Download presentation

Presentation is loading. Please wait.

Published byBraden Loring Modified over 3 years ago

1
Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan

2
Lab Q1: Manual reasoning on code – Mergesort implementation published in Wikibooks Q2: Constraint Solving – ‘Solve’ for collisions in ELFHash function Q3: Whitebox & blackbox fuzzing – Use a dynamic symbolic execution tool to find bugs automatically Start early!

3
Big Picture Attacks & Defenses Mobile Security (Android) Web Security Network Security Crypto Program Analysis & Verification Symbolic Execution & Constraint Solving Why?

4
A little history … Can we build a machine that can automatically reason and prove mathematical facts about programs?

5
1967

7
1976 “From one simple view, it is an enhanced testing technique. Instead of executing a program on a set of sample inputs, a program is "symbolically" executed for a set of classes of inputs.”

8
Why now?

10
Advances in SAT Solvers Source: Sanjit Seshia

11
Advances in SAT Solvers Source: Sanjit Seshia

12
Significance

13
How do we know our program is “correct”? In general, we don’t know. Test it Let users test it for us Fuzz it Try to prove it’s correct Static analysis Symbolic Execution & Constraint Solving Precision Coverage

14
Dynamic Sym Exec is Directed Testing Path-by-path exploration buf=malloc (s); read(fd, buf, len); s = lens = len + 2 len = input + 3; if len < 10 if len % 2 == 0 s = len F T T F (len == input + 3) && !(len < 10) && !(len%2==0)

15
Dynamic Sym Exec is Directed Testing Path-by-path exploration buf=malloc (s); read(fd, buf, len); s = lens = len + 2 len = input + 3; if len < 10 if len % 2 == 0 s = len F T T F (len == input + 3) && !(len < 10) && (len%2==0) Can we combine all paths into 1 single formula? Bounded Model Checking How do we construct the formula & use a solver?

16
Q2 Goal: ‘Solve’ for Hash Collisions

17
Constructing Logic Formulas from Code Convert statements into Static Single Assignment (SSA) form Encode SSA into target solver input format

18
Static Single Assignment Equations Unroll loops to form loop-free program – for(i=0; i<2; i++){a=a+1;} a=a+1; a=a+1; Rename LHS of each assignment into a new local variable a1=a+1; a2=a+1; Whenever a variable is read (e.g., at RHS), replace it with last assigned variable name a1=a0+1; a2=a1+1;

19
Conditional (if) statements Dynamic Symbolic Execution: – 2 separate path formulas Bounded Model Checking: – Merge both branches into 1 formula

20
Conditional (if) statements

21
Example int example1(int x) { int ret; if (x > 0) ret = x; else ret = -x; assert(ret >= 0); return ret; } SSA ret1 = x0 ret2 = -x0 ret3 = (x0>0 ? ret1 : ret2) Q: Is !(ret3 >= 0) satisfiable? Is this program correct?

22
Constructing Logic Formulas from Code Convert statements into Static Single Assignment (SSA) form = Bit-vector Equations in quantifier-free 1 st order logic Encode SSA into target solver input format – Bit-vector arithmetic logic – “SMT” Solver – SMT-LIB 1.0 standard

24
Example SMT-LIB :extrafuns(x0 BitVec[32]) :extrafuns(ret1 BitVec[32]) :extrafuns(ret2 BitVec[32]) :extrafuns(ret3 BitVec[32]) :extrapreds(branchcond1) :assumption (= ret1 x0) :assumption (= ret2 (bvneg x0) :assumption (iff branchcond1 (bvsgt x0 bv0[32]) :assumption (= ret3 (ite branchcond1 ret1 ret2) (not (bvsge ret3 bv0[32]) :formula true SSA ret1 = x0 ret2 = -x0 ret3 = (x0>0 ? ret1 : ret2) Is !(ret3 >= 0) satisfiable?

25
Querying the Solver $./z3 example1.smt –m ret3 -> bv2147483648[32] ret1 -> bv2147483648[32] branchcond1 -> false ret2 -> bv2147483648[32] x0 -> bv2147483648[32] sat 2147483648 0x80000000 int example1(int x) { … 32 bits Two’s Complement system – Positive range: [0.. 2 N-1 – 1] – Or: [0x00.. 0x7FFFFFFF] – 0x80000000 is a negative signed 32-bit value: -2147483648

26
Example int example1(int x) { int ret; if (x > 0) ret = x; else ret = -x; assert(ret >= 0); return ret; } SSA ret1 = x0 ret2 = -x0 ret3 = (x0>0 ? ret1 : ret2) Q: Is !(ret3 >= 0) satisfiable? Assertion violated if x = -2147483648

27
Slightly Modified Example int example1(char x) { int ret; if (x > 0) ret = x; else ret = -x; assert(ret >= 0); return ret; } SSA ret1 = x0 ret2 = -x0 ret3 = (x0>0 ? ret1 : ret2) Q: Is !(ret3 >= 0) satisfiable?

28
Example :extrafuns(x0 BitVec[32]) :extrafuns(ret1 BitVec[32]) :extrafuns(ret2 BitVec[32]) :extrafuns(ret3 BitVec[32]) :extrapreds(branchcond1) :assumption (= ret1 (sign_extend[24] x0)) :assumption (= ret2 (bvneg (sign_extend[24] x0)) :assumption (iff branchcond1 (bvsgt x0 bv0[32]) :assumption (= ret3 (ite branchcond1 ret1 ret2) (not (bvsge ret3 bv0[32]) :formula true SSA ret1 = x0 ret2 = -x0 ret3 = (x0>0 ? ret1 : ret2) Is !(ret3 >= 0) satisfiable?

29
Querying the Solver $./z3 example1.smt –m unsat int example1(char x) { int ret; if (x > 0) ret = x; else ret = -x; assert(ret >= 0); return ret; } No satisfying assignment exists ==> Assertion holds for all possible inputs!

30
SMT-LIB “Cheat” Sheet: Bit-vectors Declare 32-bit “variable” ‘a’: n-bits Sign Extension to ‘a’: :extrafuns( a BitVec[32] ) sign_extend[n] a 32-bit constant ‘1234’ bv1234[32] Unary functions: ~a bvnot (a) -a bvneg (a) Binary functions: Binary predicates: bvand bvor bvxor bvadd bvshl bvlshr bvsgt bvsge bvfoo (a b) & | ^ + > > >=

31
SMT-LIB “Cheat” Sheet: Booleans Declare a predicate ‘C’: :extrapreds( C ) Unary connectives: ! C not (C) Binary connectives: Implies and or xor iff foo (C D) => && || Ternary connectives: C ? a : b ite (C a b) where a, b can be bit-vectors +

32
Exercise: C Operator Precedence 1.SSA equations? 2.SMT-LIB formula? a = (b >> c) + d; b = -(a ^ ~c);

33
Exercise: C Operator Precedence int a,b; char d; a = (b >> 3) + d; b = -(a ^ ~d); SSA a1 = (b0 >> 3) + d0; b1 = -(a1 ^ ~d0); SMT-LIB :extrafuns(a1 BitVec[32]) :extrafuns(b0 BitVec[32]) :extrafuns(b1 BitVec[32]) :extrafuns(d0 BitVec[8]) :assumption(= a1 (bvadd (bvlshr b0 bv3[32]) (sign_extend[24] d0)) :assumption(= b1 (bvneg (bvxor (bvnot (sign_extend[24] d0) a1 )))

34
Additional References An enjoyable read on verification history: – Vijay D’Silva, Tales from Verification History More about “constraint solvers”: – Daniel Kroening & Ofer Strichman, Decision Procedures: An Algorithmic Point of View

Similar presentations

OK

1/25 Pointer Logic Changki PSWLAB Pointer Logic Daniel Kroening and Ofer Strichman Decision Procedure.

1/25 Pointer Logic Changki PSWLAB Pointer Logic Daniel Kroening and Ofer Strichman Decision Procedure.

© 2018 SlidePlayer.com Inc.

All rights reserved.

To make this website work, we log user data and share it with processors. To use this website, you must agree to our Privacy Policy, including cookie policy.

Ads by Google