to find
play

to Find Safety and Cybersecurity Defects Daniel Kstner, Laurent - PowerPoint PPT Presentation

Jun 04, 2023 •297 likes •531 views

High-Precision Sound Analysis to Find Safety and Cybersecurity Defects Daniel Kstner, Laurent Mauborgne, Stephan Wilhelm, Christian Ferdinand AbsInt GmbH, 2020 2 Functional Safety Demonstration of functional correctness Required by

  1. High-Precision Sound Analysis to Find Safety and Cybersecurity Defects Daniel Kästner, Laurent Mauborgne, Stephan Wilhelm, Christian Ferdinand AbsInt GmbH, 2020

  2. 2 Functional Safety  Demonstration of functional correctness Required by DO-178B / DO-178C /  Well-defined criteria ISO-26262, EN-50128,  Automated and/or model-based testing IEC-61508  Formal techniques: model checking, theorem proving  Satisfaction of safety-relevant non-functional requirements  No runtime errors (e.g. division by zero, overflow, Required by invalid pointer access, out-of-bounds array access) DO-178B / DO-178C /  Resource usage: + Security- ISO-26262, EN-50128,  Timing requirements (e.g. WCET, WCRT) relevant! IEC-61508  Memory requirements (e.g. no stack overflow)  Robustness / freedom of interference (e.g. no corruption of content, incorrect synchronization, illegal read/write accesses)  Insufficient: Tests & Measurements  No specific test cases, unclear test end criteria, no full coverage possible  "Testing, in general, cannot show the absence of errors." [DO-178B]  Formal technique: abstract interpretation.

  3. 3 (Information-/Cyber-) Security Aspects  Confidentiality  Information shall not be disclosed to unauthorized entities  safety-relevant  Integrity  Data shall not be modified in an unauthorized or undetected way  safety-relevant  Availability  Data is accessible and usable upon demand  safety-relevant  Safety In some cases: not safe  not secure In some cases: not secure  not safe

  4. 4 Static Program Analysis  General Definition: results only computed from program structure, without executing the program under analysis.  Categories, depending on analysis depth:  Syntax-based: Coding guideline checkers (e.g. MISRA C)  Semantics-based Question: Is there an error in the program?  False positive: answer wrongly “Yes”  False negative: answer wrongly “No”   Unsound: Bug-finders / bug-hunters.  False positives: possible  False negatives: possible  Sound / Abstract Interpretation-based Example: Astrée  False positives: possible Important: low false alarm rate  No false negatives  Soundness No defect missed

  5. 5 Support for Cybersecurity Analysis  Many security vulnerabilities due to undefined / unspecified behaviors in the programming language semantics:  buffer overflows, invalid pointer accesses, uninitialized memory accesses, data races, etc.  Consequences: denial-of-service / code injection / data breach  In addition:  Checking coding guidelines  Data and Control Flow Analysis  Impact analysis (data safety / “fault” propagation)  Program slicing  Taint analysis  Side channel attacks  SPECTRE detection (Spectre V1/V1.1, SplitSpectre)  …

  6. 6 Runtime Errors and Data Races  Abstract Interpretation-based static runtime error analysis  Astrée detects all runtime errors* with few false alarms:  Array index out of bounds  Int/float division by 0  Invalid pointer dereferences  Uninitialized variables  Arithmetic overflows  Data races  Lock/unlock problems, deadlocks  Floating point overflows, Inf, NaN  Taint analysis (data safety / security), SPECTRE detection  Floating-point rounding errors taken into account  User-defined assertions, unreachable code, non-terminating loops  Check coding guidelines (MISRA C/C++, CERT, CWE, ISO TS 17961) * Defects due to undefined / unspecified behaviors of the programming language

  7. 7 Design of Astrée Partitioning domain Parallel domain Control-flow Abstract Front-end State graph iterator machine domain Memory domain State Value Value … … machine domain domain listener

  8. 8 Finite State Machines: Example 1 int *p; int state = 0; 2 while (1) {env_get(&E); 3 switch (state) { 4 case 0: 5 if (E) state = 1; 6 else state = 2; 7 break ; 0 8 case 1: E 9 state = 3; E 10 p = &state; 11 break ; 1 2 12 case 2: 13 if (E) state = 0; 14 else state = 1; 15 break ; 3 4 16 case 3: 17 *p = 4; 18 break ; 19 case 4: 20 return ; 21 } 22 }

  9. 9 “Normal” Analysis Iter 1 Iter 3 Iter 2 Iter 4 p:{INVALID, p:{INVALID, 1 int *p; int state = 0; &state} &state} p:INVALID p:INVALID 2 while (1) {env_get(&E); State:[0,3] State:[0,4] state:{0} state:[0,2] 3 switch (state) { 4 case 0: 5 if (E) state = 1; p:INVALID p:INVALID p:{INVALID, p:{INVALID, 6 else state = 2; state:{1,2} state:{1,2} &state} &state} 7 break ; state:{1,2} state:{1,2} 8 case 1: 9 state = 3; p:&state p:&state 10 p = &state; p:&state state:{3} state:{3} state:{3} 11 break ; 12 case 2: 13 if (E) state = 0; p:{INVALID, p:{INVALID, p:INVALID 14 else state = 1; &state} &state} 0 state:{0,1} 15 break ; state:{0,1} state:{0,1} 16 case 3: E E 17 *p = 4; p:{INVALID, p:{INVALID, &state} 18 break ; &state} 1 2 state:{3,4} state:{3,4} 19 case 4: 20 return ; ALARM: Invalid p:{INVALID, 21 } &state} pointer dereference 22 } state:{4} 3 4

  10. 10 State Machine Domain  Implements basic disjunction over states  Map: State = 0 Abstract values (all other vars, memory layout…) Top State = 1 Or State Abstract values (all other vars, memory layout…) - Abstract value (all vars, memory State = 3 layout…) Abstract values (all other vars, memory layout…) Transfer functions: applied to each leaf ▷ How do we cover all states and keep them disjoint?

  11. 11 State Machine Listener Domain  Dedicated domain, below memory layout domain  Keeps track of memory blocks associated with state machine variable keys  Manual and/or automatic (heuristic) state variable detection  Start following variable ( __ASTREE_states_track )  Stop following variable when merging all state machine states ( __ASTREE_states_merge )  For each transfer function (assignment, memcpy ,…), check if value changes for a state variable key  Each time a state variable is modified  Compute new set of values  Re-compute disjunctions, join states with same values

  12. 12 FSM Analysis Iter 1 state 1 int *p; int state = 0; 2 while (1) {env_get(&E); 0 3 switch (state) { p:INVALID 4 case 0: E: {T,F} 5 if (E) state = 1; 6 else state = 2; 7 break ; state 8 case 1: 9 state = 3; 1 2 10 p = &state; 11 break ; p:INVALID p:INVALID 12 case 2: E: T E: F 13 if (E) state = 0; 14 else state = 1; 0 15 break ; 16 case 3: E E 17 *p = 4; 18 break ; 1 2 19 case 4: 20 return ; 21 } 22 } 3 4

  13. 13 FSM Analysis Iter 2 state 1 int *p; int state = 0; 0 2 2 while (1) {env_get(&E); 1 3 switch (state) { p:INVALID p:INVALID p:INVALID 4 case 0: E: {T,F} E: {T,F} E: {T,F} 5 if (E) state = 1; 6 else state = 2; 7 break ; state 8 case 1: 9 state = 3; 1 2 10 p = &state; state p:INVALID p:INVALID 11 break ; E: T E: F 12 case 2: 3 13 if (E) state = 0; p:&state 14 else state = 1; 0 state E: {T,F} 15 break ; 16 case 3: 0 1 E E 17 *p = 4; p:INVALID p:INVALID 18 break ; 1 2 E: F E: T 19 case 4: 20 return ; 21 } 22 } 3 4

  14. 14 FSM Analysis Iter 3 state 1 int *p; int state = 0; 0 3 2 while (1) {env_get(&E); 2 1 3 switch (state) { p:INVALID p:&state p:INVALID p:INVALID 4 case 0: E: {T,F} E: {T,F} E: {T,F} E: {T,F} 5 if (E) state = 1; 6 else state = 2; 7 break ; state 8 case 1: 9 state = 3; 1 2 10 p = &state; state p:INVALID p:INVALID 11 break ; E: T E: F 12 case 2: 3 13 if (E) state = 0; p:&state 14 else state = 1; 0 state E: {T,F} 15 break ; 16 case 3: 0 1 E E 17 *p = 4; p:INVALID p:INVALID state 18 break ; 1 2 E: T E: F 19 case 4: 4 20 return ; 21 } p:&state 22 } E: {T,F} 3 4

  15. 15 FSM Analysis Iter 4 4 p:&state state 1 int *p; int state = 0; E: {T,F} 0 3 2 while (1) {env_get(&E); 2 1 3 switch (state) { p:INVALID p:&state p:INVALID p:INVALID 4 case 0: E: {T,F} E: {T,F} E: {T,F} E: {T,F} 5 if (E) state = 1; 6 else state = 2; 7 break ; state 8 case 1: 9 state = 3; 1 2 10 p = &state; state p:INVALID p:INVALID 11 break ; E: T E: F 12 case 2: 3 13 if (E) state = 0; p:&state 14 else state = 1; 0 state E: {T,F} 15 break ; 16 case 3: 0 1 E E 17 *p = 4; p:INVALID p:INVALID state 18 break ; 1 2 E: T E: F 19 case 4: 4 20 return ; 21 } p:&state state state 22 } E: {T,F} 4 4 3 4 p:&state p:&state E: {T,F} E: {T,F}

  16. 16 Experimental Results *: state machine automatically detected by Astrée I: industrial code TL: code generated by dSPACE TargetLink Sc: code generated by SCADE wo/: without FSM domain; w/: with FSM domain With FSM domain, zero false alarms due to imprecision caused by state  machine code structures. Max observed increase in RAM: 40% (B5), max decrease: 48% (B1)  Analysis time typically increases, but can also decrease as higher  precision prevents spurious paths/values from being analyzed.

  17. 17 Taint Analysis  Purpose: Static analysis to track flow of tainted values through program.  Concepts:  Tainted source: origin of tainted values  Restricted sink: operands and arguments to be protected from tainted values  Sanitization: remove taint from value, e.g. by replacement or termination  User interaction to identify tainted sources and sinks.  Applications:  Information Flow (Confidentiality / Information Leaks)  Propagation of Error Values (Data and Control Flow)  Data Safety

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

[2/2] Find scary C++ bugs before they find you Konstantin Serebryany, Google May 2014

[2/2] Find scary C++ bugs before they find you Konstantin Serebryany, Google May 2014

[1/2] Fantastic C++ Bugs and Where to Find Them [2/2] Find scary C++ bugs before they find you Konstantin Serebryany, Google May 2014 @compsciclub.ru Agenda AddressSanitizer (aka ASan) detects use-after-free and buffer overflows

742 views • 55 slides
Lesson 1.6: Finding text on a web page Suppose you want to find your time in the local 8K

Lesson 1.6: Finding text on a web page Suppose you want to find your time in the local 8K

Lesson 1.6: Finding text on a web page Suppose you want to find your time in the local 8K race Its easy to find the page but then what? How do you find a word on the page? Control-F aka CMD-F aka Edit>Find CMD-F Find works

362 views • 9 slides
Focus on pages 16-17 In the next five minutes I would like you to try and find examples of any

Focus on pages 16-17 In the next five minutes I would like you to try and find examples of any

Focus on pages 16-17 In the next five minutes I would like you to try and find examples of any nouns, verbs, adjectives and adverbs and fill up your grid. Silver Bronze Noun (N) Verb (V) Adjective (Aj) Adverb (Av) Find 2 Find 2 examples of

447 views • 6 slides
Everything Else Find all substrings Weve learned how to find the first location of a

Everything Else Find all substrings Weve learned how to find the first location of a

Everything Else Find all substrings Weve learned how to find the first location of a string in another string with find . What about finding all matches? Start by looking at the documentation. S.find(sub [,start [,end]]) -> int

265 views • 25 slides
dyslexia Today you will: Experience dyslexia Find out what dyslexia is Find out how to get a

dyslexia Today you will: Experience dyslexia Find out what dyslexia is Find out how to get a

dyslexia Today you will: Experience dyslexia Find out what dyslexia is Find out how to get a diagnosis Learn an effective way to teach dyslexics Nancy Blaskewicz nanblask@aol.com 1 2 One day John and Bob went for a walk. What

613 views • 24 slides
WorkshopQ WHO WE ARE We design. We create. We visualize. We find the chaos in the calm. We

WorkshopQ WHO WE ARE We design. We create. We visualize. We find the chaos in the calm. We

WorkshopQ WHO WE ARE We design. We create. We visualize. We find the chaos in the calm. We find the bumps in the seamless. We see the incoherent in the coherent. We upcycle. We recycle. We sustain. We find what we can upcycle. We find

736 views • 26 slides
Feature Assembly Find out what, why and how in 5 steps. Find out what, why and how in 5 steps.

Feature Assembly Find out what, why and how in 5 steps. Find out what, why and how in 5 steps.

Feature Assembly Find out what, why and how in 5 steps. Find out what, why and how in 5 steps. Move from Creating products To .. Assembling products Step 1: Turn your challenge into an opportunity How to anticipate and manage complexity

496 views • 38 slides
Rates Rates are used to find absolute amounts. Examples: Sales tax rate used to find

Rates Rates are used to find absolute amounts. Examples: Sales tax rate used to find

Rates Rates are used to find absolute amounts. Examples: Sales tax rate used to find sales tax Interest Rate used to find interest Speed used to find distance Percent The language of percents is often used to describe

697 views • 5 slides
RSA Parameter Generation Bob needs to: - find 2 large primes p,q - find e s.t. gcd(e, (pq))=1

RSA Parameter Generation Bob needs to: - find 2 large primes p,q - find e s.t. gcd(e, (pq))=1

RSA Parameter Generation Bob needs to: - find 2 large primes p,q - find e s.t. gcd(e, (pq))=1 Good news: - primes are fairly common: there are about N/ln N primes N Exercise: If looking for a 512-bit prime, how many randomly generated

358 views • 10 slides
Chapter 3-7 2, find the corresponding domino gate using a PDN net 3, find the Euler path for the

Chapter 3-7 2, find the corresponding domino gate using a PDN net 3, find the Euler path for the

Parameters from a Digital IC-Design Problem 0.35 um process 1, draw the static transistor schematic for the function f = (A+BC)D Chapter 3-7 2, find the corresponding domino gate using a PDN net 3, find the Euler path for the PDN and draw

371 views • 12 slides
Find out more at voice21.org Aim ims Why oracy should be at the heart of your

Find out more at voice21.org Aim ims Why oracy should be at the heart of your

Who ho are Vo Voice 21? 21? Voice 21 is a national charity that exists to enable teachers and schools to provide a high quality oracy education so that all young people can find their voice for success in school and life. Find out more

399 views • 22 slides
People Businesses Higher Ed Find

People Businesses Higher Ed Find

People Businesses Higher Ed Find workers who grew up or have relatives in your area Find high school and college alumni Identify individuals outside your region who are ready to

668 views • 48 slides
Welcome! elcome! Grab a b a pla plate te and and a a drink drink Find Find a s a

Welcome! elcome! Grab a b a pla plate te and and a a drink drink Find Find a s a

Welcome! elcome! Grab a b a pla plate te and and a a drink drink Find Find a s a sea eat t and and wor ork k on the on the activ activities ities as as you ou ea eat ONLY dad Y dads write rite your our name name

279 views • 12 slides
WARMUP (10, -4) AND (6, 0) FIND THE DISTANCE BETWEEN THE 2 POINTS. FIND THE SLOPE

WARMUP (10, -4) AND (6, 0) FIND THE DISTANCE BETWEEN THE 2 POINTS. FIND THE SLOPE

WARMUP (10, -4) AND (6, 0) FIND THE DISTANCE BETWEEN THE 2 POINTS. FIND THE SLOPE BETWEEN THESE 2 POINTS. FIND THE MIDPOINT. POINTS, LINES, AND PLANES Agenda: Warmup Points, Lines, and Planes Notes Quick Check

444 views • 13 slides
Example: Find intervals where the function f ( x ) = x 2 16 x is increasing, where it is

Example: Find intervals where the function f ( x ) = x 2 16 x is increasing, where it is

Mt 020.02 Slide 1 on 3/22/00 Example: Find intervals where the function f ( x ) = x 2 16 x is increasing, where it is decreasing and find its relative extreme values. Solution: Make a sign chart for the derivative function f ' ( x ) = 2 x +

247 views • 8 slides
Part I (B) Find the hidden parameter! (Fixed parameter tractable problems) (C) Find an approximate

Part I (B) Find the hidden parameter! (Fixed parameter tractable problems) (C) Find an approximate

Hard Problems What do you do when your problem is NP-Hard ? Give up? (A) Solve a special case! Part I (B) Find the hidden parameter! (Fixed parameter tractable problems) (C) Find an approximate solution. Traveling Salesperson Problem (D) Find a

546 views • 5 slides
Positive Surgical Margins in Partial Nephrectomy Specimens Evgeny Yakirevich, MD, DSc Department

Positive Surgical Margins in Partial Nephrectomy Specimens Evgeny Yakirevich, MD, DSc Department

Positive Surgical Margins in Partial Nephrectomy Specimens Evgeny Yakirevich, MD, DSc Department of Pathology Lifespan Academic Medical Center Alpert Medical School at Brown University Providence, RI, USA Financial and Other Disclosures

660 views • 22 slides
Utilizing Predictive Modeling to Improve Policy through Improved Targeting of Agency Resources: A

Utilizing Predictive Modeling to Improve Policy through Improved Targeting of Agency Resources: A

Utilizing Predictive Modeling to Improve Policy through Improved Targeting of Agency Resources: A Case Study on Placement Instability among Foster Children Dallas J. Elgin, Ph.D. IMPAQ International Randi Walters, Ph.D. Casey Family Programs

327 views • 20 slides
Local Market Power Mitigation Enhancements Draft Final Proposal and Retrospective Analysis May

Local Market Power Mitigation Enhancements Draft Final Proposal and Retrospective Analysis May

Local Market Power Mitigation Enhancements Draft Final Proposal and Retrospective Analysis May 13, 2011 Cynthia Hinman, Sr. Market Design and Policy Specialist Lin Xu, Sr. Market Development Engineer Agenda for todays meeting Estimated

351 views • 32 slides
Update on Plasmodium falciparum hrp2/3 gene deletions Jane Cunningham MPAC 22 24 March

Update on Plasmodium falciparum hrp2/3 gene deletions Jane Cunningham MPAC 22 24 March

Update on Plasmodium falciparum hrp2/3 gene deletions Jane Cunningham MPAC 22 24 March 2017 Overview Summary of reports: pfhrp2/3 gene deletions reports: Central/South America, Africa, Asia Progress report on action items (1-7)

684 views • 32 slides
Adversarial Contrastive Estimation ACL 2018 *AVISHEK (JOEY) BOSE, *HUAN LING, *YANSHUAI CAO

Adversarial Contrastive Estimation ACL 2018 *AVISHEK (JOEY) BOSE, *HUAN LING, *YANSHUAI CAO

Adversarial Contrastive Estimation Adversarial Contrastive Estimation ACL 2018 *AVISHEK (JOEY) BOSE, *HUAN LING, *YANSHUAI CAO Avishek (Joey) Bose* , Huan Ling*, Yanshuai Cao* | Borealis AI, University of Toronto | August 2, 2018 1 / 29

689 views • 29 slides
Metastatic Papillary Gallbladder Carcinoma with a Unique Presentation and Clinical Course Brandon

Metastatic Papillary Gallbladder Carcinoma with a Unique Presentation and Clinical Course Brandon

JOP. J Pancreas (Online) 2014 Sep 28; 15(5): 515 - 519 CASE REPORT Metastatic Papillary Gallbladder Carcinoma with a Unique Presentation and Clinical Course Brandon C Chapman 1 , Teresa Jones 1 , Martine C McManus 2 , Raj Shah 2 , Csaba Gajdos 1

435 views • 5 slides
CUP: Comprehensive User-Space Protection Nathan Burow, Derrick McKee, Scott A. Carr, Mathias

CUP: Comprehensive User-Space Protection Nathan Burow, Derrick McKee, Scott A. Carr, Mathias

CUP: Comprehensive User-Space Protection Nathan Burow, Derrick McKee, Scott A. Carr, Mathias Payer Memory Safety All software exploits rely on corrupting memory state Control-flow hijacking: Code-pointers Data only: Critical

395 views • 17 slides
DEVELOPMENT GOALS General Conference on Weights and Measures 15 November 2018 |Versailles, France

DEVELOPMENT GOALS General Conference on Weights and Measures 15 November 2018 |Versailles, France

METROLOGY IN SUPPORT METROLOGY IN SUPPORT OF THE OF THE SUSTAINABLE SUSTAINABLE DEVELOPMENT GOALS DEVELOPMENT GOALS General Conference on Weights and Measures 15 November 2018 |Versailles, France Bernardo Calzadilla Sarmiento Director,

1.24k views • 48 slides

More recommend