Technical presentation

Transcription

1 TOWARDS A COGNITIVE COMPUTING PLATFORM SUPPORTING A UNIFIED APPROACH TOWARDS PRIVACY, SECURITY AND SAFETY (PSS) OF IOT SYSTEMS The VESSEDIA Project Technical presentation Armand PUCCETTI, CEA Rome, 11th October 2018 CHARIOT 1 st Workshop, 11 October 2018, Rome 1

2 Project objectives VESSEDIA is H2020 project in Work programme DS Assurance and Certification for Trustworthy and Secure ICT systems, services and components Aims at developing tools to improve the V&V of IoT software applications, inspired from the tools used already for safety-critical embedded systems. Tools to reason at source code level Tools to V&V formally some code and provide a 100% guarantee that all possible faults of given categories are extracted Tools for large-scale applications Tools combined with Dynamic Analysis tools Tools supported by a V&V methodology Tools referring CWE items Tools for easy use by any IoT developer of C/C++/Java code CHARIOT 1 st Workshop, 11 October 2018, Rome 2

3 Source code analysis Source code is the most adequate level representation of a software on which a developer reasons, suitable for analysis. We address C, C++ and Java languages and improve their analysis tools C, C++ and Java for mobile applications, and interfaces to binary/assembler vulnerabilities detection tools. CHARIOT 1 st Workshop, 11 October 2018, Rome 3

4 V&V Tools Frama-C Formal methods are based on mathematical models of programs (e.g. Z for integers) to reason about programs. Formal methods use a formal semantics of programs to understand their computational model, e.g. operational semantics, denotational semantics or axiomatic semantics. For imperative programming languages, the preferred formal methods are Hoare Logic and Abstract Interpretation. Hoare, C. A. R. "An axiomatic basis for computer programming. Communications of the ACM. 12 (10): 576, 580, October R. W. Floyd. "Assigning meanings to programs." Proceedings of the American Mathematical Society Symposia on Applied Mathematics. Vol. 19, pp P. Cousot & R. Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. Conference Record of the Sixth Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages , Los Angeles, California, ACM Press, New York. CHARIOT 1 st Workshop, 11 October 2018, Rome 4

5 Abstract Interpretation Plug-in EVA (Evolved Value Analysis)

6 An example with Frama-C EVA 1 #include <stdlib.h> 2 3 int main() { 4 int * tab = (int *) malloc(sizeof(int)*10); 5 int i; 6 7 /*@ loop pragma UNROLL 10; */ 8 for ( i=0; i<11; i++ ) 9 tab[i]=1; 10 return 0; } Assuming the platform is Linux x86_64 and using the Frama-C built-ins for libc, the analysis produces: [eva:alarm] f.c:9: Warning: out of bounds write. assert \valid(tab + i); CHARIOT 1 st Workshop, 11 October 2018, Rome 6

7 Hoare Logic Plug-in WP (Weakest Preconditions calculus)

8 An example with Frama-C ACSL - iota Assign sequentially increasing values to a range, where the initial value is user-defined. The signature reads: void iota(value_type* a, size_type n, value_type val); Starting at val, the function assigns consecutive integers to the elements of the range a. Be careful to deal with possible overflows of the argument val! predicate Iota(value_type* a, integer n, value_type v) = \forall integer i; 0 <= i < n ==> a[i] == v + i; The specification of this function is /*@ requires \valid(a + (0..n-1)); requires limit: val + n <= VALUE_TYPE_MAX; // Avoid overflow assigns a[0..n-1]; ensures Iota(a, n, val); */ CHARIOT 1 st Workshop, 11 October 2018, Rome 8

9 An example with Frama-C ACSL iota (cont d) Source code and proof of iota: typedef int value_type; predicate Iota(value_type* a, integer n, value_type v) = \forall integer i; 0 <= i < n ==> a[i] == v+i; */ /*@ requires valid: \valid(a + (0..n-1)); requires limit: val + n <= VALUE_TYPE_MAX; assigns a[0..n-1]; ensures increment: Iota(a, n, val); */ void iota(value_type * a, int n, value_type val) { /*@ loop invariant bound: 0 <= i <= n; loop invariant limit: val == \at(val, Pre) + i; loop invariant increment: Iota(a, i, \at(val, Pre)); loop assigns i, val, a[0..n-1]; loop variant n-i; */ for (int i = 0; i < n; ++i) { a[i] = val++; }; return; } CHARIOT 1 st Workshop, 11 October 2018, Rome 9

10 VESSEDIA results At mid-period

11 Platforms V&V Tools Frama-C for analysis and proof of C/C++ source code VeriFast for the analysis of Java and C source code FlowGuard for the analysis of CFI/DFI properties of binary code Papyrus/Diversity for modelling and simulation Several plug-ins for these tools: Frama-clang - analysis of C++ source code by translation into C source code AFL_SCA - fuzz testing of source code after Abstract Interpretation has been done E-ACSL - monitoring : compilation of ACSL assertions into binary code Diversity-to-ACSL - generation of ACSL trace properties SecSoftML - modelling SAaaS proofs in the cloud RPP proof of functions sequence properties CHARIOT 1 st Workshop, 11 October 2018, Rome 11

12 Use-cases Contiki OS (Inria) C Focus on IPv6 stack and OS primitives C source code mainly Evaluate handling of specific patterns, e.g. Protothreads Using Frama-C 6LowPAN Management Platform (CEA) OTA reprogramming in multi-hop networks (Contiki-based) Entities: 6LoWPAN nodes (C), gateway (Java), management server Using Frama-C and VeriFast Aircraft Maintenance System (DA) Diagnosis and failure prevention, embedded in a civil aircraft Entities: proprietary gateway (C) and open-source proxy server (C++) Using Frama-C, AFL and CFI/DFI integrated into the CURSOR method CHARIOT 1 st Workshop, 11 October 2018, Rome

13 The VESSEDIA use-case Contiki-OS An Open Source OS for the Internet of Things Open source: BSD C source code Supports many embedded platforms Supports standard low-power IPv6 3.9 KLOC of high-priority source code 23.5 KLOC of medium priority Analyses achieved Linked list module verified using WP with ghost code and executable specifications Minimal contracts for core/lib and core/sys libraries with ACSL Absence of RTE verified for AES & CCM* modules using WP Contiki NG analysed with EVA and new plug-ins for recursive functions and loops annotations CHARIOT 1 st Workshop, 11 October 2018, Rome

14 V&V Methodology V&V methodology selects tools and method according to verification needs and business constraints Basic (compiler diagnostics) Simple (non-portable and suspicious program parts) Advanced (enforcing given programming guidelines) Formal (e.g. provably establishing the absence of run-time errors) Modelling framework UML/Papyrus permits to model a system with Statecharts, sequence diagrams, etc. Diversity allows to define security properties of sub-systems for analysis with Frama-C CURSOR method combining SA and DA tools (Frama-C EVA/E-ACSL with AFL and CFI/DFI) Economic rationale and metrics CHARIOT 1 st Workshop, 11 October 2018, Rome 14

15 The DA-SA CURSOR Method Component of Unit Robustness for Security Objectives and Requirements auto-detection of some CWE by abstract interpretation translate ACSL alarms into source code operate against targeted CWE Frama-C Value Gena-CWE 457,570,571, Frama-C E-ACSL user's implementation of counter-measures pentest process / C original source code C with CWE alarms alarms expressed in ACSL C "CWE instrumented" C "CWE proof" j = i + 1; x = *(p+j); /*@ assert i+1<=max_int; */ j = i + 1; /*@ assert \valid_read(p+j); */ x = *(p+j); e_assert(i+1<=maxint,"ovfl"); j = i + 1; e_valid(p,j,"vld"); x = *(p+j); e_assert(i+1<=maxint,"ovfl"); j = i + 1; e_valid(p,j,"vld"); x = *(p+j); All alarms are processed, spurious or not! CMx to be proved formally with Frama-C tools?? CM1() { } CM2() { } Some strategies may limit extra-code generation CM libs can be either specific to the alarm context,... or totally generic! CHARIOT 1 st Workshop, 11 October 2018, Rome 15

16 Certification and Security Evaluation Security vulnerabilities detection Assess the project s tools for vulnerabilities detection Coverage of vulnerabilities C++ vulnerabilities -> in progress Security evaluation Assess tools from the perspective of security evaluator Review security evaluation methodologies Integrate tools in the security evaluation process -> in progress CHARIOT 1 st Workshop, 11 October 2018, Rome 16

17 Contact Details CEA (Technical) Armand PUCCETTI Technikon (Coordination) Ursula Polessnig See also our web site : CHARIOT 1 st Workshop, 11 October 2018, Rome 17