pointers Yunhao Zhang Cornell University What is memory? cooling fan CPU under

Memory &amp; C Pointers Yunhao Zhang Cornell University What is memory? cooling fan CPU under

Memory &amp; C Pointers Yunhao Zhang Cornell University What is memory? cooling fan CPU under the cooling fan Memory * Images from https://www.123rf.com/ What is memory? Circuits connecting CPU and memory * Images from

336 views • 18 slides
CS 356: Introduction to Computer Networks Lecture 19: Transmission Control Protocol (TCP) Chap.

CS 356: Introduction to Computer Networks Lecture 19: Transmission Control Protocol (TCP) Chap.

CS 356: Introduction to Computer Networks Lecture 19: Transmission Control Protocol (TCP) Chap. 5.2 Xiaowei Yang xwy@cs.duke.edu Overview TCP Connection management Flow control When to transmit a segment Adaptive

931 views • 53 slides
&quot;why perl utf-8&quot; also (bonus!) &quot;why OmniGraffle is not a replacement for

&quot;why perl utf-8&quot; also (bonus!) &quot;why OmniGraffle is not a replacement for

&quot;why perl utf-8&quot; also (bonus!) &quot;why OmniGraffle is not a replacement for Powerpoint&quot; perl programmers who everyone understand character sets me. and mark, sometimes. and nick. 10010110 byte character a

1.04k views • 34 slides
Personal SE Computer Memory Addresses C Pointers Computer Memory Organization Memory is a

Personal SE Computer Memory Addresses C Pointers Computer Memory Organization Memory is a

Personal SE Computer Memory Addresses C Pointers Computer Memory Organization Memory is a bucket of bytes . Computer Memory Organization Memory is a bucket of bytes. Each byte is 8 bits wide. Computer Memory Organization Memory

994 views • 42 slides
Bits and bytes Week 2: data representation Data is stored in the computer as bits. (20 cr

Bits and bytes Week 2: data representation Data is stored in the computer as bits. (20 cr

School of Computer Science, University of Birmingham. Java Lecture notes. M. D. Ryan. September 2000. Bits and bytes Week 2: data representation Data is stored in the computer as bits. (20 cr only) Bit stands for binary digit ; it has

76 views • 3 slides
Arrays Memory a b c d start 1-dimensional array x = [a, b, c, d] map into

Arrays Memory a b c d start 1-dimensional array x = [a, b, c, d] map into

1D Array Representation In Java, C, and C++ Arrays Memory a b c d start 1-dimensional array x = [a, b, c, d] map into contiguous memory locations location(x[i]) = start + i Space Overhead 2D Arrays Memory a b c d The

427 views • 6 slides

More recommend