Date posted: 03-Jan-2016
White-box Software Isolation with Fully Automated Black-box Proofs
Jiaqi Tan, Rajeev Gandhi, Priya Narasimhan
Parallel Data Laboratory, Carnegie Mellon University
FMCAD 2015 Student Forum
Motivation
• Software Isolation
  • Safety property of software: External user input cannot subvert and control software execution
  • Ensures software is safe from potentially malicious input
• Where is it important?
  • Safety-critical systems, e.g., medical devices, avionics, cars
  • Lack of isolation → Security vulnerabilities → Potentially catastrophic accidents
• Why White-box Isolation?
  • Safety-critical systems: Need high assurance
  • Programmers need to see what safety checks are doing
• Why Black-box Proofs?
  • Many connected, potentially safety-critical Internet-of-Things devices → Many programmers writing code for such devices
  • Need fully automated, black-box (no expert input) proofs
Jiaqi Tan © September 15, http://www.pdl.cmu.edu/
Black-Box Software Isolation Proofs
Source-code (e.g., C) --Compilation--> Machine-code

    void arraycopy(int *src, int *dst, int n) {
        unsigned int i;
        for (i = 0; i < n; i++) {
            dst[i] = src[i];   /* computed memory write target: dangerous */
        }
    }

Computed memory write target: Dangerous

Key Insight 1: Potential isolation violations are evident in machine-code, so we can automate isolation proofs in machine-code.
White-Box Software Isolation: Locations
Source-code (e.g., C) --Compilation--> Machine-code

    void arraycopy(int *src, int *dst, int n) {
        unsigned int i;
        for (i = 0; i < n; i++) {
            dst[i] = src[i];   /* computed memory write target: dangerous */
        }
    }

Computed memory write target: Dangerous
Debug information helps us resolve this back to the source-code location (for unoptimized code)

Key Insight 2: We can identify source-code locations from machine-code addresses for potential isolation violations.
White-Box Software Isolation: Hints for Remedies
Source-code (e.g., C) --Compilation--> Machine-code

Source-code, with the safety check wrapped around the dangerous write:

    void arraycopy(int *src, int *dst, int n) {
        unsigned int i;
        for (i = 0; i < n; ++i) {
            if (SAFE(dst, i)) {
                dst[i] = src[i];
            }
        }
    }

    #define SAFE(array,idx) ……   /* .... (safety check code) .... */

Machine-code (ARM) for the loop body:

    ......
    e1a02102  lsl r2, r2, #2
    e51b1010  ldr r1, [fp, #-16]
    e0812002  add r2, r1, r2
    e5922000  ldr r2, [r2]
    e50b3008  str r2, [r3]
    e51b3008  ldr r3, [fp, #-8]
    e2833001  add r3, r3, #1
    e50b3008  str r3, [fp, #-8]
    e51b2018  ldr r2, [fp, #-24]
    ......

The SAFE(dst,i) check provides the logic preconditions needed: it proves the dangerous instruction (the str through a computed address) is safe to run.

Key Insight 3: We can write code, SAFE(dst,i), which gives us the necessary logic pre-conditions for provable isolation.
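The body of SAFE(dst,i) is elided on the slides. As an added example, not the authors' code and not the AUSPICE tooling, here is one concrete shape such a check can take in C, assuming a single static isolation region (the constructed buffer `region`) that every store from the isolated code must stay inside. `safe_write`, `arraycopy_unchecked`, `sample_src` and `outside` are hypothetical names introduced for this illustration. The unchecked function is the slides' original arraycopy; the hardened one shows how the branch on SAFE() is what supplies the precondition under which the store is provably in bounds, and how it behaves at the edge of the region.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed isolation region for this example: the isolated code may only
 * write inside this static buffer. The real SAFE() body is elided on the
 * slides; this is an assumed form of such a check, not the paper's. */
#define REGION_SIZE 64
static int region[REGION_SIZE];

/* Constructed sample inputs. `outside` is a buffer that is NOT in the region. */
static int sample_src[8] = {1, 2, 3, 4, 5, 6, 7, 8};
static int outside[8];

/* Returns 1 iff the len-byte write at address a lies entirely inside region.
 * Integer arithmetic is used so that an out-of-range index never forms a
 * pointer, and the (hi - a) >= len form cannot overflow. */
static int safe_write(uintptr_t a, size_t len) {
    uintptr_t lo = (uintptr_t)region;
    uintptr_t hi = lo + sizeof region;
    return a >= lo && a < hi && (hi - a) >= len;
}

/* SAFE(array, idx): precondition for the store to array[idx]. */
#define SAFE(array, idx) \
    safe_write((uintptr_t)(array) + (uintptr_t)(idx) * sizeof *(array), sizeof *(array))

/* Unchecked form from the slides: dst[i] compiles to a store through a
 * computed address, which an isolation proof cannot justify on its own. */
void arraycopy_unchecked(int *src, int *dst, int n) {
    unsigned int i;
    for (i = 0; i < (unsigned int)n; i++) {
        dst[i] = src[i];
    }
}

/* Hardened form: the branch on SAFE() dominates the store, so on the path
 * that reaches it the write address is known to be inside the region.
 * Stops at the first unsafe write rather than corrupting memory and returns
 * the number of elements actually copied. */
int arraycopy(int *src, int *dst, int n) {
    unsigned int i;
    int copied = 0;
    if (n < 0) {            /* a negative n would wrap when compared with unsigned i */
        return 0;
    }
    for (i = 0; i < (unsigned int)n; ++i) {
        if (!SAFE(dst, i)) {
            break;
        }
        dst[i] = src[i];
        copied++;
    }
    return copied;
}

int main(void) {
    printf("copy into region start: %d of 8\n", arraycopy(sample_src, region, 8));
    printf("copy into last 4 slots:  %d of 8\n",
           arraycopy(sample_src, region + REGION_SIZE - 4, 8));
    printf("copy outside region:     %d of 8\n", arraycopy(sample_src, outside, 8));
    return 0;
}
```

Compiled without optimisation (as Key Insight 2 assumes), the comparison and conditional branch stay immediately ahead of the `str` in the emitted machine code, which is the pattern the proof needs to see; a copy that runs off the end of the region copies only the elements that fit and returns that count.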
Visualization of Approach
Source-code (e.g., C) --Compilation--> Machine-code
  • Software isolation violations manifest in machine-code behavior → Prove isolation in machine-code
  • Programmers can only observe the source-code level of abstraction → Isolation enforcement mechanisms must be in source-code

Machine-code → Software Isolation Proof Generation (AUSPICE) [1], built on HOL4 and the Cambridge ARM Logic [2]
  → Safety Proof of Isolation: Proof Success, or Proof Failure
Proof Failure → Machine-code Addresses Responsible for Proof Failure
  → Software Isolation Remedy Hint Generation (LLVM-Clang Tooling)
  → Hints for source-code remedies for safety violations
  → Programmer applies hints to the source-code
References
• [1] Jiaqi Tan, Hui Jun Tay, Rajeev Gandhi, Priya Narasimhan. AUSPICE: Automatic Safety Property Verification for Unmodified Executables. In Working Conference on Verified Software: Tools, Theories and Experiments (VSTTE), July 2015.
• [2] Magnus Myreen, Anthony Fox, Michael Gordon. Hoare Logic for ARM Machine Code. In Fundamentals of Software Engineering (FSEN), 2007.