Relational Symbolic Execution

Farina, Gian Pietro; Chong, Stephen; Gaboardi, Marco

doi:10.1145/3354166.3354175

Cited by 27 publications

(34 citation statements)

References 55 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Relational symbolic execution. Relational symbolic execution [36] offers a more precise analysis than other techniques such as tainting. For instance, Pitchfork [5], which is based on tainting, reports a violation in Listing 7, line 2 because toLeak is tainted with secret data, whereas the program is secure because toLeak is set to 0 before being leaked.…”

Section: Related Workmentioning

confidence: 99%

“…A symbolic array is a function (Array I V) mapping each index i ∈ I to a value v ∈ V with operations: Relational Symbolic Execution (RelSE). RelSE [16], [36] is a promising approach to extend SE for analyzing security properties of two execution traces such as SCT 1 . It symbolically executes two versions of a program in the same symbolic execution instance and maximizes sharing between them.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Hunting the Haunter — Efficient Relational Symbolic Execution for Spectre with Haunted RelSE

Daniel¹,

Bardin²,

Rezk³

2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Spectre are microarchitectural attacks which were made public in January 2018. They allow an attacker to recover secrets by exploiting speculations. Detection of Spectre is particularly important for cryptographic libraries and defenses at the software level have been proposed. Yet, defenses correctness and Spectre detection pose challenges due on one hand to the explosion of the exploration space induced by speculative paths, and on the other hand to the introduction of new Spectre vulnerabilities at different compilation stages. We propose an optimization, coined Haunted RelSE, that allows scalable detection of Spectre vulnerabilities at binary level. We prove the optimization semantically correct w.r.t. the more naive explicit speculative exploration approach used in state-of-the-art tools. We implement Haunted RelSE in a symbolic analysis tool, and extensively test it on a wellknown litmus testset for Spectre-PHT, and on a new litmus testset for Spectre-STL, which we propose. Our technique finds more violations and scales better than state-of-the-art techniques and tools, analyzing real-world cryptographic libraries and finding new violations. Thanks to our tool, we discover that indexmasking-a standard defense for Spectre-PHT-and well-known gcc options to compile position independent executables introduce Spectre-STL violations. We propose and verify a correction to index-masking to avoid the problem. addresses the Store to Load (STL) variant (a.k.a Spectre-v4 [13]), which exploits the memory dependence predictor. Unfortunately, Pitchfork does not scale for analyzing Spectre-STL, even on small programs (cf. Table IV). Other variants are currently out-of-scope of static analyzers (see Sections II and VII). Goal and challenges. In this paper, we propose a novel technique to detect Spectre-PHT and Spectre-STL vulnerabilities and we implement it in a new static analyzer for binary code. Two challenges arise in the design of such an analyzer: C1 First, the details of the microarchitecture cannot be fully included in the analysis because they are not public in general and not easy to obtain. Yet the challenge is to find an abstraction powerful enough to capture side channels attacks due to microarchitectural state. C2 Second, exploration of all possible speculative executions does not scale because it quickly leads to state explosion. The challenge is how to optimize this exploration in order to make the analysis applicable to real code. Proposal. We tackle challenge C1 by targeting a relational security property coined in the literature as speculative constanttime [5], a property reminiscent of constant-time [14], widely used in cryptographic implementations. Speculative constanttime takes speculative executions into account without explicitly modeling intrincate microarchitectural details. However, it is well known that constant-time programming is not necessarily preserved by compilers [15], [16], so our analysis operates at binary level-besides, it is compiler-agnostic and does not require source code. For thi...

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Hunting the Haunter — Efficient Relational Symbolic Execution for Spectre with Haunted RelSE

Daniel¹,

Bardin²,

Rezk³

2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…One extra benefit of this approach based on randomness alignment is that the transformed program can also be analyzed by standard symbolic executors. This appears to be an important property in light of recent work on detecting counterexamples for buggy programs [12,18,24,25]. Producing a transformed program that can be used for verification of correct programs and bug-finding for incorrect programs is arXiv:1903.12254v2 [cs.PL] 1 Jul 2019 one aspect that is of independent interest (however, we leave this application of transformed programs to future work).…”

Section: Introductionmentioning

confidence: 99%

Proving differential privacy with shadow execution

Wang

Ding

Wang

et al. 2019

Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation

View full text Add to dashboard Cite

Recent work on formal verification of differential privacy shows a trend toward usability and expressiveness -generating a correctness proof of sophisticated algorithm while minimizing the annotation burden on programmers. Sometimes, combining those two requires substantial changes to program logics: one recent paper is able to verify Report Noisy Max automatically, but it involves a complex verification system using customized program logics and verifiers.In this paper, we propose a new proof technique, called shadow execution, and embed it into a language called Shad-owDP. ShadowDP uses shadow execution to generate proofs of differential privacy with very few programmer annotations and without relying on customized logics and verifiers. In addition to verifying Report Noisy Max, we show that it can verify a new variant of Sparse Vector that reports the gap between some noisy query answers and the noisy threshold. Moreover, ShadowDP reduces the complexity of verification: for all of the algorithms we have evaluated, type checking and verification in total takes at most 3 seconds, while prior work takes minutes on the same algorithms.CCS Concepts • Software and its engineering → Formal software verification.• [i] 1 i := 0; bq := 0; max := 0; 2 while ( i < size ) 3 η := Lap (2/ϵ) , Ω ? † : • , Ω ? 2 : 0 ; 4 if ( q [ i ] + η > bq ∨ i = 0) 5 max := i; 6 bq := q[i] + η; 7 i := i + 1; The transformed program (slightly simplified for readability), where underlined commands are added by the type system: 1 v ϵ := 0; 2 i := 0; bq := 0; max := 0; 3 bq • := 0; bq † := 0; 4 while ( i < size ) 5 assert (i < size); 6 havoc η; v ϵ := Ω ? (0 + ϵ) : (v ϵ + 0); 7 if ( q [ i ] + η > bq ∨ i = 0) 8 assert (q[i] + q • [i] + η + 2 > bq + bq † ∨ i = 0); 9 max := i; 10 bq † := bq + bq † -(q[i] + η); 11 bq := q[i] + η; 12 bq • := q • [i] + 2; 13 else 14 assert (¬(q[i] + q • [i] + η + 0 > bq + bq • ∨ i = 0)); 15 // shadow execution 16 if (q[i] + q † [i] + η > bq + bq † ∨ i = 0) 17 bq † := q[i] + q † [i] + η − bq; 18 i := i + 1;

show abstract

“…Although recent work on relational symbolic execution [22] aims for simpler versions of this task (like detecting incorrect calculations of sensitivity), it is not yet powerful enough to reason about probabilistic computations. Hence, it cannot detect counterexamples in sophisticated algorithms like the sparse vector technique [19], which satisfies differential privacy but is notorious for having many incorrect published variations [12,28].…”

mentioning

confidence: 99%

Detecting Violations of Differential Privacy

Ding

Wang

et al. 2018

Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

110

118

View full text Add to dashboard Cite

The widespread acceptance of differential privacy has led to the publication of many sophisticated algorithms for protecting privacy. However, due to the subtle nature of this privacy definition, many such algorithms have bugs that make them violate their claimed privacy. In this paper, we consider the problem of producing counterexamples for such incorrect algorithms. The counterexamples are designed to be short and human-understandable so that the counterexample generator can be used in the development process -a developer could quickly explore variations of an algorithm and investigate where they break down. Our approach is statistical in nature. It runs a candidate algorithm many times and uses statistical tests to try to detect violations of differential privacy. An evaluation on a variety of incorrect published algorithms validates the usefulness of our approach: it correctly rejects incorrect algorithms and provides counterexamples for them within a few seconds.

show abstract

Relational Symbolic Execution

Cited by 27 publications

References 55 publications

Hunting the Haunter — Efficient Relational Symbolic Execution for Spectre with Haunted RelSE

Hunting the Haunter — Efficient Relational Symbolic Execution for Spectre with Haunted RelSE

Proving differential privacy with shadow execution

Detecting Violations of Differential Privacy

Contact Info

Product

Resources

About