Verifying That a Compiler Preserves Concurrent Value-Dependent Information-Flow Security
It is common to prove by reasoning over source code that programs do not leak sensitive data. But doing so leaves a gap between reasoning and reality that can only be filled by accounting for the behaviour of the compiler. This task is complicated when programs enforce value-dependent information-flow security properties (in which classification of locations can vary depending on values in other locations) and complicated further when programs exploit shared-variable concurrency.
Prior work has formally defined a notion of concurrency-aware refinement for preserving value-dependent security properties. However, that notion is considerably more complex than standard refinement definitions typically applied in the verification of semantics preservation by compilers. To date it remains unclear whether it can be applied to a realistic compiler, because there exist no general decomposition principles for separating it into smaller, more familiar, proof obligations.
In this work, we provide such a decomposition principle, which we show can almost halve the complexity of proving secure refinement. Further, we demonstrate its applicability to secure compilation, by proving in Isabelle/HOL the preservation of value-dependent security by a proof-of-concept compiler from an imperative While language to a generic RISC-style assembly language, for programs with shared-memory concurrency mediated by locking primitives. Finally, we execute our compiler in Isabelle on a While language model of the Cross Domain Desktop Compositor, demonstrating to our knowledge the first use of a compiler verification result to carry an information-flow security property down to the assembly-level model of a non-trivial concurrent program.
Compositional Vulnerability Detection with Insecurity Separation Logic
Memory-safety issues and information leakage are known to be depressingly common. We consider the compositional static detection of these kinds of vulnerabilities in first-order C-like programs. Existing methods often treat one type of vulnerability (e.g. memory-safety) but not the other (e.g. information leakage). Indeed, the latter are hyper-safety violations, making them more challenging to detect than the former. Existing leakage detection methods like Relational Symbolic Execution treat only non-interactive programs, avoiding the challenges raised by nondeterminism for reasoning about information leakage. Their implementations also do not treat non-trivial leakage policies like value-dependent classification, which are becoming increasingly common. Finally, being whole-program analyses they cannot be applied compositionally -- to deduce the presence of vulnerabilities in a program by analysing each of its parts -- thereby ruling out the possibility of incremental analysis.

In this paper we remedy these shortcomings by presenting Insecurity Separation Logic (InsecSL), an under-approximate relational program logic for soundly detecting information leakage and memory-safety issues in interactive programs. We show how InsecSL can be soundly automated by bi-abduction-based symbolic execution. Based on this, we design and implement a top-down, contextual, compositional, inter-procedural analysis for vulnerability detection. We implement our approach in a proof-of-concept tool, Underflow, for analysing C programs, which we demonstrate by applying it to various case studies.
A Hoare Logic with Regular Behavioral Specifications
We present a Hoare logic that extends program specifications with regular expressions that capture behaviors in terms of sequences of events that arise during the execution. The idea is similar to session types or process-like behavioral contracts, two currently popular research directions. The approach presented here strikes a particular balance between expressiveness and proof automation; notably, it can capture interesting sequential behavior across multiple iterations of loops. The approach is modular and integrates well with auto-active deductive verification tools. We describe and demonstrate our prototype implementation in SecC using two case studies: a matcher for e-mail addresses and a specification of the game steps in the VerifyThis Casino challenge.
Detecting Excessive Data Exposures in Web Server Responses with Metamorphic Fuzzing
APIs often transmit far more data to client applications than they need, and in the context of web applications, often do so over public channels. This issue, termed Excessive Data Exposure (EDE), was OWASP's third most significant API vulnerability of 2019. However, there are few automated tools -- either in research or industry -- to effectively find and remediate such issues. This is unsurprising as the problem lacks an explicit test oracle: the vulnerability does not manifest through explicit abnormal behaviours (e.g., program crashes or memory access violations).

In this work, we develop a metamorphic relation to tackle that challenge and build the first fuzzing tool -- that we call EDEFuzz -- to systematically detect EDEs. EDEFuzz can significantly reduce false negatives that occur during manual inspection and ad-hoc text-matching techniques, the current most-used approaches.

We tested EDEFuzz against the sixty-nine applicable targets from the Alexa Top-200 and found 33,365 potential leaks -- illustrating our tool's broad applicability and scalability. In a more tightly controlled experiment of eight popular websites in Australia, EDEFuzz achieved a high true positive rate of 98.65% with minimal configuration, illustrating our tool's accuracy and efficiency.
Study towards the quantitative definition of the kynurenine pathway
The kynurenine pathway is the prime pathway for the metabolism of the essential amino acid, tryptophan (TRP), and also the de novo pathway for nicotinamide adenine dinucleotide (NAD+) production. The kynurenine pathway is important in the pathogenesis of multi-organ dysfunction syndrome following severe acute pancreatitis (AP-MODS) due to the metabolism of kynurenine (KYN) into cytotoxic 3-hydroxykynurenine (3HK) by the enzyme kynurenine 3-monooxygenase (KMO). Mice with absent Kmo gene expression (KMOnull) have marked reductions in extrapancreatic organ injury post AP.

This dissertation describes the pharmacokinetics (PK) of the kynurenine pathway after intravenous infusion of deuterated or heavy carbon stable isotopes (tracers) of four kynurenine pathway compounds (D5-TRP, 13C6-KYN, D5-kynurenic acid (KYNA) and 13C6-3HK) into rats (n=13).

Liquid chromatography-electrospray ionisation tandem mass spectrometry (LC-MS/MS) is the most frequently used method to monitor kynurenine pathway compound levels in plasma. This dissertation reports a new method of extraction of plasma samples, using solid phase extraction (SPE), alongside improvement and optimisation of existing LC-MS/MS protocols using a reverse phase ultra-high performance C18-pentafluorophenyl column. This has enabled the analysis of each main metabolite in the kynurenine pathway in a single assay. Mass spectra of compounds were detected using electrospray ionisation (ESI) in both positive and negative polarity employing multiple reaction monitoring (MRM) modes over a 9 min total run time with an injection volume of 10 μL and flow rate of 0.4 mL/min. The method for each compound was shown to be reproducible and accurate (RSD < 25%) and each corresponding standard curve demonstrated linearity (R2 > 0.99).

Single compartment temporal PK analysis of tracers in rat plasma, during the elimination phase, reveals short mean half-lives for each compound, suggesting that metabolism through the kynurenine pathway is rapid (t1/2 12.14 – 29.12 mins). There was a marked difference in the volume of distribution of each analyte (D5-KYNA 0.12; 13C6-3HK 0.21; 13C6-KYN 0.96 and D5-TRP 0.92 (μg/kg)/(μg/L)). Enzyme rates of formation of each analyte were also identified (KYN 20.73; KYNA 2.21; 3HK 3.68 (μg/L)/min).

In conclusion, a new accurate and reliable LC-MS/MS method for the analysis of kynurenine pathway metabolites has been developed. PK analysis has identified important and significant differences in the apparent volumes of distribution of each metabolite. Thus, it can be suggested that TRP and KYN are readily distributed to tissue whilst KYNA and 3HK are largely confined to the plasma compartment.