
    Semantics-driven design and implementation of high-assurance hardware


    Compositional Vulnerability Detection with Insecurity Separation Logic

    Memory-safety issues and information leakage are known to be depressingly common. We consider the compositional static detection of these kinds of vulnerabilities in first-order C-like programs. Existing methods often treat one type of vulnerability (e.g. memory-safety) but not the other (e.g. information leakage). Indeed, the latter are hyper-safety violations (a leak is only visible by comparing two executions of the program), making them more challenging to detect than the former. Existing leakage detection methods like Relational Symbolic Execution treat only non-interactive programs, avoiding the challenges raised by nondeterminism for reasoning about information leakage. Their implementations also do not treat non-trivial leakage policies like value-dependent classification, which are becoming increasingly common. Finally, being whole-program analyses, they cannot be applied compositionally, that is, to deduce the presence of vulnerabilities in a program by analysing each of its parts, thereby ruling out the possibility of incremental analysis. In this paper we remedy these shortcomings by presenting Insecurity Separation Logic (InsecSL), an under-approximate relational program logic for soundly detecting information leakage and memory-safety issues in interactive programs. We show how InsecSL can be soundly automated by bi-abduction based symbolic execution. Based on this, we design and implement a top-down, contextual, compositional, inter-procedural analysis for vulnerability detection. We implement our approach in a proof-of-concept tool, Underflow, for analysing C programs, which we demonstrate by applying it to various case studies.
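    The abstract above leans on two ideas a reader may not have met in code: that information leakage is a hyper-safety property (it can only be observed by comparing two runs that agree on everything the attacker may see), and that under a value-dependent classification policy what counts as "public" depends on a run-time value. The following C program is an added illustration, not code from the paper or from the Underflow tool. It assumes a constructed record type whose `data` field is secret exactly when its `is_secret` flag is set, encodes that policy as a low-equivalence relation on pairs of states, and runs a leaky handler and a hardened handler against pairs of low-equivalent states. A returned `true` is a concrete witness of a leak, which is the flavour of result an under-approximate logic like InsecSL delivers: it reports violations that really exist rather than proving their absence.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed record type for illustration (not from the paper):
 * the classification of `data` depends on the value of `is_secret`. */
struct record {
    int      is_secret;   /* always public: it is the policy's own flag   */
    uint32_t data;        /* secret if and only if is_secret != 0         */
};

/* Value-dependent low-equivalence: two states look identical to the
 * attacker when they agree on all parts the policy classifies as public.
 * `data` is public only when the (shared) flag says the record is not
 * secret, so the relation itself depends on the value of is_secret. */
bool low_equivalent(const struct record *a, const struct record *b) {
    if (a->is_secret != b->is_secret)
        return false;
    return a->is_secret ? true : (a->data == b->data);
}

typedef uint32_t (*handler_t)(const struct record *);

/* Leaky handler: returns data without consulting the classification. */
uint32_t handle_leaky(const struct record *r) {
    return r->data;
}

/* Hardened handler: releases data only for public records. */
uint32_t handle_hardened(const struct record *r) {
    return r->is_secret ? 0u : r->data;
}

/* Relational (hyper-safety) check. A single trace can never show a leak;
 * the check needs two low-equivalent input states whose observable
 * outputs differ. A true result is a witness of a genuine violation. */
bool leak_witness(handler_t h, const struct record *a, const struct record *b) {
    return low_equivalent(a, b) && h(a) != h(b);
}

/* Try a handler on two constructed pairs: a secret pair that differs only
 * in the secret field, and a public pair that differs in data. The public
 * pair is NOT low-equivalent, so differing outputs for it are not a leak. */
bool handler_leaks(handler_t h) {
    struct record secret_a = { 1, 0xCAFEBABEu };
    struct record secret_b = { 1, 0xDEADBEEFu };
    struct record public_a = { 0, 0x00000042u };
    struct record public_b = { 0, 0x00000043u };
    return leak_witness(h, &secret_a, &secret_b)
        || leak_witness(h, &public_a, &public_b);
}

int main(void) {
    printf("handle_leaky leaks:    %s\n", handler_leaks(handle_leaky) ? "yes" : "no");
    printf("handle_hardened leaks: %s\n", handler_leaks(handle_hardened) ? "yes" : "no");
    return 0;
}
```

    The point of `low_equivalent` is that the attacker's view is a relation on pairs of states, not a fixed set of variables: the same `data` field is in or out of that view depending on `is_secret`. A tool that fixes the classification statically per variable cannot express this policy, which is the gap the abstract refers to.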

    On the formal foundation of a verification approach for system-level concurrent programs

    Though program verification has been known and used for decades, the verification of a complete computer system remains a grand challenge. In essence, this challenge stems from the interaction of various programs. Different techniques have been proposed for the verification of communicating programs. Common to all, however, is that they rely on several (usually implicit) assumptions about the underlying system. Typically, such assumptions include compiler correctness, scheduler fairness, and a certain noninterference between the local program behavior and its environment. This thesis aims at discharging these assumptions for the processes of the microkernel Vamos. More specifically, this work formally justifies the abstraction from a kernel model with explicit, deterministic scheduling to a concurrent process system with non-deterministic but temporally fair scheduling. Our formal results form the foundation of a verification approach for system-level concurrent programs. We outline this approach on example properties of a user-mode operating system.