-
Flexible remote attestation of pre-SNP SEV VMs using SGX enclaves
Authors:
Pedro Antonino,
Ante Derek,
Wojciech Aleksander Wołoszyn
Abstract:
We propose a protocol that explores a synergy between two TEE implementations: it brings SGX-like remote attestation to SEV VMs. We use the notion of a \emph{trusted guest owner}, implemented as an SGX enclave, to deploy, attest, and provision a SEV VM. This machine can, in turn, rely on the trusted owner to generate SGX-like attestation proofs on its behalf. Our protocol combines the application…
▽ More
We propose a protocol that explores a synergy between two TEE implementations: it brings SGX-like remote attestation to SEV VMs. We use the notion of a \emph{trusted guest owner}, implemented as an SGX enclave, to deploy, attest, and provision a SEV VM. This machine can, in turn, rely on the trusted owner to generate SGX-like attestation proofs on its behalf. Our protocol combines the application portability of SEV with the flexible remote attestation of SGX. We formalise our protocol and prove that it achieves the intended guarantees using the Tamarin prover. Moreover, we develop an implementation for our trusted guest owner together with example SEV machines, and put those together to demonstrate how our protocol can be used in practice; we use this implementation to evaluate our protocol in the context of creating \emph{accountable machine-learning models}. We also discuss how our protocol can be extended to provide a simple remote attestation mechanism for a heterogeneous infrastructure of trusted components.
△ Less
Submitted 16 May, 2023;
originally announced May 2023.
-
A Pattern-based deadlock-freedom analysis strategy for concurrent systems
Authors:
Pedro Antonino,
Augusto Sampaio,
Jim Woodcock
Abstract:
Local analysis has long been recognised as an effective tool to combat the state-space explosion problem. In this work, we propose a method that systematises the use of local analysis in the verification of deadlock freedom for concurrent and distributed systems. It combines a strategy for system decomposition with the verification of the decomposed subsystems via adherence to behavioural patterns…
▽ More
Local analysis has long been recognised as an effective tool to combat the state-space explosion problem. In this work, we propose a method that systematises the use of local analysis in the verification of deadlock freedom for concurrent and distributed systems. It combines a strategy for system decomposition with the verification of the decomposed subsystems via adherence to behavioural patterns. At the core of our work, we have a number of CSP refinement expressions that allows the user of our method to automatically verify all the behavioural restrictions that we impose. We also propose a prototype tool to support our method. Finally, we demonstrate the practical impact our method can have by analysing how it fares when applied to some examples.
△ Less
Submitted 18 July, 2022;
originally announced July 2022.
-
Specification is Law: Safe Creation and Upgrade of Ethereum Smart Contracts
Authors:
Pedro Antonino,
Juliandson Ferreira,
Augusto Sampaio,
A. W. Roscoe
Abstract:
Smart contracts are the building blocks of the "code is law" paradigm: the smart contract's code indisputably describes how its assets are to be managed - once it is created, its code is typically immutable. Faulty smart contracts present the most significant evidence against the practicality of this paradigm; they are well-documented and resulted in assets worth vast sums of money being compromis…
▽ More
Smart contracts are the building blocks of the "code is law" paradigm: the smart contract's code indisputably describes how its assets are to be managed - once it is created, its code is typically immutable. Faulty smart contracts present the most significant evidence against the practicality of this paradigm; they are well-documented and resulted in assets worth vast sums of money being compromised. To address this issue, the Ethereum community proposed (i) tools and processes to audit/analyse smart contracts, and (ii) design patterns implementing a mechanism to make contract code mutable. Individually, (i) and (ii) only partially address the challenges raised by the "code is law" paradigm. In this paper, we combine elements from (i) and (ii) to create a systematic framework that moves away from "code is law" and gives rise to a new "specification is law" paradigm. It allows contracts to be created and upgraded but only if they meet a corresponding formal specification. The framework is centered around \emph{a trusted deployer}: an off-chain service that formally verifies and enforces this notion of conformance. We have prototyped this framework, and investigated its applicability to contracts implementing two widely used Ethereum standards: the ERC20 Token Standard and ERC1155 Multi Token Standard, with promising results.
△ Less
Submitted 16 May, 2022;
originally announced May 2022.
-
Trusted And Confidential Program Analysis
Authors:
Han Liu,
Pedro Antonino,
Zhiqiang Yang,
Chao Liu,
A. W. Roscoe
Abstract:
We develop the concept of Trusted and Confidential Program Analysis (TCPA) which enables program certification to be used where previously there was insufficient trust. Imagine a scenario where a producer may not be trusted to certify its own software (perhaps by a foreign regulator), and the producer is unwilling to release its sources and detailed design to any external body. We present a protoc…
▽ More
We develop the concept of Trusted and Confidential Program Analysis (TCPA) which enables program certification to be used where previously there was insufficient trust. Imagine a scenario where a producer may not be trusted to certify its own software (perhaps by a foreign regulator), and the producer is unwilling to release its sources and detailed design to any external body. We present a protocol that can, using trusted computing based on encrypted sources, create certification via which all can trust the delivered object code without revealing the unencrypted sources to any party. Furthermore, we describe a realization of TCPA with trusted execution environments (TEE) that enables general and efficient computation. We have implemented the TCPA protocol in a system called TCWasm for web assembly architectures. In our evaluation with 33 benchmark cases, TCWasm managed to finish the analysis with relatively slight overheads.
△ Less
Submitted 1 December, 2021;
originally announced December 2021.
-
From Complexity Measurement to Holistic Quality Evaluation for Automotive Software Development
Authors:
Jens Heidrich,
Michael Kläs,
Andreas Morgenstern,
Pablo Oliveira Antonino,
Adam Trendowicz,
Jochen Quante,
Thomas Grundler
Abstract:
In recent years, the role and the importance of software in the automotive domain have changed dramatically. Being able to systematically evaluate and manage software quality is becoming even more crucial. In practice, however, we still find a largely static approach for measuring software quality based on a predefined list of complexity metrics with static thresholds to fulfill. We propose using…
▽ More
In recent years, the role and the importance of software in the automotive domain have changed dramatically. Being able to systematically evaluate and manage software quality is becoming even more crucial. In practice, however, we still find a largely static approach for measuring software quality based on a predefined list of complexity metrics with static thresholds to fulfill. We propose using a more flexible framework instead, which systematically derives measures and evaluation rules based on the goals and context of a development project.
△ Less
Submitted 27 October, 2021;
originally announced October 2021.
-
Guardian: symbolic validation of orderliness in SGX enclaves
Authors:
Pedro Antonino,
Wojciech Aleksander Wołoszyn,
A. W. Roscoe
Abstract:
Modern processors can offer hardware primitives that allow a process to run in isolation. These primitives implement a trusted execution environment (TEE) in which a program can run such that the integrity and confidentiality of its execution are guaranteed. Intel's Software Guard eXtensions (SGX) is an example of such primitives and its isolated processes are called \emph{enclaves}. These guarant…
▽ More
Modern processors can offer hardware primitives that allow a process to run in isolation. These primitives implement a trusted execution environment (TEE) in which a program can run such that the integrity and confidentiality of its execution are guaranteed. Intel's Software Guard eXtensions (SGX) is an example of such primitives and its isolated processes are called \emph{enclaves}. These guarantees, however, can be easily thwarted if the enclave has not been properly designed. Its interface with the untrusted software stack is arguably the largest attack surface that adversaries can exploit; unintended interactions with untrusted code can expose the enclave to memory corruption attacks, for instance. In this paper, we propose a notion of an \emph{orderly} enclave which splits its behaviour into several execution phases each of which imposes a set of restrictions on accesses to untrusted memory, phase transitions and registers sanitisation. A violation to these restrictions indicates an undesired behaviour which could be harnessed to perpetrate attacks against the enclave. We also introduce \Analyser{}: a tool that uses symbolic execution to carry out the validation of an enclave against our notion of an orderly enclave; in this process, it also looks for some typical memory-corruption vulnerabilities. We discuss how our approach can prevent and flag enclave vulnerabilities that have been identified in the literature. Moreover, we have evaluated how our approach fares in the analysis of some practical enclaves. \Analyser{} was able to identify real vulnerabilities on these enclaves which have been acknowledged and fixed by their maintainers.
△ Less
Submitted 12 May, 2021;
originally announced May 2021.
-
A Systematic Identification of Formal and Semi-formalLanguages and Techniques for Software-intensiveSystems-of-Systems Requirements Modeling
Authors:
Cristiane Aparecida Lana,
Milena Guessi,
Pablo Oliveira Antonino,
Dieter Rombach,
Elisa Yumi NakagawaA
Abstract:
Software-intensive Systems-of-Systems (SoS) refer to an arrangement of managerially and operationally independent systems(i.e., constituent systems), which work collaboratively towards the achievement of global missions. Because some SoS are developed for critical domains, such as healthcare and transportation, there is an increasing need to attain higher quality levels, which often justifies addi…
▽ More
Software-intensive Systems-of-Systems (SoS) refer to an arrangement of managerially and operationally independent systems(i.e., constituent systems), which work collaboratively towards the achievement of global missions. Because some SoS are developed for critical domains, such as healthcare and transportation, there is an increasing need to attain higher quality levels, which often justifies additional costs that can be incurred by adopting formal and semi-formal approaches (i.e., languages and techniques) for modeling requirements. Various approaches have been employed, but a detailed landscape is still missing, and it is not well known whether they are appropriate for addressing the inherent characteristics of SoS. The main contribution of this article is to present this landscape by reporting on the state of the art in SoS requirements modeling. This landscape was built by means of a systematic map** and shows formal and semi-formal approaches grouped from model-based to property-oriented ones. Most of them have been tested in safety-critical domains, where formal approaches such as finite state machines are aimed at critical system parts, while semi-formal approaches (e.g., UML and i*) address non-critical parts. Although formal and semi-formal modeling is an essential activity, the quality of SoS requirements does not rely solely on which formalism is used, but also on the availability of supporting tools/mechanisms that enable, for instance, requirements verification along the SoS lifecycle
△ Less
Submitted 14 July, 2020;
originally announced July 2020.
-
Formalising and verifying smart contracts with Solidifier: a bounded model checker for Solidity
Authors:
Pedro Antonino,
A. W. Roscoe
Abstract:
The exploitation of smart-contract vulnerabilities can have catastrophic consequences such as the loss of millions of pounds worth of crypto assets. Formal verification can be a useful tool in identifying vulnerabilities and proving that they have been fixed. In this paper, we present a formalisation of Solidity and the Ethereum blockchain using the Solid language and its blockchain; a Solid progr…
▽ More
The exploitation of smart-contract vulnerabilities can have catastrophic consequences such as the loss of millions of pounds worth of crypto assets. Formal verification can be a useful tool in identifying vulnerabilities and proving that they have been fixed. In this paper, we present a formalisation of Solidity and the Ethereum blockchain using the Solid language and its blockchain; a Solid program is obtained by explicating/desugaring a Solidity program. We make some abstractions that over-approximate the way in which Solidity/Ethereum behave. Based on this formalisation, we create Solidifier: a bounded model checker for Solidity. It translates Solid into Boogie, an intermediate verification language, that is later verified using Corral, a bounded model checker for Boogie. Unlike much of the work in this area, we do not try to find specific behavioural/code patterns that might lead to vulnerabilities. Instead, we provide a tool to find errors/bad states, i.e. program states that do not conform with the intent of the developer. Such a bad state, be it a vulnerability or not, might be reached through the execution of specific known code patterns or through behaviours that have not been anticipated.
△ Less
Submitted 7 February, 2020;
originally announced February 2020.
