path constraints from
play

Path Constraints from Symbolic Execution Tod Amon - PowerPoint PPT Presentation

Mar 27, 2024 •183 likes •384 views

Creating Human Readable Path Constraints from Symbolic Execution Tod Amon (ttamon@sandia.gov) Tim Loffredo (tjloffr@sandia.gov) Sandia National Laboratories 2/23/2020 Sandia National Laboratories is a multimission laboratory managed and

  1. Creating Human Readable Path Constraints from Symbolic Execution Tod Amon (ttamon@sandia.gov) Tim Loffredo (tjloffr@sandia.gov) Sandia National Laboratories 2/23/2020 Sandia National Laboratories is a multimission laboratory managed and operated by National Technology & Engineering Solutions of Sandia, LLC, a wholly owned subsidiary of Honeywell International Inc., for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-NA0003525. SAND # 2020-2220 C Unlimited Unrestricted Release 1

  2. Background • Path Constraints: An inherent component of symbolic execution; ▪ When execution is conditional upon symbolic variables, ▪ multiple states arise, with different path constraints Constraints stored in SMT solver ▪ • Example: int abs(int x) { if (x < 0) { return -x; symbolic execution yields two states, with resulting } path-constraints and return values return x; } When x >= 0 When x < 0 Result is -x Result is x When <Bool x[31:31] == 0> When <Bool x[31:31] != 0> Result is <BV32 0xffffffff * x> Result is <BV32 x> 2

  3. Readability • Human-tool cooperation is currently the fastest approach for thoroughly analyzing programs • Some common questions when symbolically debugging and reverse engineering binaries: What does this function do? ▪ Did I set up my symbolic variables correctly? ▪ How do I get here? or How did I get here? ▪ • Simple questions should have simple answers 3

  4. Contributions Our paper presents several examples that demonstrate the • usefulness of path constraints and the need for them to be human readable We demonstrate the feasibility of transforming Boolean bit- • vector constraints into the integer domain We present several novel ideas • Including the use of logic synthesis tools to put constraints into specific forms. ▪ Including an alternative approach to type inferencing based simply on finding ▪ patterns in path-constraints. 4

  5. Basics • We are using “ angr ” for symbolic execution • We are using Z3 • We are using python • Our artifacts are available here: http://github.com/TodAmon/Bar2020 5

  6. Example #1: • Help vulnerability researchers study functions. Access to both source code and binary ▪ Leverage SMT solvers to handle complex bit-vector issues ▪ • Toy problem: When does this function return y – 2 ? 400526: push rbp int sub1or2(int y) 400527: mov rbp,rsp { 40052a: mov DWORD PTR [rbp-0x14],edi int x = y; 40052d: mov eax,DWORD PTR [rbp-0x14] x--; 400530: mov DWORD PTR [rbp-0x4],eax 400533: sub DWORD PTR [rbp-0x4],0x1 if (x > 5) 400537: cmp DWORD PTR [rbp-0x4],0x5 x--; 40053b: jle 400541 <sub1or2+0x1b> return x; 40053d: sub DWORD PTR [rbp-0x4],0x1 } 400541: mov eax,DWORD PTR [rbp-0x4] Solution: 400544: pop rbp • 400545: ret Two states are obtained from symbolic execution, one has the return value as ▪ Claripy: <BV32 0xfffffffe + y_intle:32_13_32> Z3 sexpr: (bvadd #xfffffffe |y_intle_32_13_32|) Print this state’s path -constraint to get the answer ▪ 6

  7. Ugly Path Constraints • Claripy: [<Bool (0xffffffff + y_intle:32_13_32 - 0x5[31:31] ^ 0xffffffff + ▪ y_intle:32_13_32[31:31] & (0xffffffff + y_intle:32_13_32[31:31] ^ 0xffffffff + y_intle:32_13_32 - 0x5[31:31]) | (if 0xffffffff + y_intle:32_13_32 - 0x5 == 0x0 then 1 else 0)) == 0>] • Z3 string (simplified using ctx-solver-simplify): And((Extract(31, 31, 4294967290 + y_intle:32) == 1) == ▪ Not(Or(Extract(31, 31, 4294967290 + y_intle:32) == 1, Extract(31, 31, 4294967295 + y_intle:32) == 0)), Not(y_intle:32 == 6)) • Z3 sexpr: (let ((a!1 (bvxor ((_ extract 31 31) (bvadd #xffffffff y)) ▪ ((_ extract 31 31) (bvsub (bvadd #xffffffff y) #x00000005)))) (a!3 (ite (= #x00000000 (bvsub (bvadd #xffffffff y) #x00000005)) #b1 #b0)))(let ((a!2 (bvxor ((_ extract 31 31) (bvsub (bvadd #xffffffff y) #x00000005))(bvand ((_ extract 31 31) (bvadd #xffffffff y)) a!1)))) (and (= #b0 (bvor a!2 a!3))))) 7

  8. Why? Path constraints are added when evaluating a conditional • branch in the intermediate representation used by symbolic execution. 40053b: jle 400541 <sub1or2+0x1b> vex for 0x40053b: IRSB { t0:Ity_I1 t1:Ity_I64 t2:Ity_I64 t3:Ity_I64 t4:Ity_I64 t5:Ity_I64 t6:Ity_I64 00 | ------ IMark(0x40053b, 2, 0) ------ 01 | t1 = GET:I64(cc_op) 02 | t2 = GET:I64(cc_dep1) 03 | t3 = GET:I64(cc_dep2) 04 | t4 = GET:I64(cc_ndep) 05 | t5 = amd64g_calculate_condition(0x000000000000000e, t1,t2,t3,t4):Ity_I64 06 | t0 = 64to1(t5) 07 | if (t0) { PUT(rip) = 0x400541; Ijk_Boring } NEXT: PUT(rip) = 0x000000000040053d; Ijk_Boring } 8

  9. Why? Path constraints are added when evaluating a conditional • branch in the intermediate representation used by symbolic execution. ULong amd64g_calculate_condition ( ... return 1 & (inv ^ ((sf ^ of) | zf)); 1 (let ((a!1 (bvxor ((_ extract 31 31) (bvadd #xffffffff y)) 2 ((_ extract 31 31) (bvsub (bvadd #xffffffff y) #x00000005)))) 3 (a!3 (ite (= #x00000000 (bvsub (bvadd #xffffffff y) #x00000005)) 4 #b1 #b0)))(let ((a!2 (bvxor 5 ((_ extract 31 31) (bvsub (bvadd #xffffffff y) #x00000005)) 6 (bvand ((_ extract 31 31) (bvadd #xffffffff y)) a!1) 7 )))(and (= #b0 (bvor a!2 a!3))))) Path constraints are simpler if vex is optimized • Our tools typically execute a single instruction at a time, for blocks the constraints are simpler ▪ 9

  10. A Better Result • Using type information and tools that transform patterns in bit-vector-domain to integer-domain (let ((a!1 (or (and (not (<= 1 |y_intle:32|)) (not (<= 6 |y_intle:32|))) (and (>= |y_intle:32| 1) (<= 6 |y_intle:32|)) (>= |y_intle:32| 1)))) (let ((a!2 (or (= |y_intle:32| 6) (and (< (+ (- 6) |y_intle:32|) 0) a!1) (and (>= (+ (- 6) |y_intle:32|) 0) (not a!1))))) (not a!2))) No longer bvand, bvsub, bvadd, etc. • Then use ctx-solver-simplify (or other approaches) : And(Not(y_intle:32 == 6), 6 <= y_intle:32) • We are nearly there! (Z3 avoids strict inequalities) 10

  11. A Better Result A lot of work to discover that when y > 6 • our function returns y – 2 int sub1or2(int y) { int x = y; x--; if (x > 5) And(Not(y_intle:32 == 6), 6 <= y_intle:32) x--; return x; } The translation into the integer-domain may not be precise, • due to overflow or other bit-vector effects E.g., if we switch x-- to x++ the result, that our function returns y+2 when y > 4 ▪ is not precise in that there are some possible values of y that do not return y+2 . See our code for methods to check equivalence of statements in the same domain, ▪ or potentially cross domain, in the presence of constraints 11

  12. Example #2 • Tools to support network protocol extraction Identify paths from Source (e.g., read ) to Sink (e.g., write ) ▪ Configure Source as a symbolic byte array (network input) ▪ Sink deliver bytes to network ▪ How is what is written related to what is read? ▪ • Add marshalling to previous example: read(0, inbuf, 64) … int *ri = (int*)&inbuf[0]; int x = *ri; x--; Configured as array of symbolic bytes: if(x > 5) { x--; [sym0, sym1, sym2, sym3, …] } int *wi = (int*)&outbuf[0]; *wi = x; write(1, outbuf, 4); 12

  13. Example #2 Users and tools have only the binary (no source) • Path constraint when we decrement twice: • (let ((a!1 (= ((_ extract 31 31)(bvadd #xfffffffa (concat sym3 sym2 sym1 sym0) )) #b1)) (a!2 (= ((_ extract 31 31)(bvadd #xffffffff (concat sym3 sym2 sym1 sym0) )) #b0)) (a!3 (= ((_ extract 31 31)(bvadd #xffffffff (concat sym3 sym2 sym1 sym0) )) #b1))) (let ((a!4 (or (= a!1 (or a!2 (= a!3 a!1))) (and (= sym0 #x06) (= sym1 #x00) (= sym2 #x00) (= sym3 #x00))))) (not a!4))) Path constraint suggests that our symbolic • byte sequence contains a 32 bit integer in little endian Substitute each symbolic byte with an expression showing • it as a piece in a hypothesized type sym0 -> ((_ extract 31 24) |sym[0-3]-?_intle:32|) ▪ sym1 -> ((_ extract 23 16) |sym[0-3]-?_intle:32|) sym2 -> ((_ extract 15 8) |sym[0-3]-?_intle:32|) sym3 -> ((_ extract 7 0) |sym[0-3]-?_intle:32|) Then apply domain conversion, and simplification to obtain: • And(6 <= sym[0-3]-?_intle:32, Not(sym[0-3]-?_intle:32 == 6)) ▪ 13

  14. Methodology • Convert from bit-vector domain to integer domain Use examples to discover constraint patterns such as: ▪ - And-of-equality-on-extracts gets converted to actual value - If-then-else checks on a sign-bit gets converted to inequality - Concat-with-zero/s gets converted to multiplication Examples that fail suggest more patterns to understand ▪ Preliminary results testing on constraints from toy problems that ▪ are simplified using different strategies was very promising 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Car-Like Robot: e.g., lie in free space How to Park a Car? Differential constraints: ff

Car-Like Robot: e.g., lie in free space How to Park a Car? Differential constraints: ff

2/14/2012 Types of Path Constraints Local constraints: Car-Like Robot: e.g., lie in free space How to Park a Car? Differential constraints: ff e.g., have bounded curvature (Nonholonomic Planning) Global constraints: e.g., have

252 views • 4 slides
1 Clock skew optimization Another approach for sequential timing optimization

1 Clock skew optimization Another approach for sequential timing optimization

Sequential Timing Optimization Long path timing constraints Data must not reach destination FF too late d max (i,j) s i + d(i,j) + T setup s j + P i j s s i i sj d(i,j) T setup Short path timing constraints FF should not

85 views • 7 slides
Creating a Clean Critical Path in P6 Using Constraints By: Ben Solinsky, Jennifer Stone, and Ryan

Creating a Clean Critical Path in P6 Using Constraints By: Ben Solinsky, Jennifer Stone, and Ryan

Creating a Clean Critical Path in P6 Using Constraints By: Ben Solinsky, Jennifer Stone, and Ryan Shook February 27 - March 1, 2020 | Renaissance Indian Wells Resort &amp; Spa Safe Harbor The statements made in this technical presentation are

631 views • 45 slides
Exploiting Branch Constraints without Exhaustive Path Enumeration Ting Chen, Tulika Mitra,

Exploiting Branch Constraints without Exhaustive Path Enumeration Ting Chen, Tulika Mitra,

Exploiting Branch Constraints without Exhaustive Path Enumeration Ting Chen, Tulika Mitra, Abhik Roychoudhury, Vivy Suhendra National University of Singapore Static WCET Analysis Flow analysis Loop bounds and infeasible paths

560 views • 16 slides
Necessary Condition for Path Partitioning Constraints Nicolas Beldiceanu and Xavier Lorca Ecole

Necessary Condition for Path Partitioning Constraints Nicolas Beldiceanu and Xavier Lorca Ecole

Necessary Condition for Path Partitioning Constraints Nicolas Beldiceanu and Xavier Lorca Ecole des Mines de Nantes, LINA FRE CNRS 2729, FR-44307 Cedex 3 {Nicolas.Beldiceanu,Xavier.Lorca}@emn.fr 1 Context and Contribution Graph partitioning

523 views • 41 slides
Chapter 1: Constraints What are they, what do they do and what can I use them for. 1

Chapter 1: Constraints What are they, what do they do and what can I use them for. 1

Constraint Logic Programming Chapter 1: Constraints What are they, what do they do and what can I use them for. 1 Constraints What are constraints? Modelling problems Constraint solving Tree constraints Other constraint

205 views • 19 slides
20. Logic constraints, integer variables If-then constraints Generalized assignment

20. Logic constraints, integer variables If-then constraints Generalized assignment

CS/ECE/ISyE 524 Introduction to Optimization Spring 201718 20. Logic constraints, integer variables If-then constraints Generalized assignment problems Logic constraints Modeling a restricted set of values Sudoku! Laurent

475 views • 24 slides
Martha Brumfield, President and CEO C-Path Mission C-Path The Critical Path Institute is a

Martha Brumfield, President and CEO C-Path Mission C-Path The Critical Path Institute is a

The C-Path Vision: Sharing Data and Expertise to Accelerate the Development of Safe and Effective Therapies for Neonates Martha Brumfield, President and CEO C-Path Mission C-Path The Critical Path Institute is a catalyst in the development of

410 views • 20 slides
SEM Professor Patrick Sturgis Plan Path diagrams Exogenous, endogenous variables

SEM Professor Patrick Sturgis Plan Path diagrams Exogenous, endogenous variables

Key ideas, terms &amp; concepts in SEM Professor Patrick Sturgis Plan Path diagrams Exogenous, endogenous variables Variance/covariance matrices Maximum likelihood estimation Parameter constraints Nested Models and Model

500 views • 25 slides
Introduction to Path Analysis Ways to think about path analysis Path coefficients

Introduction to Path Analysis Ways to think about path analysis Path coefficients

Introduction to Path Analysis Ways to think about path analysis Path coefficients A bit about direct and indirect effects What path analysis can and cant do for you Measured vs. manifested the when of

589 views • 24 slides
Modeling and Solving Constraints Erin Catto Blizzard Entertainment Basic Idea Constraints

Modeling and Solving Constraints Erin Catto Blizzard Entertainment Basic Idea Constraints

Modeling and Solving Constraints Erin Catto Blizzard Entertainment Basic Idea Constraints are used to simulate joints, contact, and collision. We need to solve the constraints to stack boxes and to keep ragdoll limbs attached.

1.34k views • 81 slides
Page 1 Expressing Constraints in UML Models A constraint can also be depicted as a note

Page 1 Expressing Constraints in UML Models A constraint can also be depicted as a note

Podcast Ch09-03 Title : Expressing Constraints using OCL Description : Preconditions; postconditions; constraints on more than one class Participants : Barry Kurtz (instructor); Brandon Winters, Sara Hyde, Cheng Vue, Dan Baehr

453 views • 6 slides
The Wrong Path - Adultery Everyday Wisdom | Proverbs 5:1-23; 6:20-35; 7:1-27 Path #1 - The way

The Wrong Path - Adultery Everyday Wisdom | Proverbs 5:1-23; 6:20-35; 7:1-27 Path #1 - The way

The Wrong Path - Adultery Everyday Wisdom | Proverbs 5:1-23; 6:20-35; 7:1-27 Path #1 - The way Path #2 - The way of of the foolish the wise Picture from rootsrated.com via Ed Ogle/Flickr Pay attention to my commands, Gods Word. Proverbs

527 views • 25 slides
From Reasoning with Constraints to Mining Constraints: Multi-Objective Parameter Fitting in

From Reasoning with Constraints to Mining Constraints: Multi-Objective Parameter Fitting in

From Reasoning with Constraints to Mining Constraints: Multi-Objective Parameter Fitting in Parametric Probabilistic Hybrid Automata Martin Frnzle 1 joint work (in progress) with Alessandro Abate (Oxford University, UK), Sebastian Gerwinn

709 views • 55 slides
CSE 421 Longest Path in a DAG, LIS, Shortest Path with Negative Weights Shayan Oveis Gharan 1

CSE 421 Longest Path in a DAG, LIS, Shortest Path with Negative Weights Shayan Oveis Gharan 1

CSE 421 Longest Path in a DAG, LIS, Shortest Path with Negative Weights Shayan Oveis Gharan 1 Longest Path in a DAG Longest Path in a DAG Goal: Given a DAG G, find the longest path. Recall: A directed graph G is a DAG if it has no cycle.

571 views • 23 slides
Loop Quantum Gravity: From Spin Networks to Spinor Path Integrals Etera Livine ENS Lyon -

Loop Quantum Gravity: From Spin Networks to Spinor Path Integrals Etera Livine ENS Lyon -

Loop Quantum Gravity in a Nutshell Twisted Geometries and Coherent States Spinfoam Amplitudes as Spinor Integrals The Hamiltonian Constraints as Differential Operators Loop Quantum Gravity: From Spin Networks to Spinor Path Integrals Etera

747 views • 31 slides
The Stack and Memory in IA32 10/6/16 Tuesday, we covered these IA32 convenience instructions

The Stack and Memory in IA32 10/6/16 Tuesday, we covered these IA32 convenience instructions

The Stack and Memory in IA32 10/6/16 Tuesday, we covered these IA32 convenience instructions pushl src subl $4, %esp movl src, (%esp) popl dst movl (%esp), dst addl $4, %esp leave %esp = %ebp popl %ebp Next up: call and ret

790 views • 29 slides
The Hardware/Software Interface CSE351 Spring 2013 x86 Programming II University of Washington

The Hardware/Software Interface CSE351 Spring 2013 x86 Programming II University of Washington

University of Washington The Hardware/Software Interface CSE351 Spring 2013 x86 Programming II University of Washington Todays Topics: control flow Condition codes Conditional and unconditional branches Loops 2 University of

757 views • 39 slides
LINKING HOW BASIC MECHANISMS Professor Ken Birman ENABLE SOPHISTICATED WRAPPERS CS4414

LINKING HOW BASIC MECHANISMS Professor Ken Birman ENABLE SOPHISTICATED WRAPPERS CS4414

LINKING HOW BASIC MECHANISMS Professor Ken Birman ENABLE SOPHISTICATED WRAPPERS CS4414 Lecture 12 CORNELL CS4414 - FALL 2020. 1 SYSTEMS PROGRAMMING IS ABOUT TAKING CONTROL OVER EVERYTHING We have seen that a systems programmer learns to

782 views • 64 slides
Architecture and Infrastructure Week 1, Lecture 1 1 14/07/2017 Week 1/SBM4104/S2, 2017 Chapter

Architecture and Infrastructure Week 1, Lecture 1 1 14/07/2017 Week 1/SBM4104/S2, 2017 Chapter

Architecture and Infrastructure Week 1, Lecture 1 1 14/07/2017 Week 1/SBM4104/S2, 2017 Chapter 6 Architecture and Infrastructure Managing and Using Information Systems: A Strategic Approach by Keri Pearlson &amp; Carol Saunders Learning

264 views • 24 slides
USER-CENTERED PROGRAMMING LANGUAGE DESIGN Michael Coblenz WHY? Tell me what the following

USER-CENTERED PROGRAMMING LANGUAGE DESIGN Michael Coblenz WHY? Tell me what the following

USER-CENTERED PROGRAMMING LANGUAGE DESIGN Michael Coblenz WHY? Tell me what the following program does WHAT DOES THIS DO? (this is part of Firefox) 0000000100000e30 movq %rdi, %rax 0000000100000eb2 movl $0x400, %ecx 0000000100000e33

739 views • 36 slides
Constructive Category Theory and Applications in Algebraic Geometry Sebastian Gutsche

Constructive Category Theory and Applications in Algebraic Geometry Sebastian Gutsche

Constructive Category Theory and Applications in Algebraic Geometry Sebastian Gutsche Universitt Siegen Siegen, August 31, 2017 Sebastian Gutsche (Siegen) Constructive Categories August 31, 2017 1 / 23 Outline Constructive category

2.3k views • 190 slides
Reading assignment Chapter 3.1, 3.2 Chapter 4.1, 4.3 1 Outline Introduction to

Reading assignment Chapter 3.1, 3.2 Chapter 4.1, 4.3 1 Outline Introduction to

Reading assignment Chapter 3.1, 3.2 Chapter 4.1, 4.3 1 Outline Introduction to assembly programing Introduction to Y86 Y86 instructions, encoding and execution 2 Assembly The CPU uses machine language to perform all its

1.06k views • 48 slides
Linking 15-213: Introduc;on to Computer Systems 13 th Lecture,

Linking 15-213: Introduc;on to Computer Systems 13 th Lecture,

Carnegie Mellon Linking 15-213: Introduc;on to Computer Systems 13 th Lecture, Oct. 13, 2015 Instructors: Randal E. Bryant and David R. OHallaron 1

643 views • 49 slides

More recommend