"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
Model-counting Approaches For Nonlinear Numerical Constraints
1. Model-counting Approaches For Nonlinear
Numerical Constraints
Mateus Borges1
, Sang Phan2
, Antonio Filieri1
, Corina P˘as˘areanu2,3
1Imperial College London, UK
2Carnegie Mellon University Silicon Valley, USA
3NASA Ames Research Center, USA
NASA Formal Methods Symposium
May 16, 2017
1 / 14
2. Model Counting
Applications of model counting
probabilistic inference
reliability analysis
quantitative information flow (for side-channel analysis)
. . .
Integrated Symbolic Execution for Space-Time Analysis of Code.
http://www.cmu.edu/silicon-valley/research/isstac
2 / 14
3. Side channels
H
L
“main” channelprogram
(unintended) side channel
main channel
output of the program, i.e. return value
side channels
execution time
power consumption
number of packets transmitted over a network
number of bytes written to a file
. . .
3 / 14
4. Symbolic Execution and Symbolic PathFinder
1 int x,y;
2 if(x > y){
3 x = x + y;
4 y = x − y;
5 x = x − y;
6 if(x − y > 0)
7 assert(false);
8 }
{x → X, y → Y }
PC : True
{x → X, y → Y }
PC : X > Y
{x → X + Y, y → Y }
PC : X > Y
{x → X + Y, y → X}
PC : X > Y
{x → Y, y → X}
PC : X > Y
{x → Y, y → X}
PC : X > Y ∧ Y − X > 0
6
{x → Y, y → X}
PC : X > Y ∧ Y − X ≤ 0
6
5
4
3
2
{x → X, y → Y }
PC : X ≤ Y
2
Symbolic PathFinder: symbolic JVM for Java bytecode
4 / 14
5. Side-channel analysis
Quantifying information leaks
Perform symbolic execution to collect all symbolic paths πi .
Compute the observable of each symbolic path oi = cost(πi ).
Compute the leakage using Shannon entropy
Leakage =
i=1...n
p(oi ) log2
1
p(oi )
Assume the secret h has uniform distribution over the domain ΩH
p(oi ) =
cost(πj )=oi
(πj )
|ΩH|
where (πj ) is computed by using model counting tools.
5 / 14
6. Motivation
Most previous work limit on programs with linear numerical
constraints (using Latte or barvinok).
Reliability Analysis in SymbolicPathfinder. ICSE’13.
Multi-run Side-Channel Analysis Using Symbolic Execution and
Max-SMT. CSF’16.
String Analysis for Side Channels with Segmented Oracles. FSE’16.
Synthesis of Adaptive Side-Channel Attacks. CSF’17.
⇒ Model counting of path conditions for programs with nonlinear
numerical constraints.
6 / 14
7. Taxonomy of model counting
Precision
Exact counting
Approximate counting
Level
Bit-level counting
Word-level counting
Others:
Blocking-clause enumeration
BDD-based enumerations
Counting with Gr¨obner bases
Brute force
7 / 14
8. Evaluation setup
Tool selection
Publicly available implementations of model counting
algorithms
POC’s developed by us
Fixed execution time (1 hour)
Benchmark: Modular exponentiation
Two distinct implementations
Extracted path conditions through symbolic execution
8 / 14
9. Evaluated Tools
Precision Level
All-SAT exact bit
Dsharp exact bit
SharpCDCL exact bit
SharpSAT exact bit
ApproxMC approximate bit
SMTapproxMC approximate word
Brute force exact word
MathSAT exact word
Z3 (blocking clause) exact word
9 / 14
10. Modular Exponentiation
Asymmetric cryptographic algorithms
public key: (e,n)
private key: d
message: m
encryption: c = modPow(m, e, n)
decryption: m = modPow(c, d, n)
Experiments with
n = 1717
n = 834443
n = 1964903306
(product of two distinct prime numbers)
modPow(x, y, z) = xy
mod z
int modPow1(int c, int d, int n){
int s = 1, y = c, res=0;
while (d > 0) {
if (d % 2 == 1) {
//reduction:
int tmp = s ∗ y;
if (tmp > n){
tmp = tmp − n;
}
res = tmp % n;
} else {
res=s;
}
s = (res ∗ res) % n;
d /= 2;
}
return res;
}
10 / 14
11. Modular Exponentiation
SnapBuddy
A photo-sharing web application.
Given by DARPA as one of the engagement problems.
public static BigInteger modPow2(final BigInteger x, final BigInteger y,
final BigInteger z) {
BigInteger s = BigInteger.valueOf(1L);
for (int width = y.bitLength(), i = 0; i < width; ++i) {
s = s.multiply(s).mod(z);
if (y.testBit(width − i − 1)) {
s = fastMultiply(s, x).mod(z);
}
}
return s;
}
}
11 / 14
12. Symbolic Execution of Modular Exponentiation
modPow(x, y, z) = xy mod z
Perform symbolic execution on
modPow1
Both x and y are symbolic.
z is either 1717, 834443, or 1964903306.
modPow2
x is a concrete 1532-bit value.
y is symbolic BigInteger with 40 bits.
z is a concrete 1536-bit value (hard-coded in SnapBuddy)
12 / 14
14. Conclusion
Small domain: brute force!
Exact counters can be effective when the problem is small
(< 50K clauses) or count is close to domain size.
Most promising: approximate model counting with bit-level
hashing.
Performance can degrade when increased precision is required.
14 / 14