Verifying information flow properties of firmware using symbolic execution

Verifying security requirements of the firmware in contemporary system-on-chip (SoC) designs is a critical challenge. There are two main difficulties in addressing this problem. First, security properties like confidentiality and integrity cannot be specified with commonly used property specification schemes such as assertion-based verification or linear temporal logic (LTL). Second, firmware interacts closely with other hardware and firmware which may be untrusted or malicious, and their behavior has to be correctly modelled for the verification to be sound and complete. In this paper, we propose an approach to verify firmware security properties using symbolic execution. We introduce a property specification language for information flow properties of firmware which intuitively captures the requirements of confidentiality and integrity. We also propose an algorithm based on symbolic execution to verify these properties. Evaluation on a commercial SoC design uncovered a complex security bug missed by simulation-based testing.
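To make the idea concrete, here is an added example (written for this page, not the paper's tool, algorithm or property language) of a tiny forward symbolic executor in Python that checks one confidentiality property, that a key loaded from fuses never reaches a debug register readable by an untrusted peripheral, over every path of a constructed firmware fragment. The instruction set, register names and source labels are all assumptions made for the illustration.

```python
# Added illustration (not the paper's algorithm): forward symbolic execution that
# tracks, per register, the set of input sources it may depend on, forks at every
# branch, and charges assignments under a branch to the condition's sources
# (implicit flows). Sources are labels such as a key fuse or an untrusted peripheral.
MAX_STEPS = 200  # per-path step bound so loops in the program cannot run forever

def symexec(program, inputs):
    """Explore every path of `program`; return one final register map per path.
    `inputs` maps a register name to the source label it initially holds."""
    init = {r: frozenset({src}) for r, src in inputs.items()}
    worklist = [(0, init, frozenset())]  # (pc, registers, path-condition deps)
    finals = []
    while worklist:
        pc, regs, pcdeps = worklist.pop()
        for _ in range(MAX_STEPS):
            op, *args = program[pc]
            if op == "halt":
                finals.append(regs)
                break
            if op == "jmp":                       # unconditional jump to args[0]
                pc = args[0]
            elif op == "br":                      # cond, target: the condition is symbolic,
                cond, target = args               # so both outcomes are explored and both
                pcdeps = pcdeps | regs[cond]      # inherit the condition's sources
                worklist.append((target, regs, pcdeps))
                pc += 1
            elif op == "const":                   # dst <- literal: implicit flow only
                regs = {**regs, args[0]: pcdeps}
                pc += 1
            elif op == "mov":                     # dst <- src: explicit + implicit flow
                regs = {**regs, args[0]: regs[args[1]] | pcdeps}
                pc += 1
            else:
                raise ValueError(f"unknown op {op}")
    return finals

def violates(program, inputs, secret, sink):
    """Confidentiality check: may register `sink` depend on `secret` on any path?"""
    return any(secret in regs.get(sink, frozenset()) for regs in symexec(program, inputs))

# Constructed firmware fragment: KEY comes from fuses, STATUS from an untrusted
# peripheral, and DBG is a debug register the untrusted side can read.
INPUTS = {"KEY": "fuse_key", "STATUS": "untrusted_status"}
BUGGY = [("const", "DBG", 0),     # 0: DBG <- 0
         ("br", "STATUS", 3),     # 1: if STATUS != 0 goto 3 (error path)
         ("jmp", 4),              # 2:
         ("mov", "DBG", "KEY"),   # 3: error path dumps the key for "diagnostics"
         ("halt",)]               # 4:
FIXED = BUGGY[:3] + [("mov", "DBG", "STATUS"), ("halt",)]  # report status, not the key
```

Because the branch condition is always treated as symbolic, the check over-approximates flows (it may flag a path that a concrete status value could never take), which keeps it sound for confidentiality at the cost of possible false alarms.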
