Sound Abstract Nonexploitability Analysis
Pages 314 - 337
Abstract
Runtime errors that can be triggered by an attacker are sensibly more dangerous than others, as they not only result in program failure, but can also be exploited and lead to security breaches such as Denial-of-Service attacks or remote code execution. Proving the absence of exploitable runtime errors is challenging, as it involves combining classic techniques for safety with novel security analyses. While numerous approaches to statically detect runtime errors have been proposed, they lack the ability to classify program failures as potentially exploitable or not. In this paper, we bridge the gap between traditional safety properties and security hyperproperties by putting forward a novel definition of nonexploitability, which we leverage to propose a sound static analysis by abstract interpretation to prove the absence of exploitable runtime errors. While false alarms can occur, if our analysis determines that a program is nonexploitable, then there is a strong mathematical guarantee that it is impossible for an attacker to trigger a runtime error. Furthermore, our analysis reduces the noise generated from false positives by classifying each warning as security-critical or not. We implemented the first nonexploitability analyzer for a subset of C, and we evaluated it on a set of real-world programs taken from the GNU Coreutils package that are long up to lines of code. Our analysis was able to prove that more than 70% of the runtime errors previously reported ( over ) cannot be triggered by an attacker.
References
[1]
Common vulnerabilities and exposures (CVE) database. https://cve.mitre.org/. Accessed 30 Aug 2023
[2]
CVE-2019-8745. Available from NIST, CVE-ID CVE-2019-8745. https://nvd.nist.gov/vuln/detail/CVE-2019-8745. Accessed 30 Aug 2023
[3]
CVE-2022-36934. Available from NIST, CVE-ID CVE-2022-36934. https://nvd.nist.gov/vuln/detail/CVE-2022-36934. Accessed 30 Aug 2023
[4]
CVE-2022-4135. Available from NIST, CVE-ID CVE-2022-4135. https://nvd.nist.gov/vuln/detail/CVE-2022-4135 Accessed 30 Aug 2023
[5]
The Infer static analyzer. https://fbinfer.com/
[6]
The Pysa static analyzer. https://engineering.fb.com/2020/08/07/security/pysa/
[7]
Juliet C/C++ test suite (2017). https://samate.nist.gov/SARD/test-suites/112. Accessed 30 Aug 2023
[8]
Microsoft: a proactive approach to more secure code (2019). https://msrc.microsoft.com/blog/2019/07/a-proactive-approach-to-more-secure-code/. Accessed 30 Aug 2023
[9]
Agat, J.: Transforming out timing leaks. In: Principles of Programming Languages, POPL, pp. 40–53. ACM (2000).
[10]
Antonopoulos, T., Gazzillo, P., Hicks, M., Koskinen, E., Terauchi, T., Wei, S.: Decomposition instead of self-composition for proving the absence of timing channels. In: Conference on Programming Language Design and Implementation, PLDI, pp. 362–375. ACM (2017).
[11]
Arzt, S., et al.: FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. In: Programming Language Design and Implementation, PLDI, pp. 259–269. ACM (2014).
[12]
Assaf, M., Naumann, D.A., Signoles, J., Totel, E., Tronel, F.: Hypercollecting semantics and its application to static analysis of information flow. In: Principles of Programming Languages, POPL (2017).
[13]
Aziz A, Sanwal K, Singhal V, and Brayton R Alur R and Henzinger TA Verifying continuous time Markov chains Computer Aided Verification 1996 Heidelberg Springer 269-276
[14]
Banerjee, A., Naumann, D.A.: Secure information flow and pointer confinement in a Java-like language. In: Computer Security Foundations Workshop CSFW, pp. 253. IEEE Computer Society (2002).
[15]
Bardin, S., Girol, G.: A quantitative flavour of robust reachability. CoRR abs/2212.05244 (2022). 10.48550/arXiv. 2212.05244
[16]
Barthe G, D’Argenio PR, and Rezk T Secure information flow by self-composition Math. Struct. Comput. Sci. 2011 21 6 1207-1252
[17]
Berghel H The code red worm Commun. ACM 2001 44 12 15-19
[18]
Clarkson MR, Finkbeiner B, Koleini M, Micinski KK, Rabe MN, and Sánchez C Abadi M and Kremer S Temporal logics for hyperproperties Principles of Security and Trust 2014 Heidelberg Springer 265-284
[19]
Clarkson, M.R., Schneider, F.B.: Hyperproperties. In: 21st IEEE Computer Security Foundations Symposium, pp. 51–65 (2008)
[20]
Cohen, E.S.: Information transmission in computational systems. In: Symposium on Operating System Principles, SOSP, pp. 133–139. ACM (1977).
[21]
Cousot P et al. Sagiv M et al. The ASTREÉ analyzer Programming Languages and Systems 2005 Heidelberg Springer 21-30
[22]
Cousot P Chang B-YE Abstract semantic dependency Static Analysis 2019 Cham Springer 389-410
[23]
Cousot P and Cousot R Abstract Interpretation: A Unified Lattice Model for Static Analysis of Programs by Construction or Approximation of Fixpoints 1977 POPL Principles of Programming Languages
[24]
Cousot P and Monerau M Seidl H Probabilistic abstract interpretation Programming Languages and Systems 2012 Heidelberg Springer 169-193
[25]
Denning DE and Denning PJ Certification of programs for secure information flow Commun. ACM 1977 20 7 504-513
[26]
Durumeric, Z., et al.: The matter of heartbleed. In: Internet Measurement Conference, IMC, pp. 475–488. ACM (2014).
[27]
Finkbeiner B, Rabe MN, and Sánchez C Kroening D and Păsăreanu CS Algorithms for model checking HyperLTL and HyperCTL Computer Aided Verification 2015 Cham Springer 30-48
[28]
Girol G, Farinier B, and Bardin S Silva A and Leino KRM Not all bugs are created equal, but robust reachability can tell the difference Computer Aided Verification 2021 Cham Springer 669-693
[29]
Goguen, J.A., Meseguer, J.: Security policies and security models. In: Security and Privacy, pp. 11–20. IEEE Computer Society (1982).
[30]
Goguen, J.A., Meseguer, J.: Unwinding and inference control. In: Security and Privacy, pp. 75–87. IEEE Computer Society (1984).
[31]
Hansson H and Jonsson B A logic for reasoning about time and reliability Formal Aspects Comput. 1994 6 5 512-535
[32]
Heintze, N., Riecke, J.G.: The slam calculus: programming with secrecy and integrity. In: Principles of Programming Languages, POPL, pp. 365–377. ACM (1998).
[33]
Heusser, J., Malacaria, P.: Quantifying information leaks in software. In: Annual Computer Security Applications Conference, ACSAC, pp. 261–269. ACM (2010).
[34]
Jeannet B and Miné A Bouajjani A and Maler O Apron: a library of numerical abstract domains for static analysis Computer Aided Verification 2009 Heidelberg Springer 661-667
[35]
Journault M, Miné A, Monat R, and Ouadjaout A Chakraborty S and Navas JA Combinations of reusable abstract domains for a multilingual static analyzer Verified Software. Theories, Tools, and Experiments 2020 Cham Springer 1-18
[36]
Li L et al. Static analysis of android apps: a systematic literature review Inf. Softw. Technol. 2017 88 67-95
[37]
Mastroeni, I., Pasqua, M.: Hyperhierarchy of semantics - a formal framework for hyperproperties verification. In: Static Analysis Symposium, SAS. vol. 10422, pp. 232–252 (2017).
[38]
Mastroeni, I., Pasqua, M.: Verifying bounded subset-closed hyperproperties. In: Static Analysis Symposium, SAS. vol. 11002, pp. 263–283 (2018).
[39]
Mastroeni, I., Pasqua, M.: Statically analyzing information flows: an abstract interpretation-based hyperanalysis for non-interference. In: Symposium on Applied Computing, SAC, pp. 2215–2223 (2019).
[40]
Miné, A.: The octagon abstract domain. High. Order Symbolic Comput. (HOSC) 19(1), 31–100 (2006)., http://www-apr.lip6.fr/mine/publi/article-mine-HOSC06.pdf
[41]
Monniaux D Palsberg J Abstract interpretation of probabilistic semantics Static Analysis 2000 Heidelberg Springer 322-339
[42]
Monniaux D Cousot P An abstract analysis of the probabilistic termination of programs Static Analysis 2001 Heidelberg Springer 111-126
[43]
Myers, A.C., Liskov, B.: A decentralized model for information flow control. In: Symposium on Operating System Principles, SOSP, pp. 129–142. ACM (1997).
[44]
Ørbæk P and Palsberg J Trust in the lambda-calculus J. Funct. Program. 1997 7 6 557-591
[45]
Orman HK The Morris worm: a fifteen-year perspective IEEE Secur. Priv. 2003 1 5 35-43
[46]
Ouadjaout A and Miné A Pichardie D and Sighireanu M A library modeling language for the static analysis of C programs Static Analysis 2020 Cham Springer 223-247
[47]
Parolini, F., Miné, A.: Sound Abstract Nonexploitability Analysis Artifact (2023).
[48]
Di Pierro A and Wiklicky H Probst CW, Hankin C, and Hansen RR Probabilistic abstract interpretation: from trace semantics to DTMC’s and linear regression Semantics, Logics, and Calculi 2016 Cham Springer 111-139
[49]
Pottier F and Simonet V Information flow inference for ML ACM Trans. Program. Lang. Syst. 2003 25 1 117-158
[50]
Sabelfeld, A., Sands, D.: Probabilistic noninterference for multi-threaded programs. In: Computer Security Foundations Workshop, CSFW, pp. 200–214. IEEE Computer Society (2000).
[51]
Schultz E, Mellander J, and Peterson D The MS-SQL slammer worm Netw. Secur. 2003 2003 3 10-14
[52]
Smith, G., Volpano, D.M.: Secure information flow in a multi-threaded imperative language. In: Principles of Programming Languages, POPL, pp. 355–364. ACM (1998).
[53]
Spoto, F., et al.: Static identification of injection attacks in Java. ACM Trans. Program. Lang. Syst. 41(3), 18:1–18:58 (2019).
[54]
Terauchi T and Aiken A Hankin C and Siveroni I Secure information flow as a safety problem Static Analysis 2005 Heidelberg Springer 352-367
[55]
Tiraboschi, I., Rezk, T., Rival, X.: Sound symbolic execution via abstract interpretation and its application to security. In: Verification, Model Checking, and Abstract Interpretation, VMCAI. LNCS, vol. 13881, pp. 267–295. Springer (2023).
[56]
Urban, C., Müller, P.: An abstract interpretation framework for input data usage. In: European Symposium on Programming, ESOP. vol. 10801, pp. 683–710 (2018).
[57]
Volpano DM, Irvine CE, and Smith G A sound type system for secure flow analysis J. Comput. Secur. 1996 4 2/3 167-188
[58]
Volpano, D.M., Smith, G.: Probabilistic noninterference in a concurrent language. J. Comput. Secur. 7(1), 231–253 (1999).
[59]
Zdancewic S and Myers AC Sands D Secure information flow and CPS Programming Languages and Systems 2001 Heidelberg Springer 46-61
Index Terms
- Sound Abstract Nonexploitability Analysis
Index terms have been assigned to the content through auto-classification.
Recommendations
Detection of Uncaught Exceptions in Functional Programs by Abstract Interpretation
Programming Languages and SystemsAbstractException handling is a key feature in modern programming languages. Exceptions can be used to deal with errors, or as a means to control the flow of execution of a program. Since they might unexpectedly terminate a program, unhandled exceptions ...
Sound Static Analysis of Regular Expressions for Vulnerabilities to Denial of Service Attacks
Theoretical Aspects of Software EngineeringAbstractModern programming languages often provide functions to manipulate regular expressions in standard libraries. If they offer support for advanced features, the matching algorithm has an exponential worst-case time complexity: for some so-called ...
Abstract interpretation under speculative execution
PLDI 2019: Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and ImplementationAnalyzing the behavior of a program running on a processor that supports speculative execution is crucial for applications such as execution time estimation and side channel detection. Unfortunately, existing static analysis techniques based on abstract ...
Comments
Please enable JavaScript to view thecomments powered by Disqus.Information & Contributors
Information
Published In
Jan 2024
348 pages
ISBN:978-3-031-50520-1
DOI:10.1007/978-3-031-50521-8
- Editors:
- Rayna Dimitrova,
- Ori Lahav,
- Sebastian Wolff
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2024.
Publisher
Springer-Verlag
Berlin, Heidelberg
Publication History
Published: 15 January 2024
Author Tags
Qualifiers
- Article
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 0Total Downloads
- Downloads (Last 12 months)0
- Downloads (Last 6 weeks)0
Reflects downloads up to 28 Sep 2024
Other Metrics
Citations
View Options
View options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in