SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);

1

Philipp Rümmer

Uppsala University

SAT/SMT/AR, July 6th, 2018

SMT, Strings, Security

2

Plan

String constraints by example

A word equation primer

Decidable fragments of string constraints

3

Strings in Verifcation

4

String in verifiation

5


ASCII, Unicode

6


Regular expressionassertion:

7


Word/stringioniatenation

8


Loop invariant combiningword equations,regex constraints,length constraints

9


Substringconstraint

10


Or regex:

11


Presburgerlength constraint

12


→ Need a solver that supports all those operators!

13

Alphabets

All constraints are formulated w.r.t. to some fxed fnite alphabet

(e.g., 8-bit ASCII) (e.g., UTF-32)

14

Semantiis and notation

Finite sequences of letters: Empty word: Concatenation:

Equations: Language/regex membership: Word length:

15

LARGE Alphabets

Naive use of fnite-state automata quickly becomes impossible

Conirete letters as transition guards →far too many transitions are needed to express interesting languages

Symbolii handling of letters is necessary

Sometimes complex string conversion functions necessary, e.g. UTF-8 ↔ UTF-32

16

Injeition attaiks

xkcd.com

17

What is happening here?

Possible SQL iommand in a program

database.execute( "INSERT INTO students (name) VALUES ('" + name + "');");

18




Command with input substituted

INSERT INTO students (name) VALUES ('Robert'); DROP TABLE students;--');

19




Command with input substituted

INSERT INTO students (name) VALUES ('Robert'); DROP TABLE students;--');

Problem:Input string

ends quotation!

Commandembedded in

user inputis executed

20




Since no sanitisation is applied, program is vulnerable to SQL injection attacks!

21

How ian this be deteited?

Programcode

Input:User-controlled strings

Output:SQL commands

22


Programcode


Output:SQL commands

23


Programcode


Output:SQL commands

Regexor CFG

24




However, this case could more easily be found with techniques like taint traiking

But what if sanitisation were actually applied?

25

A subtle XSS vulnerability

JavaSiript embedded in a web-page

var x = goog.string.htmlEscape(cat);var y = goog.string.escapeString(x);

catElem.innerHTML = '<button onclick="createCatList(\'' + y + '\')">' + x + '</button>';

26





Input string

27





Input stringHTML escape:& → &

JavaScriptescape:

' → \'

28





Input stringHTML escape:& → &

JavaScriptescape:

' → \'

Impliiit HTMLunescape

of the onclickattribute:

& → &

29

An XSS vulnerability (2)




One possible attaikChoose cat to be ');alert(1);//

Generated HTML string is then:<button onclick="createCatList('');alert(1);//')">');alert(1);//</button>

30







This will be unesiaped tocreateCatList('');alert(1);//')

31







This will be unesiaped tocreateCatList('');alert(1);//')

Vulnerability since escapefunctions are applied in

wrong order

32

Cross-site siripting

http://blog.aboutme.vn/choi-xss-tai-knock-xss-moe/

33

Solvers for esiape ops?

34


We need transducers!→ Automata with multiple tracks

35


toUpperCase

a/Ab/Bc/C...


36


toUpperCase

a/Ab/Bc/C...


htmlEsiape

</<>/>&/&...

replaieAll

...

37


toUpperCase

a/Ab/Bc/C...


htmlEsiape

</<>/>&/&...

replaieAll

...

Do not preserve length ...

38

Other operations

String reversal Context-free grammars String-to-number conversions Replace-all with symbolic arguments ...

39

SolvingString

Constraints

40

Bit of Solver History

Bounded-length solvers Bit-vector-based: Hampi, Kaluza CP-based: Gecode

Automata-based tools Stranger, TRAU

SMT/DPLL/CDCL-based methods Z3-str/2/3, CVC4, S3/p, Norn, Sloth

(+ much theoretic work)

41

Solving Word Equations

What are the solutions those equations?

42

Nielsen's transformation

(also called Levi's lemma)

Theorem

43


(also called Levi's lemma)

Theorem

44


As a tableau rule

45


As a tableau rule

46

In the example

47

How about this one?

48

How about this one?

49

How about this one?

Cyile!

50

What ian be done?

Ignore cycles and hope for the best!

Identify fragments for which NT is guaranteed to terminate

Acyclic; straight-line

Improve NT and add termination criteria Makanin's method Simpler algorithms for quadratii equations

51

Quadratii word equations

E.g.

Consider satisfability of asingle quadratii equation

DefnitionA word equation is quadratii if each variable occurs at most twice in the equation.

52


Quadratii = simpler?

53


Quadratii = simpler?

Number ofvariable

occurrencescannot increase!

54

A deiision proiedure

Modifed Nielsen rule

55

A deiision proiedure

Modifed Nielsen rule

Further rules

56

Example

57

Even more rules

One-sided Nielsen rule

58

Deiision proiedure?

Soundness● If root is satisfable, at least one branch cannot

be closed

Completeness● If root is unsat, a closed proof exists● Follows from termination● Open branches → satisfying assignments

Termination● # of variable occurrences does not increase● Up to renaming of variables, only fnitely many

diferent equations exist

59

Soundness argument

Label equations in the proof with: if equation is unsat if equation is sat, has variable

occurrences, and is length of for the shortest solution

Order pairs lexicographically

LemmaIn each application of the Nielsen rule, if the parent is labelled with , then at least one child has label .

60

Soundness argument

Label equations in the proof with: if equation is unsat if equation is sat, has variable

occurrences, and is length of for the shortest solution

Order pairs lexicographically

LemmaIn each application of the Nielsen rule, if the parent is labelled with , then at least one child has label .

Decreasing labels→ Branch cannot

be closed!

61

Combinations ...

Equations

Quadratii

62

Combinations ...

Equations

Quadratii

RegexConstraints

63

Combinations ...

Equations

Quadratii

RegexConstraints

✓

64

Combinations ...

Equations

Quadratii

RegexConstraints

✓Length

Constraints

65

Combinations ...

Equations

Quadratii

RegexConstraints

✓Length

Constraints

?

66

Combinations ...

Equations

Quadratii

RegexConstraints

✓Length

Constraints

??

67

Transduition

Combinations ...

Equations

Quadratii

RegexConstraints

✓Length

Constraints

??

68

Transduition

Combinations ...

Equations

Quadratii

RegexConstraints

✓Length

Constraints

??

Undeiidable

69

Transduition

Combinations ...

Equations

Quadratii

RegexConstraints

✓Length

Constraints

??

Undeiidable

70

Transduition

Combinations ...

Equations

Quadratii

RegexConstraints

✓Length

Constraints

??

Undeiidable

71

Transduition

Combinations ...

Equations

Quadratii

RegexConstraints

✓Length

Constraints

??

Undeiidable

72

The Norn fragment

1. Boolean structure

2. Acyclic (linear) word equations

3. Regex memberships

4. Length constraints

Parosh Aziz Abdulla, Mohamed Faouzi Atig, Yu-Fang Chen, Lukás Holík, Ahmed Rezine, Philipp Rümmer, Jari Stenman: String Constraints for Verifcation. CAV 2014

73

The Norn fragment






(a decidable fragment)

74

The Norn fragment






(a decidable fragment)

Order inwhichprocedurehandlesoperators

75

Examples

76

1. Boolean struiture

Use standard DPLL/CDCL → Easy Just consider conjunctions of literals

But we need to handle negation! Negated word equations Negated regex constraints Negated length constraints

77

1. Boolean struiture

Use standard DPLL/CDCL → Easy Just consider conjunctions of literals

But we need to handle negation! Negated word equations Negated regex constraints Negated length constraints

✓✓

?

78

1b. Negative word eqs.

Lemma

Can be reduced to positive equations:

79


Lemma

Large alphabets→ a, b need to be

handled symbolicallyin practice


80


Lemma


TheoremAny Boolean combination of word equations canbe reduced to a single word equation with thesame set of solutions (when projected to theoriginal set of variables).

81

2. Aiyilii word equations

Reduce to solved form by systematic application of Nielsen’s transformation:

( do not occur in )

After that, eliminate equations by inlining!

82

3. Regular expressions

Membership tests with ioniatenation can be split:

Tests with same left-hand side can be merged:

83




Disjunction overstates of

automatonrepresenting

84

4. Length ionstraints

Compute the length abstraition of each regex constraint:

Conjoin length abstractions with other length constraints and check satisfability

85

4. Length ionstraints

Compute the length abstraition of each regex constraint:

Conjoin length abstractions with other length constraints and check satisfability

A Presburgerformula that canbe extracted in

linear time from

86

5. Optimisations ...

E.g., exploit length information when splitting equations or regexes

(still too slow ...)

87

Adding Transducers .

88




89




Does not workany more withtransducers!

90

The Sloth fragments

1. Boolean structure (no negation)

2. Straight-line word equations

3. n-track transducer constraints

Lukás Holík, Petr Janku, Anthony W. Lin, Philipp Rümmer, Tomás Vojnar: String constraints with concatenation and transducers solved efciently. PACMPL 2(POPL): 4:1-4:32 (2018)

91

The Sloth fragments

1. Boolean structure (no negation)

2. Straight-line word equations

3. n-track transducer constraints

Lukás Holík, Petr Janku, Anthony W. Lin, Philipp Rümmer, Tomás Vojnar: String constraints with concatenation and transducers solved efciently. PACMPL 2(POPL): 4:1-4:32 (2018)

→ also decidable!

92

Transduiers

DefnitionAn n-traik transduier is a fnite-stateautomaton over the alphabetAn n-track transducer defnes an n-aryrational relation.

93

Transduiers


94

Transduiers


95

HTML Esiaping

96

Undeiidability

Proposition/FolkloreString constraints with rational relations areundeiidable.

Post correspondence problem:Given word pairs

is there an index sequence with

97

Undeiidability

Proposition/FolkloreString constraints with rational relations areundeiidable.

Post correspondence problem:Given word pairs

is there an index sequence with

Undeiidable

98

Fragments: aiyilii formulas

Positive Boolean comb. of rational relations applied to distinct variables

In every , and share at most one variable

PSPACE-complete[Barcelo, Figuiera, and Libkin’13]

99

Straight-line fragment SL

Conjunction of equations sorted by dependency:

All pairwise distinct Each may only occur in Each is concatenation, or

(interpreted as ) Regex constraints

100

SL example




101

SL example




102

SL example




103

SL example




104

SL example




105

SL example




106

Deiision proiedure for SL

SL Acyclic

Splittingconcat

107


SL Acyclic

Splittingconcat

Linear blow-upfor each split

108


SL Acyclic

Splittingconcat


BooleanTrans.System

109


SL Acyclic

Splittingconcat


BooleanTrans.System

Hardware ModelCheiker

(PSPACE!)

110

Deiidability for aiyilii f.

111


112


(Product automaton)

113


(Product automaton)

Consistency=

Non-emptiness

114


(Product automaton)

Consistency=

Non-emptiness

But how to dothis in PSPACE?

Alternating Finite Automata

q1

q2

a

q3

a

q4

q5

a

q6

a

AFA P AFA P has

Q – a set of states,∆ – a set of transitions

, for example,I ∆(q4) = a ∧ (q5 ∨ q6),I ∆(q1) = a ∧ q2 ∧ q3,

I – a positive Boolean formula overstates,F – a negative Boolean formula overstates,

The main advantage compared to NFA is that AFA/AFT can easilyencode concatenation and all Boolean operations on formulae.

P. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 11 / 22


q1

q2

a

q3

a

q4

q5

a

q6

a

AFA P AFA P hasQ – a set of states,∆ – a set of transitions

, for example,I ∆(q4) = a ∧ (q5 ∨ q6),I ∆(q1) = a ∧ q2 ∧ q3,





q1

q2

a

q3

a

q4

q5

a

q6

a

AFA P AFA P hasQ – a set of states,∆ – a set of transitions, for example,

I ∆(q4) = a ∧ (q5 ∨ q6),

I ∆(q1) = a ∧ q2 ∧ q3,





q1

q2

a

q3

aq4

q5

a

q6

a


I ∆(q4) = a ∧ (q5 ∨ q6),I ∆(q1) = a ∧ q2 ∧ q3,





q1

q2

a

q3

a

q4

q5

a

q6

a


I ∆(q4) = a ∧ (q5 ∨ q6),I ∆(q1) = a ∧ q2 ∧ q3,





q1

q2

a

q3

a

q4

q5

a

q6

a


I ∆(q4) = a ∧ (q5 ∨ q6),I ∆(q1) = a ∧ q2 ∧ q3,




AND between Two AFTs

c/a a/d

c/a/? ?/a/d

a/b b/c

a/b/? ?/b/c

d/c c/b

d/c/? ?/c/b

R1(name, x) R2(x , y)

R12(name, x , y)

∧


AND between Two AFTs

c/a a/d

c/a/? ?/a/d

a/b b/c

a/b/? ?/b/c

d/c c/b

d/c/? ?/c/b

R1(name, x) R2(x , y)

R12(name, x , y)

∧

QR12 = QR1 ∪QR2

IR12 = IR1 ∧ IR2

FR12 = FR1 ∧ FR2

∆R12 = ∆R1 ∪∆R2


SL→ AFT

The translation into an AFT will be carried out in the following steps:1 A translation of conjunctions to AFTs.

2 A translation of concatenations to AFTs:1 Eliminating equations by substitutions.

ϕ ::= R12(name, x , y) ∧ z = w1 ◦ y ◦ w2 ◦ x ◦ w3 ∧R3(z, innerHtml) ∧ P(innerHtml)

AFT R12 AFT R3 AFT PP. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 15 / 22

AFT→ BTS

Variables of the Boolean transition system (BTS) =states of the automaton (AFT):

I q1,q2,q3.

The initial and final formulae of the BTS =initial and final formulae of the AFT:

I I = q1,I F = q2 ∧ q3.

The transition function of the BTS = conjunction of formulaederived from individual transitions of the AFT:

I Trans = ∃ symb : q1 → symb = a ∧ q′2 ∧ q′

3.

q1

q2 q3a


AFT→ BTS


I q1,q2,q3.The initial and final formulae of the BTS =initial and final formulae of the AFT:

I I = q1,I F = q2 ∧ q3.



3.

q1

q2 q3a


AFT→ BTS


I q1,q2,q3.The initial and final formulae of the BTS =initial and final formulae of the AFT:

I I = q1,I F = q2 ∧ q3.



3.

q1

q2 q3a


SL→ AFT

The translation into an AFT will be carried out in the following steps:1 A translation of conjunctions to AFTs.2 A translation of concatenations to AFTs:

1 Eliminating equations by substitutions.

ϕ ::= R12(name, x , y) ∧ z = w1 ◦ y ◦w2 ◦ x ◦w3 ∧R3(z, innerHtml) ∧ P(innerHtml)

AFT R12 AFT R3 AFT PP. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 15 / 22

Eliminating Equations by Substitutions


ϕ ::= R12(name, x , y) ∧ R3(w1 ◦ y ◦w2 ◦ x ◦w3, innerHtml) ∧P(innerHtml)










SL→ AFT


1 Eliminating equations by substitutions.

2 Handling rational relations with concatenations in arguments.

ϕ ::= R12(name, x , y) ∧ R3(w1 ◦ y ◦ w2 ◦ x ◦ w3, innerHtml) ∧P(innerHtml)

AFT R12 AFT R3AFT PP. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 17 / 22

SL→ AFT


1 Eliminating equations by substitutions.2 Handling rational relations with concatenations in arguments.


AFT R12 AFT R3AFT PP. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 17 / 22

Splitting of Arguments

Run of the AFT R

z

x

y

Consider ϕ ::= R(x ◦ y , z) ∧ ψ.

We need to split z into two parts.z = z1 ◦ z2 where z1 and z2 are freshvariables.ϕ ::= RCF (x , z1) ∧ RCI(y , z2) ∧ψ[z/z1 ◦ z2].A simple variant:

I One conjuction for everyconfiguration (set of states) C wherea run may be split.

I Exponentional (2Q) for generalAFTs.



Run of the AFT R

z

x

y

Consider ϕ ::= R(x ◦ y , z) ∧ ψ.We need to split z into two parts.

z = z1 ◦ z2 where z1 and z2 are freshvariables.ϕ ::= RCF (x , z1) ∧ RCI(y , z2) ∧ψ[z/z1 ◦ z2].A simple variant:





Run of the AFT R

z1

z2

x

y

Consider ϕ ::= R(x ◦ y , z) ∧ ψ.We need to split z into two parts.z = z1 ◦ z2 where z1 and z2 are freshvariables.

ϕ ::= RCF (x , z1) ∧ RCI(y , z2) ∧ψ[z/z1 ◦ z2].A simple variant:





Run of the AFT R

z1

z2

C

x

y

Consider ϕ ::= R(x ◦ y , z) ∧ ψ.We need to split z into two parts.z = z1 ◦ z2 where z1 and z2 are freshvariables.ϕ ::= RCF (x , z1) ∧ RCI(y , z2) ∧ψ[z/z1 ◦ z2].

A simple variant:I One conjuction for every

configuration (set of states) C wherea run may be split.




Run of the AFT R

z1

z2

C

x

y

Consider ϕ ::= R(x ◦ y , z) ∧ ψ.We need to split z into two parts.z = z1 ◦ z2 where z1 and z2 are freshvariables.ϕ ::= RCF (x , z1) ∧ RCI(y , z2) ∧ψ[z/z1 ◦ z2].A simple variant:





Given a formula ϕ ::= R(x ◦ y , z) ∧ ψ.

R is split to two AFTs: R(x , z1) and R(y , z2).Guess the initial configuration R(y , z2) nondeterministically.

I Remember the configuration by using additional states.

Check whether the final states of R(x , z1) correspond tothe initial states of R(y , z2).

R(y , z2)

R′(x , y , z1, z2)



Given a formula ϕ ::= R(x ◦ y , z) ∧ ψ.R is split to two AFTs: R(x , z1) and R(y , z2).

Guess the initial configuration R(y , z2) nondeterministically.



R(x , z1) R(y , z2)

R′(x , y , z1, z2)



Given a formula ϕ ::= R(x ◦ y , z) ∧ ψ.R is split to two AFTs: R(x , z1) and R(y , z2).Guess the initial configuration R(y , z2) nondeterministically.

I Remember the configuration by using additional states.Check whether the final states of R(x , z1) correspond tothe initial states of R(y , z2).

R(x , z1)

R(y , z2)

R′(x , y , z1, z2)






R(x , z1) R(y , z2)

R′(x , y , z1, z2)




I Remember the configuration by using additional states.Check whether the final states of R(x , z1) correspond tothe initial states of R(y , z2).

R(x , z1) R(y , z2)

R′(x , y , z1, z2)


115


SL Acyclic

Splittingconcat


BooleanTrans.System

Model Cheiker(nuXmv, ABC)

116

The TRAU fragment

1. General word-equations

2. General transducers

3. Context-free grammars


Parosh Aziz Abdulla, Mohamed Faouzi Atig, Yu-Fang Chen, Bui Phi Diep, Lukas Holik, Ahmed Rezine, Philipp Rümmer: Flatten and conquer, a framework for efcient analysis of string constraints. PLDI 2017: 602-617

117

The TRAU fragment

1. General word-equations

2. General transducers

3. Context-free grammars


Parosh Aziz Abdulla, Mohamed Faouzi Atig, Yu-Fang Chen, Bui Phi Diep, Lukas Holik, Ahmed Rezine, Philipp Rümmer: Flatten and conquer, a framework for efcient analysis of string constraints. PLDI 2017: 602-617

→ undecidable!

118

Overview of TRAU ...

119

Are we there yet?

Expressiveness

Efciency Precision/guarantees

120

Joint work with ...

Parosh Aziz Abdulla Mohamed Faouzi

Atig Yu-Fang Chen Bui Phi Diep Lukás Holík

Petr Janků Anthony W. Lin Ahmed Rezine Jari Stenman Tomás Vojnar

and others

Documents

SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);