CherryPie: A Program Analysis to Assist the Detection of Logic Bombs

Presented as part of the 2019 HCSS conference.

C. Durward McDonell, Mark Thober, Jonathan Myers, Raymond McDowell, Ian Blumenfeld

This talk describes CherryPie, a program analysis-based approach to accelerate the discovery of logic bombs in software. Detecting logic bombs during system certification requires discovering undesirable functionality that is explicitly designed to avoid discovery. A high-impact logic bomb must be carefully hidden to avoid accidental triggering. CherryPie exploits this requirement to identify potential logic bombs by recognizing code within a software application that is unlikely to be exercised during test or normal operations. These results can be used to prioritize program regions for manual analysis or targeted test vector generation. The core algorithms of CherryPie are (a) a multi-colored taint analysis used to identify program locations that depend on a variety of program state elements, and (b) symbolic execution with SMT model estimation to prioritize the identified locations based on the fraction of program state space satisfying the location’s path condition. Initial testing of CherryPie against a logic bomb inserted in the Angband text adventure game demonstrated the potential of the approach by eliminating almost two thirds of program blocks as unlikely to contain logic bombs based on taint analysis and rating the actual block implementing the trigger as three orders of magnitude more likely to be a logic bomb than other blocks. These early results suggest that CherryPie may be able to greatly accelerate the costly manual process of evaluating critical software for the presence of logic bombs.
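The two-stage idea in the abstract, sketched as an added example that is not CherryPie's code: each input source is one taint color, blocks whose guard mixes several colors are kept, and the survivors are ranked by the fraction of input space that reaches them. The toy program, its names, the `min_colors` threshold and the use of exhaustive enumeration over a small domain in place of symbolic execution with SMT model estimation are all assumptions made for illustration.

```python
from itertools import product

# Constructed toy program (not from Angband or CherryPie).
# Each input source is one taint "color" with a small finite domain.
INPUTS = {"day": range(1, 32), "level": range(1, 51), "key": range(256)}

# Derived variables: (name, variables read, function of the environment).
ASSIGN = [
    ("depth", ("level",), lambda e: e["level"] * 50),
    ("mix", ("day", "key"), lambda e: (e["day"] * 7) ^ e["key"]),
]

# Guarded blocks: name -> (variables the guard reads, guard predicate).
BLOCKS = {
    "shop_restock": (("day",), lambda e: e["day"] % 7 == 0),
    "deep_monsters": (("depth",), lambda e: e["depth"] > 1000),
    "odd_branch": (("mix", "depth"),
                   lambda e: e["mix"] == 0x5A and e["depth"] == 2500),
}

def colors():
    """Stage (a): a block's colors are every input its guard depends on."""
    taint = {name: {name} for name in INPUTS}
    for var, reads, _ in ASSIGN:
        taint[var] = set().union(*(taint[r] for r in reads))
    return {b: set().union(*(taint[r] for r in reads))
            for b, (reads, _) in BLOCKS.items()}

def fractions():
    """Stage (b) stand-in: exact fraction of inputs satisfying each guard."""
    hits, total, names = dict.fromkeys(BLOCKS, 0), 0, list(INPUTS)
    for values in product(*INPUTS.values()):
        env = dict(zip(names, values))
        for var, _, fn in ASSIGN:
            env[var] = fn(env)
        total += 1
        for b, (_, guard) in BLOCKS.items():
            hits[b] += guard(env)
    return {b: hits[b] / total for b in BLOCKS}

def rank(min_colors=2):
    """Drop blocks mixing fewer than min_colors colors; rarest guard first."""
    col, frac = colors(), fractions()
    keep = [b for b in BLOCKS if len(col[b]) >= min_colors]
    return sorted(keep, key=lambda b: frac[b])

if __name__ == "__main__":
    print(rank(), fractions())
```

Here the color filter removes two of the three blocks before any counting is needed, and the remaining guard is satisfied by 31 of 396,800 inputs, which is the kind of region a reviewer would read first.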

J. Aaron Pendergrass is the Chief Scientist of the Enterprise Systems Cyber Research Group at the Johns Hopkins University Applied Physics Laboratory (JHUAPL). He holds a master’s degree in computer science from the University of Maryland at College Park and a bachelor’s in computer science and mathematics from Oberlin College. Aaron was the primary founder of JHUAPL’s Software Assurance Research and Application Lab (SARA Lab), focused on improving the state of the art and state of practice in automated software analysis and formal verification. Aaron has also worked extensively in virtualization-based software isolation, software integrity measurement, and software reverse engineering.