The VESSEDIA Project – Technical presentation. Armand PUCCETTI, CEA. Rome, 11th October 2018. CHARIOT – 1st Workshop, 11 October 2018, Rome. “TOWARDS A COGNITIVE COMPUTING PLATFORM SUPPORTING A UNIFIED APPROACH TOWARDS PRIVACY, SECURITY AND SAFETY (PSS) OF IOT SYSTEMS”


  • The VESSEDIA Project Technical presentation

    Armand PUCCETTI, CEA. Rome, 11th October 2018

    CHARIOT – 1st Workshop, 11 October 2018, Rome 1

    “TOWARDS A COGNITIVE COMPUTING PLATFORM SUPPORTING A UNIFIED APPROACH TOWARDS PRIVACY, SECURITY AND SAFETY (PSS) OF IOT SYSTEMS”

  • Project objectives

    VESSEDIA is an H2020 project in Work Programme DS-01-2016 “Assurance and Certification for Trustworthy and Secure ICT systems, services and components”.

    It aims at developing tools to improve the V&V of IoT software applications, inspired by the tools already used for safety-critical embedded systems:

    • Tools to reason at source code level
    • Tools to formally verify some of the code and provide a 100% guarantee that all possible faults of given categories are detected
    • Tools for large-scale applications
    • Tools combined with Dynamic Analysis tools
    • Tools supported by a V&V methodology
    • Tools referring to CWE items
    • Tools for easy use by any IoT developer of C/C++/Java code


  • Source code analysis

    Source code is the most appropriate level of representation of software, the one on which a developer reasons, and is therefore well suited to analysis.

    We address the C, C++ and Java languages and improve their analysis tools.


    (Figure: C, C++ and Java for mobile applications, and interfaces to binary/assembler vulnerability detection tools.)

  • V&V Tools – Frama-C

    Formal methods rely on mathematical models of programs (e.g. ℤ for integers) to reason about them.

    Formal methods use a formal semantics of programs to understand their computational model, e.g. operational semantics, denotational semantics or axiomatic semantics.

    For imperative programming languages, the preferred formal methods are Hoare Logic and Abstract Interpretation.


    C. A. R. Hoare. "An axiomatic basis for computer programming". Communications of the ACM 12(10): 576–580, October 1969. https://en.wikipedia.org/wiki/C.A.R._Hoare ; https://web.archive.org/web/20160304013345/http:/www.spatial.maine.edu/~worboys/processes/hoare axiomatic.pdf ; https://en.wikipedia.org/wiki/Communications_of_the_ACM

    R. W. Floyd. "Assigning meanings to programs". Proceedings of the American Mathematical Society Symposia on Applied Mathematics, Vol. 19, pp. 19–31, 1967. https://en.wikipedia.org/wiki/Robert_Floyd ; http://www.cs.virginia.edu/~weimer/2007-615/reading/FloydMeaning.pdf

    P. Cousot and R. Cousot. "Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints". Conference Record of the Sixth Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 238–252, Los Angeles, California, 1977. ACM Press, New York. http://www.di.ens.fr/~cousot/COUSOTpapers/POPL77.shtml

  • Abstract Interpretation

    Plug-in EVA (Evolved Value Analysis)

  • An example with Frama-C EVA

    #include <stdlib.h>

    int main() {
        int * tab = (int *) malloc(sizeof(int)*10);
        int i;

        /*@ loop pragma UNROLL 10; */
        for ( i=0; i
    [the rest of the listing is cut off in the extraction]

  • Hoare Logic

    Plug-in WP (Weakest Preconditions calculus)

  • An example with Frama-C ACSL - iota

    Assign sequentially increasing values to a range, where the initial value is user-defined. The signature reads:

    void iota(value_type* a, size_type n, value_type val);

    Starting at val, the function assigns consecutive integers to the elements of the range a. Be careful to deal with possible overflows of the argument val!

    predicate Iota(value_type* a, integer n, value_type v) =
      \forall integer i; 0 <= i < n ==> a[i] == v + i;

    The specification of this function is:

    /*@
      requires \valid(a + (0..n-1));
      requires limit: val + n
    [the rest of the specification is cut off in the extraction]

  • An example with Frama-C ACSL – iota (cont’d)

    Source code and proof of iota:


    typedef int value_type;

    /*@ predicate Iota(value_type* a, integer n, value_type v) =
          \forall integer i; 0 <= i < n ==> a[i] == v+i;
    */

    /*@ requires valid: \valid(a + (0..n-1));
        requires limit: val + n
    [the rest of the listing is cut off in the extraction]
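    The listings above for the EVA example and for iota are both cut off. The following is an added example of mine, not code from the slides or from the VESSEDIA project: the iota function with the full ACSL contract and loop annotations I would write for WP, next to an executable form of the Iota predicate and a wrapper that enforces the precondition at run time, which is the kind of check E-ACSL compiles in. The `limit` bound `val + n <= INT_MAX`, the `size_type` typedef and the helper names `iota_limit_ok`, `iota_checked` and `iota_holds` are my assumptions, not the slide's.

```c
#include <limits.h>
#include <stddef.h>

typedef int value_type;      /* as on the slide */
typedef size_t size_type;    /* assumption: the slide does not define size_type */

/*@ predicate Iota(value_type* a, integer n, value_type v) =
      \forall integer i; 0 <= i < n ==> a[i] == v + i;
*/
/* 'limit' completes the slide's cut-off precondition with the bound I would use. */
/*@ requires valid: \valid(a + (0..n-1));
    requires limit: val + n <= INT_MAX;
    assigns a[0..n-1];
    ensures iota: Iota(a, n, val);
*/
void iota(value_type* a, size_type n, value_type val)
{
    value_type cur = val;
    /*@ loop invariant 0 <= i <= n;
        loop invariant cur == val + i;
        loop invariant Iota(a, i, val);
        loop assigns i, cur, a[0..n-1];
        loop variant n - i;
    */
    for (size_type i = 0; i < n; ++i)
        a[i] = cur++;   /* cur stays <= val + n <= INT_MAX: no overflow */
}

/* Runtime mirror of 'limit', computed in long long so the check cannot overflow. */
int iota_limit_ok(size_type n, value_type val)
{
    long long room = (long long)INT_MAX - (long long)val;   /* always >= 0 */
    return (unsigned long long)n <= (unsigned long long)room;
}

/* Defensive wrapper: runs iota only when its contract holds; returns 1 on success. */
int iota_checked(value_type* a, size_type n, value_type val)
{
    if (a == NULL || !iota_limit_ok(n, val)) return 0;
    iota(a, n, val);
    return 1;
}

/* Executable form of the Iota predicate, the kind of check E-ACSL compiles in. */
int iota_holds(const value_type* a, size_type n, value_type v)
{
    for (size_type i = 0; i < n; ++i)       /* compare in long long to avoid overflow */
        if ((long long)a[i] != (long long)v + (long long)i) return 0;
    return 1;
}
```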

  • VESSEDIA results

    At mid-period

  • V&V Tools

    Platforms:
    • Frama-C for analysis and proof of C/C++ source code
    • VeriFast for the analysis of Java and C source code
    • FlowGuard for the analysis of CFI/DFI properties of binary code
    • Papyrus/Diversity for modelling and simulation

    Several plug-ins for these tools:
    • Frama-clang - analysis of C++ source code by translation into C source code
    • AFL_SCA - fuzz testing of source code after Abstract Interpretation has been done
    • E-ACSL - monitoring: compilation of ACSL assertions into binary code
    • Diversity-to-ACSL - generation of ACSL trace properties
    • SecSoftML - modelling
    • SAaaS - proofs in the cloud
    • RPP - proof of function sequence properties


  • Use-cases

    • Contiki OS (Inria): focus on the IPv6 stack and OS primitives
      C source code mainly
      Evaluate handling of specific patterns, e.g. Protothreads
      Using Frama-C

    • 6LowPAN Management Platform (CEA): OTA reprogramming in multi-hop networks (Contiki-based)
      Entities: 6LoWPAN nodes (C), gateway (Java), management server
      Using Frama-C and VeriFast

    • Aircraft Maintenance System (DA): diagnosis and failure prevention, embedded in a civil aircraft
      Entities: proprietary gateway (C) and open-source proxy server (C++)
      Using Frama-C, AFL and CFI/DFI integrated into the CURSOR method


  • The VESSEDIA use-case Contiki-OS: an Open Source OS for the Internet of Things

    • Open source: BSD
    • C source code
    • Supports many embedded platforms
    • Supports standard low-power IPv6
    • 3.9 KLOC of high-priority source code
    • 23.5 KLOC of medium priority

    Analyses achieved:
    • Linked list module verified using WP with ghost code and executable specifications
    • Minimal contracts for core/lib and core/sys libraries with ACSL
    • Absence of RTE (run-time errors) verified for AES & CCM* modules using WP
    • Contiki-NG analysed with EVA and new plug-ins for recursive functions and loop annotations


  • V&V Methodology

    The V&V methodology selects tools and methods according to verification needs and business constraints:
    • Basic (compiler diagnostics)
    • Simple (non-portable and suspicious program parts)
    • Advanced (enforcing given programming guidelines)
    • Formal (e.g. provably establishing the absence of run-time errors)

    Modelling framework:
    • UML/Papyrus allows a system to be modelled with Statecharts, sequence diagrams, etc.
    • Diversity allows security properties of sub-systems to be defined for analysis with Frama-C
    • CURSOR method combining SA and DA tools (Frama-C EVA/E-ACSL with AFL and CFI/DFI)

    Economic rationale and metrics


  • The DA-SA CURSOR Method


    CURSOR: Component of Unit Robustness for Security Objectives and Requirements.

    (Diagram: the CURSOR workflow)
    • C original source code → Frama-C Value: auto-detection of some CWE by abstract interpretation (Gena-CWE 457, 570, 571) → C with CWE alarms expressed in ACSL
    • C with CWE alarms in ACSL → Frama-C E-ACSL → C “CWE instrumented”
    • User's implementation of counter-measures operating against the targeted CWE → C “CWE proof”
    • C “CWE proof” → pentest process
    • CMx to be proved formally with Frama-C tools
    • Code snippet shown in the diagram (cut off in the extraction):
          …/…
          j = i + 1;
          x = *(p+j);
          /*@ assert i+1
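    To make the CURSOR workflow concrete, here is an added example of mine, not VESSEDIA code and not real Frama-C output, built around the diagram's snippet `j = i + 1; x = *(p+j);`: the alarm that abstract interpretation raises when it cannot prove the access valid, written as the kind of ACSL assertion the method hands to E-ACSL, next to the user's counter-measure that makes the same assertion provable. The stage numbering, the alarm wording and the function names are my assumptions.

```c
#include <stddef.h>

/* Stage 1 (C original source code): the shape of the diagram's snippet.
   Nothing relates j to the size of the buffer behind p, so abstract
   interpretation cannot prove that p + j is readable. */
int read_next(const int *p, size_t i)
{
    size_t j = i + 1;
    /* Stage 2 (C with CWE alarms in ACSL): the alarm, written as an ACSL
       assertion. Constructed to resemble an EVA memory-access alarm; not
       real tool output. E-ACSL turns it into a runtime check (stage 3). */
    /*@ assert Value: mem_access: \valid_read(p + j); */
    return *(p + j);
}

/* Stage 4 (user's counter-measure): the caller now passes the element count
   n and the guard establishes j < n, so the same assertion becomes provable
   with WP and never fires under E-ACSL. Returns 1 on success, 0 if refused. */
/*@ requires p == \null || \valid_read(p + (0..n-1));
    requires x == \null || \valid(x);
    assigns *x;
    ensures \result == 0 || *x == p[i + 1];
*/
int read_next_guarded(const int *p, size_t n, size_t i, int *x)
{
    if (p == NULL || x == NULL) return 0;
    if (i >= n || i + 1 >= n) return 0;     /* i < n here, so i + 1 cannot wrap */
    size_t j = i + 1;
    /*@ assert j < n; */
    /*@ assert \valid_read(p + j); */
    *x = *(p + j);
    return 1;
}
```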

  • Certification and Security Evaluation


    Security vulnerabilities detection: assess the project’s tools for vulnerability detection
    • Coverage of vulnerabilities
    • C++ vulnerabilities
    -> in progress

    Security evaluation: assess the tools from the perspective of a security evaluator
    • Review security evaluation methodologies
    • Integrate tools in the security evaluation process
    -> in progress

  • Contact Details

    [email protected]

    Armand PUCCETTI

    CEA (Technical)


    [email protected]

    Ursula Polessnig

    Technikon (Coordination)

    See also our web site: http://vessedia.eu