THE PROBLEM
PRELIMINARIES
THE APPROACH
CONCLUSION
Self-composition by Symbolic Execution
Quoc-Sang Phan
Queen Mary, University of London
September 26, 2013
1 / 24
Outline
1 THE PROBLEM
Information Flow
Self-composition
2 PRELIMINARIES
The trace semantics
Symbolic Execution
3 THE APPROACH
Self-composition as Path-equivalence
Path-equivalence generation
Implementation
4 CONCLUSION
2 / 24
Information Flow
Self-composition
Attacker model
(Figure.) The software SW takes a secret input H and a public input L and produces a public output O. The external observer sees the public values L and O but not the secret H.
3 / 24
Examples
Direct flow (explicit flow):
O = H + 3;
Indirect flow (implicit flow):
if (H == L)
    O = true;   // accept password
else
    O = false;  // reject
4 / 24
The problem
(Qualitative) Information Flow: does the program leak
information?
Quantitative Information Flow (QIF): how much does it leak?
Given a function F measuring secrecy, the leakage of information is defined as:
∆F(H) = F(H) − F(H|O)
F can measure: Shannon entropy, Rényi's min-entropy, guessing entropy.
Two-step analysis for QIF
Detect the leaks ← this presentation.
“Measure” the leaks.
5 / 24
Detecting information flow leaks
Type system
No false negatives, too many false positives (too restrictive)
Fast
Taint analysis
Both false negatives and false positives.
Fast (powerful to detect bugs).
Theorem proving (by self-composition)
Precise: no false positives, no false negatives
Impractical in reality.
6 / 24
Self-composition
// program P
if (H == L)
    O = true;
else
    O = false;
// copy of P with all variables renamed
if (H1 == L1)
    O1 = true;
else
    O1 = false;
Self-composition in Hoare logic
{L = L1} P; P1 {O = O1}
7 / 24
Self-composition
Terauchi and Aiken. “Secure information flow as a safety
problem”. SAS 2005.
“When we actually applied the self-composition approach, we
found that not only are the existing automatic safety analysis tools
not powerful enough to verify many realistic problem instances
efficiently (or at all), but also that there are strong reasons to
believe that it is unlikely to expect any future advance”.
8 / 24
Our contribution
Practical approach for Self-composition using Symbolic Execution
and SMT solvers.
Shift the self-composing step from the source code to the
symbolic expressions.
Generate self-composition formula in first-order theories.
Implement on Symbolic Pathfinder and Z3.
9 / 24
The trace semantics
Symbolic Execution
The formal system
A deterministic program is modelled as a transition system:
P = (Σ, I, F, T)
Σ is the set of program states;
I ⊆ Σ : the set of initial states.
σ ∈ I is a pair ⟨H, L⟩, which means I = I_H × I_L
F ⊆ Σ : the set of final states.
T ⊆ Σ × Σ : the transition function.
10 / 24
The trace semantics
A trace of (concrete) execution of program P:
ρ = σ_0 σ_1 .. σ_n
σ_0 ∈ I, σ_n ∈ F and ⟨σ_i, σ_{i+1}⟩ ∈ T for all i ∈ {0, .., n − 1}.
The semantics of P : the set R of all possible traces.
init(ρ) = σ_0 and fin(ρ) = σ_n
11 / 24
Symbolic Execution
Example
if (H == L)
    O = true;   // accept password
else
    O = false;  // reject
Execute program with input symbols: H = α and L = β
If (α == β) : O = true.
If (α ≠ β) : O = false.
12 / 24
Symbolic Execution
A deterministic program is modelled as a transition system:
P = (Σ^s, I^s, F^s, T^s)
Σ^s: the set of symbolic states
I^s ⊆ Σ^s : the set of initial symbolic states
F^s ⊆ Σ^s : the set of final symbolic states
T^s ⊆ Σ^s × Σ^s : the transition function.
13 / 24
The semantics
A symbolic path (symbolic trace) of the program P:
ρ^s = σ^s_0 σ^s_1 .. σ^s_n
such that σ^s_0 ∈ I^s, σ^s_n ∈ F^s and ⟨σ^s_i, σ^s_{i+1}⟩ ∈ T^s for all i ∈ {0, . . . , n − 1}.
The symbolic semantics of P : the set R^s of all symbolic paths (aka the symbolic execution tree).
14 / 24
The summaries
Denote by X|y the value of the variable X at the state y. For each σ^s_i ∈ F^s:
O|σ^s_i = f_i(α, β)
σ^s_i is reachable iff path condition c_i(α, β) is SAT.
O = { f_1(α, β) if c_1(α, β)
      f_2(α, β) if c_2(α, β)
      . . .
      f_n(α, β) if c_n(α, β) }
∀i, j ∈ [1, n] ∧ i ≠ j . c_i ∧ c_j = ⊥
15 / 24
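A tiny symbolic executor that produces the summaries (c_i, f_i) described above for the password checker of slide 12, added here as an illustration and not code from the talk or from Symbolic PathFinder; the tuple-based mini-language, the symbol names alpha/beta and the finite-domain disjointness check (standing in for an SMT query) are assumptions of this example.

```python
"""Symbolic execution of a tiny imperative language into path summaries.

Added example, not code from the talk or from Symbolic PathFinder (SPF). The
mini-language (nested tuples) and the symbol names are assumptions of this example.
Expressions: ('sym', name) input symbol | ('const', v) | ('var', name) program
variable | ('not', e) | (op, lhs, rhs) with op in OPS.
Statements: ('assign', var, expr) | ('seq', s1, s2, ...) | ('if', cond, then, else)
"""
import operator
from itertools import product

OPS = {'==': operator.eq, '!=': operator.ne, '+': operator.add, '>': operator.gt}


def subst(expr, state):
    """Replace program variables by their current symbolic values."""
    kind = expr[0]
    if kind == 'var':
        return state[expr[1]]
    if kind in ('sym', 'const'):
        return expr
    if kind == 'not':
        return ('not', subst(expr[1], state))
    op, lhs, rhs = expr
    return (op, subst(lhs, state), subst(rhs, state))


def sym_exec(stmt, state, pc):
    """Return [(path_condition, symbolic_state)] for every path through stmt.
    pc is the path condition so far: a list of guards read as a conjunction."""
    kind = stmt[0]
    if kind == 'assign':
        _, var, expr = stmt
        return [(pc, {**state, var: subst(expr, state)})]
    if kind == 'seq':
        paths = [(pc, state)]
        for s in stmt[1:]:
            paths = [p for pc_, st in paths for p in sym_exec(s, st, pc_)]
        return paths
    if kind == 'if':
        _, cond, then, els = stmt
        guard = subst(cond, state)
        # Fork the symbolic execution tree: each branch extends the path condition.
        return (sym_exec(then, state, pc + [guard])
                + sym_exec(els, state, pc + [('not', guard)]))
    raise ValueError(f'unknown statement kind {kind!r}')


def summarize(prog, inputs, out_var):
    """Summary of slide 15: one (c_i, f_i) per final symbolic state, where c_i is
    the path condition and f_i the symbolic value of out_var on that path."""
    init = {var: ('sym', sym) for var, sym in inputs.items()}
    return [(pc, st[out_var]) for pc, st in sym_exec(prog, init, [])]


def evaluate(expr, env):
    """Evaluate a symbolic expression under a concrete assignment of the symbols."""
    kind = expr[0]
    if kind == 'sym':
        return env[expr[1]]
    if kind == 'const':
        return expr[1]
    if kind == 'not':
        return not evaluate(expr[1], env)
    op, lhs, rhs = expr
    return OPS[op](evaluate(lhs, env), evaluate(rhs, env))


def paths_disjoint(summary, symbols, domain):
    """Slide 15: for i != j, c_i ∧ c_j is unsatisfiable. The talk would ask an SMT
    solver; here the check is exhaustive over a small finite domain (assumption)."""
    for values in product(domain, repeat=len(symbols)):
        env = dict(zip(symbols, values))
        live = sum(all(evaluate(g, env) for g in pc) for pc, _ in summary)
        if live > 1:
            return False
    return True


def pretty(expr):
    """Render an expression tree the way the slides write it."""
    kind = expr[0]
    if kind in ('sym', 'var'):
        return expr[1]
    if kind == 'const':
        return str(expr[1]).lower()
    if kind == 'not':
        return f'not ({pretty(expr[1])})'
    op, lhs, rhs = expr
    return f'{pretty(lhs)} {op} {pretty(rhs)}'


# The password checker of slide 12 in the mini-language: if (H == L) O = true; else O = false;
PASSWORD = ('if', ('==', ('var', 'H'), ('var', 'L')),
            ('assign', 'O', ('const', True)),    # accept password
            ('assign', 'O', ('const', False)))   # reject

# Run with input symbols H = alpha, L = beta, as on slide 12.
PASSWORD_SUMMARY = summarize(PASSWORD, {'H': 'alpha', 'L': 'beta'}, 'O')

if __name__ == '__main__':
    for pc, out in PASSWORD_SUMMARY:
        print(f"O = {pretty(out)} if {' and '.join(pretty(g) for g in pc)}")
    print('path conditions disjoint:',
          paths_disjoint(PASSWORD_SUMMARY, ['alpha', 'beta'], range(-2, 3)))
```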
Self-composition as Path-equivalence
Path-equivalence generation
Implementation
Trace-equivalence
Self-composition in Hoare logic
{L = L1}P; P1{O = O1}
Interpret in trace semantics:
Self-composition as Trace-equivalence
∀ρ ∈ R, ρ1 ∈ R1.L|init(ρ) = L1|init(ρ1) → O|fin(ρ) = O1|fin(ρ1)
→ impossible to enumerate all traces.
→ need an abstract interpretation: Symbolic Execution.
16 / 24
Path-equivalence
Self-composition in Hoare logic
{L = L1}P; P1{O = O1}
Interpret in symbolic semantics:
Self-composition as Path-equivalence
∀ρ^s ∈ R^s, ρ1^s ∈ R1^s . (L|init(ρ^s) = L1|init(ρ1^s)) ∧ path(ρ^s) ∧ path(ρ1^s) → (O|fin(ρ^s) = O1|fin(ρ1^s))
18 / 24
Path-equivalence generation
Symbolic execution:
H|init(ρ^s) = α; L|init(ρ^s) = β; H1|init(ρ1^s) = α1; L1|init(ρ1^s) = β
(Both copies receive the same public symbol β, which imposes the precondition L = L1.)
Path-equivalence generation
PE ≡ DF ∧ IF
where:
DF ≡ ⋀_{i=1}^{n} ( c_i(α, β) ∧ c_i(α1, β) → (f_i(α, β) = f_i(α1, β)) )
IF ≡ ⋀_{i=1}^{n−1} ⋀_{j=i+1}^{n} ( c_i(α, β) ∧ c_j(α1, β) → (f_i(α, β) = f_j(α1, β)) )
19 / 24
Path-equivalence generation
The password checking program
O = { true   if α = β
      false  if α ≠ β }
Path-equivalence generation
PE ≡ DF ∧ IF
where:
DF ≡ (α = β ∧ α1 = β → true = true) ∧ (α ≠ β ∧ α1 ≠ β → false = false)
IF ≡ α = β ∧ α1 ≠ β → true = false
DF is valid, but IF is falsified by any α = β with α1 ≠ β, so PE does not hold: the program leaks (the implicit flow of slide 4).
20 / 24
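The PE ≡ DF ∧ IF generation of slides 19 and 20, added here as an example and not the talk's or Symbolic PathFinder's code: summaries are lists of (c_i, f_i) callables over the input symbols, and in place of the Z3 call the talk uses, PE is checked by exhaustive enumeration over a small integer domain (an assumption of this example); the secure variant and the domain are constructed.

```python
"""Path-equivalence (PE) generation and check from symbolic summaries.

Added example, not code from the talk or from Symbolic PathFinder. A summary is
a list of (c_i, f_i) pairs as Python callables over the input symbols (alpha,
beta); the second copy of the program runs on the renamed secret alpha1 and the
same public symbol beta, which enforces the precondition L = L1. The talk
discharges PE with Z3; here it is checked by exhaustive enumeration over a small
integer domain (an assumption of this example): a violation found is a real
counterexample, a pass is a pass on that domain only.
"""
from itertools import product


def direct_flow_violations(summary, domain):
    """DF of slide 19: for every path i,
    c_i(alpha, beta) ∧ c_i(alpha1, beta) → f_i(alpha, beta) = f_i(alpha1, beta).
    Returns the (alpha, beta, alpha1) triples that falsify it."""
    bad = []
    for alpha, beta, alpha1 in product(domain, repeat=3):
        for c, f in summary:
            if c(alpha, beta) and c(alpha1, beta) and f(alpha, beta) != f(alpha1, beta):
                bad.append((alpha, beta, alpha1))
    return bad


def indirect_flow_violations(summary, domain):
    """IF of slide 19: for every pair of distinct paths i < j,
    c_i(alpha, beta) ∧ c_j(alpha1, beta) → f_i(alpha, beta) = f_j(alpha1, beta).
    Returns the falsifying triples (a leak through control flow)."""
    bad = []
    n = len(summary)
    for alpha, beta, alpha1 in product(domain, repeat=3):
        for i in range(n - 1):
            ci, fi = summary[i]
            for j in range(i + 1, n):
                cj, fj = summary[j]
                if ci(alpha, beta) and cj(alpha1, beta) and fi(alpha, beta) != fj(alpha1, beta):
                    bad.append((alpha, beta, alpha1))
    return bad


def path_equivalence_holds(summary, domain):
    """PE ≡ DF ∧ IF: the program is non-interferent on this domain iff no
    violation exists (the analogue of the negation of PE being UNSAT)."""
    return (not direct_flow_violations(summary, domain)
            and not indirect_flow_violations(summary, domain))


DOMAIN = range(-2, 3)  # small finite domain standing in for the SMT solver

# Slide 20: the password checker, O = true if alpha == beta, false if alpha != beta.
PASSWORD = [(lambda a, b: a == b, lambda a, b: True),
            (lambda a, b: a != b, lambda a, b: False)]

# Slide 4, direct flow O = H + 3: a single path whose condition is simply true.
DIRECT = [(lambda a, b: True, lambda a, b: a + 3)]

# Constructed secure variant: if (L > 0) O = 1; else O = 0; the output depends only on L.
SECURE = [(lambda a, b: b > 0, lambda a, b: 1),
          (lambda a, b: b <= 0, lambda a, b: 0)]

if __name__ == '__main__':
    for name, summary in [('password', PASSWORD), ('O = H + 3', DIRECT), ('secure', SECURE)]:
        df = direct_flow_violations(summary, DOMAIN)
        ifv = indirect_flow_violations(summary, DOMAIN)
        print(f'{name}: PE holds = {path_equivalence_holds(summary, DOMAIN)}, '
              f'first DF counterexample = {df[:1]}, first IF counterexample = {ifv[:1]}')
```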
Implementation
Tools to use:
Symbolic Execution: Symbolic Pathfinder of NASA
SMT solver: Z3 of Microsoft
The project "Secure Information Flow by Symbolic Execution"
Google Summer of Code 2013: evaluation submitted yesterday.
Mentor organization: NASA's Java Pathfinder team.
Also extended to Quantitative Information Flow.
21 / 24
Conclusions
Shift the self-composing step from the source code to the
symbolic expressions.
Generate self-composition formula in first-order theories.
Implement on Symbolic Pathfinder and Z3.
23 / 24
THANK YOU FOR YOUR ATTENTION!
24 / 24

More Related Content

Similar to Self-composition by Symbolic Execution

Quantifying Information Leaks using Reliability Analysis
Quantifying Information Leaks using Reliability AnalysisQuantifying Information Leaks using Reliability Analysis
Quantifying Information Leaks using Reliability AnalysisQuoc-Sang Phan
 
Connection between inverse problems and uncertainty quantification problems
Connection between inverse problems and uncertainty quantification problemsConnection between inverse problems and uncertainty quantification problems
Connection between inverse problems and uncertainty quantification problemsAlexander Litvinenko
 
TMPA-2015: Implementing the MetaVCG Approach in the C-light System
TMPA-2015: Implementing the MetaVCG Approach in the C-light SystemTMPA-2015: Implementing the MetaVCG Approach in the C-light System
TMPA-2015: Implementing the MetaVCG Approach in the C-light SystemIosif Itkin
 
Statement of stochastic programming problems
Statement of stochastic programming problemsStatement of stochastic programming problems
Statement of stochastic programming problemsSSA KPI
 
Otter 2016-11-28-01-ss
Otter 2016-11-28-01-ssOtter 2016-11-28-01-ss
Otter 2016-11-28-01-ssRuo Ando
 
Computation paths, transport and the univalence axiom - EBL 2017 talk
Computation paths, transport and the univalence axiom - EBL 2017 talkComputation paths, transport and the univalence axiom - EBL 2017 talk
Computation paths, transport and the univalence axiom - EBL 2017 talkArthur Ramos
 
Csr2011 june17 14_00_bulatov
Csr2011 june17 14_00_bulatovCsr2011 june17 14_00_bulatov
Csr2011 june17 14_00_bulatovCSR2011
 
Scala as a Declarative Language
Scala as a Declarative LanguageScala as a Declarative Language
Scala as a Declarative Languagevsssuresh
 
RuleML2015: Input-Output STIT Logic for Normative Systems
RuleML2015: Input-Output STIT Logic for Normative SystemsRuleML2015: Input-Output STIT Logic for Normative Systems
RuleML2015: Input-Output STIT Logic for Normative SystemsRuleML
 
L03 ai - knowledge representation using logic
L03 ai - knowledge representation using logicL03 ai - knowledge representation using logic
L03 ai - knowledge representation using logicManjula V
 
Cryptography Baby Step Giant Step
Cryptography Baby Step Giant StepCryptography Baby Step Giant Step
Cryptography Baby Step Giant StepSAUVIK BISWAS
 
Control Synthesis by Sum of Squares Optimization
Control Synthesis by Sum of Squares OptimizationControl Synthesis by Sum of Squares Optimization
Control Synthesis by Sum of Squares OptimizationBehzad Samadi
 
Road junction modeling using a scheme based on Hamilton-Jacobi equations
Road junction modeling using a scheme based on Hamilton-Jacobi equationsRoad junction modeling using a scheme based on Hamilton-Jacobi equations
Road junction modeling using a scheme based on Hamilton-Jacobi equationsGuillaume Costeseque
 
Csr2011 june17 14_00_bulatov
Csr2011 june17 14_00_bulatovCsr2011 june17 14_00_bulatov
Csr2011 june17 14_00_bulatovCSR2011
 

Similar to Self-composition by Symbolic Execution (20)

Quantifying Information Leaks using Reliability Analysis
Quantifying Information Leaks using Reliability AnalysisQuantifying Information Leaks using Reliability Analysis
Quantifying Information Leaks using Reliability Analysis
 
QMC: Transition Workshop - Approximating Multivariate Functions When Function...
QMC: Transition Workshop - Approximating Multivariate Functions When Function...QMC: Transition Workshop - Approximating Multivariate Functions When Function...
QMC: Transition Workshop - Approximating Multivariate Functions When Function...
 
Connection between inverse problems and uncertainty quantification problems
Connection between inverse problems and uncertainty quantification problemsConnection between inverse problems and uncertainty quantification problems
Connection between inverse problems and uncertainty quantification problems
 
TMPA-2015: Implementing the MetaVCG Approach in the C-light System
TMPA-2015: Implementing the MetaVCG Approach in the C-light SystemTMPA-2015: Implementing the MetaVCG Approach in the C-light System
TMPA-2015: Implementing the MetaVCG Approach in the C-light System
 
Statement of stochastic programming problems
Statement of stochastic programming problemsStatement of stochastic programming problems
Statement of stochastic programming problems
 
Otter 2016-11-28-01-ss
Otter 2016-11-28-01-ssOtter 2016-11-28-01-ss
Otter 2016-11-28-01-ss
 
Computation paths, transport and the univalence axiom - EBL 2017 talk
Computation paths, transport and the univalence axiom - EBL 2017 talkComputation paths, transport and the univalence axiom - EBL 2017 talk
Computation paths, transport and the univalence axiom - EBL 2017 talk
 
main
mainmain
main
 
Richard Everitt's slides
Richard Everitt's slidesRichard Everitt's slides
Richard Everitt's slides
 
3_MLE_printable.pdf
3_MLE_printable.pdf3_MLE_printable.pdf
3_MLE_printable.pdf
 
Csr2011 june17 14_00_bulatov
Csr2011 june17 14_00_bulatovCsr2011 june17 14_00_bulatov
Csr2011 june17 14_00_bulatov
 
Scala as a Declarative Language
Scala as a Declarative LanguageScala as a Declarative Language
Scala as a Declarative Language
 
RuleML2015: Input-Output STIT Logic for Normative Systems
RuleML2015: Input-Output STIT Logic for Normative SystemsRuleML2015: Input-Output STIT Logic for Normative Systems
RuleML2015: Input-Output STIT Logic for Normative Systems
 
L03 ai - knowledge representation using logic
L03 ai - knowledge representation using logicL03 ai - knowledge representation using logic
L03 ai - knowledge representation using logic
 
Abhik-Satish-dagstuhl
Abhik-Satish-dagstuhlAbhik-Satish-dagstuhl
Abhik-Satish-dagstuhl
 
Cryptography Baby Step Giant Step
Cryptography Baby Step Giant StepCryptography Baby Step Giant Step
Cryptography Baby Step Giant Step
 
Control Synthesis by Sum of Squares Optimization
Control Synthesis by Sum of Squares OptimizationControl Synthesis by Sum of Squares Optimization
Control Synthesis by Sum of Squares Optimization
 
Road junction modeling using a scheme based on Hamilton-Jacobi equations
Road junction modeling using a scheme based on Hamilton-Jacobi equationsRoad junction modeling using a scheme based on Hamilton-Jacobi equations
Road junction modeling using a scheme based on Hamilton-Jacobi equations
 
Issta13 workshop on debugging
Issta13 workshop on debuggingIssta13 workshop on debugging
Issta13 workshop on debugging
 
Csr2011 june17 14_00_bulatov
Csr2011 june17 14_00_bulatovCsr2011 june17 14_00_bulatov
Csr2011 june17 14_00_bulatov
 

More from Quoc-Sang Phan

Model-counting Approaches For Nonlinear Numerical Constraints
Model-counting Approaches For Nonlinear Numerical ConstraintsModel-counting Approaches For Nonlinear Numerical Constraints
Model-counting Approaches For Nonlinear Numerical ConstraintsQuoc-Sang Phan
 
All-Solution Satisfiability Modulo Theories: applications, algorithms and ben...
All-Solution Satisfiability Modulo Theories: applications, algorithms and ben...All-Solution Satisfiability Modulo Theories: applications, algorithms and ben...
All-Solution Satisfiability Modulo Theories: applications, algorithms and ben...Quoc-Sang Phan
 
Quantifying Information Leaks via Model Counting Modulo Theories
Quantifying Information Leaks via Model Counting Modulo TheoriesQuantifying Information Leaks via Model Counting Modulo Theories
Quantifying Information Leaks via Model Counting Modulo TheoriesQuoc-Sang Phan
 
Concurrent Bounded Model Checking
Concurrent Bounded Model CheckingConcurrent Bounded Model Checking
Concurrent Bounded Model CheckingQuoc-Sang Phan
 
Symbolic Execution as DPLL Modulo Theories
Symbolic Execution as DPLL Modulo TheoriesSymbolic Execution as DPLL Modulo Theories
Symbolic Execution as DPLL Modulo TheoriesQuoc-Sang Phan
 
Towards an SMT-based approach for Quantitative Information Flow
Towards an SMT-based approach for Quantitative Information FlowTowards an SMT-based approach for Quantitative Information Flow
Towards an SMT-based approach for Quantitative Information FlowQuoc-Sang Phan
 
Symbolic Quantitative Information Flow
Symbolic Quantitative Information FlowSymbolic Quantitative Information Flow
Symbolic Quantitative Information FlowQuoc-Sang Phan
 

More from Quoc-Sang Phan (7)

Model-counting Approaches For Nonlinear Numerical Constraints
Model-counting Approaches For Nonlinear Numerical ConstraintsModel-counting Approaches For Nonlinear Numerical Constraints
Model-counting Approaches For Nonlinear Numerical Constraints
 
All-Solution Satisfiability Modulo Theories: applications, algorithms and ben...
All-Solution Satisfiability Modulo Theories: applications, algorithms and ben...All-Solution Satisfiability Modulo Theories: applications, algorithms and ben...
All-Solution Satisfiability Modulo Theories: applications, algorithms and ben...
 
Quantifying Information Leaks via Model Counting Modulo Theories
Quantifying Information Leaks via Model Counting Modulo TheoriesQuantifying Information Leaks via Model Counting Modulo Theories
Quantifying Information Leaks via Model Counting Modulo Theories
 
Concurrent Bounded Model Checking
Concurrent Bounded Model CheckingConcurrent Bounded Model Checking
Concurrent Bounded Model Checking
 
Symbolic Execution as DPLL Modulo Theories
Symbolic Execution as DPLL Modulo TheoriesSymbolic Execution as DPLL Modulo Theories
Symbolic Execution as DPLL Modulo Theories
 
Towards an SMT-based approach for Quantitative Information Flow
Towards an SMT-based approach for Quantitative Information FlowTowards an SMT-based approach for Quantitative Information Flow
Towards an SMT-based approach for Quantitative Information Flow
 
Symbolic Quantitative Information Flow
Symbolic Quantitative Information FlowSymbolic Quantitative Information Flow
Symbolic Quantitative Information Flow
 

Recently uploaded

The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Intelisync
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyFrank van der Linden
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationkaushalgiri8080
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
What is Binary Language? Computer Number Systems
What is Binary Language?  Computer Number SystemsWhat is Binary Language?  Computer Number Systems
What is Binary Language? Computer Number SystemsJheuzeDellosa
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 

Recently uploaded (20)

The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
What is Binary Language? Computer Number Systems
What is Binary Language?  Computer Number SystemsWhat is Binary Language?  Computer Number Systems
What is Binary Language? Computer Number Systems
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 

Self-composition by Symbolic Execution

  • 1. THE PROBLEM PRELIMINARIES THE APPROACH CONCLUSION Self-composition by Symbolic Execution Quoc-Sang Phan Queen Mary, University of London September 26, 2013 1 / 24
  • 2. THE PROBLEM PRELIMINARIES THE APPROACH CONCLUSION Outline 1 THE PROBLEM Information Flow Self-composition 2 PRELIMINARIES The trace semantics Symbolic Execution 3 THE APPROACH Self-composition as Path-equivalence Path-equivalence generation Implementation 4 CONCLUSION 2 / 24
  • 3. THE PROBLEM PRELIMINARIES THE APPROACH CONCLUSION Information Flow Self-composition Attacker model H Secret H External observer Secret H Public L Public O L SW 3 / 24
  • 4. THE PROBLEM PRELIMINARIES THE APPROACH CONCLUSION Information Flow Self-composition Examples Direct flow (explicit flow) O = H + 3; Indirect flow (implicit flow) i f (H == L) O = true ; // accept password else O = f a l s e ; // r e j e c t 4 / 24
  • 5. THE PROBLEM PRELIMINARIES THE APPROACH CONCLUSION Information Flow Self-composition The problem (Qualitative) Information Flow: does the program leak information? Quantitative Information Flow (QIF): how much does it leak? Given a function F measuring secrecy. Leakage of information is defined as: ∆F (H) = F(H) − F(H|O) F can measure: Shannon entropy, Renyi’s min-entropy, guessing entropy. Two-step analysis for QIF Detect the leaks ← this presentation. “Measure” the leaks. 5 / 24
  • 6. THE PROBLEM PRELIMINARIES THE APPROACH CONCLUSION Information Flow Self-composition Detecting information flow leaks Type system No false negatives, too many false positives (too restrictive) Fast Taint analysis Both false negatives and false positives. Fast (powerful to detect bugs). Theorem proving (by self-composition) Precise: no false positives, no false negatives Impractical in reality. 6 / 24
  • 7. THE PROBLEM PRELIMINARIES THE APPROACH CONCLUSION Information Flow Self-composition Self-composition // program P i f (H == L) O = true ; else O = f a l s e ; // copy of P with a l l v a r i a b l e s renamed i f (H1 == L1 ) O1 = true ; else O1 = f a l s e ; Self-composition in Hoare logic {L = L1}P; P1{O = O1} 7 / 24
  • 8. THE PROBLEM PRELIMINARIES THE APPROACH CONCLUSION Information Flow Self-composition Self-composition Terauchi and Aiken. “Secure information flow as a safety problem”. SAS 2005. “When we actually applied the self-composition approach, we found that not only are the existing automatic safety analysis tools not powerful enough to verify many realistic problem instances efficiently (or at all), but also that there are strong reasons to believe that it is unlikely to expect any future advance”. 8 / 24
  • 9. THE PROBLEM PRELIMINARIES THE APPROACH CONCLUSION Information Flow Self-composition Our contribution Practical approach for Self-composition using Symbolic Execution and SMT solvers. Shift the self-composing step from the source code to the symbolic expressions. Generate self-composition formula in first-order theories. Implement on Symbolic Pathfinder and Z3. 9 / 24
  • 10. THE PROBLEM PRELIMINARIES THE APPROACH CONCLUSION The trace semantics Symbolic Execution The formal system A deterministic program is modelled as a transition system: P = (Σ, I, F, T) Σ is the set of program states; I ⊆ Σ : the set of initial states. σ ∈ I is a pair H, L , which means I = IH × IL F ⊆ Σ : the set of final states. T ⊆ Σ × Σ : the transition function. 10 / 24
  • 11. THE PROBLEM PRELIMINARIES THE APPROACH CONCLUSION The trace semantics Symbolic Execution The trace semantics A trace of (concrete) execution of program P: ρ = σ0σ1..σn σ0 ∈ I, σn ∈ F and σi , σi+1 ∈ T for all i ∈ {0, .., n − 1}. The semantics of P : the set R of all possible traces. init(ρ) = σ0 and fin(ρ) = σn 11 / 24
  • 12. THE PROBLEM PRELIMINARIES THE APPROACH CONCLUSION The trace semantics Symbolic Execution Symbolic Execution Example i f (H == L) O = true ; // accept password else O = f a l s e ; // r e j e c t Execute program with input symbols: H = α and L = β If (α == β) : O = true. If (α = β) : O = false. 12 / 24
  • 13. Symbolic Execution
    A deterministic program is modelled as a transition system: $P = (\Sigma_s, I_s, F_s, T_s)$
    $\Sigma_s$: the set of symbolic states
    $I_s \subseteq \Sigma_s$: the set of initial symbolic states
    $F_s \subseteq \Sigma_s$: the set of final symbolic states
    $T_s \subseteq \Sigma_s \times \Sigma_s$: the transition function.
  • 14. The semantics
    A symbolic path (symbolic trace) of the program P: $\rho_s = \sigma^s_0 \sigma^s_1 \ldots \sigma^s_n$ such that $\sigma^s_0 \in I_s$, $\sigma^s_n \in F_s$ and $\langle \sigma^s_i, \sigma^s_{i+1} \rangle \in T_s$ for all $i \in \{0, \ldots, n-1\}$.
    The symbolic semantics of P: the set $R_s$ of all symbolic paths (aka the symbolic execution tree)
  • 15. The summaries
    Denote by $X|_y$ the value of the variable $X$ at the state $y$.
    For each $\sigma^s_i \in F_s$: $O|_{\sigma^s_i} = f_i(\alpha, \beta)$
    $\sigma^s_i$ is reachable iff the path condition $c_i(\alpha, \beta)$ is SAT.
    $$O = \begin{cases} f_1(\alpha, \beta) & \text{if } c_1(\alpha, \beta) \\ f_2(\alpha, \beta) & \text{if } c_2(\alpha, \beta) \\ \ldots & \ldots \\ f_n(\alpha, \beta) & \text{if } c_n(\alpha, \beta) \end{cases}$$
    $\forall i, j \in [1, n] \wedge i \neq j.\ c_i \wedge c_j = \bot$
  • 16. Trace-equivalence
    Self-composition in Hoare logic: $\{L = L_1\}\ P; P_1\ \{O = O_1\}$
    Interpret in trace semantics:
    Self-composition as Trace-equivalence:
    $\forall \rho \in R, \rho_1 \in R_1.\ L|_{init(\rho)} = L_1|_{init(\rho_1)} \rightarrow O|_{fin(\rho)} = O_1|_{fin(\rho_1)}$
    → impossible to enumerate all traces.
    → need an abstract interpretation: Symbolic Execution.
  • 18. Path-equivalence
    Self-composition in Hoare logic: $\{L = L_1\}\ P; P_1\ \{O = O_1\}$
    Interpret in symbolic semantics:
    Self-composition as Path-equivalence:
    $\forall \rho_s \in R_s, \rho^1_s \in R^1_s.\ (L|_{init(\rho_s)} = L_1|_{init(\rho^1_s)}) \wedge path(\rho_s) \wedge path(\rho^1_s) \rightarrow (O|_{fin(\rho_s)} = O_1|_{fin(\rho^1_s)})$
  • 19. Path-equivalence generation
    Symbolic Execution: $H|_{init(\rho_s)} = \alpha$; $L|_{init(\rho_s)} = \beta$; $H_1|_{init(\rho^1_s)} = \alpha_1$; $L_1|_{init(\rho^1_s)} = \beta$
    Path-equivalence generation: $PE \equiv DF \wedge IF$ where:
    $$DF \equiv \bigwedge_{i=1}^{n} \big( c_i(\alpha, \beta) \wedge c_i(\alpha_1, \beta) \rightarrow (f_i(\alpha, \beta) = f_i(\alpha_1, \beta)) \big)$$
    $$IF \equiv \bigwedge_{i=1}^{n-1} \bigwedge_{j=i+1}^{n} \big( c_i(\alpha, \beta) \wedge c_j(\alpha_1, \beta) \rightarrow (f_i(\alpha, \beta) = f_j(\alpha_1, \beta)) \big)$$
  • 20. Path-equivalence generation
    The password checking program:
    $$O = \begin{cases} true & \text{if } \alpha = \beta \\ false & \text{if } \alpha \neq \beta \end{cases}$$
    Path-equivalence generation: $PE \equiv DF \wedge IF$ where:
    $$DF \equiv (\alpha = \beta \wedge \alpha_1 = \beta \rightarrow true = true) \wedge (\alpha \neq \beta \wedge \alpha_1 \neq \beta \rightarrow false = false)$$
    $$IF \equiv \alpha = \beta \wedge \alpha_1 \neq \beta \rightarrow true = false$$
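To make the DF/IF construction of slides 19 and 20 concrete, the following Python is an added example, not the talk's Symbolic Pathfinder/Z3 implementation: it builds PE from a program's symbolic summary (the $c_i$, $f_i$ pairs of slide 15) and, in place of an SMT solver, checks it exhaustively over a small constructed integer domain; the `O = |L|` program is a constructed non-leaking contrast.

```python
from itertools import product

# Added example (not the talk's SPF/Z3 implementation). A program is given by
# its symbolic summary: a list of (c_i, f_i) pairs, where c_i is the path
# condition and f_i the output of path i, both Python callables over the input
# symbols alpha (H) and beta (L). The SMT solver is replaced by an exhaustive
# check over a small finite domain (an assumption, so the example runs offline).

def direct_flow(summary, a, a1, b):
    """DF: when both copies take the same path i, their outputs must agree."""
    return all((not (c(a, b) and c(a1, b))) or f(a, b) == f(a1, b)
               for c, f in summary)

def indirect_flow(summary, a, a1, b):
    """IF: when the copies take different paths i < j, outputs must still agree."""
    n = len(summary)
    for i in range(n - 1):
        c_i, f_i = summary[i]
        for j in range(i + 1, n):
            c_j, f_j = summary[j]
            if c_i(a, b) and c_j(a1, b) and f_i(a, b) != f_j(a1, b):
                return False
    return True

def path_equivalence(summary, domain):
    """Check PE = DF and IF for every (alpha, alpha1, beta) in the domain.

    Returns None if PE holds (no flow from H to O on this domain), otherwise a
    counterexample (alpha, alpha1, beta): two secrets that yield different
    outputs for the same public input, i.e. an information-flow leak."""
    for a, a1, b in product(domain, repeat=3):
        if not (direct_flow(summary, a, a1, b) and indirect_flow(summary, a, a1, b)):
            return (a, a1, b)
    return None

# Summaries of the talk's two example programs (conditions as on slide 20)
PASSWORD = [(lambda h, l: h == l, lambda h, l: True),    # O = true  if H == L
            (lambda h, l: h != l, lambda h, l: False)]   # O = false if H != L
DIRECT = [(lambda h, l: True, lambda h, l: h + 3)]       # O = H + 3, single path
# Constructed non-interfering program for contrast: O = |L|, branches on L only
ABS_L = [(lambda h, l: l >= 0, lambda h, l: l),
         (lambda h, l: l < 0, lambda h, l: -l)]

DOMAIN = range(-2, 3)   # constructed finite stand-in for the SMT theory

if __name__ == "__main__":
    for name, prog in [("password", PASSWORD), ("O = H + 3", DIRECT), ("O = |L|", ABS_L)]:
        cex = path_equivalence(prog, DOMAIN)
        print(f"{name}: {'leak, witness ' + str(cex) if cex else 'no leak on this domain'}")
```

The witness for the password program is the IF conjunct of slide 20 instantiated: one copy takes the `α = β` path, the other the `α1 ≠ β` path, so `true = false` fails.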
  • 21. Implementation
    Tools to use:
    Symbolic Execution: Symbolic Pathfinder of NASA
    SMT solver: Z3 of Microsoft
    Also extended to Quantitative Information Flow.
    The project "Secure Information Flow by Symbolic Execution", Google Summer of Code 2013: evaluation submitted yesterday. Mentor organization: NASA's Java Pathfinder team.
  • 23. Conclusions
    Shift the self-composing step from the source code to the symbolic expressions.
    Generate the self-composition formula in first-order theories.
    Implement on Symbolic Pathfinder and Z3.