JiaJing Li,Tao Wei,Jian Mao

2007-01-01

Abstract:Two research results of temporal vulnerabilities in x86 executables were giveded. First two new models of temporal vulnerabilities were presented; secondly a method of building pushdown automata for executables was given. Experiments showed the method was effective to verify and find temporal vulnerabilities in x86 executables.

WANG Chun-lei,LIU Qiang,ZHAO Gang,DAI Yi-qi

DOI: https://doi.org/10.3969/j.issn.1002-137X.2010.04.031

2010-01-01

Computer Science

Abstract:In order to analyze vulnerabilities in executable programs,a vulnerability analysis framework for binaries based upon model checking was proposed.Firstly,the abstract model of binary was defined,and the formal models of vulnerabilities based upon finite state automaton and the representations of software security attributes based upon event system were described.Then,the model checking based vulnerability analysis process and algorithm were proposed with respect to the abstract models of binaries and the security attributes to be checked.After that,the prototype of vulnerability analysis tool was designed and implemented based upon the framework.The illustrative sample program was analyzed to show in detail the principles of the framework,and the experimental results show the effectiveness of the analysis method.

Haibin Shen,Jimin Wang,Lingdi Ping,Kang Sun

DOI: https://doi.org/10.1007/11689522_32

2006-01-01

Abstract:Flexible features of C can be misused and result in potential vulnerabilities which are hard to detect by performing only static checking. Existing tools either give up run-time type checking or employ a type system whose granularity is too coarse (it does not differentiate between pointer types) so that many errors may go undetected. This paper presents a dynamic checking approach to conquer them. A type system that is based on the physical layout of data types and has the proper granularity has been employed. Rules for propagating dynamic types and checking for compatibility of types during execution of the target program are also set up. Then a model of dynamic type checking on this type system to capture run-time type errors is built. Experimental results show that it can catch most errors, including those may become system vulnerabilities and the overhead is moderate.

Wang Chunlei,Zhao Gang,Dai Yiqi

DOI: https://doi.org/10.1109/ICCSIT.2009.5234950

2009-01-01

Abstract:This paper proposes a control flow based security analysis approach for binary executables. Through deeply investigating the theory of control flow security, we develop the Control Flow Security Model (CFSM) which includes the formal definitions for program semantics and security properties for control flow. CFSM specifies that program execution dynamically follows only certain paths, in accordance with a statically declared security properties specified as Control Flow Constraint Specification (CFCS). We have proposed an efficient control flow security analysis algorithm for verifying that a particular control flow model satisfies the associated security properties. Our work contributes to bridging the gap between abstract specifications of control flow security properties and actual control flow security analysis for binary executables. The effectiveness and the practical usefulness of the approach are exemplified by an illustrative analysis of heap overflow vulnerability.

XU You-fu,WEN Wei-ping,WAN Zheng-su

DOI: https://doi.org/10.3969/j.issn.1671-1122.2011.08.026

2011-01-01

Abstract:The paper though studying automata theory, proposed a vulnerability-based model checking Mining vulnerability theory, as the bulk discover unknown vulnerabilities to provide a theoretical basis.

Junyan Qian,Baowen Xu,Yingzhou Zhang

2007-01-01

Journal of Computational Information Systems

Abstract:Model checking is an automatic formal verification technique for a finite state system. Iterative abstraction refinement has emerged recently as the leading approach to software model checking. We present a methodology for automatically verifying programs against safety specifications based on finite state machine. As the first step, an initial abstract model is automatically extracted from source code using predicate abstraction and theorem proving. In order to reduce time complexities of this process, we partition the set of candidate predicates into subsets, and then construct abstract model independently.

Eric Rothstein-Morris,Sun Jun

DOI: https://doi.org/10.48550/arXiv.1811.10400

2018-11-16

Abstract:This work aims to solve a practical problem, i.e., how to quantify the risk brought upon a system by different attackers. The answer is useful for optimising resource allocation for system defence. Given a set of safety requirements, we quantify the attacker capability in terms of the set of safety requirements an attacker can compromise. Given a system (in the presence of an attacker), model checking it against each safety requirement one by one is expensive and wasteful since the same state space is explored many times. We thus propose model checking multiple properties efficiently by means of coalgebraic model checking using enhanced coinduction techniques. We apply the proposed technique to a real-world water treatment system and the results show that our approach can effectively reduce the effort required for model checking.

Logic in Computer Science,Formal Languages and Automata Theory

Zhi-Hong Tao,Cong-Hua Zhou,Zhong Chen,Li-Fu Wang

DOI: https://doi.org/10.1007/s11390-007-9004-z

IF: 1.871

2007-01-01

Journal of Computer Science and Technology

Abstract:Bounded Model Checking has been recently introduced as an efficient verification method for reactive systems. This technique reduces model checking of linear temporal logic to propositional satisfiability. In this paper we first present how quantified Boolean decision procedures can replace BDDs. We introduce a bounded model checking procedure for temporal logic CTL* which reduces model checking to the satisfiability of quantified Boolean formulas. Our new technique avoids the space blow up of BDDs, and extends the concept of bounded model checking.

Yann Thierry-Mieg

DOI: https://doi.org/10.48550/arXiv.2005.12911

2021-12-18

Abstract:Brute-force model-checking consists in exhaustive exploration of the state-space of a Petri net, and meets the dreaded state-space explosion problem. In contrast, this paper shows how to solve model-checking problems using a combination of techniques that stay in complexity proportional to the size of the net structure rather than to the state-space size. We combine an SMT based over-approximation to prove that some behaviors are unfeasible, an under-approximation using memory-less sampling of runs to find witness traces or counter-examples, and a set of structural reduction rules that can simplify both the system and the property. This approach was able to win by a clear margin the model-checking contest 2020 for reachability queries as well as deadlock detection, thus demonstrating the practical effectiveness and general applicability of the system of rules presented in this paper.

Distributed, Parallel, and Cluster Computing,Formal Languages and Automata Theory,Logic in Computer Science

何恺铎,顾明,宋晓宇,李力,李江

DOI: https://doi.org/10.3969/j.issn.1002-137x.2009.01.068

2009-01-01

Computer Science

Abstract:Model checking on software reliability is always considered meaningful.This paper studied theory and metho-dology on source code verification,utilizing predicate abstraction and counterexample-guided abstraction refinement.Detailed verification framework and its implementation of the self-designed Jchecker,a source-oriented software model checker,were also introduced.

Zhou Conghua,Tao Zhihong,Ding Decheng,Wang Lifu

IF: 1.019

2006-01-01

Chinese Journal of Electronics

Abstract:Bounded model checking (BMC) has been recently introduced as an efficient verification method for reactive systems. Propositional satisfiability (SAT)-based bounded model checking methods consists in searching for a counter- example of a particular length and generating a propositional formula that is satisfiable iff such a counterexample exists. Until now, SAT-based bounded model checking only concerns with universal properties. In this paper we focus on bounded model checking for Computation tree logic (CTL). We present how quantified Boolean decision procedures like Davis & Putnam Procedure can replaces Binary decision diagrams (BDDs). Our basic idea is to decide the validation of a CTL formula phi in finite executions of a system and reduce the validation to a Quantified Boolean formula (QBF) psi which is satisfiable if and only if phi is valid in finite executions of the system. QBF solvers based on Davis & Putnam Procedure do not blow up in space. Therefore, our new technique avoids the space blow up of BDDs, and sometimes speeds up the verification.

ZHANG Zhi,ZHANG Lin,ZENG Qing

DOI: https://doi.org/10.3969/j.issn.1000-3428.2011.07.010

2011-01-01

Abstract:This paper presents two points of improvements for model checking temporal safety properties of program: more efficient model checking algorithm is proposed,which can simplify the checking process and reduce the time cost by extending the state machine model with each function.Alias analysis is used to determine the dataflow dependency between safety operations,which makes the checking process more accurate.Experimental results show that the method can work more efficiently and exactly.

YANG Jun,GE Hai-tong,ZHENG Fei-jun,YAN Xiao-lang

DOI: https://doi.org/10.3321/j.issn:1008-9497.2006.04.012

2006-01-01

Abstract:Being a formal verification method,model checking is used frequently in hardware and software design.Firstey the Kripke structure which is used to describe the behavior of a system and the CTL logic which is used to describe the property of a system were introduced.Then two model checking algorithms were introduced: one is the labeling algorithm,the other is the algorithm based on fixpoint.In the end,the symbolic model checking which can reduce the possibility of memory explosion was introduced.

Qian Ke,Chunlu Wang,Haixia Wang,Yongqiang Lyu,Zihan Xu,Dongsheng Wang

DOI: https://doi.org/10.1109/dsc55868.2022.00015

2022-01-01

Abstract:A new class of transient execution-based attacks, as known as Microarchitectural Data Sampling (MDS), were discovered in recent studies, such as RIDL, Fallout, and ZombieLoad, which have imposed severe threats to general-purpose processors. In MDS attacks, the attacker can steal the information from privileged CPU internal buffers, such as store buffers, line fill buffers, and load ports. To prevent these buffers from leaking information, processor vendors proposed mitigation via microcode update that overwrites CPU internal buffers as soon as the privilege levels are changed. However, the problem if a given architecture is safe against MDS attacks is still to be fully solved.In this study, we propose a formal verification method based on model checking to verify the microarchitectural security against MDS attacks. We formulate the MDS attacks as operation sequences, and set up a behavior model to describe the microarchitectural design correlated MDS attacks. A operation sequence is considered as an MDS attack if the operation sequence can obtain transient illegal data leaked from internal buffers during the operations. We enumerate all the possible sequences by binary decision diagram (BDD)-based statechart traversal, and output all the counterexamples. The experimental results show that the proposed method can sufficiently check the MDS attacks, and a kind of attack is detected to be able to bypass the mitigation proposed by Intel, which was contemporarily proposed as CacheOut attack.

Tang Shan,Peng Xin,Zhao Wen-yun,Liu Yi-ming

2006-01-01

Abstract:One of the urgent problems in software engineering is how to guarantee the correctness of software architecture evolution. Model checking is an approach which is used to verify properties of systems. Generally, it checks whether a given model satisfies some special property which are expressed by linear temporal logic through checking all of states of the target model. Since the complexity of the model checking mainly depends on the amount of number of the states, the most intractable problems of the approach are lack of memory and the state space explosion. There are few effective model checking approaches for large scale dynamic software architecture, this paper proposes a modular model checking strategy based on linear temporal logic. From two different levels: the component composing the system and the whole system, this paper discusses how to verify dynamic software architecture in detail, gives the corresponding algorithms and introduces an e-business case to illustrate the availability of our approach. Keyword: Dynamic Software Architecture, Model Checking, Linear Temporal Logic, Automaton

Xiangyu Luo,Yan Chen,Ming Gu,Lijun Wu

DOI: https://doi.org/10.1109/nswctc.2009.384

2009-01-01

Abstract:Formal verification approaches can guarantee the correctness of security protocols. In this paper we take the well-known Needham-Schroeder public-key authentication protocol as an example, to show how we can apply the symbolic model checker for multiagent systems MCTK, which is developed by us, to the verification of security protocols. One temporal epistemic property is checked successfully both in the original version and the Lowe's revised version of the Needham-Schroeder protocol. The experimental result shows that our method is an effective way to the verification of security protocol.

WANG Chun-lei,LIU Qiang,ZHAO Gang,DAI Yi-qi

DOI: https://doi.org/10.3778/j.issn.1002-8331.2009.26.024

2009-01-01

Abstract:The detection of flaw functions in binary executables is an important technique for software vulnerability analysis.A flaw function detection method based upon the static analysis of executable is proposed.The foundation of this method is the signature theme of flaw functions in the form of binary instruction flow.This method establishes the set of potential function call sequences in the running process and constructs the function call graph by statically analyzing the binary executable,and detects the set of flaw functions the executable invoked by matching and analyzing the signatures of flaw functions with the function call graph.Experimental results demonstrate that the method is effective for detecting the flaw functions in executables,and is useful for further security analysis.

Jianhua Zhao,Bin Lei,Xuandong Li,Guoliang Zheng

DOI: https://doi.org/10.1109/ISoLA.2006.28

2006-01-01

Abstract:In this paper, we present a timed automaton reachability analysis algorithm which can use some other properties to improve the model checking efficiency. If the model checker aborts because of memory or CPU time limitation when checking a property P, the users can still use a set of auxiliary properties P_1, P_2, \dots, P_n about the system to reduce the space and time requirement. People can verify these auxiliary properties by either model checking or other methods like theorem proving. This algorithm gives the users a way to reduce the space and time requirement of model checking using their knowledge about the system under check.

Daniel Kroening,Peter Schrammel,Michael Tautschnig

DOI: https://doi.org/10.48550/arXiv.2302.02384

2023-02-05

Abstract:The C Bounded Model Checker (CBMC) demonstrates the violation of assertions in C programs, or proves safety of the assertions under a given bound. CBMC implements a bit-precise translation of an input C program, annotated with assertions and with loops unrolled to a given depth, into a formula. If the formula is satisfiable, then an execution leading to a violated assertion exists. CBMC is one of the most successful software verification tools. Its main advantages are its precision, robustness and simplicity. CBMC is shipped as part of several Linux distributions. It has been used by thousands of software developers to verify real-world software, such as the Linux kernel, and powers commercial software analysis and test generation tools. Table 1 gives an overview of CBMC's features. CBMC is also a versatile tool that can be applied to solve many practical program analysis problems such as bug finding, property checking, test input generation, detection of security vulnerabilities, equivalence checking and program synthesis. This chapter will give an introduction into CBMC, including practical examples and pointers to further reading. Moreover, we give insights about the development of CBMC itself, showing how its performance evolved over the last decade.

Software Engineering,Logic in Computer Science,Programming Languages

Lesly-Ann Daniel,Sébastien Bardin,Tamara Rezk

DOI: https://doi.org/10.48550/arXiv.2209.01129

2022-09-02

Abstract:This paper tackles the problem of designing efficient binary-level verification for a subset of information flow properties encompassing constant-time and secret-erasure. These properties are crucial for cryptographic implementations, but are generally not preserved by compilers. Our proposal builds on relational symbolic execution enhanced with new optimizations dedicated to information flow and binary-level analysis, yielding a dramatic improvement over prior work based on symbolic execution. We implement a prototype, Binsec/Rel, for bug-finding and bounded-verification of constant-time and secret-erasure, and perform extensive experiments on a set of 338 cryptographic implementations, demonstrating the benefits of our approach. Using Binsec/Rel, we also automate two prior manual studies on preservation of constant-time and secret-erasure by compilers for a total of 4148 and 1156 binaries respectively. Interestingly, our analysis highlights incorrect usages of volatile data pointer for secret erasure and shows that scrubbing mechanisms based on volatile function pointers can introduce additional register spilling which might break secret-erasure. We also discovered that gcc -O0 and backend passes of clang introduce violations of constant-time in implementations that were previously deemed secure by a state-of-the-art constant-time verification tool operating at LLVM level, showing the importance of reasoning at binary-level.

Cryptography and Security