Adversarial Reachability for Program-level Security Analysis

Abstract Many program analysis tools and techniques have been developed to assess vulnerability. Yet, they are based on the standard concept of reachability represent an attacker able craft smart legitimate input, while in practice attackers can be much more powerful, using for instance micro-architectural exploits or fault injection methods. We introduce adversarial , a framework allowing reason about such advanced check whether system is vulnerable immune particular attacker. As equipping with new capacities significantly increases state space under analysis, we present symbolic exploration algorithm, namely execution injecting faults forkless manner prevent path explosion, together optimizations dedicated reduce number injections consider keeping same power. Experiments representative benchmarks from show that our method reduces paths explore, scale up 10 where prior work timeout 3 faults. In addition, analyze well-tested WooKey bootloader, demonstrate ability find attacks evaluate countermeasures real-life security scenarios. were especially attack not mentioned previous patch.