White-box Software Isolation with Fully Automated Black-

box Proofs

Jiaqi TanRajeev Gandhi, Priya Narasimhan

PARALLEL DATA LABORATORYCarnegie Mellon University

FMCAD 2015 Student Forum

2

Motivation• Software Isolation

• Safety property of software: External user input cannot subvert and control software execution

• Ensures software is safe from potentially malicious input• Where is it important?

• Safety-critical systems e.g., medical devices, avionics, cars• Lack of isolation Security vulnerabilities Potentially catastrophic

accidents• Why White-box Isolation?

• Safety-critical systems: Need high-assurance• Programmers need to see what safety-checks are doing

• Why Black-box Proofs? • Many connected, potentially safety-critical Internet-of-Things

devices Many programmers writing code for such devices• Need fully-automated, black-box (no expert input) proofs

Jiaqi Tan © September 15http://www.pdl.cmu.edu/

3

Black-Box Software Isolation Proofs

Jiaqi Tan © September 15http://www.pdl.cmu.edu/

Machine-code

Source-code

(e.g., C)

Compilation

void arraycopy(int *src, int *dst, int n) { unsigned int i; for (int i = 0; i < n; i++) { dst[i] = src[i]; }}

Computed memory write target: Dangerous

So

urc

e-co

de

Mac

hin

e-co

de

Key Insight 1: Potential isolation violations evident in machine-code We can automate isolation proofs in machine-code

4

White-Box Software Isolation: Locations

Jiaqi Tan © September 15http://www.pdl.cmu.edu/

Machine-code

Source-code

(e.g., C)

Compilation

void arraycopy(int *src, int *dst, int n) { unsigned int i; for (int i = 0; i < n; i++) { dst[i] = src[i]; }}

Computed memory write target: Dangerous

Debug information helps us resolve this

(for unoptimized code)S

ou

rce-

cod

eM

ach

ine-

cod

e

Key Insight 2: We can identify source-code locations from machine-code addresses for potential isolation violations

5

White-Box Software Isolation: Hints for Remedies

Jiaqi Tan © September 15http://www.pdl.cmu.edu/

So

urc

e-co

de

Mac

hin

e-co

de

void arraycopy (int *src, int *dst, int n) { unsigned int i; for (i = 0; i < n; ++i) {

dst[i] = src[i]; }}

#define SAFE(array,idx) = ……

if (SAFE(dst,i)) {

}

.... (safety check code) ....

......e1a02102 lsl r2, r2, #2e51b1010 ldr r1, [fp, #-16]e0812002 add r2, r1, r2e5922000 ldr r2, [r2]

e50b3008 str r2 [r3]e51b3008 ldr r3, [fp, #-8]e2833001 add r3, r3, #1e50b3008 str r3, [fp, #-8]e51b2018 ldr r2, [fp, #-24]......

Provides logic preconditions

needed: Proves dangerous

instruction is safe to run

Compilation

Machine-code

Source-code (e.g., C)

Compilation

Key Insight 3: We can write code, SAFE(dst,i), which gives us the necessary logic pre-conditions for provable isolation

6

Visualization of Approach

Jiaqi Tan © September 15http://www.pdl.cmu.edu/

Machine-code

Source-code (e.g., C)

Software Isolation Proof Generation

(AUSPICE) [1]

Software Isolation Remedy Hint Generation

Software isolation violations manifest in machine-code behavior Prove isolation in machine-code

Programmers can only observe this level of abstraction Isolation enforcement mechanisms must be in source-code

Compilation

Safety Proof of Isolation

Proof Success

Proof Failure

Hints for source-code remedies for safety violations

Machine-code Addresses

Responsible for Proof-

Failure

Programmer applies hints

HOL4 and Cambridge

ARM Logic [2]

LLVM-Clang Tooling

7

References• [1] Jiaqi Tan, Hui Jun Tay, Rajeev Gandhi,

Priya Narasimhan. AUSPICE: Automatic Safety Property Verification for Unmodified Executables. In Working Conference on Verified Software: Tools, Theories and Experiments (VSTTE), July 2015.

• [2] Magnus Myreen, Anthony Fox, Michael Gordon. Hoare Logic for ARM Machine Code. In Fundamentals of Software Engineering (FSEN), 2007.

Jiaqi Tan © September 15http://www.pdl.cmu.edu/