The Zoo of Software Security Techniques


1 The Zoo of Software Security Techniques
Computer Security: Techniques and Tactics
The Zoo of Software Security Techniques
Acknowledgements:
CMU 17654: Analysis of Software Artifacts, Jonathan Aldrich
CMU 18732: Secure Software Systems, Lujo Bauer
Stanford CS357: Techniques for Program Analysis and Verification, David Dill

3 Software (In)Security
"This software is secure." Either prove the correctness, or show a counter-example.

4 Overview
Human Inspection & Testing
Program Specification and Verification: Hoare Logic, Program Verification
Static Analysis: Dataflow Analysis, Model Checking
Testing: Fuzzing, Taint Analysis, Symbolic Execution
(Defense/Mitigation)
Note: dynamic analysis is sometimes classified under testing.

5 Inspection

6 Inspection is Actually Powerful
Raytheon: reduced "rework" from 41% of cost to 20% of cost; reduced the effort to fix integration problems by 80%
IBM: 1 hour of inspection saved 20 hours of testing; saved 82 hours of rework if the defects had reached the released product
IBM Santa Teresa Lab: 3.5 hours to find a bug with inspection
HP, defects found per hour: system use 0.21 defects/hour; black box 0.28 defects/hour; white box 0.32 defects/hour; reading/inspection 1.06 defects/hour

8 Testing
Direct execution of code on test data in a controlled environment
Heavily used in real life
Black-box testing: cares about coverage of the input domain
White-box testing: cares about coverage of the program
TODO: advantages of the different metrics
Statement/code coverage
Branch coverage
Path coverage
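The following is an added example, not code from the slides, showing why the three white-box metrics differ. `divide_budget` is a constructed target with a fault on exactly one of its four paths; `CoverageTracer` records executed lines, line-to-line arcs and whole-execution paths with `sys.settrace`; `coverage_report` compares them against the executable lines and the statically enumerated branch outcomes. A two-test suite reaches 100% statement and 100% branch coverage while exercising only two of the four paths, and the failing path is one it never runs. All names here are this example's own.

```python
"""Statement vs. branch vs. path coverage, measured with sys.settrace.
Added example for the testing slides; not code from the slides."""
import ast
import dis
import sys

# Constructed target program (hypothetical): x stays 0 only on the path
# (privileged=False, needs_split=True), and that path divides by zero.
# Kept as source text so the same text is both executed and parsed.
TARGET_SRC = """\
def divide_budget(privileged, needs_split):
    x = 0
    if privileged:
        x = 4
    if needs_split:
        return 100 // x
    return 100
"""


def branch_outcomes(func_def):
    """Static set of (if_line, target_line) arcs: the true and the false outcome
    of every `if` in the function body.  Simplification: an `if` without `else`
    is assumed to be followed by another statement in the same block."""
    arcs = set()

    def walk(block):
        for i, stmt in enumerate(block):
            if isinstance(stmt, ast.If):
                arcs.add((stmt.lineno, stmt.body[0].lineno))
                if stmt.orelse:
                    arcs.add((stmt.lineno, stmt.orelse[0].lineno))
                elif i + 1 < len(block):
                    arcs.add((stmt.lineno, block[i + 1].lineno))
                walk(stmt.body)
                walk(stmt.orelse)

    walk(func_def.body)
    return arcs


class CoverageTracer:
    """Records executed lines, line-to-line arcs and whole-execution paths of
    one code object, plus the inputs that raised."""

    def __init__(self, code):
        self.code = code
        self.lines, self.arcs, self.paths, self.failures = set(), set(), set(), []
        self._path, self._prev = [], None

    def __call__(self, frame, event, arg):
        if frame.f_code is not self.code:
            return None                      # do not trace other frames
        if event == "call":
            self._path, self._prev = [], None
            return self                      # become this frame's local tracer
        if event == "line":
            line = frame.f_lineno
            self.lines.add(line)
            if self._prev is not None:
                self.arcs.add((self._prev, line))
            self._prev = line
            self._path.append(line)
        elif event == "return":              # also fires when unwinding an exception
            self.paths.add(tuple(self._path))
        return self

    def run(self, func, inputs):
        sys.settrace(self)
        try:
            for args in inputs:
                try:
                    func(*args)
                except ZeroDivisionError:
                    self.failures.append(args)
        finally:
            sys.settrace(None)
        return self


def coverage_report(inputs):
    """Run the target on each input tuple; report statement and branch coverage
    as fractions, the number of distinct paths seen, and the failing inputs."""
    namespace = {}
    exec(compile(TARGET_SRC, "<target>", "exec"), namespace)
    func = namespace["divide_budget"]
    code = func.__code__
    executable = {line for _, line in dis.findlinestarts(code)
                  if line is not None and line > code.co_firstlineno}
    outcomes = branch_outcomes(ast.parse(TARGET_SRC).body[0])
    tracer = CoverageTracer(code).run(func, inputs)
    return {
        "statement": len(tracer.lines & executable) / len(executable),
        "branch": len(tracer.arcs & outcomes) / len(outcomes),
        "paths": len(tracer.paths),
        "failures": tracer.failures,
    }


if __name__ == "__main__":
    print(coverage_report([(True, True), (False, False)]))
    print(coverage_report([(True, True), (False, False), (True, False), (False, True)]))
```

The first report shows both coverage fractions at 1.0 with no failure; only the suite that covers all four paths reaches the input (False, True) that divides by zero. This is the gap between branch and path coverage: independent branches multiply into paths, and a fault that needs a particular combination of outcomes is invisible to the cheaper metrics.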

9 Program Specification and Verification

10 Program Verification
Prove that a program S satisfies a property Q.
In a security specification, Q is a security property.
How to prove it? Wait a moment, something is wrong...

11 Program Verification
S: y = x * x; Q: y > 0. Does S satisfy Q?
It depends on x (for x = 0 the result is y = 0): we need a precondition.

12 Program Verification (Hoare triples, or Hoare notation)
{P} S {Q}
Whenever S is executed in a state satisfying P, and if the execution of S terminates, the state in which S's execution terminates satisfies Q.
P: Precondition. Q: Postcondition.

13 Example
{X = 1} X := X+1 {X = 2}: True or False? True.
{X = 1} WHILE T DO X := X {Y = 2}: True or False? True: the loop never terminates, so as a partial-correctness triple the postcondition is never required to hold.

14 Example: a JML specification
    /*@ requires len >= 0 && array.length == len;
      @ ensures \result == (\sum int j; 0 <= j && j < len; array[j]);
      @*/
    float sum(int[] array, int len) {
        float sum = 0.0f;
        int i = 0;
        while (i < len) {
            sum = sum + array[i];
            i = i + 1;
        }
        return sum;
    }
Notation from the Java Modeling Language (JML), a specification language. (Note that the accumulator is a float while the \sum is exact, so the ensures clause holds only up to floating-point rounding.)

15 Weakest Precondition
The most "general" precondition for a given S and Q
{x = 5 && y = 10} z := x / y {z < 1}
{x < y && y > 0} z := x / y {z < 1}
{y ≠ 0 && x / y < 1} z := x / y {z < 1}
Which one is the weakest precondition?
wp(S, Q) = y ≠ 0 && x / y < 1. The other two, x = 5 && y = 10 and x < y && y > 0, are stronger: each implies it.

16 Program Verification
Prove {P} S {Q} is true:
{P} S {Q} holds if and only if P -> wp(S, Q)
(The set of states satisfying P lies inside the set of states satisfying wp(S, Q).)

17 Program Verification
{P} S {Q} holds if and only if P -> wp(S, Q). Now our goal is to find wp(S, Q).

18 Finding wp(S, Q) by Hoare Logic
High-level idea: use one rule for each kind of statement in S.
E.g. the assignment rule: wp(x := E, Q) = [E/x] Q
[E/x] Q (substitution notation): replace all occurrences of x in Q by E
Exercise: wp(x := 3*y + z, x * y - z > 0)

19 Finding wp(S, Q) by Hoare Logic
wp(x := 3*y + z, x * y - z > 0)
= [3*y + z / x] (x * y - z > 0)
= (3*y + z) * y - z > 0
= 3y² + yz - z > 0

20 Using Hoare Logic to Prove Correctness (Security)
Requires a lot of work (deduction, or pre-defined preconditions)
Partial correctness says nothing about termination: a loop that never terminates satisfies any postcondition
Loop invariants have to be found
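The following is an added example, not code from the slides, implementing the rules of slides 18 and 19 for a tiny language (assignment, sequence, if, skip). Programs and predicates are written as Python source; `wp` computes the weakest precondition by substitution on the AST, and `check_wp` cross-checks it on a grid of constructed states, comparing "wp holds before S" with "running S establishes Q". The names `Subst`, `wp`, `wp_source`, `holds`, `establishes` and `check_wp` are this example's own. The last run also shows a caveat the slides' rule hides: the assignment axiom assumes E is total, so when the postcondition does not mention the assigned variable the definedness of x / y disappears from wp, and the grid reports exactly the states where S crashes.

```python
"""Weakest preconditions by the Hoare-logic rules of slides 18-19.
Added example, not the slides' code.  Programs and predicates are given as
Python source; wp is computed by substitution on the AST, and a grid of
concrete states cross-checks it against actually running the statement."""
import ast
import copy
from itertools import product


class Subst(ast.NodeTransformer):
    """The substitution [E/x] Q: replace every occurrence of variable x in Q by E."""

    def __init__(self, var, expr):
        self.var, self.expr = var, expr

    def visit_Name(self, node):
        # A fresh copy per occurrence keeps the result free of shared subtrees.
        return copy.deepcopy(self.expr) if node.id == self.var else node


def wp(block, post):
    """wp(S, Q) for S ::= x = E | S1; S2 | if B: S1 [else: S2] | pass.
    `block` is a list of ast.stmt, `post` an ast.expr; returns a new ast.expr."""
    post = copy.deepcopy(post)
    for stmt in reversed(block):                    # wp(S1; S2, Q) = wp(S1, wp(S2, Q))
        if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
            post = Subst(stmt.targets[0].id, stmt.value).visit(post)   # [E/x] Q
        elif isinstance(stmt, ast.If):
            # wp(if B then S1 else S2, Q) = (B -> wp(S1, Q)) and (not B -> wp(S2, Q))
            b_then, b_else = copy.deepcopy(stmt.test), copy.deepcopy(stmt.test)
            post = ast.BoolOp(ast.And(), [
                ast.BoolOp(ast.Or(), [ast.UnaryOp(ast.Not(), b_then), wp(stmt.body, post)]),
                ast.BoolOp(ast.Or(), [b_else, wp(stmt.orelse, post)]),
            ])
        elif not isinstance(stmt, ast.Pass):
            raise ValueError("unsupported statement: " + ast.dump(stmt))
    return post


def wp_source(prog_src, post_src):
    """Program and postcondition as Python source text; returns wp as source text."""
    block = ast.parse(prog_src).body
    post = ast.parse(post_src, mode="eval").body
    return ast.unparse(wp(block, post))


def holds(pred_src, state):
    """Evaluate a predicate in a state.  An expression that is undefined there
    (e.g. x / y with y == 0) counts as not holding."""
    try:
        return bool(eval(pred_src, {"__builtins__": {}}, dict(state)))
    except ArithmeticError:
        return False


def establishes(prog_src, post_src, state):
    """True iff running S from `state` terminates normally in a state satisfying Q."""
    env = dict(state)
    try:
        exec(prog_src, {"__builtins__": {}}, env)
    except ArithmeticError:
        return False
    return holds(post_src, env)


def check_wp(prog_src, post_src, lo=-3, hi=3):
    """Cross-check on a grid of constructed states: wp(S, Q) should hold before S
    exactly when running S establishes Q.  Returns (wp source, disagreeing states)."""
    pre = wp_source(prog_src, post_src)
    tree = ast.parse(prog_src + "\n" + post_src)
    names = sorted({n.id for n in ast.walk(tree) if isinstance(n, ast.Name)})
    disagreements = []
    for values in product(range(lo, hi + 1), repeat=len(names)):
        state = dict(zip(names, values))
        if holds(pre, state) != establishes(prog_src, post_src, state):
            disagreements.append(state)
    return pre, disagreements


if __name__ == "__main__":
    print(wp_source("x = 3*y + z", "x*y - z > 0"))          # the slide 19 exercise
    print(check_wp("z = x / y", "z < 1"))                   # slide 15: wp is x / y < 1
    # The assignment rule assumes E is total: Q does not mention x, so the
    # division's definedness is lost, and the grid lists the states where S crashes.
    print(check_wp("y = x\nz = 0\nif y > -1:\n    x = x / y\n    y = y - 1\n    z = 5", "z != 0"))
```

For the exercise the tool prints `(3 * y + z) * y - z > 0`, the same predicate as slide 19, and the grid finds no disagreement. For the slides' zero-analysis program with postcondition z != 0 the computed wp reduces to x > -1, yet every state with x == 0 disagrees: wp holds, but x / y divides by zero. That is the gap a separate analysis of "could y be 0?" is meant to close.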

21 Dataflow Analysis

22 Dataflow Analysis: Motivation
Track the flow of values through the program
Check whether the values satisfy a specific property, e.g. zero analysis: could a variable be 0?
The property is a specialization of a Hoare-logic specification: Hoare logic allows any property to be expressed; fixing one property allows automation and soundness.

23 Example: Zero Analysis
y := x;
z := 0;
if (y > -1) {
  x := x / y;
  y := y-1;
  z := 5;
}
Could x be 0? Could y be 0? Could z be 0?
(Questions like these are hard to answer with program verification alone.)

24 Example: Zero Analysis
σ = [ ] maps each variable to an abstract value: Z (zero), NZ (non-zero) or MZ (maybe zero). This is abstract interpretation: after x := 10 the store records x -> NZ, not the concrete value 10.
x := 10;
y := x;
z := 0;
if (y > -1) {
  x := x / y;
  y := y-1;
  z := 5;
}
Could x be 0? Could y be 0? Could z be 0?

31 Example: Zero Analysis
σ = [ ] maps each variable to an abstract value: Z, NZ, MZ
x := 10;          σ = [x -> NZ]
y := x;           σ = [x -> NZ, y -> NZ]
z := 0;           σ = [x -> NZ, y -> NZ, z -> Z]
if (y > -1) {     σ = [x -> NZ, y -> NZ, z -> Z]
  x := x / y;     σ = [x -> NZ, y -> NZ, z -> Z]
  y := y-1;       σ = [x -> NZ, y -> MZ, z -> Z]
  z := 5;         σ = [x -> NZ, y -> MZ, z -> NZ]
}                 σ = [x -> NZ, y -> MZ, z -> MZ]   (join of the two branches)
Could x be 0? No (NZ). Could y be 0? Maybe (MZ). Could z be 0? Maybe (MZ).
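The following is an added example, not code from the slides, that runs the zero analysis of slides 23 to 31 as a forward dataflow analysis over the abstract values Z, NZ and MZ. `abstract` is the transfer function for expressions, `analyze` threads the store σ through a statement list and joins the two stores at the end of an `if`, and `zero_analysis` returns the final store, the per-statement trace and a warning for every division whose divisor is not known to be NZ. As on the slides, the branch condition is not used to refine σ, and `/` is treated as exact division. `SLIDE_PROGRAM` is the slides' program in Python syntax; `JOIN_PROGRAM` is a constructed input that exercises the join and the warning. All function names are this example's own.

```python
"""Zero analysis as a forward dataflow analysis (abstract interpretation) over
the abstract values Z, NZ, MZ from slides 23-31.  Added example, not the slides'
code.  Input programs are Python source; the analysis records the abstract
store sigma after every statement and flags divisions whose divisor may be 0.
As on the slides, the branch condition of an `if` is not used to refine sigma."""
import ast

Z, NZ, MZ = "Z", "NZ", "MZ"          # zero, non-zero, maybe zero


def join(a, b):
    """Least upper bound where two control-flow paths merge."""
    if a is None or b is None:        # variable defined on one path only
        return MZ
    return a if a == b else MZ


def abstract(expr, sigma):
    """Transfer function for expressions: the abstract value of expr in store sigma."""
    if isinstance(expr, ast.Constant):
        return Z if expr.value == 0 else NZ
    if isinstance(expr, ast.Name):
        return sigma.get(expr.id, MZ)          # unknown input: assume nothing
    if isinstance(expr, ast.UnaryOp):
        return abstract(expr.operand, sigma)   # negation preserves zero-ness
    if isinstance(expr, ast.BinOp):
        l, r = abstract(expr.left, sigma), abstract(expr.right, sigma)
        if isinstance(expr.op, ast.Mult):
            return Z if Z in (l, r) else NZ if (l, r) == (NZ, NZ) else MZ
        if isinstance(expr.op, ast.Div):       # exact division, as on the slides
            return Z if l == Z else NZ if (l, r) == (NZ, NZ) else MZ
        if isinstance(expr.op, (ast.Add, ast.Sub)):
            if l == Z and r == Z:
                return Z
            if Z in (l, r):                    # x + 0, x - 0, 0 - x keep x's zero-ness
                return r if l == Z else l
            return MZ                          # NZ +/- NZ may cancel to 0
    return MZ


def analyze(block, sigma, warnings, trace):
    """Forward analysis of a statement list; returns the store after it."""
    for stmt in block:
        if isinstance(stmt, ast.Assign):
            for node in ast.walk(stmt.value):  # check every division before updating sigma
                if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Div):
                    d = abstract(node.right, sigma)
                    if d != NZ:
                        warnings.append(f"line {stmt.lineno}: divisor {ast.unparse(node.right)} is {d}")
            sigma = dict(sigma, **{stmt.targets[0].id: abstract(stmt.value, sigma)})
        elif isinstance(stmt, ast.If):
            then_sigma = analyze(stmt.body, sigma, warnings, trace)
            else_sigma = analyze(stmt.orelse, sigma, warnings, trace)
            sigma = {v: join(then_sigma.get(v), else_sigma.get(v))
                     for v in set(then_sigma) | set(else_sigma)}
        else:
            raise ValueError("unsupported statement: " + ast.dump(stmt))
        trace.append((stmt.lineno, dict(sigma)))
    return sigma


def zero_analysis(src):
    """Analyze Python source; returns (final sigma, warnings, per-statement trace)."""
    warnings, trace = [], []
    sigma = analyze(ast.parse(src).body, {}, warnings, trace)
    return sigma, warnings, trace


# The slides' program in Python syntax.
SLIDE_PROGRAM = """\
x = 10
y = x
z = 0
if y > -1:
    x = x / y
    y = y - 1
    z = 5
"""

# Constructed input (not from the slides): the divisor is 0 on one path and 4 on
# the other, so the join makes it MZ and the division is flagged.
JOIN_PROGRAM = """\
n = 0
if flag:
    n = 4
avg = total / n
"""

if __name__ == "__main__":
    sigma, warnings, trace = zero_analysis(SLIDE_PROGRAM)
    for lineno, store in trace:
        print(lineno, store)
    print(sigma, warnings)
    print(zero_analysis(JOIN_PROGRAM)[1])
```

On the slides' program the trace reproduces slide 31 line by line, ending in x -> NZ, y -> MZ, z -> MZ, and the division x / y is not flagged because y is NZ at that point. On the constructed program the join of Z and NZ yields MZ and the analysis reports that the divisor on line 4 may be zero, which is the kind of finding the analysis exists to produce.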

32 Model Checking
Explore the program's states along its control-flow graph, starting from the initial state x=0, y=0, z=0, ...
x := 10; y := x; z := 0;
if (y > -1) { x := x / y; y := y-1; z := 5; }
Control-flow graph: [x := 10; y := x; z := 0] -> branch on y > -1 / y <= -1 -> [x := x / y; y := y-1; z := 5] on the y > -1 edge -> merge

33 Model Checking
The same control-flow graph, labelled with the abstract states of the dataflow analysis:
after x := 10; y := x; z := 0:   [x -> NZ, y -> NZ, z -> Z]
at the branch y > -1 / y <= -1:  [x -> NZ, y -> NZ, z -> Z]
after the merge:                 [x -> NZ, y -> MZ, z -> MZ]

34 Model Checking
Equivalent: the abstract states found on the graph are the ones the dataflow analysis computed.

35 Model Checking
The current abstract interpretation (Z / NZ / MZ) is insufficient to answer the questions about y and z: both end up MZ.

36 Predicate Abstraction
The program, now with a property to check:
x := 10; y := x; z := 0;
if (y > -1) { x := x / y; y := y-1; z := 5; }
assert(y == 0)
Control-flow graph: [x := 10; y := x; z := 0] -> if y > -1 -> Yes: [x := x / y; y := y-1; z := 5] / No: skip -> assert y == 0

37 Predicate Abstraction
Abstract each state by the truth value of the predicate being checked: y == 0 or y != 0. Each node of the graph is labelled with the abstract states possible there.

38 Predicate Abstraction – Adding Transitions
For each node and abstract state, ask which abstract states can be reached along each edge, e.g. from the unknown state "?" at the branch along the No edge (y <= -1).

39 Predicate Abstraction – Adding Transitions
The resulting abstract model: the graph with the states y == 0 / y != 0 and the transitions between them.

40 Predicate Abstraction – Find Counterexample
Search the abstract model for a path from the entry to a state in which assert y == 0 fails (y != 0).

41 Predicate Abstraction – Validate Counterexample
The abstract path found takes the No branch (y <= -1) and reaches the assertion with y != 0. Replaying it concretely: after x := 10; y := x the value of y is 10, so the No branch cannot be taken. The counterexample is spurious.

42 Predicate Abstraction – Refinement
Add the branch condition as a second predicate: P : y == 0, Q : y <= -1. The abstract states are now the four combinations P && Q, ¬P && Q, P && ¬Q, ¬P && ¬Q.

43 Predicate Abstraction – Second Iteration
P : y == 0, Q : y <= -1. Rebuild the abstract model over the combinations ¬P && Q, P && ¬Q, ¬P && ¬Q (P && Q is unsatisfiable: y cannot be 0 and <= -1 at once).

44 Predicate Abstraction – Second Iteration
P : y == 0, Q : y <= -1. The abstract model over the three satisfiable combinations, with its transitions added.

45 Predicate Abstraction – Second Iteration
Counterexample! The path through the Yes branch reaches assert y == 0 in the state ¬P && ¬Q (concretely y = 9), and this one replays concretely: a real counterexample.
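The following is an added example, not code from the slides, that runs the loop of slides 36 to 45 (abstract, find a counterexample, validate it, refine) on the slides' program. The program is encoded as a small control-flow graph of guarded edges; `find_abstract_counterexample` searches the abstract model whose states are predicate valuations; `validate` replays the abstract path concretely and returns the first guard that fails; `cegar` adds that guard as a new predicate and iterates. One assumption replaces the solver a real tool would use: the abstract transition relation is decided by enumerating a small box of concrete states (`BOX`) instead of asking an SMT solver whether a concrete witness exists. The No edge is listed before the Yes edge so the breadth-first search reports the slides' spurious path first. All names are this example's own.

```python
"""Predicate abstraction with counterexample-guided refinement (CEGAR) on the
slide program.  Added example, not the slides' code.  The abstract transition
relation is computed by enumerating a small finite box of concrete states,
an assumption standing in for the SMT query a real tool would issue."""
from collections import deque
from itertools import product


# --- the slide program as a control-flow graph ------------------------------
# Edge = (label, guard, action, target); guard/action take a concrete state
# dict {"x", "y", "z"}, and action returns the successor state.
def init_block(s):
    return {"x": 10, "y": 10, "z": 0}          # x := 10; y := x; z := 0


def then_block(s):                              # x := x / y; y := y-1; z := 5
    return {"x": s["x"] // s["y"], "y": s["y"] - 1, "z": 5}


def skip(s):
    return dict(s)


CFG = {
    # The No edge is listed first so the abstract search reports the slides'
    # spurious counterexample before the real one.
    "entry":  [("init", lambda s: True, init_block, "branch")],
    "branch": [("No: y <= -1", lambda s: s["y"] <= -1, skip, "assert"),
               ("Yes: y > -1", lambda s: s["y"] > -1, then_block, "assert")],
    "assert": [("assert y == 0 fails", lambda s: s["y"] != 0, skip, "error")],
}

# ASSUMPTION: this finite box of constructed concrete states stands in for the
# solver query "exists s satisfying v with guard(s) and action(s) satisfying v'".
BOX = [{"x": x, "y": y, "z": z}
       for x, y, z in product((-2, 0, 1, 10), range(-3, 13), (0, 5))]


def alpha(preds, s):
    """Abstract a concrete state to the tuple of predicate truth values."""
    return tuple(bool(p(s)) for _, p in preds)


def abstract_successors(preds, loc, val):
    """Over-approximate successors (label, next_loc, next_val) of (loc, val)."""
    succ = []
    for label, guard, action, nxt in CFG.get(loc, []):
        for s in BOX:
            if alpha(preds, s) != val or not guard(s):
                continue
            try:
                v2 = alpha(preds, action(s))
            except ZeroDivisionError:           # x / y with y == 0: no successor here
                continue
            if (label, nxt, v2) not in succ:
                succ.append((label, nxt, v2))
    return succ


def find_abstract_counterexample(preds):
    """Breadth-first search of the abstract model for a path from 'entry' to
    'error'.  Returns the edge labels of that path, or None if none exists."""
    start = [("entry", v) for v in product((False, True), repeat=len(preds))]
    queue = deque((st, []) for st in start)
    seen = set(start)
    while queue:
        (loc, val), path = queue.popleft()
        if loc == "error":
            return path
        for label, nxt, v2 in abstract_successors(preds, loc, val):
            if (nxt, v2) not in seen:
                seen.add((nxt, v2))
                queue.append(((nxt, v2), path + [label]))
    return None


def validate(path):
    """Replay an abstract path concretely.  Returns None if every guard holds
    (a real counterexample), else (label, guard) of the first edge whose guard
    is false in the concrete run (the path is spurious)."""
    s, loc = {"x": 0, "y": 0, "z": 0}, "entry"  # entry state is overwritten by init
    for label in path:
        lbl, guard, action, nxt = next(e for e in CFG[loc] if e[0] == label)
        if not guard(s):
            return lbl, guard
        s, loc = action(s), nxt
    return None


def cegar(max_iters=5):
    """Abstraction refinement starting from the predicate P: y == 0.
    Returns (verdict, predicate names used, counterexample path or None)."""
    preds = [("y == 0", lambda s: s["y"] == 0)]
    for _ in range(max_iters):
        path = find_abstract_counterexample(preds)
        if path is None:
            return "safe", [n for n, _ in preds], None
        spurious = validate(path)
        if spurious is None:
            return "real counterexample", [n for n, _ in preds], path
        preds.append(spurious)                  # refine with the infeasible guard
    return "undecided", [n for n, _ in preds], None


if __name__ == "__main__":
    print(cegar())
```

With P alone the search returns the path init, No: y <= -1, assert fails; replaying it, the No guard is false for y = 10, so the guard y <= -1 becomes the second predicate Q, as on slide 42. In the second iteration the No edge has no abstract successor from ¬P && ¬Q, and the path through the Yes edge is returned and replays concretely with y = 9, the real counterexample of slide 45.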

46 What if there is a loop
P : y == 0, Q : y <= -1
The same program (x := 10; y := x; z := 0; if y > -1 { x := x / y; y := y-1; z := 5 }; assert y == 0) and the same abstract states ¬P && Q, P && ¬Q, ¬P && ¬Q, with the body now looping back to the test y > -1.

48 Quiz
Which of the following will give us a counterexample while checking whether a program satisfies a property?
Predicate abstraction
Program verification
Dataflow analysis
All of the above

