Symbolic Execution & Constraint Solving

Presentation Transcript


  1. CS161 Computer Security. Finding bugs: Analysis Techniques & Tools. Symbolic Execution & Constraint Solving. Cho, Chia Yuan

  2. Lab
  • Q1: Manual reasoning on code: a Mergesort implementation published in Wikibooks
  • Q2: Constraint solving: "solve" for collisions in the ELFHash function
  • Q3: Whitebox & blackbox fuzzing: use a dynamic symbolic execution tool to find bugs automatically
  • Start early!

  3. Big Picture (course map): Attacks & Defenses; Mobile Security (Android); Web Security; Network Security; Crypto; Program Analysis & Verification, which is where Symbolic Execution & Constraint Solving sits. Why?

  4. A little history … Can we build a machine that can automatically reason and prove mathematical facts about programs?

  5. 1967

  6. 1967

  7. 1976: "From one simple view, it is an enhanced testing technique. Instead of executing a program on a set of sample inputs, a program is 'symbolically' executed for a set of classes of inputs." (James C. King, "Symbolic Execution and Program Testing", Communications of the ACM, 1976)

  8. Why now?

  9. Advances in SAT Solvers (figure). Source: Sanjit Seshia

  10. Advances in SAT Solvers (figure). Source: Sanjit Seshia

  11. Significance

  12. How do we know our program is "correct"?
  • In general, we don't know.
  • Test it
  • Let users test it for us
  • Fuzz it
  • Try to prove it's correct
  • Static analysis
  (Figure: these approaches placed on axes labelled Precision and Coverage, with Symbolic Execution & Constraint Solving marked among them.)

  13. Dynamic Sym Exec is Directed Testing
  Flowchart of the program under test:
    len = input + 3;
    if (len < 10) ...                  T / F
    if (len % 2 == 0) ...              T / F; the two branches set s = len and s = len + 2
    buf = malloc(s);
    read(fd, buf, len);
  • Path-by-path exploration: each path through the flowchart gets its own path formula, built from the symbolic assignment and the branch outcomes taken. For one path (the F edge of both branches):
    (len == input + 3) && !(len < 10) && !(len % 2 == 0)

  14. Dynamic Sym Exec is Directed Testing
  Same flowchart; the sibling path flips the last branch condition:
    (len == input + 3) && !(len < 10) && (len % 2 == 0)
  • How do we construct the formula & use a solver?
  • Can we combine all paths into 1 single formula? Bounded Model Checking

  15. Q2 Goal: ‘Solve’ for Hash Collisions

  16. Constructing Logic Formulas from Code • Convert statements into Static Single Assignment (SSA) form • Encode SSA into target solver input format

  17. Static Single Assignment Equations
  • Unroll loops to form a loop-free program: for (i = 0; i < 2; i++) { a = a + 1; } becomes a = a + 1; a = a + 1;
  • Rename the LHS of each assignment into a new local variable: a1 = a + 1; a2 = a + 1;
  • Whenever a variable is read (e.g., on the RHS), replace it with the last assigned variable name: a1 = a0 + 1; a2 = a1 + 1;

  18. Conditional (if) statements
  • Dynamic Symbolic Execution: 2 separate path formulas
  • Bounded Model Checking: merge both branches into 1 formula

  19. Conditional (if) statements

  20. Example
  int example1(int x) {
      int ret;
      if (x > 0) ret = x;
      else ret = -x;
      assert(ret >= 0);
      return ret;
  }
  SSA: ret1 = x0; ret2 = -x0; ret3 = (x0 > 0 ? ret1 : ret2)
  Q: Is !(ret3 >= 0) satisfiable? Is this program correct?

  21. Constructing Logic Formulas from Code
  • Convert statements into Static Single Assignment (SSA) form = bit-vector equations in quantifier-free first-order logic
  • Encode SSA into target solver input format: bit-vector arithmetic logic, "SMT" solver, SMT-LIB 1.0 standard (the syntax used on the following slides; current solvers, z3 included, read SMT-LIB 2, where the same encoding is written with declare-const, (_ BitVec 32), (_ bv0 32) and = in place of iff)

  22. Example SMT-LIB
  SSA: ret1 = x0; ret2 = -x0; ret3 = (x0 > 0 ? ret1 : ret2). Is !(ret3 >= 0) satisfiable?
  :extrafuns ((x0 BitVec[32]))
  :extrafuns ((ret1 BitVec[32]))
  :extrafuns ((ret2 BitVec[32]))
  :extrafuns ((ret3 BitVec[32]))
  :extrapreds ((branchcond1))
  :assumption (= ret1 x0)
  :assumption (= ret2 (bvneg x0))
  :assumption (iff branchcond1 (bvsgt x0 bv0[32]))
  :assumption (= ret3 (ite branchcond1 ret1 ret2))
  :assumption (not (bvsge ret3 bv0[32]))
  :formula true
  (In a complete SMT-LIB 1 file these lines sit inside (benchmark example1 :logic QF_BV ... ).)

  23. Querying the Solver
  $ ./z3 example1.smt -m
  ret3 -> bv2147483648[32]
  ret1 -> bv2147483648[32]
  branchcond1 -> false
  ret2 -> bv2147483648[32]
  x0 -> bv2147483648[32]
  sat
  • 2147483648 = 0x80000000
  • 32-bit two's complement: positive range [0 .. 2^31 - 1], i.e. [0x00000000 .. 0x7FFFFFFF]
  • 0x80000000 is a negative signed 32-bit value, -2147483648 (INT_MIN), so branchcond1 is false and the ret = -x branch is taken; negating INT_MIN in 32-bit two's complement wraps back to 0x80000000, so ret is still negative. (In C this signed overflow is undefined behaviour; the bit-vector model makes it wrap, which is what the hardware does.)

  24. Example
  int example1(int x) {
      int ret;
      if (x > 0) ret = x;
      else ret = -x;
      assert(ret >= 0);
      return ret;
  }
  SSA: ret1 = x0; ret2 = -x0; ret3 = (x0 > 0 ? ret1 : ret2)
  Q: Is !(ret3 >= 0) satisfiable? Yes: the assertion is violated if x = -2147483648.

  25. Slightly Modified Example
  int example1(char x) {
      int ret;
      if (x > 0) ret = x;
      else ret = -x;
      assert(ret >= 0);
      return ret;
  }
  SSA: ret1 = x0; ret2 = -x0; ret3 = (x0 > 0 ? ret1 : ret2)
  Q: Is !(ret3 >= 0) satisfiable?

  26. Example SSA ret1 = x0 ret2 = -x0 ret3 = (x0>0 ? ret1 : ret2) Is !(ret3 >= 0) satisfiable? :extrafuns(x0 BitVec[32]) :extrafuns(ret1 BitVec[32]) :extrafuns(ret2 BitVec[32]) :extrafuns(ret3 BitVec[32]) :extrapreds(branchcond1) :assumption (= ret1 (sign_extend[24] x0)) :assumption (= ret2 (bvneg(sign_extend[24]x0)) :assumption (iff branchcond1 (bvsgt x0 bv0[32]) :assumption (= ret3 (ite branchcond1 ret1 ret2) (not (bvsge ret3 bv0[32]) :formula true

  27. Querying the Solver
  $ ./z3 example1.smt -m
  unsat
  int example1(char x) { ... }   (the char version from slide 25)
  No satisfying assignment exists ==> the assertion holds for all possible inputs! With x a signed char, -x lies in [-127 .. 128], which an int holds without overflow. The guarantee is only as strong as the encoding: unsat means no model of the formula violates the assertion, so a wrong width, a missing sign extension, or a loop unrolled too few times would silently weaken it.

  28. SMT-LIB "Cheat" Sheet: Bit-vectors
  • Declare a 32-bit "variable" a: :extrafuns ((a BitVec[32]))
  • n-bit sign extension of a: sign_extend[n] a
  • 32-bit constant 1234: bv1234[32]
  • Unary functions: ~a → (bvnot a); -a → (bvneg a)
  • Binary functions, written prefix as (bvfoo a b):
      & → bvand    | → bvor    ^ → bvxor    + → bvadd    << → bvshl    >> → bvlshr
  • Binary predicates: > → bvsgt, >= → bvsge
  • Signedness caveat: bvsgt/bvsge (and bvslt/bvsle) are signed comparisons; unsigned C operands need bvugt/bvuge/bvult/bvule. bvlshr is the logical right shift, right for unsigned >>; for a signed int, gcc and clang shift arithmetically, which is bvashr. bvadd, bvsub, bvmul and the bitwise functions are the same for both signednesses.

  29. SMT-LIB "Cheat" Sheet: Booleans
  • Declare a predicate C: :extrapreds ((C))
  • Unary connective: !C → (not C)
  • Binary connectives: => → (implies C D); && → (and C D); || → (or C D); xor → (xor C D); <=> → (iff C D)
  • Ternary connective: C ? a : b → (ite C a b), where a and b can be bit-vectors

  30. Exercise: C Operator Precedence
  a = (b >> c) + d;
  b = -(a ^ ~c);
  • SSA equations?
  • SMT-LIB formula?

  31. Exercise: C Operator Precedence
  int a, b; char d;
  a = (b >> 3) + d;
  b = -(a ^ ~d);
  SSA:
  a1 = (b0 >> 3) + d0;
  b1 = -(a1 ^ ~d0);
  SMT-LIB:
  :extrafuns ((a1 BitVec[32]))
  :extrafuns ((b0 BitVec[32]))
  :extrafuns ((b1 BitVec[32]))
  :extrafuns ((d0 BitVec[8]))
  :assumption (= a1 (bvadd (bvlshr b0 bv3[32]) (sign_extend[24] d0)))
  :assumption (= b1 (bvneg (bvxor a1 (bvnot (sign_extend[24] d0)))))
  (d is promoted to int before ~ and + apply, hence the sign_extend. b is a signed int, so bvashr models what gcc and clang do for b >> 3; bvlshr, as written above, models a logical shift, i.e. an unsigned b.)
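The SSA construction of slides 17-20 and the SMT-LIB encoding of slides 21-31, worked as one added example (written for this page; it is not code from the slides or from the CS161 lab). The Python helper below, `SSAEncoder`/`encode`, is hypothetical: it reads a small C-like subset written in Python syntax (assignment, if/else, assert, and `for _ in range(k)` with a constant k), performs the three SSA steps of slide 17, merges `if` branches with `ite` as on slide 18 (the bounded-model-checking form), and emits an SMT-LIB 2 script, the current standard that z3 reads, instead of the SMT-LIB 1.x of slides 22 and 26. It assumes 32-bit `int`, 8-bit signed `char` with C integer promotion (sign-extend on read, truncate on store), and encodes signed `>>` as `bvashr` rather than slide 31's `bvlshr`. The constant `EXAMPLE1` is slide 20's `example1` transcribed into that subset.

```python
import ast      # ast.unparse needs Python 3.9+
import copy

# Added example for this page, not code from the slides: a hypothetical helper that
# turns a small C-like program (written in Python syntax) into the SSA equations of
# slides 17-20 and an SMT-LIB 2 bit-vector query (slides 22/26 use SMT-LIB 1.x).
# Supported: assignment, if/else, assert, `for _ in range(k)` with constant k.
# Assumed: 32-bit int, 8-bit signed char, C integer promotion (sign-extend on read,
# truncate on store); signed >> encoded as bvashr, the shift gcc and clang emit.

BINOP = {ast.Add: "bvadd", ast.Sub: "bvsub", ast.BitAnd: "bvand", ast.BitOr: "bvor",
         ast.BitXor: "bvxor", ast.LShift: "bvshl", ast.RShift: "bvashr"}
CMP = {ast.Gt: "bvsgt", ast.GtE: "bvsge", ast.Lt: "bvslt", ast.LtE: "bvsle",
       ast.Eq: "=", ast.NotEq: "distinct"}   # signed comparisons, as C does on int


class SSAEncoder:
    def __init__(self, widths):               # e.g. {"x": 32, "ret": 32}
        self.w = widths
        self.ver = {v: 0 for v in widths}      # current version of each variable
        self.count = dict(self.ver)            # highest version created so far (never reset)
        self.ssa, self.decls, self.asserts = [], [], []
        for v in widths:                       # version 0: an input or an uninitialised
            self.declare(v, 0)                 # local, an unconstrained symbol either way

    def declare(self, v, n):
        self.decls.append(f"(declare-const {v}{n} (_ BitVec {self.w[v]}))")

    def fresh(self, v):                        # rename the LHS to a new variable (slide 17, step 2)
        self.count[v] += 1
        self.ver[v] = self.count[v]
        self.declare(v, self.ver[v])
        return f"{v}{self.ver[v]}"

    def read(self, v):                         # last assigned name (slide 17, step 3), promoted to 32 bits
        name = f"{v}{self.ver[v]}"
        return name if self.w[v] == 32 else f"((_ sign_extend {32 - self.w[v]}) {name})"

    def text(self, e):                         # readable SSA form: every read renamed to its version
        e = copy.deepcopy(e)
        for n in ast.walk(e):
            if isinstance(n, ast.Name):
                n.id = f"{n.id}{self.ver[n.id]}"
        return ast.unparse(e)

    def term(self, e):                         # C expression -> SMT-LIB 2 term (cheat sheet, slides 28-29)
        if isinstance(e, ast.Name): return self.read(e.id)
        if isinstance(e, ast.Constant): return f"(_ bv{e.value % 2**32} 32)"
        if isinstance(e, ast.UnaryOp):
            op = "bvneg" if isinstance(e.op, ast.USub) else "bvnot"
            return f"({op} {self.term(e.operand)})"
        if isinstance(e, ast.BinOp):
            return f"({BINOP[type(e.op)]} {self.term(e.left)} {self.term(e.right)})"
        if isinstance(e, ast.Compare) and len(e.ops) == 1:
            return f"({CMP[type(e.ops[0])]} {self.term(e.left)} {self.term(e.comparators[0])})"
        raise ValueError(f"unsupported expression: {ast.dump(e)}")

    def stmt(self, s):
        if isinstance(s, ast.Assign):
            v, rhs, txt = s.targets[0].id, self.term(s.value), self.text(s.value)
            if self.w[v] != 32:                # narrow store keeps the low bits, as C does
                rhs = f"((_ extract {self.w[v] - 1} 0) {rhs})"
            lhs = self.fresh(v)
            self.ssa.append(f"{lhs} = {txt}")
            self.asserts.append(f"(assert (= {lhs} {rhs}))")
        elif isinstance(s, ast.If):            # bounded-model-checking style (slide 18)
            cond, ctxt, before = self.term(s.test), self.text(s.test), dict(self.ver)
            for b in s.body: self.stmt(b)
            then_ver, self.ver = self.ver, dict(before)
            for b in s.orelse: self.stmt(b)
            for v in self.w:                   # merge the two branch versions with ite (the phi node)
                if then_ver[v] != self.ver[v]:
                    t, f = f"{v}{then_ver[v]}", f"{v}{self.ver[v]}"
                    m = self.fresh(v)
                    self.ssa.append(f"{m} = ({ctxt} ? {t} : {f})")
                    self.asserts.append(f"(assert (= {m} (ite {cond} {t} {f})))")
        elif isinstance(s, ast.For):           # for _ in range(k): unroll k times (slide 17, step 1)
            for _ in range(s.iter.args[0].value):
                for b in s.body: self.stmt(b)
        elif isinstance(s, ast.Assert):        # ask the solver for an input that FAILS the assertion
            self.ssa.append(f"Is !({self.text(s.test)}) satisfiable?")
            self.asserts.append(f"(assert (not {self.term(s.test)}))")
        else:
            raise ValueError(f"unsupported statement: {ast.dump(s)}")


def encode(source, widths):                    # -> (SSA equations, SMT-LIB 2 script for `z3 -smt2 f.smt2`)
    enc = SSAEncoder(widths)
    for s in ast.parse(source).body:
        enc.stmt(s)
    return enc.ssa, "\n".join(["(set-logic QF_BV)", *enc.decls, *enc.asserts, "(check-sat)", "(get-model)"])


EXAMPLE1 = "if x > 0:\n    ret = x\nelse:\n    ret = -x\nassert ret >= 0\n"   # slide 20's example1 (constructed)

if __name__ == "__main__":
    for widths in ({"x": 32, "ret": 32}, {"x": 8, "ret": 32}):   # int x (slide 20), char x (slide 25)
        ssa, script = encode(EXAMPLE1, widths)
        print("\n".join(ssa), script, sep="\n")
```

`encode(EXAMPLE1, {"x": 32, "ret": 32})` reproduces slide 20's equations `ret1 = x0`, `ret2 = -x0`, `ret3 = (x0 > 0 ? ret1 : ret2)` and the query on `!(ret3 >= 0)`; `{"x": 8, "ret": 32}` gives the char version of slide 26. Saved to a file and run with `z3 -smt2`, the first script answers sat with `x0 = #x80000000` and the second unsat, as on slides 23 and 27. Because the `if` is folded into one `ite`, a single query covers both paths; a dynamic symbolic executor would instead keep the two branch conditions apart and solve one path formula at a time, as on slides 13-14.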

  32. Additional References
  • An enjoyable read on verification history: Vijay D'Silva, Tales from Verification History
  • More about "constraint solvers": Daniel Kroening & Ofer Strichman, Decision Procedures: An Algorithmic Point of View
