signed cryptographic program verification with typed
play

Signed Cryptographic Program Verification with Typed C RYPTO L INE - PowerPoint PPT Presentation

Aug 01, 2023 •132 likes •936 views

Signed Cryptographic Program Verification with Typed C RYPTO L INE Yu-Fu Fu 1 , Jiaxiang Liu 2 , Xiaomu Shi 2 , Ming-Hsien Tsai 1 , Bow-Yaw Wang 1 , Bo-Yin Yang 1 1 Academia Sinica 2 Shenzhen University ACM CCS 2019 1/42 Outline Introduction 1

  1. Signed Cryptographic Program Verification with Typed C RYPTO L INE Yu-Fu Fu 1 , Jiaxiang Liu 2 , Xiaomu Shi 2 , Ming-Hsien Tsai 1 , Bow-Yaw Wang 1 , Bo-Yin Yang 1 1 Academia Sinica 2 Shenzhen University ACM CCS 2019 1/42

  2. Outline Introduction 1 Previous Work & Contribution 2 Typed C RYPTO L INE Example 3 Use GCC to generate C RYPTO L INE 4 Case Study - NaCl 5 Evaluation 6 7 Conclusion 2/42

  3. Outline Introduction 1 Previous Work & Contribution 2 Typed C RYPTO L INE Example 3 Use GCC to generate C RYPTO L INE 4 Case Study - NaCl 5 Evaluation 6 7 Conclusion 3/42

  4. Practical Cryptography Cryptographic program is written in C or ASM for efficiency. Computation over large finite field is not trivial in C and ASM. Split a large number into several smaller numbers (a.k.a. limbs). (e.g. 4 or 5 uint64 t/register to store 255-bit keys for Curve25519) Computation over limbs is error-prone. A simple bug can cause catastrophic damages. (e.g. a missing bound check in Heartbleed) 4/42

  5. Practical Cryptography Cryptographic program is written in C or ASM for efficiency. Computation over large finite field is not trivial in C and ASM. Split a large number into several smaller numbers (a.k.a. limbs). (e.g. 4 or 5 uint64 t/register to store 255-bit keys for Curve25519) Computation over limbs is error-prone. A simple bug can cause catastrophic damages. (e.g. a missing bound check in Heartbleed) In this work, we focus on implementation written in C . 4/42

  6. Functional Correctness So.... How to achieve the functional correctness? 5/42

  7. Functional Correctness So.... How to achieve the functional correctness? Test? 5/42

  8. Functional Correctness So.... How to achieve the functional correctness? Test? State space is too BIG, HARD to cover 5/42

  9. Functional Correctness So.... How to achieve the functional correctness? Test? State space is too BIG, HARD to cover Verification 5/42

  10. Outline Introduction 1 Previous Work & Contribution 2 Typed C RYPTO L INE Example 3 Use GCC to generate C RYPTO L INE 4 Case Study - NaCl 5 Evaluation 6 7 Conclusion 6/42

  11. Previous Work 7/42

  12. Previous Work Proof Assistant + SMT Solver (CHL+14) can only verify some simple code in tolerable time. many human-added annotations. SMT: Satisfiability modulo theories 7/42

  13. Previous Work Proof Assistant + SMT Solver (CHL+14) can only verify some simple code in tolerable time. many human-added annotations. Proof Assistant + SMT Solver + Algebra Solver (TWY17) can deal with more complex operations like multiplication SMT solver cannot deal with large integers multiplication well SMT: Satisfiability modulo theories 7/42

  14. Previous Work Proof Assistant + SMT Solver (CHL+14) can only verify some simple code in tolerable time. many human-added annotations. Proof Assistant + SMT Solver + Algebra Solver (TWY17) can deal with more complex operations like multiplication SMT solver cannot deal with large integers multiplication well DSL + SMT Solver + Algebra Solver (PTW+18) Untyped C RYPTO L INE (only unsigned) Target: ASM (some real-word examples in OpenSSL) integer size is fixed (32/64 bit register) SMT: Satisfiability modulo theories DSL: Domain-specific language 7/42

  15. Goal More real-world examples. Try to verify the C implementation once instead of ASM for every platforms. most implementation now are still written in C instead of human-optimized ASM Less verification effort and friendly to normal cryptographic library developers. 8/42

  16. Target Cryptographic Libraries OpenSSL: UBIQUITOUS BoringSSL: Chrome, Android NaCl: reference implementation wolfSSL: embedded systems Bitcoin’s libsecp256k1: ECDSA used by MANY cryptocurrencies (Ethereum, Zcash, Ripple, · · · ) 9/42

  17. What Curves We Verified OpenSSL: 32/64: integer size NIST P-224 : 2 224 − 2 96 + 1 (unsigned 64) NIST P-256 : 2 256 − 2 224 + 2 192 + 2 96 − 1 (unsigned 64) NIST P-521 : 2 521 − 1 (unsigned 64) Curve25519 : 2 255 − 19 (unsigned 64, signed 32) BoringSSL: Curve25519 (unsigned 64) NaCl: Curve25519 (unsigned 64, signed 64) wolfSSL: Curve25519 (same as OpenSSL ’s) (signed 32) Bitcoin: Secp256k1 (2 256 − 2 32 − 2 9 − 2 8 − 2 7 − 2 6 − 2 4 − 1) (unsigned, signed) 10/42

  18. Contribution Typed C RYPTO L INE – unsigned and signed, arbitrary size integers type system (type checking & type inference) A GCC plugin that translates GIMPLE C RYPTO L INE into Typed C RYPTO L INE GIMPLE C RYPTO L INE – a subset of GIMPLE GIMPLE : a GCC IR used in machine-independent optimization Verify GIMPLE code after machine-independent optimization First to verify signed C implementation in cryptographic libraries used in industry Found a bug in NaCl’s Curve25519 - Case study 11/42

  19. Outline Introduction 1 Previous Work & Contribution 2 Typed C RYPTO L INE Example 3 Use GCC to generate C RYPTO L INE 4 Case Study - NaCl 5 Evaluation 6 7 Conclusion 12/42

  20. Typed C RYPTO L INE Program Program - instructions Specification Assumption (Precondition) Assertion (Postcondition) Properties { algebra && range } range: variables should be in a proper range (e.g. a < 2 51 ) checked by SMT solver (Boolector, MathSAT, Z3 · · · ) algebra: mathematical properties (e.g. c = a × b ) checked by algebraic solver (Sage, Singular, Mathematica · · · ) Hoare triple: { assumption } program { assertion } 13/42

  21. Typed C RYPTO L INE Program Example - Naive Addition 1 proc main (uint64 a0, uint64 a1, uint64 b0, uint64 b1) = 2 { 3 true // algebraic prop; true means no assumption 4 && 5 and [ // range prop 6 a0 <u (2**63)@64, a1 <u (2**63)@64, 7 b0 <u (2**63)@64, b1 <u (2**63)@64 8 ] 9 } 10 add c0 a0 b0; // c0 = a0 + b0 11 add c1 a1 b1; // c1 = a1 + b1 12 { 13 limbs 64 [c0, c1] 14 = 15 limbs 64 [a0, a1] + limbs 64 [b0, b1] 16 && 17 and [ 18 c0 >=u a0, c1 >=u a1 // true iff not overflow 19 ] 20 } 14/42

  22. Typed C RYPTO L INE Program Example - Naive Addition 1 proc main (uint64 a0, uint64 a1, uint64 b0, uint64 b1) = 2 { 3 true // algebraic prop; true means no assumption 4 && 5 and [ // range prop 6 a0 <u (2**63)@64, a1 <u (2**63)@64, 7 b0 <u (2**63)@64, b1 <u (2**63)@64 8 ] 9 } 10 add c0 a0 b0; // c0 = a0 + b0 11 add c1 a1 b1; // c1 = a1 + b1 12 { 13 limbs 64 [c0, c1] 14 = 15 limbs 64 [a0, a1] + limbs 64 [b0, b1] 16 && 17 and [ 18 c0 >=u a0, c1 >=u a1 // true iff not overflow 19 ] 20 } 14/42

  23. Typed C RYPTO L INE Program Example - Naive Addition 1 proc main (uint64 a0, uint64 a1, uint64 b0, uint64 b1) = 2 { 3 true // algebraic prop; true means no assumption 4 && 5 and [ // range prop 6 a0 <u (2**63)@64, a1 <u (2**63)@64, 7 b0 <u (2**63)@64, b1 <u (2**63)@64 8 ] 9 } 10 add c0 a0 b0; // c0 = a0 + b0 11 add c1 a1 b1; // c1 = a1 + b1 12 { 13 limbs 64 [c0, c1] 14 = 15 limbs 64 [a0, a1] + limbs 64 [b0, b1] 16 && 17 and [ 18 c0 >=u a0, c1 >=u a1 // true iff not overflow 19 ] 20 } 14/42

  24. Typed C RYPTO L INE Program Example - Naive Addition 1 proc main (uint64 a0, uint64 a1, uint64 b0, uint64 b1) = 2 { 3 true // algebraic prop; true means no assumption 4 && 5 and [ // range prop 6 a0 <u (2**63)@64, a1 <u (2**63)@64, 7 b0 <u (2**63)@64, b1 <u (2**63)@64 8 ] 9 } 10 add c0 a0 b0; // c0 = a0 + b0 11 add c1 a1 b1; // c1 = a1 + b1 12 { 13 limbs 64 [c0, c1] 14 = 15 limbs 64 [a0, a1] + limbs 64 [b0, b1] 16 && 17 and [ 18 c0 >=u a0, c1 >=u a1 // true iff not overflow 19 ] 20 } 14/42

  25. Typed C RYPTO L INE Program Example - Naive Addition 1 proc main (uint64 a0, uint64 a1, uint64 b0, uint64 b1) = 2 { 3 true // algebraic prop; true means no assumption 4 && 5 and [ // range prop 6 a0 <u (2**63)@64, a1 <u (2**63)@64, 7 b0 <u (2**63)@64, b1 <u (2**63)@64 8 ] 9 } 10 add c0 a0 b0; // c0 = a0 + b0 11 limbs 64 [ a 0 , a 1 , · · · , a n ] = add c1 a1 b1; // c1 = a1 + b1 12 � n { i = 0 a i × 2 64 × i 13 limbs 64 [c0, c1] 14 = 15 limbs 64 [a0, a1] + limbs 64 [b0, b1] 16 && 17 and [ 18 c0 >=u a0, c1 >=u a1 // true iff not overflow 19 ] 20 } 14/42

  26. Typed C RYPTO L INE Program Example - Naive Addition 1 proc main (uint64 a0, uint64 a1, uint64 b0, uint64 b1) = 2 { 3 true // algebraic prop; true means no assumption 4 && 5 and [ // range prop 6 a0 <u (2**63)@64, a1 <u (2**63)@64, 7 b0 <u (2**63)@64, b1 <u (2**63)@64 8 ] 9 } 10 add c0 a0 b0; // c0 = a0 + b0 2 63 − 1 + 2 63 − 1 = 2 64 − 2 ≤ 2 64 − 1 11 add c1 a1 b1; // c1 = a1 + b1 12 { 13 limbs 64 [c0, c1] 14 = 15 limbs 64 [a0, a1] + limbs 64 [b0, b1] 16 && 17 and [ 18 c0 >=u a0, c1 >=u a1 // true iff not overflow 19 ] 20 } 14/42

  27. Typed C RYPTO L INE Program Example - Overflow 1 proc main (uint64 a0, uint64 a1, uint64 b0, uint64 b1) = 2 { 3 true // algebraic prop; true means no restriction 4 && 5 and [ // range prop 6 a0 <=u (2**63)@64, a1 <=u (2**63)@64, 7 b0 <=u (2**63)@64, b1 <=u (2**63)@64 8 ] 9 } 10 add c0 a0 b0; // c0 = a0 + b0 11 add c1 a1 b1; // c1 = a1 + b1 12 { 13 limbs 64 [c0, c1] 14 = 15 limbs 64 [a0, a1] + limbs 64 [b0, b1] 16 && 17 and [ 18 c0 >=u a0, c1 >=u a1 // true iff not overflow 19 ] 20 } 15/42

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018 Outline 1 Formal Models 2

1.01k views • 81 slides
Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic protocols: Concurrent programs

946 views • 69 slides
Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and Algorithmic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018

1.23k views • 78 slides
Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim Kobeissi PROSECCO: Pro gramming Sec urely with C rypt o graphy. Team at INRIA Paris specializing in applied cryptography and formal verification.

357 views • 14 slides
Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique

Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique

Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique Cortier INRIA project Cassis, Loria CNRS, Nancy, France French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of

605 views • 46 slides
Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin

Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin

Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018 Organization of the course Two

774 views • 74 slides
Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in the Quantum Era (SPS G5448) February 5th, 2020 Christian Colombo Mark Vella Cryptographic Protocols Design Proofs to validate design against

467 views • 20 slides
Comparison of Cryptographic Verification Tools Dealing with Algebraic Properties Pascal LAFOURCADE

Comparison of Cryptographic Verification Tools Dealing with Algebraic Properties Pascal LAFOURCADE

Comparison of Cryptographic Verification Tools Dealing with Algebraic Properties Comparison of Cryptographic Verification Tools Dealing with Algebraic Properties Pascal LAFOURCADE , Vanessa Terrade &amp; Sylvain Vigier Universit e Joseph

1.01k views • 49 slides
MPRI 2-30: Automated Verification of Cryptographic Protocol Implementations K Bhargavan

MPRI 2-30: Automated Verification of Cryptographic Protocol Implementations K Bhargavan

MPRI 2-30: Automated Verification of Cryptographic Protocol Implementations K Bhargavan (Slides from A.D. Gordon and C. Fournet) Spring, 2014 Outline of Lectures Lecture 1 (Jan 22, Today) Intro to Verified Protocol Implementations

1.32k views • 112 slides
MPRI 2-30: ! Automated Verification of ! Cryptographic Protocol Implementations K Bhargavan (Slides

MPRI 2-30: ! Automated Verification of ! Cryptographic Protocol Implementations K Bhargavan (Slides

MPRI 2-30: ! Automated Verification of ! Cryptographic Protocol Implementations K Bhargavan (Slides from A.D. Gordon and C. Fournet) Spring, 2014 TLS Handshakes ''''''ClientHello''''''''''''''''''99999999&gt;'

744 views • 73 slides
Usable verification of terminal fast cryptographic software Daniel J. Bernstein processes

Usable verification of terminal fast cryptographic software Daniel J. Bernstein processes

1 2 Usable verification of terminal fast cryptographic software Daniel J. Bernstein processes files University of Illinois at Chicago &amp; Technische Universiteit Eindhoven RAM disk Operating-system kernel divides RAM among processes,

1.32k views • 100 slides
Verification techniques for cryptographic protocols eronique Cortier 1 V RTA08 1 LORIA, CNRS

Verification techniques for cryptographic protocols eronique Cortier 1 V RTA08 1 LORIA, CNRS

Introduction Formal models Adding equational theories Towards more guarantees Verification techniques for cryptographic protocols eronique Cortier 1 V RTA08 1 LORIA, CNRS - INRIA Cassis project, Nancy Universities 1/45 V eronique

785 views • 76 slides
Verifpal Cryptographic protocol analysis for students and engineers Nadim Kobeissi FOSDEM

Verifpal Cryptographic protocol analysis for students and engineers Nadim Kobeissi FOSDEM

Verifpal Cryptographic protocol analysis for students and engineers Nadim Kobeissi FOSDEM Brussels, February 2020 What is Formal Verification? Using software tools in order to obtain guarantees on the security of cryptographic components.

319 views • 21 slides
Program Verification (Rosen, Sections 5.5) TOPICS Program Correctness Preconditions &amp;

Program Verification (Rosen, Sections 5.5) TOPICS Program Correctness Preconditions &amp;

Program Verification (Rosen, Sections 5.5) TOPICS Program Correctness Preconditions &amp; Postconditions Program Verification Assignments Composition Conditionals Loops Proofs about Programs Why

537 views • 36 slides
CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools Cryptographic Tools Cryptographic algorithms important element in security services Review various types of elements symmetric encryption secure

1.27k views • 23 slides
Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, CNRS, IRISA, France Monday,

Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, CNRS, IRISA, France Monday,

Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, CNRS, IRISA, France Monday, June 29th, 2020 1/23 Cryptographic protocols everywhere ! Cryptographic protocols small programs designed to secure communication ( e.g.

900 views • 58 slides
Raymarching Signed Distance Fields To raytrace or raycast implicit functions, consider signed

Raymarching Signed Distance Fields To raytrace or raycast implicit functions, consider signed

Raymarching Signed Distance Fields To raytrace or raycast implicit functions, consider signed distance fields . 1. Fire ray into scene 2. At each step, measure distance field function: d = [distance to nearest object in scene] 3. Advance ray

403 views • 4 slides
SECURE PROGRAMMING A.A. 2018/2019 INTEGER SECURITY System, Social and Mobile Security SECURITY

SECURE PROGRAMMING A.A. 2018/2019 INTEGER SECURITY System, Social and Mobile Security SECURITY

SECURE PROGRAMMING A.A. 2018/2019 INTEGER SECURITY System, Social and Mobile Security SECURITY FLAWS The integers are formed by the natural numbers including 0 (0, 1, 2, 3, . . .) together with the negatives of the nonzero natural numbers

704 views • 52 slides
m m i b 2 binary by where the b

m m i b 2 binary by where the b

Decimal and binary representation systems They both are positional representation systems In decimal numbers are represented by the coefficients of the powers of 10 Example: 321 = 3 . 10 2 + 2 . 10 1 + 1. 10 0 Decomposing 321 in

471 views • 5 slides
Types in C LAST TODAY NEXT Numbers in C Cs Memory Model C0 virtual machine

Types in C LAST TODAY NEXT Numbers in C Cs Memory Model C0 virtual machine

Types in C LAST TODAY NEXT Numbers in C Cs Memory Model C0 virtual machine Implementation-defined behavior Arrays and pointers Other C types Pointer casting Arrays on the stack Structs on the stack

464 views • 27 slides
Preview question Which of the following is not always true, when the variables are interpreted as

Preview question Which of the following is not always true, when the variables are interpreted as

Preview question Which of the following is not always true, when the variables are interpreted as 32-bit unsigned t s in C? CSci 5271 A. is odd, if both and are odd Introduction to Computer Security Low-level

311 views • 7 slides
321 (in decimal) Data Representation 100 10 1 How did we get these? 10 2 10 1 10 0

321 (in decimal) Data Representation 100 10 1 How did we get these? 10 2 10 1 10 0

1/26/2017 321 (in decimal) Data Representation 100 10 1 How did we get these? 10 2 10 1 10 0 Base-10 Positions denote powers of 10 3*100 + 2*10 + 1*1 Digits 0-9 denote position values 101000001 101000001 How did we 256 128 64

168 views • 16 slides
pop-count update draft-ietf-pim-pop-count-03 pop-count version 3 changes Mainly changes to

pop-count update draft-ietf-pim-pop-count-03 pop-count version 3 changes Mainly changes to

pop-count update draft-ietf-pim-pop-count-03 pop-count version 3 changes Mainly changes to message format Allow for information fields to be optional Allow for defining new fields in the future New format for link speeds

239 views • 8 slides
Floating Point Slides courtesy of: Randal E. Bryant and David R. OHallaron Bryant and

Floating Point Slides courtesy of: Randal E. Bryant and David R. OHallaron Bryant and

Carnegie Mellon Floating Point Slides courtesy of: Randal E. Bryant and David R. OHallaron Bryant and OHallaron, Computer Systems: A Programmers Perspective, Third Edition Carnegie Mellon Today: Floating Point Background:

977 views • 40 slides

More recommend