[PPT] - Meta-F* Language Extensibility, Metaprogramming and Proof PowerPoint Presentation

SLIDE 1

Language Extensibility, Metaprogramming and Proof automation

Meta-F*

https://fstar-lang.github.io https://project-everest.github.io/

SLIDE 2

Classified as Microsoft Confidential

MS

MSR R Redm dmond

nd
Barry Bond
Chris Hawblitzel
Qunyan Magnus
Kiran Muthabatulla
Jonathan Protzenko
Tahina Ramananandro
Nikhil Swamy
Gustavo Varo
MS

MSR R Camb mbridg ridge

Antoine Delignat-Lavaud
Cédric Fournet
Christoph M. Wintersteiger
Santiago Zanella-Béguelin
MS

MSR R India ia

Aseem Rastogi
INRIA

A Paris

Danel Ahman
Kenji Maillard
Benjamin Beurdouche
Karthikeyan Bhargavan
Victor Dumitrescu
Cătălin Hriţcu
Marina Polubelova
CMU

MU (P (Pitts ttsbu burgh) gh)

Jay Bosamiya
Aymeric Fromherz
Bryan Parno
Edinburgh
Markulf Kohlweiss
Interns, open-source

contributors, visitors, alumns

Guido Martinez
Zoe Paraskevopoulou
Yao Li
Joonwon Choi
Clément Pit-Claudel
Nick Giannarakis
Niklas Grimm
Anita Gollamudi
Nadim Kobeissi
Matteo Maffei
Asher Manning
Monal Narasimhamurthy
Gordon Plotkin
Perry Wang
Jean-Karim Zinzindohoue

SLIDE 3

Classified as Microsoft Confidential

MS

MSR R Redm dmond

nd
Barry Bond
Chris Hawblitzel
Qunyan Magnus
Kiran Muthabatulla
Jonathan Protzenko
Tahina Ramananandro
Nikhil Swamy
Gustavo Varo
MS

MSR R Camb mbridg ridge

Antoine Delignat-Lavaud
Cédric Fournet
Christoph M. Wintersteiger
Santiago Zanella-Béguelin
MS

MSR R India ia

Aseem Rastogi
INRIA

A Paris

Danel Ahman
Kenji Maillard
Benjamin Beurdouche
Karthikeyan Bhargavan
Victor Dumitrescu
Cătălin Hriţcu
Marina Polubelova
CMU

MU (P (Pitts ttsbu burgh) gh)

Jay Bosamiya
Aymeric Fromherz
Bryan Parno
Edinburgh
Markulf Kohlweiss
Interns, open-source

contributors, visitors, alumns

Guido Martinez
Zoe Paraskevopoulou
Yao Li
Joonwon Choi
Clément Pit-Claudel
Nick Giannarakis
Niklas Grimm
Anita Gollamudi
Nadim Kobeissi
Matteo Maffei
Asher Manning
Monal Narasimhamurthy
Gordon Plotkin
Perry Wang
Jean-Karim Zinzindohoue

SLIDE 4

SLIDE 5

Threat model

Goal: A secure channel

connect(server,port); send “GET…”; data = recv(); send “POST…”; … accept(port); request = recv(); send “<html>…”;

rder = recv();

…

Public Key Infrastructure

SLIDE 6

Threat model

Goal: A secure channel

connect(server,port); send “GET…”; data = recv(); send “POST…”; … accept(port); request = recv(); send “<html>…”;

rder = recv();

…

Public Key Infrastructure

20 years of attacks & fixes

Buffer overflows Incorrect state machines Lax certificate parsing Weak or poorly implemented crypto Side channels Informal security goals Dangerous APIs Flawed standards

Mainstream implementations

OpenSSL, SChannel, NSS, …

SLIDE 7

Much discussions

IETF, Google, Mozilla, Microsoft, CDNs, cryptographers, network engineers, …

Much improvements

Modern design
Fewer roundtrips
Stronger security

New implementations required for all

An early implementer and verified too!
Find & fix flaws before it’s too late

RFC 8446: Aug 2018 Including many of our proposals

Mentioning many formal models of the protocol, including our verified implementation of the record layer

SLIDE 8

… TLS RSA SHA Network buffers Untrusted network (TCP, UDP, …)

Crypto Algorithms

Pr Proje ject t Ever erest est Ver erif ified ied Sec ecur ure e Compon ponents ents in in th the e TL TLS Ecosystem system

QUIC ECDH AES

SLIDE 9

F*: A general purpose programming language and verification tool

Ver erification fication T

ols

s an and d Met ethodo

dolo

logy gy

SLIDE 10

F*: A general purpose programming language and verification tool

Ver erification fication T

ols

s an and d Met ethodo

dolo

logy gy

val nbytes 16 → u32 → nbytes len → nbytes 32 ∧ → ST unit requires λ → ∈ ∧ ∈ ∧ ∈ ensures λ → let in let in modifies ∧

Math spec in F*

poly1305_mac computes a

polynomial in GF(2130-5), storing the result in tag, and not modifying anything else

SLIDE 11

F*: A general purpose programming language and verification tool

kreMLin

Compiler from (a subset of) F* to C

Ver erification fication T

ols

s an and d Met ethodo

dolo

logy gy

val nbytes 16 → u32 → nbytes len → nbytes 32 ∧ → ST unit requires λ → ∈ ∧ ∈ ∧ ∈ ensures λ → let in let in modifies ∧

Math spec in F*

poly1305_mac computes a

polynomial in GF(2130-5), storing the result in tag, and not modifying anything else Efficient C implementation Verification imposes no runtime performance

verhead

void poly1305_mac(uint8_t *tag, uint32_t len, uint8_t *msg, uint8_t *key) { uint64_t tmp [10] = { 0 }; uint64_t *acc = tmp uint64_t *r = tmp + (uint32_t)5; uint8_t s[16] = { 0 }; Crypto_Symmetric_Poly1305_poly1305_init(r, s, key); Crypto_Symmetric_Poly1305_poly1305_process(msg, len, acc, r); Crypto_Symmetric_Poly1305_poly1305_finish(tag, acc, s); }

SLIDE 12

8

Protocol specs Protocol security proofs Security spec Crypto assumptions

Implementation

AES is a pseudo-random function

= Verified = Trusted

Secure authenticated channel

SLIDE 13

SLIDE 14

Everest est in Action, n, so so fa far Production deployments of Everest Verified Cryptography

SLIDE 15

… TLS RSA SHA Network buffers Untrusted network (TCP, UDP, …)

Crypto Algorithms

Pr Proje ject t Ever erest est Ver erif ified ied Sec ecur ure e Compon ponents ents in in th the e TL TLS Ecosystem system

QUIC ECDH AES

SLIDE 16

So what is this F* thing anyway?

SLIDE 17

Two

camps

ps of program

gram ver

erificatio fication n to tool

ls

SLIDE 18

F*: Bridging the gap

SLIDE 19

F*: Bridging the gap

SLIDE 20

F*: Bridging the gap

SLIDE 21

F*: Bridging the gap

SLIDE 22

F*: Bridging the gap

SLIDE 23

SLIDE 24

SLIDE 25

Beyond Pure Code

Effects

SLIDE 26

Beyond Pure Code

Effects

SLIDE 27

Beyond Pure Code

Effects

SLIDE 28

Beyond Pure Code

Effects

SLIDE 29

Effectful programs with Hoare-style Specifications

SLIDE 30

Effectful programs with Hoare-style Specifications

STEx > Tr

SLIDE 31

Effectful programs with Hoare-style Specifications

STExn

SLIDE 32