In defense of soundiness

Livshits, Benjamin; Sridharan, Manu; Smaragdakis, Yannis; Lhoták, Ondřej; Amaral, José Nelson; Chang, Bor-Yuh Evan; Guyer, Samuel Z.; Khedker, Uday P.; Möller, Anders; Vardoulakis, Dimitris

doi:10.1145/2644805

Cited by 204 publications

(106 citation statements)

References 0 publications

Supporting

Mentioning

103

Contrasting

Unclassified

Order By: Relevance

“…While this lack of soundness and precision can be viewed as a deficiency, we argue that instead -in the spirit of "soundiness" [23] -it is a strength. Indeed, we explicitly trade off traditional goals of static program analysis in favor of efficiency, as our particular goal is oriented more towards best-effort discovery of extension-reuse vulnerabilities and less towards proving the absence of these vulnerabilities.…”

Section: E Limitationsmentioning

confidence: 83%

CrossFire: An Analysis of Firefox Extension-Reuse Vulnerabilities

Buyukkayhan

Onarlıoğlu

Robertson

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Abstract-Extension architectures of popular web browsers have been carefully studied by the research community; however, the security impact of interactions between different extensions installed on a given system has received comparatively little attention. In this paper, we consider the impact of the lack of isolation between traditional Firefox browser extensions, and identify a novel extension-reuse vulnerability that allows adversaries to launch stealthy attacks against users. This attack leverages capability leaks from legitimate extensions to avoid the inclusion of security-sensitive API calls within the malicious extension itself, rendering extensions that use this technique difficult to detect through the manual vetting process that underpins the security of the Firefox extension ecosystem.We then present CROSSFIRE, a lightweight static analyzer to detect instances of extension-reuse vulnerabilities. CROSSFIRE uses a multi-stage static analysis to efficiently identify potential capability leaks in vulnerable, benign extensions. If a suspected vulnerability is identified, CROSSFIRE then produces a proof-ofconcept exploit instance -or, alternatively, an exploit template that can be adapted to rapidly craft a working attack that validates the vulnerability.To ascertain the prevalence of extension-reuse vulnerabilities, we performed a detailed analysis of the top 10 Firefox extensions, and ran further experiments on a random sample drawn from the top 2,000. The results indicate that popular extensions, downloaded by millions of users, contain numerous exploitable extension-reuse vulnerabilities. A case study also provides anecdotal evidence that malicious extensions exploiting extension-reuse vulnerabilities are indeed effective at cloaking themselves from extension vetters.

show abstract

Section: E Limitationsmentioning

confidence: 83%

CrossFire: An Analysis of Firefox Extension-Reuse Vulnerabilities

Buyukkayhan

Onarlıoğlu

Robertson

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…JayHorn is implemented in the spirit of soundiness [14]. Our analysis does not have a fully sound handling of the following features: JNI, implicit method invocations, integer overflow, reflection API, invokedynamic, code generation at runtime, dynamic loading, different class loaders, and key native methods We have determined that the unsoundness in our handling of these features has no effect the validity of our experimental eval-Benchmark # Problems JayHorn + Z3 JayHorn + Eldarica TO TO CBMC-java tests 44 26 12 6 33 8 3 MinePump 64 36 0 28 39 25 0 SVCOMP Recursive 23 7 2 14 14 2 7 Table 1.…”

Section: Architecture Of Jayhornmentioning

confidence: 99%

JayHorn: A Framework for Verifying Java programs

Kahsai

Rümmer

Sanchez

et al. 2016

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Building a competitive program verifiers is becoming cheaper. On the front-end side, openly available compiler infrastructure and optimization frameworks take care of hairy problems such as alias analysis, and break down the subtleties of modern languages into a handful of simple instructions that need to be handled. On the back-end side, theorem provers start providing full-fledged model checking algorithms, such as PDR, that take care looping control-flow. In this spirit, we developed JayHorn, a verification framework for Java with the goal of having as few moving parts as possible. Most steps of the translation from Java into logic are implemented as bytecode transformations, with the implication that their soundness can be tested easily. From the transformed bytecode, we generate a set of constrained Horn clauses that are verified using state-of-the-art Horn solvers. We report on our implementation experience and evaluate JayHorn on benchmarks.

show abstract

“…Practical Assumptions Related to Soundness WHOOP is "soundy" 7 [41]: it aims in principle to perform a sound analysis that can prove absence of races, but suffers from some known sources of unsoundness, which we now comment on.…”

Section: Verification and Error Reportingmentioning

confidence: 99%

Fast and Precise Symbolic Analysis of Concurrency Bugs in Device Drivers (T)

Deligiannis

Donaldson

Rakamarić

2015

2015 30th IEEE/ACM International Conference on Automated Software Engineering (ASE)

View full text Add to dashboard Cite

Abstract-Concurrency errors, such as data races, make device drivers notoriously hard to develop and debug without automated tool support. We present WHOOP, a new automated approach that statically analyzes drivers for data races. WHOOP is empowered by symbolic pairwise lockset analysis, a novel analysis that can soundly detect all potential races in a driver. Our analysis avoids reasoning about thread interleavings and thus scales well. Exploiting the race-freedom guarantees provided by WHOOP, we achieve a sound partial-order reduction that significantly accelerates CORRAL, an industrial-strength bug-finder for concurrent programs. Using the combination of WHOOP and CORRAL, we analyzed 16 drivers from the Linux 4.0 kernel, achieving 1.5-20× speedups over standalone CORRAL.

show abstract

In defense of soundiness

Abstract: Soundy is the new sound.

Cited by 204 publications

References 0 publications

CrossFire: An Analysis of Firefox Extension-Reuse Vulnerabilities

CrossFire: An Analysis of Firefox Extension-Reuse Vulnerabilities

JayHorn: A Framework for Verifying Java programs

Fast and Precise Symbolic Analysis of Concurrency Bugs in Device Drivers (T)

Contact Info

Product

Resources

About