White-box Software Isolation with Fully Automated Black-box Proofs
Jiaqi Tan, Rajeev Gandhi, Priya Narasimhan
PARALLEL DATA LABORATORY
Carnegie Mellon University
FMCAD 2015 Student Forum
Motivation
Software Isolation
Safety property of software: external user input cannot subvert and control software execution.
Ensures software is safe from potentially malicious input.
Where is it important?
Safety-critical systems, e.g., medical devices, avionics, cars.
Lack of isolation leads to security vulnerabilities and potentially catastrophic accidents.
Why White-box Isolation?
Safety-critical systems need high assurance.
Programmers need to see what the safety checks are doing.
Why Black-box Proofs?
Many connected, potentially safety-critical Internet-of-Things devices.
Many programmers writing code for such devices.
Need fully automated, black-box (no expert input) proofs.
Jiaqi Tan © September 15
http://www.pdl.cmu.edu/
Black-Box Software Isolation Proofs
Source-code (e.g., C), compiled to machine-code:
void arraycopy(int *src, int *dst, int n) {
    unsigned int i;
    for (i = 0; i < n; i++) {
        dst[i] = src[i];
    }
}
Computed memory write target (dst[i]): Dangerous
Key Insight 1: Potential isolation violations are evident in machine-code, so we can automate isolation proofs in machine-code.
White-Box Software Isolation: Locations
Source-code (e.g., C), compiled to machine-code:
void arraycopy(int *src, int *dst, int n) {
    unsigned int i;
    for (i = 0; i < n; i++) {
        dst[i] = src[i];
    }
}
Computed memory write target (dst[i]): Dangerous
Debug information helps us resolve this (for unoptimized code): it maps the machine-code address of the dangerous store back to the source line that produced it.
Key Insight 2: We can identify source-code locations from machine-code addresses for potential isolation violations.
White-Box Software Isolation: Hints for Remedies
Source-code (e.g., C), compiled to machine-code:
void arraycopy(int *src, int *dst, int n) {
    unsigned int i;
    for (i = 0; i < n; ++i) {
        dst[i] = src[i];
    }
}
Remedy hint: guard the dangerous write with a safety check.
#define SAFE(array,idx) ......
if (SAFE(dst,i)) {
    ......
}
.... (safety check code) ....
Machine-code (ARM, unoptimized), with the computed store highlighted:
......
e1a02102  lsl r2, r2, #2
e51b1010  ldr r1, [fp, #-16]
e0812002  add r2, r1, r2
e5922000  ldr r2, [r2]
e50b3008  str r2, [r3]        <- dangerous: computed write target in r3
e51b3008  ldr r3, [fp, #-8]
e2833001  add r3, r3, #1
e50b3008  str r3, [fp, #-8]
e51b2018  ldr r2, [fp, #-24]
......
The check provides the logic preconditions needed: it proves the dangerous instruction is safe to run.
Key Insight 3: We can write code, SAFE(dst,i), which gives us the necessary logic pre-conditions for provable isolation.
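Key Insight 3 sketches SAFE(dst,i) but the slide elides its body. The following is an added example, not the slide's or AUSPICE's code, that makes one concrete choice: it assumes each buffer carries a known element count (a hypothetical intbuf_t struct), so SAFE reduces to the index bound idx < len, which is exactly the precondition under which the computed store (str r2, [r3] in the listing) can be shown to stay inside the destination buffer. It shows the unchecked arraycopy beside a checked version, and a helper that reports whether the unchecked loop would violate isolation for a given n without performing the write.

```c
/* Added example, not the slide's or AUSPICE's code.
 * Assumption: every buffer is paired with its length, so the SAFE check
 * is an index-bounds comparison. The real SAFE body is elided on the slide. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical bounded-buffer type: data plus number of int elements. */
typedef struct {
    int *data;
    size_t len;
} intbuf_t;

/* SAFE(buf, idx): true iff buf.data[idx] lies inside the buffer.
 * This inequality is the logical precondition that makes the computed
 * store provably in-bounds. */
#define SAFE(buf, idx) ((size_t)(idx) < (buf).len)

/* Unchecked original: the write target dst[i] is computed from n, which
 * comes from the caller. With n larger than dst's length this is the
 * isolation violation AUSPICE flags at the str instruction. */
void arraycopy(int *src, int *dst, int n) {
    for (int i = 0; i < n; ++i) {
        dst[i] = src[i];
    }
}

/* Checked version: copies at most n elements and stops at the first index
 * for which the SAFE precondition cannot be established on either buffer.
 * Returns the number of elements actually copied so callers can detect
 * truncation instead of silently losing data. */
size_t arraycopy_checked(intbuf_t src, intbuf_t dst, int n) {
    size_t copied = 0;
    if (n < 0) {
        return 0;                 /* negative count: nothing to copy */
    }
    for (size_t i = 0; i < (size_t)n; ++i) {
        if (!SAFE(dst, i) || !SAFE(src, i)) {
            break;                /* the next store would leave the buffer */
        }
        dst.data[i] = src.data[i];
        copied++;
    }
    return copied;
}

/* Reports whether arraycopy(src, dst, n) would write outside dst, without
 * performing the write: the loop's last index is n-1, so the unchecked
 * loop is unsafe exactly when SAFE(dst, n-1) fails. */
bool arraycopy_would_violate(intbuf_t dst, int n) {
    return n > 0 && !SAFE(dst, (size_t)n - 1);
}

int main(void) {
    /* Constructed sample input: 8 source elements, room for only 4. */
    int s[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    int d[4] = {0, 0, 0, 0};
    intbuf_t src = { s, 8 };
    intbuf_t dst = { d, 4 };

    printf("unchecked arraycopy with n=8 would violate isolation: %s\n",
           arraycopy_would_violate(dst, 8) ? "yes" : "no");
    printf("checked arraycopy copied %zu of 8 elements\n",
           arraycopy_checked(src, dst, 8));
    return 0;
}
```

The point of returning the copied count rather than silently clamping is that a truncated copy is itself a symptom the caller should handle; the SAFE guard only makes the store provably in-bounds, it does not make the caller's n correct.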
Visualization of Approach
[Figure: pipeline of the approach]
Source-code (e.g., C) --Compilation--> Machine-code
Machine-code --> Software Isolation Proof Generation (AUSPICE) [1], built on HOL4 and the Cambridge ARM Logic [2] --> Safety Proof of Isolation
Proof Success: isolation is proved.
Proof Failure: machine-code addresses responsible for the proof failure --> Software Isolation Remedy Hint Generation (LLVM-Clang tooling) --> Hints for source-code remedies for safety violations --> Programmer applies hints to the source-code and recompiles.
Why prove in machine-code: software isolation violations manifest in machine-code behavior.
Why remedy in source-code: programmers can only observe this level of abstraction, so isolation enforcement mechanisms must be in source-code.
References
[1] Jiaqi Tan, Hui Jun Tay, Rajeev Gandhi, Priya Narasimhan. AUSPICE: Automatic Safety Property Verification for Unmodified Executables. In Working Conference on Verified Software: Tools, Theories and Experiments (VSTTE), July 2015.
[2] Magnus Myreen, Anthony Fox, Michael Gordon. Hoare Logic for ARM Machine Code. In Fundamentals of Software Engineering (FSEN), 2007.