Dawn Song
Software Security: Vulnerability Analysis
Computer Security Course. Dawn Song
Program Verification
● How to prove a program free of buffer overflows?
● Precondition
● Postcondition
● Loop invariants
Precondition
● Precondition for f() is an assertion (a logical proposition) that must hold at input to f()
● If any precondition is not met, f() may not behave correctly
● Callee may freely assume the obligation has been met
● The concept similarly holds for any statement or block of statements
[Diagram: f(x), with Precondition: φ(x) written above it and Postcondition: ψ below it]
Precondition Example
● Precondition:
  ● fp points to a valid location in memory
  ● fp points to a file
  ● the file that fp points to contains at least 4 characters

#include <ctype.h>
#include <stdio.h>

int parse(FILE *fp) {
    char cmd[256], *url, buf[5];
    fread(cmd, 1, 256, fp);
    int i, header_ok = 0;
    if (cmd[0] == 'G')
        if (cmd[1] == 'E')
            if (cmd[2] == 'T')
                if (cmd[3] == ' ')
                    header_ok = 1;
    if (!header_ok) return -1;
    url = cmd + 4;
    i = 0;
    while (i < 5 && url[i] != '\0' && url[i] != '\n') {
        buf[i] = tolower(url[i]);
        i++;
    }
    buf[i] = '\0';
    printf("Location is %s\n", buf);
    return 0;
}
Postcondition
● Postcondition for f()
  ● An assertion that holds when f() returns
  ● f() has the obligation of ensuring the condition is true when it returns
  ● Caller may assume the postcondition has been established by f()
Postcondition Example

int parse(FILE *fp) {
    char cmd[256], *url, buf[5];
    fread(cmd, 1, 256, fp);
    int i, header_ok = 0;
    if (cmd[0] == 'G')
        if (cmd[1] == 'E')
            if (cmd[2] == 'T')
                if (cmd[3] == ' ')
                    header_ok = 1;
    if (!header_ok) return -1;
    url = cmd + 4;
    i = 0;
    while (i < 5 && url[i] != '\0' && url[i] != '\n') {
        buf[i] = tolower(url[i]);   /* every byte stored in buf is lowercased */
        i++;
    }
    buf[i] = '\0';
    printf("Location is %s\n", buf);
    return 0;
}

● Postcondition:
  ● buf contains no uppercase letters
  ● (return 0) ⇒ (cmd[0..3] == "GET ")
Proving Precondition ⇒ Postcondition
● Given preconditions and postconditions
  ● Specifying what obligations the caller has and what the caller is entitled to rely upon
● Verify: no matter how the function is called,
  ● if the precondition is met at the function’s entrance,
  ● then the postcondition is guaranteed to hold upon the function’s return
Proving Precondition ⇒ Postcondition
● Basic idea:
  ● Write down a precondition and postcondition for every line of code
  ● Use logical reasoning
● Requirement:
  ● Each statement’s postcondition must match (imply) the precondition of any following statement
  ● At every point between two statements, write down the invariant that must be true at that point
  ● The invariant is the postcondition for the preceding statement, and the precondition for the next one
We’ll take our running example, fix the bug, and show that we can successfully prove that the bug no longer exists.

Original loop bound (i<5), with the assertion we want to prove added before the final write:

#include <assert.h>
#include <ctype.h>
#include <stdio.h>

int parse(FILE *fp) {
    char cmd[256], *url, buf[5];
    fread(cmd, 1, 256, fp);
    int i, header_ok = 0;
    if (cmd[0] == 'G')
        if (cmd[1] == 'E')
            if (cmd[2] == 'T')
                if (cmd[3] == ' ')
                    header_ok = 1;
    if (!header_ok) return -1;
    url = cmd + 4;
    i = 0;
    while (i < 5 && url[i] != '\0' && url[i] != '\n') {   /* i can leave the loop equal to 5 */
        buf[i] = tolower(url[i]);
        i++;
    }
    assert(i >= 0 && i < 5);   /* fails when i == 5 */
    buf[i] = '\0';             /* buf[5] would be one past the end of buf */
    printf("Location is %s\n", buf);
    return 0;
}

Loop bound reduced to i<4, so i is at most 4 on exit and buf[4] is the last slot written:

int parse(FILE *fp) {
    char cmd[256], *url, buf[5];
    fread(cmd, 1, 256, fp);
    int i, header_ok = 0;
    if (cmd[0] == 'G')
        if (cmd[1] == 'E')
            if (cmd[2] == 'T')
                if (cmd[3] == ' ')
                    header_ok = 1;
    if (!header_ok) return -1;
    url = cmd + 4;
    i = 0;
    while (i < 4 && url[i] != '\0' && url[i] != '\n') {
        buf[i] = tolower(url[i]);
        i++;
    }
    assert(i >= 0 && i < 5);   /* now provable: see the loop invariant below */
    buf[i] = '\0';
    printf("Location is %s\n", buf);
    return 0;
}

Bug Fixed!

[Flowchart for each version: i = 0; → is (i<5 && url[i]!='\0' && url[i]!='\n')? (fixed version: i<4) → T: loop body, i++, back to the test; F: assert(i>=0 && i<5); → T: buf[i] = '\0'; F: CRASH!]
We’ll take our running example, fix the bug, and show that we can successfully prove that the bug no longer exists…

int parse(FILE *fp) {
    char cmd[256], *url, buf[5];
    fread(cmd, 1, 256, fp);
    int i, header_ok = 0;
    if (cmd[0] == 'G')
        if (cmd[1] == 'E')
            if (cmd[2] == 'T')
                if (cmd[3] == ' ')
                    header_ok = 1;
    if (!header_ok) return -1;
    url = cmd + 4;
    i = 0;
    while (i < 4 && url[i] != '\0' && url[i] != '\n') {
        buf[i] = tolower(url[i]);
        i++;
    }
    buf[i] = '\0';
    printf("Location is %s\n", buf);
    return 0;
}

…So assuming fp points to a file that begins with "GET ", we want to show that parse never goes down the false assertion path.
…But first, we will need the concept of a loop invariant.

[Flowchart: i = 0; → is (i<4 && url[i]!='\0' && url[i]!='\n')? → T: loop body, i++, back to the test; F: assert(i>=0 && i<5); → T: buf[i] = '\0'; F: CRASH!]
Loop Invariant and Induction
● An assertion that is true at entrance to the loop, on any path through the code
● Must be true before every loop iteration
● Both a pre- and post-condition for the loop body

[Flowchart: i = 0; → is (i<5 && url[i]!='\0' && url[i]!='\n')? → T: buf[i] = tolower(url[i]); i++; → back to the test; F: exit. Points A, B and C are marked on the loop; φ(i) is annotated at the loop test and at the start of the body, φ(i+1) after the body.]
Loop Invariant and Induction
● To verify:
  ● Base Case: Prove true for the first iteration: φ(0)
  ● Inductive step: Assume φ(i) at the beginning of the loop. Prove φ(i+1) at the start of the next iteration.
Try with our familiar example, proving that (0≤i<5) after the loop terminates:

LOOP INVARIANT: /* φ(i) = (0≤i<5) */

Base Case: /* φ(0) = (0≤0<5) */

Inductive Step:
/* suppose (0≤i<5) at the beginning of the loop */
/* for (0≤i<4), clearly (0≤i+1<5) */
/* (i=5) is not a possible case since that would fail the looping predicate
   (the predicate i<4 also excludes i=4, so the body only runs with 0≤i<4) */
/* ⇒ (0≤i+1<5) at the end of the loop */

/* ⇒ parse never fails the assertion */

[Flowchart of the fixed loop: i = 0; → is (i<4 && url[i]!='\0' && url[i]!='\n')? → T: loop body, i++, back to the test; F: assert(i>=0 && i<5); → T: buf[i] = '\0'; F: CRASH!]
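The proof above can be checked mechanically at runtime. The following is an added example (not code from the lecture slides): the fixed parse() with its precondition, the loop invariant φ(i) = (0≤i<5) and the two postconditions written as assertions, plus a harness that feeds constructed requests through a temporary file. The names parse_checked, parse_string and loop_exit_index, the out parameter, the zero-fill of cmd and the rejection of inputs shorter than 4 bytes are my additions, not the slides'.

```c
#include <assert.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Fixed parse() from the lecture with its contract checked at runtime.
 * `out` receives buf so a caller can inspect the postcondition.
 * (Added example; the name and the `out` parameter are not from the slides.) */
int parse_checked(FILE *fp, char out[5]) {
    char cmd[256], *url, buf[5];
    int i, header_ok = 0;

    /* Precondition: fp is a valid stream holding at least 4 characters.
     * Shorter input is rejected here (fail closed); the slides assume it. */
    assert(fp != NULL);
    memset(cmd, 0, sizeof cmd);            /* no uninitialised bytes on a short read */
    if (fread(cmd, 1, sizeof cmd, fp) < 4) return -1;

    if (cmd[0] == 'G' && cmd[1] == 'E' && cmd[2] == 'T' && cmd[3] == ' ')
        header_ok = 1;
    if (!header_ok) return -1;

    url = cmd + 4;
    i = 0;
    /* Bound 4, not 5: with phi(i) true before each iteration and i < 4 from
     * the loop test, i + 1 < 5, so phi(i+1) holds at the next test. */
    while (i < 4 && url[i] != '\0' && url[i] != '\n') {
        assert(0 <= i && i < 5);           /* loop invariant phi(i) */
        buf[i] = (char)tolower((unsigned char)url[i]);
        i++;
    }
    assert(0 <= i && i < 5);               /* phi(i) on exit: the write below is in bounds */
    buf[i] = '\0';

    /* Postconditions from the slides: buf holds no uppercase letters,
     * and returning 0 implies cmd started with "GET ". */
    for (int k = 0; buf[k] != '\0'; k++)
        assert(!isupper((unsigned char)buf[k]));
    assert(memcmp(cmd, "GET ", 4) == 0);
    memcpy(out, buf, sizeof buf);
    return 0;
}

/* Feed a constructed request string to parse_checked() through a temporary
 * file (standard C, no POSIX extensions). Returns parse_checked()'s result. */
int parse_string(const char *request, char out[5]) {
    FILE *fp = tmpfile();
    assert(fp != NULL);
    fwrite(request, 1, strlen(request), fp);
    rewind(fp);
    int rc = parse_checked(fp, out);
    fclose(fp);
    return rc;
}

/* Exit value of the loop counter for a given bound, without writing buf:
 * the original bound of 5 can leave i == 5, which is outside phi(i). */
int loop_exit_index(const char *url, int bound) {
    int i = 0;
    while (i < bound && url[i] != '\0' && url[i] != '\n') i++;
    return i;
}

int main(void) {
    char out[5];
    int rc = parse_string("GET /Index.HTML HTTP/1.1\n", out);   /* constructed input */
    printf("rc=%d location=%s\n", rc, out);
    printf("loop exit index, bound 5: %d, bound 4: %d\n",
           loop_exit_index("ABCDEFG", 5), loop_exit_index("ABCDEFG", 4));
    return 0;
}
```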
Function Post-/Pre-Conditions
● For every function call, we have to verify that its precondition will be met
  ● Then we can conclude its postcondition holds and use this fact in our reasoning
● Annotating every function with pre- and post-conditions enables modular reasoning
  ● Can verify function f() by looking at only its code and the annotations on every function f() calls
  ● Can ignore the code of all other functions and functions called transitively
  ● Makes reasoning about f() an almost purely local activity
Documentation
● Pre-/post-conditions serve as useful documentation
  ● To invoke Bob’s code, Alice only has to look at the pre- and post-conditions – she doesn’t need to look at or understand his code
● Useful way to coordinate activity between multiple programmers:
  ● Each module is assigned to one programmer, and pre-/post-conditions are a contract between caller and callee
  ● Alice and Bob can negotiate the interface (and responsibilities) between their code at design time
Avoiding Security Holes
● To avoid security holes (or program crashes)
  ● Some implicit requirements code must meet
  ● Must not divide by zero, make out-of-bounds memory accesses, or dereference null pointers, …
● Prove that code meets these requirements using the same style of reasoning
  ● Ex: when a pointer is dereferenced, there is an implicit precondition that the pointer is non-null and in-bounds
Avoiding Security Holes
● Proving the absence of buffer overruns might be much more difficult
  ● Depends on how the code is structured
  ● Instead of structuring your code so that it is hard to provide a proof of no buffer overruns, restructure it to make the absence of buffer overruns more evident
● Lots of research into automated theorem provers to try to mathematically prove the validity of alleged pre-/post-conditions
  ● Or to help infer such invariants
Program Analyzers

[Diagram: Code and Spec are fed into a Program Analyzer, which emits a report. An analyzer can analyze large code bases, but potentially reports many warnings and may emit false alarms.]

Report   Type                  Line
1        stack oflow           324
2        buffer oflow          8,491
3        buffer oflow          23,212
4        mem leak              86,923
5        unsafe indexing op    5,393,245
…        …                     …
12,002   info leak             10,921

(two of the reports in the diagram are marked as false alarms)
Soundness, Completeness

Property       Definition
Soundness      If the program contains an error, the analysis will report a warning.
               “Sound for reporting correctness”
Completeness   If the analysis reports an error, the program will contain an error.
               “Complete for reporting correctness”
               Complete                              Incomplete
Sound          Reports all errors                    Reports all errors
               Reports no false alarms               May report false alarms
               Undecidable                           Decidable
               (Ex: Manual Program Verification)     (Ex: Abstract Interpretation)
Unsound        May not report all errors             May not report all errors
               Reports no false alarms               May report false alarms
               Decidable                             Decidable
               (Ex: Symbolic Execution)              (Ex: Syntactic Analysis)
Isolation and Reference Monitor
Slide credit: Dan Boneh
Running untrusted code
We often need to run buggy/untrusted code:
● programs from untrusted Internet sites:
  ● toolbars, viewers, codecs for media players
● old or insecure applications: ghostview, outlook
● legacy daemons: sendmail, bind
● Honeypots
● Goal: ensure a misbehaving app cannot harm the rest of the system
● Approach: Confinement
  ● Can be implemented at many different levels

Confinement (I): Hardware
● Hardware: run the application on isolated hardware (air gap)
[Diagram: app 1 on network 1 and app 2 on Network 2, separated by an air gap]
Confinement (II): Firewall
● Firewall: isolate the internal network from the Internet

Confinement (III): VM
● Virtual machines: isolate OS’s on a single machine
[Diagram: app1 on OS1 and app2 on OS2, both running on a Virtual Machine Monitor (VMM)]
Confinement (IV): Processes
● Processes:
  ● Isolate a process in a single operating system
  ● System Call Interposition
[Diagram: process 1 and process 2 running on one Operating System]

Confinement (V): SFI
● Threads: Software Fault Isolation (SFI)
  ● Isolating threads sharing the same address space
Implementing confinement: Reference Monitor
Key properties:
● Mediates requests from applications
  ● Implements the protection policy
  ● Enforces isolation and confinement
● Must always be invoked (complete mediation)
  ● Every application request must be mediated
● Tamperproof/fail safe
  ● Reference monitor cannot be killed
  ● or if killed, then the monitored process cannot access anything requiring the reference monitor’s approval
● Small enough to be analyzed and validated
lec7-program-verification.pdf