29 research outputs found
Towards Vulnerability Discovery Using Staged Program Analysis
Eliminating vulnerabilities from low-level code is vital for securing
software. Static analysis is a promising approach for discovering
vulnerabilities since it can provide developers early feedback on the code they
write. But, it presents multiple challenges not the least of which is
understanding what makes a bug exploitable and conveying this information to
the developer. In this paper, we present the design and implementation of a
practical vulnerability assessment framework, called Melange. Melange performs
data and control flow analysis to diagnose potential security bugs, and outputs
well-formatted bug reports that help developers understand and fix security
bugs. Based on the intuition that real-world vulnerabilities manifest
themselves across multiple parts of a program, Melange performs both local and
global analyses. To scale up to large programs, global analysis is
demand-driven. Our prototype detects multiple vulnerability classes in C and
C++ code including type confusion, and garbage memory reads. We have evaluated
Melange extensively. Our case studies show that Melange scales up to large
codebases such as Chromium, is easy-to-use, and most importantly, capable of
discovering vulnerabilities in real-world code. Our findings indicate that
static analysis is a viable reinforcement to the software testing tool set.Comment: A revised version to appear in the proceedings of the 13th conference
on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA),
July 201
Compiler-Based Approach to Enhance BliMe Hardware Usability
Outsourced computing has emerged as an efficient platform for data processing, but it has raised security concerns due to potential exposure of sensitive data through runtime and side-channel attacks. To address these concerns, the BliMe hardware extensions offer a hardware-enforced taint tracking policy to prevent secret-dependent data exposure. However, such strict policies can hinder software usability on BliMe hardware.
While existing solutions can transform software to make it constant-time and more compatible with BliMe policies, they are not fully compatible with BliMe hardware. To strengthen the usability of BliMe hardware, we propose a compiler-based tool to detect and transform policy violations, ensuring constant-time compliance with BliMe. Our tool employs static analysis for taint tracking and employs transformation techniques including array access expansion, control-flow linearization and branchless select. We have implemented the tool on LLVM-11 to automatically convert existing source code.
We then conducted experiments on WolfSSL and OISA to examine the accuracy of the analysis and the effect of the transformations. Our evaluation indicates that our tool can successfully transform multiple code patterns. However, we acknowledge that certain code patterns are challenging to transform. Therefore, we also discuss manual approaches and explore potential future work to expand the coverage of our automatic transformations
C++ const and Immutability: An Empirical Study of Writes-Through-const
The ability to specify immutability in a programming language is a
powerful tool for developers, enabling them to better understand and
more safely transform their code without fearing unintended changes to program state. The C++ programming language allows developers to
specify a form of immutability using the const keyword. In this work, we characterize the meaning of the C++ const qualifier and present the ConstSanitizer tool, which dynamically verifies a stricter form of immutability than that defined in C++: it identifies const uses that are either not consistent with transitive immutability, that write to mutable fields, or that write to formerly-const objects whose const-ness has been cast away.
We evaluate a set of 7 C++ benchmark programs to find writes-through-const, establish root causes for how they fail to respect our stricter definition of immutability, and assign attributes
to each write (namely: synchronized, not visible, buffer/cache,
delayed initialization, and incorrect). ConstSanitizer finds 17
archetypes for writes in these programs which do not respect our
version of immutability. Over half of these seem unnecessary to us.
Our classification and observations of behaviour in practice
contribute to the understanding of a widely-used C++ language feature
Evaluation of Hardware-based Data Flow Integrity
Computer security is a very critical problem these days, as it has widespread consequences in case of a failure of computer systems security, like desktop machines, mobile phones, tablets and Internet of Things (IoT) devices. Usually, attackers try to find vulnerabilities in the target systems and by exploiting these vulnerabilities, they launch an attack, thereby achieving their malicious goal.
Software data attacks modify the intended control/data flow in a program that is unprotected. Control data attacks are executed by exploiting buffer overflows or string vulnerabilities to overwrite a return address, a function pointer or some other information about control data. Non-control data attacks exploit similar vulnerabilities to overwrite security critical data without changing the intended control-flow in the program. Data flow integrity ensures that the flow of data in a program at runtime is permitted by the data flow graph. The main objective of the thesis is to implement a hardware-based data flow integrity technique and check for vulnerabilities on a target application. This implementation is achieved by referencing a data flow graph against which the runtime data flow of a program is checked. DFI checking is integrated into existing processor with most changes in hardware going to the load/store unit and the arithmetic unit. In gem5, this is realised by modifying source code of the simulator at instruction level to monitor each load/store instruction on the target application and check if there are any data flow violations and check the overhead caused by the modification of gem5 source code to integrate DFI checking with existing CPU models on gem5. From experiments results, we measured the performance overhead to be up to 14.5%. We also roughly estimate the extra hardware required for this implementation on real hardware
Enforcing Abstract Immutability
Researchers have recently proposed a number of systems for expressing,
verifying, and inferring immutability declarations. These systems are
often rigid, and do not support "abstract immutability". An abstractly
immutable object is an object o which is immutable from the point of
view of any external methods. The C++ programming language is not
rigid–it allows developers to express intent by adding immutability
declarations to methods. Abstract immutability allows for performance
improvements such as caching, even in the presence of writes to object
fields. This dissertation presents a system to enforce abstract
immutability.
First, we explore abstract immutability in real-world systems. We
found that developers often incorrectly use abstract immutability,
perhaps because no programming language helps developers correctly
implement abstract immutability. We believe that this omission leads
to incorrect usages. Specifically, we wrote a dynamic analysis that
reports any writes through immutability declarations. To our knowledge,
this work was the first to explore how objects implement abstract
immutability (or fail to implement it). Our novel study found three
uses of abstract immutability: caching, delayed initialization, and
unit testing. Unit testing was a surprising application of abstract
immutability, and we believe that the ability to modify state is
needed for proper unit testing.
Next, we explore developers' revealed needs for immutability in the
source code. We found that the majority of classes contain a mix of
immutable and mutable methods, with a majority of the overall methods
being immutable. Immutability systems with only immutable or
all-mutating classes are insufficient: developers need immutability
declarations at method granularity. Our study then combined developer
immutability declarations with results from a static analysis to
estimate the true number of immutable methods. The static analysis
checked that no transitive writes to a receiver object occurred. Our
results indicated the need for a sophisticated analysis to check that
these apparently abstractly immutable methods were indeed abstractly
immutable.
Finally, we created a novel static analysis which checks that
developers follow abstract immutability. Specifically, we define
abstract immutability to mean that a class's set of immutable methods
is collectively free of writes to exposed fields. Our analysis found
incorrect usages of abstract immutability, such as incorrect caching.
This analysis is particularly valuable in the context of code
evolution, whereby subsequent programmers may make changes that break
previously-correct cache implementations, for instance. Our work
allows developers to trust that their code is abstractly immutable