Formally Verified Cryptographic Web Applications J. Protzenko et al. - PowerPoint PPT Presentation

  1. Formally Verified Cryptographic Web Applications in WebAssembly. Jonathan Protzenko (Microsoft Research), Benjamin Beurdouche (INRIA), Denis Merigoux (INRIA), Karthik Bhargavan (INRIA). J. Protzenko et al. — MSR + INRIA, Verified Cryptographic Web Applications in WASM, May 22, 2019 (22 slides).

  2. The Web beyond the Web. The Web environment has become the choice target for deploying applications. Think: websites, desktop apps (Electron), server apps (node.js), browser addons… How about security-sensitive applications, such as password managers or secure messengers?

  3. Life is hard for secure web apps. Application developers are at a loss for secure toolchains targeting the Web runtime: • custom cryptographic schemes • ad-hoc protocols • unverifiable app logic • hostile target environment (JavaScript). (Larger) Claim: the JavaScript toolchain is inadequate for Web-based security-sensitive applications.

  4. An F∗ to WASM toolchain. We formalize a verified pipeline from Low∗ to WASM and implement it in the KreMLin compiler. Diagram (pipeline): F∗ → Low∗ (ICFP’17) → C♭ → WASM (browser, node, …) and Machine Code; the formalized steps are marked “paper”, with a side-channel check.

  5. This work’s contributions. • A generic toolchain (formalization and implementation) to compile F∗ programs to WebAssembly • The HACL∗ verified cryptographic library compiled to WebAssembly • A formally verified implementation of Signal, in WebAssembly • Verified for functional correctness, memory safety, side-channel resistance and protocol security • No performance penalty; same API; ready to integrate.

  6. Our running example: Signal. • Signal powers WhatsApp, Messenger, Skype, Signal. This means over 1 billion users • Allows communicating asynchronously (trend) • Relies on server with limited trust • Generally trust-on-first-use. Let’s start by a quick overview of the protocol.

  7. Animated diagram (Alice, Server, Bob), Alice’s side: Bob publishes keys → Alice fetches Bob’s key bundle → X3DH (rk 0) → Diffie-Hellman ratchet (rk 1, ck 1) → “hey Bob” (m 1 + keys) → symmetric key ratchet (ck 2) → “where’s the secret stash” (m 2) → etc.

  8. Animated diagram, Bob’s side: receives m 1 + keys → X3DH (rk 0) → Diffie-Hellman ratchet (rk 1, ck 1) → m 1 = “hey Bob” → receives m 2 → symmetric key ratchet (ck 2) → m 2 = “where’s the secret stash” → etc. → Bob replies: Diffie-Hellman ratchet (rk 2, ck 3) → “it’s at Oakland” (m 3 + keys) → etc.

  9. Signal: a recap. • the protocol is sophisticated • X3DH for session initiation • double-ratchet for asynchronous communications, forward secrecy and post-compromise security • involves non-trivial cryptography (X25519, etc.). https://signal.org/docs/

  10. Step 1: a protocol specification. Written in ProVerif (symbolic model). Builds on previous work (Euro S&P’17). Guarantees integrity, confidentiality, forward secrecy, post-compromise security. Initiator I, prior knowledge: $(i, g^i)$, …; Responder R, prior knowledge: $(r, g^r), (s, g^s)\,[, (o, g^o)]$, …. $\mathrm{Initiate}(i, g^r, g^s\,[, g^o]) \to (rk_0)$: generate $(e, g^e)$; $dh_0 = \mathtt{0xFF} \,|\, g^{si} \,|\, g^{re} \,|\, g^{se} \,[\,|\, g^{oe}]$; $rk_0 = \mathrm{HKDF}(dh_0, \mathtt{0x00}^{32}, \text{``WhisperText''})$.
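The Initiate step spelled out on this slide, worked as an added Python example (not the authors’ F∗/Low∗ code): initiator and responder each compute the three (or four) X25519 shared secrets and derive the same rk0. Assumed beyond what the slide states, following the X3DH specification: the 0xFF prefix is 32 bytes long, HKDF is HKDF-SHA256 with a 32-byte output, and the X25519 ladder is a plain-Python reference that is not constant-time, unlike HACL∗.

```python
import hmac, hashlib, os
P = 2**255 - 19
BASE = (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:  # RFC 7748 ladder; reference only, not constant-time
    kb = bytearray(k); kb[0] &= 248; kb[31] &= 127; kb[31] |= 64   # clamp the scalar
    k = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    x2, z2 = (x3, z3) if swap else (x2, z2)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, n: int = 32) -> bytes:
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()      # RFC 5869 extract
    out, t, i = b"", b"", 1
    while len(out) < n:                                      # RFC 5869 expand
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + t, i + 1
    return out[:n]

def rk0_from(dh_parts):
    # dh0 = F | g^si | g^re | g^se [| g^oe]; F assumed to be 32 bytes of 0xFF as in X3DH
    return hkdf_sha256(b"\xff" * 32 + b"".join(dh_parts), b"\x00" * 32, b"WhisperText")

def x3dh_initiate(i: bytes, g_r: bytes, g_s: bytes, g_o: bytes = None):
    """Initiate(i, g^r, g^s[, g^o]) -> (rk0, g^e), the slide's formula."""
    e = os.urandom(32)                                  # generate (e, g^e)
    parts = [x25519(i, g_s), x25519(e, g_r), x25519(e, g_s)]
    if g_o is not None:
        parts.append(x25519(e, g_o))                    # optional one-time prekey
    return rk0_from(parts), x25519(e, BASE)

def x3dh_respond(r, s, o, g_i, g_e):
    """Responder R recomputes the same shared secrets from its own private keys."""
    parts = [x25519(s, g_i), x25519(r, g_e), x25519(s, g_e)]
    if o is not None:
        parts.append(x25519(o, g_e))
    return rk0_from(parts)
```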

  11. Step 2: transcribe specifications to F∗. An ML-like language with support for program verification via SMT automation. • Specifications include more detail than ProVerif (e.g. tags) • Currently manual; hope to automate it • Specifications extract to OCaml, for tests – not suitable for implementations!

  12. Step 3a: implement cryptography etc. We use HACL∗ for the cryptographic primitives. HACL∗ has been integrated in Firefox, WireGuard, mbedTLS, … Now available on the Web! Generally useful: • fills the gap for custom or new primitives (not in WebCrypto or Node) • a solution for code that needs synchronous APIs • avoid legacy libraries (OpenSSL on Node).

  13. Step 3b: implement Signal core. We implement all the core operations of the Signal protocol in Low∗. Low∗ is a low-level subset of F∗ that compiles to C using the KreMLin compiler. Low∗ has been used by HACL∗, EverCrypt, Merkle Trees, libquiccrypto. Now a verified implementation of Signal in C and WebAssembly.

  14. Step 4: compile Low∗ to WebAssembly. A new, safe, widely supported target for fast, portable execution. Used primarily in web runtimes but not only. • isolation guarantees • basic type safety relying on an operand stack and structured control flow • more compiler support every day: LLVM, emscripten, mono, etc. Used for video games, AutoCad, large applications…

  15. Our ProVerif to WASM toolchain. We formalize a verified pipeline from ProVerif to WASM and extend the KreMLin compiler with a WASM backend. Diagram: ProVerif —transcribe→ F∗ spec; the Low∗ impl refines the F∗ spec; Low∗ impl —compiles via KreMLin→ WebAssembly.

  16. A direct route from Low∗ to WASM. We formalize the compilation from Low∗ to WASM. A simple translation (WASM is an expression language) that eliminates complexity and fits in two paper pages. Thanks to a new intermediary language in KreMLin, the compilation rules are compact, auditable and simple.

  17. A direct route from Low∗ to WASM. We implement the compilation from Low∗ to WASM. • 2,400 lines of OCaml code (total: 11,000) • does not implement any sophisticated optimization • very regular. The implementation is carefully audited and follows the paper rules. Consequence: a high-assurance compilation toolchain to WASM!

  18. An indirect route from Low∗ to WASM. Classic route (via Emscripten): Low∗ → C → WASM. • massive TCB • no side-channel reasoning • requires KreMLin to deal with C semantics (unnecessary transformations). One reason we chose to implement our own toolchain… With only 2,400 extra lines of OCaml, we have greater confidence.

  19. What we prove. Thanks to a combination of techniques, we guarantee: • memory safety, by virtue of Low∗ • functional correctness, by virtue of the specifications • absence of “classic” side-channel leaks, by construction and through a dedicated check. In short, we offer a library of core building blocks of the Signal protocol. Session and state management, policies to discard old ratchets, etc. are left to the JavaScript code (need integration with the browser).
