The VESSEDIA Project Technical presentation
Armand PUCCETTI, CEA. Rome, 11th October 2018
CHARIOT – 1st Workshop, 11 October 2018, Rome 1
“TOWARDS A COGNITIVE COMPUTING PLATFORM SUPPORTING A UNIFIED APPROACH TOWARDS PRIVACY, SECURITY AND SAFETY (PSS) OF IOT SYSTEMS”
Project objectives
VESSEDIA is an H2020 project in Work Programme DS-01-2016 “Assurance and Certification for Trustworthy and Secure ICT systems, services and components”.
It aims at developing tools to improve the V&V of IoT software applications, inspired by the tools already used for safety-critical embedded systems:
Tools to reason at source code level
Tools to formally V&V some code and provide a 100% guarantee that all possible faults of given categories are extracted
Tools for large-scale applications
Tools combined with Dynamic Analysis tools
Tools supported by a V&V methodology
Tools referring to CWE items
Tools for easy use by any IoT developer of C/C++/Java code
Source code analysis
Source code is the most adequate level of representation of software for a developer to reason about, and it is well suited to analysis.
We address the C, C++ and Java languages and improve their analysis tools.
C, C++ and Java for mobile applications, and interfaces to binary/assembler vulnerability detection tools.
V&V Tools – Frama-C
Formal methods are based on mathematical models of programs (e.g. Z for integers) to reason about programs.
Formal methods use a formal semantics of programs to understand their computational model, e.g. operational semantics, denotational semantics or axiomatic semantics.
For imperative programming languages, the preferred formal methods are Hoare Logic and Abstract Interpretation.
Hoare, C. A. R. "An axiomatic basis for computer programming". Communications of the ACM, 12(10): 576–580, October 1969.
R. W. Floyd. "Assigning meanings to programs." Proceedings of the American Mathematical Society Symposia on Applied Mathematics, Vol. 19, pp. 19–31, 1967.
P. Cousot & R. Cousot. "Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints." Conference Record of the Sixth Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 238–252, Los Angeles, California, 1977. ACM Press, New York.
Links:
https://en.wikipedia.org/wiki/C.A.R._Hoare
https://web.archive.org/web/20160304013345/http:/www.spatial.maine.edu/~worboys/processes/hoare axiomatic.pdf
https://en.wikipedia.org/wiki/Communications_of_the_ACM
https://en.wikipedia.org/wiki/Robert_Floyd
http://www.cs.virginia.edu/~weimer/2007-615/reading/FloydMeaning.pdf
http://www.di.ens.fr/~cousot/COUSOTpapers/POPL77.shtml
Abstract Interpretation
Plug-in EVA (Evolved Value Analysis)
An example with Frama-C EVA
#include <stdlib.h>

int main() {
  int * tab = (int *) malloc(sizeof(int)*10);
  int i;

  /*@ loop pragma UNROLL 10; */
  /* The loop condition and body are cut off in the extracted slide; they are
     completed here as an assumption so that the program compiles and runs. */
  for ( i=0; i<10; i++)
    tab[i] = i;
  free(tab);
  return 0;
}
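To make the abstract-interpretation step concrete, here is an added example in Python; it is not Frama-C code and not from the VESSEDIA project. It is a toy interval-domain analyser run on a constructed encoding of the loop above, `i = 0; while (i < bound) { tab[i] = ...; i = i + 1; }`, with `tab` allocated for 10 ints as in the slide. With bound 10 every index stays inside [0..9] and no alarm is raised; with bound 11 the index interval at the store is [0..10] and the analyser reports a possible out-of-bounds access, which is the kind of alarm EVA emits. All names (`Interval`, `analyze`, `fill_loop`, the tuple-encoded statements) are this example's own.

```python
"""Toy interval-domain abstract interpreter (added example, not Frama-C code).
It mimics what Frama-C EVA does on the loop above: each variable gets an
over-approximating interval, loops are solved by fixpoint iteration (widening,
then one narrowing step), and an alarm is raised when an array index interval
is not contained in the allocated range."""
from dataclasses import dataclass

INF = float("inf")

@dataclass(frozen=True)
class Interval:
    lo: float
    hi: float

    def is_bottom(self):
        return self.lo > self.hi

    def join(self, other):
        if self.is_bottom():
            return other
        if other.is_bottom():
            return self
        return Interval(min(self.lo, other.lo), max(self.hi, other.hi))

    def widen(self, other):
        # A bound that keeps moving jumps to infinity, so the fixpoint terminates.
        if self.is_bottom():
            return other
        lo = self.lo if other.lo >= self.lo else -INF
        hi = self.hi if other.hi <= self.hi else INF
        return Interval(lo, hi)

BOTTOM = Interval(1, 0)  # empty interval: unreachable, or variable never assigned

def aeval(expr, env):
    """Abstract value of ('const', k) | ('var', x) | ('add', e1, e2)."""
    kind = expr[0]
    if kind == "const":
        return Interval(expr[1], expr[1])
    if kind == "var":
        return env.get(expr[1], BOTTOM)
    if kind == "add":
        a, b = aeval(expr[1], env), aeval(expr[2], env)
        if a.is_bottom() or b.is_bottom():
            return BOTTOM
        return Interval(a.lo + b.lo, a.hi + b.hi)
    raise ValueError(kind)

def filter_lt(cond, env, holds):
    """Refine env by the guard ('lt', x, k) or, if holds is False, by its negation."""
    _, x, k = cond
    iv = env.get(x, BOTTOM)
    refined = Interval(iv.lo, min(iv.hi, k - 1)) if holds else Interval(max(iv.lo, k), iv.hi)
    return {**env, x: refined}

def env_op(a, b, op):
    """Pointwise join or widen of two environments (dicts variable -> Interval)."""
    return {x: op(a.get(x, BOTTOM), b.get(x, BOTTOM)) for x in a.keys() | b.keys()}

def exec_stmt(stmt, env, arrays, alarms):
    """Abstract execution; alarms is a list, or None while iterating to a fixpoint."""
    kind = stmt[0]
    if kind == "assign":                            # ('assign', x, expr)
        return {**env, stmt[1]: aeval(stmt[2], env)}
    if kind == "store":                             # ('store', array, index_expr)
        name, idx = stmt[1], aeval(stmt[2], env)
        size = arrays[name]
        if alarms is not None and not idx.is_bottom() and (idx.lo < 0 or idx.hi > size - 1):
            alarms.append(f"{name}[{idx.lo}..{idx.hi}] may be out of bounds (size {size})")
        return env
    if kind == "seq":                               # ('seq', s1, s2, ...)
        for s in stmt[1:]:
            env = exec_stmt(s, env, arrays, alarms)
        return env
    if kind == "while":                             # ('while', ('lt', x, k), body)
        cond, body = stmt[1], stmt[2]
        head = env
        while True:                                 # ascending iteration with widening
            out = exec_stmt(body, filter_lt(cond, head, True), arrays, None)
            new_head = env_op(head, env_op(env, out, Interval.join), Interval.widen)
            if new_head == head:
                break
            head = new_head
        # one descending (narrowing) step recovers the finite bound lost to widening
        out = exec_stmt(body, filter_lt(cond, head, True), arrays, None)
        head = env_op(env, out, Interval.join)
        # the final pass over the stable loop head is where alarms are reported
        exec_stmt(body, filter_lt(cond, head, True), arrays, alarms)
        return filter_lt(cond, head, False)
    raise ValueError(kind)

def analyze(program, arrays):
    """Return (environment at program exit, list of alarm strings)."""
    alarms = []
    return exec_stmt(program, {}, arrays, alarms), alarms

def fill_loop(bound):
    """Constructed program: i = 0; while (i < bound) { tab[i] = ...; i = i + 1; }"""
    return ("seq",
            ("assign", "i", ("const", 0)),
            ("while", ("lt", "i", bound),
             ("seq", ("store", "tab", ("var", "i")),
                     ("assign", "i", ("add", ("var", "i"), ("const", 1))))))
```

`analyze(fill_loop(10), {"tab": 10})` returns `i` in [10, 10] at exit and no alarm; `analyze(fill_loop(11), {"tab": 10})` returns one alarm for `tab[0..10]`. Alarms are only collected on the final pass over the stabilised loop head, so the transient infinite bound produced by widening never shows up as a spurious report.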
Hoare Logic
Plug-in WP (Weakest Preconditions calculus)
An example with Frama-C ACSL - iota
Assign sequentially increasing values to a range, where the initial value is user-defined. The signature reads:
void iota(value_type* a, size_type n, value_type val);
Starting at val, the function assigns consecutive integers to the elements of the range a. Be careful to deal with possible overflows of the argument val!
predicate Iota(value_type* a, integer n, value_type v) =
  \forall integer i; 0 <= i < n ==> a[i] == v + i;

The specification of this function is:

/*@
  requires \valid(a + (0..n-1));
  requires limit: val + n
An example with Frama-C ACSL – iota (cont’d)
Source code and proof of iota:
typedef int value_type;

/*@ predicate Iota(value_type* a, integer n, value_type v) =
      \forall integer i; 0 <= i < n ==> a[i] == v + i;
*/

/*@ requires valid: \valid(a + (0..n-1));
    requires limit: val + n
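As an added example (not the VESSEDIA or Frama-C code), the contract above turned into runtime checks in Python, in the spirit of E-ACSL: the Iota predicate, the `valid` and `limit` preconditions, a loop invariant `Iota(a, i, val)` of the kind a WP proof of the loop relies on, and the postcondition. The `limit` clause is cut off on the slide; the example assumes it reads `val + n <= INT_MAX`. Arithmetic is modelled as 32-bit C int so that skipping the `limit` check shows the invariant failing once `val + i` wraps around. The names `wrap32`, `iota_pred`, `violation` and `ContractViolation` are this example's own.

```python
"""Executable contract for iota (added example; not the VESSEDIA/Frama-C code).
The Iota predicate, the two preconditions and a loop invariant from the slide
are written as runtime checks, in the spirit of E-ACSL compiling ACSL
annotations into checks.  int arithmetic is modelled as 32-bit two's
complement so the overflow the `limit` precondition rules out is observable.
The slide shows `requires limit: val + n` cut off; it is assumed here to read
`val + n <= INT_MAX`."""

INT_MAX = 2**31 - 1

class ContractViolation(Exception):
    """Raised when a requires, invariant or ensures clause does not hold."""

def wrap32(x):
    """Value of x after C int (32-bit two's complement) wrap-around."""
    return (x + 2**31) % 2**32 - 2**31

def iota_pred(a, n, v):
    """ACSL: \\forall integer i; 0 <= i < n ==> a[i] == v + i (mathematical integers)."""
    return all(a[i] == v + i for i in range(n))

def iota(a, n, val, enforce_limit=True):
    """void iota(value_type* a, size_type n, value_type val), with its contract checked.

    enforce_limit=False skips only the `limit` precondition, to show why the
    contract needs it: the loop invariant then breaks for values near INT_MAX.
    """
    # requires valid: \valid(a + (0..n-1))  -- modelled as: a has at least n cells
    if not 0 <= n <= len(a):
        raise ContractViolation("valid: a + (0..n-1) is not a valid range")
    # requires limit: val + n <= INT_MAX   (assumed completion of the slide's clause)
    if enforce_limit and val + n > INT_MAX:
        raise ContractViolation("limit: val + n exceeds INT_MAX")
    i = 0
    while i < n:
        # loop invariant: 0 <= i <= n && Iota(a, i, val)
        if not (0 <= i <= n and iota_pred(a, i, val)):
            raise ContractViolation(f"invariant: Iota(a, i, val) broken at i={i}")
        a[i] = wrap32(val + i)        # C int addition: wraps instead of growing
        i += 1
    # ensures Iota(a, n, val)
    if not iota_pred(a, n, val):
        raise ContractViolation("ensures: Iota(a, n, val) does not hold")
    return a

def violation(fn, *args, **kwargs):
    """Run fn; return the ContractViolation message, or None if the contract held."""
    try:
        fn(*args, **kwargs)
        return None
    except ContractViolation as e:
        return str(e)
```

`violation(iota, [0] * 5, 5, INT_MAX - 2)` reports the `limit` precondition; the same call with `enforce_limit=False` runs the loop and reports the invariant broken at `i=4`, because `a[3]` received the wrapped value `INT_MIN` instead of `INT_MAX + 1`. That is exactly the case the `limit` clause exists to exclude, and why the slide warns about overflows of `val`.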
VESSEDIA results
At mid-period
V&V Tools
Platforms Frama-C for analysis and proof of C/C++ source code
VeriFast for the analysis of Java and C source code
FlowGuard for the analysis of CFI/DFI properties of binary code
Papyrus/Diversity for modelling and simulation
Several plug-ins for these tools:
Frama-clang - analysis of C++ source code by translation into C source code
AFL_SCA - fuzz testing of source code after Abstract Interpretation has been done
E-ACSL - monitoring: compilation of ACSL assertions into binary code
Diversity-to-ACSL - generation of ACSL trace properties
SecSoftML - modelling
SAaaS – proofs in the cloud
RPP – proof of functions sequence properties
Use-cases
• Contiki OS (Inria): focus on IPv6 stack and OS primitives
  C source code mainly
  Evaluate handling of specific patterns, e.g. Protothreads
  Using Frama-C
• 6LowPAN Management Platform (CEA): OTA reprogramming in multi-hop networks (Contiki-based)
  Entities: 6LoWPAN nodes (C), gateway (Java), management server
  Using Frama-C and VeriFast
• Aircraft Maintenance System (DA): diagnosis and failure prevention, embedded in a civil aircraft
  Entities: proprietary gateway (C) and open-source proxy server (C++)
  Using Frama-C, AFL and CFI/DFI integrated into the CURSOR method
The VESSEDIA use-case: Contiki-OS
An Open Source OS for the Internet of Things
Open source: BSD
C source code
Supports many embedded platforms
Supports standard low-power IPv6
3.9 KLOC of high-priority source code
23.5 KLOC of medium priority
Analyses achieved
Linked list module verified using WP with ghost code and executable specifications
Minimal contracts for core/lib and core/sys libraries with ACSL
Absence of RTE verified for AES & CCM* modules using WP
Contiki NG analysed with EVA and new plug-ins for recursive functions and loop annotations
V&V Methodology
The V&V methodology selects tools and methods according to verification needs and business constraints, at four levels:
Basic (compiler diagnostics)
Simple (non-portable and suspicious program parts)
Advanced (enforcing given programming guidelines)
Formal (e.g. provably establishing the absence of run-time errors)
Modelling framework
UML/Papyrus allows modelling a system with Statecharts, sequence diagrams, etc.
Diversity allows defining security properties of sub-systems for analysis with Frama-C
The CURSOR method combines SA and DA tools (Frama-C EVA/E-ACSL with AFL and CFI/DFI)
Economic rationale and metrics
The DA-SA CURSOR Method
CURSOR: Component of Unit Robustness for Security Objectives and Requirements
Diagram (flattened in extraction), from source to proof:
  C original source code
  -> Frama-C Value: auto-detection of some CWE by abstract interpretation (Gena-CWE457,570,571, …)
  -> C with CWE alarms expressed in ACSL
  -> Frama-C E-ACSL -> C "CWE instrumented"
  -> user's implementation of counter-measures that operate against the targeted CWE
  -> C "CWE proof": CMx to be proved formally with Frama-C tools
  -> pentest process
Example fragment from the diagram; the assertion text is truncated on the slide:
  Original:
    j = i + 1;
    x = *(p+j);
  With the CWE alarm expressed in ACSL:
    j = i + 1;
    x = *(p+j);
    /*@ assert i+1
Certification and Security Evaluation
Security vulnerabilities detection: assess the project’s tools for vulnerabilities detection
Coverage of vulnerabilities
C++ vulnerabilities
-> in progress
Security evaluation: assess tools from the perspective of a security evaluator
Review security evaluation methodologies
Integrate tools in the security evaluation process
-> in progress
Contact Details
Armand PUCCETTI
CEA (Technical)
Ursula Polessnig
Technikon (Coordination)
See also our web site : http://vessedia.eu