Mango: Performance and Vulnerability Detection Potential
Frank Rimlinger
Information Assurance Directorate
National Security Agency
http://babelfish.arc.nasa.gov/trac/jpf/wiki/projects/jpf-mango
Summary
• Mango formal models for 5 Android apps
• Eclipse package explorer, Mango preferences
• Project, Auto and Approx
• Mango model build performance data.
• Case exhaustion
• Testing
• Anatomy of the “resource not closed” vulnerability
• All dressed up, nowhere to go.
Side-markers show Mango model
Loop side-markers are grey
Formal model artifacts
Artifact: piece of a giant puzzle
Fit together, make useful inferences
Package Explorer and preferences
• Project X, say SampleSyncAdapter.
• XAuto: SampleSyncAdapterAuto - contains Java declarations for non-source, like android.jar code.
• XApprox: contains user generated declarations for “hidden code”.
• XApprox: contains user generated code approximations
The “admin user” has already created approximations for system level code
Elaborate mechanism for resolving references, with possible user assist
Auto-generated native source declarations
type only model
Case study: user intervention to avoid “formal heap blow-out”
The user generated approximation
Mango by the numbers

                              LINK (Native)    SPECIFY
                     LOC      Auto    User     #Methods   Min
BluetoothHDP         534      70      0        86         4
JetBoy               868      59      4(2)     72         8*
NotePad              968      117     11(4)    79         9
RandomMusicPlayer    988      89      0        112        12
SampleSyncAdapter    1786     151     3(2)     170        19
FirstYearCode        2700     2       0        163        104**
Total                7844                      682        156
(Mango)              198000

*requires abstraction of source code constructor: com.example.android.jetboy$JetBoyThread(SurfaceHolder surfaceHolder, Context context, Handler handler); due to excessive load on heap.
**Most of this time is to handle deeply nested loops in test.firstYearCode.tictactoe
Case Exhaust
Outcome
Forcing the close method through a bottle-neck
Code to tell Mango to check the garbage for “closed” flag.
“Good” test, should not fire vulnerability
“Bad” test should fire vulnerability
Vulnerability Hit
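The "closed flag" strategy named on the preceding slides, sketched as an added Java illustration. This is not Mango code and does not use Mango's API. The toy heap, the Resource class and unclosedGarbage are hypothetical stand-ins for the formal model and its garbage check.

```java
import java.util.*;

// Added illustration, not Mango code: a toy heap stands in for the formal model.
public class ClosedFlagCheck {
    // Tracked resource. Every close path funnels through close(), the single
    // bottleneck that sets the "closed" flag.
    static class Resource {
        final String name;
        boolean closed = false;
        final List<Resource> refs = new ArrayList<>(); // outgoing references
        Resource(String name) { this.name = name; }
        void close() { closed = true; }
    }

    // Mark everything reachable from the roots; whatever is left is garbage.
    // Garbage whose flag is still false is a "resource not closed" hit.
    static List<String> unclosedGarbage(Collection<Resource> heap,
                                        Collection<Resource> roots) {
        Set<Resource> live = new HashSet<>(); // identity equality (no equals override)
        Deque<Resource> work = new ArrayDeque<>(roots);
        while (!work.isEmpty()) {
            Resource r = work.pop();
            if (live.add(r)) work.addAll(r.refs);
        }
        List<String> hits = new ArrayList<>();
        for (Resource r : heap)
            if (!live.contains(r) && !r.closed) hits.add(r.name);
        return hits;
    }

    public static void main(String[] args) {
        // "Good" test: closed before the last reference is dropped.
        Resource good = new Resource("goodStream");
        good.close();
        System.out.println("good: " + unclosedGarbage(List.of(good), List.of()));

        // "Bad" test: reference dropped with close() never called.
        // stillOpen is unclosed too, but reachable, so it must not fire.
        Resource bad = new Resource("badStream");
        Resource stillOpen = new Resource("stillOpen");
        System.out.println("bad:  "
            + unclosedGarbage(List.of(bad, stillOpen), List.of(stillOpen)));
    }
}
```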
Summary
• Mango can build a formal model for a small (<10k loc) Eclipse project with minimal user assistance.
• To detect a vulnerability, user must devise a strategy based on known, quantifiable properties (e.g. the “closed” flag).
• Mango supports strategy implementation and vulnerability test fielding via symbolic simulation.