three applications of model finding - MIT CSAIL, people.csail.mit.edu/dnj/talks/telaviv12/telaviv12.pdf
![Page 1: three applications of - MIT CSAILpeople.csail.mit.edu/dnj/talks/telaviv12/telaviv12.pdf · 2012-03-12 · zave on chord Pamela Zave. Invariant-Based Verification of Routing Protocols:](https://reader035.vdocuments.net/reader035/viewer/2022070805/5f038d607e708231d4099dde/html5/thumbnails/1.jpg)
three applications of model finding
Daniel Jackson · Tel Aviv, March 7, 2012
based on work with Eunsuk Kang, Aleks Milicevic & Joe Near
Page 2
model finding
Page 3
finding a graph coloring

condition on adjacency and coloring (adj and color are the free variables):

```alloy
all a, b | a->b in adj implies a.color != b.color
```

or, equivalently:

```alloy
no adj.color & color
```

formalizing types:

```alloy
some disj Node, Color: set univ, adj: Node -> Node, color: Node -> one Color |
  no adj.color & color
```

an instance: [graph and coloring shown as a figure on the slide]
Page 4
alloy analyzer

Page 5
how alloy works

alloy front end: elaborate, typecheck, visualize
  alloy command → alloy formula + bounds
kodkod engine (behind an API):
  alloy formula + bounds → translate formula → boolean formula → SAT solver → boolean instance → translate instance (via the mapping) → alloy instance
alloy instance → visual output
Page 6
partial instances

Petersen graph: the adjacency relation adj over nodes n0, n1, n2, n3, ... is fully known, so its matrix is filled in with 0/1 constants and contributes no boolean variables.
a coloring: the color relation over nodes n0..n3 and colors c0..c3 is unknown, so each cell is a boolean variable:

      c0   c1   c2   c3
n0   c00  c01  c02  c03
n1   c10  c11  c12  c13
n2   c20  c21  c22  c23
n3   c30  c31  c32  c33
...
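The pipeline on pages 3 to 6 (relational constraint → boolean formula → SAT → boolean instance → relational instance) in miniature, as an added example; this is not the talk's code nor Alloy/Kodkod's. The Petersen graph is the constructed partial instance, so adj contributes only constants; the color matrix becomes the boolean variables c(n, k); the solver is a deliberately tiny DPLL; and node 0 is pinned to color 0 as a symmetry-breaking predicate, which is sound because colors are interchangeable atoms.

```python
"""Model finding in miniature, as an added example (not the talk's code nor
Alloy/Kodkod's): the graph-coloring constraint 'no adj.color & color' is
translated to CNF over a partial instance, handed to a small DPLL SAT
solver, and the boolean model is mapped back to a relational instance."""
from itertools import combinations

# Constructed partial instance: the Petersen graph. The adjacency relation is
# fully known, so it contributes constants, not boolean variables.
PETERSEN_EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0),    # outer 5-cycle
                  (0, 5), (1, 6), (2, 7), (3, 8), (4, 9),    # spokes
                  (5, 7), (7, 9), (9, 6), (6, 8), (8, 5)]    # inner pentagram


def encode_coloring(n_nodes, n_colors, edges):
    """Translate 'color: Node -> one Color' plus 'no adj.color & color' to CNF.
    Boolean variable c(n, k) = 1 + n*n_colors + k means 'node n has color k'
    (the unknown cells of the color matrix on the partial-instances slide)."""
    var = lambda n, k: 1 + n * n_colors + k
    cnf = []
    for n in range(n_nodes):
        cnf.append([var(n, k) for k in range(n_colors)])          # 'one': at least one color
        for k1, k2 in combinations(range(n_colors), 2):
            cnf.append([-var(n, k1), -var(n, k2)])                # 'one': at most one color
    for a, b in edges:                                            # 'no adj.color & color'
        for k in range(n_colors):
            cnf.append([-var(a, k), -var(b, k)])
    # Symmetry-breaking predicate: colors are interchangeable atoms, so pin
    # node 0 to color 0 without losing any essentially different instance.
    cnf.append([var(0, 0)])
    return cnf


def dpll(clauses, assignment=None):
    """Minimal DPLL: unit propagation, then branch. Returns {var: bool} or None."""
    assignment = dict(assignment or {})
    while True:
        unit, live_clauses = None, []
        for clause in clauses:
            if any(assignment.get(abs(l)) == (l > 0) for l in clause):
                continue                                    # already satisfied
            live = [l for l in clause if abs(l) not in assignment]
            if not live:
                return None                                 # conflict
            if len(live) == 1 and unit is None:
                unit = live[0]
            live_clauses.append(live)
        clauses = live_clauses
        if not clauses:
            return assignment
        if unit is None:
            break
        assignment[abs(unit)] = unit > 0                    # propagate the unit literal
    branch = abs(clauses[0][0])
    for value in (True, False):
        model = dpll(clauses, {**assignment, branch: value})
        if model is not None:
            return model
    return None


def decode(model, n_nodes, n_colors):
    """Map the boolean model back to the relational instance color: Node -> Color."""
    return {n: k for n in range(n_nodes) for k in range(n_colors)
            if model.get(1 + n * n_colors + k)}


def find_coloring(n_nodes, n_colors, edges):
    """Return a proper coloring {node: color}, or None when the scope is unsatisfiable."""
    model = dpll(encode_coloring(n_nodes, n_colors, edges))
    return None if model is None else decode(model, n_nodes, n_colors)


def is_proper(coloring, edges):
    """Check the instance against the original relational constraint."""
    return all(coloring[a] != coloring[b] for a, b in edges)


if __name__ == "__main__":
    print(find_coloring(10, 3, PETERSEN_EDGES))   # a 3-coloring of the Petersen graph
    print(find_coloring(10, 2, PETERSEN_EDGES))   # None: two colors never suffice
```

The unsatisfiable run with two colors is the case the Kodkod core extractor on the next page addresses: a real model finder would return a minimal unsatisfiable core (here the odd outer cycle plus the 'one color' clauses) rather than a bare None.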
Page 7
kodkod architecture [Torlak07], [Torlak08]

spec = formula + bounds + universe
formula → skolemizer → skolemized formula
bounds + universe → symmetry detector → universe partitioning → symmetry breaker → SBP (symmetry-breaking predicate)
skolemized formula + SBP → circuit transformer (with sharing detector) → boolean formula → translator → CNF → SAT solver
sat? → model
unsat? → core extractor → minimal core
Page 8
some applications of model finding

checking theorems: find a refutation; eg, Nitpick for Isabelle/HOL
software update: find packages to install; eg, Eclipse's Equinox P2
configuring networks: find router settings; eg, Telcordia's ConfigAssure
Page 9
why alloy/kodkod?

feature comparison (the slide shows a grid of support symbols per tool; the symbols did not survive transcription, only the row and column labels):

language features: first order logic, relational algebra, partial models, inductive definitions, types, bitvector arithmetic
model finding features: partial models, inductive definitions, symmetry breaking, high-arity relations, nested quantifiers, core extraction, minimal core
tools compared: Kodkod, IDP 1.3, Paradox 2.3, Darwin FM, Mace4
legend: full support / partial support / no support
Page 10
#0 design analysis
Page 11
zave on chord
Pamela Zave. Invariant-Based Verification of Routing Protocols: The Case of Chord, 2009
Ion Stoica et al. Chord: A Scalable Peer to Peer Lookup Service for Internet Applications, SIGCOMM 2001 (also TON, 2003)
Page 12
akhawe+ on web security
Akhawe et al. (Towards a Formal Foundation of Web Security, CSF 2010): a generic model of web security covering HTTP, certificates, cookies and script contexts
about 2,000 lines of Alloy
Page 13
results
applied to 5 case studies; in each, found vulnerabilities: 2 known, 3 unknown
sample vulnerability: referrer validation fails on redirects
Page 14
falling over the cliff
Page 15
more examples: alloy.mit.edu
Page 16
#1 declarative programming
work by Aleks Milicevic
Page 17
sudoku
problem: fill in the empty cells so that all rows, columns and squares contain 1..9
Page 18
declaring the grid

```java
public class Sudoku {
    private int[][] grid = new int[9][9];

    public static void main(String[] args) {
        Sudoku s = new Sudoku();
        s.grid[0][3] = 1; ...; s.grid[8][8] = 5;
    }
}
```
Page 19
specifying solve

```java
public class Sudoku {
    private int[][] grid = new int[9][9];

    @Ensures({
        "all row in {0..8} | this.grid[row][int] = {1..9}",
        "all col in {0..8} | this.grid[int][col] = {1..9}",
        "all r, c in {0, 1, 2} | this.grid[{r*3..r*3+2}][{c*3..c*3+2}] = {1..9}"
    })
    @Modifies("this.grid[int].elems | _<2> = 0")   // only cells that are still 0 may change
    public void solve() { ... }

    public static void main(String[] args) {
        Sudoku s = new Sudoku();
        s.grid[0][3] = 1; ...; s.grid[8][8] = 5;
        s.solve();
    }
}
```
Page 20
implementing solve

```java
public class Sudoku {
    private int[][] grid = new int[9][9];

    @Ensures({
        "all row in {0..8} | this.grid[row][int] = {1..9}",
        "all col in {0..8} | this.grid[int][col] = {1..9}",
        "all r, c in {0, 1, 2} | this.grid[{r*3..r*3+2}][{c*3..c*3+2}] = {1..9}"
    })
    @Modifies("this.grid[int].elems | _<2> = 0")   // only cells that are still 0 may change
    public void solve() { Squander.exe(this); }     // the body is the spec: let the model finder fill the grid

    public static void main(String[] args) {
        Sudoku s = new Sudoku();
        s.grid[0][3] = 1; ...; s.grid[8][8] = 5;
        s.solve();
    }
}
```

Page 21
printing the result

the same program; main additionally prints the solved grid:

```java
    public static void main(String[] args) {
        Sudoku s = new Sudoku();
        s.grid[0][3] = 1; ...; s.grid[8][8] = 5;
        s.solve();
        System.out.println(s);
    }
```
Page 22
from code spec to heap update

code spec (the @Ensures strings of solve):

```
"all row in {0..8} | this.grid[row][int] = {1..9}",
"all col in {0..8} | this.grid[int][col] = {1..9}",
"all r, c in {0, 1, 2} | this.grid[{r*3..r*3+2}][{c*3..c*3+2}] = {1..9}"
```

SQUANDER translates the spec into an alloy formula, eg `all r: Row | grid.Row.Int = range(1,9)`, plus bounds: partial-instance matrices over the heap objects (n0, n1, n2, n3, ...) whose known cells hold 0/1 constants and whose unknown cells are relation variables (r10, r20, r30, r21, r32, r02, r03, r13, ...)
KODKOD turns formula and bounds into CNF; the SAT solver returns an assignment; Squander maps it back to an instance (a 0/1 matrix over the same objects) and applies the corresponding heap updates to the Java heap
Page 23
performance

[bar chart: time [s], 0 to 100, against problem size N = 16, 28, 32, 34, 36, 68; series t_Backtracking, t_SAT, t_Kodkod, t_Squander; benchmarks: n-queens, hamiltonian path (none), hamiltonian path (some)]
Page 24
refinements

handling libraries, eg Java collections: specs, spec fields, invariants
minimizing universe size: exploit type information in heap; map objects of different types to the same atom
Page 25
binary search tree

(the ordering invariants refer to this.key and so belong on Node; the transcript ran the two classes' annotations together)

```java
@SpecField("this.nodes: set Node | this.nodes = this.root.*(left+right) - null")            // defines nodes
@Invariant("all n: this.nodes | (#n.left.^(left+right) - #n.right.^(left+right)) in {-1, 0, 1}")  // tree is balanced
public class BalancedTree {
    private Node root;

    @Requires("z.key !in this.nodes.key")
    @Ensures("this.nodes = @old(this.nodes) + z")
    @Modifies("this.root, this.nodes.left | <1> = null, this.nodes.right | <1> = null")
    public void insertNode(Node z) { Squander.exe(this, z); }
}

@Invariant({
    "all x: this.left.*(left+right) - null | x.key < this.key",    // everything to the left is smaller
    "all x: this.right.*(left+right) - null | x.key > this.key"    // everything to the right is larger
})
public class Node {
    private Node left, right;
    private int key;
}
```
Page 26
course scheduler

existing app: uses Alloy, but embedded by hand
new version: Squander code
numbers: 1500 lines of code replaced by 30 of spec; 2000 objects on heap; runs in 5s instead of 1s
Page 27
related work

Kaplan [Köksal, Kuncak, Suter]: constraints integrated with Scala
Jeeves [Yang, Yessenov, Solar-Lezama]: declarative privacy policies enforced at runtime
PBnJ [Samimi, Aung, Millstein]: falling back to executable specs
data structure repair [Zaeem, Khurshid]: using contracts and Kodkod
Page 28
#2 verification of web apps
work by Joseph Near
Page 29
code checking by refutation

represent code & spec as formulas: Code(s,s') and Spec(s,s')
find instances of Code(s,s') and not Spec(s,s')
guarantees: every instance is a valid counterexample, but bugs may be missed due to the small scope
Page 30
observations about web apps

"CRUD": little control structure; relational data
not just functionality: security critical, and also relational, data-centric
unit tests of controller actions, eg in RSpec
disciplined layering: data access factored out
Page 31
Rubicon specs

RSpec test (one concrete user built by a factory):

```ruby
it "user included in list of users" do
  user = Factory(:user)
  get :index
  assigns[:users].should include user
end
```

Rubicon spec (quantifies over every user in scope):

```ruby
it "all users included in list of users" do
  User.forall do |user|
    get :index
    assigns[:users].should include(user)
  end
end
```
Page 32
how Rubicon works

normal test: RSpec test → controller → standard libraries
Rubicon check: spec → wrapper → controller → standard libraries → Alloy Analyzer → counterexample
Page 33
stubbing active record

```ruby
klasses = ActiveRecord::Base.descendants
klasses.each do |klass|
  metaklass = class << klass; self; end
  metaklass.send(:define_method, :all, lambda { |*args|
    if $symbolic_execution
      ExprApp.new(:all, [self])   # symbolic: the whole table as an expression
    else
      super(*args)                # real query; super needs explicit args inside define_method
    end
  })
end
```

User.all evaluates to: in Rails, the list of database records; in Rails+Rubicon, ExprApp(User)
Page 34
stubbing subclass methods

```ruby
klass.column_names.each do |name|
  klass.send(:define_method, name.to_sym, lambda { |*args|
    if $symbolic_execution
      ExprApp.new(:field_get, [self, name.to_sym])   # symbolic field read
    else
      super(*args)
    end
  })
end
```

some_user.id evaluates to: in Rails, 1, eg; in Rails+Rubicon, ExprApp(:field_get, some_user, :id)
Page 35
sample spec & action

```ruby
class UsersController < ApplicationController
  def profile
    @current_user = User.find_by_id(session[:user_id])
    all_posts = Micropost.where(:user => @current_user.friends)
    @posts = all_posts.select do |post|
      (post.privacy == 'friends') | (post.privacy == 'public')
    end
  end
end
```

```ruby
it "all users see only their friends' posts" do
  User.forall do |user|
    session[:user_id] = user.id
    get :profile
    Micropost.forall do |post|
      ((post.privacy == 'friends') & (!user.friends.include? post.user)).implies do
        assigns[:posts].should_not include post
      end
    end
  end
end
```
Page 36
sample verification condition

the spec on the previous slide, after symbolic execution of the action:

```
Implies(
  And(symbolic_post.privacy = 'friends',
      Not(include(symbolic_user.friends, symbolic_post.user))),
  Not(include(Query(Micropost,
                    And(include(:user, symbolic_user.friends),
                        Or(=(:privacy, 'friends'), =(:privacy, 'public')))),
              symbolic_post)))
```

converted to:

```alloy
all u: User, p: Micropost |
  p.privacy = friends and not p.user in u.friends implies
    p not in { p': Micropost | p'.user in u.friends and (p'.privacy = friends or p'.privacy = public) }
```
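The refutation check of page 29 applied to the spec and action of pages 35 and 36, as an added example; this is not Rubicon's code. Rubicon executes the action symbolically and hands one formula to the Alloy Analyzer; the code below is the brute-force equivalent, enumerating every instance of a small data model up to a scope and running the action on each, and it gives the same guarantee: every hit is a real counterexample, but bugs outside the scope are missed. `profile_action` is the slide's action transliterated from Rails; `profile_action_buggy` is a constructed variant that drops the friends filter, and the users, posts and friends relation are generated, not real data.

```python
"""Code checking by refutation, as an added example (not Rubicon's code):
enumerate every instance of a small data model up to a scope, run the
controller action on each, and search for Code(s, s') and not Spec(s, s')."""
from dataclasses import dataclass
from itertools import product

PRIVACY = ("friends", "public", "private")


@dataclass(frozen=True)
class Post:
    author: int      # user id
    privacy: str


@dataclass(frozen=True)
class World:
    """One instance of the data model: users, the friends relation, posts."""
    users: tuple
    friends: frozenset   # (u, v): v is a friend of u
    posts: tuple

    def friends_of(self, user):
        return {v for (u, v) in self.friends if u == user}


def profile_action(world, current_user):
    """The 'profile' action from the slide, transliterated from Rails."""
    all_posts = [p for p in world.posts if p.author in world.friends_of(current_user)]
    return [p for p in all_posts if p.privacy in ("friends", "public")]


def profile_action_buggy(world, current_user):
    """Constructed buggy variant: the where(:user => friends) filter is missing."""
    return [p for p in world.posts if p.privacy in ("friends", "public")]


def spec_holds(world, user, shown):
    """'all users see only their friends' posts':
    all p | p.privacy = friends and p.user not in user.friends implies p not in shown."""
    return all((p.privacy != "friends" or p.author in world.friends_of(user))
               or p not in shown
               for p in world.posts)


def instances(n_users, n_posts):
    """Every World in scope: all friends relations, authors and privacy settings."""
    users = tuple(range(n_users))
    pairs = [(u, v) for u in users for v in users if u != v]
    for mask in product((0, 1), repeat=len(pairs)):
        friends = frozenset(pair for pair, bit in zip(pairs, mask) if bit)
        for authors in product(users, repeat=n_posts):
            for privs in product(PRIVACY, repeat=n_posts):
                yield World(users, friends, tuple(Post(a, pr) for a, pr in zip(authors, privs)))


def find_counterexample(action, n_users=2, n_posts=2):
    """Return (world, user, shown) with Code true and Spec false, or None in scope."""
    for world in instances(n_users, n_posts):
        for user in world.users:
            shown = action(world, user)
            if not spec_holds(world, user, shown):
                return world, user, shown
    return None


if __name__ == "__main__":
    print(find_counterexample(profile_action))          # None: the spec holds in scope
    print(find_counterexample(profile_action_buggy))    # a concrete violating instance
```

The returned counterexample is exactly what the Alloy Analyzer produces on page 32: a concrete user, a concrete post and the concrete friends relation under which the action leaks a friends-only post. A None result is only evidence up to the scope, which is why page 29 says bugs may be missed.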
Page 37
results to date

wrote specs for 5 open-source apps: c. 150 specs, 1 kloc
ran analyses: average about 3 s in a scope of 5
found bugs: 2 bugs found in Fat Free CRM, one spurious, one serious security bug
Page 38
Fat Free CRM
Page 39
related work

model finding for checking Java: [Vaziri], [Taghdiri], [Dennis] & co; example: KOA vote tallying program
model checking for web apps: eg, [DeAlfaro], [Castelluccia]; focused on navigation
symbolic security analysis: [Chaudhuri & Foster]
checking Rails data model in Alloy: [Nijjar & Bultan]
Page 40
#3 security configuration
work by Eunsuk Kang
Page 41
problem

most security attacks are not subtle: a badly configured firewall, failure to sanitize queries, missing access controls
but they are hard to fix: complex configuration settings, interactions between components, changing defaults & behaviors
Page 42
standard approach

the designer of the application relies on experts for component properties
the administrator picks conservative settings, eg DISA's 'Security Technical Implementation Guides'
no explicit argument connecting the components
application-independent: too stringent? or not stringent enough
Page 43
a sample STIG entry
Page 44
architecture

user queries → solver ← security knowledge base: system & environment models, vulnerabilities & threats, mitigation techniques, security properties
solver output: recommended fixes, security failures
the knowledge base plus the user's query form the model & partial instance given to the solver
Page 45
example: Facebook privacy

user ↔ privacy analyzer, backed by the security knowledge base (privacy model, undesirable scenarios) and the profile data model
inputs: current settings + profile data; output: new privacy settings

Page 46
example: Facebook privacy (continued)

user: "Are my private photos only visible to my friends in MIT network?"

Page 47
example: Facebook privacy (continued)

analyzer: "No, your mother can see photo XYZ"
analyzer: "Modify the settings for album "Spring Break""
Page 48
example: Apache security

server administrator/user ↔ Apache config analyzer, backed by the security knowledge base (config logic, vulnerabilities, known web server attacks) and a network model
input: current config; output: suggested fixes to config

Page 49
example: Apache security (continued)

user: "Are my personal files in my website protected?"

Page 50
example: Apache security (continued)

analyzer: "No, directory X is missing index.html, so anyone can view your files"
attack: directory enumeration by a malicious client
analyzer: "Modify the config to disable directory listing"
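The check behind the dialogue on pages 48 to 50, as an added example in the spirit of the prototype analyzer; this is not the talk's tool. It parses `<Directory>` sections, computes the effective `Options` and `DirectoryIndex` for each served directory the way httpd merges them (a bare `Options A B` replaces the inherited set; a list of `+X`/`-X` tokens adjusts it), and reports every directory where `Indexes` is on but no index file exists, since mod_autoindex then answers a request for that directory with a listing. The config and the filesystem snapshot are constructed sample input; the assumed baseline (no server-wide `Options`, `DirectoryIndex index.html`) is stated in the code.

```python
"""Constructed Apache-configuration check in the spirit of the analyzer on
these slides (not the talk's tool): compute the effective Options for each
directory and flag any directory where Indexes is on but no DirectoryIndex
file exists, which lets a client enumerate its contents."""
import re

# constructed sample config (not a real site)
SAMPLE_CONFIG = """
<Directory "/var/www">
    Options Indexes FollowSymLinks
    DirectoryIndex index.html
</Directory>
<Directory "/var/www/public">
    Options -Indexes
</Directory>
"""

# constructed snapshot of the served tree: directory -> files it contains
SAMPLE_FS = {
    "/var/www": ["index.html", "about.html"],
    "/var/www/public": ["report.pdf"],
    "/var/www/private": ["salaries.xlsx", "notes.txt"],
}

DIRECTORY_RE = re.compile(r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>', re.S)


def parse_sections(config_text):
    """Return {path: {'options': [tokens], 'index': [names] or None}} per <Directory>."""
    sections = {}
    for path, body in DIRECTORY_RE.findall(config_text):
        entry = {"options": [], "index": None}
        for line in body.splitlines():
            parts = line.split()
            if parts and parts[0] == "Options":
                entry["options"] = parts[1:]
            elif parts and parts[0] == "DirectoryIndex":
                entry["index"] = parts[1:]
        sections[path.rstrip("/")] = entry
    return sections


def effective_settings(sections, directory):
    """Merge sections from least to most specific, as httpd does: a bare
    'Options A B' replaces the inherited set, while '+X' / '-X' adjust it.
    Assumed baseline: no server-wide Options, DirectoryIndex index.html."""
    options, index = set(), ["index.html"]
    for path in sorted(sections, key=len):
        if directory == path or directory.startswith(path + "/"):
            tokens = sections[path]["options"]
            if tokens and all(t[0] in "+-" for t in tokens):
                for t in tokens:
                    (options.add if t[0] == "+" else options.discard)(t[1:])
            elif tokens:
                options = set(tokens)
            if sections[path]["index"]:
                index = sections[path]["index"]
    return options, index


def find_listable_directories(config_text, fs):
    """Security failure plus suggested fix for every directory a client can enumerate."""
    sections = parse_sections(config_text)
    findings = []
    for directory, files in fs.items():
        options, index = effective_settings(sections, directory)
        if "Indexes" in options and not any(name in files for name in index):
            findings.append({
                "directory": directory,
                "failure": f"{directory} is missing {index[0]}, so anyone can view your files",
                "attack": "directory enumeration by a malicious client",
                "fix": f'<Directory "{directory}">\n    Options -Indexes\n</Directory>',
            })
    return findings


if __name__ == "__main__":
    for finding in find_listable_directories(SAMPLE_CONFIG, SAMPLE_FS):
        print(finding["failure"])
        print(finding["fix"])
```

In the sample, /var/www has Indexes on but also has index.html, /var/www/public switches Indexes off, and only /var/www/private inherits Indexes with no index file, so that is the one finding. The suggested fix is the narrowest one: a `-Indexes` for that directory rather than a site-wide change, which is the application-specific answer page 42 contrasts with a blanket STIG setting.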
Page 51
apache configuration model

Page 52
apache behavior model

Page 53
apache threat model

Page 54
sample attack

Page 55
prototype Apache analyzer
related work
SAT-based configurationfirewalls [Margrave (Nelson et al, 10)]
packages [eg, Opium, Mancoosi, Zypp]
rule-based configurationnetworks [eg, MulVal (Ou et al., 05)]
model-based diagnosis [eg, Reiter, Kleer, Williams]
explain symptoms at run-time
Page 57
summary: 3 provocations

Page 58
three provocations

relational logic + SAT; cf. "the expressiveness/tractability balance"
focus on failures vs proofs: counterexamples, explanations, fixes
high-level reasoning vs state machine: may scale better & provide better feedback?