Presentation Transcript

White-box Software Isolation with Fully Automated Black-box Proofs

Jiaqi Tan, Rajeev Gandhi, Priya Narasimhan

PARALLEL DATA LABORATORY

Carnegie Mellon University

FMCAD 2015 Student Forum

Motivation

Software Isolation
- Safety property of software: external user input cannot subvert and control software execution
- Ensures software is safe from potentially malicious input

Where is it important?
- Safety-critical systems, e.g., medical devices, avionics, cars
- Lack of isolation → security vulnerabilities → potentially catastrophic accidents

Why White-box Isolation?
- Safety-critical systems need high assurance
- Programmers need to see what safety checks are doing

Why Black-box Proofs?
- Many connected, potentially safety-critical Internet-of-Things devices → many programmers writing code for such devices
- Need fully automated, black-box (no expert input) proofs

Jiaqi Tan © September 15

http://www.pdl.cmu.edu/


Black-Box Software Isolation Proofs


[Diagram: Source-code (e.g., C) → Compilation → Machine-code]

    void arraycopy(int *src, int *dst, int n) {
        unsigned int i;
        for (i = 0; i < n; i++) {
            dst[i] = src[i];
        }
    }

Computed memory write target: dangerous

Key Insight 1: Potential isolation violations are evident in machine-code → we can automate isolation proofs in machine-code.

White-Box Software Isolation: Locations


[Diagram: Source-code (e.g., C) → Compilation → Machine-code]

    void arraycopy(int *src, int *dst, int n) {
        unsigned int i;
        for (i = 0; i < n; i++) {
            dst[i] = src[i];
        }
    }

Computed memory write target: dangerous

Debug information helps us resolve this (for unoptimized code).

Key Insight 2: We can identify source-code locations from machine-code addresses for potential isolation violations.

White-Box Software Isolation: Hints for Remedies


[Diagram: Source-code (e.g., C) → Compilation → Machine-code]

Source-code:

    void arraycopy(int *src, int *dst, int n) {
        unsigned int i;
        for (i = 0; i < n; ++i) {
            dst[i] = src[i];
        }
    }

    #define SAFE(array, idx) = ……
    if (SAFE(dst, i)) {
    }
    .... (safety check code) ....

Machine-code:

    ......
    e1a02102  lsl r2, r2, #2
    e51b1010  ldr r1, [fp, #-16]
    e0812002  add r2, r1, r2
    e5922000  ldr r2, [r2]
    e50b3008  str r2, [r3]
    e51b3008  ldr r3, [fp, #-8]
    e2833001  add r3, r3, #1
    e50b3008  str r3, [fp, #-8]
    e51b2018  ldr r2, [fp, #-24]
    ......

Provides the logic preconditions needed: proves the dangerous instruction is safe to run.

Key Insight 3: We can write code, SAFE(dst, i), which gives us the necessary logic preconditions for provable isolation.
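The slide elides SAFE's body, so as an added example (not the paper's or the AUSPICE project's code) here is the arraycopy from the slides beside a version whose store precondition is written out in source; this SAFE takes the buffer length as an extra parameter, which is an assumption, and the sample arrays are constructed.

```c
#include <stddef.h>

/* Stand-in for the slide's elided SAFE(array, idx): the slide does not show
 * its body, so this version (an assumption, not the paper's macro) takes the
 * buffer length explicitly and checks the computed index against it. */
#define SAFE(array, idx, len) ((array) != NULL && (size_t)(idx) < (len))

/* The slide's arraycopy as given: the store to dst[i] is a computed write
 * target (dst + 4*i in the ARM code), bounded only by the caller's n. */
void arraycopy(int *src, int *dst, int n) {
    unsigned int i;
    for (i = 0; i < (unsigned int)n; ++i) {
        dst[i] = src[i];
    }
}

/* White-box remedy: the precondition for the store is visible in source.
 * Returns how many elements were copied, so a caller can detect truncation. */
unsigned int arraycopy_safe(const int *src, size_t src_len,
                            int *dst, size_t dst_len, int n) {
    unsigned int i;
    if (n < 0) {
        return 0; /* a negative n would turn into a huge unsigned bound */
    }
    for (i = 0; i < (unsigned int)n; ++i) {
        /* Both the read and the write target must lie inside their buffers. */
        if (!SAFE(src, i, src_len) || !SAFE(dst, i, dst_len)) {
            break; /* out of bounds: stop before the dangerous store runs */
        }
        dst[i] = src[i];
    }
    return i;
}

/* Constructed check: n exceeds the destination, so the copy must stop at 4. */
unsigned int demo_oversized_n(void) {
    int src[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    int dst[4] = {0, 0, 0, 0};
    return arraycopy_safe(src, 8, dst, 4, 8);
}

/* Constructed check: a well-formed call copies everything and keeps order. */
int demo_exact_fit(void) {
    int src[4] = {9, 8, 7, 6};
    int dst[4] = {0, 0, 0, 0};
    unsigned int copied = arraycopy_safe(src, 4, dst, 4, 4);
    return copied == 4 && dst[0] == 9 && dst[3] == 6;
}
```

The returned count is what a proof of the store's precondition would rely on: every executed `dst[i] = src[i]` is reached only through the SAFE branch.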

Visualization of Approach


[Diagram: Source-code (e.g., C) → Compilation → Machine-code → Software Isolation Proof Generation (AUSPICE) [1], built on HOL4 and the Cambridge ARM Logic [2] → Safety Proof of Isolation: Proof Success / Proof Failure → Machine-code addresses responsible for proof failure → Software Isolation Remedy Hint Generation (LLVM-Clang tooling) → Hints for source-code remedies for safety violations → Programmer applies hints]

- Software isolation violations manifest in machine-code behavior → prove isolation in machine-code
- Programmers can only observe this level of abstraction → isolation enforcement mechanisms must be in source-code

References

[1] Jiaqi Tan, Hui Jun Tay, Rajeev Gandhi, Priya Narasimhan. AUSPICE: Automatic Safety Property Verification for Unmodified Executables. In Working Conference on Verified Software: Tools, Theories and Experiments (VSTTE), July 2015.

[2] Magnus Myreen, Anthony Fox, Michael Gordon. Hoare Logic for ARM Machine Code. In Fundamentals of Software Engineering (FSEN), 2007.