lazart a symbolic approach for evaluating the robustness
play

Lazart: a symbolic approach for evaluating the robustness of secured - PowerPoint PPT Presentation

Jan 21, 2023 •334 likes •565 views

Lazart: a symbolic approach for evaluating the robustness of secured codes against control flow fault injections M. L. Potet L. Mounier M. Puys L. Dureuil VERIMAG University of Grenoble Alpes, France SDTA 2014 First presented in ICST 2014

  1. Lazart: a symbolic approach for evaluating the robustness of secured codes against control flow fault injections M. L. Potet L. Mounier M. Puys L. Dureuil VERIMAG University of Grenoble Alpes, France SDTA 2014 First presented in ICST 2014 Lazart: a symbolic approach for evaluating the robustness of secured codes against control flow fault injections 1/19

  2. Outline 1 Context and Motivation 2 The Lazart Approach 3 A quick example 4 Conclusion and perspectives Lazart: a symbolic approach for evaluating the robustness of secured codes against control flow fault injections 2/19

  3. Context: smart card certification Smart cards Pervasive : bank, health, phones, . . . (7 billions sold in 2012) Contain sensible data and applications ⇒ can be attacked! Smart card security Protections mechanisms added by manufacturers Well-defined certification process, prior to commercialization: Security functional test Penetration test Certification procedures include Physical testing on the device (black box) Code review and/or code analysis (white box) Lazart: a symbolic approach for evaluating the robustness of secured codes against control flow fault injections 3/19

  4. Effects of fault injection at the source level 1 int verify(char buffer [4]) 1 MOV R3 , #01h 2 { 2 MOV R0 , #00h 3 int i; 3 WHILE: MOV A, R0 4 for(i = 0; i < 4; i++) 4 SUBB A, #04h 5 if(buffer[i] != pin[i]) 5 JZ END // exit loop { 6 DO: 6 authenticated = 0; 7 MOV R2 , [buffer+i] 7 goto FAILURE; 8 MOV A, [pin+i] 8 } 9 SUBB A, R2 9 authenticated = 1; 10 JZ SUCCESS 10 return EXIT_SUCCESS; 11 MOV R3 , #00h 11 FAILURE : return 12 JMP END EXIT_FAILURE; 13 12 } 14 SUCCESS: INC R0 15 JMP WHILE 16 17 END: MOV authenticated , R3 18 RET Lazart: a symbolic approach for evaluating the robustness of secured codes against control flow fault injections 4/19

  5. Security Property and Fault Model Security Property → Enforce or prevent the execution of specific instruction(s). ⇒ ֒ Attack Objective = set of basic blocks (not) to be reached Objectives of the analysis: Predict (or prove the absence of) possible attacks, for a given fault model Locate the“dangerous spots”in the code Evaluate the relevance of existing counter-measures Fault Model - Multiple faults Volatile control structure test inversion (e.g., if , while , etc.) → Encompass multiple binary-level attacks, e.g., ֒ NOP injection, modify flag or register value, . . . Lazart: a symbolic approach for evaluating the robustness of secured codes against control flow fault injections 5/19

  6. Outline 1 Context and Motivation 2 The Lazart Approach 3 A quick example 4 Conclusion and perspectives Lazart: a symbolic approach for evaluating the robustness of secured codes against control flow fault injections 6/19

  7. The complete tool chain LLVM framework Java tool CFG mutant appli.ll mutation strategy appli.ll coloring generation attack objectives mutant.ll symbolic KLEE test case generation attack paths inconclusive robustness "proof" Lazart: a symbolic approach for evaluating the robustness of secured codes against control flow fault injections 7/19

  8. Step 1: CFG-coloring entry: entry: T F T F bb: bb: bb4: bb4: T F T F bb1: bb1: T F T F bb2: bb3: bb2: bb3: FAILURE: bb5: FAILURE: bb5: bb6: bb6: return: return: (a) cfg for 'Verify' function (b) Colored cfg for bb5 to be reached Lazart: a symbolic approach for evaluating the robustness of secured codes against control flow fault injections 8/19

  9. Step 2: Mutation operators Example: mandatory mutation operator bb: T F bb: bbTI: T F bb1: bb2: bb1: (a) A mutation scheme (b) Our mandatory mutation More complex mutation operators Using only mandatory mutations guarantees adversary to reach the objective. More mutation operators describing optional faults the adversary can use to optimize his attack path. Guarded by boolean values named activ_i . Lazart: a symbolic approach for evaluating the robustness of secured codes against control flow fault injections 9/19

  10. Step 3: Symbolic execution → Produce“all possible”mutant executions . . . ֒ Symbolic values Attack activation guards activ_i . Security-relevant external inputs (e.g., PIN input values). Assertions Inputs constraints (e.g., the entered PIN is incorrect). Maximal fault number (e.g., fault <= 2 ). Coverage criteria (Try to) exercise each symbolic execution path. (Try to) satisfy/violate each assertion. Lazart: a symbolic approach for evaluating the robustness of secured codes against control flow fault injections 10/19

  11. Step 4: Results gathering Tool-chain Use of LLVM-Klee and STP solver. Produces trace execution files for: “Correct”test cases. Assertion violations, execution errors. Timeout occurrences (to many paths or untractable constraint). Robustness verdicts (for a given fault number) ATK ∃ an execution path satisfying the assertions. INC timeout detection and no attack produced. ROB no timeout and no attack . . . Lazart: a symbolic approach for evaluating the robustness of secured codes against control flow fault injections 11/19

  12. Outline 1 Context and Motivation 2 The Lazart Approach 3 A quick example 4 Conclusion and perspectives Lazart: a symbolic approach for evaluating the robustness of secured codes against control flow fault injections 12/19

  13. On an example: VerifyPIN entry: T F bb: 1 int verify(char buffer [4]) { 2 int i; 3 for(i = 0; i < 4; i++) { bb4: 4 if(buffer[i] != pin[i]) { T F 5 authenticated = 0; bb1: 6 goto FAILURE; T F 7 } 8 } bb2: bb3: 9 authenticated = 1; 10 return EXIT_SUCCESS; FAILURE: bb5: 11 FAILURE: 12 return EXIT_FAILURE; bb6: 13 } return: (b) Colored cfg for bb5 to be reached Lazart: a symbolic approach for evaluating the robustness of secured codes against control flow fault injections 13/19

  14. Results obtained for the VerifyPIN example Number of test execution produced: # fault injections no input constraints input PIN is incorrect fault ==0 1 0 fault ==1 x 1 fault ==2 x 1 fault > = 3 x 3 A 1-fault attack scenario Circumvent the whole loop (PIN verification) execution Optional mutation on bb4 A 4-faults attack scenario Change the result (inside the loop) when checking each PIN digit Mandatory mutation on bb1: force the flow to bb3 Lazart: a symbolic approach for evaluating the robustness of secured codes against control flow fault injections 14/19

  15. A PIN Verify procedure with countermeasures (CM) 1 char triesLeft = maxTries; entry: 2 char triesLeftBackup = -maxTries; // triesleft BACKUP T F 3 BYTE Verify(char buffer [4]) { bb: 4 int i; T F 5 int stepCounter = INITIAL_VALUE ; // instruction counter bb2: T F 6 short char t1 = triesLeft; 7 if(t1 != -triesLeftBackup ) goto CM ; // check with bb1: bb3: triesleft BACKUP 8 if(triesLeft <= 0) return EXIT_FAILURE ; bb8: 9 t1 --; triesLeft = t1; triesLeftBackup ++; T F 10 if(triesLeft != -triesLeftBackup ) goto CM ; 11 equal = BOOL_TRUE; bb4: bb9: T F T F 12 for(i = 0; i < 4; i++) 13 {equal=equal &(( buffer[i]!= pin[i])?BOOL_FALSE : bb5: bb6: bb10: BOOL_TRUE); T F 14 stepCounter ++; }; 15 if(equal == BOOL_TRUE) { bb7: bb11: T F 16 if(equal != BOOL_TRUE) goto CM ; // redundant test bb12: 17 triesLeft = maxTries; triesLeftBackup = -maxTries; T F 18 if (triesLeft != -triesLeftBackup ) goto CM ; bb14: bb15: 19 authenticated = 1; T F 20 if( stepCounter == INITIAL_VALUE + 4) // check instruction counter CM: bb13: bb16: 21 return EXIT_SUCCESS ; } // TO BE REACHED 22 else { bb17: 23 authenticated = 0; 24 if( stepCounter == INITIAL_VALUE + 4) // check instruction counter return: 25 return EXIT_FAILURE ; } (a) Colored CFG for bb12 to be reached 26 } Lazart: a symbolic approach for evaluating the robustness of secured codes against control flow fault injections 15/19

  16. Outline 1 Context and Motivation 2 The Lazart Approach 3 A quick example 4 Conclusion and perspectives Lazart: a symbolic approach for evaluating the robustness of secured codes against control flow fault injections 16/19

  17. Conclusion Current results Higher-order fault injection according to the state of the art Positive and negative diagnostic A tool suite based on robust tools (Clang, LLVM, Klee) validation on“realistic”applications (PIN verifier, random number generator, OpenSSH, . . . ) A conservative approach for extended fault models [PMPD14] Lazart: A symbolic approach for evaluation the robustness of secured codes against control flow injections. In ICST 2014, March 2014. [RPL+14] Combining High-Level and Low-Level Approaches to Evaluate Software Implementations Robustness Against Multiple Fault Injection Attacks. In FPS 2014, November 2014. Lazart: a symbolic approach for evaluating the robustness of secured codes against control flow fault injections 17/19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Quantifying Robustness by Symbolic Model Checking S. Baarir C. Braunstein E Encrenaz J-M.

Quantifying Robustness by Symbolic Model Checking S. Baarir C. Braunstein E Encrenaz J-M.

Quantifying Robustness by Symbolic Model Checking S. Baarir C. Braunstein E Encrenaz J-M. Ili T. Li I. Mounier D. Poitrenaud S. Younes HWVW 2010, July 15, 2010 Quantifying Robustness - HWVW 2010 1 / 28 Outline Motivation 1

809 views • 31 slides
Sensitivity of PCA for Traffic Anomaly Detection Evaluating the robustness of current best

Sensitivity of PCA for Traffic Anomaly Detection Evaluating the robustness of current best

Sensitivity of PCA for Traffic Anomaly Detection Evaluating the robustness of current best practices Haakon Ringberg 1 , Augustin Soule 2 , Jennifer Rexford 1 , Christophe Diot 2 1 Princeton University, 2 Thomson Research Outline Context

598 views • 15 slides
Lessons Learned from Evaluating the Robustness of Defenses to Adversarial Examples Nicholas

Lessons Learned from Evaluating the Robustness of Defenses to Adversarial Examples Nicholas

Lessons Learned from Evaluating the Robustness of Defenses to Adversarial Examples Nicholas Carlini Google Research Lessons Learned from Evaluating the Robustness of Defenses to Adversarial Examples Lessons Learned from Evaluating the

1.28k views • 127 slides
Towards Evaluating the Robustness of Neural Networks Nicholas Carlini and David Wagner

Towards Evaluating the Robustness of Neural Networks Nicholas Carlini and David Wagner

Towards Evaluating the Robustness of Neural Networks Nicholas Carlini and David Wagner University of California, Berkeley Background A neural network is a function with trainable parameters that learns a given mapping Given an image,

590 views • 58 slides
Evaluating the Robustness of Natural Language Reward Shaping Models to Spatial Relations Antony

Evaluating the Robustness of Natural Language Reward Shaping Models to Spatial Relations Antony

Evaluating the Robustness of Natural Language Reward Shaping Models to Spatial Relations Antony Yun Successes of Reinforcement Learning https://deepmind.com/blog/article/alphazero-shedding-new-light-grand-games-chess-shogi-and-go

699 views • 34 slides
EV CHARGING QOS AND POWER SYSTEM ROBUSTNESS THROUGH ICT APPLICATIONS; NEMOS APPROACH

EV CHARGING QOS AND POWER SYSTEM ROBUSTNESS THROUGH ICT APPLICATIONS; NEMOS APPROACH

EV CHARGING QOS AND POWER SYSTEM ROBUSTNESS THROUGH ICT APPLICATIONS; NEMOS APPROACH Theodoros Theodoropoulos Researcher ICCS ITS WC 18 1 CHALLENGES FOR NEMO (E-MOBILITY)? Limitation in Electric Vehicle range lack of interoperability

252 views • 11 slides
Robustness? Robustness ? Robustness?

Robustness? Robustness ? Robustness?

Robustness? Robustness ? Robustness? Thomas Mandl

245 views • 5 slides
Where Are We? Lecture 9 Robustness through Training 1 Robustness Explicit Handling of Noise

Where Are We? Lecture 9 Robustness through Training 1 Robustness Explicit Handling of Noise

Where Are We? Lecture 9 Robustness through Training 1 Robustness Explicit Handling of Noise and Channel Variations 2 Michael Picheny, Bhuvana Ramabhadran, Stanley F. Chen Robustness via Adaptation 3 IBM T.J. Watson Research Center

256 views • 22 slides
Symbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes Workshop PROOFS

Symbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes Workshop PROOFS

Introduction / Motivation Symbolic Method Experiments Conclusion Symbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes Workshop PROOFS In` es Ben El Ouahma Quentin Meunier Karine Heydemann Emmanuelle Encrenaz

271 views • 25 slides
A Symbolic Summarizer Fabrizio Gotti, Guy Lapalme Universit de Montral Luka Nerima, ric

A Symbolic Summarizer Fabrizio Gotti, Guy Lapalme Universit de Montral Luka Nerima, ric

GOFAI SUM A Symbolic Summarizer Fabrizio Gotti, Guy Lapalme Universit de Montral Luka Nerima, ric Wehrli Universit de Genve Originality of our approach Symbolic approach - Syntactic parser that produces an XML file - Tree

409 views • 14 slides
An Approach to Robustness in Matching Problems under Ordinal Preferences Post-viva presentation

An Approach to Robustness in Matching Problems under Ordinal Preferences Post-viva presentation

An Approach to Robustness in Matching Problems under Ordinal Preferences Post-viva presentation Presenter : Begm Gen Supervisors : Prof. Barry OSullivan (UCC) and Dr. Mohamed Siala (LAAS-CNRS) Outline 1. Background

547 views • 43 slides
Symbolic String Verification: An Automata-based Approach Fang Yu Tevfik Bultan Marco Cova

Symbolic String Verification: An Automata-based Approach Fang Yu Tevfik Bultan Marco Cova

Outline Motivation Symbolic String Verification Experiments Conclusion Symbolic String Verification: An Automata-based Approach Fang Yu Tevfik Bultan Marco Cova Oscar H. Ibarra Dept. of Computer Science University of California Santa

465 views • 35 slides
Nothing About Us Without Us: Using a Participatory and Equitable Approach to Evaluating an

Nothing About Us Without Us: Using a Participatory and Equitable Approach to Evaluating an

Nothing About Us Without Us: Using a Participatory and Equitable Approach to Evaluating an Overdose Prevention Project CESBC Webinar May 8, 2020 Agenda Intros Peer perspective and terminology What worked Challenges Peer

327 views • 30 slides
EPA Region 7 Dan Nicoski } EPA Region 7 approach to evaluating the VI Pathway } Using the VISL

EPA Region 7 Dan Nicoski } EPA Region 7 approach to evaluating the VI Pathway } Using the VISL

EPA Region 7 Dan Nicoski } EPA Region 7 approach to evaluating the VI Pathway } Using the VISL Calculator } Why Pre-emptive Mitigation? } New ORD VI Documents } EP EPA R7 recommended approach Sub-slab/Indoor Air/Ambient t Air/Survey }

568 views • 18 slides
A Neural-Symbolic Approach to the Contemporary Theory of Metaphor Guido Boella - University of

A Neural-Symbolic Approach to the Contemporary Theory of Metaphor Guido Boella - University of

Contemporary Theory of Metaphor Sets, Functions and Networks Example Applications and conclusion Philosophy and Machine Learning - Workshop (@ Neural Information Processing Systems 2011) A Neural-Symbolic Approach to the Contemporary Theory

682 views • 19 slides
UCSD Robustness Summer School David Donoho 20190812 David Donoho UCSD Robustness Summer School

UCSD Robustness Summer School David Donoho 20190812 David Donoho UCSD Robustness Summer School

What is Statistics? What is Statistical Research? Paradigm Shifts in Statistics How did Robustness in Statistics Emerge? What has Robustness in Statistics delivered? What has Robustness in Statistics to do with CS? UCSD Robustness

721 views • 26 slides
Keynote

Keynote

Keynote Agile, Lean, Rugged The Paper Edition!

796 views • 51 slides
Experimental Performability Evaluation of Middleware for Large-Scale Distributed Systems L.

Experimental Performability Evaluation of Middleware for Large-Scale Distributed Systems L.

Experimental Performability Evaluation of Middleware for Large-Scale Distributed Systems L. Soares J. Pereira losoares@di.uminho.pt jop@di.uminho.pt Distributed Systems Group Informatics Department University of Minho PORTUGAL L. Soares

461 views • 17 slides
Challenging Anti-fragile Blockchain systems Miguel Gonzlez Univ. Lille 1 1 What is

Challenging Anti-fragile Blockchain systems Miguel Gonzlez Univ. Lille 1 1 What is

Challenging Anti-fragile Blockchain systems Miguel Gonzlez Univ. Lille 1 1 What is Anti-fragile? Harmed by Resilient to Benefits and Learns disorder disorder from disorder 2 Systems considered anti-fragile Financial system

386 views • 16 slides
Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of Technology, The Netherlands May 6, 2018 Outline 1 Side-channels 2 Implementation Attacks 3 Side-channel Attacks 4 Fault Injection 2 / 48

824 views • 48 slides
How to write a novel using open source software Introduction to bibisco Andrea Feccomandi The

How to write a novel using open source software Introduction to bibisco Andrea Feccomandi The

How to write a novel using open source software Introduction to bibisco Andrea Feccomandi The story of bibisco started in 1997 ever since I was a child Ive loved reading, but the video impressed me so much that an urgency

791 views • 49 slides
DSC 102 Systems for Scalable Analytics Arun Kumar Topic 5: Dataflow Systems Chapter 2.2 of

DSC 102 Systems for Scalable Analytics Arun Kumar Topic 5: Dataflow Systems Chapter 2.2 of

DSC 102 Systems for Scalable Analytics Arun Kumar Topic 5: Dataflow Systems Chapter 2.2 of MLSys Book 1 Parallel RDBMSs Parallel RDBMSs are highly successful and widely used They offer massive scalability (shared-nothing

692 views • 44 slides
Software Failures Dr. James A. Bednar jbednar@inf.ed.ac.uk http://homepages.inf.ed.ac.uk/jbednar

Software Failures Dr. James A. Bednar jbednar@inf.ed.ac.uk http://homepages.inf.ed.ac.uk/jbednar

Software Failures Dr. James A. Bednar jbednar@inf.ed.ac.uk http://homepages.inf.ed.ac.uk/jbednar Dr. David Robertson dr@inf.ed.ac.uk http://www.inf.ed.ac.uk/ssp/members/dave.htm SAPM Spring 2012: Failures 1 Recall: Criteria for success For

565 views • 22 slides
CoRD: Collabora,ve Data Race Detec,on Baris Kasikci, Cris,an

CoRD: Collabora,ve Data Race Detec,on Baris Kasikci, Cris,an

CoRD: Collabora,ve Data Race Detec,on Baris Kasikci, Cris,an Zamfir, and George Candea School of Computer &amp; Communica3on Sciences Data Races 2 Data Races

858 views • 70 slides

More recommend