Automating Information Flow Analysis of Low Level Code

Low-level code is challenging: it lacks structure, it uses jumps and symbolic addresses, its control flow is often highly optimized, and registers and memory locations may be reused in ways that make typing extremely difficult. Information flow properties create additional complications: they are hyperproperties relating multiple executions, and the possibility of interrupts and concurrency, together with the use of devices and features such as memory-mapped I/O, requires a departure from the usual initial-state/final-state account of noninterference. In this work we propose a novel approach to relational verification for machine code. Verification goals are expressed as equivalence of traces decorated with observation points. Relational verification conditions are propagated between observation points using symbolic execution and discharged using first-order reasoning. We have implemented an automated tool that integrates with SMT solvers to automate the verification task. The tool transforms ARMv7 binaries into an intermediate, architecture-independent format using the BAP toolset by means of a verified translator. We demonstrate the capabilities of the tool on a separation kernel system call handler, which mixes hand-written assembly with gcc-optimized output, a UART device driver, and a crypto service modular exponentiation routine.
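The following is an added illustration of the verification scheme the abstract describes; it is not the paper's tool, and it does not use BAP, ARMv7 or an SMT solver. It works on a constructed toy register IR (assumed here for illustration) with an explicit `obs` instruction standing in for an observation point such as a write to a memory-mapped UART register. Symbolic execution collects, per feasible path, a path condition and the list of observed expressions; a relational verification condition is then formed for every pair of paths (two runs with equal low inputs must produce equal observation traces), and, instead of first-order reasoning in an SMT solver, the condition is discharged by exhaustive enumeration over 3-bit machine words, which is a decision procedure for this finite toy. The third program shows why trace equivalence, not final-state equivalence, is the right goal: both runs end with identical registers, yet the number of observable writes depends on the secret.

```python
"""Toy relational verification of observation-trace noninterference.

Added example (constructed toy IR, not the paper's tool). Instructions:
  ("mov", dst, src)       src is a register name or an int constant
  ("add"|"and"|"xor", dst, a, b)
  ("jnz", reg, target)    jump to instruction index `target` if reg != 0
  ("jmp", target)
  ("obs", reg)            observation point, e.g. a memory-mapped UART write
  ("halt",)
Symbolic values are nested tuples (op, a, b); a str leaf is an input variable,
an int leaf is a constant. Words are 3 bits wide so enumeration stays tiny.
"""
from itertools import product

MASK = 0x7  # 3-bit words (constructed; keeps the exhaustive discharge small)


def sym_exec(prog, inputs, max_steps=64):
    """Symbolically execute `prog`; return [(path_condition, observations)].

    path_condition is a list of (expr, nonzero: bool) pairs collected at
    every `jnz`; observations is the list of expressions reaching `obs`."""
    paths = []
    worklist = [(0, dict(inputs), [], [])]  # (pc, regs, path cond, obs trace)
    while worklist:
        pc, regs, cond, obs = worklist.pop()
        for _ in range(max_steps):
            ins = prog[pc]
            op = ins[0]
            if op == "mov":
                regs[ins[1]] = ins[2] if isinstance(ins[2], int) else regs[ins[2]]
                pc += 1
            elif op in ("add", "and", "xor"):
                regs[ins[1]] = (op, regs[ins[2]], regs[ins[3]])
                pc += 1
            elif op == "jmp":
                pc = ins[1]
            elif op == "jnz":  # fork: one successor takes the jump, one falls through
                c = regs[ins[1]]
                worklist.append((ins[2], dict(regs), cond + [(c, True)], list(obs)))
                cond = cond + [(c, False)]
                pc += 1
            elif op == "obs":
                obs = obs + [regs[ins[1]]]
                pc += 1
            elif op == "halt":
                paths.append((cond, obs))
                break
        else:
            raise RuntimeError("loop bound exceeded; toy has no loop summaries")
    return paths


def ev(e, env):
    """Evaluate a symbolic expression under a concrete input environment."""
    if isinstance(e, int):
        return e & MASK
    if isinstance(e, str):
        return env[e]
    op, a, b = e
    x, y = ev(a, env), ev(b, env)
    return {"add": (x + y) & MASK, "and": x & y, "xor": x ^ y}[op]


def holds(cond, env):
    return all((ev(e, env) != 0) == nonzero for e, nonzero in cond)


def check_noninterference(prog, low, high):
    """Relational check: for all input pairs agreeing on `low`, the observation
    traces of the two runs must coincide (same length, same values).
    Returns None when the program is secure, otherwise a counterexample
    (env1, env2, trace1, trace2). Enumeration replaces the SMT solver."""
    paths = sym_exec(prog, {v: v for v in low + high})
    vcs = [(c1, o1, c2, o2) for c1, o1 in paths for c2, o2 in paths]  # one VC per path pair
    vals = range(MASK + 1)
    for lows in product(vals, repeat=len(low)):
        for h1, h2 in product(product(vals, repeat=len(high)), repeat=2):
            env1 = dict(zip(low, lows), **dict(zip(high, h1)))
            env2 = dict(zip(low, lows), **dict(zip(high, h2)))
            for c1, o1, c2, o2 in vcs:
                if not (holds(c1, env1) and holds(c2, env2)):
                    continue  # VC's antecedent false: path pair infeasible
                t1 = [ev(e, env1) for e in o1]
                t2 = [ev(e, env2) for e in o2]
                if t1 != t2:
                    return env1, env2, t1, t2
    return None


# Constructed sample programs. `key` is secret (high), `msg` is public (low).
LEAKY = [           # observable value depends on a branch over the secret
    ("mov", "r0", 0),
    ("jnz", "key", 3),
    ("mov", "r0", 1),
    ("obs", "r0"),
    ("halt",),
]
SAFE = [            # computes on the secret, but only public data reaches `obs`
    ("xor", "r1", "key", "msg"),
    ("jnz", "msg", 4),
    ("mov", "r0", 1),
    ("jmp", 5),
    ("mov", "r0", 2),
    ("obs", "r0"),
    ("halt",),
]
TRACE_LEAK = [      # final register state is identical; the trace length is not
    ("mov", "r0", 0),
    ("jnz", "key", 3),
    ("obs", "r0"),
    ("obs", "r0"),
    ("halt",),
]

if __name__ == "__main__":
    print("SAFE      :", check_noninterference(SAFE, ["msg"], ["key"]))
    print("LEAKY     :", check_noninterference(LEAKY, [], ["key"]))
    print("TRACE_LEAK:", check_noninterference(TRACE_LEAK, [], ["key"]))
```

Each `jnz` forks the symbolic state, so the path conditions carry the secret-dependent branching into the relational condition; `TRACE_LEAK` is rejected purely because one run performs two observable writes and the other one, which a check on initial and final states alone would accept.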
