Reflections on the Experimental Evaluation of a Binary-Level Symbolic Analyzer for Spectre

Daniel, Lesly-Ann; Bardin, Sébastien; Rezk, Tamara

doi:10.14722/laser-ndss.2021.24286

Cited by 2 publications

(1 citation statement)

References 16 publications

(42 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Relational symbolic execution. In order to apply SE to security properties such as noninterference, Milushev et al [32] propose a form of relational symbolic execution (RSE) to use KLEE to analyze noninterference by means of a technique called selfcomposition [7,20,39] to reduce a relational property of a program p to a safety property of a transformation of p. More recently, Daniel et al have optimized RSE to be applicable to binary code to analyze relational properties such as constant time [17] and speculative constant time [18,19] and discovered violations of these properties in realworld cryptographic libraries. All these approaches are based on pure (relational) SE static techniques and, as such, they are not capable of recovering soundness beyond a fixed bound as in our case.…”

Section: Related Workmentioning

confidence: 99%

Sound Symbolic Execution via Abstract Interpretation and its Application to Security

Tiraboschi,

Rezk,

Rival

2023

Preprint

View full text Add to dashboard Cite

Symbolic execution is a program analysis technique commonly utilized to determine whether programs violate properties and, in case violations are found, to generate inputs that can trigger them. Used in the context of security properties such as noninterference, symbolic execution is precise when looking for counter-example pairs of traces when insecure information flows are found, however it is sound only up to a bound thus it does not allow to prove the correctness of programs with executions beyond the given bound. By contrast, abstract interpretation-based static analysis guarantees soundness but generally lacks the ability to provide counter-example pairs of traces. In this paper, we propose to weave both to obtain the best of two worlds. We demonstrate this with a series of static analyses, including a static analysis called RedSoundRSE aimed at verifying noninterference. RedSoundRSE provides both semantically sound results and the ability to derive counterexample pairs of traces up to a bound. It relies on a combination of symbolic execution and abstract domains inspired by the well known notion of reduced product. We formalize RedSoundRSE and prove its soundness as well as its relative precision up to a bound. We also provide a prototype implementation of RedSoundRSE and evaluate it on a sample of challenging examples.

show abstract