
    Verifying That a Compiler Preserves Concurrent Value-Dependent Information-Flow Security

    It is common to prove by reasoning over source code that programs do not leak sensitive data. But doing so leaves a gap between reasoning and reality that can only be filled by accounting for the behaviour of the compiler. This task is complicated when programs enforce value-dependent information-flow security properties (in which the classification of locations can vary depending on values in other locations), and complicated further when programs exploit shared-variable concurrency. Prior work has formally defined a notion of concurrency-aware refinement for preserving value-dependent security properties. However, that notion is considerably more complex than the standard refinement definitions typically applied in the verification of semantics preservation by compilers. To date it remains unclear whether it can be applied to a realistic compiler, because there exist no general decomposition principles for separating it into smaller, more familiar proof obligations. In this work, we provide such a decomposition principle, which we show can almost halve the complexity of proving secure refinement. Further, we demonstrate its applicability to secure compilation by proving in Isabelle/HOL the preservation of value-dependent security by a proof-of-concept compiler from an imperative While language to a generic RISC-style assembly language, for programs with shared-memory concurrency mediated by locking primitives. Finally, we execute our compiler in Isabelle on a While language model of the Cross Domain Desktop Compositor, demonstrating, to our knowledge, the first use of a compiler verification result to carry an information-flow security property down to the assembly-level model of a non-trivial concurrent program.

    A Hoare Logic with Regular Behavioral Specifications

    We present a Hoare logic that extends program specifications with regular expressions that capture behaviours in terms of sequences of events that arise during execution. The idea is similar to session types or process-like behavioural contracts, two currently popular research directions. The approach presented here strikes a particular balance between expressiveness and proof automation; notably, it can capture interesting sequential behaviour across multiple iterations of loops. The approach is modular and integrates well with auto-active deductive verification tools. We describe and demonstrate our prototype implementation in SecC using two case studies: a matcher for e-mail addresses and a specification of the game steps in the VerifyThis Casino challenge.

    Compositional Vulnerability Detection with Insecurity Separation Logic

    Memory-safety issues and information leakage are known to be depressingly common. We consider the compositional static detection of these kinds of vulnerabilities in first-order C-like programs. Existing methods often treat one type of vulnerability (e.g. memory-safety) but not the other (e.g. information leakage). Indeed, the latter are hyper-safety violations, making them more challenging to detect than the former. Existing leakage detection methods like Relational Symbolic Execution treat only non-interactive programs, avoiding the challenges raised by nondeterminism for reasoning about information leakage. Their implementations also do not treat non-trivial leakage policies like value-dependent classification, which are becoming increasingly common. Finally, being whole-program analyses, they cannot be applied compositionally (to deduce the presence of vulnerabilities in a program by analysing each of its parts), thereby ruling out the possibility of incremental analysis. In this paper we remedy these shortcomings by presenting Insecurity Separation Logic (InsecSL), an under-approximate relational program logic for soundly detecting information leakage and memory-safety issues in interactive programs. We show how InsecSL can be soundly automated by bi-abduction based symbolic execution. Based on this, we design and implement a top-down, contextual, compositional, inter-procedural analysis for vulnerability detection. We implement our approach in a proof-of-concept tool, Underflow, for analysing C programs, which we demonstrate by applying it to various case studies.

    Detecting Excessive Data Exposures in Web Server Responses with Metamorphic Fuzzing

    APIs often transmit far more data to client applications than they need, and in the context of web applications, often do so over public channels. This issue, termed Excessive Data Exposure (EDE), was OWASP's third most significant API vulnerability of 2019. However, there are few automated tools, either in research or industry, to effectively find and remediate such issues. This is unsurprising, as the problem lacks an explicit test oracle: the vulnerability does not manifest through explicit abnormal behaviours (e.g., program crashes or memory access violations). In this work, we develop a metamorphic relation to tackle that challenge and build the first fuzzing tool, which we call EDEFuzz, to systematically detect EDEs. EDEFuzz can significantly reduce the false negatives that occur during manual inspection and ad-hoc text-matching techniques, the currently most-used approaches. We tested EDEFuzz against the sixty-nine applicable targets from the Alexa Top-200 and found 33,365 potential leaks, illustrating our tool's broad applicability and scalability. In a more tightly controlled experiment on eight popular websites in Australia, EDEFuzz achieved a high true positive rate of 98.65% with minimal configuration, illustrating our tool's accuracy and efficiency.

    Study towards the quantitative definition of the kynurenine pathway

    The kynurenine pathway is the prime pathway for the metabolism of the essential amino acid tryptophan (TRP), and also the de novo pathway for nicotinamide adenine dinucleotide (NAD+) production. The kynurenine pathway is important in the pathogenesis of multi-organ dysfunction syndrome following severe acute pancreatitis (AP-MODS) due to the metabolism of kynurenine (KYN) into cytotoxic 3-hydroxykynurenine (3HK) by the enzyme kynurenine 3-monooxygenase (KMO). Mice with absent Kmo gene expression (KMOnull) have marked reductions in extrapancreatic organ injury post AP. This dissertation describes the pharmacokinetics (PK) of the kynurenine pathway after intravenous infusion of deuterated or heavy carbon stable isotopes (tracers) of four kynurenine pathway compounds (D5-TRP, 13C6-KYN, D5-kynurenic acid (KYNA) and 13C6-3HK) into rats (n=13). Liquid chromatography-electrospray ionisation tandem mass spectrometry (LC-MS/MS) is the most frequently used method to monitor kynurenine pathway compound levels in plasma. This dissertation reports a new method of extraction of plasma samples, using solid phase extraction (SPE), alongside improvement and optimisation of existing LC-MS/MS protocols using a reverse phase ultra-high performance C18-pentafluorophenyl column. This has enabled the analysis of each main metabolite in the kynurenine pathway in a single assay. Mass spectra of compounds were detected using electrospray ionisation (ESI) in both positive and negative polarity employing multiple reaction monitoring (MRM) modes over a 9 min total run time with an injection volume of 10 μL and a flow rate of 0.4 mL/min. The method for each compound was shown to be reproducible and accurate (RSD < 25%) and each corresponding standard curve demonstrated linearity (R2 > 0.99). Single compartment temporal PK analysis of tracers in rat plasma, during the elimination phase, reveals short mean half-lives for each compound, suggesting that metabolism through the kynurenine pathway is rapid (t1/2 12.14 – 29.12 mins). There was a marked difference in the volume of distribution of each analyte (D5-KYNA 0.12; 13C6-3HK 0.21; 13C6-KYN 0.96 and D5-TRP 0.92 (μg/kg)/(μg/L)). Enzyme rates of formation of each analyte were also identified (KYN 20.73; KYNA 2.21; 3HK 3.68 (μg/L)/min). In conclusion, a new accurate and reliable LC-MS/MS method for the analysis of kynurenine pathway metabolites has been developed. PK analysis has identified important and significant differences in the apparent volumes of distribution of each metabolite. Thus, it can be suggested that TRP and KYN are readily distributed to tissue whilst KYNA and 3HK are largely confined to the plasma compartment.