Transcript: Trustworthy Systems from Un-Trusted Components (TSUNAMi project, 2018)
Trustworthy Systems from Un-Trusted Components
Presented by Prof. Abhik Roychoudhury, National University of Singapore, [email protected]
http://www.comp.nus.edu.sg/~tsunami

Ongoing NRF Project: Overall Outlook
• Vulnerability Discovery
• Binary Hardening
• Verification
• Data Protection
• Agency Collaboration
• Industry Collaboration
• Education: NUS Bachelors in Infosec
• Research Outputs: publications, tools, academic collaboration, exchanges, seminars, workshops
• Enhancing local capabilities

Project Highlights
• Usage and research impact
◦ Integration into widely used tools like AFL, with active user groups
◦ DARPA CGC binaries: finds crashes more than 10 times faster
◦ Integrated into the most widely used security testing tool
◦ Angelix tool on automated program repair
◦ Security vulnerabilities remain unpatched for long…
• Research visibility
◦ Invited talks at the Summer School on Information Security and many other venues
◦ IEEE Innovation Spotlight 2018, selected from among all IEEE articles
• Educational impact
◦ Degree program in Infosec at NUS started concurrently
◦ Modules being created using outcomes of the project
◦ Hands-on CTF education in existing classes using project outcomes

Highlights: Scholarly Impact
• High-citation trend
◦ Data-oriented programming, April 2016 [FWCI 22.89]
◦ Angelix paper on automated program repair, May 2016 [FWCI 26.09]
◦ "Home run" papers with field-weighted citation impact > 20
• Dagstuhl workshop on Automated Repair organized, January 2017
• Recent invited talks
◦ Distinguished Lecture at Luxembourg S&T center, January 2017
◦ KLEE workshop on Symbolic Execution, April 2018
◦ 9th International Summer School on Information Security and Protection, July 2018: https://cs.anu.edu.au/cybersec/issisp2018/
• Publications: CCS, NDSS, Usenix Security, S&P, ICSE, FSE

Sample Technologies from TSUNAMi
(Presentation to NRF Expert Panel, Feb 23, 2018)

• AFLFast: 10x faster than AFL
◦ 1st place @ Hacker News
◦ 2nd place @ DARPA CGC (Team Codejitsu)
◦ 6 CVEs @ US National Vulnerability Database (initial count, at the time of publication only)
◦ 180 stars @ GitHub (+90 forks)
◦ 2000 USD @ Google security bug bounties
◦ Integrated into main-line AFL
• AFLGo: 1st directed greybox fuzzer
◦ 17 CVEs @ US National Vulnerability Database
◦ 39 bugs @ security-critical internet libraries (libxml)
◦ 41 stars @ GitHub (9 forks)
◦ Outperforms the state of the art in patch testing (KATCH)
◦ Outperforms the state of the art in crash reproduction (BugRedux)
• LowFat: Efficient Binary Hardening
◦ Detects stack/buffer overflows and type confusion attacks
◦ 17% performance overhead (vs. 45% for the state of the art)
◦ 12% memory overhead (vs. 700% for the state of the art)
◦ Integrated with AFLFast and AFLGo to detect more vulnerabilities more efficiently!

Secure Smart Nation Infrastructure
• Certification of software for IoT devices in smart homes, smart health, robots/drones
• Focus on environment-aware functionality certification, but also weave in non-functional properties
• Capabilities for such certification exist in NUS, and some partnerships for translation, but more may be needed

TSUNAMi Project
• Reactive Software Security (WP1)
◦ Automated Vulnerability Detection
◦ Automated Vulnerability Repair
• Proactive Software Security (WP2 + WP3)
◦ Automated Hardening
◦ Automated Protocol Verification
• Assuming a Compromised Operating System (WP4)
◦ Ensuring Secure Application Execution

WP1: Binary Analysis

AFLGo: Directed Greybox Fuzzing [CCS'17]
• Directed fuzzing as an optimization problem (no constraint solving)
• Program analysis moved to instrumentation time, to retain the efficiency of greybox fuzzing
• Distance of a seed to the target locations is computed efficiently at runtime
• Find the global minimum using a search meta-heuristic: simulated annealing
• Results: outperforms KATCH and BugRedux; 17 CVEs assigned
• Applications: patch testing, crash reproduction, information flow analysis

AFLFast: Coverage-based Greybox Fuzzing [CCS'16, TSE'18]
• Model greybox fuzzing as a Markov chain
• Design power schedules to regulate the "energy" (the number of inputs generated from a seed) so that path exploration gravitates towards low-frequency paths
• Results and impact
◦ 10x faster than the state of the art
◦ Received 2000 USD @ Google bug bounty
◦ Outperforms KLEE on vulnerability detection
◦ 2nd place (on vulnerability detection) @ DARPA CGC (Team Codejitsu)
◦ 6 CVEs
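The two schedules above, worked through on a small constructed example. This is an added illustration for the AFLGo and AFLFast slides, not code from either tool: the control-flow graph, the seed traces and the path counts are made up here, and the parameter values (the time-to-exploitation t_x, beta and the cap M) are assumptions for the example. The formulas themselves follow the CCS'17 and CCS'16 papers: per-block distance to the targets computed once at instrumentation time, a seed's distance as the mean over the blocks it executed, an annealing factor that starts at 1 for every seed and later favours seeds close to the targets, and the FAST schedule that gives exponentially more energy to seeds on rarely exercised paths.

```python
"""Greybox-fuzzing power schedules (AFLGo distance + annealing, AFLFast FAST).
Added illustration, not AFLGo/AFLFast code: CFG, traces and constants are
constructed for this example."""
from collections import deque

# Constructed control-flow graph: block -> successor blocks.  "t" is the target.
CFG = {
    "entry": ["parse", "bail"],
    "parse": ["check", "bail"],
    "check": ["t", "parse"],
    "t": [],
    "bail": [],
}
TARGETS = {"t"}


def block_distances(cfg, targets):
    """Instrumentation-time analysis: distance of every block to the target set
    (0.0 for a target block, None if no target is reachable).  Per-target
    shortest paths come from a reverse BFS and are aggregated with the paper's
    harmonic formula (reciprocal of the sum of reciprocals), which for a single
    target is just the path length."""
    preds = {b: [] for b in cfg}
    for b, succs in cfg.items():
        for s in succs:
            preds[s].append(b)
    per_target = {}
    for t in targets:
        dist, queue = {t: 0}, deque([t])
        while queue:
            b = queue.popleft()
            for p in preds[b]:
                if p not in dist:
                    dist[p] = dist[b] + 1
                    queue.append(p)
        per_target[t] = dist
    out = {}
    for b in cfg:
        if b in targets:
            out[b] = 0.0
            continue
        reach = [per_target[t][b] for t in targets if b in per_target[t]]
        out[b] = 1.0 / sum(1.0 / d for d in reach) if reach else None
    return out


def seed_distance(trace, bdist):
    """Runtime step: mean distance of the executed blocks that have a distance."""
    ds = [bdist[b] for b in trace if bdist[b] is not None]
    return sum(ds) / len(ds) if ds else None


def annealing_factor(d_norm, t, t_x):
    """AFLGo's simulated-annealing power factor.  d_norm is the seed distance
    normalised to [0, 1] over the queue (0 = closest).  The temperature is 1 at
    t = 0 and cools towards 0 around t = t_x, so early on every seed gets factor
    1 (exploration) and later close seeds are favoured by up to 2^5."""
    temp = 20.0 ** (-float(t) / t_x)
    p = (1.0 - d_norm) * (1.0 - temp) + 0.5 * temp
    return 2.0 ** (10.0 * p - 5.0)


def aflgo_energies(seed_traces, bdist, t, t_x, base_energy=1.0):
    """Energy per seed: AFL's baseline energy scaled by the annealing factor."""
    dist = {name: seed_distance(tr, bdist) for name, tr in seed_traces.items()}
    known = [d for d in dist.values() if d is not None]
    lo, hi = min(known), max(known)
    energies = {}
    for name, d in dist.items():
        if d is None:                      # touched no block with a distance: farthest
            d_norm = 1.0
        else:
            d_norm = 0.0 if hi == lo else (d - lo) / (hi - lo)
        energies[name] = base_energy * annealing_factor(d_norm, t, t_x)
    return energies


def fast_schedule(alpha, s, f, beta=1.0, cap=64.0):
    """AFLFast's FAST schedule for seed i: alpha is AFL's baseline energy, s the
    number of times i was selected from the queue, f the number of generated
    inputs so far that exercise i's path; beta and cap are constants."""
    return min(alpha / beta * (2.0 ** s) / f, cap)


if __name__ == "__main__":
    bd = block_distances(CFG, TARGETS)
    traces = {"s_hit": ["entry", "parse", "check", "t"], "s_bail": ["entry", "bail"]}
    for when in (0, 30, 60):
        print("t =", when, aflgo_energies(traces, bd, t=when, t_x=60))
    print(fast_schedule(alpha=2, s=3, f=4), fast_schedule(alpha=2, s=3, f=4000))
```

At t = 0 both seeds get the same energy; by t = t_x the seed that reached the target gets several hundred times the energy of the one that bailed out, which is the "distance as optimisation objective, no constraint solving" point of the slide. The FAST schedule is independent of any target: a seed whose path has been exercised 4000 times is starved relative to one exercised 4 times.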

Bucketing Failing Tests via Symbolic Analysis [FASE'17]
• Point-of-failure and call-stack based bucketing do not take program semantics into account, leading to over-condensing, send-bucket and long-tail problems
• Our symbolic analysis based solution
◦ Identify the culprit constraint
◦ Use the culprit constraint as the semantic "reason" for the failure
◦ Group failing paths having the same "reason" together
[Figure: failing tests f1 to f4 (x marks the failures) follow paths from program point p1 through branch conditions b1 to b5; the culprit constraint is highlighted on the failing paths and defines the bucket.]

Automated Program Repair

(a) Correct linear search (the reference implementation):

```c
int search(int x, int a[], int length) {
    int i;
    for (i = 0; i < length; i++) {
        if (x == a[i])
            return i;
    }
    return -1;
}
```

(b) Buggy binary search:

```c
int search(int x, int a[], int length) {
    int L = 0;
    int R = length - 1;
    do {                          /* note: for length == 0 the body still runs once and reads a[0] */
        int m = (L + R) / 2;
        if (x == a[m]) {
            return m;
        } else if (x < a[m]) {    /* bug: should be x > a[m]; as written the search moves right when x is smaller */
            L = m + 1;
        } else {
            R = m - 1;
        }
    } while (L <= R);
    return -1;
}
```

User-defined condition (precondition on the inputs): length = 3 & a[0] < a[1] < a[2]
Verification condition: on every input satisfying the user-defined condition, (b) must return the same result as the reference (a).
Experiments on embedded Linux (BusyBox)

SemGraft (ICSE'18): repair against a reference program
[Figure: the repair loop. Symbolic analysis of the buggy program and the reference program produces a verification condition. Negate it and ask: is it SAT? No: the patch is found. Yes: the model is a counterexample input, which is run symbolically through the buggy program to extend the angelic forest (the values the suspicious expressions must take for that input to pass). Is the angelic forest SAT, i.e. is there a candidate patch from the component library consistent with it? Yes: the candidate patch is substituted into the buggy program and the loop returns to the verification condition.]
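A runnable version of the loop on the slide's own search example (the buggy binary search of slide (b) against the linear search of slide (a)). This is an added illustration for the two repair slides, not Angelix or SemGraft code: their symbolic analysis is replaced by exhaustive checking over a small bounded input domain, the "component library" is just the six comparison operators for the suspicious condition, and the "angelic forest" collapses to the set of counterexample tests collected so far. The slide's user-defined condition (strictly increasing array) is kept; the value range 0..4 and the length bound 3 are assumptions of this example.

```python
"""Counterexample-guided repair of the buggy binary search against the
reference linear search.  Added illustration, not Angelix/SemGraft code."""
import itertools
import operator

# Component library for the suspicious condition `x ? a[m]` (hypothetical choice for this example)
COMPONENTS = [("<", operator.lt), ("<=", operator.le), ("==", operator.eq),
              ("!=", operator.ne), (">", operator.gt), (">=", operator.ge)]


def linear_search(x, a):
    """Reference implementation, slide (a)."""
    for i, v in enumerate(a):
        if x == v:
            return i
    return -1


def binary_search(x, a, cmp):
    """Slide (b) with the suspicious comparison parameterised; cmp = lt is the original bug."""
    lo, hi = 0, len(a) - 1
    while True:                       # the slide's do/while; callers pass len(a) >= 1
        m = (lo + hi) // 2
        if x == a[m]:
            return m
        elif cmp(x, a[m]):
            lo = m + 1
        else:
            hi = m - 1
        if not lo <= hi:
            return -1


def bounded_inputs(max_len=3, values=range(5)):
    """All (x, a) with 1 <= len(a) <= max_len and a strictly increasing, i.e. the
    slide's user-defined condition a[0] < a[1] < a[2] (shorter arrays added here)."""
    for n in range(1, max_len + 1):
        for a in itertools.combinations(values, n):
            for x in values:
                yield x, list(a)


def verify(cmp):
    """Bounded stand-in for the verification condition: a counterexample (x, a)
    on which the patched program disagrees with the reference, or None."""
    for x, a in bounded_inputs():
        if binary_search(x, a, cmp) != linear_search(x, a):
            return (x, a)
    return None


def repair(components=COMPONENTS):
    """CEGIS loop: keep the counterexamples found so far as tests, take the first
    component consistent with them, verify it, and on failure add the new
    counterexample and retry.  Returns (operator_name, tests, verify_calls)."""
    tests = []
    verify_calls = 0
    while True:
        candidate = None
        for name, cmp in components:
            if all(binary_search(x, a, cmp) == linear_search(x, a) for x, a in tests):
                candidate = (name, cmp)
                break
        if candidate is None:             # library exhausted: no patch
            return None, tests, verify_calls
        verify_calls += 1
        cex = verify(candidate[1])
        if cex is None:
            return candidate[0], tests, verify_calls
        tests.append(cex)


if __name__ == "__main__":
    print(repair())                   # ('>', [(1, [0, 1]), (0, [0, 1, 2])], 3)
```

The first counterexample rules out the buggy `<`; the first component consistent with it is `!=`, which the verifier then refutes with an element to the left of the probe; only then is `>` (the comment in slide (b)) tried and verified. That two-round trip is the point of keeping a reference program: the tests are generated by the verifier, not supplied by hand.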
WP2: Binary Hardening

EffectiveSan: Dynamically Typed C/C++ [PLDI'18]
• EffectiveSan is a comprehensive dynamic type checker for C/C++ programs
• Key observation: most C/C++ vulnerabilities are type errors
• EffectiveSan directly detects the following classes of error:
◦ Type errors (type confusion, bad casts, etc.)
◦ Bounds errors (buffer overflows, etc.)
◦ Sub-object bounds errors (overwriting vptrs, etc.)
◦ Use-after-free, reuse-after-free, and double free errors

How EffectiveSan Works [PLDI'18]
• EffectiveSan stores metadata (META) at the base of every object
• Given a pointer p into object q, use the low-fat pointer base(p) to find META (LowFat: the allocator places objects in size-class regions, so base and size follow from the pointer value alone, with no shadow memory lookup)
• META stores the dynamic type, which is checked at runtime
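A small model of the two mechanisms on this slide: recovering base(p) from a low-fat pointer and consulting META at that base. This is an added illustration, not LowFat or EffectiveSan code. Addresses are plain integers; the region layout (one 4 GiB region per size class), the size-class table and the type representation are assumptions of this example (real LowFat uses a different table and computes the base with a multiply-by-inverse, and EffectiveSan's type metadata covers sub-objects, while the checks here are object-level).

```python
"""Low-fat pointer base/size recovery with EffectiveSan-style META type checks.
Added illustration only; layout, size classes and META format are constructed."""

REGION_BITS = 32                       # assumption: every size class owns a 4 GiB region
SIZE_CLASSES = [16, 32, 64, 128, 256]  # assumption: region i (1-based) holds only SIZE_CLASSES[i-1]-byte objects
FREED = "<freed>"


def region_index(p):
    return p >> REGION_BITS


def lowfat_size(p):
    """Allocation size for a low-fat pointer, or None for a non-fat pointer
    (anything outside the size-class regions, e.g. a stack or global address)."""
    idx = region_index(p)
    return SIZE_CLASSES[idx - 1] if 1 <= idx <= len(SIZE_CLASSES) else None


def lowfat_base(p):
    """base(p) from the pointer value alone: a region starts at a multiple of its
    size class, so the base is p rounded down to that size class."""
    size = lowfat_size(p)
    return None if size is None else p - (p % size)


class Heap:
    """Toy allocator: an object goes into the region of the smallest size class
    that fits; META (type name, requested size) is recorded at the base."""
    def __init__(self):
        self.next_slot = {i: 0 for i in range(1, len(SIZE_CLASSES) + 1)}
        self.meta = {}

    def alloc(self, type_name, nbytes):
        idx = next((i for i, s in enumerate(SIZE_CLASSES, 1) if s >= nbytes), None)
        if idx is None:
            raise ValueError("no size class for %d bytes" % nbytes)
        base = (idx << REGION_BITS) + self.next_slot[idx] * SIZE_CLASSES[idx - 1]
        self.next_slot[idx] += 1
        self.meta[base] = (type_name, nbytes)
        return base

    def free(self, p):
        """Returns False for an invalid or double free; META keeps saying 'freed'."""
        base = lowfat_base(p)
        if base is None or base not in self.meta or self.meta[base][0] == FREED:
            return False
        self.meta[base] = (FREED, self.meta[base][1])
        return True


def bounds_check(heap, p, nbytes):
    """Bounds check: the access [p, p + nbytes) must stay inside the object.  The
    exact size comes from META; LowFat alone would use the allocation size."""
    base = lowfat_base(p)
    if base is None:
        return True                    # non-fat pointer: not instrumented
    _, obj_size = heap.meta.get(base, (None, lowfat_size(p)))
    return base <= p and p + nbytes <= base + obj_size


def type_check(heap, p, expected_type):
    """EffectiveSan-style check: the dynamic type in META at base(p) must match
    the type the access expects; a freed object has no valid type (use-after-free)."""
    base = lowfat_base(p)
    if base is None:
        return True
    meta = heap.meta.get(base)
    return meta is not None and meta[0] == expected_type


if __name__ == "__main__":
    h = Heap()
    u = h.alloc("struct user", 48)            # lands in the 64-byte class, region 3
    print(hex(u), lowfat_base(u + 10) == u, lowfat_size(u + 10))
    print(bounds_check(h, u + 44, 8))         # False: 52 > 48, a 4-byte overflow
    print(type_check(h, u, "struct admin"))   # False: type confusion
    h.free(u)
    print(type_check(h, u, "struct user"))    # False: use-after-free
```

The thing to notice is that neither check needs a lookup keyed by the pointer itself: base(p) is arithmetic on p, and META is a single read at that base, which is where the 17% / 12% overhead figures of the earlier slide come from. A stack pointer falls outside the size-class regions and is simply not checked in this model.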
WP3: Formal Verification

Communication as protocol
• The interaction between components is termed a protocol
• E.g., the Single-Sign-On (SSO) protocol: the communication among a browser, a web server and a website using the SSO service
[Figure: the user (client) logs in to the Identity Provider (IdP) with username & password, receives an access token, and presents the access token to A.com.]

Communication as protocol
• Developed a framework to extract protocols from messages and perform formal analysis
◦ Protocol extraction
◦ Protocol modelling
◦ Model verification
◦ Result confirmation
[Figure: analysis pipeline. Inputs: network traces, SDK analysis and the security property. Modelling: protocol extraction, then protocol modelling, then refinement, repeated until finished. Analysis: the model plus an attacker model go to formal verification, and the refined protocol plus an attacker model go to protocol fuzzing; both produce reports, which report analysis turns into a reconstructed attack and a confirmed vulnerability.]

Formal verification of protocols [ICFEM'17]
• Formal verification of communication protocols is necessary: protocols, and security protocols in particular, are error-prone
• Model checking based on PAT (Process Analysis Toolkit)
◦ Protocol: CSP# model
◦ Security properties: assertions or LTL
◦ Built a PAT library for modelling cryptographic primitives and reasoning on attacker knowledge (bounded sessions)

Formal verification of protocols [ICFEM'17]
• Verification of security protocols with unbounded sessions
• Stateful security protocols: global states which influence the protocol behaviour and may evolve unboundedly
• Developed a specification framework based on Horn clauses
• Developed a verification algorithm for stateful security protocols with unboundedly evolving global states
[Figure: a stateful protocol (the protocol and the global state influence each other; state changes) is represented as Horn clauses with states (specification framework). The verification algorithm deduces a targeted rule by reasoning in two directions: a forward knowledge search for the attacker, and a backward state search to find a valid evolving trace. Result: YES or NO.]
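The "reasoning on attacker knowledge" of the two ICFEM'17 slides, run on the SSO exchange from the earlier slide, as an added illustration. This is not the PAT library or the Horn-clause framework: terms are Python tuples, encryption is symmetric and perfect (a Dolev-Yao network attacker who sees every message), and the trace, the key names and the token are constructed here. Only the forward knowledge search is modelled; the backward search over evolving global state is not.

```python
"""Forward search over attacker knowledge on a captured SSO-style exchange.
Added illustration, not the ICFEM'17 framework or PAT; trace is constructed."""


def pair(a, b):
    return ("pair", a, b)


def enc(m, k):
    return ("enc", m, k)             # symmetric encryption of m under k


def analyze(knowledge):
    """Saturate the attacker's knowledge by decomposition: split pairs, and
    decrypt ciphertexts whose key is (or becomes) known.  Terminates because
    only subterms of already known terms are ever added."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for term in list(known):
            new = set()
            if isinstance(term, tuple) and term[0] == "pair":
                new = {term[1], term[2]}
            elif isinstance(term, tuple) and term[0] == "enc" and term[2] in known:
                new = {term[1]}
            if not new <= known:
                known |= new
                changed = True
    return known


def derivable(goal, known):
    """Synthesis direction: the attacker can produce goal if it is known, or can
    build it from derivable parts (pairing, or encrypting with a derivable key)."""
    if goal in known:
        return True
    if isinstance(goal, tuple) and goal[0] in ("pair", "enc"):
        return derivable(goal[1], known) and derivable(goal[2], known)
    return False


# Constructed trace of the slide's SSO flow.  Session keys stand in for the
# TLS channels; the attacker starts out knowing only its own key.
K_USER_IDP, K_USER_A, TOKEN = "k_user_idp", "k_user_a", "access_token"


def sso_trace(token_over_tls=True):
    msgs = [
        enc(pair("alice", "hunter2"), K_USER_IDP),   # user -> IdP: username & password
        enc(TOKEN, K_USER_IDP),                      # IdP -> user: access token
    ]
    # user -> A.com: the token, either inside the TLS session or in the clear
    msgs.append(enc(TOKEN, K_USER_A) if token_over_tls else TOKEN)
    return msgs


def attacker_knowledge(trace, initial=("k_attacker",)):
    return analyze(set(initial) | set(trace))


def secrecy_violated(secret, trace, initial=("k_attacker",)):
    """Secrecy query: can the network attacker derive `secret` from the trace?"""
    return derivable(secret, attacker_knowledge(trace, initial))


if __name__ == "__main__":
    print(secrecy_violated(TOKEN, sso_trace(True)))                           # False
    print(secrecy_violated(TOKEN, sso_trace(False)))                          # True: token in the clear
    print(secrecy_violated(TOKEN, sso_trace(True), ("k_attacker", K_USER_A)))  # True: session key leaked
```

Two things the query shows that the slide's prose does not: the attacker learns and can replay the ciphertext `enc(TOKEN, k_user_a)` even while the token itself stays secret, and a secrecy query alone cannot say whether that replay is accepted, which is exactly where the global state of the second slide (has this token already been used?) has to enter the model.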
WP4: Sensitive Data Protection

Constant Latency Read-Only ORAM
• Leakage via data access patterns is common
• Oblivious RAM incurs at best O(log N) overhead for read/write accesses
• Key insight: for read-only data, the shuffle and access steps can be parallelized
• Our approach: with √N trusted-hardware (SGX) cores on the server
◦ Distribute the work of each shuffle step across multiple threads
◦ This matches the rate of access operations to the rate of shuffle operations
• Result: constant latency given sufficient computational cores (80 threads); 0.3 seconds to fetch a block of 256 KB
• RQ: Can we achieve "constant latency" for specific cases in real applications?
[Figure: settings where access patterns leak (encrypted RAM, encrypted cloud storage, peer-to-peer/distributed systems) and data whose access pattern is sensitive (secret keys, user queries, online behaviour, photos, music, PDFs, videos).]

Panoply: Micro-containers for SGX [NDSS'17]
• Micro-containers with a targeted 20K-30K lines of code of TCB
• Unlike LibOSes, Panoply doesn't virtualize the namespace

Panoply: Micro-containers for SGX [NDSS'17]
• Tool-chain and OS support for new security primitives and encrypted computation
• Panoply prototype
◦ Security primitives supporting application execution
◦ Limited SDK, compiler, and library support
◦ Currently tested on 4 case studies:
◦ H2O: HTTP/2 web server, using Neverbleed privilege separation to keep private keys out of the main process
◦ Tor: distributed anonymous network
◦ FreeTDS: database streaming application
◦ OpenSSL: popular SSL/TLS and cryptographic library