Automatic Generation of ounter-measure alling ontexts: the URSOR Method Dassault Aviation Dillon Pariente June 20th, 2016 Paris, La Maison de La Recherche
Outline ontext Objectives and ase Study on Security URSOR Method Principles Demo onclusion & Perspectives Q&A
ontext FP7 - STANE Project (2012-2016) Partners: EA-List (F, Leader), Trusted-Labs (F), Thales S (F), KULeuven (B), Infineon (G), SearchLab (H), Arttic (F), TU Graz (A), Fraunhofer (G), Dassault Aviation (F) Main purposes: extending Frama- for Security, ++ front-end, http://stance-project.com (links to the SW, publications, reports)
ontext (cont d) FP7 STANE s outcomes: partial outline URSOR Method
Objectives / ase Study Aircraft e-maintenance (on-going dev.) Embedded web application with OTS, opensource SW components Apache, OpenSSL, ProgreSQL, Target of Evaluation How to detect WE by FM on some critical components? How to strengthen the code? (cost-)efficiently?...
URSOR method omponent or Unit Robustness for Security Objectives and Requirements How to break this causality chain? Attacks Exploits VEs X WEs detects some categories of WEs as alarms in source code [ASL annotations] automatically translates (most of) these alarms as executable code [counter-measure calling contexts] URSOR RA approach Runtime Assertion hecking Advantages: pretty automatic approach contributes to Security Function implementation impacts attack surface response no expertise required in Formal Method requires to implement these counter-measures log stop add IPS service rules may rely on
URSOR method omponent or Unit Robustness for Security Objectives and Requirements auto-detection of some WE by abstract interpretation Frama- Value original source code translates ASL alarms into source code Gena-WE 457,570,571, Frama- E-ASL with WE alarms alarms expressed in ASL "WE instrumented" /*@ assert i+1<=max_int; */ /*@ assert \valid_read(p+j); */ e_assert((l)i+1<=maxint,"ovfl"); e_valid(p+j,"vld");?? operate against targeted WE user's implementation of counter-measures "WE proof" e_assert((l)i+1<=maxint,"ovfl"); e_valid(p+j,"vld"); M1() { } M2() { } pentest process / Mx to be proved formally with Frama- tools : Source code : EA tools : DA tools&devs
URSOR application to Apache (server/util library) DEMO
URSOR method omponent or Unit Robustness for Security Objectives and Requirements auto-detection of some WE by abstract interpretation Frama- Value original source code All alarms are processed, spurious or not! translates ASL alarms into source code Gena-WE 457,570,571, Some strategies may limit extra-code generation operate against targeted WE Frama- E-ASL user's implementation of counter-measures pentest process / with WE alarms alarms expressed in ASL "WE instrumented" "WE proof" /*@ assert i+1<=max_int; */ /*@ assert \valid_read(p+j); */ e_assert(i+1<=maxint,"ovfl"); e_valid(p+j,"vld"); e_assert(i+1<=maxint,"ovfl"); e_valid(p+j,"vld"); M libs can be either specific to the alarm context,... or totally generic! Mx to be proved formally with Frama- tools?? M1() { } M2() { } : Source code : EA tools : DA tools&devs
URSOR a more sophisticated process
onclusion and Perspectives Simple and straightforward use of Frama- plug-ins First experiments with URSOR method are quite conclusive (R&T context) Still applicable to more critical/complex applications? (relevant counter-measures? ) How URSOR may contribute to Security Evaluation process, ommon riteria certification,?