formally verified cryptographic web applications
play

Formally Verified Cryptographic Web Applications J. Protzenko et al. - PowerPoint PPT Presentation

Aug 14, 2022 •912 likes •1.5k views

Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified Cryptographic Web Applications in WASM May. 22 st , 2019 1 / 22 in WebAssembly Jonathan Protzenko Microsoft Research Benjamin Beurdouche INRIA

  1. Formally Verified Cryptographic Web Applications J. Protzenko et al. — MSR + INRIA Verified Cryptographic Web Applications in WASM May. 22 st , 2019 1 / 22 in WebAssembly Jonathan Protzenko Microsoft Research Benjamin Beurdouche INRIA Denis Merigoux INRIA Karthik Bhargavan INRIA

  2. The Web beyond the Web The Web environment has become the choice target for deploying applications. Think: websites, desktop apps (Electron), server apps (node.js), browser addons… managers, secure messengers? J. Protzenko et al. — MSR + INRIA Verified Cryptographic Web Applications in WASM May. 22 st , 2019 2 / 22 How about security-sensitive applications, such as: password

  3. Life is hard for secure web apps Application developers are at a loss for secure toolchains targeting the Web runtime. Web-based security-sensitive applications. J. Protzenko et al. — MSR + INRIA Verified Cryptographic Web Applications in WASM May. 22 st , 2019 3 / 22 • custom cryptographic schemes • ad-hoc protocols • unverifiable app logic • hostile target environment (JavaScript). (Larger) Claim: the JavaScript toolchain is inadequate for

  4. 4 / 22 side-channel check May. 22 st , 2019 Verified Cryptographic Web Applications in WASM J. Protzenko et al. — MSR + INRIA browser, node, … KreMLin paper paper Machine Code WASM implement it in the KreMLin compiler. An F ∗ to WASM toolchain We formalize a verified pipeline from Low ∗ to WASM and Low ∗ (ICFP’17) F ∗ C ♭

  5. This work’s contributions WebAssembly WebAssembly side-channel resistance and protocol security • A generic toolchain (formalization and implementation) to compile F ∗ programs to WebAssembly • The HACL ∗ verified cryptographic library compiled to • A formally verified implementation of Signal, in • Verified for functional correctness, memory safety, • No performance penalty; same API; ready to integrate

  6. Our running example: Signal This means over 1 billion users Let’s start by a quick overview of the protocol. J. Protzenko et al. — MSR + INRIA Verified Cryptographic Web Applications in WASM May. 22 st , 2019 6 / 22 • Signal powers WhatsApp, Messenger, Skype, Signal • Allows communicating asynchronously (trend) • Relies on server with limited trust • Generally trust-on-first-use

  7. Our running example: Signal This means over 1 billion users Let’s start by a quick overview of the protocol. J. Protzenko et al. — MSR + INRIA Verified Cryptographic Web Applications in WASM May. 22 st , 2019 6 / 22 • Signal powers WhatsApp, Messenger, Skype, Signal • Allows communicating asynchronously (trend) • Relies on server with limited trust • Generally trust-on-first-use

  8. Alice Server Bob BP

  9. Alice Server Bob publishes keys BP

  10. Alice Server Bob BP

  11. Alice Server Bob key bundle BP

  12. Alice Server Bob X3DH BP rk 0

  13. Alice Server Bob Diffje-Helman ratchet BP rk 1 , ck 1

  14. Alice Server Bob “hey Bob” m 1 + keys BP

  15. Alice Server Bob symmetric key ratchet BP ck 2

  16. Alice Server Bob “where’s the secret stash” m 2 BP

  17. Alice Server Bob etc. BP

  18. Alice Server Bob BP

  19. Alice Server Bob m 1 + keys BP

  20. Alice Server Bob X3DH BP rk 0

  21. Alice Server Bob Diffje-Helman ratchet BP rk 1 , ck 1

  22. Alice Server Bob BP m 1 = “hey Bob”

  23. Alice Server Bob m 2 BP

  24. Alice Server Bob symmetric key ratchet BP ck 2

  25. Alice Server Bob BP m 2 = “where’s the secret stash”

  26. Alice Server Bob etc. BP

  27. Alice Server Bob Diffje-Helman ratchet BP rk 2 , ck 3

  28. Alice Server Bob “it’s at Oakland” m 3 + keys BP

  29. Alice Server Bob etc. BP

  30. Signal: a recap forward secrecy and post-compromise security J. Protzenko et al. — MSR + INRIA Verified Cryptographic Web Applications in WASM May. 22 st , 2019 8 / 22 • the protocol is sophisticated • X3DH for session initiation • double-ratchet for asynchronous communications, • involves non-trivial cryptography (X25519, etc.) https://signal.org/docs/

  31. Step 1: a protocol specification Written in ProVerif (symbolic model). Builds on previous work May. 22 st , 2019 Verified Cryptographic Web Applications in WASM J. Protzenko et al. — MSR + INRIA … Prior Knowledge: Responder R … 9 / 22 Initiator I Prior Knowledge: post-compromise security. (Euro S&P’17). Guarantees integrity, confidentiality, forward secrecy, ( i , g i ) ( r , g r ) , ( s , g s )[ , ( o , g o )] Initiate ( i , g r , g s [ , g o ]) → ( rk 0 ) : generate ( e , g e ) dh 0 = 0xFF | g si | g re | g se [ | g oe ] rk 0 = HKDF ( dh 0 , 0x00 32 , ‘‘ WhisperText ′′ )

  32. Step 1: a protocol specification Written in ProVerif (symbolic model). Builds on previous work May. 22 st , 2019 Verified Cryptographic Web Applications in WASM J. Protzenko et al. — MSR + INRIA … Prior Knowledge: Responder R … 9 / 22 Initiator I Prior Knowledge: post-compromise security. (Euro S&P’17). Guarantees integrity, confidentiality, forward secrecy, ( i , g i ) ( r , g r ) , ( s , g s )[ , ( o , g o )] Initiate ( i , g r , g s [ , g o ]) → ( rk 0 ) : generate ( e , g e ) dh 0 = 0xFF | g si | g re | g se [ | g oe ] rk 0 = HKDF ( dh 0 , 0x00 32 , ‘‘ WhisperText ′′ )

  33. An ML-like language with support for program verification via SMT automation. for implementations! J. Protzenko et al. — MSR + INRIA Verified Cryptographic Web Applications in WASM May. 22 st , 2019 10 / 22 Step 2: transcribe specifications to F ∗ • Specifications include more detail than ProVerif (e.g. tags) • Currently manual; hope to automate it • Specifications extract to OCaml, for tests – not suitable

  34. Step 3a: implement cryptography etc. Now available on the Web! Generally useful: WebCrypto or Node) J. Protzenko et al. — MSR + INRIA Verified Cryptographic Web Applications in WASM May. 22 st , 2019 11 / 22 We use HACL ∗ for the cryptographic primitives. HACL ∗ has been integrated in Firefox, WireGuard, mbedTLS, • fills the gap for custom or new primitives (not in • a solution for code that needs synchronous APIs • avoid legacy libraries (OpenSSL on Node).

  35. Step 3b: implement Signal core We implement all the core operations of the Signal protocol KreMLin compiler. libquiccrypto. Now a verified implementation of Signal in C and WebAssembly. J. Protzenko et al. — MSR + INRIA Verified Cryptographic Web Applications in WASM May. 22 st , 2019 12 / 22 in Low ∗ . Low ∗ is a low-level subset of F ∗ that compiles to C using the Low ∗ has been used by HACL ∗ , EverCrypt, Merkle Trees,

  36. A new, safe, widely supported target for fast, portable execution. Used primarily in web runtimes but not only. structured control flow mono, etc. Used for video games, AutoCad, large applications… J. Protzenko et al. — MSR + INRIA Verified Cryptographic Web Applications in WASM May. 22 st , 2019 13 / 22 Step 4: compile Low ∗ to WebAssembly • isolation guarantees • basic type safety relying on an operand stack and • more compiler support every day: LLVM, emscripten,

  37. Our ProVerif to WASM toolchain We formalize a verified pipeline from ProVerif to WASM and extend the KreMLin compiler with a WASM backend. ProVerif WebAssembly transcribe refines compiles via KreMLin J. Protzenko et al. — MSR + INRIA Verified Cryptographic Web Applications in WASM May. 22 st , 2019 14 / 22 F ∗ spec Low ∗ impl

  38. A simple translation (WASM is an expression language) that eliminates complexity and fits in two paper pages. Thanks to a new intermediary language in KreMLin, the J. Protzenko et al. — MSR + INRIA Verified Cryptographic Web Applications in WASM May. 22 st , 2019 15 / 22 A direct route from Low ∗ to WASM We formalize the compilation from Low ∗ to WASM. compilations rules are compact, auditable and simple.

  39. The implementation is carefully audited and follows the paper rules. Consequence A high-assurance compilation toolchain to WASM! J. Protzenko et al. — MSR + INRIA Verified Cryptographic Web Applications in WASM May. 22 st , 2019 16 / 22 A direct route from Low ∗ to WASM We implement the compilation from Low ∗ to WASM. • 2,400 lines of OCaml code (total: 11,000) • does not implement any sophisticated optimization • very regular.

  40. transformations) One reason we chose to implement our own toolchain... confidence. J. Protzenko et al. — MSR + INRIA Verified Cryptographic Web Applications in WASM May. 22 st , 2019 17 / 22 An indirect route from Low ∗ to WASM Classic route (via Emscripten): Low ∗ → C → WASM • massive TCB • no side-channel reasoning • requires KreMLin to deal with C semantics (un-necessary With only 2,400 extra lines of OCaml, we have greater

  41. What we prove Thanks to a combination of techniques, we guarantee: and through a dedicated check In short, we ofger a library of core building blocks of the Signal protocol. Session and state management, policies to discard old with the browser). J. Protzenko et al. — MSR + INRIA Verified Cryptographic Web Applications in WASM May. 22 st , 2019 18 / 22 • memory safety, by virtue of Low ∗ • functional correctness, by virtue of the specifications • absence of “classic” side-channel leaks, by construction ratchets, etc. are left to the JavaScript code (need integration

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified

Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified

Roberto Guanciale Mads Dam Hamed Nemati Christoph Baumann Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified Platforms Caches Excluded Formally Verified from the analysis Platforms Caches Excluded

675 views • 64 slides
Formally verified constraint solvers Catherine Dubois 1 Sourour Elloumi 1 Arnaud Gotlieb 2 1.

Formally verified constraint solvers Catherine Dubois 1 Sourour Elloumi 1 Arnaud Gotlieb 2 1.

Formally verified constraint solvers Catherine Dubois 1 Sourour Elloumi 1 Arnaud Gotlieb 2 1. CEDRIC-ENSIIE, Evry, France 2. Certus V&V Center, SIMULA RESEARCH LAB., Lysaker, Norway Dagstuhl Seminar 15381 1 / 23 Formally verified

501 views • 28 slides
A Formally Verified Quadratic Unification Algorithm J.-L. Ruiz-Reina, J.-A. Alonso, M.-J. Hidalgo

A Formally Verified Quadratic Unification Algorithm J.-L. Ruiz-Reina, J.-A. Alonso, M.-J. Hidalgo

A Formally Verified Quadratic Unification Algorithm J.-L. Ruiz-Reina, J.-A. Alonso, M.-J. Hidalgo and F .-J. Mart n-Mateos Computational Logic Group Dept. of Computer Science and Artificial Intelligence University of Seville A Formally

356 views • 32 slides
Towards Formally Verified Theorem Provers Ramana Kumar Computer Laboratory, University of

Towards Formally Verified Theorem Provers Ramana Kumar Computer Laboratory, University of

Towards Formally Verified Theorem Provers Ramana Kumar Computer Laboratory, University of Cambridge Twenty Years of the QED Manifesto Vienna Summer of Logic, 2014 HOL Verified Goals of the Project An implementation of HOL Light 1. that runs

428 views • 13 slides
VigNAT: A Formally Verified NAT Arseniy Zaostrovnykh, Solal Pirelli, Luis Pedrosa, Katerina

VigNAT: A Formally Verified NAT Arseniy Zaostrovnykh, Solal Pirelli, Luis Pedrosa, Katerina

VigNAT: A Formally Verified NAT Arseniy Zaostrovnykh, Solal Pirelli, Luis Pedrosa, Katerina Argyraki, George Candea Formally verify a stateful NF with competitive performance and reasonable human effort 2 Formally verify a stateful NF with

836 views • 81 slides
A Simple Supercompiler Formally Verified in Coq Dimitur Krustev IGE+XAO Balkan 4 July 2010 /

A Simple Supercompiler Formally Verified in Coq Dimitur Krustev IGE+XAO Balkan 4 July 2010 /

Introduction Supercompiler Organization and Correctness Proof Possible Extensions and Applications Summary A Simple Supercompiler Formally Verified in Coq Dimitur Krustev IGE+XAO Balkan 4 July 2010 / META 2010 Dimitur Krustev A Simple

431 views • 40 slides
Formally Verified Differential Dynamic Logic (in Isabelle/HOL and Coq) Brandon Bohrer ,

Formally Verified Differential Dynamic Logic (in Isabelle/HOL and Coq) Brandon Bohrer ,

Formally Verified Differential Dynamic Logic (in Isabelle/HOL and Coq) Brandon Bohrer , Vincent Rahli, Ivana Vukotic, Marcus Vlp, Andr Platzer Thanks to: Johannes Hlzl, Fabian Immler, Tobias Nipkow, et. al. + Coquelicot team

540 views • 38 slides
Developing Fast, Mechanically-Verified Cryptographic Code Bryan Parno Carnegie Mellon University

Developing Fast, Mechanically-Verified Cryptographic Code Bryan Parno Carnegie Mellon University

Developing Fast, Mechanically-Verified Cryptographic Code Bryan Parno Carnegie Mellon University 1 The HTTPS Ecosystem is critical Services & Applications Edge cURL Skype Apache Nginx WebKit IIS Clients Servers HTTPS Ecosystem

1.17k views • 82 slides
A Formally Verified Symmetry Breaking Tool for SAT David E. Narv aez den9562@rit.edu

A Formally Verified Symmetry Breaking Tool for SAT David E. Narv aez den9562@rit.edu

A Formally Verified Symmetry Breaking Tool for SAT David E. Narv aez den9562@rit.edu Rochester Institute of Technology Rochester, NY, USA FMCAD-18 Student Forum David E. Narv aez (RIT) Formally Verified Symmetry Breaking Tool FMCAD-18

215 views • 6 slides
Towards an Open-Source, Formally-Verified Secure Processor Srini Devadas Massachusetts

Towards an Open-Source, Formally-Verified Secure Processor Srini Devadas Massachusetts

Towards an Open-Source, Formally-Verified Secure Processor Srini Devadas Massachusetts Institute of Technology Architectural Isolation of Processes Fundamental to maintaining correctness and privacy! 2 Performance Dictates

959 views • 43 slides
Verified cryptographic implementations: how far can we go? Gilles Barthe IMDEA Software

Verified cryptographic implementations: how far can we go? Gilles Barthe IMDEA Software

Verified cryptographic implementations: how far can we go? Gilles Barthe IMDEA Software Institute, Madrid, Spain September 30, 2014 Motivation Loss of trust in Internet Implementation bugs (HeartBleed) Logical bugs (Triple

670 views • 38 slides
The Formally Verified seL4 Microkernel High-Assurance Foundation for MCS Gernot Heiser |

The Formally Verified seL4 Microkernel High-Assurance Foundation for MCS Gernot Heiser |

The Formally Verified seL4 Microkernel High-Assurance Foundation for MCS Gernot Heiser | gernot.heiser@data61.csiro.au | @GernotHeiser RTCSA Keynote, Aug20 https://trustworthy.systems What Is Needed For Mixed-Criticality? During a

539 views • 29 slides
Towards A Formally Verified Network-on-Chip Tom van den Broek 1 Julien Schmaltz 12 1 Institute for

Towards A Formally Verified Network-on-Chip Tom van den Broek 1 Julien Schmaltz 12 1 Institute for

Towards A Formally Verified Network-on-Chip Tom van den Broek 1 Julien Schmaltz 12 1 Institute for Computing and Information Sciences Radboud University Nijmegen The Netherlands 2 School of Computer Science Open University The Netherlands

778 views • 62 slides
A Formally Verified Compiler for Lustre Timothy Bourke 1 , 2 Llio Brun 1 , 2 Pierre-variste

A Formally Verified Compiler for Lustre Timothy Bourke 1 , 2 Llio Brun 1 , 2 Pierre-variste

A Formally Verified Compiler for Lustre Timothy Bourke 1 , 2 Llio Brun 1 , 2 Pierre-variste Dagand 4 , 3 , 1 Xavier Leroy 1 Marc Pouzet 4 , 2 , 1 Lionel Rieg 5 , 6 1. Inria Paris 2. DI, cole normale suprieure 3. CNRS 4. Univ. Pierre et

1.15k views • 96 slides
FTCS 93 June 1993 A Formally Verified Algorithm for Interactive Consistency Under a Hybrid Fault

FTCS 93 June 1993 A Formally Verified Algorithm for Interactive Consistency Under a Hybrid Fault

FTCS 93 June 1993 A Formally Verified Algorithm for Interactive Consistency Under a Hybrid Fault Model Patrick Lincoln and John Rushby Computer Science Laboratory SRI International Menlo Park CA USA FTCS 93 1 Summary What we have

494 views • 25 slides
Micro-Policies Formally Verified, Tag-Based Security Monitors Arthur Azevedo de Amorim Maxime

Micro-Policies Formally Verified, Tag-Based Security Monitors Arthur Azevedo de Amorim Maxime

Micro-Policies Formally Verified, Tag-Based Security Monitors Arthur Azevedo de Amorim Maxime Dns Nick Giannarakis Ctlin Hricu Benjamin C. Pierce Antal Spector-Zabusky Andrew Tolmach May 20, 2015 1 How can we design secure

900 views • 79 slides
Hidden Semantics: why? how? and what to do? Mike Bond, Cryptomathic Ltd. George French, Barclays

Hidden Semantics: why? how? and what to do? Mike Bond, Cryptomathic Ltd. George French, Barclays

Hidden Semantics: why? how? and what to do? Mike Bond, Cryptomathic Ltd. George French, Barclays Bank Plc. ASA-4 Edinburgh 2010 Crypomathic Logo Here Hidden Semantics: Why Why worry about it: Hidden semantics is important to the API analysis

647 views • 33 slides
Wireless Sensor Networks: Motes, NesC, and TinyOS J urgen Sch onw alder, Mat u s

Wireless Sensor Networks: Motes, NesC, and TinyOS J urgen Sch onw alder, Mat u s

Wireless Sensor Networks: Motes, NesC, and TinyOS J urgen Sch onw alder, Mat u s Harvan Jacobs University Bremen Bremen, Germany EECS Seminar, 24 April 2007 J urgen Sch onw alder, Mat u s Harvan Motes, NesC, and

688 views • 54 slides
RESOLUTION OF INTERNATIONAL BANKS: CAN SMALLER COUNTRIES COPE? DIRK SCHOENMAKER ROTTERDAM

RESOLUTION OF INTERNATIONAL BANKS: CAN SMALLER COUNTRIES COPE? DIRK SCHOENMAKER ROTTERDAM

RESOLUTION OF INTERNATIONAL BANKS: CAN SMALLER COUNTRIES COPE? DIRK SCHOENMAKER ROTTERDAM SCHOOL OF MANAGEMENT & BRUEGEL NZ TREASURY, 17 NOVEMBER 2017 Outline Reform after the Great Financial Crisis Need for fiscal backstop

289 views • 18 slides
CREATING VALUE BECOMING RELEVANT Action plan for concretising the strategic objectives

CREATING VALUE BECOMING RELEVANT Action plan for concretising the strategic objectives

Federal Office of Topography swisstopo CREATING VALUE BECOMING RELEVANT Action plan for concretising the strategic objectives Sharing Knowledge, Capacities and Infrastructure (EGS-Pillar 3). Brussels, 18 February 2020 Existing EGS

341 views • 18 slides
Molson Coors Brewing Company Barclays Back to School Consumer Conference September 5, 2012

Molson Coors Brewing Company Barclays Back to School Consumer Conference September 5, 2012

Molson Coors Brewing Company Barclays Back to School Consumer Conference September 5, 2012 Peter Swinburn Chief Executive Officer Molson Coors Brewing Company 2 Forward Looking Statement Forward Looking Statements: This presentation

443 views • 30 slides
during the Henry Ohlsson economic crisis Deputy Governor 17 June 2020 Three challenges The

during the Henry Ohlsson economic crisis Deputy Governor 17 June 2020 Three challenges The

Monetary policy during the Henry Ohlsson economic crisis Deputy Governor 17 June 2020 Three challenges The financial markets are not functioning as under normal circumstances Inflation statistics are difficult to interpret It is

523 views • 6 slides
A game changer for public debt markets? Daniel Gros Rome, Seminar LUISS, SEP March 8, 2018

A game changer for public debt markets? Daniel Gros Rome, Seminar LUISS, SEP March 8, 2018

QE A game changer for public debt markets? Daniel Gros Rome, Seminar LUISS, SEP March 8, 2018 Rome, March, 8, 2018 Thinking ahead for Europe Centre for European Policy Studies (CEPS) www.ceps.eu Bernanke: the problem with QE

823 views • 35 slides
Macro Economics and Political Dynamics Hong Kong, 31 October 2017 Peter Morris, Chief Economist

Macro Economics and Political Dynamics Hong Kong, 31 October 2017 Peter Morris, Chief Economist

Macro Economics and Political Dynamics Hong Kong, 31 October 2017 Peter Morris, Chief Economist 1 FlightGlobal: Pioneering aviation insight and analytics business Part of a leading data solutions group RELX Group: London, Amsterdam and

447 views • 28 slides

More recommend