2. THE PROBLEM
PRELIMINARIES
THE APPROACH
CONCLUSION
Outline
1 THE PROBLEM
Information Flow
Self-composition
2 PRELIMINARIES
The trace semantics
Symbolic Execution
3 THE APPROACH
Self-composition as Path-equivalence
Path-equivalence generation
Implementation
4 CONCLUSION
2 / 24
5. THE PROBLEM
PRELIMINARIES
THE APPROACH
CONCLUSION
Information Flow
Self-composition
The problem
(Qualitative) Information Flow: does the program leak
information?
Quantitative Information Flow (QIF): how much does it leak?
Given a function F measuring secrecy. Leakage of information
is defined as:
∆F (H) = F(H) − F(H|O)
F can measure: Shannon entropy, Renyi’s min-entropy,
guessing entropy.
Two-step analysis for QIF
Detect the leaks ← this presentation.
“Measure” the leaks.
5 / 24
6. THE PROBLEM
PRELIMINARIES
THE APPROACH
CONCLUSION
Information Flow
Self-composition
Detecting information flow leaks
Type system
No false negatives, too many false positives (too restrictive)
Fast
Taint analysis
Both false negatives and false positives.
Fast (powerful to detect bugs).
Theorem proving (by self-composition)
Precise: no false positives, no false negatives
Impractical in reality.
6 / 24
7. THE PROBLEM
PRELIMINARIES
THE APPROACH
CONCLUSION
Information Flow
Self-composition
Self-composition
// program P
i f (H == L)
O = true ;
else
O = f a l s e ;
// copy of P with a l l v a r i a b l e s renamed
i f (H1 == L1 )
O1 = true ;
else
O1 = f a l s e ;
Self-composition in Hoare logic
{L = L1}P; P1{O = O1}
7 / 24
8. THE PROBLEM
PRELIMINARIES
THE APPROACH
CONCLUSION
Information Flow
Self-composition
Self-composition
Terauchi and Aiken. “Secure information flow as a safety
problem”. SAS 2005.
“When we actually applied the self-composition approach, we
found that not only are the existing automatic safety analysis tools
not powerful enough to verify many realistic problem instances
efficiently (or at all), but also that there are strong reasons to
believe that it is unlikely to expect any future advance”.
8 / 24
9. THE PROBLEM
PRELIMINARIES
THE APPROACH
CONCLUSION
Information Flow
Self-composition
Our contribution
Practical approach for Self-composition using Symbolic Execution
and SMT solvers.
Shift the self-composing step from the source code to the
symbolic expressions.
Generate self-composition formula in first-order theories.
Implement on Symbolic Pathfinder and Z3.
9 / 24
10. THE PROBLEM
PRELIMINARIES
THE APPROACH
CONCLUSION
The trace semantics
Symbolic Execution
The formal system
A deterministic program is modelled as a transition system:
P = (Σ, I, F, T)
Σ is the set of program states;
I ⊆ Σ : the set of initial states.
σ ∈ I is a pair H, L , which means I = IH × IL
F ⊆ Σ : the set of final states.
T ⊆ Σ × Σ : the transition function.
10 / 24
11. THE PROBLEM
PRELIMINARIES
THE APPROACH
CONCLUSION
The trace semantics
Symbolic Execution
The trace semantics
A trace of (concrete) execution of program P:
ρ = σ0σ1..σn
σ0 ∈ I, σn ∈ F and σi , σi+1 ∈ T for all i ∈ {0, .., n − 1}.
The semantics of P : the set R of all possible traces.
init(ρ) = σ0 and fin(ρ) = σn
11 / 24
12. THE PROBLEM
PRELIMINARIES
THE APPROACH
CONCLUSION
The trace semantics
Symbolic Execution
Symbolic Execution
Example
i f (H == L)
O = true ; // accept password
else
O = f a l s e ; // r e j e c t
Execute program with input symbols: H = α and L = β
If (α == β) : O = true.
If (α = β) : O = false.
12 / 24
13. THE PROBLEM
PRELIMINARIES
THE APPROACH
CONCLUSION
The trace semantics
Symbolic Execution
Symbolic Execution
A deterministic program is modelled as a transition system:
P = (Σs
, Is
, Fs
, Ts
)
Σs: the set of symbolic states
Is ⊆ Σs : the set of initial symbolic states
Fs ⊆ Σs : the set of final symbolic states
Ts ⊆ Σs × Σs : the transition function.
13 / 24
14. THE PROBLEM
PRELIMINARIES
THE APPROACH
CONCLUSION
The trace semantics
Symbolic Execution
The semantics
A symbolic path (symbolic trace) of the program P:
ρs
= σs
0σs
1..σs
n
such that σs
0 ∈ Is, σs
n ∈ Fs and σs
i , σs
i+1 ∈ Ts for all
i ∈ {0, . . . , n − 1}.
The symbolic semantics of P : the set Rs of all symbolic paths
(aka the symbolic execution tree)
14 / 24
15. THE PROBLEM
PRELIMINARIES
THE APPROACH
CONCLUSION
The trace semantics
Symbolic Execution
The summaries
Denote by X|y the value of the variable X at the state y. For each
σs
i ∈ Fs:
O|σs
i
= fi (α, β)
σs
i is reachable iff path condition ci (α, β) is SAT.
O =
f1(α, β) if c1(α, β)
f2(α, β) if c2(α, β)
. . . . . .
fn(α, β) if cn(α, β)
∀i, j ∈ [1, n] ∧ i = j.ci ∧ cj = ⊥
15 / 24
16. THE PROBLEM
PRELIMINARIES
THE APPROACH
CONCLUSION
Self-composition as Path-equivalence
Path-equivalence generation
Implementation
Trace-equivalence
Self-composition in Hoare logic
{L = L1}P; P1{O = O1}
Interpret in trace semantics:
Self-composition as Trace-equivalence
∀ρ ∈ R, ρ1 ∈ R1.L|init(ρ) = L1|init(ρ1) → O|fin(ρ) = O1|fin(ρ1)
→ impossible to enumerate all traces.
→ need an abstract interpretation: Symbolic Execution.
16 / 24
17. THE PROBLEM
PRELIMINARIES
THE APPROACH
CONCLUSION
Self-composition as Path-equivalence
Path-equivalence generation
Implementation
Trace-equivalence
Self-composition in Hoare logic
{L = L1}P; P1{O = O1}
Interpret in trace semantics:
Self-composition as Trace-equivalence
∀ρ ∈ R, ρ1 ∈ R1.L|init(ρ) = L1|init(ρ1) → O|fin(ρ) = O1|fin(ρ1)
→ impossible to enumerate all traces.
→ need an abstract interpretation: Symbolic Execution.
17 / 24
18. THE PROBLEM
PRELIMINARIES
THE APPROACH
CONCLUSION
Self-composition as Path-equivalence
Path-equivalence generation
Implementation
Path-equivalence
Self-composition in Hoare logic
{L = L1}P; P1{O = O1}
Interpret in symbolic semantics:
Self-composition as Path-equivalence
∀ρs
∈ Rs
, ρs
1 ∈ Rs
1.
(L|init(ρs ) = L1|init(ρs
1)) ∧ path(ρs
) ∧ path(ρs
1)
→ (O|fin(ρs ) = O1|fin(ρs
1))
18 / 24
19. THE PROBLEM
PRELIMINARIES
THE APPROACH
CONCLUSION
Self-composition as Path-equivalence
Path-equivalence generation
Implementation
Path-equivalence generation
Symbolically Execution
H|init(ρs ) = α; L|init(ρs ) = β; H1|init(ρs
1) = α1; L1|init(ρs
1) = β
Path-equivalence generation
PE ≡ DF ∧ IF
where:
DF ≡
n
i=1
ci (α, β) ∧ ci (α1, β) → (fi (α, β) = fi (α1, β))
IF ≡
n−1
i=1
n
j=i+1
ci (α, β) ∧ cj (α1, β) → (fi (α, β) = fj (α1, β))
19 / 24
20. THE PROBLEM
PRELIMINARIES
THE APPROACH
CONCLUSION
Self-composition as Path-equivalence
Path-equivalence generation
Implementation
Path-equivalence generation
The password checking program
O =
true if α = β
false if α = β
Path-equivalence generation
PE ≡ DF ∧ IF
where:
DF ≡ (α = β ∧ α1 = β → true = true)∧
(α = β ∧ α1 = β → false = false)
IF ≡ α = β ∧ α1 = β → true = false
20 / 24
21. THE PROBLEM
PRELIMINARIES
THE APPROACH
CONCLUSION
Self-composition as Path-equivalence
Path-equivalence generation
Implementation
Implementation
Tools to use:
Symbolic Execution: Symbolic Pathfinder of NASA
SMT solver: Z3 of Microsoft
Also extended to Quantitative Information Flow.
The project
“Secure Information Flow by Symbolic Execution”
Google Summer of Code 2013: evaluation submitted
yesterday.
Mentor organization: NASA’s Java Pathfinder team.
Also extended to Quantitative Information Flow.
21 / 24
22. THE PROBLEM
PRELIMINARIES
THE APPROACH
CONCLUSION
Self-composition as Path-equivalence
Path-equivalence generation
Implementation
Implementation
Tools to use:
Symbolic Execution: Symbolic Pathfinder of NASA
SMT solver: Z3 of Microsoft
Also extended to Quantitative Information Flow.
The project
“Secure Information Flow by Symbolic Execution”
Google Summer of Code 2013: evaluation submitted
yesterday.
Mentor organization: NASA’s Java Pathfinder team.
Also extended to Quantitative Information Flow.
22 / 24