
Page 1: Trustworthy Systems from Un-Trusted Components 2018 Tsun… · Angelixpaper on automated program repair, May 2016 [FWCI 26.09] Home run papers with field weighted citation impact

Trustworthy Systems from Un-Trusted Components

PRESENTED BY PROF. ABHIK ROYCHOUDHURY, NATIONAL UNIVERSITY OF SINGAPORE, [email protected]

http://www.comp.nus.edu.sg/~tsunami

Page 2

Ongoing NRF Project: Overall Outlook

Vulnerability Discovery

Binary Hardening

Verification

Data Protection

Agency Collaboration

Industry Collaboration

Education – NUS (Bachelors in Infosec)

Research Outputs – Publications, Tools, Academic Collaboration, Exchanges, Seminars, Workshops

Enhancing local capabilities

Page 3

Project Highlights

Usage and Research Impact
◦ Integration into widely used tools like AFL with active user groups
◦ DARPA CGC binaries: finds crashes more than 10 times faster
◦ Integrated into the most widely used security testing tool
◦ Angelix tool on automated program repair
◦ Security vulnerabilities remain un-patched for long...

Research Visibility
◦ Invited talks at the Summer School on Information Security and many other venues
◦ IEEE Innovation Spotlight 2018, from among all IEEE articles

Educational Impact
◦ Degree program in Infosec at NUS started concurrently
◦ Modules being created using outcomes of the project
◦ Hands-on CTF education in existing classes using project outcomes

Page 4

Highlights

Scholarly Impact
◦ High-citation trend
◦ Data-oriented programming, April 2016 [FWCI 22.89]
◦ Angelix paper on automated program repair, May 2016 [FWCI 26.09]
◦ Home run papers with field weighted citation impact > 20
◦ Dagstuhl workshop on Automated Repair organized, January 2017
◦ Recent invited talks:
◦ Distinguished Lecture at Luxembourg S&T center, January 2017
◦ KLEE workshop on Symbolic Execution, April 2018
◦ 9th International Summer School on Information Security and Protection, July 2018, https://cs.anu.edu.au/cybersec/issisp2018/
◦ Publications: CCS, NDSS, Usenix Security, S&P, ICSE, FSE

Page 5

Sample Technologies from TSUNAMi

AFLFast: 10x faster than AFL
◦ 1st place @ Hacker News
◦ 2nd place @ DARPA CGC (Team Codejitsu)
◦ 6 CVEs @ US National Vulnerability Database (initial count, only during publication)
◦ 180 stars @ GitHub (+90 forks)
◦ 2000 USD @ Google Security bug bounties
◦ Integrated into main-line AFL

AFLGo: 1st directed greybox fuzzer
◦ 17 CVEs @ US National Vulnerability Database
◦ 39 bugs @ security-critical internet libraries (libxml)
◦ 41 stars @ GitHub (9 forks)
◦ Outperforms state-of-the-art in patch testing (KATCH)
◦ Outperforms state-of-the-art in crash reproduction (BugRedux)

Presentation to NRF Expert Panel, Feb 23, 2018

LowFat: Efficient Binary Hardening
Detects stack/buffer overflows and type confusion attacks
17% performance overhead (vs. 45% state-of-the-art)
12% memory overhead (vs. 700% state-of-the-art)
Integrated with AFLFast and AFLGo to detect more vulnerabilities more efficiently!

Page 6

Secure Smart Nation Infrastructure

Certification of software for IoT devices in smart home, smart health, robots/drones. Focus on environment-aware functionality certification, but also weave in non-functional properties. Capabilities for such certification exist in NUS, and some partnerships for translation, but more may be needed.

Page 7

TSUNAMi Project
◦ Reactive Software Security (WP1)
  ◦ Automated Vulnerability Detection
  ◦ Automated Vulnerability Repair
◦ Proactive Software Security (WP2 + WP3)
  ◦ Automated Hardening
  ◦ Automated Protocol Verification
◦ Assuming Compromised Operating System (WP4)
  ◦ Ensuring Secure Application Execution

Page 8

WP1: Binary Analysis

Page 9

AFLGo: Directed Greybox Fuzzing [CCS'17]

• Directed fuzzing as an optimization problem (no constraint solving)
• Program analysis moved to instrumentation time, to retain the efficiency of greybox fuzzing
• Distance to targets efficiently computed at runtime
• Find the global minimum using a search meta-heuristic: Simulated Annealing
• Results: outperforms KATCH and BugRedux; 17 CVEs assigned
• Applications: patch testing, crash reproduction, information flow analysis
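The distance computation and annealing schedule listed on this slide, as an added example that is not AFLGo's code: a constructed six-function call graph, one target function, and two seeds. The function-level distance is the harmonic mean of call-graph shortest-path lengths to the targets (computed once, at instrumentation time); the seed distance is the mean over the functions a seed exercised; the schedule factor is (1 - d)(1 - T) + 0.5 T with temperature T. The graph, the target, the seeds, the per-round cooling rate and the function-level granularity are assumptions of the example (AFLGo cools as a function of elapsed fuzzing time and measures seed distance over basic blocks).

```c
#include <stdio.h>

/* Added example, not AFLGo's code: function-level target distance and the
 * annealing-based power schedule of directed greybox fuzzing on a
 * constructed call graph. Graph, targets, seeds and cooling rate are
 * assumptions made for this example. */

#define NFUNC 6
#define UNREACHABLE 1000

/* Directed call graph (row = caller, column = callee), constructed.
 * 0 main, 1 parse, 2 decode, 3 sanitize, 4 emit, 5 log */
static const int callgraph[NFUNC][NFUNC] = {
    { 0, 1, 0, 0, 0, 1 },   /* main     -> parse, log        */
    { 0, 0, 1, 1, 0, 0 },   /* parse    -> decode, sanitize  */
    { 0, 0, 0, 0, 1, 0 },   /* decode   -> emit              */
    { 0, 0, 0, 0, 0, 1 },   /* sanitize -> log               */
    { 0, 0, 0, 0, 0, 0 },   /* emit                          */
    { 0, 0, 0, 0, 0, 0 },   /* log                           */
};
static const int TARGETS[]  = { 4 };           /* target: emit()            */
static const int TARGETS2[] = { 4, 5 };        /* two targets: emit(), log()*/
static const int SEED_A[] = { 0, 1, 3, 5 };    /* main, parse, sanitize, log*/
static const int SEED_B[] = { 0, 1, 2, 4 };    /* main, parse, decode, emit */

/* BFS shortest path length (in call edges) from 'from' to 'to'. */
static int shortest_path(int from, int to)
{
    int dist[NFUNC], queue[NFUNC], head = 0, tail = 0, i, u, v;
    for (i = 0; i < NFUNC; i++) dist[i] = UNREACHABLE;
    dist[from] = 0;
    queue[tail++] = from;
    while (head < tail) {
        u = queue[head++];
        for (v = 0; v < NFUNC; v++)
            if (callgraph[u][v] && dist[v] == UNREACHABLE) {
                dist[v] = dist[u] + 1;
                queue[tail++] = v;
            }
    }
    return dist[to];
}

/* Function-level distance: 0 if n is itself a target, else the harmonic
 * mean of the shortest-path lengths to the reachable targets, -1 if no
 * target is reachable. Computed once per function at instrumentation time. */
static double func_distance(int n, const int *targets, int ntargets)
{
    double inv_sum = 0.0;
    int reachable = 0, i, d;
    for (i = 0; i < ntargets; i++) {
        d = shortest_path(n, targets[i]);
        if (d == 0) return 0.0;
        if (d == UNREACHABLE) continue;
        inv_sum += 1.0 / d;
        reachable++;
    }
    return reachable ? reachable / inv_sum : -1.0;
}

/* Seed distance: mean of the precomputed distances of the functions the
 * seed exercised, skipping undefined ones. This summation is all the
 * fuzzer does at run time, which is how greybox speed is retained. */
static double seed_distance(const int *exercised, int n,
                            const int *targets, int ntargets)
{
    double sum = 0.0, d;
    int counted = 0, i;
    for (i = 0; i < n; i++) {
        d = func_distance(exercised[i], targets, ntargets);
        if (d < 0) continue;
        sum += d;
        counted++;
    }
    return counted ? sum / counted : -1.0;
}

/* Normalise a seed distance to [0,1] against the min/max seen so far. */
static double normalise(double d, double dmin, double dmax)
{
    return dmax > dmin ? (d - dmin) / (dmax - dmin) : 0.0;
}

/* Exponential cooling after 'round' scheduling rounds: T = alpha^round
 * (alpha is an assumption; AFLGo cools as a function of elapsed time). */
static double temperature(int round, double alpha)
{
    double T = 1.0;
    while (round-- > 0) T *= alpha;
    return T;
}

/* Annealing-based schedule: at T = 1 every seed gets 0.5 (exploration);
 * as T -> 0 the factor tends to 1 - d_norm, so the seeds closest to the
 * target get the most energy (exploitation). */
static double annealing_factor(double d_norm, double T)
{
    return (1.0 - d_norm) * (1.0 - T) + 0.5 * T;
}

int approx(double a, double b) { return a - b < 1e-9 && b - a < 1e-9; }

int main(void)
{
    double da = seed_distance(SEED_A, 4, TARGETS, 1);   /* 2.5 */
    double db = seed_distance(SEED_B, 4, TARGETS, 1);   /* 1.5 */
    double dmin = db < da ? db : da, dmax = db < da ? da : db, T;
    int r;
    for (r = 0; r <= 20; r += 5) {
        T = temperature(r, 0.8);
        printf("round %2d T=%.3f  seed_a %.3f  seed_b %.3f\n", r, T,
               annealing_factor(normalise(da, dmin, dmax), T),
               annealing_factor(normalise(db, dmin, dmax), T));
    }
    return 0;
}
```

Running it prints the schedule factor per round: at round 0 both seeds get 0.5, and by round 20 seed B, whose execution reached emit(), gets a factor close to 1 while seed A, which never left the sanitize/log branch, gets under 0.01. Functions with no path to any target (sanitize, log) have an undefined distance and are simply left out of the seed average rather than being treated as infinitely far.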

Page 10

AFLFast: Coverage-based Greybox Fuzzing [CCS'16, TSE'18]

• Model greybox fuzzing as a Markov chain
• Design power schedules to regulate the "energy" so that path exploration gravitates towards low-frequency paths
• Results & Impact
  • 10x faster than the state of the art
  • Received 2000 USD @ Google bug bounty
  • Outperforms KLEE on vulnerability detection
  • 2nd place (on vulnerability detection) @ DARPA CGC (Team Codejitsu)
  • 6 CVEs
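The power-schedule idea on this slide, as an added example that is not AFLFast's code: the FAST schedule p(i) = min(α(i)/β · 2^s(i) / f(i), M) that follows from the Markov-chain model (α: the energy AFL's own heuristics would assign, s: how often seed i has been picked, f: how many generated inputs exercised path i), run side by side with AFL's constant schedule on a constructed two-seed corpus. The constants β = 1 and M = 1600, the initial path frequencies, and the simulation rule that 90% of the inputs generated from a seed re-exercise its own path are assumptions of the example.

```c
#include <stdio.h>

/* Added example, not AFLFast's code: the FAST power schedule from the
 * Markov-chain view of greybox fuzzing, compared with a constant schedule
 * on a constructed two-seed corpus. Constants and the simulation rule are
 * assumptions made for this example. */

struct seed {
    const char *path;   /* the path (Markov-chain state) this seed exercises */
    double alpha;       /* energy AFL's own heuristics would assign */
    int s;              /* times this seed has been picked for fuzzing */
    double f;           /* generated inputs that exercised this path so far */
};

/* FAST: p(i) = min(alpha(i)/beta * 2^s(i) / f(i), M). Energy grows
 * exponentially with the number of times the seed is picked but is divided
 * by the path's frequency, so a low-frequency path is fuzzed hard while a
 * path already hit by thousands of inputs gets almost nothing. */
static double fast_energy(const struct seed *sd, double beta, double M)
{
    int s = sd->s > 30 ? 30 : sd->s;            /* keep 2^s in range */
    double p = sd->alpha / beta * (double)(1u << s) / sd->f;
    return p > M ? M : p;
}

/* Baseline: the same alpha every time, regardless of path frequency. */
static double constant_energy(const struct seed *sd) { return sd->alpha; }

/* Convenience wrapper with beta = 1 and M = 1600 (assumed constants). */
static double energy_of(double alpha, int s, double f)
{
    struct seed sd = { "", alpha, s, f };
    return fast_energy(&sd, 1.0, 1600.0);
}

/* Run 'rounds' scheduling rounds, picking seeds round-robin. Simulation
 * rule (assumption): a fraction 'stay' of the inputs generated from a seed
 * exercise the same path again, raising that path's frequency f. Energy
 * is kept fractional here; AFL would round it to whole fuzz iterations. */
static void simulate(struct seed *corpus, int n, int rounds, int use_fast,
                     double stay, double beta, double M, double *total)
{
    int r, i;
    for (i = 0; i < n; i++) total[i] = 0.0;
    for (r = 0; r < rounds; r++)
        for (i = 0; i < n; i++) {
            double p = use_fast ? fast_energy(&corpus[i], beta, M)
                                : constant_energy(&corpus[i]);
            corpus[i].s++;
            corpus[i].f += stay * p;
            total[i] += p;
        }
}

/* Constructed corpus: seed 0 sits on a path that 1000 inputs have already
 * hit, seed 1 on a path reached by only 5 inputs. Same alpha for both. */
static void make_corpus(struct seed *corpus)
{
    struct seed hi = { "high-frequency", 100.0, 0, 1000.0 };
    struct seed lo = { "low-frequency",  100.0, 0, 5.0 };
    corpus[0] = hi;
    corpus[1] = lo;
}

/* Share of all energy that went to the low-frequency seed after 'rounds'. */
static double low_freq_share(int use_fast, int rounds)
{
    struct seed corpus[2];
    double total[2];
    make_corpus(corpus);
    simulate(corpus, 2, rounds, use_fast, 0.9, 1.0, 1600.0, total);
    return total[1] / (total[0] + total[1]);
}

int approx(double a, double b) { return a - b < 1e-9 && b - a < 1e-9; }

int main(void)
{
    printf("constant schedule: %.1f%% of energy on the low-frequency path\n",
           100.0 * low_freq_share(0, 10));
    printf("FAST schedule:     %.1f%% of energy on the low-frequency path\n",
           100.0 * low_freq_share(1, 10));
    return 0;
}
```

With the constant schedule the two seeds split the energy evenly; with FAST, over ten rounds, more than 80% of it goes to the seed on the rarely exercised path. The division by f is what keeps the schedule self-regulating: as the low-frequency path accumulates hits its energy stops growing, and the cap M bounds the 2^s term for seeds that are picked over and over.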

Page 11

Bucketing Failing Tests via Symbolic Analysis [FASE'17]

• Point-of-failure and call-stack based bucketing do not take program semantics into account, leading to over-condensing, send-bucket and long-tail problems
• Our symbolic analysis based solution:
  • Identify the culprit constraint
  • Use the culprit constraint as the semantic "reason" of failure
  • Group failing paths having the same "reason" together

[Figure: failing tests f1..f4 along path p1, grouped into buckets b1..b5 by culprit constraint]

Page 12

Automated Program Repair

(a) Correct linear search

    int search(int x, int a[], int length) {
        int i;
        for (i = 0; i < length; i++) {
            if (x == a[i])
                return i;
        }
        return -1;
    }

(b) Buggy binary search

    int search(int x, int a[], int length) {
        int L = 0;
        int R = length - 1;
        do {
            int m = (L + R) / 2;
            if (x == a[m]) {
                return m;
            } else if (x < a[m]) {   // bug; fix: x > a[m]
                L = m + 1;
            } else {
                R = m - 1;
            }
        } while (L <= R);
        return -1;
    }

User-defined condition: length = 3 & a[0] < a[1] < a[2]

Verification condition

Experiments on embedded Linux BusyBox

Page 13

SemGraft (ICSE'18)

[Figure: SemGraft workflow. Inputs: buggy program and reference program, both fed to symbolic analysis, which produces the verification condition. A candidate patch is drawn from the angelic forest and the component library. Each "Is SAT?" check either ends with "Patch found" (No) or yields a counterexample (Yes), which is negated and fed back into the next candidate.]
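The loop of the SemGraft figure applied to the linear/binary search pair on the previous slide, as an added example that is neither Angelix nor SemGraft code: the comparison in the buggy binary search becomes a hole, the linear search is the reference program, and the verification condition is that both return the same index on every input satisfying the user-defined condition (length = 3, a[0] < a[1] < a[2]). Where the page's tools use symbolic analysis and an SMT solver to find and negate counterexamples, this example checks the condition exhaustively over a bounded value domain (elements and queries in 0..4); that bound and the six-entry component library are assumptions of the example.

```c
#include <stdio.h>

/* Added example, not Angelix/SemGraft code: repair of the buggy binary
 * search against the linear search as reference, with the comparison
 * treated as a hole filled from a small component library. The verification
 * condition is checked by bounded exhaustive enumeration (an assumption of
 * this example) rather than by symbolic analysis and an SMT solver. */

#define LEN 3
#define DOMAIN 5            /* elements and queries range over 0..4 */

typedef int (*pred_t)(int x, int v);

static int lt(int x, int v) { return x < v; }     /* the buggy original */
static int le(int x, int v) { return x <= v; }
static int always(int x, int v) { (void)x; (void)v; return 1; }
static int never(int x, int v) { (void)x; (void)v; return 0; }
static int gt(int x, int v) { return x > v; }
static int ge(int x, int v) { return x >= v; }

/* Component library: expressions a patch may place at the hole. */
#define NCOMP 6
static const pred_t components[NCOMP] = { lt, le, always, never, gt, ge };
static const char *component_names[NCOMP] = {
    "x < a[m]", "x <= a[m]", "true", "false", "x > a[m]", "x >= a[m]"
};

/* Reference program: the correct linear search from the slide. */
static int linear_search(int x, const int a[], int length)
{
    int i;
    for (i = 0; i < length; i++)
        if (x == a[i]) return i;
    return -1;
}

/* The buggy binary search with its comparison replaced by the hole 'cond'. */
static int search_with(pred_t cond, int x, const int a[], int length)
{
    int L = 0, R = length - 1;
    do {
        int m = (L + R) / 2;
        if (x == a[m]) return m;
        else if (cond(x, a[m])) L = m + 1;
        else R = m - 1;
    } while (L <= R);
    return -1;
}

/* Bounded check of the verification condition. Returns 1 and fills in a
 * counterexample (query x, array a) if the candidate disagrees with the
 * reference on some input satisfying the user-defined condition, else 0. */
static int find_counterexample(pred_t cond, int *cx, int ca[LEN])
{
    int a[LEN], x;
    for (a[0] = 0; a[0] < DOMAIN; a[0]++)
        for (a[1] = a[0] + 1; a[1] < DOMAIN; a[1]++)        /* a[0] < a[1] */
            for (a[2] = a[1] + 1; a[2] < DOMAIN; a[2]++)    /* a[1] < a[2] */
                for (x = 0; x < DOMAIN; x++)
                    if (search_with(cond, x, a, LEN) != linear_search(x, a, LEN)) {
                        *cx = x; ca[0] = a[0]; ca[1] = a[1]; ca[2] = a[2];
                        return 1;
                    }
    return 0;
}

static int agrees_everywhere(pred_t cond)
{
    int x, a[LEN];
    return !find_counterexample(cond, &x, a);
}

/* Enumerate the component library in order; return the index of the first
 * candidate for which no counterexample exists, or -1 if none passes. */
static int synthesize(void)
{
    int i;
    for (i = 0; i < NCOMP; i++)
        if (agrees_everywhere(components[i])) return i;
    return -1;
}

int main(void)
{
    int x, a[LEN], i;
    if (find_counterexample(lt, &x, a))
        printf("original fails on x=%d, a={%d,%d,%d}: got %d, reference %d\n",
               x, a[0], a[1], a[2],
               search_with(lt, x, a, LEN), linear_search(x, a, LEN));
    i = synthesize();
    printf("patch: replace the condition with %s\n",
           i >= 0 ? component_names[i] : "(none found)");
    return 0;
}
```

The first counterexample for the original condition is x = 0 with a = {0, 1, 2}: the buggy search moves L past the answer and returns -1 where the reference returns 0. The first library entry with no counterexample is x > a[m], the fix noted on the slide; x >= a[m] also passes, because the equality case is already handled by the preceding branch, which is why the order of the component library decides which of several valid patches is reported.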

Page 14

WP2: Binary Hardening

Page 15

EffectiveSan: Dynamically Typed C/C++ [PLDI'18]

• EffectiveSan is a comprehensive dynamic type checker for C/C++ programs
• Key observation: most C/C++ vulnerabilities are type errors
• EffectiveSan directly detects the following classes of error:
  • Type errors (type confusion, bad casts, etc.)
  • Bounds errors (buffer overflows, etc.)
  • Sub-object bounds errors (overwriting vptrs, etc.)
  • Use-after-free, reuse-after-free, and double free errors

Page 16

How EffectiveSan Works [PLDI'18]

• EffectiveSan stores meta data (META) at the base of all objects
• Given a pointer p into object q, use the low-fat pointer base(p) to find META
• META stores the dynamic type, which is checked at runtime

[Figure: LOWFAT]
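How base(p) and META fit together, as an added example that is not the LowFat or EffectiveSan implementation: a toy low-fat heap in which each size class owns one fixed region of a static arena and objects are placed at multiples of their size class, so base(p) is arithmetic on the pointer value alone, with no table lookup; a META header at base(p) carries the dynamic type, and the checker uses it to flag both bounds and type errors. The region size, the size classes, the type identifiers, the plain equality test standing in for EffectiveSan's type compatibility rules, and the absence of use-after-free tracking are all assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the LowFat/EffectiveSan implementation: a toy low-fat
 * heap. Region i of a static arena holds only objects of sizeclass[i],
 * placed at multiples of that class, so base(p) is pure arithmetic. A META
 * header at base(p) records the dynamic type. Region size, size classes
 * and type identifiers are assumptions made for this example. */

#define REGION_SIZE 4096
#define NCLASSES 3
static const uint32_t sizeclass[NCLASSES] = { 32, 64, 128 };

static unsigned char arena[NCLASSES * REGION_SIZE];  /* region i: class i */
static uint32_t bump[NCLASSES];                      /* bytes used per region */

enum type_id { T_NONE = 0, T_INT_ARRAY, T_SESSION }; /* constructed types */

struct meta {            /* META, stored at the base of every object */
    uint32_t type;       /* dynamic type of the allocation */
    uint32_t size;       /* requested object size in bytes */
};

enum check_result { CHECK_OK, CHECK_BOUNDS_ERROR, CHECK_TYPE_ERROR, CHECK_NOT_LOWFAT };

/* Region index holding p, or -1 if p is not a low-fat pointer (stack,
 * globals, ...); such pointers are left unchecked, as LowFat does. */
static int region_of(const void *p)
{
    uintptr_t a = (uintptr_t)arena, q = (uintptr_t)p;
    if (q < a || q - a >= sizeof arena) return -1;
    return (int)((q - a) / REGION_SIZE);
}

/* base(p): round the offset inside the region down to the size class. */
static unsigned char *lowfat_base(const void *p)
{
    int r = region_of(p);
    uintptr_t region, off;
    if (r < 0) return NULL;
    region = (uintptr_t)arena + (uintptr_t)r * REGION_SIZE;
    off = (uintptr_t)p - region;
    return (unsigned char *)(region + (off / sizeclass[r]) * sizeclass[r]);
}

/* Allocate 'size' bytes of type 'type' from the smallest class that fits
 * META + size; META is written at the base and the object follows it. */
static void *lowfat_malloc(uint32_t size, uint32_t type)
{
    int r;
    for (r = 0; r < NCLASSES; r++) {
        if (sizeof(struct meta) + size <= sizeclass[r] &&
            bump[r] + sizeclass[r] <= REGION_SIZE) {
            unsigned char *base = arena + (size_t)r * REGION_SIZE + bump[r];
            struct meta m;
            m.type = type;
            m.size = size;
            memcpy(base, &m, sizeof m);
            bump[r] += sizeclass[r];
            return base + sizeof m;
        }
    }
    return NULL;
}

/* Check an access of 'len' bytes at p that the code treats as 'type'.
 * A pointer that has wandered into the next slot resolves to that slot's
 * base and fails the type check (an unallocated slot has type T_NONE). */
static enum check_result effective_check(const void *p, uint32_t type, uint32_t len)
{
    unsigned char *base = lowfat_base(p);
    struct meta m;
    uintptr_t off;
    if (!base) return CHECK_NOT_LOWFAT;
    memcpy(&m, base, sizeof m);
    if (m.type != type) return CHECK_TYPE_ERROR;           /* type confusion */
    off = (uintptr_t)p - (uintptr_t)base;
    if (off < sizeof m || off - sizeof m + len > m.size)
        return CHECK_BOUNDS_ERROR;                          /* under/overflow */
    return CHECK_OK;
}

/* One constructed object: four 32-bit ints, allocated on first use. */
static void *demo_obj(void)
{
    static void *obj;
    if (!obj) obj = lowfat_malloc(16, T_INT_ARRAY);
    return obj;
}

int main(void)
{
    unsigned char *p = demo_obj();
    printf("in bounds          -> %d\n", effective_check(p, T_INT_ARRAY, 4));
    printf("interior pointer   -> %d\n", effective_check(p + 8, T_INT_ARRAY, 4));
    printf("one past the end   -> %d\n", effective_check(p + 16, T_INT_ARRAY, 4));
    printf("cast to T_SESSION  -> %d\n", effective_check(p, T_SESSION, 8));
    printf("non-heap pointer   -> %d\n", effective_check(bump, T_INT_ARRAY, 4));
    return 0;
}
```

The point to take from the layout is that an interior pointer (p + 8) and the object pointer resolve to the same base, so the checker never needs to know where the pointer came from; an access that runs one element past the end is caught by comparing against the requested size in META rather than the size-class slot, and a pointer that is not low-fat at all is reported as unchecked rather than as an error.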

Page 17

WP3: Formal Verification

Page 18

Communication as protocol

• The interaction between components is termed as protocols
• E.g., Single-Sign-On (SSO) protocol: the communication among a browser, a web server and a website using an SSO service

[Figure: SSO flow between User (Client), Identity Provider (IdP) and A.com; message labels: login, username & password, access token (twice)]

Page 19

Communication as protocol

• Developed a framework to extract protocols from messages and perform formal analysis
• Protocol extraction
• Protocol modelling
• Model verification
• Result confirmation

[Figure: framework workflow. Inputs: network traces, SDK analysis, security property, attacker model. Stages: protocol extraction; protocol modelling (refine, repeat refinement until finished, yielding the refined protocol); model and formal verification, with protocol fuzzing under the attacker model; report analysis; a confirmed vulnerability leads to reconstructing the attack.]

Page 20

Formal verification of protocols [ICFEM'17]

• Formal verification of the communication/protocols is necessary
• Protocols, especially security protocols, are error-prone
• Model checking based on PAT (Process Analysis Toolkit)
  • Protocol: CSP# model
  • Security properties: assertions or LTL
  • Built a PAT library for modelling cryptographic primitives and reasoning on attacker knowledge (bounded sessions)

Page 21

Formal verification of protocols [ICFEM'17]

• Verification of security protocols with unbounded sessions
• Stateful security protocols: global states which influence the protocol behavior and may evolve unboundedly
• Developed a specification framework based on Horn clauses
• Developed a verification algorithm for verifying stateful security protocols with unbounded evolution of global states

[Figure: Stateful protocol (the protocol, its state, and state changes that influence it) → Specification Framework: represent as Horn clauses with states → Verification Algorithm: deduction of a targeted rule, reasoning by knowledge forward search for the attacker and state backward search to find a valid evolving trace → Result: YES or NO]
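The Horn-clause representation and the attacker's knowledge forward search from this slide, as an added example that is not the ICFEM'17 framework: a stateful protocol written as ground Horn clauses over a fixed set of facts, saturated by forward chaining, with the derivation of the target fact read back from the recorded rule applications. The protocol (a secret sent under a session key, a key-escrow state, and an exposed-log state), the two evolving traces, and the rule set are constructed for the example; the state backward search of the real algorithm is not modelled, so the traces are given rather than found.

```c
#include <stdio.h>

/* Added example, not the ICFEM'17 framework: a stateful protocol as ground
 * Horn clauses over a fixed fact set. Attacker knowledge is derived by
 * forward search to a fixpoint; the derivation of a target fact is read
 * back from the recorded rule applications. Protocol, state facts and
 * traces are constructed for this example. */

enum fact {
    K_MSG,            /* attacker knows pair(enc(s,k), nonce), seen on the wire */
    K_ENC_S_K,        /* attacker knows enc(s,k) */
    K_NONCE,          /* attacker knows nonce */
    K_K,              /* attacker knows the session key k */
    K_S,              /* attacker knows the secret s */
    ST_KEY_ESCROWED,  /* global state: k was written to the escrow log */
    ST_LOG_EXPOSED,   /* global state: the escrow log became world-readable */
    NFACTS
};
static const char *fact_name[NFACTS] = {
    "K(pair(enc(s,k),nonce))", "K(enc(s,k))", "K(nonce)", "K(k)", "K(s)",
    "state:key_escrowed", "state:log_exposed"
};

#define MAXPRE 3
struct clause { const char *name; int npre; enum fact pre[MAXPRE]; enum fact concl; };

/* Attacker deduction rules plus one state-dependent rule: the key leaks
 * only once both global-state facts hold, which is what makes the global
 * state part of the ver﻿ification problem. */
static const struct clause clauses[] = {
    { "proj1",   1, { K_MSG },                           K_ENC_S_K },
    { "proj2",   1, { K_MSG },                           K_NONCE },
    { "decrypt", 2, { K_ENC_S_K, K_K },                  K_S },
    { "leak",    2, { ST_KEY_ESCROWED, ST_LOG_EXPOSED }, K_K },
};
#define NCLAUSES 4

/* Two constructed evolving traces: the facts that hold at their end. */
static const enum fact TRACE_ESCROWED[] = { K_MSG, ST_KEY_ESCROWED };
static const enum fact TRACE_EXPOSED[]  = { K_MSG, ST_KEY_ESCROWED, ST_LOG_EXPOSED };

/* Forward search: apply clauses until no new fact appears. known[f] is 1
 * for every fact that holds; derived_by[f] is the clause that first
 * produced f, or -1 for a given fact. Returns the number of facts derived. */
static int saturate(int known[NFACTS], int derived_by[NFACTS])
{
    int changed = 1, derived = 0, c, i, f;
    for (f = 0; f < NFACTS; f++) derived_by[f] = -1;
    while (changed) {
        changed = 0;
        for (c = 0; c < NCLAUSES; c++) {
            int fires = 1;
            if (known[clauses[c].concl]) continue;
            for (i = 0; i < clauses[c].npre; i++)
                if (!known[clauses[c].pre[i]]) { fires = 0; break; }
            if (fires) {
                known[clauses[c].concl] = 1;
                derived_by[clauses[c].concl] = c;
                changed = 1;
                derived++;
            }
        }
    }
    return derived;
}

/* Seed known[] with the facts of a trace and saturate. */
static int run(const enum fact *initial, int n, int known[NFACTS], int derived_by[NFACTS])
{
    int i;
    for (i = 0; i < NFACTS; i++) known[i] = 0;
    for (i = 0; i < n; i++) known[initial[i]] = 1;
    return saturate(known, derived_by);
}

/* Is 'target' derivable by the attacker in this trace? */
static int derivable(const enum fact *initial, int n, enum fact target)
{
    int known[NFACTS], derived_by[NFACTS];
    run(initial, n, known, derived_by);
    return known[target];
}

/* Number of facts the attacker derives beyond the given ones. */
static int count_derived(const enum fact *initial, int n)
{
    int known[NFACTS], derived_by[NFACTS];
    return run(initial, n, known, derived_by);
}

/* Print how f was derived, recursing through the premises of its rule. */
static void explain(enum fact f, const int derived_by[NFACTS], int depth)
{
    int c = derived_by[f], i;
    printf("%*s%s%s\n", depth * 2, "", fact_name[f], c < 0 ? " (given)" : "");
    if (c < 0) return;
    printf("%*s  by %s from:\n", depth * 2, "", clauses[c].name);
    for (i = 0; i < clauses[c].npre; i++)
        explain(clauses[c].pre[i], derived_by, depth + 2);
}

int main(void)
{
    int known[NFACTS], derived_by[NFACTS];
    printf("escrowed only:    secret derivable? %d\n", derivable(TRACE_ESCROWED, 2, K_S));
    printf("escrowed+exposed: secret derivable? %d\n", derivable(TRACE_EXPOSED, 3, K_S));
    run(TRACE_EXPOSED, 3, known, derived_by);
    explain(K_S, derived_by, 0);
    return 0;
}
```

In the first trace the attacker gets only the projections of the captured message and the secret stays safe; once the log-exposed state fact is added, the leak rule fires, decrypt becomes applicable, and the printed derivation is exactly the attack trace: K(s) by decrypt from K(enc(s,k)) (by proj1 from the captured message) and K(k) (by leak from the two state facts). With ground facts the fixpoint is reached in a few passes; the real problem the slide addresses is that the states evolve without bound, which is why it needs a backward search over states rather than a finite saturation like this one.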

Page 22

WP4: Sensitive Data Protection

Page 23

Constant Latency Read-Only ORAM

§ Leakage via data access patterns is common
§ Oblivious RAM incurs at best O(log N) overhead for read/write accesses
§ Key insight: for read-only data, the shuffle and access steps can be parallelized
§ Our approach: with √N trusted hardware (SGX) cores on the server
  § Distribute the work in each shuffle step to multiple threads
  § This matches the rate of access and shuffle operations
§ Result: constant latency with sufficient computational cores (80 threads)
  § 0.3 seconds to fetch a block of 256 KB

RQ: Can we achieve "constant latency" for specific cases in real applications?

[Figure labels: Encrypted RAM; Encrypted Cloud Storage; Peer-to-peer/Distributed system; Secret keys; User queries; Online Behavior; Photos; Music; PDFs; Videos]

Page 24

Panoply: Micro-containers for SGX [NDSS'17]

• Micro-containers with a targeted 20K-30K lines of code of TCB
• Unlike LibOSes, Panoply doesn't virtualize the namespace

Page 25

Panoply: Micro-containers for SGX [NDSS'17]

• Tool-chain and OS support for new security primitives and encrypted computation
• Panoply prototype
  • Security primitives supporting application execution
  • Limited SDK, compiler, and library support
  • Currently tested for 4 case studies:
    • HTTP/2 web server with privilege separation to prevent Neverbleed: H2O
    • Distributed anonymous network: Tor
    • Database streaming application: FreeTDS
    • Popular SSL/TLS and cryptographic library: OpenSSL