Open Access Journal Article

Attack Synthesis for Strings using Meta-Heuristics

TLDR
This work uses symbolic execution to extract path constraints, automata-based model counting to estimate the probability of execution paths, and meta-heuristic methods to maximize information gain based on entropy for synthesizing adaptive attack steps.
Abstract
Information leaks are a significant problem in modern computer systems, and string manipulation is prevalent in modern software. We present techniques for automated synthesis of side-channel attacks that recover secret string values based on timing observations on string-manipulating code. Our attack synthesis techniques iteratively generate inputs which, when fed to code that accesses the secret, reveal partial information about the secret based on the timing observations, leading to recovery of the secret at the end of the attack sequence. We use symbolic execution to extract path constraints, automata-based model counting to estimate the probability of execution paths, and meta-heuristic methods to maximize information gain based on entropy for synthesizing adaptive attack steps.


Citations
Proceedings Article

JVM fuzzing for JIT-induced side-channel detection

TL;DR: The results directly contradict the conclusions of four separate state-of-the-art program analysis tools for side-channel detection and demonstrate that JIT-induced side channels are prevalent and can be detected automatically.
Proceedings Article

Subformula caching for model counting and quantitative program analysis

TL;DR: This paper presents a subformula caching framework and integrates it into a model counting constraint solver and demonstrates that the approach significantly improves the performance of quantitative program analysis.
Journal Article

Incremental Attack Synthesis

TL;DR: This paper presents an incremental approach to attack synthesis that reuses model counting results from prior iterations in each attack step to improve efficiency and drastically improves performance, reducing the attack synthesis time by an order of magnitude.
Book Chapter

Quantifying Information Leakage Using Model Counting Constraint Solvers

TL;DR: By combining model counting constraint solvers with symbolic execution, it is possible to quantify the amount of information that a program leaks about a secret input, which is crucial for detection and analysis of side-channel vulnerabilities.
Posted Content

Incremental Adaptive Attack Synthesis

TL;DR: Techniques for automated synthesis of adaptive side-channel attacks that recover secret values are presented, using symbolic execution to extract path constraints, automata-based model counting to estimate probabilities of execution paths, and meta-heuristics to maximize information gain based on entropy in order to minimize the number of synthesized attack steps.