Meta-F* Language Extensibility, Metaprogramming and Proof automation https://fstar-lang.github.io https://project-everest.github.io/
• MSR Redmond: Barry Bond, Chris Hawblitzel, Qunyan Magnus, Kiran Muthabatulla, Jonathan Protzenko, Tahina Ramananandro, Nikhil Swamy, Gustavo Varo
• MSR Cambridge: Antoine Delignat-Lavaud, Cédric Fournet, Christoph M. Wintersteiger, Santiago Zanella-Béguelin
• MSR India: Aseem Rastogi
• INRIA Paris: Danel Ahman, Kenji Maillard, Benjamin Beurdouche, Karthikeyan Bhargavan, Victor Dumitrescu, Cătălin Hriţcu, Marina Polubelova
• CMU (Pittsburgh): Jay Bosamiya, Aymeric Fromherz, Bryan Parno
• Edinburgh: Markulf Kohlweiss
• Interns, open-source contributors, visitors, alumni: Guido Martinez, Zoe Paraskevopoulou, Yao Li, Joonwon Choi, Clément Pit-Claudel, Nick Giannarakis, Niklas Grimm, Anita Gollamudi, Nadim Kobeissi, Matteo Maffei, Asher Manning, Monal Narasimhamurthy, Gordon Plotkin, Perry Wang, Jean-Karim Zinzindohoue
Goal: A secure channel
• Server: accept(port); request = recv(); send “<html>…”; order = recv(); …
• Client: connect(server,port); send “GET…”; data = recv(); send “POST…”; …
• Public Key Infrastructure
• Threat model
20 years of attacks & fixes
• Buffer overflows • Incorrect state machines • Lax certificate parsing • Weak or poorly implemented crypto • Side channels • Informal security goals • Dangerous APIs • Flawed standards
Mainstream implementations: OpenSSL, SChannel, NSS, …
Much discussion: IETF, Google, Mozilla, Microsoft, CDNs, cryptographers, network engineers, …
RFC 8446: Aug 2018
• Including many of our proposals
• Mentioning many formal models of the protocol, including our verified implementation of the record layer
Many improvements
• Modern design • Fewer roundtrips • Stronger security
New implementations required for all
• An early implementer and verified too!
• Find & fix flaws before it’s too late
Project Everest: Verified Secure Components in the TLS Ecosystem
• TLS, QUIC
• Crypto Algorithms: ECDH, AES, RSA, SHA, …
• Network buffers
• Untrusted network (TCP, UDP, …)
Verification Tools and Methodology
F*: A general purpose programming language and verification tool
Math spec in F*: poly1305_mac computes a polynomial in GF(2^130-5), storing the result in tag, and not modifying anything else
val nbytes 16 → u32 → nbytes len → ∧ nbytes 32 → ST unit ∈ ∧ ∈ ∧ ∈ requires λ → ensures λ → let in let in modifies ∧
kreMLin: Compiler from (a subset of) F* to C
Efficient C implementation: verification imposes no runtime performance overhead
void poly1305_mac(uint8_t *tag, uint32_t len, uint8_t *msg, uint8_t *key)
{
  uint64_t tmp[10] = { 0 };
  uint64_t *acc = tmp;                /* accumulator: tmp[0..4] */
  uint64_t *r = tmp + (uint32_t)5;    /* r: tmp[5..9] */
  uint8_t s[16] = { 0 };
  Crypto_Symmetric_Poly1305_poly1305_init(r, s, key);
  Crypto_Symmetric_Poly1305_poly1305_process(msg, len, acc, r);
  Crypto_Symmetric_Poly1305_poly1305_finish(tag, acc, s);
}
Legend: Trusted, Verified
• Security spec: Secure authenticated channel
• Protocol security proofs
• Protocol specs
• Implementation
• Crypto assumptions: AES is a pseudo-random function
Everest in Action, so far: Production deployments of Everest Verified Cryptography
So what is this F* thing anyway?
Two camps of program verification tools
F*: Bridging the gap
Beyond Pure Code Effects
Effectful programs with Hoare-style Specifications
Effectful programs with Hoare-style Specifications STExn
Exploiting Expressiveness & Extensibility Low*: A subset of F* that compiles to C
Low* to C
• Designed to allow manipulating a C-like view of memory
• And to support compilation to C, in nearly 1-1 correspondence, for auditability of our generated code
• Stack allocation • Pointer arithmetic • Erased specification
But SMT-based proofs can go awry
And can be at a low level of abstraction
Domain-specific languages, ad hoc proof automation, extensibility elaborator reflection
A passive compiler pipeline
• Parsing & Desugaring • Typechecker • Extraction aka Code generation
• Higher-order Unification • Normalizer • SMT Encoding
Scripting components with a metaprogram
• Parsing & Desugaring • Typechecker • Extraction aka Code generation
• Higher-order Unification • Normalizer • SMT Encoding
Scripting a language implementation from within the language
From F* to Meta-F*, In three easy steps
Proof-state: A collection of typed holes
Metaprograms are proofstate transformers • Uses an existing F* effect for non-termination: Dv • The type of the state is an abstract type: proofstate • error is the type of exceptions State + Exception + Non-termination monad
Metaprogramming as a user-defined effect • Standard definitions of return, bind, get, raise • Exceptions reset the state
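A minimal F* model of the state + exception + non-termination monad described on these slides, added here as an illustration; it is not code from the talk or from the F* sources. The constructor names `Success`/`Failed`, the `t_`-prefixed function names and the `t_or_else` combinator are assumptions, and `proofstate` and `error` are left abstract:

```fstar
module TacModel

(* Assumed abstract types, named as on the slide. *)
assume new type proofstate   (* the collection of typed holes *)
assume new type error        (* the type of exceptions *)

(* Running a metaprogram either succeeds with a value and a new
   proof-state, or fails with an error. A failure carries no state. *)
noeq type result (a:Type) =
  | Success : v:a -> ps:proofstate -> result a
  | Failed  : e:error -> result a

(* A metaprogram is a proof-state transformer that may diverge (Dv). *)
let tac (a:Type) = proofstate -> Dv (result a)

let t_return (#a:Type) (x:a) : tac a =
  fun ps -> Success x ps

(* Thread the proof-state through; stop at the first failure. *)
let t_bind (#a #b:Type) (m:tac a) (f:a -> tac b) : tac b =
  fun ps ->
    match m ps with
    | Success x ps' -> f x ps'
    | Failed e -> Failed e

let t_get () : tac proofstate = fun ps -> Success ps ps
let t_put (ps:proofstate) : tac unit = fun _ -> Success () ps
let t_raise (#a:Type) (e:error) : tac a = fun _ -> Failed e

(* "Exceptions reset the state": the fallback restarts from the
   proof-state that was current before the failing metaprogram ran,
   so partial changes made by m1 are discarded. *)
let t_or_else (#a:Type) (m1 m2:tac a) : tac a =
  fun ps ->
    match m1 ps with
    | Success x ps' -> Success x ps'
    | Failed _ -> m2 ps
```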
Metaprogramming as a user-defined effect put
Step 2 Primitive operations on Inl “Goal is not an arrow”
Step 2 Primitive operations on Meta Inl “Goal is not an arrow”