Model-counting Approaches For Nonlinear Numerical Constraints
•
1 like•80 views
Presentation at NASA Formal Methods Symposium 2017
Recommended
Recommended
More Related Content
What's hot
What's hot (18)
Similar to Model-counting Approaches For Nonlinear Numerical Constraints
Similar to Model-counting Approaches For Nonlinear Numerical Constraints (20)
More from Quoc-Sang Phan
More from Quoc-Sang Phan (9)
Recently uploaded
Recently uploaded (20)
Model-counting Approaches For Nonlinear Numerical Constraints
- 1. Model-counting Approaches For Nonlinear Numerical Constraints Mateus Borges1 , Sang Phan2 , Antonio Filieri1 , Corina P˘as˘areanu2,3 1Imperial College London, UK 2Carnegie Mellon University Silicon Valley, USA 3NASA Ames Research Center, USA NASA Formal Methods Symposium May 16, 2017 1 / 14
- 2. Model Counting Applications of model counting probabilistic inference reliability analysis quantitative information flow (for side-channel analysis) . . . Integrated Symbolic Execution for Space-Time Analysis of Code. http://www.cmu.edu/silicon-valley/research/isstac 2 / 14
- 3. Side channels H L “main” channelprogram (unintended) side channel main channel output of the program, i.e. return value side channels execution time power consumption number of packets transmitted over a network number of bytes written to a file . . . 3 / 14
- 4. Symbolic Execution and Symbolic PathFinder 1 int x,y; 2 if(x > y){ 3 x = x + y; 4 y = x − y; 5 x = x − y; 6 if(x − y > 0) 7 assert(false); 8 } {x → X, y → Y } PC : True {x → X, y → Y } PC : X > Y {x → X + Y, y → Y } PC : X > Y {x → X + Y, y → X} PC : X > Y {x → Y, y → X} PC : X > Y {x → Y, y → X} PC : X > Y ∧ Y − X > 0 6 {x → Y, y → X} PC : X > Y ∧ Y − X ≤ 0 6 5 4 3 2 {x → X, y → Y } PC : X ≤ Y 2 Symbolic PathFinder: symbolic JVM for Java bytecode 4 / 14
- 5. Side-channel analysis Quantifying information leaks Perform symbolic execution to collect all symbolic paths πi . Compute the observable of each symbolic path oi = cost(πi ). Compute the leakage using Shannon entropy Leakage = i=1...n p(oi ) log2 1 p(oi ) Assume the secret h has uniform distribution over the domain ΩH p(oi ) = cost(πj )=oi (πj ) |ΩH| where (πj ) is computed by using model counting tools. 5 / 14
- 6. Motivation Most previous work limit on programs with linear numerical constraints (using Latte or barvinok). Reliability Analysis in SymbolicPathfinder. ICSE’13. Multi-run Side-Channel Analysis Using Symbolic Execution and Max-SMT. CSF’16. String Analysis for Side Channels with Segmented Oracles. FSE’16. Synthesis of Adaptive Side-Channel Attacks. CSF’17. ⇒ Model counting of path conditions for programs with nonlinear numerical constraints. 6 / 14
- 7. Taxonomy of model counting Precision Exact counting Approximate counting Level Bit-level counting Word-level counting Others: Blocking-clause enumeration BDD-based enumerations Counting with Gr¨obner bases Brute force 7 / 14
- 8. Evaluation setup Tool selection Publicly available implementations of model counting algorithms POC’s developed by us Fixed execution time (1 hour) Benchmark: Modular exponentiation Two distinct implementations Extracted path conditions through symbolic execution 8 / 14
- 9. Evaluated Tools Precision Level All-SAT exact bit Dsharp exact bit SharpCDCL exact bit SharpSAT exact bit ApproxMC approximate bit SMTapproxMC approximate word Brute force exact word MathSAT exact word Z3 (blocking clause) exact word 9 / 14
- 10. Modular Exponentiation Asymmetric cryptographic algorithms public key: (e,n) private key: d message: m encryption: c = modPow(m, e, n) decryption: m = modPow(c, d, n) Experiments with n = 1717 n = 834443 n = 1964903306 (product of two distinct prime numbers) modPow(x, y, z) = xy mod z int modPow1(int c, int d, int n){ int s = 1, y = c, res=0; while (d > 0) { if (d % 2 == 1) { //reduction: int tmp = s ∗ y; if (tmp > n){ tmp = tmp − n; } res = tmp % n; } else { res=s; } s = (res ∗ res) % n; d /= 2; } return res; } 10 / 14
- 11. Modular Exponentiation SnapBuddy A photo-sharing web application. Given by DARPA as one of the engagement problems. public static BigInteger modPow2(final BigInteger x, final BigInteger y, final BigInteger z) { BigInteger s = BigInteger.valueOf(1L); for (int width = y.bitLength(), i = 0; i < width; ++i) { s = s.multiply(s).mod(z); if (y.testBit(width − i − 1)) { s = fastMultiply(s, x).mod(z); } } return s; } } 11 / 14
- 12. Symbolic Execution of Modular Exponentiation modPow(x, y, z) = xy mod z Perform symbolic execution on modPow1 Both x and y are symbolic. z is either 1717, 834443, or 1964903306. modPow2 x is a concrete 1532-bit value. y is symbolic BigInteger with 40 bits. z is a concrete 1536-bit value (hard-coded in SnapBuddy) 12 / 14
- 13. Experimental Results Subject a-1 a-2 a-3 a-4 a-5 a-6 a-7 b-1 b-2 b-3 b-4 N. Ops 11 26 15 37 121 57 117 250 243 1428 1428 Domain Size 10K 10K 10K 25M 25M 59B 59B 4T 4T 32B 32B N. Solutions 1.7K 7 1.7K 208K 109K 80M 77M 2B 66B 1 1 N. CNF clauses 40K 78K 58K 67K 114K 58K 78K 2K 2K 2K 2K Execution time BitBlasting 15s 30s 24s 25s 44s 23s 30s 1s 1s 1s 2s SharpCDCL 1s 1s 1s 43m - - - - - 1s 1s All-SAT 1s 8s 2s 31m∗ 59m∗ 15m∗ 19m∗ - - 1s 1s SharpSAT 5s 2s 11s 29m 53m - - 1s 1s 1s 1s Dsharp 12m 32s 22m - - - - 1s 1s 1s 1s ApproxMC (f) 4s 2s 5s 16s 32s 1m 1m 4s 5s 1s 1s ApproxMC (p) 4s 2s 6s 2m 5m 21m 24m 16s 25s 1s 1s SMTapproxMC (f) 6m 15m 8m - - - - - - 2m 2m SMTapproxMC (p) - 15m - - - - - - - 2m 2m MathSAT 2s 2s 5s 38m 54m - - - - 1s 1s Z3-BC 12s 3s 18s - - - - - - 1s 1s Brute Force 1s 1s 1s 1s 1s 8m 8m - - 2m 2m 13 / 14
- 14. Conclusion Small domain: brute force! Exact counters can be effective when the problem is small (< 50K clauses) or count is close to domain size. Most promising: approximate model counting with bit-level hashing. Performance can degrade when increased precision is required. 14 / 14