Using model checking tools to triage the severity of security bugs in the Xen hypervisor

In practice, few security bugs found in source code are urgent, but quickly identifying which ones are is hard. We describe the application of bounded model checking to triaging reported issues quickly at the cloud service provider Amazon Web Services (AWS). We focus on the job of reactive security experts who need to determine the severity of bugs found in the Xen hypervisor. We show that, using our publicly available extensions to the model checker CBMC, a security expert can obtain traces to construct security tests and estimate the severity of the reported finding within 15 minutes. We believe that the changes made to the model checker, as well as the methodology for using tools in this scenario, will generalise to other organisations and environments.
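As an added illustration of the workflow the abstract describes (not code from the paper, from CBMC or from Xen), the constructed C example below shows a hypothetical guest-controlled table-index check, a CBMC harness that makes the checker search all index values and report a counterexample trace, and that trace turned into a plain regression test. The defect, the `__CPROVER` guard, `nondet_int32` and the check functions are assumptions of this example.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>

/* Constructed example: the bounds check a hypercall-style handler applies to
 * a guest-supplied table index. The defect (signed compare with no lower
 * bound and an off-by-one upper bound) is hypothetical, not a real Xen bug. */
#define TABLE_SLOTS 16

/* As reported: accepts slot == TABLE_SLOTS and every negative slot. */
bool slot_accepted_reported(int32_t slot) {
    return !(slot > TABLE_SLOTS);
}

/* Candidate fix: both bounds checked. */
bool slot_accepted_fixed(int32_t slot) {
    return slot >= 0 && slot < TABLE_SLOTS;
}

/* The property the triage engineer wants: an accepted index is in bounds. */
bool accepted_index_in_bounds(bool (*check)(int32_t), int32_t slot) {
    return !check(slot) || (slot >= 0 && slot < TABLE_SLOTS);
}

#ifdef __CPROVER
/* CBMC harness: the model checker chooses `slot` freely and reports a
 * counterexample trace (here slot = -1 or slot = 16) when an assertion
 * fails. Run with: cbmc harness.c --function harness */
int32_t nondet_int32(void);
void harness(void) {
    int32_t slot = nondet_int32();
    __CPROVER_assert(accepted_index_in_bounds(slot_accepted_reported, slot),
                     "accepted slot must be in bounds");
    __CPROVER_assert(accepted_index_in_bounds(slot_accepted_fixed, slot),
                     "fixed check keeps accepted slot in bounds");
}
#endif

/* The values from the counterexample trace, replayed as a regression test
 * that runs with an ordinary compiler: the reported check fails, the fix holds. */
int main(void) {
    const int32_t from_trace[] = { -1, TABLE_SLOTS };
    for (int i = 0; i < 2; i++) {
        assert(!accepted_index_in_bounds(slot_accepted_reported, from_trace[i]));
        assert(accepted_index_in_bounds(slot_accepted_fixed, from_trace[i]));
    }
    return 0;
}
```

The severity estimate then follows from what the trace shows the guest can reach: here a write outside the table, which is what makes the finding urgent rather than cosmetic.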
