The Meaning of Memory Safety

We give a rigorous characterization of what it means for a programming language to be memory safe, capturing the intuition that memory safety supports local reasoning about state. We formalize this principle in two ways. First, we show how a small memory-safe language validates a noninterference property: a program can neither affect nor be affected by unreachable parts of the state. Second, we extend separation logic, a proof system for heap-manipulating programs, with a memory-safe variant of its frame rule. The new rule is stronger because it applies even when parts of the program are buggy or malicious, but also weaker because it demands a stricter form of separation between parts of the program state. We also consider a number of pragmatically motivated variations on memory safety and the reasoning principles they support. As an application of our characterization, we evaluate the security of a previously proposed dynamic monitor for memory safety of heap-allocated data.Comment: POST'18 final versio

Global ISR: Toward a Comprehensive Defense Against Unauthorized Code Execution

Instruction-set randomization (ISR) obfuscates the "language" understood by a system to protect against code-injection attacks by presenting an ever-changing target. ISR was originally motivated by code injection through buffer overflow vulnerabilities. However, Stuxnet demonstrated that attackers can exploit other vectors to place malicious binaries into a victim’s filesystem and successfully launch them, bypassing most mechanisms proposed to counter buffer overflows. We propose the holistic adoption of ISR across the software stack, preventing the execution of unauthorized binaries and scripts regardless of their origin. Our approach requires that programs be randomized with different keys during a user-controlled installation, effectively combining the benefits of code whitelisting/signing and runtime program integrity. We discuss how an ISR-enabled environment for binaries can be implemented with little overhead in hardware, and show that higher-overhead software only alternatives are possible. We use Perl and SQL to demonstrate the application of ISR in scripting environments with negligible overhead

A formally verified compiler back-end

This article describes the development and formal verification (proof of semantic preservation) of a compiler back-end from Cminor (a simple imperative intermediate language) to PowerPC assembly code, using the Coq proof assistant both for programming the compiler and for proving its correctness. Such a verified compiler is useful in the context of formal methods applied to the certification of critical software: the verification of the compiler guarantees that the safety properties proved on the source code hold for the executable compiled code as well

Symbolic Computation via Program Transformation

Symbolic computation is an important approach in automated program analysis. Most state-of-the-art tools perform symbolic computation as interpreters and directly maintain symbolic data. In this paper, we show that it is feasible, and in fact practical, to use a compiler-based strategy instead. Using compiler tooling, we propose and implement a transformation which takes a standard program and outputs a program that performs semantically equivalent, but partially symbolic, computation. The transformed program maintains symbolic values internally and operates directly on them hence the program can be processed by a tool without support for symbolic manipulation. The main motivation for the transformation is in symbolic verification, but there are many other possible use-cases, including test generation and concolic testing. Moreover using the transformation simplifies tools, since the symbolic computation is handled by the program directly. We have implemented the transformation at the level of LLVM bitcode. The paper includes an experimental evaluation, based on an explicit-state software model checker as a verification backend

Mechanized semantics for the Clight subset of the C language

This article presents the formal semantics of a large subset of the C language called Clight. Clight includes pointer arithmetic, "struct" and "union" types, C loops and structured "switch" statements. Clight is the source language of the CompCert verified compiler. The formal semantics of Clight is a big-step operational semantics that observes both terminating and diverging executions and produces traces of input/output events. The formal semantics of Clight is mechanized using the Coq proof assistant. In addition to the semantics of Clight, this article describes its integration in the CompCert verified compiler and several ways by which the semantics was validated.Comment: Journal of Automated Reasoning (2009

Different Factors Affecting Human ANP Amyloid Aggregation and Their Implications in Congestive Heart Failure

Atrial Natriuretic Peptide (ANP)-containing amyloid is frequently found in the elderly heart. No data exist regarding ANP aggregation process and its link to pathologies. Our aims were: i) to experimentally prove the presumptive association of Congestive Heart Failure (CHF) and Isolated Atrial Amyloidosis (IAA); ii) to characterize ANP aggregation, thereby elucidating IAA implication in the CHF pathogenesis.A significant prevalence (85\%) of IAA was immunohistochemically proven ex vivo in biopsies from CHF patients. We investigated in vitro (using Congo Red, Thioflavin T, SDS-PAGE, transmission electron microscopy, infrared spectroscopy) ANP fibrillogenesis, starting from α-ANP as well as the ability of dimeric β-ANP to promote amyloid formation. Different conditions were adopted, including those reproducing β-ANP prevalence in CHF. Our results defined the uncommon rapidity of α-ANP self-assembly at acidic pH supporting the hypothesis that such aggregates constitute the onset of a fibrillization process subsequently proceeding at physiological pH. Interestingly, CHF-like conditions induced the production of the most stable and time-resistant ANP fibrils suggesting that CHF affected people may be prone to develop IAA.We established a link between IAA and CHF by ex vivo examination and assessed that β-ANP is, in vitro, the seed of ANP fibrils. Our results indicate that β-ANP plays a crucial role in ANP amyloid deposition under physiopathological CHF conditions. Overall, our findings indicate that early IAA-related ANP deposition may occur in CHF and suggest that these latter patients should be monitored for the development of cardiac amyloidosis

A survey of security issue in multi-agent systems

Multi-agent systems have attracted the attention of researchers because of agents' automatic, pro-active, and dynamic problem solving behaviors. Consequently, there has been a rapid development in agent technology which has enabled us to provide or receive useful and convenient services in a variety of areas such as banking, transportation, e-business, and healthcare. In many of these services, it is, however, necessary that security is guaranteed. Unless we guarantee the security services based on agent-based systems, these services will face significant deployment problems. In this paper, we survey existing work related to security in multi-agent systems, especially focused on access control and trust/reputation, and then present our analyses. We also present existing problems and discuss future research challenges. © Springer Science+Business Media B.V 2011

Stopping injection attacks with code and structured data

Injection attacks top the lists of the most harmful software vulnerabilities. Injection vulnerabilities are both commonplace and easy to exploit, which makes development of injection protection schemes important. In this article, we show how injection attacks can be practically eliminated through the use of structured data paired with cryptographic verification codes upon transmission.peerReviewe