Chaoqiang Deng NYU and Kedar Namjoshi Bell Labs Nokia NOKIA Bell Labs Correctness Security Case in point static single assignment SSA Chaoqiang Deng New York University 08302017 ID: 675754
Download Presentation The PPT/PDF document "Securing The SSA Transform" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Securing The SSA Transform
Chaoqiang Deng (NYU) and Kedar Namjoshi (Bell Labs, Nokia)
NOKIA
Bell LabsSlide2
Correctness ≠ SecurityCase in point: static single assignment (SSA)
Chaoqiang Deng | New York University | 08/30/2017Compiler Optimizations May Weaken Program Security
Static Single Assignment (SSA)
P
void foo() {
int
x;
x =
read_password
();
use(x);
x = 0; // clear password
other();
return;}
Q
void foo() {
int x1, x2; x1 = read_password(); use(x1); x2 = 0; other(); return;}
The SSA transformation is correct
P and Q have the same input-output behavior
However, it is insecure!Slide3
New
information leakage is introduced by fresh SSA variables
When x1 and x2 are assigned distinct registers, the password is leaked through the register assigned to x1Chaoqiang Deng | New York University | 08/30/2017
SSA Transformation Is
Insecure
T
he security of SSA-dependent transformations may be jeopa
r
dized
,
e
ven if it can be guaranteed that SSA variables are allocated the same register
Dead
Store
EliminationQ1x1 = read_password();use(x1);skip;other(); //vulnerable
Q
0
x1 =
read_password
();
use(x1);
x2 = 0;
other(); // vulnerable
SSA
P
x =
read_password
();
use(x);
x = 0; // clear password
other(); // vulnerableSlide4
Procedure
Replace each assignment to x with a fresh name, say xi, for the i ’th assignmentInsert phi functions at merge points to combine values from different branches
ExampleChaoqiang Deng | New York University | 08/30/2017
SSA Background
Single Static Assignment (SSA)
P
for (
i
=0, x=0;
i
< N;
i
++)
{
x = x + i
;
}
Qi1 = 0;x1 = 0;loop: i2 = phi(i1, i3) || x2 = phi(x1, x3); if (i2 >= N) goto end; x3 = x2 + i2; i3 = i2 + 1; goto
loop;
end:Slide5
Programs are deterministic
Input variables are partitioned into High (H) and Low (L) securityAll state variables are low securityProgram P
leaks information if there are inputs (H=a,L
=c) and (H=b,L=c) such that
the computations of P on those inputs produce different output OR terminate in different states
We call (
a,b,c
) a
leaky triple:
example
(h = 0
,
h = 1, l = 100)
Chaoqiang Deng | New York University | 08/30/2017Information Leakage BackgroundHigh input hLow input lLow x initially 0x = h;
High
input h
Low input lLow x initially 0if (h > 0) { x = 10;} else { x = 20;} A transformation from P to Q is secure if every leaky triple for Q is also leaky for PSlide6
Possible workaround?
Forcibly clear any data tainted by high input before an untrusted function callInefficient: a sound taint analysis is generally over-approximateNot always correct: the data may be needed after the function callOutline
How to block a leak immediately after an SSA transformation?How to track a leak through a sequence of optimizations?
Chaoqiang Deng | New York University | 08/30/2017How to stop the leaks introduced by SSA?Slide7
SSA
Replaces each variable x by several variants, e.g. x1, x2, x3, …Advantage: this simplifies register allocation by splitting the live range of xExposes all intermediate values of x, which is the source of new leaksChaoqiang Deng | New York University | 08/30/2017
Problem I: unSSA Immediately After SSA
SSA
P
x =
read_password
();
use(x);
x = 0;
x = read_password2();
Q
x1
=
read_password
();
use(
x1);x2 = 0;x3 = read_password2();unSSA
R
x3
=
read_password
();
use(
x3
);
x3
= 0;
x3
= read_password2();
unSSA
Group together variants of x
Rename every variable in a group to its representative
Secure
BUT
completely negates the SSA advantage
Group:
{x1, x2,
x3
}
Groups:
{x1,
x2
}, {
x3
}
x2
=
read_password
();
use(
x2
);
x2
= 0;
x3
= read_password2();
R
?Slide8
Target: stop the leak & maximize the number of groups
Unfortunately, this is undecidable in general Proof: a simple reduction from the halting problem. Given program P, Original program Q :: {P ; l = h ; l = 0; } SSA program Q’ :: {P’ ; l1 = h ; l2 = 0; } where P’ is the SSA form of P
Q’ leaks the value of h if, and only if, P terminates. Thus, {l1, l2} must be grouped together if, and only if, P terminates.
Chaoqiang Deng | New York University | 08/30/2017Optimal GroupingSlide9
Group variants of variable x in Q:
Find the key variant of x, i.e. the variant corresponding to the final value of x in PPerform a taint analysis on Q
Partition the variants of x into groups such that(P1) Each group has a
representative variable, which is either a key variant or untainted(P2) The variables in a group have mutually disjoint live ranges
(
P3
) The “def” of the group representative
post-dominates
the live ranges of other group variables
Chaoqiang Deng | New York University | 08/30/2017
Sub-optimal Grouping
using Taint Analysis
SSA
P
x = read_password
();
use(x);x = 0;x = read_password2();
Qx1 = read_password();use(x1);x2 = 0;x3 = read_password2();
unSSA
x2
=
read_password
();
use(
x2
);
x2
= 0;
x3
= read_password2();
R
x3
x2
{x1,
x2
},
{
x3
}
x
x2
x3
Leak
=Slide10
In practice, unSSA
must be placed after all SSA-dependent transformationsIt is then difficult to recover the origin of a variableChaoqiang Deng | New York University | 08/30/2017Problem II: unSSA After Intermediate Transformations
SSA
P
x =
read_password
();
use(x);
x = 0;
x = read_password2();
Q
0
x1 =
read_password
();
use(x1);
x2 = 0;
x3 = read_password2();unSSA
Transform
u
=
read_password
();
use(
u
);
v
= 0;
w
= read_password2();
Q
n
Transform
…
?
x3
x
w
X
Key
: the relationships between variables of
Q
n
and variables of PSlide11
Intuitively,
core variables of Qi hold the final values of variables in PCore set Ci – the set of core variables in Qi
Q0: core variables = key variants
Any leak via a core variable in C0
corresponds
to a leak in P
Q
i+1
(
i
≥ 0): C
i+1 is chosen using the refinement relation connecting Qi to Q i+1 so that
Any leak through
a variable of C i+1 induces a leak via the variables in CiBy induction,
any leak in Qn via its core set Cn has a corresponding leak in PChaoqiang Deng | New York University | 08/30/2017Core SetsSSA
P
x =
read_password();use(x);x = 0;x = read_password2();Q0x1 = read_password
();
use(x1);
x2 = 0;
x3 = read_password2();
Transform
u
=
read_password
();
use(
u
);
v
= 0;
w
= read_password2();
Q
n
Transform
…
C
0
= {x3}
x
C
n
= {
w
}
…
LeakSlide12
Construct the
core set CnPerform a taint analysis on QnPartition the variables of
Qn into groups such that(P1
) Each group has a representative variable, which is either a core variant or untainted(P2) The variables in a group have
mutually disjoint live ranges
(
P3
) The “def” of the group representative
post-dominates
the live ranges of other group variables
Rename every variable in a group to the representative
Chaoqiang Deng | New York University | 08/30/2017
The full
unSSA Transform
SSAPx = read_password();
use(x);
x = 0;x = read_password2();
Q0x1 = read_password();use(x1);x2 = 0;x3 = read_password2();
u
=
read_password
();
use(u);
v
= 0;
w
= read_password2();
Q
n
…
R
v
=
read_password
();
use(
v
);
v
= 0;
w
= read_password2();
unSSA
v
w
Leak
w
v
{u,
v
},
{
w
}
=
…
x3
xSlide13
R is at least as secure as P
Intermediate transformations must preserve properties (P1) - (P3)Examples:Constant propagation and foldingLoop unrollingNeither standard DSE or the DSE in [Deng & Namjoshi
, SAS 2016] preserve (P1) - (P3)Secure DSE
Chaoqiang Deng | New York University | 08/30/2017End-to-End Security
P
Q
0
SSA
Intermediate
Transforms
Q
n
R
un
SSA
Intermediate
Transforms
…Slide14
Register Allocation
Live range splitting is analogous to SSA The live range of a variable is broken up into sub-rangesEach sub-range is separately allocated to either register or memoryChaoqiang Deng | New York University | 08/30/2017Open Questions
X1
X2
X3
Live Range of X
Register A
Memory
Register B
X2
X3
Clear XSlide15
Register Allocation
Live range splittingThe live range of a variable is broken up into sub-rangesEach sub-range is separately allocated to either register or memoryPossible solutionsDisable splittingClear unused register or memory locationsChaoqiang Deng | New York University | 08/30/2017
Open Questions
X1
X2
X3
Live Range of X
Register A
Memory
Register B
X1
X2
X3
Clear XSlide16
Main ContributionsSSA transformation is correct but insecure
unSSA blocks leaks introduced by SSA while permitting standard SSA-based optimizations A key step towards end-to-end secure compilationFuture WorkPossibly loosen constraints (P1)-(P3) on intermediate transformationsConsider refinements which address the “amount” of leaked information
Investigate the security impact of live range splitting in register allocationChaoqiang Deng | New York University | 08/30/2017
SummarySlide17
Secure CompilationV.
D’Silva, M. Payer, and D. X. Song. The correctness-security gap in compiler optimization. In SPW 2015, San Jose, CA, USA, May 21-22, 2015.K. Gondi, P. Bisht, P. Venkatachari, A. P. Sistla, and V. N.
Venkatakrishnan. SWIPE: eager erasure of sensitive data in large scale systems software. In CODASPY 2012, San Antonio, TX, USA, February 7-9, 2012.
C. Deng and K. S. Namjoshi. Securing a compiler transformation. In SAS 2016, Edinburgh, UK, September 8-10, 2016.
M.
Patrignani
and D. Garg. Secure compilation and
hyperproperty
preservation. In
CSF
2017,
Santa Barbara, CA, USA, August 21-25, 2017.Quantitative Information FlowG. Smith. Recent developments in quantitative information flow (invited tutorial). In LICS
2015, Kyoto, Japan, July 6-10, 2015.
Chaoqiang Deng | New York University | 08/30/2017Related WorkSlide18
Main ContributionsSSA transformation is correct but insecure
unSSA blocks leaks introduced by SSA while permitting standard SSA-based optimizations A key step towards end-to-end secure compilationFuture WorkPossibly loosen constraints (P1)-(P3) on intermediate transformationsConsider refinements which address the “amount” of leaked information
Investigate the security impact of live range splitting in register allocationChaoqiang Deng | New York University | 08/30/2017
Summary