Enforcing Secure Object Initialization in Java
Sun and the CERT recommend, for secure Java development, not allowing partially initialized objects to be accessed. The CERT rates the severity of the risks taken by not following this recommendation as high. The solution currently used to enforce object initialization is to implement a coding pattern proposed by Sun, which is not formally checked. We propose a modular type system to formally specify the initialization policy of libraries or programs, and a type checker to statically check at load time that all loaded classes respect the policy. This makes it possible to prove the absence of bugs which have allowed some famous privilege escalations in Java. Our experimental results show that our safe default policy proves 91% of the classes of java.lang, java.security and javax.security safe without any annotation, and by adding 57 simple annotations we proved all classes but four safe. The type system and its soundness theorem have been formalized and machine checked using Coq.
Integrated Java Bytecode Verification
Existing Java verifiers perform an iterative data-flow analysis to discover the unambiguous type of values stored on the stack or in registers. Our novel verification algorithm uses abstract interpretation to obtain definition/use information for each register and stack location in the program, which in turn is used to transform the program into Static Single Assignment form. In SSA, verification is reduced to simple type compatibility checking between the definition type of each SSA variable and the type of each of its uses. Inter-adjacent transitions of a value through stack and registers are no longer verified explicitly. This integrated approach is more efficient than traditional bytecode verification but still as safe as strict verification, as overall program correctness can be induced once the data flow from each definition to all associated uses is known to be type-safe.
Formalizing non-interference for a simple bytecode language in Coq
In this paper, we describe the application of the interactive theorem prover Coq to the security analysis of bytecode as used in Java. We provide a generic specification and proof of non-interference for bytecode languages using the Coq module system. We illustrate the use of this formalization by applying it to a small subset of Java bytecode. The emphasis of the paper is on modularity of a language formalization and its analysis in a machine proof.
Sawja: Static Analysis Workshop for Java
Static analysis is a powerful technique for automatic verification of programs but raises major engineering challenges when developing a full-fledged analyzer for a realistic language such as Java. This paper describes the Sawja library: a static analysis framework fully compliant with Java 6 which provides OCaml modules for efficiently manipulating Java bytecode programs. We present the main features of the library, including (i) efficient functional data structures for representing programs with implicit sharing and lazy parsing, (ii) an intermediate stack-less representation, and (iii) fast computation and manipulation of complete programs.
Structural Encoding of Static Single Assignment Form
Static Single Assignment (SSA) form is often used as an intermediate representation during code optimization in Java Virtual Machines. Recently, SSA has successfully been used for bytecode verification. However, constructing SSA at the code consumer is costly. SSA-based mobile code transport formats have been shown to eliminate this cost by shifting SSA creation to the code producer. These new formats, however, are not backward compatible with the established Java class-file format. We propose a novel approach to transport SSA information implicitly through structural code properties of standard Java bytecode. While the resulting bytecode sequence can still be directly executed by traditional Virtual Machines, our novel VM can infer SSA form and confirm its safety with virtually no overhead.
Isolation Without Taxation: Near-Zero-Cost Transitions for WebAssembly and SFI
Software sandboxing or software-based fault isolation (SFI) is a lightweight approach to building secure systems out of untrusted components. Mozilla, for example, uses SFI to harden the Firefox browser by sandboxing third-party libraries, and companies like Fastly and Cloudflare use SFI to safely co-locate untrusted tenants on their edge clouds. While there have been significant efforts to optimize and verify SFI enforcement, context switching in SFI systems remains largely unexplored: almost all SFI systems use heavyweight transitions that are not only error-prone but incur significant performance overhead from saving, clearing, and restoring registers when context switching. We identify a set of zero-cost conditions that characterize when sandboxed code has sufficient structure to guarantee security via lightweight zero-cost transitions (simple function calls). We modify the Lucet Wasm compiler and its runtime to use zero-cost transitions, eliminating the undue performance tax on systems that rely on Lucet for sandboxing (e.g., we speed up image and font rendering in Firefox by up to 29.7% and 10% respectively). To remove the Lucet compiler and its correct implementation of the Wasm specification from the trusted computing base, we (1) develop a static binary verifier, VeriZero, which (in seconds) checks that binaries produced by Lucet satisfy our zero-cost conditions, and (2) prove the soundness of VeriZero by developing a logical relation that captures when a compiled Wasm function is semantically well-behaved with respect to our zero-cost conditions. Finally, we show that our model is useful beyond Wasm by describing a new, purpose-built SFI system, SegmentZero32, that uses x86 segmentation and LLVM with mostly off-the-shelf passes to enforce our zero-cost conditions; our prototype performs on par with the state-of-the-art Native Client SFI system.
C-FLAT: Control-FLow ATtestation for Embedded Systems Software
Remote attestation is a crucial security service particularly relevant to increasingly popular IoT (and other embedded) devices. It allows a trusted party (verifier) to learn the state of a remote, and potentially malware-infected, device (prover). Most existing approaches are static in nature and only check whether benign software is initially loaded on the prover. However, they are vulnerable to run-time attacks that hijack the application's control or data flow, e.g., via return-oriented programming or data-oriented exploits. As a concrete step towards more comprehensive run-time remote attestation, we present the design and implementation of Control-FLow ATtestation (C-FLAT), which enables remote attestation of an application's control-flow path without requiring the source code. We describe a full prototype implementation of C-FLAT on Raspberry Pi using its ARM TrustZone hardware security extensions. We evaluate C-FLAT's performance using a real-world embedded (cyber-physical) application, and demonstrate its efficacy against control-flow hijacking attacks.
Comment: Extended version of article to appear in CCS '16, Proceedings of the 23rd ACM Conference on Computer and Communications Security.