Abstract
Memory-safety issues and information leakage are known to be depressingly common. We consider the compositional static detection of both kinds of vulnerability in first-order C-like programs. The latter are relational hyper-safety violations, defined by comparing pairs of program executions, which makes them more challenging to detect than the former, which require reasoning only over individual executions. Existing symbolic leakage-detection methods treat only non-interactive programs, avoiding the challenges of nondeterminism. Also, being whole-program analyses, they cannot be applied one function at a time, ruling out incremental analysis. We remedy these shortcomings by presenting Insecurity Separation Logic (InsecSL), an under-approximate relational program logic for soundly detecting information leakage and memory-safety issues in interactive programs. Importantly, InsecSL reasons about pairs of executions, and so is relational, but purposefully resembles the non-relational Incorrectness Separation Logic (ISL) that is already automated in the Infer tool. We show how InsecSL can be automated by bi-abduction-based symbolic execution, and we evaluate two implementations of this idea (one based on Infer) on various case studies.
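The abstract rests on two distinctions: leakage is a property of pairs of executions whereas a memory-safety bug is witnessed by one execution, and an under-approximate logic reports only genuine witnesses. The following Python sketch, written for this page and not taken from the paper or from the InsecSL/Infer implementations, makes both concrete. It stands in for symbolic execution with plain enumeration over a small input space; the programs, buffer size and inputs are all constructed for the illustration, and a program is modelled as a Python function `prog(low, high, mem)` that returns the list of values it outputs.

```python
"""Added illustration, not the paper's code: a relational (two-execution)
leak detector next to a non-relational (single-execution) memory-safety
detector, both witness-producing. Enumeration replaces symbolic execution;
programs, inputs and the buffer size are constructed for the example."""
from itertools import product

BUF_SIZE = 4  # assumed fixed-size buffer; indices >= BUF_SIZE are out of bounds


def run(prog, low, high):
    """Execute prog once on (low, high) with a fresh buffer.
    Returns (outputs, None) on success or (None, error) on a memory error."""
    mem = [0] * BUF_SIZE
    try:
        return prog(low, high, mem), None
    except IndexError as e:
        return None, "memory-safety: " + str(e)


def find_leak(prog, lows, highs):
    """Relational check: look for two executions that agree on the public
    input `low` but differ in what they output. Any pair returned is a real
    witness, so there are no false positives (the under-approximate
    guarantee); returning None proves nothing, since only the enumerated
    inputs were tried."""
    for low in lows:
        for h1, h2 in product(highs, repeat=2):
            if h1 == h2:
                continue
            out1, err1 = run(prog, low, h1)
            out2, err2 = run(prog, low, h2)
            if err1 is None and err2 is None and out1 != out2:
                return {"low": low, "high_a": h1, "high_b": h2,
                        "out_a": out1, "out_b": out2}
    return None


def find_memory_bug(prog, lows, highs):
    """Non-relational check: one failing execution is already a witness."""
    for low, high in product(lows, highs):
        _, err = run(prog, low, high)
        if err is not None:
            return {"low": low, "high": high, "error": err}
    return None


# --- constructed example programs -------------------------------------------

def leaky_branch(low, high, mem):
    """Output depends on the secret through the branch condition."""
    return [1] if high > low else [0]


def safe_copy(low, high, mem):
    """The secret is stored but never influences any output."""
    mem[0] = high
    return [low * 2]


def oob_read(low, high, mem):
    """Public, attacker-chosen index into the fixed-size buffer.
    Only non-negative indices are meaningful here: Python wraps negative
    indices, which does not model C."""
    return [mem[low]]


if __name__ == "__main__":
    print(find_leak(leaky_branch, [0, 1, 2], [0, 1, 2, 3]))
    print(find_leak(safe_copy, [0, 1, 2], [0, 1, 2, 3]))
    print(find_memory_bug(oob_read, [0, 1, 2, 3, 4], [0]))
```

`find_leak` only ever compares executions that share the same `low`, which is exactly the pairing the abstract describes; a single run of `leaky_branch` looks harmless, and the bug is visible only once a second run with a different secret is placed beside it. `find_memory_bug` needs no second execution. Neither function can establish absence of bugs, which is the price of the no-false-positives guarantee.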
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
Cite this paper
Murray, T., Yan, P., Ernst, G. (2023). Compositional Vulnerability Detection with Insecurity Separation Logic. In: Li, Y., Tahar, S. (eds) Formal Methods and Software Engineering. ICFEM 2023. Lecture Notes in Computer Science, vol 14308. Springer, Singapore. https://doi.org/10.1007/978-981-99-7584-6_5
DOI: https://doi.org/10.1007/978-981-99-7584-6_5
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-7583-9
Online ISBN: 978-981-99-7584-6