[Focus on] Verimag - Research activities on tools for vulnerability analysis

By Laurent Mounier and Marie-Laure Potet (VERIMAG/PACSS)
Research activities of Verimag/PACSS aim to improve the security of software systems. Our objective is to develop specific code analysis techniques, allowing to reason both on high-level and low-level code representations, and able to take into account dedicated attacker models.

Research activities of Verimag/PACSS aim to improve the security of software systems. Currently this work mostly focuses on the following topics: vulnerability detection and analysis, robustness against code injection, and security of industrial systems.

Vulnerability detection and analysis

Software vulnerabilities are programming bugs that can been exploited by malicious users in order to break basic security rules (i.e., access confidential data, perform arbitrary code execution, etc.). Detecting such vulnerabilities and analyzing their possible consequences is therefore a major concern for software editors and end-users. To do so, a possible approach is to re-use some of the code analysis techniques aiming to ensure that a software is free from functional bugs, like static code analysis or automated test generation. However, these techniques have to be adapted in several ways. First, they should operate on binary level code, to take into account both the compilation process and the whole code execution environment (including external libraries). Second, they should handle some non standard semantic constructs, like undefined behaviors, in order to produce meaningful verdicts. And finally they should integrate a well-defined attacker model, able to characterize the expected attack scenarios.
We are working in this direction in collaboration with CEA List in the context of the BinSec open platform for security analysis on binary code. As a part of BinSec, we proposed an end-to-end approach to detect use-after-free vulnerabilities (CWE-416), i.e., the use of a memory chunk after it has been freed, which leads to numerous potential attacks and which is hardly addressed by classical code analysis techniques. Our approach combines a lightweight static analysis, based on a dedicated value-set analysis performed on the binary level, and a guided dynamic symbolic execution. The first step statically extracts (potentially) vulnerable weighted slices, containing program execution paths able to successively allocate, free and access a same memory chunk. The second step then tries to generate test executions able to trigger these executions in order to confirm the vulnerability (eliminating false positives). This combination happened to be quite effective, and in particular it allowed to find a new vulnerability on the JasPer application (CVE-2015-5221).

Robustness against fault-injection

In the domain of secure devices (smartcard or secured dongle) vulnerability analysis needs to consider highly sophisticated attacks based on fault injections, that can be performed using laser rays or electromagnetic fields, and which may allow the attacker to alter the code and/or the data of the software under execution. Certification processes like the ones taking place in the context of Common Criteria now require a thorough software analysis in order to asset its robustness against such multi-faults attacks. Therefore research challenges include the development of code analysis techniques able to integrate such active attacker models in order to help both designers to protect their code and evaluation bodies to better target the generation of physical attacks and to quantify their effects.
In this context we develop a tool called Lazart (for Laser Attack and Robustness). This tool takes as input a C/C++ program, a high-level multi-fault injection model, and a security property (e.g., ensuring that authentication cannot be performed on a device without the relevant credentials). Its first step is to produce a high-order mutant of the LLVM representation of the program under test, encoding in a symbolic way all the possible fault injections. The second step consists in running Klee, an open-source concolic execution engine, those purpose is to find insecure executions. The results produced are concrete attack scenarios and some metrics to evaluate the relevance of the counter-measures inserted in the code. Lazart is still under development within several research projects and collaborations like CLAPS (as part of the IRT NanoElec) and SecureIOT-2. A former project is the ANR ASTRID Sertif, in collaboration with CEA/LETI, which produced a public benchmark (called FISCC) to be used for tool evaluation.

Security of Industrial Systems

Industrial control systems still rely on proprietary and legacy codes. Updates and patches are not systematically applied, and the main requirement is too keep such systems "working" before making then "secure". As a result, their overall security level can be quite weak, and the software components are part of the weakest links in this security chain. Verimag participates to the ANR Sacade project aiming to detect vulnerabilities and attack scenarios on such systems. In particular we aim to apply reverse-engineering techniques on PLC codes in order to detect potential vulnerabilities.

Published on June 29, 2020