HACL* in Mozilla Firefox Formal methods and high assurance - - PowerPoint PPT Presentation


HACL* in Mozilla Firefox: Formal methods and high assurance applications for the web. B. Beurdouche, K. Bhargavan, J. Protzenko, J-K. Zinzindohoué (Project Everest); F. Kiefer, E. Rescorla, T. Taubert, M. Thomson (Mozilla). Real World Crypto 2018.


SLIDE 1

HACL* in Mozilla Firefox

Formal methods and high assurance applications for the web

Real World Crypto 2018

  • B. Beurdouche
  • K. Bhargavan
  • J. Protzenko
  • J-K. Zinzindohoué

(Project Everest)

  • F. Kiefer
  • E. Rescorla
  • T. Taubert
  • M. Thomson

(Mozilla)

SLIDE 2

Let’s focus on Crypto[graphy] !

SLIDE 3

Implementing cryptography is difficult

  • Memory Safety (think Heartbleed)
  • Functional correctness
  • Side channels (think Lucky 13)

SLIDE 4

Functional correctness is difficult

[2016] Integer overflow in OpenSSL’s Poly1305

SLIDE 5

Implementing is hard for everyone

  • [2014] TweetNaCl
  • [2014] Curve25519-Donna

Even for very skilled programmers or cryptographers !

SLIDE 6

Network Security Services (NSS) library

Multi product security library

  • Joint effort from Mozilla, RedHat…
  • Security Library for Firefox in C/C++
  • Used in RHEL, Fedora, BSDs…

Large number of primitives

  • Both recent and legacy primitives for interoperability

Higher level components

  • Protocols (TLS…)
  • Cryptographic APIs (WebCrypto, PKCS...)

SLIDE 7

Redesigning NSS

“NSS is old, there is a lot of legacy code”

“How can we make NSS more modern and get higher confidence in its correctness ?”

There was no clear way on how to get there...

  • Clean room redesign “à la BoringSSL”
  • More money ?! More hiring ?!

Decision

  • Improve step-by-step the confidence in code correctness using formal verification

SLIDE 8

Research challenge from the OpenSSL team

Emilia Kasper, Real World Crypto (2015)

SLIDE 9

Formal methods inbound

Recent academic developments for Cryptography

"Automated Verification of Real-World Cryptographic Implementations", Aaron Tomb, IEEE Security & Privacy, vol. 14, no. , pp. 26-33, Nov.-Dec. 2016

SLIDE 10

What kind of verification and how ?

  • Code generation or Verification of existing code ?
  • Assembly, C or High-Level Languages ?

SLIDE 11

CCS 2017 - https://eprint.iacr.org/2017/536

SLIDE 12

F* verification workflow

[Diagram: verification workflow]

  • Inputs: Crypto Standard (RFC, NIST…); State-of-the-art code (C)
  • Spec (F*), Code (F*), Trusted Library (F*)
  • Verify (F*): Memory safety, Functional correctness, Secret independence. Failure: Potential bug.
  • Compile (KreMLin). Failure: Cannot be compiled to C. Success: Verified Code (C).
  • Correctness theorem [ICFP2017]

SLIDE 13

Low*

HACL* - High Assurance Crypto Library

CCS 2017 - https://eprint.iacr.org/2017/536

Functionalities

  • Hash function (SHA-2)
  • Message authentication (HMAC, Poly1305)
  • Symmetric ciphers (Chacha20, Salsa20)
  • Key Exchange algorithm (Curve25519)
  • Signature scheme (Ed25519)
  • AEAD (Chacha20Poly1305)

Formal verification can scale up !

SLIDE 14

Specification for Poly1305

SLIDE 15

What do the stateful code and proofs look like ?

SLIDE 16

Low* Poly1305 compiled to C

Low* code

C code

SLIDE 17

HACL* in Mozilla Firefox

SLIDE 18

HACL* in Mozilla Firefox

Firefox 57 "Quantum" was a major release for Mozilla

  • Includes verified cryptography from HACL* (Curve25519)

Next batch of primitives on its way

  • Vectorized Chacha20Poly1305 + Ed25519
  • SHA2 + HMAC + HKDF
  • RSA_PSS + P256 …

Firefox Nightly already has more

  • Chacha20 and Poly1305

SLIDE 19

How does one go from an academic project to production code in the industry?

SLIDE 20

Integration process constraints

Code integration

  • Readable, reviewable code

Deployment and support

  • NSS runs on almost everything
  • API and ABI stability

Performance

  • Reducing performance is not acceptable (in general)

Toolchain integration

  • Insert verification into the current dev. workflow

SLIDE 21

HACL* Performance (C code)

[Chart: CPU cycles/byte (lower is better). Panels: Encrypt, Hash, or MAC 16KB; 1 Diffie-Hellman; Sign, verify 16KB]

+20 % faster than previous NSS code

SLIDE 22

Code review (Phabricator)

Removing empty branches, unreachable code…

SLIDE 23

Improving code quality

  • Better variable naming
  • Removing intermediate variables

SLIDE 24

HACL* verification toolchain in NSS CI (treeherder)

SLIDE 25

Supporting multiple platforms

Large number of supported platforms

  • CI does not support all platforms
  • Trusted code base is a problem
  • Some bugs can be introduced by contributors

SLIDE 26

A common workflow

[Diagram: pipeline stages, each with success and failure outcomes]

  • Write F* spec & code
  • Prove Low* code
  • Extract to C and Test
  • Format and Audit
  • CI Verification and Tests
  • Production

Verified Code (C)

SLIDE 27

What’s next ?

The future of NSS

  • Removing more obsolete code
  • Mixing-in other formal methods
  • Integrate formally verified assembly
  • Verifying parsers and protocols

The future of HACL*

  • Implement new primitives
  • Reduce proof effort and verification time
  • Reduce trust in our tools (verify KreMLin, F*…)
  • Support more platforms (WASM, RIOT…)

SLIDE 28

Use it ! Test it ! Break it !

(NSS crypto is eligible for Mozilla’s bug bounty program)

Get in touch !

@beurdouche
benjamin.beurdouche@inria.fr

Project Everest