signed cryptographic program verification with typed
play

Signed Cryptographic Program Verification with Typed C RYPTO L INE - PowerPoint PPT Presentation

Aug 01, 2023 •132 likes •936 views

Signed Cryptographic Program Verification with Typed C RYPTO L INE Yu-Fu Fu 1 , Jiaxiang Liu 2 , Xiaomu Shi 2 , Ming-Hsien Tsai 1 , Bow-Yaw Wang 1 , Bo-Yin Yang 1 1 Academia Sinica 2 Shenzhen University ACM CCS 2019 1/42 Outline Introduction 1

  1. Signed Cryptographic Program Verification with Typed C RYPTO L INE Yu-Fu Fu 1 , Jiaxiang Liu 2 , Xiaomu Shi 2 , Ming-Hsien Tsai 1 , Bow-Yaw Wang 1 , Bo-Yin Yang 1 1 Academia Sinica 2 Shenzhen University ACM CCS 2019 1/42

  2. Outline Introduction 1 Previous Work & Contribution 2 Typed C RYPTO L INE Example 3 Use GCC to generate C RYPTO L INE 4 Case Study - NaCl 5 Evaluation 6 7 Conclusion 2/42

  3. Outline Introduction 1 Previous Work & Contribution 2 Typed C RYPTO L INE Example 3 Use GCC to generate C RYPTO L INE 4 Case Study - NaCl 5 Evaluation 6 7 Conclusion 3/42

  4. Practical Cryptography Cryptographic program is written in C or ASM for efficiency. Computation over large finite field is not trivial in C and ASM. Split a large number into several smaller numbers (a.k.a. limbs). (e.g. 4 or 5 uint64 t/register to store 255-bit keys for Curve25519) Computation over limbs is error-prone. A simple bug can cause catastrophic damages. (e.g. a missing bound check in Heartbleed) 4/42

  5. Practical Cryptography Cryptographic program is written in C or ASM for efficiency. Computation over large finite field is not trivial in C and ASM. Split a large number into several smaller numbers (a.k.a. limbs). (e.g. 4 or 5 uint64 t/register to store 255-bit keys for Curve25519) Computation over limbs is error-prone. A simple bug can cause catastrophic damages. (e.g. a missing bound check in Heartbleed) In this work, we focus on implementation written in C . 4/42

  6. Functional Correctness So.... How to achieve the functional correctness? 5/42

  7. Functional Correctness So.... How to achieve the functional correctness? Test? 5/42

  8. Functional Correctness So.... How to achieve the functional correctness? Test? State space is too BIG, HARD to cover 5/42

  9. Functional Correctness So.... How to achieve the functional correctness? Test? State space is too BIG, HARD to cover Verification 5/42

  10. Outline Introduction 1 Previous Work & Contribution 2 Typed C RYPTO L INE Example 3 Use GCC to generate C RYPTO L INE 4 Case Study - NaCl 5 Evaluation 6 7 Conclusion 6/42

  11. Previous Work 7/42

  12. Previous Work Proof Assistant + SMT Solver (CHL+14) can only verify some simple code in tolerable time. many human-added annotations. SMT: Satisfiability modulo theories 7/42

  13. Previous Work Proof Assistant + SMT Solver (CHL+14) can only verify some simple code in tolerable time. many human-added annotations. Proof Assistant + SMT Solver + Algebra Solver (TWY17) can deal with more complex operations like multiplication SMT solver cannot deal with large integers multiplication well SMT: Satisfiability modulo theories 7/42

  14. Previous Work Proof Assistant + SMT Solver (CHL+14) can only verify some simple code in tolerable time. many human-added annotations. Proof Assistant + SMT Solver + Algebra Solver (TWY17) can deal with more complex operations like multiplication SMT solver cannot deal with large integers multiplication well DSL + SMT Solver + Algebra Solver (PTW+18) Untyped C RYPTO L INE (only unsigned) Target: ASM (some real-word examples in OpenSSL) integer size is fixed (32/64 bit register) SMT: Satisfiability modulo theories DSL: Domain-specific language 7/42

  15. Goal More real-world examples. Try to verify the C implementation once instead of ASM for every platforms. most implementation now are still written in C instead of human-optimized ASM Less verification effort and friendly to normal cryptographic library developers. 8/42

  16. Target Cryptographic Libraries OpenSSL: UBIQUITOUS BoringSSL: Chrome, Android NaCl: reference implementation wolfSSL: embedded systems Bitcoin’s libsecp256k1: ECDSA used by MANY cryptocurrencies (Ethereum, Zcash, Ripple, · · · ) 9/42

  17. What Curves We Verified OpenSSL: 32/64: integer size NIST P-224 : 2 224 − 2 96 + 1 (unsigned 64) NIST P-256 : 2 256 − 2 224 + 2 192 + 2 96 − 1 (unsigned 64) NIST P-521 : 2 521 − 1 (unsigned 64) Curve25519 : 2 255 − 19 (unsigned 64, signed 32) BoringSSL: Curve25519 (unsigned 64) NaCl: Curve25519 (unsigned 64, signed 64) wolfSSL: Curve25519 (same as OpenSSL ’s) (signed 32) Bitcoin: Secp256k1 (2 256 − 2 32 − 2 9 − 2 8 − 2 7 − 2 6 − 2 4 − 1) (unsigned, signed) 10/42

  18. Contribution Typed C RYPTO L INE – unsigned and signed, arbitrary size integers type system (type checking & type inference) A GCC plugin that translates GIMPLE C RYPTO L INE into Typed C RYPTO L INE GIMPLE C RYPTO L INE – a subset of GIMPLE GIMPLE : a GCC IR used in machine-independent optimization Verify GIMPLE code after machine-independent optimization First to verify signed C implementation in cryptographic libraries used in industry Found a bug in NaCl’s Curve25519 - Case study 11/42

  19. Outline Introduction 1 Previous Work & Contribution 2 Typed C RYPTO L INE Example 3 Use GCC to generate C RYPTO L INE 4 Case Study - NaCl 5 Evaluation 6 7 Conclusion 12/42

  20. Typed C RYPTO L INE Program Program - instructions Specification Assumption (Precondition) Assertion (Postcondition) Properties { algebra && range } range: variables should be in a proper range (e.g. a < 2 51 ) checked by SMT solver (Boolector, MathSAT, Z3 · · · ) algebra: mathematical properties (e.g. c = a × b ) checked by algebraic solver (Sage, Singular, Mathematica · · · ) Hoare triple: { assumption } program { assertion } 13/42

  21. Typed C RYPTO L INE Program Example - Naive Addition 1 proc main (uint64 a0, uint64 a1, uint64 b0, uint64 b1) = 2 { 3 true // algebraic prop; true means no assumption 4 && 5 and [ // range prop 6 a0 <u (2**63)@64, a1 <u (2**63)@64, 7 b0 <u (2**63)@64, b1 <u (2**63)@64 8 ] 9 } 10 add c0 a0 b0; // c0 = a0 + b0 11 add c1 a1 b1; // c1 = a1 + b1 12 { 13 limbs 64 [c0, c1] 14 = 15 limbs 64 [a0, a1] + limbs 64 [b0, b1] 16 && 17 and [ 18 c0 >=u a0, c1 >=u a1 // true iff not overflow 19 ] 20 } 14/42

  22. Typed C RYPTO L INE Program Example - Naive Addition 1 proc main (uint64 a0, uint64 a1, uint64 b0, uint64 b1) = 2 { 3 true // algebraic prop; true means no assumption 4 && 5 and [ // range prop 6 a0 <u (2**63)@64, a1 <u (2**63)@64, 7 b0 <u (2**63)@64, b1 <u (2**63)@64 8 ] 9 } 10 add c0 a0 b0; // c0 = a0 + b0 11 add c1 a1 b1; // c1 = a1 + b1 12 { 13 limbs 64 [c0, c1] 14 = 15 limbs 64 [a0, a1] + limbs 64 [b0, b1] 16 && 17 and [ 18 c0 >=u a0, c1 >=u a1 // true iff not overflow 19 ] 20 } 14/42

  23. Typed C RYPTO L INE Program Example - Naive Addition 1 proc main (uint64 a0, uint64 a1, uint64 b0, uint64 b1) = 2 { 3 true // algebraic prop; true means no assumption 4 && 5 and [ // range prop 6 a0 <u (2**63)@64, a1 <u (2**63)@64, 7 b0 <u (2**63)@64, b1 <u (2**63)@64 8 ] 9 } 10 add c0 a0 b0; // c0 = a0 + b0 11 add c1 a1 b1; // c1 = a1 + b1 12 { 13 limbs 64 [c0, c1] 14 = 15 limbs 64 [a0, a1] + limbs 64 [b0, b1] 16 && 17 and [ 18 c0 >=u a0, c1 >=u a1 // true iff not overflow 19 ] 20 } 14/42

  24. Typed C RYPTO L INE Program Example - Naive Addition 1 proc main (uint64 a0, uint64 a1, uint64 b0, uint64 b1) = 2 { 3 true // algebraic prop; true means no assumption 4 && 5 and [ // range prop 6 a0 <u (2**63)@64, a1 <u (2**63)@64, 7 b0 <u (2**63)@64, b1 <u (2**63)@64 8 ] 9 } 10 add c0 a0 b0; // c0 = a0 + b0 11 add c1 a1 b1; // c1 = a1 + b1 12 { 13 limbs 64 [c0, c1] 14 = 15 limbs 64 [a0, a1] + limbs 64 [b0, b1] 16 && 17 and [ 18 c0 >=u a0, c1 >=u a1 // true iff not overflow 19 ] 20 } 14/42

  25. Typed C RYPTO L INE Program Example - Naive Addition 1 proc main (uint64 a0, uint64 a1, uint64 b0, uint64 b1) = 2 { 3 true // algebraic prop; true means no assumption 4 && 5 and [ // range prop 6 a0 <u (2**63)@64, a1 <u (2**63)@64, 7 b0 <u (2**63)@64, b1 <u (2**63)@64 8 ] 9 } 10 add c0 a0 b0; // c0 = a0 + b0 11 limbs 64 [ a 0 , a 1 , · · · , a n ] = add c1 a1 b1; // c1 = a1 + b1 12 � n { i = 0 a i × 2 64 × i 13 limbs 64 [c0, c1] 14 = 15 limbs 64 [a0, a1] + limbs 64 [b0, b1] 16 && 17 and [ 18 c0 >=u a0, c1 >=u a1 // true iff not overflow 19 ] 20 } 14/42

  26. Typed C RYPTO L INE Program Example - Naive Addition 1 proc main (uint64 a0, uint64 a1, uint64 b0, uint64 b1) = 2 { 3 true // algebraic prop; true means no assumption 4 && 5 and [ // range prop 6 a0 <u (2**63)@64, a1 <u (2**63)@64, 7 b0 <u (2**63)@64, b1 <u (2**63)@64 8 ] 9 } 10 add c0 a0 b0; // c0 = a0 + b0 2 63 − 1 + 2 63 − 1 = 2 64 − 2 ≤ 2 64 − 1 11 add c1 a1 b1; // c1 = a1 + b1 12 { 13 limbs 64 [c0, c1] 14 = 15 limbs 64 [a0, a1] + limbs 64 [b0, b1] 16 && 17 and [ 18 c0 >=u a0, c1 >=u a1 // true iff not overflow 19 ] 20 } 14/42

  27. Typed C RYPTO L INE Program Example - Overflow 1 proc main (uint64 a0, uint64 a1, uint64 b0, uint64 b1) = 2 { 3 true // algebraic prop; true means no restriction 4 && 5 and [ // range prop 6 a0 <=u (2**63)@64, a1 <=u (2**63)@64, 7 b0 <=u (2**63)@64, b1 <=u (2**63)@64 8 ] 9 } 10 add c0 a0 b0; // c0 = a0 + b0 11 add c1 a1 b1; // c1 = a1 + b1 12 { 13 limbs 64 [c0, c1] 14 = 15 limbs 64 [a0, a1] + limbs 64 [b0, b1] 16 && 17 and [ 18 c0 >=u a0, c1 >=u a1 // true iff not overflow 19 ] 20 } 15/42

Recommend

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018 Outline 1 Formal Models 2

1.01k views • 81 slides
Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic protocols: Concurrent programs

946 views • 69 slides
Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and Algorithmic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018

1.23k views • 78 slides
Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim Kobeissi PROSECCO: Pro gramming Sec urely with C rypt o graphy. Team at INRIA Paris specializing in applied cryptography and formal verification.

357 views • 14 slides
Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique

Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique

Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique Cortier INRIA project Cassis, Loria CNRS, Nancy, France French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of

605 views • 46 slides
Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin

Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin

Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018 Organization of the course Two

774 views • 74 slides
Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in the Quantum Era (SPS G5448) February 5th, 2020 Christian Colombo Mark Vella Cryptographic Protocols Design Proofs to validate design against

467 views • 20 slides
Comparison of Cryptographic Verification Tools Dealing with Algebraic Properties Pascal LAFOURCADE

Comparison of Cryptographic Verification Tools Dealing with Algebraic Properties Pascal LAFOURCADE

Comparison of Cryptographic Verification Tools Dealing with Algebraic Properties Comparison of Cryptographic Verification Tools Dealing with Algebraic Properties Pascal LAFOURCADE , Vanessa Terrade &amp; Sylvain Vigier Universit e Joseph

1.01k views • 49 slides
MPRI 2-30: Automated Verification of Cryptographic Protocol Implementations K Bhargavan

MPRI 2-30: Automated Verification of Cryptographic Protocol Implementations K Bhargavan

MPRI 2-30: Automated Verification of Cryptographic Protocol Implementations K Bhargavan (Slides from A.D. Gordon and C. Fournet) Spring, 2014 Outline of Lectures Lecture 1 (Jan 22, Today) Intro to Verified Protocol Implementations

1.32k views • 112 slides
MPRI 2-30: ! Automated Verification of ! Cryptographic Protocol Implementations K Bhargavan (Slides

MPRI 2-30: ! Automated Verification of ! Cryptographic Protocol Implementations K Bhargavan (Slides

MPRI 2-30: ! Automated Verification of ! Cryptographic Protocol Implementations K Bhargavan (Slides from A.D. Gordon and C. Fournet) Spring, 2014 TLS Handshakes ''''''ClientHello''''''''''''''''''99999999&gt;'

744 views • 73 slides
Usable verification of terminal fast cryptographic software Daniel J. Bernstein processes

Usable verification of terminal fast cryptographic software Daniel J. Bernstein processes

1 2 Usable verification of terminal fast cryptographic software Daniel J. Bernstein processes files University of Illinois at Chicago &amp; Technische Universiteit Eindhoven RAM disk Operating-system kernel divides RAM among processes,

1.32k views • 100 slides
Verification techniques for cryptographic protocols eronique Cortier 1 V RTA08 1 LORIA, CNRS

Verification techniques for cryptographic protocols eronique Cortier 1 V RTA08 1 LORIA, CNRS

Introduction Formal models Adding equational theories Towards more guarantees Verification techniques for cryptographic protocols eronique Cortier 1 V RTA08 1 LORIA, CNRS - INRIA Cassis project, Nancy Universities 1/45 V eronique

785 views • 76 slides
Verifpal Cryptographic protocol analysis for students and engineers Nadim Kobeissi FOSDEM

Verifpal Cryptographic protocol analysis for students and engineers Nadim Kobeissi FOSDEM

Verifpal Cryptographic protocol analysis for students and engineers Nadim Kobeissi FOSDEM Brussels, February 2020 What is Formal Verification? Using software tools in order to obtain guarantees on the security of cryptographic components.

319 views • 21 slides
Program Verification (Rosen, Sections 5.5) TOPICS Program Correctness Preconditions &amp;

Program Verification (Rosen, Sections 5.5) TOPICS Program Correctness Preconditions &amp;

Program Verification (Rosen, Sections 5.5) TOPICS Program Correctness Preconditions &amp; Postconditions Program Verification Assignments Composition Conditionals Loops Proofs about Programs Why

537 views • 36 slides
CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools Cryptographic Tools Cryptographic algorithms important element in security services Review various types of elements symmetric encryption secure

1.27k views • 23 slides
Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, CNRS, IRISA, France Monday,

Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, CNRS, IRISA, France Monday,

Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, CNRS, IRISA, France Monday, June 29th, 2020 1/23 Cryptographic protocols everywhere ! Cryptographic protocols small programs designed to secure communication ( e.g.

900 views • 58 slides
Program Verification as a Toolbox 2005Now Todays Verification A Brief, Subjective History

Program Verification as a Toolbox 2005Now Todays Verification A Brief, Subjective History

Program Verification as a Toolbox David Cock Is Your System Correct? Verified Systems Program Verification as a Toolbox 2005Now Todays Verification A Brief, Subjective History Toolbox Whats Next? David Cock January 23, 2015 1

432 views • 32 slides
From Program Verification to Program Synthesis Overview Jaak Ristioja March 30, 2010 1 / 91

From Program Verification to Program Synthesis Overview Jaak Ristioja March 30, 2010 1 / 91

From Program Verification to Program Synthesis Overview Jaak Ristioja March 30, 2010 1 / 91 Reference From Program Verification to Program Synthesis. @ POPL10; January 17-23, 2010 Saurabh Srivastava , University of Maryland, College Park

1.21k views • 91 slides
Preparing for Re-Verification Brief Mr. Terrence Moultrie Chief, Verification and Executive

Preparing for Re-Verification Brief Mr. Terrence Moultrie Chief, Verification and Executive

The Center for Verification and Evaluation (CVE) Preparing for Re-Verification Brief Mr. Terrence Moultrie Chief, Verification and Executive Support Services Agenda What is Re-Verification? o Simplified Reverification Program VIP

320 views • 21 slides
Towards full verification of concurrent libraries Viktor Vafeiadis Program verification

Towards full verification of concurrent libraries Viktor Vafeiadis Program verification

Towards full verification of concurrent libraries Viktor Vafeiadis Program verification Programs considered: Small (&lt;100 LOC) Medium (KLOC) Large (MLOC) Simple

577 views • 45 slides
Quo Vadis Program Verification Krzysztof R. Apt CWI, Amsterdam, the Netherlands , University of

Quo Vadis Program Verification Krzysztof R. Apt CWI, Amsterdam, the Netherlands , University of

Quo Vadis Program Verification Krzysztof R. Apt CWI, Amsterdam, the Netherlands , University of Amsterdam Quo Vadis Program Verification p. 1/1 One Page Summary Assertional approach to program verification is here to stay. Gap between

629 views • 19 slides
LDP Typed Wildcard PW FEC Elements draft-raza-pwe3-pw-typed-wc-fec-00.txt Kamran Raza Sami

LDP Typed Wildcard PW FEC Elements draft-raza-pwe3-pw-typed-wc-fec-00.txt Kamran Raza Sami

LDP Typed Wildcard PW FEC Elements draft-raza-pwe3-pw-typed-wc-fec-00.txt Kamran Raza Sami Boutros Background Label Distribution Protocol (LDP) [RFC5036] defines the general notion of a &quot;Typed Wildcard Forwarding Equivalence Class

309 views • 6 slides
Cryptographic Program Watermarking Julien Braine , ENS Lyon 2015 Internship with Ron Steinfeld ,

Cryptographic Program Watermarking Julien Braine , ENS Lyon 2015 Internship with Ron Steinfeld ,

Introduction Basic Watermarking scheme Additional goals Applications Limits Conclusion Cryptographic Program Watermarking Julien Braine , ENS Lyon 2015 Internship with Ron Steinfeld , Faculty of IT 17 August 2015 Julien Braine Cryptographic

767 views • 37 slides
DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification

DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification

DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification Projects Birth Record Verification State to State Verification DIVS State to State Verification Service (S2S) Program Benefits Mission

349 views • 8 slides

More recommend