Harsha Sharma,Wenfei Wu,Bangwen Deng

DOI: https://doi.org/10.1109/mascots50786.2020.9285941

2020-01-01

Abstract:Symbolic Execution is a commonly used technique in network function (NF) verification, and it helps network operators to find implementation or configuration bugs before the deployment. By studying most existing symbolic execution engine, we realize that they only focus on packet arrival based event logic; we propose that NF modeling language should include time-driven logic to describe the actual NF implementations more accurately and performing complete verification. Thus, we define primitives to express time-driven logic in NF modeling language and develop a symbolic execution engine NF-SE that can verify such logic for NFs for multiple packets. Our prototype of NF-SE and evaluation on multiple example NFs demonstrate its usefulness and correctness.

Yeqi Mou,Baosheng Wang,Bo Yu,Qiang Yang,Chengnuo Cai

DOI: https://doi.org/10.1145/3689236.3689258

2024-01-01

Abstract:Fuzzing is widely used to test network protocols' reliability. However, network protocol implementations contain numerous branches dedicated to processing network packets, which require certain values at certain positions of the network packet to satisfy, as opposed to simply falling within a range. This makes it challenging for fuzzing to generate testcases that satisfy these branch constraints, leading to inefficiencies in exploring the test space. The challenge is how to generate testcases that can satisfy these branch conditions so that fuzzing can explore the test space more completely. To address this, we introduce a fuzzing approach, SymFL-Net, which is enhanced with branch information. Based on dynamic symbolic execution, we designed a method to extract branch information and generate high-quality testcases with high quality. During testing, SymFL-Net parallelly runs fuzzing and symbolic execution and shares testcases between them, which can help improve the efficiency of exploring test space. We implemented SymFL-Net and evaluated its performance on 5 real-world programs. The experimental results demonstrate at least 89.46 % improvement in average path discovery compared to AFLNet and StateAFL, showing the significant ability of SymFL-Net.

Shameng Wen,Qingkun Meng,Chao Feng,Chaojing Tang

DOI: https://doi.org/10.1371/journal.pone.0188229

IF: 3.7

2017-11-16

PLoS ONE

Abstract:Formal techniques have been devoted to analyzing whether network protocol specifications violate security policies; however, these methods cannot detect vulnerabilities in the implementations of the network protocols themselves. Symbolic execution can be used to analyze the paths of the network protocol implementations, but for stateful network protocols, it is difficult to reach the deep states of the protocol. This paper proposes a novel model-guided approach to detect vulnerabilities in network protocol implementations. Our method first abstracts a finite state machine (FSM) model, then utilizes the model to guide the symbolic execution. This approach achieves high coverage of both the code and the protocol states. The proposed method is implemented and applied to test numerous real-world network protocol implementations. The experimental results indicate that the proposed method is more effective than traditional fuzzing methods such as SPIKE at detecting vulnerabilities in the deep states of network protocol implementations.

Alexey Vishnyakov,Andrey Fedotov,Daniil Kuts,Alexander Novikov,Darya Parygina,Eli Kobrin,Vlada Logunova,Pavel Belecky,Shamil Kurmangaleev

DOI: https://doi.org/10.1109/ISPRAS51486.2020.00014

2021-01-26

Abstract:The security development lifecycle (SDL) is becoming an industry standard. Dynamic symbolic execution (DSE) has enormous amount of applications in computer security (fuzzing, vulnerability discovery, reverse-engineering, etc.). We propose several performance and accuracy improvements for dynamic symbolic execution. Skipping non-symbolic instructions allows to build a path predicate 1.2--3.5 times faster. Symbolic engine simplifies formulas during symbolic execution. Path predicate slicing eliminates irrelevant conjuncts from solver queries. We handle each jump table (switch statement) as multiple branches and describe the method for symbolic execution of multi-threaded programs. The proposed solutions were implemented in Sydr tool. Sydr performs inversion of branches in path predicate. Sydr combines DynamoRIO dynamic binary instrumentation tool with Triton symbolic engine. We evaluated Sydr features on 64-bit Linux executables.

Cryptography and Security

Fan Yao,Yongbo Li,Yurong Chen,Hongfa Xue,Tian Lan,Guru Venkataramani

DOI: https://doi.org/10.1109/dsn.2017.57

2017-01-01

Abstract:Identifying vulnerabilities in software systems is crucial to minimizing the damages that result from malicious exploits and software failures. This often requires proper identification of vulnerable execution paths that contain program vulnerabilities or bugs. However, with rapid rise in software complexity, it has become notoriously difficult to identify such vulnerable paths through exhaustively searching the entire program execution space. In this paper, we propose StatSym, a novel, automated Statistics-Guided Symbolic Execution framework that integrates the swiftness of statistical inference and the rigorousness of symbolic execution techniques to achieve precision, agility and scalability in vulnerable program path discovery. Our solution first leverages statistical analysis of program runtime information to construct predicates that are indicative of potential vulnerability in programs. These statistically identified paths, along with the associated predicates, effectively drive a symbolic execution engine to verify the presence of vulnerable paths and reduce their time to solution. We evaluate StatSym on four real-world applications including polymorph, CTree, Grep and thttpd that come from diverse domains. Results show that StatSym is able to assist the symbolic executor, KLEE, in identifying the vulnerable paths for all of the four cases, whereas pure symbolic execution fails in three out of four applications due to memory space overrun.

Shen Shiqi,Shweta Shinde,Soundarya Ramesh,Abhik Roychoudhury,Prateek Saxena

DOI: https://doi.org/10.14722/ndss.2019.23530

2019-01-01

Elements

Abstract:Symbolic execution is a powerful technique for program analysis.However, it has many limitations in practical applicability: the path explosion problem encumbers scalability, the need for language-specific implementation, the inability to handle complex dependencies, and the limited expressiveness of theories supported by underlying satisfiability checkers.Often, relationships between variables of interest are not expressible directly as purely symbolic constraints.To this end, we present a new approach-neuro-symbolic execution-which learns an approximation of the relationship between program values of interest, as a neural network.We develop a procedure for checking satisfiability of mixed constraints, involving both symbolic expressions and neural representations.We implement our new approach in a tool called NEUEX as an extension of KLEE, a state-of-the-art dynamic symbolic execution engine.NEUEX finds 33 exploits in a benchmark of 7 programs within 12 hours.This is an improvement in the bug finding efficacy of 94% over vanilla KLEE.We show that this new approach drives execution down difficult paths on which KLEE and other DSE extensions get stuck, eliminating limitations of purely SMT-based techniques.

Shiqi Shen,Soundarya Ramesh,Shweta Shinde,Abhik Roychoudhury,Prateek Saxena

2018-01-01

Abstract:Symbolic execution is a powerful technique for program analysis. However, it has many limitations in practical applicability: the path explosion problem encumbers scalability, the need for language-specific implementation, the inability to handle complex dependencies, and the limited expressiveness of theories supported by underlying satisfiability checkers. Often, relationships between variables of interest are not expressible directly as purely symbolic constraints. To this end, we present a new approach -- neuro-symbolic execution -- which learns an approximation of the relationship as a neural net. It features a constraint solver that can solve mixed constraints, involving both symbolic expressions and neural network representation. To do so, we envision such constraint solving as procedure combining SMT solving and gradient-based optimization. We demonstrate the utility of neuro-symbolic execution in constructing exploits for buffer overflows. We report success on 13/14 programs which have difficult constraints, known to require specialized extensions to symbolic execution. In addition, our technique solves $100$% of the given neuro-symbolic constraints in $73$ programs from standard verification and invariant synthesis benchmarks.

Wenqiang Li,Weijun Li,Lina Yu,Min Wu,Linjun Sun,Jingyi Liu,Yanjie Li,Shu Wei,Yusong Deng,Meilan Hao

2024-06-01

Abstract:Symbolic regression (SR) is a powerful technique for discovering the underlying mathematical expressions from observed data. Inspired by the success of deep learning, recent deep generative SR methods have shown promising results. However, these methods face difficulties in processing high-dimensional problems and learning constants due to the large search space, and they don't scale well to unseen problems. In this work, we propose DySymNet, a novel neural-guided Dynamic Symbolic Network for SR. Instead of searching for expressions within a large search space, we explore symbolic networks with various structures, guided by reinforcement learning, and optimize them to identify expressions that better-fitting the data. Based on extensive numerical experiments on low-dimensional public standard benchmarks and the well-known SRBench with more variables, DySymNet shows clear superiority over several representative baseline models. Open source code is available at <a class="link-external link-https" href="https://github.com/AILWQ/DySymNet" rel="external noopener nofollow">this https URL</a>.

Machine Learning,Artificial Intelligence

Xing Fang,Feiyan Ding,Bang Huang,Ziyi Wang,Gao Han,Rulan Yang,Lizhao You,Qiao Xiang,Linghe Kong,Yutong Liu,Jiwu Shu

DOI: https://doi.org/10.1109/infocom52122.2024.10621215

2024-01-01

Abstract:Satisfiability Modulo Theories (SMT) based network configuration verification tools are powerful tools in preventing network configuration errors. However, their fundamental limitation is efficiency, because they rely on generic SMT solvers to solve SMT problems, which are in general NP-complete. In this paper, we show that by leveraging network domain knowledge, we can substantially accelerate SMT-based network configuration verification. Our key insights are: given a network configuration verification formula, network domain knowledge can (1) guide the search of solutions to the formula by avoiding unnecessary search spaces; and (2) help simplify the formula, reducing the problem scale. We leverage these insights to design a new SMT- based network configuration verification tool called NetSMT. Extensive evaluation using real-world topologies and synthetic network configurations shows that NetSMT achieves orders of magnitude improvements compared to state-of-the-art methods.

Eric Madelaine,Xudong Qin,Min Zhang,Simon Bliudze

DOI: https://doi.org/10.14279/tuj.eceasst.76.1103

2018-01-01

Abstract:Open pNets are used to model the behaviour of open systems, both synchronous or asynchronous, expressed in various calculi or languages. They are endowed with a symbolic operational semantics in terms of so-called “Open Automata”. This allows us to check properties of such systems in a compositional manner. We implement an algorithm computing these semantics, building predicates expressing the synchronization conditions between the events of the pNet sub-systems. Checking such predicates requires symbolic reasoning over first order logics, but also over application-specific data. We use the Z3 SMT engine to check satisfiability of the predicates, and prune the open automaton of its unsatisfiable transitions. As an industrial oriented use-case, we use so-called "architectures" for BIP systems, that have been used in the framework of an ESA project and to specify the control software of a nanosatellite at the EPFL Space Engineering Center. We use pNets to encode a BIP architecture extended with explicit data, and compute its open automaton semantics. This automaton may be used to prove behavioural properties; we give 2 examples, a safety and a liveness property.

Xudong Qin,Simon Bliudze,Eric Madelaine,Zechen Hou,Yuxin Deng,Min Zhang

DOI: https://doi.org/10.1007/s00236-020-00367-6

2020-01-01

Acta Informatica

Abstract:Open pNets are formal models that can express the behaviour of open systems, either synchronous, asynchronous, or heterogeneous. They are endowed with a symbolic operational semantics in terms of open automata, which allows us to check properties of such systems in a compositional manner. We present an algorithm computing these semantics, building predicates expressing the synchronisation conditions between the events of pNet sub-systems. Checking such predicates requires symbolic reasoning about first order logics and application-specific data. We use the Z3 SMT engine to check satisfiability of the predicates. We also propose and implement an optimised algorithm that performs part of the pruning on the fly, and show its correctness with respect to the original one. We illustrate the approach using two use-cases: the first one is a classical process-algebra operator for which we provide several encodings, and prove some basic properties. The second one is industry-oriented and based on the so-called "BIP architectures", which have been used to specify the control software of a nanosatellite at the EPFL Space Engineering Center. We use pNets to encode a BIP architecture extended with explicit data, compute its semantics and discuss its properties, and then show how our algorithms scale up, using a composition of two such architectures.

Bin Yuan,Shengyao Sun,Xianjun Deng,Deqing Zou,Haoyu Chen,Shenghui Li,Hai Jin

DOI: https://doi.org/10.1109/TrustCom53373.2021.00132

2021-01-01

Abstract:The modern network consists of thousands of network devices from different suppliers that perform distinct codependent functions, such as routing, switching, modifying header fields, and access control across physical and virtual networks. Because of the network complexity, the network is prone to a wide range of errors, such as false-positive configuration, software errors, or unexpected interactions across protocols. These errors can lead to loops, sub-optimal routing, path leaks, black holes, and access control violations that make services unavailable, vulnerable to exploitation, or prone to attacks (e.g., DDoS attacks). To mitigate these problems, network operators deploy many different stateful network functions, like firewalls, NATs, load balancers, and intrusion-prevention boxes. They have become an important part of networks today, so it is critical to verify that these network functions are the same as expected deployments. All static network verification tools are meant to rigorously check network software or configuration for bugs before deployment. They usually use handwritten models or limited derivation models that are error-prone and ignore the fact that even the same type of network functions (from different vendors) still have different implementation details. In this paper, we propose a tool that can automatically synthesize more realistic and high-fidelity models that include stateful network functions with non-field attributes. We design an inferring algorithm, implement the transformation between data packages and symbolic packages, and obtain a finite state machine that can accurately express the actions of black-box network functions for a given configuration.

Yanjie Li,Weijun Li,Lina Yu,Min Wu,Jinyi Liu,Wenqiang Li,Meilan Hao,Shu Wei,Yusong Deng

2024-12-19

Abstract:Mathematical formulas serve as the means of communication between humans and nature, encapsulating the operational laws governing natural phenomena. The concise formulation of these laws is a crucial objective in scientific research and an important challenge for artificial intelligence (AI). While traditional artificial neural networks (MLP) excel at data fitting, they often yield uninterpretable black box results that hinder our understanding of the relationship between variables x and predicted values y. Moreover, the fixed network architecture in MLP often gives rise to redundancy in both network structure and parameters. To address these issues, we propose MetaSymNet, a novel neural network that dynamically adjusts its structure in real-time, allowing for both expansion and contraction. This adaptive network employs the PANGU meta function as its activation function, which is a unique type capable of evolving into various basic functions during training to compose mathematical formulas tailored to specific needs. We then evolve the neural network into a concise, interpretable mathematical expression. To evaluate MetaSymNet's performance, we compare it with four state-of-the-art symbolic regression algorithms across more than 10 public datasets comprising 222 formulas. Our experimental results demonstrate that our algorithm outperforms others consistently regardless of noise presence or absence. Furthermore, we assess MetaSymNet against MLP and SVM regarding their fitting ability and extrapolation capability, these are two essential aspects of machine learning algorithms. The findings reveal that our algorithm excels in both areas. Finally, we compared MetaSymNet with MLP using iterative pruning in network structure complexity. The results show that MetaSymNet's network structure complexity is obviously less than MLP under the same goodness of fit.

Machine Learning,Artificial Intelligence

Rulan Yang,Hanyang Shao,Gao Han,Ziyi Wang,Xing Fang,Lizhao You,Qiao Xiang,Linghe Kong,Ruiting Zhou,Jiwu Shu

2024-09-30

Abstract:Although substantial progress has been made in automatically verifying whether distributed routing configurations conform to certain requirements, diagnosing and repairing configuration errors remains manual and time-consuming. To fill this gap, we propose S^2Sim, a novel system for automatic routing configuration diagnosis and repair. Our key insight is that by selectively simulating variants of the given configuration in a symbolic way, we can find an intent-compliant variant, whose differences between the given configuration reveal the errors in the given configuration and suggest the patches. Building on this insight, we also design techniques to support complex scenarios (e.g., multiple protocol networks) and requirements (e.g., k-link failure tolerance). We implement a prototype of S^2Sim and evaluate its performance using networks of size O(10) ~ O(1000) with synthetic real-world configurations. Results show that S^2Sim diagnoses and repairs errors for 1) all WAN configurations within 10 s and 2) all DCN configurations within 20 minutes.

Networking and Internet Architecture

Mehdi Malboubi,Yanlei Gong,Wang Xiong,Chen-Nee Chuah,Puneet Sharma

DOI: https://doi.org/10.1109/ICCCN.2015.7288469

2015-01-01

Abstract:A key requirement for network management is the accurate and reliable monitoring of relevant network characteristics. In today's large-scale networks, this is a challenging task due to the scarcity of network measurement resources and the hard constraints that this imposes. This paper proposes a new framework, SNIPER, which leverages the flexibility provided by Software-Defined Networking (SDN) to design the optimal observation or measurement matrix that can leads to the best achievable estimation accuracy using Matrix Completion (MC) techniques. To cope with the complexity of designing large-scale optimal observation matrices, we use the Evolutionary Optimization Algorithms (EOA) which directly target the ultimate estimation accuracy as the optimization objective function. We evaluate the performance of SNIPER using both synthetic and real network measurement traces from different network topologies and by considering two main applications for per-flow size and delay estimations. Our results show that SNIPER can be applied to a variety of network performance measurements under hard resource constraints. For example, by measuring only 8.8% of all per-flow path delays in Harvard network [1], congested paths can be detected with probability of 0.94. To demonstrate the feasibility of our framework, we also have implemented a prototype of SNIPER in Mininet.

Zhichun Li,Gao Xia,Hongyu Gao,Yi Tang,Yan Chen,Bin Liu,Junchen Jiang,Yuezhou Lv

DOI: https://doi.org/10.1145/1851275.1851216

IF: 1.937

2010-01-01

ACM SIGCOMM Computer Communication Review

Abstract:Accuracy and speed are the two most important metrics for Network Intrusion Detection/Prevention Systems (NIDS/NIPSes). Due to emerging polymorphic attacks and the fact that in many cases regular expressions (regexes) cannot capture the vulnerability conditions accurately, the accuracy of existing regex-based NIDS/NIPS systems has become a serious problem. In contrast, the recently-proposed vulnerability signatures [10, 29] (a.k.a. data patches) can exactly describe the vulnerability conditions and achieve better accuracy. However, how to efficiently apply vulnerability signatures to high speed NIDS/NIPS with a large ruleset remains an untouched but challenging issue.This paper presents the first systematic design of vulnerability signature based parsing and matching engine, NetShield, which achieves multi-gigabit throughput while offering much better accuracy. Particularly, we made the following contributions: (i) we proposed a candidate selection algorithm which efficiently matches thousands of vulnerability signatures simultaneously requiring a small amount of memory; (ii) we proposed an automatic lightweight parsing state machine achieving fast protocol parsing. Experimental results show that the core engine of NetShield achieves at least 1.9+Gbps signature matching throughput on a 3.8GHz single-core PC, and can scale-up to at least 11+Gbps under a 8-core machine for 794 HTTP vulnerability signatures. We release our prototype and sample signatures at www.nshield.org.

Shibo Tang,Xingxin Wang,Yifei Gao,Wei Hu

DOI: https://doi.org/10.1109/ISOCC56007.2022.10031481

2022-01-01

Abstract:Model checking is one of the most commonly used technique in formal verification. However, the exponential scale state space renders exhaustive state enumeration inefficient even for a moderate System on Chip (SoC) design. In this paper, we propose a method that leverages symbolic execution to accelerate state space search and pinpoint security vulnerabilities. We automatically convert the hardware design to functionally equivalent C++ code and utilize the KLEE symbolic execution engine to perform state exploration through heuristic search. To reduce the search space, we symbolically represent essential input signals while making non-critical inputs concrete. Experiment results have demonstrated that our method can precisely identify security vulnerabilities at significantly lower computation cost.

Daniil Kuts

DOI: https://doi.org/10.48550/arXiv.2109.03698

2021-09-08

Cryptography and Security

Abstract:Dynamic symbolic execution is a widely used technique for automated software testing, designed for execution paths exploration and program errors detection. A hybrid approach has recently become widespread, when the main goal of symbolic execution is helping fuzzer increase program coverage. The more branches symbolic executor can invert, the more useful it is for fuzzer. A program control flow often depends on memory values, which are obtained by computing address indexes from user input. However, most DSE tools don't support such dependencies, so they miss some desired program branches. We implement symbolic addresses reasoning on memory reads in our dynamic symbolic execution tool Sydr. Possible memory access regions are determined by either analyzing memory address symbolic expressions, or binary searching with SMT-solver. We propose an enhanced linearization technique to model memory accesses. Different memory modeling methods are compared on the set of programs. Our evaluation shows that symbolic addresses handling allows to discover new symbolic branches and increase the program coverage.

Kaled Alshmrany,Lucas Cordeiro

DOI: https://doi.org/10.48550/arXiv.2001.09592

2020-01-27

Cryptography and Security

Abstract:Implementations of network protocols are often prone to vulnerabilities caused by developers' mistakes when accessing memory regions and dealing with arithmetic operations. Finding practical approaches for checking the security of network protocol implementations has proven to be a challenging problem. The main reason is that the protocol software state-space is too large to be explored. Here we propose a novel verification approach that combines fuzzing with symbolic execution to verify intricate properties in network protocol implementations. We use fuzzing for an initial exploration of the network protocol, while symbolic execution explores both the program paths and protocol states, which were uncovered by fuzzing. From this combination, we automatically generate high-coverage test input packets for a network protocol implementation. We surveyed various approaches based on fuzzing and symbolic execution to understand how these techniques can be effectively combined and then choose a suitable tool to develop further our model on top of it. In our preliminary evaluation, we used ESBMC, Map2Check, and KLEE as software verifiers and SPIKE as fuzzer to check their suitability to verify our network protocol implementations. Our experimental results show that ESBMC can be further developed within our verification framework called \textit{FuSeBMC}, to efficiently and effectively detect intricate security vulnerabilities in network protocol implementations.

Xinming Chen,Beipeng Mu,Zhen Chen

DOI: https://doi.org/10.1109/cmc.2011.94

2011-01-01

Abstract:Malicious attacks are frequently launched to make specified network service unavailable, compromising end hosts for political or business purpose. Though network security appliances are widely deployed to resist these attacks, there is a lack of dynamic and collaborative platform to flexibly configure and manage all the security elements. In this paper, we present NetSecu, a platform based on Java and Click Router, which can dynamically enable, disable and configure security elements such as firewall, IPS and AV. Furthermore, a collaborate module is implemented to integrate individual NetSecu platform into a Secure Overlay Network, providing collaborative traffic control against DDoS attack. Equipped with collaborate module, NetSecu platforms are organized in a tree hierarchy where each level node is registered to its father node. A Central Management Site acts as the root node for large scale deployment. The policy is distributed from higher level to lower level NetSecu nodes, while security events are aggregated from lower level to higher level. Performance evaluation shows that our NetSecu system can achieve line rate with and without security function. Finally we deploy the NetSecu platform in multiple sites, where our design is fully demonstrated and tested.