kth.sePublications KTH
EnglishSvenskaNorsk
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Proving Safety and Security of Binary Programs
KTH, School of Electrical Engineering and Computer Science (EECS), Computer Science, Theoretical Computer Science, TCS.ORCID iD: 0000-0001-5311-1781
2023 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

With the increasing ubiquity of computing devices, their correct and secure operation is of growing importance. In particular, critical components that provide core functionalities or process sensitive data have to operate as intended. Examples are operating systems that must provide proper isolation among applications, device drivers that must reliably communicate with the hardware, crypto routines that must avoid leakage of sensitive information, and low-level security mechanisms that must be implemented correctly to be effective. All these make use of hardware functionalities that are beyond plain software execution. Therefore, they should ideally be verified at binary level to accurately account for the effects their execution has on the underlying hardware systems.

Verifying properties of binary code is challenging because of its lack of structure in terms of control flows and memory representations, and the complex hardware specifics involved. In this thesis, we aim to improve the precision and trustworthiness of binary code analyses by basing the analyses on interactive theorem proving. We contribute with the new HolBA framework for binary analysis, which is built on top of the HOL4 theorem prover. This allows all implemented algorithms to produce machine-checked correctness proofs for their results. We applied this to implement translation procedures into the intermediate language BIR to facilitate analyses. The proof-producing analysis procedures we provide for program verification are the weakest precondition propagation and symbolic execution. We evaluated the framework with a number of binaries and a larger case study, which is the control software for a balancing robot. The latter has been used as an analysis target to establish execution time bounds using symbolic execution.

Since verification is carried out on models of hardware, the applicability of the verification results hinges on how well the used models reflect the actual hardware. In particular, in the context of security applications, where an attacker tries to exploit traits of hardware execution, this has received less attention in the formal methods community. We contribute with the new Scam-V methodology and tool for differential testing to discover possible instances where the attacker-exploitable behavior of a model and a real hardware system diverge. In a number of case studies with real processors, we found a number of new types of leakage that could be exploited by an attacker. Additionally, our validation exercises revealed a number of modeling issues.
Abstract [sv]

Med datorer och inbyggda system förekommande överallt i dagens samhälle blir dessas korrekthet och säkerhet allt viktigare. I synnerhet måste mjukvarukomponenter som bidrar med viktig funktionalitet eller hanterar känslig data fungera som avsett. Exempel på komponenter är operativsystem som måste isolera applikationer, drivrutiner som måste kommunicera med hårdvaran på ett tillförlitligt sätt, kryptografiska rutiner som inte får läcka känslig information och fundamentala säkerhetsmekanismer vars resultat beror starkt på implementationens korrekthet. Alla dessa komponenter involverar hårdvaruaspekter som normalt sett inte involveras vid exekvering av applikationsprogram. För korrekt verifiering bör därför dessa komponenter analyseras på binär nivå.

Att verifiera binärkodsegenskaper är utmanande då kontrollflöden och minnesrepresentationer saknar struktur i binärkod, och för att verifieringen involverar komplexa hårdvarudetaljer. I denna avhandling förbättrar vi precisionen och tillförlitligheten i binärkodsanalys med hjälp av en interaktiv bevisassistent. Vi presenterar ramverket HolBA för binärkodsanalys, som vi har implementerat i den interaktiva bevisassistenten HOL4. HolBA möjliggör implementation av analysalgoritmer så att algoritmerna producerar maskinkontrollerade korrekthetsbevis för dessas beräknade resultat. Vi har använt HolBA för att implementera översättningsprocedurer från binärkod till det mer abstrakta programspråket BIR för att underlätta formell analys. HolBA har två bevisproducerande analysrutiner för att möjliggöra programverifiering: en rutin för symbolisk exekvering och en rutin som beräknar det minst restriktiva villkoret som garanterar att programets resultat satisfierar ett givet villkor. Vi utvärderar HolBA med hjälp av ett antal binära program, och en större fallstudie bestående av ett program som styr en självbalanserande robot. Robotmjukvarans exekveringstider har analyserats med symbolisk exekvering för att verifiera dess övre och undre tidsgränser.

Verifieringsresultatens tillförlitlighet beror på hur precist hårdvarumodellerna återspeglar den faktiska hårdvaran. Denna aspekt har fått begränsad uppmärksamhet i samband med säkerhet, där subtila hårdvaruoperationer kan utnyttjas vid angrepp. Vi presenterar Scam-V, en metod och ett verktyg för differentiell testning, som upptäcker skillnader i beteende mellan modell och hårdvara som kan ge upphov till säkerhetssårbarheter. I ett antal fallstudier med riktiga processorer hittades, tidigare okända, typer av informationsläckage.
Place, publisher, year, edition, pages
Stockholm: KTH Royal Institute of Technology, 2023. , p. vi, 181
Series
TRITA-EECS-AVL ; 2023:41
Keywords [en]
Binary Code, Binary Analysis, Formal Verification, Model-Based Testing, Theorem Proving, HOL4, Intermediate Language, Instruction Set Architectures, ISA, Observational Models, Symbolic Execution, Weakest-Precondition, Execution Time Analysis
Keywords [sv]
binärkod, binärkodsanalys, formell verifiering, modellbaserad testning, satsbevisning, HOL4, mellankod, instruktionsuppsättningar, ISA, observationsmodeller, symbolisk exekvering, minst restriktiva villkoret, analys av övre tidsgräns
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:kth:diva-326719ISBN: 978-91-8040-583-6 (print)OAI: oai:DiVA.org:kth-326719DiVA, id: diva2:1755837
Public defence
2023-06-02, https://kth-se.zoom.us/j/68807417997, L1, Drottning Kristinas väg 30, Stockholm, 09:00 (English)
Opponent
Supervisors
Funder
Swedish Foundation for Strategic Research, RIT 17-0036Swedish Civil Contingencies Agency, 2015-831
Note

QC 20230509

Available from: 2023-05-09 Created: 2023-05-09 Last updated: 2023-05-15Bibliographically approved
List of papers
1. TrABin: Trustworthy analyses of binaries
Open this publication in new window or tab >>TrABin: Trustworthy analyses of binaries
2019 (English)In: Science of Computer Programming, ISSN 0167-6423, E-ISSN 1872-7964, Vol. 174, p. 72-89Article in journal (Refereed) Published
Abstract [en]

Verification of microkernels, device drivers, and crypto routines requires analyses at the binary level. In order to automate these analyses, in the last years several binary analysis platforms have been introduced. These platforms share a common design: the adoption of hardware-independent intermediate representations, a mechanism to translate architecture dependent code to this representation, and a set of architecture independent analyses that process the intermediate representation. The usage of these platforms to verify software introduces the need for trusting both the correctness of the translation from binary code to intermediate language (called transpilation) and the correctness of the analyses. Achieving a high degree of trust is challenging since the transpilation must handle (i) all the side effects of the instructions, (ii) multiple instruction encodings (e.g. ARM Thumb), and (iii) variable instruction length (e.g. Intel). Similarly, analyses can use complex transformations (e.g. loop unrolling) and simplifications (e.g. partial evaluation) of the artifacts, whose bugs can jeopardize correctness of the results. We overcome these problems by developing a binary analysis platform on top of the interactive theorem prover HOL4. First, we formally model a binary intermediate language and we prove correctness of several supporting tools (i.e. a type checker). Then, we implement two proof-producing transpilers, which respectively translate ARMv8 and CortexM0 programs to the intermediate language and generate a certificate. This certificate is a HOL4 proofdemonstrating correctness of the translation. As demonstrating analysis, we implement a proof-producing weakest precondition generator, which can be used to verify that a given loop-free program fragment satisfies a contract. Finally, we use an AES encryption implementation to benchmark our platform.
Place, publisher, year, edition, pages
Elsevier, 2019
Keywords
Binary analysis, Formal verification, Proof producing analysis, Theorem proving
National Category
Computer Systems
Identifiers
urn:nbn:se:kth:diva-246462 (URN)10.1016/j.scico.2019.01.001 (DOI)000461533200003 ()2-s2.0-85060511323 (Scopus ID)
Projects
Trustfull
Note

QC 20190321

Available from: 2019-03-21 Created: 2019-03-21 Last updated: 2023-05-09Bibliographically approved
2. Proof-Producing Symbolic Execution for Binary Code Verification
Open this publication in new window or tab >>Proof-Producing Symbolic Execution for Binary Code Verification
(English)Manuscript (preprint) (Other academic)
National Category
Computer Sciences
Identifiers
urn:nbn:se:kth:diva-326741 (URN)
Note

QC 20230509

Available from: 2023-05-09 Created: 2023-05-09 Last updated: 2023-05-09Bibliographically approved
3. Validation of Abstract Side-Channel Models for Computer Architectures
Open this publication in new window or tab >>Validation of Abstract Side-Channel Models for Computer Architectures
Show others...
2020 (English)In: Lecture Notes in Computer Science book series, Springer , 2020, Vol. 1224, p. 225-248Conference paper, Published paper (Refereed)
Abstract [en]

Observational models make tractable the analysis of information flow properties by providing an abstraction of side channels. We introduce a methodology and a tool, Scam-V, to validate observational models for modern computer architectures. We combine symbolic execution, relational analysis, and different program generation techniques to generate experiments and validate the models. An experiment consists of a randomly generated program together with two inputs that are observationally equivalent according to the model under the test. Validation is done by checking indistinguishability of the two inputs on real hardware by executing the program and analyzing the side channel. We have evaluated our framework by validating models that abstract the data-cache side channel of a Raspberry Pi 3 board with a processor implementing the ARMv8-A architecture. Our results show that Scam-V can identify bugs in the implementation of the models and generate test programs which invalidate the models due to hidden microarchitectural behavior.
Place, publisher, year, edition, pages
Springer, 2020
Keywords
Information flow security, Microarchitectures, Model validation, Side channels, Testing, Computer aided analysis, Program debugging, Software testing, Indistinguishability, Information flows, Observational models, Program generation, Relational analysis, Side-channel, Symbolic execution, Test program, Computer architecture
National Category
Computer Sciences
Identifiers
urn:nbn:se:kth:diva-285360 (URN)10.1007/978-3-030-53288-8_12 (DOI)000695276000012 ()2-s2.0-85089236051 (Scopus ID)
Conference
CAV 2020: Computer Aided Verification, 21 July 2020 through 24 July 2020
Note

QC 20201201

Available from: 2020-12-01 Created: 2020-12-01 Last updated: 2024-01-10Bibliographically approved
4. Validation of side-channel models via observation refinement
Open this publication in new window or tab >>Validation of side-channel models via observation refinement
2021 (English)In: Proceedings of the Annual International Symposium on Microarchitecture, MICRO, Association for Computing Machinery (ACM) , 2021, p. 578-591Conference paper, Published paper (Refereed)
Abstract [en]

Observational models enable the analysis of information flow properties against side channels. Relational testing has been used to validate the soundness of these models by measuring the side channel on states that the model considers indistinguishable. However, unguided search can generate test states that are too similar to each other to invalidate the model. To address this we introduce observation refinement, a technique to guide the exploration of the state space to focus on hardware features of interest. We refine observational models to include fine-grained observations that characterize behavior that we want to exclude. States that yield equivalent refined observations are then ruled out, reducing the size of the space. We have extended an existing model validation framework, Scam-V, to support refinement. We have evaluated the usefulness of refinement for search guidance by analyzing cache coloring and speculative leakage in the ARMv8-A architecture. As a surprising result, we have exposed SiSCLoak, a new vulnerability linked to speculative execution in Cortex-A53.
Place, publisher, year, edition, pages
Association for Computing Machinery (ACM), 2021
Keywords
Information flow security, Microarchitectures, Model validation, Side channels, Testing, Channel modelling, Flow properties, Information flows, Micro architectures, Observational models, On state, Side-channel, Unguided search, Security of data
National Category
Computer Sciences
Identifiers
urn:nbn:se:kth:diva-313186 (URN)10.1145/3466752.3480130 (DOI)001118047400042 ()2-s2.0-85118897960 (Scopus ID)
Conference
54th Annual IEEE/ACM International Symposium on Microarchitecture, MICRO 2021, 18 October 2021 through 22 October 2021
Note

QC 20220602

part of proceedings ISBN 9781450385572

Available from: 2022-06-02 Created: 2022-06-02 Last updated: 2025-12-05Bibliographically approved

Open Access in DiVA

fulltext(3634 kB)948 downloads
File information
File name FULLTEXT01.pdfFile size 3634 kBChecksum SHA-512
bd0c9b607c70f7ff92b4078e50f1dab2122f593150a56f77f16c69cf95f59e89d43a03f828e1887e0bd6ef68f140e88913881518eed067deffa1349aa81289d3
Type fulltextMimetype application/pdf

Authority records

Lindner, Andreas

Search in DiVA

By author/editor
Lindner, Andreas
By organisation
Theoretical Computer Science, TCS
Computer Sciences

Search outside of DiVA

GoogleGoogle Scholar
Total: 952 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

isbn
urn-nbn

Altmetric score

isbn
urn-nbn
Total: 2456 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
v. 2.47.0
|
WCAG
|
KTH Library
|
DiVA support
|
Register in DiVA
|
Posting your thesis
|
SwePub
|
About Open Access