Finding Trojan message vulnerabilities in distributed systems

Trojan messages are messages that appear correct to the receiver but cannot be generated by any correct sender. Such messages are major vulnerability points of a distributed system: they are ideal targets for a malicious actor and they facilitate failure propagation across nodes. We describe Achilles, a tool that searches for Trojan messages in a distributed system. Achilles uses dynamic white-box analysis of the distributed system's binaries to infer the predicate that defines the messages parsed by receiver nodes and the predicate that defines the messages generated by sender nodes, and then computes the Trojan messages as the difference between the two. We apply Achilles to implementations of real distributed systems: FSP, a file transfer application, and PBFT, a Byzantine-fault-tolerant state machine replication library. Achilles discovered a new bug in FSP and rediscovered a previously known vulnerability in PBFT. In our evaluation we show that our approach can perform orders of magnitude better than general approaches based on regular fuzzing and symbolic execution.
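The predicate difference described above, as a constructed example that is not the paper's code or part of Achilles: a toy three-field protocol with hand-written receiver and sender predicates over tiny domains, so the difference can be computed by exhaustive enumeration rather than by the symbolic execution the paper uses. The message layout, field domains and both predicates are assumptions for illustration only.

```python
from collections import Counter
from itertools import product

# Constructed toy protocol (an assumption, not a real system): a message is a
# tuple (msg_type, length, flags). Domains are tiny so the receiver/sender
# predicate difference can be enumerated exhaustively.
MSG_TYPES = range(4)   # 0=DATA, 1=ACK, 2=LEGACY_RESET, 3=unassigned
LENGTHS = range(0, 9)  # payload length in bytes
FLAGS = range(4)       # bit0 = urgent, bit1 = compressed


def receiver_accepts(msg):
    """Predicate of messages the (assumed) receiver parses without rejecting.

    The receiver still carries a handler for LEGACY_RESET (type 2) and
    tolerates zero-length DATA frames, which no current sender produces.
    """
    msg_type, length, flags = msg
    if msg_type == 0:            # DATA: any length up to 8, any flags
        return length <= 8
    if msg_type == 1:            # ACK: must be empty with no flags set
        return length == 0 and flags == 0
    if msg_type == 2:            # LEGACY_RESET: kept for backward compatibility
        return length == 0
    return False                 # unassigned type is rejected


def sender_generates(msg):
    """Predicate of messages a correct (assumed) sender can emit."""
    msg_type, length, flags = msg
    if msg_type == 0:            # current senders always send 1..8 payload bytes
        return 1 <= length <= 8
    if msg_type == 1:
        return length == 0 and flags == 0
    return False                 # no correct sender ever emits LEGACY_RESET


def trojan_messages():
    """Messages the receiver accepts but no correct sender generates: the set
    difference the paper computes from the two inferred predicates."""
    space = product(MSG_TYPES, LENGTHS, FLAGS)
    return sorted(m for m in space
                  if receiver_accepts(m) and not sender_generates(m))


def trojan_types():
    """Count Trojan messages per message type: each type with a non-zero count
    is a receiver code path reachable only by non-conforming input, i.e. a
    parser branch a defender should tighten or remove."""
    return dict(Counter(msg_type for msg_type, _, _ in trojan_messages()))
```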
