Browser Security Guarantees through Formal Shim Verification
Size: px
Start display at page:

Download "Browser Security Guarantees through Formal Shim Verification"

Transcription

1 Browser Security Guarantees through Formal Shim Verification Dongseok Jang Zachary Tatlock Sorin Lerner UC San Diego

2 Browsers: Critical Infrastructure Ubiquitous: many platforms, sensitive apps Vulnerable: Pwn2Own, just a click to exploit Reactive Defenses: many ad hoc, bug triage, regressions

3 Fully Formal Verification Code in language that eases reasoning Develop correctness proof in synch Fully formal, machine checkable proof

4 Fully Formal Verification Success story: CompCert C compiler Compiler Bugs Found GCC 122 LLVM 181 CompCert 0 [Yang et al. PLDI 11] OS (sel4), RDBMS & HTTPD (YNot) realistic implementations guaranteed bug free

5 Fully Formal Verification Success story: CompCert C compiler The Catch Compiler Bugs Found Throw away all your code GCC 100 Rewrite in unfamiliar language LLVM 150 Formally CompCert specify correctness 0? Prove every detail correct OS (sel4), Heroic DB, effort HTTPD (YNot) [Yang et al. PLDI 11] realistic implementations guaranteed bug free

6 Formally Verify a Browser?! Resources Complex parts Subtle interactions JPEG Decoder HTML Renderer Loose access policy JavaScript Interpreter Constant evolution

7 Formally Verify Shim a Browser?! Verification Resources Shim Isolate sandbox untrusted code JPEG Decoder JavaScript Interpreter HTML Renderer Insert shim guards resource access Verify shim prove security props

8 Formally Verify Shim a Browser?! Verification Resources QUARK Shim formally verified browser Security Props 1. Tab isolation JPEG Decoder HTML Renderer 2. Cookie integrity 3. Addr bar correctness JavaScript Interpreter Prove code correct machine checkable proof

9 Fully Formal Verification

10 Fully Formal Verification Code in language supporting reasoning

11 Fully Formal Verification Code Spec logical properties characterizing correctness

12 Fully Formal Verification Code Coq Theorem Prover Proof Assistant Spec

13 Fully Formal Verification Code Coq Theorem Prover Proof Assistant Spec interactively show code satisfies specification

14 Fully Formal Verification Code Proof Assistant ML x86 Spec compile down to machine code

15 Fully Formal Verification Code Proof Assistant ML x86 Spec Extremely strong guarantees about actual system!

16 Fully Formal Verification Code Rewrite entire system! Proof Assistant ML x86 Spec

17 Fully Formal Verification Code Rewrite entire system! Proof Assistant ML x86 Spec Prove every detail correct

18 Formal Shim Verification Resources Shim JPEG Decoder HTML Renderer JavaScript Interpreter

19 Formal Shim Verification Resources Adapt to sandbox request access via shim Shim Write shim design effective interface Sandbox.. Untrusted Code Formally verify shim ensure accesses secure

20 Formal Shim Verification Resources Key Insight Adapt to sandbox request access via shim Guarantee sec props Write for entire shimsystem Shim Only reason about small shim design effective interface Sandbox.. Radically ease verification burden Untrusted Prove actual code correct Code Formally verify shim ensure accesses secure

21 Quark: Verified Browser Resources Shim Sandbox.. Untrusted Code

22 Quark: Verified Browser Resources Shim Sandbox.. Untrusted Code

23 Quark: Verified Browser Resources Net network Shim persistent storage user interface Sandbox.. Untrusted Code

24 Quark: Verified Browser Net Resources Shim Sandbox.. Untrusted Code

25 Quark: Verified Browser Resources Net Shim Quark Kernel Quark browser kernel code, spec, proof in Coq Sandbox.. Untrusted Code

26 Quark: Verified Browser Resources Net Shim Quark Kernel Sandbox.. Untrusted Code

27 Quark: Verified Browser Resources Net Quark Kernel Shim Untrusted Code browser components Sandbox.. Untrusted Code run as separate procs strictly sandboxed

28 Quark: Verified Browser Resources Net Quark Kernel Shim Untrusted Code browser components Sandbox.. Untrusted Code run as separate procs strictly sandboxed talk to kernel over pipe

29 Quark: Verified Browser Resources Net Quark Kernel Shim Untrusted Code two component types Sandbox.. Untrusted Code

30 Quark: Verified Browser Resources Net Quark Kernel Shim Untrusted Code two component types WebKit Tab modified WebKit, intercept accesses

31 Quark: Verified Browser Resources Net Quark Kernel Shim Untrusted Code two component types WebKit Tab

32 Quark: Verified Browser Resources Net Quark Kernel Shim Untrusted Code two component types WebKit Tab Cookie Manager written in Python, manages single domain

33 Quark: Verified Browser Resources Net Quark Kernel Shim Untrusted Code two component types WebKit tabs WebKit Tab Cookie Manager cookie managers

34 Quark: Verified Browser Resources Net Quark Kernel Shim Untrusted Code two component types WebKit tabs WebKit WebKit WebKit Tab Tab Tab Cookie Cookie Manager cookie managers several instances each

35 Quark: Verified Browser Net Quark Kernel WebKit WebKit WebKit Tab Tab Tab Cookie Cookie Manager

36 Quark Kernel: Code, Spec, Proof Quark Kernel

37 Quark Kernel: Code, Spec, Proof

38 Quark Kernel: Code, Spec, Proof Definition kstep...

39 Quark Kernel: Code, Spec, Proof Definition kstep(focused_tab, tabs) :=... kernel state

40 Quark Kernel: Code, Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs);... Unix-style select to find a component pipe ready to read

41 Quark Kernel: Code, Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with Stdin => case: f is user input... Tab t => case: f is tab pipe...

42 Quark Kernel: Code, Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with Stdin => cmd <- read_cmd(stdin);... read command from user over stdin Tab t =>...

43 Quark Kernel: Code, Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with Stdin => cmd <- read_cmd(stdin); match cmd with AddTab =>... user wants to create... Tab t =>... and focus a new tab

44 Quark Kernel: Code, Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with Stdin => cmd <- read_cmd(stdin); match cmd with AddTab => t <- mk_tab(); Tab t =>... create a new tab

45 Quark Kernel: Code, Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with Stdin => cmd <- read_cmd(stdin); match cmd with AddTab => t <- mk_tab(); write_msg(t, Render); tell new tab to Tab t => render itself...

46 Quark Kernel: Code, Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with Stdin => cmd <- read_cmd(stdin); match cmd with AddTab => t <- mk_tab(); write_msg(t, Render); return (t, t::tabs)... Tab t => return updated state...

47 Quark Kernel: Code, Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with Stdin => cmd <- read_cmd(stdin); match cmd with AddTab => t <- mk_tab(); write_msg(t, Render); return (t, t::tabs)... handle other Tab t =>... user commands

48 Quark Kernel: Code, Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with Stdin => cmd <- read_cmd(stdin); match cmd with AddTab => t <- mk_tab(); write_msg(t, Render); return (t, t::tabs) handle requests... from tabs Tab t =>...

49 Quark Kernel: Code, Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with Stdin => cmd <- read_cmd(stdin); match cmd with AddTab => t <- mk_tab(); write_msg(t, Render); return (t, t::tabs)... Tab t =>...

50 Quark Kernel: Code, Spec, Proof

51 Quark Kernel: Code, Spec, Proof Specify correct behavior wrt syscall seqs read(), write(), open(), write(),...

52 Quark Kernel: Code, Spec, Proof Specify correct behavior wrt syscall seqs trace: all syscalls made by Quark kernel during execution

53 Quark Kernel: Code, Spec, Proof Specify correct behavior wrt syscall seqs kstep() kstep() kstep() kstep()

54 Quark Kernel: Code, Spec, Proof Specify correct behavior wrt syscall seqs structure of produceable traces supports spec & proof

55 Quark Kernel: Code, Spec, Proof Specify correct behavior wrt syscall seqs structure of produceable traces supports spec & proof Example: address bar correctness

56 Quark Kernel: Code, Spec, Proof Specify correct behavior wrt syscall seqs structure of produceable traces supports spec & proof Example: address bar correctness forall trace tab domain,... for any trace, tab, and domain where trace is a sequence of syscalls

57 Quark Kernel: Code, Spec, Proof Specify correct behavior wrt syscall seqs structure of produceable traces supports spec & proof Example: address bar correctness forall trace tab domain, quark_produced(trace) /\... if Quark could have produced this trace

58 Quark Kernel: Code, Spec, Proof Specify correct behavior wrt syscall seqs structure of produceable traces supports spec & proof Example: address bar correctness forall trace tab domain, quark_produced(trace) /\ tab = cur_tab(trace) /\... and tab is the selected tab in this trace

59 Quark Kernel: Code, Spec, Proof Specify correct behavior wrt syscall seqs structure of produceable traces supports spec & proof Example: address bar correctness forall trace tab domain, and domain displayed in address bar for this trace quark_produced(trace) /\ tab = cur_tab(trace) /\ domain = addr_bar(trace) ->...

60 Quark Kernel: Code, Spec, Proof Specify correct behavior wrt syscall seqs structure of produceable traces supports spec & proof Example: address bar correctness forall trace tab domain, quark_produced(trace) /\ tab = cur_tab(trace) /\ domain = addr_bar(trace) -> domain = tab_domain(tab) then domain is the domain of the focused tab

61 Quark Kernel: Code, Spec, Proof Specify correct behavior wrt syscall seqs structure of produceable traces supports spec & proof Example: address bar correctness forall trace tab domain, quark_produced(trace) /\ tab = cur_tab(trace) /\ domain = addr_bar(trace) -> domain = tab_domain(tab)

62 Quark Kernel: Code, Spec, Proof Formal Security Properties Tab Non-Interference no tab affects kernel interaction with another tab Cookie Confidentiality and Integrity cookies only accessed by tabs of same domain Address Bar Integrity and Correctness address bar accurate, only modified by user action

63 Quark Kernel: Code, Spec, Proof

64 Quark Kernel: Code, Spec, Proof Prove kernel code satisfies sec props by induction on traces Quark can produce

65 Quark Kernel: Code, Spec, Proof Prove kernel code satisfies sec props by induction on traces Quark can produce induction hypothesis: trace valid up to this point

66 Quark Kernel: Code, Spec, Proof Prove kernel code satisfies sec props by induction on traces Quark can produce +? induction hypothesis: trace valid up to this point proof obligation: still valid after step?

67 Quark Kernel: Code, Spec, Proof +? induction hypothesis: trace valid up to this point proof obligation: still valid after step? Proceed by case analysis on kstep() what syscalls can be appended to trace? will they still satisfy all security properties? prove each case using interactive proof assistant

68 Quark Kernel: Code, Spec, Proof Key Insight Guarantee sec props for browser Use state-of-the-art components Only prove simple browser kernel

69 Usability Demo Video

70 Trusted Computing Base Infrastructure we assume correct any bugs here can invalidate our formal guarantees Fundamental Statement of security properties Coq (soundness, proof checker) Eventually Verified [active research] OCaml [VeriML] Tab Sandbox [RockSalt] Operating System [sel4]...

71 Security Analysis Formally prove important sec props WebKit defenses remain in effect Other desirable security policies

72 Future Work Filesystem access, sound, history could be implemented w/out major redesign Finer grained resource accesses support mashups and plugins Liveness properties formally prove that kernel never blocks

73 Conclusion Formal Shim Verification Guarantee sec props for entire system Only reason about small shim Radically ease verification burden Quark: Verified Browser Guarantee sec props for browser Only prove simple browser kernel Use state-of-the-art components

Similar documents

Verdi: A Framework for Implementing and Formally Verifying Distributed Systems

Verdi: A Framework for Implementing and Formally Verifying Distributed Systems Verdi: A Framework for Implementing and Formally Verifying Distributed Systems Key-value store VST James R. Wilcox, Doug Woos, Pavel Panchekha, Zach Tatlock, Xi Wang, Michael D. Ernst, Thomas Anderson

More information

Functional Programming in Coq. Nate Foster Spring 2018

Functional Programming in Coq. Nate Foster Spring 2018 Functional Programming in Coq Nate Foster Spring 2018 Review Previously in 3110: Functional programming Modular programming Data structures Interpreters Next unit of course: formal methods Today: Proof

More information

Turning proof assistants into programming assistants

Turning proof assistants into programming assistants Turning proof assistants into programming assistants ST Winter Meeting, 3 Feb 2015 Magnus Myréen Why? Why combine proof- and programming assistants? Why proofs? Testing cannot show absence of bugs. Some

More information

Hyperkernel: Push-Button Verification of an OS Kernel

Hyperkernel: Push-Button Verification of an OS Kernel Hyperkernel: Push-Button Verification of an OS Kernel Luke Nelson, Helgi Sigurbjarnarson, Kaiyuan Zhang, Dylan Johnson, James Bornholt, Emina Torlak, and Xi Wang The OS Kernel is a critical component Essential

More information

Adam Chlipala University of California, Berkeley ICFP 2006

Adam Chlipala University of California, Berkeley ICFP 2006 Modular Development of Certified Program Verifiers with a Proof Assistant Adam Chlipala University of California, Berkeley ICFP 2006 1 Who Watches the Watcher? Program Verifier Might want to ensure: Memory

More information

Formal verification of an optimizing compiler

Formal verification of an optimizing compiler Formal verification of an optimizing compiler Xavier Leroy INRIA Rocquencourt RTA 2007 X. Leroy (INRIA) Formal compiler verification RTA 2007 1 / 58 The compilation process General definition: any automatic

More information

Reusable Tools for Formal Modeling of Machine Code

Reusable Tools for Formal Modeling of Machine Code Reusable Tools for Formal Modeling of Machine Code Gang Tan (Lehigh University) Greg Morrisett (Harvard University) Other contributors: Joe Tassarotti Edward Gan Jean-Baptiste Tristan (Oracle Labs) @ PiP;

More information

Graphene-SGX. A Practical Library OS for Unmodified Applications on SGX. Chia-Che Tsai Donald E. Porter Mona Vij

Graphene-SGX. A Practical Library OS for Unmodified Applications on SGX. Chia-Che Tsai Donald E. Porter Mona Vij Graphene-SGX A Practical Library OS for Unmodified Applications on SGX Chia-Che Tsai Donald E. Porter Mona Vij Intel SGX: Trusted Execution on Untrusted Hosts Processing Sensitive Data (Ex: Medical Records)

More information

Sandboxing untrusted code: policies and mechanisms

Sandboxing untrusted code: policies and mechanisms Sandboxing untrusted code: policies and mechanisms Frank Piessens (Frank.Piessens@cs.kuleuven.be) Secappdev 2011 1 Overview Introduction Java and.net Sandboxing Runtime monitoring Information Flow Control

More information

Static and User-Extensible Proof Checking. Antonis Stampoulis Zhong Shao Yale University POPL 2012

Static and User-Extensible Proof Checking. Antonis Stampoulis Zhong Shao Yale University POPL 2012 Static and User-Extensible Proof Checking Antonis Stampoulis Zhong Shao Yale University POPL 2012 Proof assistants are becoming popular in our community CompCert [Leroy et al.] sel4 [Klein et al.] Four-color

More information

Formal methods for software security

Formal methods for software security Formal methods for software security Thomas Jensen, INRIA Forum "Méthodes formelles" Toulouse, 31 January 2017 Formal methods for software security Formal methods for software security Confidentiality

More information

Mechanized Operational Semantics

Mechanized Operational Semantics Mechanized Operational Semantics J Strother Moore Department of Computer Sciences University of Texas at Austin Marktoberdorf Summer School 2008 (Lecture 3: Direct Proofs) 1 Fact 1 Given an operational

More information

Blockchains: new home for proven-correct software. Paris, Yoichi Hirai formal verification engineer, the Ethereum Foundation

Blockchains: new home for proven-correct software. Paris, Yoichi Hirai formal verification engineer, the Ethereum Foundation Blockchains: new home for proven-correct software Paris, 2017-2-17 Yoichi Hirai formal verification engineer, the Ethereum Foundation Lyon: 2014 January Have you heard of a web site where you can get Bitcoin

More information

Automated verification of termination certificates

Automated verification of termination certificates Automated verification of termination certificates Frédéric Blanqui and Kim Quyen Ly Frédéric Blanqui and Kim Quyen Ly Automated verification of termination certificates 1 / 22 Outline 1 Software certification

More information

Formal Methods for Aviation Software Design and Certification

Formal Methods for Aviation Software Design and Certification Formal Methods for Aviation Software Design and Certification PART II: Formal Methods Gordon Stewart COUNT Short Course Series May 24-26 RUSS COLLEGE OF ENGINEERING AND TECHNOLOGY DO- 333: What Are Formal

More information

SafeDispatch Securing C++ Virtual Calls from Memory Corruption Attacks by Jang, Dongseok and Tatlock, Zachary and Lerner, Sorin

SafeDispatch Securing C++ Virtual Calls from Memory Corruption Attacks by Jang, Dongseok and Tatlock, Zachary and Lerner, Sorin SafeDispatch Securing C++ Virtual Calls from Memory Corruption Attacks by Jang, Dongseok and Tatlock, Zachary and Lerner, Sorin in NDSS, 2014 Alexander Hefele Fakultät für Informatik Technische Universität

More information

Language Techniques for Provably Safe Mobile Code

Language Techniques for Provably Safe Mobile Code Language Techniques for Provably Safe Mobile Code Frank Pfenning Carnegie Mellon University Distinguished Lecture Series Computing and Information Sciences Kansas State University October 27, 2000 Acknowledgments:

More information

Provably Correct Software

Provably Correct Software Provably Correct Software Max Schäfer Institute of Information Science/Academia Sinica September 17, 2007 1 / 48 The Need for Provably Correct Software BUT bugs are annoying, embarrassing, and cost gazillions

More information

How much is a mechanized proof worth, certification-wise?

How much is a mechanized proof worth, certification-wise? How much is a mechanized proof worth, certification-wise? Xavier Leroy Inria Paris-Rocquencourt PiP 2014: Principles in Practice In this talk... Some feedback from the aircraft industry concerning the

More information

Advanced Systems Security: Virtual Machine Systems

Advanced Systems Security: Virtual Machine Systems Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:

More information

Translation Validation for a Verified OS Kernel

Translation Validation for a Verified OS Kernel To appear in PLDI 13 Translation Validation for a Verified OS Kernel Thomas Sewell 1, Magnus Myreen 2, Gerwin Klein 1 1 NICTA, Australia 2 University of Cambridge, UK L4.verified sel4 = a formally verified

More information

Assuring Software Protection in Virtual Machines

Assuring Software Protection in Virtual Machines Assuring Software Protection in Virtual Machines Andrew W. Appel Princeton University 1 Software system built from components Less-trusted components More-trusted components (non-core functions) INTERFACE

More information

Advanced Systems Security: Virtual Machine Systems

Advanced Systems Security: Virtual Machine Systems Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:

More information

Formal verification of program obfuscations

Formal verification of program obfuscations Formal verification of program obfuscations Sandrine Blazy joint work with Roberto Giacobazzi and Alix Trieu IFIP WG 2.11, 2015-11-10 1 Background: verifying a compiler Compiler + proof that the compiler

More information

Formal proofs of code generation and verification tools

Formal proofs of code generation and verification tools Formal proofs of code generation and verification tools Xavier Leroy To cite this version: Xavier Leroy. Formal proofs of code generation and verification tools. Dimitra Giannakopoulou and Gwen Salaün.

More information

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI)

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Brad Karp UCL Computer Science CS GZ03 / M030 9 th December 2011 Motivation: Vulnerabilities in C Seen dangers of vulnerabilities: injection

More information

Formal Verification. Lecture 10

Formal Verification. Lecture 10 Formal Verification Lecture 10 Formal Verification Formal verification relies on Descriptions of the properties or requirements of interest Descriptions of systems to be analyzed, and rely on underlying

More information

Programming Languages

Programming Languages : Winter 2010 Principles of Programming Languages Lecture 1: Welcome, etc. Ranjit Jhala UC San Diego Computation & Interaction Precisely expressed by PL Dependence means need for analysis Safety Security

More information

A Certified Implementation of a Distributed Security Logic

A Certified Implementation of a Distributed Security Logic A Certified Implementation of a Distributed Security Logic Nathan Whitehead University of California, Santa Cruz nwhitehe@cs.ucsc.edu based on joint work with Martín Abadi University of California, Santa

More information

Intrinsically Typed Reflection of a Gallina Subset Supporting Dependent Types for Non-structural Recursion of Coq

Intrinsically Typed Reflection of a Gallina Subset Supporting Dependent Types for Non-structural Recursion of Coq Intrinsically Typed Reflection of a Gallina Subset Supporting Dependent Types for Non-structural Recursion of Coq Akira Tanaka National Institute of Advanced Industrial Science and Technology (AIST) 2018-11-21

More information

Designing Systems for Push-Button Verification

Designing Systems for Push-Button Verification Designing Systems for Push-Button Verification Luke Nelson, Helgi Sigurbjarnarson, Xi Wang Joint work with James Bornholt, Dylan Johnson, Arvind Krishnamurthy, EminaTorlak, Kaiyuan Zhang Formal verification

More information

Efficient Software Based Fault Isolation. Software Extensibility

Efficient Software Based Fault Isolation. Software Extensibility Efficient Software Based Fault Isolation Robert Wahbe, Steven Lucco Thomas E. Anderson, Susan L. Graham Software Extensibility Operating Systems Kernel modules Device drivers Unix vnodes Application Software

More information

A Formally-Verified C static analyzer

A Formally-Verified C static analyzer A Formally-Verified C static analyzer David Pichardie joint work with J.-H. Jourdan, V. Laporte, S.Blazy, X. Leroy, presented at POPL 15!! How do you trust your software? bug finders sound verifiers verified

More information

Lecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni.

Lecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni. Lecture Notes for 04/04/06 UNTRUSTED CODE Fatima Zarinni. Last class we started to talk about the different System Solutions for Stack Overflow. We are going to continue the subject. Stages of Stack Overflow

More information

OAuth 2 and Native Apps

OAuth 2 and Native Apps OAuth 2 and Native Apps Flows While all OAuth 2 flows can be used by native apps, only the user delegation flows will be considered in this document: Web Server, User-Agent and Device flows. The Web Server

More information

ISOLATION DEFENSES GRAD SEC OCT

ISOLATION DEFENSES GRAD SEC OCT ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted environment Setting Possibly with multiple tenants OS: users / processes Browser: webpages / browser extensions Cloud:

More information

Confinement (Running Untrusted Programs)

Confinement (Running Untrusted Programs) Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras Untrusted Programs Untrusted Application Entire Application untrusted Part of application untrusted Modules

More information

Sandboxing. CS-576 Systems Security Instructor: Georgios Portokalidis Spring 2018

Sandboxing. CS-576 Systems Security Instructor: Georgios Portokalidis Spring 2018 Sandboxing CS-576 Systems Security Instructor: Georgios Portokalidis Sandboxing Means Isolation Why? Software has bugs Defenses slip Untrusted code Compartmentalization limits interference and damage!

More information

Formal Methods at Scale in Microsoft

Formal Methods at Scale in Microsoft Formal Methods at Scale in Microsoft Thomas Ball http://research.microsoft.com/rise Microsoft Research 4 October 2017 Code Integ. Tests Unit Test Testing-based Development Commit, Build Review Web app

More information

How Can You Trust Formally Verified Software?

How Can You Trust Formally Verified Software? How Can You Trust Formally Verified Software? Alastair Reid Arm Research @alastair_d_reid Formal verification Of libraries and apps Of compilers Of operating systems 2 Fonseca et al., An Empirical Study

More information

Implementing a Verified On-Disk Hash Table

Implementing a Verified On-Disk Hash Table Implementing a Verified On-Disk Hash Table Stephanie Wang Abstract As more and more software is written every day, so too are bugs. Software verification is a way of using formal mathematical methods to

More information

Formally Certified Satisfiability Solving

Formally Certified Satisfiability Solving SAT/SMT Proof Checking Verifying SAT Solver Code Future Work Computer Science, The University of Iowa, USA April 23, 2012 Seoul National University SAT/SMT Proof Checking Verifying SAT Solver Code Future

More information

Machine-checked proofs of program correctness

Machine-checked proofs of program correctness Machine-checked proofs of program correctness COS 326 Andrew W. Appel Princeton University slides copyright 2013-2015 David Walker and Andrew W. Appel In this course, you saw how to prove that functional

More information

Software Security: Vulnerability Analysis

Software Security: Vulnerability Analysis Computer Security Course. Software Security: Vulnerability Analysis Program Verification Program Verification How to prove a program free of buffer overflows? Precondition Postcondition Loop invariants

More information

Exploring Chrome Internals. Darin Fisher May 28, 2009

Exploring Chrome Internals. Darin Fisher May 28, 2009 Exploring Chrome Internals Darin Fisher May 28, 2009 Simple interface, powerful core Modern browsers resemble the cooperatively multi-tasked operating systems of the past. Guiding sentiment, 2006 Goals

More information

Œuf: Minimizing the Coq Extraction TCB

Œuf: Minimizing the Coq Extraction TCB Œuf: Minimizing the Coq Extraction TCB Eric Mullen University of Washington, USA USA Abstract Zachary Tatlock University of Washington, USA USA Verifying systems by implementing them in the programming

More information

An Extensible Programming Language for Verified Systems Software. Adam Chlipala MIT CSAIL WG 2.16 meeting, 2012

An Extensible Programming Language for Verified Systems Software. Adam Chlipala MIT CSAIL WG 2.16 meeting, 2012 An Extensible Programming Language for Verified Systems Software Adam Chlipala MIT CSAIL WG 2.16 meeting, 2012 The status quo in computer system design DOM JS API Web page Network JS API CPU Timer interrupts

More information

Topic 16: Validation. CITS3403 Agile Web Development. Express, Angular and Node, Chapter 11

Topic 16: Validation. CITS3403 Agile Web Development. Express, Angular and Node, Chapter 11 Topic 16: Validation CITS3403 Agile Web Development Getting MEAN with Mongo, Express, Angular and Node, Chapter 11 Semester 1, 2018 Verification and Validation Writing a bug free application is critical

More information

Identity-based Access Control

Identity-based Access Control Identity-based Access Control The kind of access control familiar from operating systems like Unix or Windows based on user identities This model originated in closed organisations ( enterprises ) like

More information

How Can You Trust Formally Verified Software?

How Can You Trust Formally Verified Software? How Can You Trust Formally Verified Software? Alastair Reid Arm Research @alastair_d_reid Buffer over-read vulnerabilities Use after free s e i t i l i b a r e n l u v r o r r e c Logi Buffer overflow

More information

logistics CHALLENGE assignment take-home portion of the final next class final exam review

logistics CHALLENGE assignment take-home portion of the final next class final exam review Sandboxing 1 logistics 2 CHALLENGE assignment take-home portion of the final next class final exam review CHALLENGE (1) 3 expect to release before Saturday; due by written final probably complete all but

More information

Verified compilers. Guest lecture for Compiler Construction, Spring Magnus Myréen. Chalmers University of Technology

Verified compilers. Guest lecture for Compiler Construction, Spring Magnus Myréen. Chalmers University of Technology Guest lecture for Compiler Construction, Spring 2015 Verified compilers Magnus Myréen Chalmers University of Technology Mentions joint work with Ramana Kumar, Michael Norrish, Scott Owens and many more

More information

Programming and Proving with Distributed Protocols Disel: Distributed Separation Logic.

Programming and Proving with Distributed Protocols Disel: Distributed Separation Logic. Programming and Proving with Distributed Protocols Disel: Distributed Separation Logic ` {P } c {Q} http://distributedcomponents.net Ilya Sergey James R. Wilcox Zach Tatlock Distributed Systems Distributed

More information

seccomp-nurse Nicolas Bareil ekoparty 2010 EADS CSC Innovation Works France seccomp-nurse: sandboxing environment

seccomp-nurse Nicolas Bareil ekoparty 2010 EADS CSC Innovation Works France seccomp-nurse: sandboxing environment Nicolas Bareil 1/25 seccomp-nurse Nicolas Bareil EADS CSC Innovation Works France ekoparty 2010 Nicolas Bareil 2/25 Sandbox landscape Executive summary New sandboxing environment on Linux Focusing on headless

More information

Virtual machines (e.g., VMware)

Virtual machines (e.g., VMware) Case studies : Introduction to operating systems principles Abstraction Management of shared resources Indirection Concurrency Atomicity Protection Naming Security Reliability Scheduling Fairness Performance

More information

Packaging Theories of Higher Order Logic

Packaging Theories of Higher Order Logic Packaging Theories of Higher Order Logic Joe Hurd Galois, Inc. joe@galois.com Theory Engineering Workshop Tuesday 9 February 2010 Joe Hurd Packaging Theories of Higher Order Logic 1 / 26 Talk Plan 1 Introduction

More information

Reducing Fair Stuttering Refinement of Transaction Systems

Reducing Fair Stuttering Refinement of Transaction Systems Reducing Fair Stuttering Refinement of Transaction Systems Rob Sumners Advanced Micro Devices robert.sumners@amd.com November 16th, 2015 Rob Sumners (AMD) Transaction Progress Checking November 16th, 2015

More information

Dongseok Jang Zachary Tatlock. UC San Diego Washington

Dongseok Jang Zachary Tatlock. UC San Diego Washington Dongseok Jang Zachary Tatlock UC San Diego University of Washington Sorin Lerner UC San Diego e l b a r e n l Vu Control Flow Hijacking Lead Program to Jump to Unexpected Code That does what a7acker wants

More information

Work-in-progress: Verifying the Glasgow Haskell Compiler Core language

Work-in-progress: Verifying the Glasgow Haskell Compiler Core language Work-in-progress: Verifying the Glasgow Haskell Compiler Core language Stephanie Weirich Joachim Breitner, Antal Spector-Zabusky, Yao Li, Christine Rizkallah, John Wiegley May 2018 Verified compilers and

More information

Analysis of Hypertext Isolation Techniques for Cross-site Scripting Prevention. Mike Ter Louw Prithvi Bisht V.N. Venkatakrishnan

Analysis of Hypertext Isolation Techniques for Cross-site Scripting Prevention. Mike Ter Louw Prithvi Bisht V.N. Venkatakrishnan Analysis of Hypertext Isolation Techniques for Cross-site Scripting Prevention Mike Ter Louw Prithvi Bisht V.N. Venkatakrishnan Outline Motivation Hypertext isolation Design challenges Conclusion Quote

More information

Protection. Thierry Sans

Protection. Thierry Sans Protection Thierry Sans Protecting Programs How to lower the risk of a program security flaw resulting from a bug? 1. Build better programs 2. Build better operating systems Build Better Programs Why are

More information

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang WEB SECURITY WORKSHOP TEXSAW 2014 Presented by Solomon Boyd and Jiayang Wang Introduction and Background Targets Web Applications Web Pages Databases Goals Steal data Gain access to system Bypass authentication

More information

4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization

4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization 04/04/06 Lecture Notes Untrusted Beili Wang Stages of Static Overflow Solution 1. Find bug in 1. Static Analysis 2. Send overflowing input 2. CCured 3. Overwrite return address 3. Address Space Randomization

More information

Chapter 1. Introduction

Chapter 1. Introduction 1 Chapter 1 Introduction An exciting development of the 21st century is that the 20th-century vision of mechanized program verification is finally becoming practical, thanks to 30 years of advances in

More information

Lecture 11 Lecture 11 Nov 5, 2014

Lecture 11 Lecture 11 Nov 5, 2014 Formal Verification/Methods Lecture 11 Lecture 11 Nov 5, 2014 Formal Verification Formal verification relies on Descriptions of the properties or requirements Descriptions of systems to be analyzed, and

More information

An experiment with variable binding, denotational semantics, and logical relations in Coq. Adam Chlipala University of California, Berkeley

An experiment with variable binding, denotational semantics, and logical relations in Coq. Adam Chlipala University of California, Berkeley A Certified TypePreserving Compiler from Lambda Calculus to Assembly Language An experiment with variable binding, denotational semantics, and logical relations in Coq Adam Chlipala University of California,

More information

The Multi-Principal OS Construction of the Gazelle Web Browser. Helen J. Wang, Chris Grier, Alex Moshchuk, Sam King, Piali Choudhury, Herman Venter

The Multi-Principal OS Construction of the Gazelle Web Browser. Helen J. Wang, Chris Grier, Alex Moshchuk, Sam King, Piali Choudhury, Herman Venter The Multi-Principal OS Construction of the Gazelle Web Browser Helen J. Wang, Chris Grier, Alex Moshchuk, Sam King, Piali Choudhury, Herman Venter Browser as an application platform Single stop for many

More information

A Coq Framework For Verified Property-Based Testing (part of QuickChick)

A Coq Framework For Verified Property-Based Testing (part of QuickChick) A Coq Framework For Verified Property-Based Testing (part of QuickChick) Cătălin Hrițcu INRIA Paris-Rocquencourt (Prosecco team, Place d Italie office) Problem: proving in Coq is very costly My proofs

More information

Matching Logic A New Program Verification Approach

Matching Logic A New Program Verification Approach Matching Logic A New Program Verification Approach Grigore Rosu and Andrei Stefanescu University of Illinois at Urbana-Champaign (work started in 2009 with Wolfram Schulte at MSR) Usable Verification Relatively

More information

High-Assurance Cyber Space Systems (HACSS) for Small Satellite Mission Integrity

High-Assurance Cyber Space Systems (HACSS) for Small Satellite Mission Integrity Distribution A: SSC17-V-01 High-Assurance Cyber Space Systems (HACSS) for Small Satellite Mission Integrity Daria C. Lane, Enrique S. Leon, Francisco C. Tacliad, Dexter H. Solio, Ian L. Rodney, Dmitriy

More information

Programming with dependent types: passing fad or useful tool?

Programming with dependent types: passing fad or useful tool? Programming with dependent types: passing fad or useful tool? Xavier Leroy INRIA Paris-Rocquencourt IFIP WG 2.8, 2009-06 X. Leroy (INRIA) Dependently-typed programming 2009-06 1 / 22 Dependent types In

More information

Semantics-Based Program Verifiers for All Languages

Semantics-Based Program Verifiers for All Languages Language-independent Semantics-Based Program Verifiers for All Languages Andrei Stefanescu Daejun Park Shijiao Yuwen Yilong Li Grigore Rosu Nov 2, 2016 @ OOPSLA 16 Problems with state-of-the-art verifiers

More information

A Roadmap for High Assurance Cryptography

A Roadmap for High Assurance Cryptography A Roadmap for High Assurance Cryptography Harry Halpin harry.halpin@inria.fr @harryhalpin (Twitter) NEXTLEAP (nextleap.eu) Harry Halpin Prosecco Thanks to Peter Schwabe (Radboud University) Harry.halpin@inria.fr

More information

OMOS: A Framework for Secure Communication in Mashup Applications

OMOS: A Framework for Secure Communication in Mashup Applications : A Framework for in Mashup Applications Saman Zarandioon Danfeng (Daphne) Yao Vinod Ganapathy Department of Computer Science Rutgers University Piscataway, NJ 08854 {samanz,danfeng,vinodg}@cs.rutgers.edu

More information

Specifying the Ethereum Virtual Machine for Theorem Provers

Specifying the Ethereum Virtual Machine for Theorem Provers 1/28 Specifying the Ethereum Virtual Machine for Theorem Provers Yoichi Hirai Ethereum Foundation Cambridge, Sep. 13, 2017 (FC 2017 + some updates) 2/28 Outline Problem Motivation EVM as a Machine Wanted

More information

Formal C semantics: CompCert and the C standard

Formal C semantics: CompCert and the C standard Formal C semantics: CompCert and the C standard Robbert Krebbers 1, Xavier Leroy 2, and Freek Wiedijk 1 1 ICIS, Radboud University Nijmegen, The Netherlands 2 Inria Paris-Rocquencourt, France Abstract.

More information

SJTU SUMMER 2014 SOFTWARE FOUNDATIONS. Dr. Michael Clarkson

SJTU SUMMER 2014 SOFTWARE FOUNDATIONS. Dr. Michael Clarkson SJTU SUMMER 2014 SOFTWARE FOUNDATIONS Dr. Michael Clarkson e Story Begins Gottlob Frege: a German mathematician who started in geometry but became interested in logic and foundations of arithmetic. 1879:

More information

Outline. software testing: search bugs black-box and white-box testing static and dynamic testing

Outline. software testing: search bugs black-box and white-box testing static and dynamic testing Outline 1 Verification Techniques software testing: search bugs black-box and white-box testing static and dynamic testing 2 Programming by Contract assert statements in Python using preconditions and

More information

Combining program verification with component-based architectures. Alexander Senier BOB 2018 Berlin, February 23rd, 2018

Combining program verification with component-based architectures. Alexander Senier BOB 2018 Berlin, February 23rd, 2018 Combining program verification with component-based architectures Alexander Senier BOB 2018 Berlin, February 23rd, 2018 About Componolit 2 What happens when we use what's best? 3 What s Best? Mid-90ies:

More information

Coq. LASER 2011 Summerschool Elba Island, Italy. Christine Paulin-Mohring

Coq. LASER 2011 Summerschool Elba Island, Italy. Christine Paulin-Mohring Coq LASER 2011 Summerschool Elba Island, Italy Christine Paulin-Mohring http://www.lri.fr/~paulin/laser Université Paris Sud & INRIA Saclay - Île-de-France September 2011 Lecture 4 : Advanced functional

More information

Sugar: Secure GPU Acceleration in Web Browsers

Sugar: Secure GPU Acceleration in Web Browsers Sugar: Secure GPU Acceleration in Web Browsers Zhihao Yao, Zongheng Ma, Yingtong Liu, Ardalan Amiri Sani, Aparna Chandramowlishwaran Trustworthy Systems Lab, UC Irvine 1 WebGL was released in 2011 2 Source:

More information

The design of a programming language for provably correct programs: success and failure

The design of a programming language for provably correct programs: success and failure The design of a programming language for provably correct programs: success and failure Don Sannella Laboratory for Foundations of Computer Science School of Informatics, University of Edinburgh http://homepages.inf.ed.ac.uk/dts

More information

Why. an intermediate language for deductive program verification

Why. an intermediate language for deductive program verification Why an intermediate language for deductive program verification Jean-Christophe Filliâtre CNRS Orsay, France AFM workshop Grenoble, June 27, 2009 Jean-Christophe Filliâtre Why tutorial AFM 09 1 / 56 Motivations

More information

Behavioral Equivalence

Behavioral Equivalence Behavioral Equivalence Prof. Clarkson Fall 2016 Today s music: Soul Bossa Nova by Quincy Jones Review Previously in 3110: Functional programming Modular programming & software engineering Interpreters

More information

Behavioral Equivalence

Behavioral Equivalence Behavioral Equivalence Prof. Clarkson Fall 2015 Today s music: Soul Bossa Nova by Quincy Jones Review Previously in 3110: Functional programming Modular programming Interpreters Imperative and concurrent

More information

Ironclad Apps: End-to-End Security via Automated Full-System Verification. Danfeng Zhang

Ironclad Apps: End-to-End Security via Automated Full-System Verification. Danfeng Zhang Ironclad Apps: End-to-End Security via Automated Full-System Verification Chris Hawblitzel Jon Howell Jay Lorch Arjun Narayan Bryan Parno Danfeng Zhang Brian Zill Online and Mobile Security Chase Online,

More information

AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE

AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE Nicholas Carlini, Adrienne Porter Felt, David Wagner University of California, Berkeley CHROME EXTENSIONS CHROME EXTENSIONS servers servers

More information

Induction in Coq. Nate Foster Spring 2018

Induction in Coq. Nate Foster Spring 2018 Induction in Coq Nate Foster Spring 2018 Review Previously in 3110: Functional programming in Coq Logic in Coq Curry-Howard correspondence (proofs are programs) Today: Induction in Coq REVIEW: INDUCTION

More information

Extensible Untrusted Code Verification. Robert Richard Schneck. B.S. (Duke University) 1997

Extensible Untrusted Code Verification. Robert Richard Schneck. B.S. (Duke University) 1997 Extensible Untrusted Code Verification by Robert Richard Schneck B.S. (Duke University) 1997 A dissertation submitted in partial satisfaction of the requirements for the degree of Doctor of Philosophy

More information

Unit- and Sequence Test Generation with HOL-TestGen

Unit- and Sequence Test Generation with HOL-TestGen Unit- and Sequence Test Generation with HOL-TestGen Tests et Methodes Formelles Prof. Burkhart Wolff Univ - Paris-Sud / LRI 16.6.2015 B.Wolff - HOL-TestGen 1 Overview HOL-TestGen and its Business-Case

More information

Control Flow Integrity & Software Fault Isolation. David Brumley Carnegie Mellon University

Control Flow Integrity & Software Fault Isolation. David Brumley Carnegie Mellon University Control Flow Integrity & Software Fault Isolation David Brumley Carnegie Mellon University Our story so far Unauthorized Control Information Tampering http://propercourse.blogspot.com/2010/05/i-believe-in-duct-tape.html

More information

Deductive Verification in Frama-C and SPARK2014: Past, Present and Future

Deductive Verification in Frama-C and SPARK2014: Past, Present and Future Deductive Verification in Frama-C and SPARK2014: Past, Present and Future Claude Marché (Inria & Université Paris-Saclay) OSIS, Frama-C & SPARK day, May 30th, 2017 1 / 31 Outline Why this joint Frama-C

More information

Rely-Guarantee References for Refinement Types over Aliased Mutable Data

Rely-Guarantee References for Refinement Types over Aliased Mutable Data Rely-Guarantee References for Refinement Types over Aliased Mutable Data Colin S. Gordon, Michael D. Ernst, and Dan Grossman University of Washington PLDI 2013 Static Verification Meets Aliasing 23 x:ref

More information

An External Integrity Checker for Increasing Security of Open Source Operating Systems

An External Integrity Checker for Increasing Security of Open Source Operating Systems An External Integrity Checker for Increasing Security of Open Source Operating Systems Hiromasa Shimada, Tsung-Han Lin, Ning Li Distributed and Ubiquitous Computing Lab., Waseda University, Japan Background!

More information

Type Theory meets Effects. Greg Morrisett

Type Theory meets Effects. Greg Morrisett Type Theory meets Effects Greg Morrisett A Famous Phrase: Well typed programs won t go wrong. 1. Describe abstract machine: M ::= 2. Give transition relation: M 1 M 2

More information

Validating LR(1) parsers

Validating LR(1) parsers Validating LR(1) parsers Jacques-Henri Jourdan François Pottier Xavier Leroy INRIA Paris-Rocquencourt, projet Gallium Journées LTP/MTVV, 2011-10-28 Parsing: recap text or token stream abstract syntax tree

More information

SECOMP Efficient Formally Secure Compilers to a Tagged Architecture. Cătălin Hrițcu INRIA Paris

SECOMP Efficient Formally Secure Compilers to a Tagged Architecture. Cătălin Hrițcu INRIA Paris SECOMP Efficient Formally Secure Compilers to a Tagged Architecture Cătălin Hrițcu INRIA Paris 1 SECOMP Efficient Formally Secure Compilers to a Tagged Architecture Cătălin Hrițcu INRIA Paris 5 year vision

More information

A Structural Operational Semantics for JavaScript

A Structural Operational Semantics for JavaScript Dept. of Computer Science, Stanford University Joint work with Sergio Maffeis and John C. Mitchell Outline 1 Motivation Web Security problem Informal and Formal Semantics Related work 2 Formal Semantics

More information

Outline. Analyse et Conception Formelle. Lesson 7. Program verification methods. Disclaimer. The basics. Definition 2 (Specification)

Outline. Analyse et Conception Formelle. Lesson 7. Program verification methods. Disclaimer. The basics. Definition 2 (Specification) Outline Analyse et Conception Formelle Lesson 7 Program verification methods 1 Testing 2 Model-checking 3 Assisted proof 4 Static Analysis 5 A word about protoypes/models, accuracy, code generation T.

More information

Theorem proving. PVS theorem prover. Hoare style verification PVS. More on embeddings. What if. Abhik Roychoudhury CS 6214

Theorem proving. PVS theorem prover. Hoare style verification PVS. More on embeddings. What if. Abhik Roychoudhury CS 6214 Theorem proving PVS theorem prover Abhik Roychoudhury National University of Singapore Both specification and implementation can be formalized in a suitable logic. Proof rules for proving statements in

More information
2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback