A Machine-Checked Safety Proof for a CISC-Compatible SFI Technique

Executing untrusted code while preserving security requires that thecode be prevented from modifying memory or executing instructionsexcept as explicitly allowed. Software-based fault isolation (SFI) or"sandboxing" enforces such a policy by rewriting code at theinstruction level. In previous work, we developed a new SFI techniquethat is applicable to CISC architectures such as the Intel IA-32,based on enforcing additional alignment constraints to avoiddifficulties with variable-length instructions. This report describesa machine-checked proof we developed to increase our confidence in thesafety provided by the technique. The proof, constructed for asimplified model of the technique using the ACL2 theorem provingenvironment, certifies that if the code rewriting has been checked tohave been performed correctly, the resulting program cannot perform adangerous operation when run. We describe the high-level structure ofthe proof, then give the intermediate lemmas with interspersedcommentary, and finally evaluate the process of the proof'sconstruction

The Effect of Instruction Padding on SFI Overhead

Software-based fault isolation (SFI) is a technique to isolate a potentially faulty or malicious software module from the rest of a system using instruction-level rewriting. SFI implementations on CISC architectures, including Google Native Client, use instruction padding to enforce an address layout invariant and restrict control flow. However this padding decreases code density and imposes runtime overhead. We analyze this overhead, and show that it can be reduced by allowing some execution of overlapping instructions, as long as those overlapping instructions are still safe according to the original per-instruction policy. We implemented this change for both 32-bit and 64-bit x86 versions of Native Client, and analyzed why the performance benefit is higher on 32-bit. The optimization leads to a consistent decrease in the number of instructions executed and savings averaging 8.6% in execution time (over compatible benchmarks from SPECint2006) for x86-32. We describe how to modify the validation algorithm to check the more permissive policy, and extend a machine-checked Coq proof to confirm that the system's security is preserved.Comment: NDSS Workshop on Binary Analysis Research, February 201

Quantitative Information-Flow Tracking for C and Related Languages

We present a new approach for tracking programs' use of data througharbitrary calculations, to determine how much information about secretinputs is revealed by public outputs. Using a fine-grained dynamicbit-tracking analysis, the technique measures the information revealedduring a particular execution. The technique accounts for indirectflows, e.g. via branches and pointer operations. Two kinds ofuntrusted annotation improve the precision of the analysis. Animplementation of the technique based on dynamic binary translation isdemonstrated on real C, C++, and Objective C programs of up to half amillion lines of code. In case studies, the tool checked multiplesecurity policies, including one that was violated by a previouslyunknown bug

Quantitative information-flow tracking for real systems

Thesis (Ph. D.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2008.This electronic version was submitted by the student author. The certified thesis is available in the Institute Archives and Special Collections.Includes bibliographical references (p. 99-105).An information-flow security policy constrains a computer system's end-to-end use of information, even as it is transformed in computation. For instance, a policy would not just restrict what secret data could be revealed directly, but restrict any output that might allow inferences about the secret. Expressing such a policy quantitatively, in terms of a specific number of bits of information, is often an effective program independent way of distinguishing what scenarios should be allowed and disallowed. This thesis describes a family of new techniques for measuring how much information about a program's secret inputs is revealed by its public outputs on a particular execution, in order to check a quantitative policy on realistic systems. Our approach builds on dynamic tainting, tracking at runtime which bits might contain secret in formation, and also uses static control-flow regions to soundly account for implicit flows via branches and pointer operations. We introduce a new graph model that bounds information flow by the maximum flow between inputs and outputs in a flow network representation of an execution. The flow bounds obtained with maximum flow are much more precise than those based on tainting alone (which is equivalent to graph reachability). The bounds are a conservative estimate of channel capacity: the amount of information that could be transmitted by an adversary making an arbitrary choice of secret inputs. We describe an implementation named Flowcheck, built using the Valgrind framework for x86/Linux binaries, and use it to perform case studies on six real C, C++, and Objective C programs, three of which have more than 250,000 lines of code. We used the tool to check the confidentiality of a different kind of information appropriate to each program. Its results either verified that the information was appropriately kept secret on the examined executions, or revealed unacceptable leaks, in one case due to a previously unknown bug.by Stephen Andrew McCamant.Ph.D

Predicting problems caused by component upgrades

Thesis (S.M.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2004.Includes bibliographical references (p. 89-93).This thesis presents a new, automatic technique to assess whether replacing a component of a software system by a purportedly compatible component may change the behavior of the system. The technique operates before integrating the new component into the system or running system tests, permitting quicker and cheaper identification of problems. It takes into account the system's use of the component, because a particular component upgrade may be desirable in one context but undesirable in another. No formal specifications are required, permitting detection of problems due either to errors in the component or to errors in the system. Both external and internal behaviors can be compared, enabling detection of problems that are not immediately reflected in the output. The technique generates an operational abstraction for the old component in the context of the system, and one for the new component in the context of its test suite. An operational abstraction is a set of program properties that generalizes over observed run-time behavior. Modeling a system as divided into modules, and taking into account the control and data flow between the modules, we formulate a logical condition to guarantee that the system's behavior is preserved across a component replacement. If automated logical comparison indicates that the new component does not make all the guarantees that the old one did, then the upgrade may affect system behavior and should not be performed without further scrutiny.(cont.) We describe a practical implementation of the technique, incorporating enhancements to handle non-local state, non-determinism, and missing test suites, and to distinguish old from new incompatibilities. We evaluate the implementation in case studies using real-world systems, including the Linux C library and 48 Unix programs. Our implementation identified real incompatibilities among versions of the C library that affected some of the programs, and it approved the upgrades for other programs that were unaffected by the changes.by Stephen Andrew McCamant.S.M

Femtosecond Stimulated Raman Study of the Photoactive Flavoprotein AppABLUF

Femtosecond stimulated Raman Spectroscopy (FSRS) is applied to study the photocycle of a blue light using flavin (BLUF) domain photoreceptor, AppABLUF. It is shown that FSRS spectra are sensitive to the light adapted state of the protein and probe its excited state dynamics. The dominant contribution to the most sensitive excited state Raman active modes is from flavin ring modes. However, TD-DFT calculations for excited state structures indicate that reproduction and assignment of the experimentally observed spectral shift will require high level calculations on the flavin in its specific protein environment

Handling the Complexities of a Real-World Language: A Harmonia Language Module for C

The syntax of popular programming languages often includes features that don't conform to the simplest models of program translation. Though designed to be easy for conventional compilers to handle, these features can cause trouble for language analysis in other environments. In implementing support for the C language within the Harmonia incremental framework, we've needed unconventional approaches to deal with the language's quirks. Closely following the language specification, we describe how a flex-based lexer, an ambiguous context-free grammar, and an object-oriented syntax-tree based analysis can be built to function well in a text editor or other interactive environment. By resolving..