Verifying the Safety of Security-Critical Applications

Transcription

1 Verifying the Safety of Security-Critical Applications Thomas Dillig Stanford University Thomas Dillig 1 of 31

2 Why Program Verification? Reliability and security of software is a huge problem. Thomas Dillig 2 of 31

3 Why Program Verification? Reliability and security of software is a huge problem. Thomas Dillig 2 of 31

4 My Research We want to give guarantees about program behavior, for all possible executions and without running the program. Thomas Dillig 3 of 31

5 Undecidability and Abstraction Recall that deciding any non-trivial property about an arbitrary program is undecidable Thomas Dillig 4 of 31

6 Undecidability and Abstraction Recall that deciding any non-trivial property about an arbitrary program is undecidable Cannot exactly characterize the set of states a program P may be in Thomas Dillig 4 of 31

7 Undecidability and Abstraction Recall that deciding any non-trivial property about an arbitrary program is undecidable Cannot exactly characterize the set of states a program P may be in Solution: Overapproximate program behavior Thomas Dillig 4 of 31

8 Undecidability and Abstraction Error states outside overapproximation Program verified Thomas Dillig 5 of 31

9 Undecidability and Abstraction Error states outside overapproximation Program verified Error states inside overapproximation, but outside P false alarm Thomas Dillig 5 of 31

10 Undecidability and Abstraction Error states outside overapproximation Program verified Error states inside overapproximation, but outside P false alarm Goal: Construct an abstraction precise enough to prove properties about realistic programs Thomas Dillig 5 of 31

11 Our Goal in This Talk Multiple orthogonal issues in constructing precise abstractions Thomas Dillig 6 of 31

12 Our Goal in This Talk Multiple orthogonal issues in constructing precise abstractions This talk: Construct a precise and efficient abstraction that allows automatically proving properties about container-manipulating programs Thomas Dillig 6 of 31

13 Containers Containers General-purpose data structures for inserting, retrieving, removing, and iterating over elements Thomas Dillig 7 of 31

14 Containers Containers General-purpose data structures for inserting, retrieving, removing, and iterating over elements Examples: Array, vector, list, map, set, stack, queue,... Thomas Dillig 7 of 31

15 Containers Containers General-purpose data structures for inserting, retrieving, removing, and iterating over elements Examples: Array, vector, list, map, set, stack, queue,... Widely used; provided by common programming languages Thomas Dillig 7 of 31

16 Containers Containers General-purpose data structures for inserting, retrieving, removing, and iterating over elements Examples: Array, vector, list, map, set, stack, queue,... Widely used; provided by common programming languages Precise static reasoning about containers crucial for successful verification Thomas Dillig 7 of 31

17 Example Modeled after method responsedatacalllist in the telephony module in the Android phone code base void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Thomas Dillig 8 of 31

18 Example We want to prove that this program will not crash due to an assertion failure in any execution void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Thomas Dillig 8 of 31

19 Example void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); data Thomas Dillig 8 of 31

20 Example void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); data Thomas Dillig 8 of 31

21 Example void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); data Thomas Dillig 8 of 31

22 Example void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); data Thomas Dillig 8 of 31

23 Example packets data void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Thomas Dillig 8 of 31

24 Example packets data void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Thomas Dillig 8 of 31

25 Example packets data void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Thomas Dillig 8 of 31

26 Example Such assertions are very difficult to prove automatically void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Thomas Dillig 9 of 31

27 Example Such assertions are very difficult to prove automatically Difficulties: void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Thomas Dillig 9 of 31

28 Example Such assertions are very difficult to prove automatically Difficulties: Number of elements in data unknown void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Thomas Dillig 9 of 31

29 Example Such assertions are very difficult to prove automatically Difficulties: Number of elements in data unknown Unknown number of dynamically allocated objects void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Thomas Dillig 9 of 31

30 The Standard Memory Abstraction packets Standard abstraction: Represent statically unknown number of memory locations using summary locations data Thomas Dillig 10 of 31

31 The Standard Memory Abstraction packets Standard abstraction: Represent statically unknown number of memory locations using summary locations data Thomas Dillig 10 of 31

32 The Standard Memory Abstraction packets Standard abstraction: Represent statically unknown number of memory locations using summary locations Summary location represents multiple run-time locations data Thomas Dillig 10 of 31

33 The Standard Memory Abstraction packets Standard abstraction: Represent statically unknown number of memory locations using summary locations Summary location represents multiple run-time locations data Edge from node A to B Any concrete location in A may point to any concrete location in B Thomas Dillig 10 of 31

34 The Standard Memory Abstraction packets Standard abstraction: Represent statically unknown number of memory locations using summary locations Summary location represents multiple run-time locations data Edge from node A to B Any concrete location in A may point to any concrete location in B a full cross-product Thomas Dillig 10 of 31

35 The Standard Memory Abstraction packets data Standard abstraction: Represent statically unknown number of memory locations using summary locations Summary location represents multiple run-time locations Edge from node A to B Any concrete location in A may point to any concrete location in B a full cross-product assert(packets.front()->val == last)% Thomas Dillig 10 of 31

36 The Challenge No existing technique can prove such assertions automatically Thomas Dillig 11 of 31

37 The Challenge No existing technique can prove such assertions automatically But real programs heavily use containers... Thomas Dillig 11 of 31

38 Our Contribution Heap Analysis Container Reasoning First analysis that is precise enough to automatically prove such properties about containerand heap-manipulating programs in a scalable way Thomas Dillig 12 of 31

39 Our Approach Overarching idea: Symbolic heap abstraction that combines logical formulae with a graph representation to describe contents of containers Thomas Dillig 13 of 31

40 Indexed Locations Key Idea 1: Represent containers with indexed locations Thomas Dillig 14 of 31

41 Indexed Locations Key Idea 1: Represent containers with indexed locations list<packet*> data represented using a single abstract location qualified by index variable Thomas Dillig 14 of 31

42 Indexed Locations Key Idea 1: Represent containers with indexed locations list<packet*> data represented using a single abstract location qualified by index variable Index variable ranges over possible indices of list Thomas Dillig 14 of 31

43 Indexed Locations Key Idea 1: Represent containers with indexed locations list<packet*> data represented using a single abstract location qualified by index variable Index variable ranges over possible indices of list Thomas Dillig 14 of 31

44 Indexed Locations Key Idea 1: Represent containers with indexed locations list<packet*> data represented using a single abstract location qualified by index variable Index variable ranges over possible indices of list Thomas Dillig 14 of 31

45 Example void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Thomas Dillig 15 of 31

46 Example void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Statically unknown number of allocations in the loop Thomas Dillig 15 of 31

47 Example void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Statically unknown number of allocations in the loop α i2 represents all allocations Thomas Dillig 15 of 31

48 Example void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Statically unknown number of allocations in the loop α i2 represents all allocations For instance, α 0 represents allocation in the first iteration Thomas Dillig 15 of 31

49 Edge Constraints Key Idea 2: Points-to edges are qualified by constraints on index variables. Thomas Dillig 16 of 31

50 Edge Constraints Key Idea 2: Points-to edges are qualified by constraints on index variables. Consider pointer relations between containers a and b. Thomas Dillig 16 of 31

51 Edge Constraints Key Idea 2: Points-to edges are qualified by constraints on index variables. Consider pointer relations between containers a and b. Thomas Dillig 16 of 31

52 Edge Constraints Key Idea 2: Points-to edges are qualified by constraints on index variables. Consider pointer relations between containers a and b. Constraints on points-to edges allow richer relations than cross-product Thomas Dillig 16 of 31

53 Example void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Thomas Dillig 17 of 31

54 Example void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Thomas Dillig 17 of 31

55 Example void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Thomas Dillig 17 of 31

56 We saw how to represent points-to relations in our symbolic heap representation Thomas Dillig 18 of 31

57 We saw how to represent points-to relations in our symbolic heap representation How do we use the information encoded in this abstraction, e.g., to prove the assertion assert(packets.front()->val == last)? Thomas Dillig 18 of 31

58 Load Example Consider packets.front()->val Thomas Dillig 19 of 31

59 Load Example Consider packets.front()->val Determine where front of packets points to i 1 = 0 Thomas Dillig 19 of 31

60 Load Example Consider packets.front()->val Determine where front of packets points to i 1 = 0 What is the value of i 2? Thomas Dillig 19 of 31

61 Load Example Consider packets.front()->val Determine where front of packets points to i 1 = 0 What is the value of i 2? i 2 = size(data) i i 1 < size(data) Thomas Dillig 19 of 31

62 Load Example Consider packets.front()->val Determine where front of packets points to i 1 = 0 What is the value of i 2? i 1.i 1 = 0 i 2 = size(data) i i 1 < size(data) Thomas Dillig 19 of 31

63 Load Example Consider packets.front()->val Determine where front of packets points to i 1 = 0 What is the value of i 2? i 2 = size(data) 1 Thomas Dillig 19 of 31

64 Load Example Consider packets.front()->val Determine where front of packets points to i 1 = 0 What is the value of i 2? i 2 = size(data) 1 Can now prove assertion packets.front()->val == last Thomas Dillig 19 of 31

65 Advantages of Symbolic Heap Indexed locations + constraints on index variables = Precise per-element container reasoning Thomas Dillig 20 of 31

66 Advantages of Symbolic Heap Indexed locations + constraints on index variables = Precise per-element container reasoning Employ machinery from standard logic to: Thomas Dillig 20 of 31

67 Advantages of Symbolic Heap Indexed locations + constraints on index variables = Precise per-element container reasoning Employ machinery from standard logic to: 1 traverse heap references: satisfiability, existential quantifier elimination Thomas Dillig 20 of 31

68 Advantages of Symbolic Heap Indexed locations + constraints on index variables = Precise per-element container reasoning Employ machinery from standard logic to: 1 traverse heap references: satisfiability, existential quantifier elimination 2 analyze updates precisely and uniformly: negation, conjunction Thomas Dillig 20 of 31

69 Advantages of Symbolic Heap Indexed locations + constraints on index variables = Precise per-element container reasoning Employ machinery from standard logic to: 1 traverse heap references: satisfiability, existential quantifier elimination 2 analyze updates precisely and uniformly: negation, conjunction Reduce container reasoning to integer constraints and standard logic operations Thomas Dillig 20 of 31

70 Implementation Implemented heap/container analysis in our Compass program analysis framework for C and C++ programs Thomas Dillig 21 of 31

71 Implementation Implemented heap/container analysis in our Compass program analysis framework for C and C++ programs Analysis requires solving constraints in combined theory of linear integer inequalities and uninterpreted functions used our Mistral SMT solver Thomas Dillig 21 of 31

72 Experiments Analyzed real open-source C and C++ applications using containers Thomas Dillig 22 of 31

73 Experiments Analyzed real open-source C and C++ applications using containers LiteSQL, 16,030 LOC Thomas Dillig 22 of 31

74 Experiments Analyzed real open-source C and C++ applications using containers LiteSQL, 16,030 LOC OpenSSH, 26,615 LOC Thomas Dillig 22 of 31

75 Experiments Analyzed real open-source C and C++ applications using containers LiteSQL, 16,030 LOC OpenSSH, 26,615 LOC Inkscape Widget Library, 37,211 LOC Thomas Dillig 22 of 31

76 Experiments Analyzed real open-source C and C++ applications using containers LiteSQL, 16,030 LOC OpenSSH, 26,615 LOC Inkscape Widget Library, 37,211 LOC DigiKam, 128,318 LOC Thomas Dillig 22 of 31

77 Experiments Analyzed real open-source C and C++ applications using containers LiteSQL, 16,030 LOC OpenSSH, 26,615 LOC Inkscape Widget Library, 37,211 LOC DigiKam, 128,318 LOC Annotated containers provided by the STL and QT libraries Thomas Dillig 22 of 31

78 Application: Memory Safety Ran our verification tool to find all segmentation faults or run-time exceptions caused by: buffer overruns and underruns null dereference errors accessing deleted memory Also checked memory leaks Thomas Dillig 23 of 31

79 First Experiment First Experiment: Represent containers as bags of values using the standard abstraction Thomas Dillig 24 of 31

80 First Experiment First Experiment: Represent containers as bags of values using the standard abstraction Existing tools that analyze programs of this size use this abstraction Thomas Dillig 24 of 31

81 First Experiment First Experiment: Represent containers as bags of values using the standard abstraction Existing tools that analyze programs of this size use this abstraction Cannot track index-to-value correlations, modification to one container element contaminates all others Thomas Dillig 24 of 31

82 Containers as Bags False alarms for standard abstraction Bugs found LiteSQL OpenSSH Inkscape DigiKam Thomas Dillig 25 of 31

83 Containers as Bags False alarms for standard abstraction Bugs found LiteSQL OpenSSH Inkscape DigiKam Conclusion Treating containers as bags leads to unacceptable number of false alarms. Thomas Dillig 25 of 31

84 Second Experiment Second Experiment: Used the techniques described in this talk: indexed locations, symbolic points-to relations Thomas Dillig 26 of 31

85 Second Experiment Second Experiment: Used the techniques described in this talk: indexed locations, symbolic points-to relations Able to track key-value correlations; precise reasoning about heap objects stored in containers Thomas Dillig 26 of 31

86 Containers Modeled as Indexed Locations False alarms for standard abstraction Bugs found False alarms for our abstraction LiteSQL OpenSSH Inkscape DigiKam Thomas Dillig 27 of 31

87 Containers Modeled as Indexed Locations False alarms for standard abstraction Bugs found False alarms for our abstraction LiteSQL OpenSSH Inkscape DigiKam Huge reduction in number of false alarms Thomas Dillig 27 of 31

88 Containers Modeled as Indexed Locations Bugs found False alarms for our abstraction LiteSQL OpenSSH Inkscape DigiKam Analysis reports very few false positives Thomas Dillig 28 of 31

89 Containers Modeled as Indexed Locations Bugs found False alarms for our abstraction m 2.3m 2.3m 8.7m 0 LiteSQL OpenSSH Inkscape DigiKam Cost of the analysis is tractable Thomas Dillig 29 of 31

90 Summary Sound, precise, and automatic technique for verifying real programs that make use of heap allocations and containers Thomas Dillig 30 of 31

91 Summary Sound, precise, and automatic technique for verifying real programs that make use of heap allocations and containers First technique to verify real programs of this size with very few false alarms Thomas Dillig 30 of 31

92 Summary Sound, precise, and automatic technique for verifying real programs that make use of heap allocations and containers First technique to verify real programs of this size with very few false alarms Substantial improvement over the state-of-the art substantially extends class of programs that can be automatically verified Thomas Dillig 30 of 31

93 Related Work Reps, T.W., Sagiv, S., Wilhelm, R.: Static Program Analysis via 3-Valued Logic. In: CAV (2004) Lam, P., Kuncak, V., Rinard, M.: Hob: A tool for verifying data structure consistency. In: Compiler Construction. (2005) Deutsch, A.: Interprocedural may-alias analysis for pointers: Beyond k-limiting. In: PLDI (1994) Yang, H., Lee, O., Berdine, J., Calcagno, C., Cook, B., Distefano, D.. O Hearn, P.: Scalable shape analysis for systems code. In: CAV (2008) Marron, M., Stefanovic, D., Hermenegildo, M., Kapur, D.: Heap Analysis in the Presence of Collection Libraries. In: PASTE. (2007) Thomas Dillig 31 of 31