Not All Bugs Are Created Equal, But Robust Reachability Can Tell the Difference

Girol, Guillaume; Farinier, Benjamin; Bardin, Sébastien

doi:10.1007/978-3-030-81685-8_32

Cited by 7 publications

(10 citation statements)

References 44 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Finally, the last but not the least of the tools under our scope is binsec. In [2], Girol, Farinier and Bardin consider another application of symbolic computations: bug tracking.…”

Section: Introductionmentioning

confidence: 99%

At the Bottom of Binary Analysis: Instructions

Bonfante

Talon

2022

Foundations and Practice of Security

View full text Add to dashboard Cite

Here we present a careful exploration of the set of instructions for the x86 processor architecture. This is a preliminary step towards a systematic comparison of SMT-based retro-engineering tools.The latter arose in the context of binary code retro-engineering. All these tools rely themselves on more elementary disassembly tool. In this contribution, we attack the problem at its most atomic level: the instructions.We prepare, trading off between the size of the list and the correctness of the future comparison, a good list of instructions.

show abstract

“…Finally, the last but not the least of the tools under our scope is binsec. In [2], Girol, Farinier and Bardin consider another application of symbolic computations: bug tracking.…”

Section: Introductionmentioning

confidence: 99%

At the Bottom of Binary Analysis: Instructions

Bonfante

Talon

2022

Foundations and Practice of Security

View full text Add to dashboard Cite

show abstract

“…The program property of robust reachability [8,9] refines the standard notion of reachability of a bug given a partition of the program variables in a controlled and an uncontrolled set: a bug is robustly reachable if it is reachable whatever the values of the uncontrolled variables. FuncTion -V can analyze robust reachability properties expressible as a CTL formula of the form AFϕ.…”

Section: Related Workmentioning

confidence: 99%

“…Violations of program properties pose significant risks, particularly when they can be triggered by attackers [8,14]. This paper presents our tool FuncTion -V for the automatic identification of the minimal set(s) of program variables that are vulnerable to be controlled by an attacker to potentially violate a (desirable) program property, or, equivalently, the minimal variable set(s) the values of which must be controlled to ensure an (undesirable) program property.…”

Section: Introductionmentioning

confidence: 99%

“…Let us consider the undesirable robust reachability [8,9] of the error location in Figure 1. Here, to make sure that the error location is reached, an attacker can either (A) control the value of x ensuring that x > 0 (error reachable independently of the values of y and z), or (B) control the value of y and z ensuring that y ≤ z (error reachable independently of the value of x).…”

Section: Introductionmentioning

confidence: 99%

“…Besides robust reachability [8,9,18,19], FuncTion -V more generally supports program properties expressed in Computation Tree Logic (CTL) [2] (e.g., termination [16], recurrence properties [18,19], etc.). To improve the precision of our approach, we have equipped Func-Tion -V with a conflict-driven abstraction refinement-style analysis [7].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Automatic Detection of Vulnerable Variables for CTL Properties of Programs

Moussaoui Remil,

Urban,

Miné

EPiC Series in Computing

View full text Add to dashboard Cite

We present our tool FuncTion-V for the automatic identification of the minimal sets of program variables that an attacker can control to ensure an undesirable program property. FuncTion-V supports program properties expressed in Computation Tree Logic (CTL), and builds upon an abstract interpretation-based static analysis for CTL properties that we extend with an abstraction refinement process. We showcase our tool on benchmarks collected from the literature and SV-COMP 2023.

show abstract

Adversarial Reachability for Program-level Security Analysis

Ducousso

Bardin

Potet

2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Many program analysis tools and techniques have been developed to assess program vulnerability. Yet, they are based on the standard concept of reachability and represent an attacker able to craft smart legitimate input, while in practice attackers can be much more powerful, using for instance micro-architectural exploits or fault injection methods. We introduce adversarial reachability, a framework allowing to reason about such advanced attackers and check whether a system is vulnerable or immune to a particular attacker. As equipping the attacker with new capacities significantly increases the state space of the program under analysis, we present a new symbolic exploration algorithm, namely adversarial symbolic execution, injecting faults in a forkless manner to prevent path explosion, together with optimizations dedicated to reduce the number of injections to consider while keeping the same attacker power. Experiments on representative benchmarks from fault injection show that our method significantly reduces the number of adversarial paths to explore, allowing to scale up to 10 faults where prior work timeout for 3 faults. In addition, we analyze the well-tested WooKey bootloader, and demonstrate the ability of our analysis to find attacks and evaluate countermeasures in real-life security scenarios. We were especially able to find an attack not mentioned in a previous patch.

show abstract

Not All Bugs Are Created Equal, But Robust Reachability Can Tell the Difference

Cited by 7 publications

References 44 publications

At the Bottom of Binary Analysis: Instructions

At the Bottom of Binary Analysis: Instructions

Automatic Detection of Vulnerable Variables for CTL Properties of Programs

Adversarial Reachability for Program-level Security Analysis

Contact Info

Product

Resources

About