to verify fy systems soft ftware
play

to verify fy systems soft ftware Chris Hawblit itzel F*: - PowerPoint PPT Presentation

Dec 11, 2023 •456 likes •806 views

Combining tactics, normalization, and SMT solv lvin ing to verify fy systems soft ftware Chris Hawblit itzel F*: expressive and automated verification higher-order logic type nat10 = x:int{0 <= x /\ x < 10} tactics (as of

  1. Combining tactics, normalization, and SMT solv lvin ing to verify fy systems soft ftware Chris Hawblit itzel

  2. F*: expressive and automated verification • higher-order logic type nat10 = x:int{0 <= x /\ x < 10} • tactics (as of 2017) type nat20 = x:int{0 <= x /\ x < 20} • full dependent types (as of 2015) • interpreter in type checker let f (x:nat20) = ... let g (x:nat10) = f x (computation on terms) ask Z3 to prove: let f (b:bool):(if b then int else bool) (0 <= x /\ x < 10) ==> = if b then 5 else true (0 <= x /\ x < 20) let x:int = f true F* interpreter (not Z3): (if true then int else bool) → int

  3. Using F* to verify systems software (an F* user’s perspective) • Introductory examples • Bytes and words via normalization + SMT • Parsers/printers via tactics + SMT • EverParse library (USENIX Security 2019) • Everest project and EverCrypt • Example cryptography: SHA, Poly1305 • Poly1305 math via tactics + SMT • Assembly language in Vale/F* • Efficient verification conditions via normalization + SMT

  4. Demo: bytes and words via normalization + SMT let nat8 = n:nat{n < 0x100} let rec bytes_to_nat_i (s:seq nat8) (i:nat{i <= length s}) : nat = if i = 0 then 0 else s.[i - 1] + 0x100 * bytes_to_nat_i s (i - 1) let rec bytes_to_nat (s:seq nat8) : nat = bytes_to_nat_i s (length s) let demo_norm (s:seq nat8) : Lemma (requires length s == 8 /\ (forall (i:nat).{:pattern s.[i]} i < 8 ==> s.[i] = 0x12 * i)) (ensures bytes_to_nat s == 0x00122436485a6c7e) = norm_spec [zeta; iota; primops; delta_only [`%bytes_to_nat_i]] (bytes_to_nat_i s 8)

  5. Demo: parsers/printers via tactics + SMT type color = | Red | Green | Blue let make_value (t:term) : Tac unit = if term_eq t (`int) then exact (`0) else if term_eq t (`bool) then exact (`false) else if term_eq t (`color) then exact (`Red) else fail "oops" let i:int = _ by (make_value (`int)) let c:color = _ by (make_value (`color))

  6. Demo: parsers/printers via tactics + SMT noeq type print_parse (a:Type) = | PrintParse : print: (a -> int) -> parse: (int -> a) -> round_trip: (v:a -> Lemma (ensures parse (print v) == v)) -> print_parse a let print_parse_bool : print_parse bool = … let print_color (v:color) : int = match v with | Red -> 0 | Green -> 1 | Blue -> 2 let parse_color (p:int) : color = match p with | 0 -> Red | 1 -> Green | _ -> Blue let lemma_color (v:color) : Lemma (ensures parse_color (print_color v) == v) = () let print_parse_color : print_parse color = PrintParse print_color parse_color lemma_color let make_print_parse (t:term) : Tac unit = if term_eq t (`bool) then exact (`print_parse_bool) else if term_eq t (`color) then exact (`print_parse_color) else fail "oops" let test:print_parse color = _ by (make_print_parse (`color))

  7. Secure communication confidentiality, integrity, authentication SSL : S ecure S ockets L ayer TLS : T ransport L ayer S ecurity

  8. TLS standards, some implementations OpenSSL BoringSSL TLS Protocol: 40K LoC TLS Protocol: 30K LoC Crypto Crypto C: 160K LoC Asm: 150K LoC C: 100K LoC Asm: 60K LoC Lines-of-Code ~100 measured with SLOCCount pages

  9. Crypto implementation bugs Low*

  10. Everest: verified components for the HTTPS ecosystem Goals: Services & Applications • Strong verified security Edge cURL WebKit Skype Apache Nginx IIS • Trustworthy, usable tools Clients Servers • Widespread deployment 5-year project (2016-2021) TLS Protocol: miTLS (F*) Crypto: EverCrypt HACL* (F*) Vale (Asm) also: Untrusted network (TCP, UDP, …) certificates, properties of HTTPS, ...

  11. Verifying cryptography • Popular algorithms • symmetric (shared key): AES , ChaCha20 , … • hashes and MACs: SHA , HMAC , Poly1305 , … • combined symmetric+MAC (AEAD): AES-GCM , … • public key and signatures: RSA , Elliptic curve , … • Verification goals: • safety • implementation meets specification • avoid side channels

  12. TLS Protocol: miTLS (F*) HACL* SHA example Crypto HACL* (F*) Vale (Asm) // F* code let _Ch x y z = H32.logxor (H32.logand x y) (H32.logand (H32.lognot x) z) … let shuffle_core hash block ws k t = // C code … … let e = hash.(4ul) in uint32_t e = hash_0[4]; let f = hash.(5ul) in uint32_t f1 = hash_0[5]; let g = hash.(6ul) in uint32_t g = hash_0[6]; … … let t1 = …(_Ch e f g)… in uint32_t t1 = …(e & f1 ^ ~e & g)…; let t2 = … in uint32_t t2 = …;

  13. Example algorithm: Poly1305 MAC // pseudocode for poly1305 inner loop bigint p := 2 130 - 5; bigint h := 0; uint128 r := ...derived from key...; while(...) { uint128 data := ...next 16 data bytes...; h := h + data; h := h * r; h := h mod p; }

  14. Example algorithm: Poly1305 MAC ... h := h mod p; // p = 2 130 - 5 395 = 4 * 102 - 5 p = 4*(2 64 ) 2 - 5 ... 301 mod 99 301 mod 95 901 mod 395 = 202 mod 99 = 206 mod 95 = 506 mod 395 = 103 mod 99 = 111 mod 95 = 111 mod 395 = 4 mod 99 = 16 mod 95 = (100*(9 mod 4) = (3+1) mod 99 = (5*3+1) mod 95 + 5*(9/4) +1) mod 395 x mod 4 = x & 3 5 * (x / 4) = (x & ~3) + (x >> 2)

  15. Example algorithm: Poly1305 MAC 901 mod 395 = 506 mod 395 = 111 mod 395 = (100*(9 mod 4) + 5*(9/4) +1) mod 395 x mod 4 = x & 3 5 * (x / 4) = (x & ~3) + (x >> 2)

  16. TLS Protocol: miTLS (F*) Vale Poly1305 Crypto HACL* (F*) Vale (Asm) procedure poly1305_reduce() … { … And64(rax, d3); Mov64(h2, d3); Shr64(d3, 2); And64(h2, 3); Add64Wrap(rax, d3); Add64Wrap(h0, rax); Bug! This carry was originally missing! Adc64Wrap(h1, 0); Adc64Wrap(h2, 0); … }

  17. procedure poly1305_reduce() returns(ghost hOut:int) let Vale Poly1305 n := 0x1_0000_0000_0000_0000; p := 4 * n * n - 5; hIn := (n * n) * d3 + n * h1 + h0; d3 @= r10; h0 @= r14; h1 @= rbx; h2 @= rbp; modifies rax; r10; r14; rbx; rbp; efl; requires And64(rax, d3); d3 / 4 * 5 < n; Mov64(h2, d3); rax == n - 4; ensures Shr64(d3, 2); hOut % p == hIn % p; And64(h2, 3); hOut == (n * n) * h2 + n * h1 + h0; Add64Wrap(rax, d3); h2 < 5; Add64Wrap(h0, rax); { Adc64Wrap(h1, 0); lemma_BitwiseAdd64(); lemma_poly_bits64(); Adc64Wrap(h2, 0); And64(rax , d3)…Adc64Wrap(h2, 0); ghost var h10 := n * old(h1) + old(h0); hOut := h10 + rax + (old(d3) % 4) * (n * n); lemma_poly_reduce(n, p, hIn, old(d3), h10, rax, hOut); }

  18. procedure poly1305_reduce() returns(ghost hOut:int) let Vale Poly1305 n := 0x1_0000_0000_0000_0000; p := 4 * n * n - 5; hIn := (n * n) * d3 + n * h1 + h0; d3 @= r10; h0 @= r14; h1 @= rbx; h2 @= rbp; modifies val lemma_poly_reduce (n p h h2 h10 c hh:int) : rax; r10; r14; rbx; rbp; efl; Lemma requires (requires d3 / 4 * 5 < n; p > 0 /\ rax == n - 4; n * n > 0 /\ ensures h >= 0 /\ h2 >= 0 /\ hOut % p == hIn % p; 4 * (n * n) == p + 5 /\ hOut == (n * n) * h2 + n * h1 + h0; h2 == h / (n * n) /\ h2 < 5; h10 == h % (n * n) /\ c == (h2 / 4) + (h2 / 4) * 4 /\ { hh == h10 + c + (h2 % 4) * (n * n)) lemma_BitwiseAdd64(); (ensures lemma_poly_bits64(); h % p == hh % p) And64(rax , d3)…Adc64Wrap(h2, 0); ghost var h10 := n * old(h1) + old(h0); hOut := h10 + rax + (old(d3) % 4) * (n * n); lemma_poly_reduce(n, p, hIn, old(d3), h10, rax, hOut); }

  19. Demo: canonizer example let demo_canonizer (a b c d e x:int) : Lemma (requires x == d * e) (ensures (a * (b * c) + (2 * d) * e == e * d + c * (b * a) + x) ) = assert_by_tactic (a * (b * c) + (2 * d) * e == e * d + c * (b * a) + x) (fun _ -> canon_semiring int_cr)

  20. Demo: Poly1305 via canonizer (https://github.com/project-everest/hacl-star/blob/fstar-master/vale/code/crypto/poly1305/x64/Vale.Poly1305.Math.fst) let lemma_poly_reduce (n:int) (p:int) (h:int) (h2:int) (h10:int) (c:int) (hh:int) = let h2_4 = h2 / 4 in let h2_m = h2 % 4 in let h_expand = h10 + (h2_4 * 4 + h2_m) * (n * n) in let hh_expand = h10 + (h2_m) * (n * n) + h2_4 * 5 in lemma_div_mod h (n * n); modulo_addition_lemma hh_expand p h2_4; assert_by_tactic (h_expand == hh_expand + h2_4 * (n * n * 4 + (-5))) (fun _ -> canon_semiring int_cr); ()

  21. Using F* to verify systems software (an F* user’s perspective) • Introductory examples • Bytes and words via normalization + SMT • Parsers/printers via tactics + SMT • EverParse library (USENIX Security 2019) • Everest project and EverCrypt • Example cryptography: SHA, Poly1305 • Poly1305 math via tactics + SMT • Assembly language in Vale/F* • Efficient verification conditions via normalization + SMT

  22. Vale: extensible, automated assembly language verification Vale code machine model (Dafny/F*/Lean) Trusted instructions machine interface Computing type reg = Rax | Rbx| ... procedure mov (…) Base type ins = requires … | Mov(dst:reg, src:reg) ensures … | Add(dst:reg, src:reg) { … } | Neg(dst:reg) … procedure add(…) … lemma code semantics [Mov(r1, r0), lemma_mov (…); program eval(Mov(dst, src ), …) = … Add(r1, r0), lemma_add (…); procedure Triple() … eval(Add(dst, src ), …) = … Add(r1, r1)] lemma_add (…); requires rax < 100; eval(Neg(dst ), …) = … ensures … rbx == 3 * old(rax); code generation { mov(rbx, rax); print(Mov(dst, src ), …) = add(rax, rbx); “ mov “ + (… dst ) + (… src) add(rbx, rax); print(Add(dst, src ), …) = … } …

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Soft ftware Pla latform In Innovation - an example fr from the Health In Information Systems

Soft ftware Pla latform In Innovation - an example fr from the Health In Information Systems

Soft ftware Pla latform In Innovation - an example fr from the Health In Information Systems Programme (H (HIS ISP) and Terje Aksel Sanner Presentation outline Scale in software design and innovation On the distance between designers /

901 views • 20 slides
St Standards for r So Soft ftware Tes esting of f Automotive Systems Stuart Reid PhD, FBCS

St Standards for r So Soft ftware Tes esting of f Automotive Systems Stuart Reid PhD, FBCS

Sa Safer Dri riving St Standards for r So Soft ftware Tes esting of f Automotive Systems Stuart Reid PhD, FBCS STA Consulting Inc. (stuart@sta.co.kr) Scope Automotive Safety Standards ISO 26262 Testing Standards ISO 29119,

597 views • 40 slides
Fr From om a a So Soft ftware e Tes Tester er To a o a L Lea eader der How To Take A

Fr From om a a So Soft ftware e Tes Tester er To a o a L Lea eader der How To Take A

Fr From om a a So Soft ftware e Tes Tester er To a o a L Lea eader der How To Take A Radica cal Leap Fo Forward @W @Work Pe Peter Kh Khoury: Magnetic Sp Spea eaking www www.Magnetic icSp Spea eaking ng Take home message

458 views • 25 slides
Colleg ege o e of C Computing &amp; Soft ftware Engineer eering Wha hat to s sign up gn up

Colleg ege o e of C Computing &amp; Soft ftware Engineer eering Wha hat to s sign up gn up

Colleg ege o e of C Computing &amp; Soft ftware Engineer eering Wha hat to s sign up gn up for F r Fall All Majors ENGL 1101 Math 111(?) we emailed your @students.kennesaw.edu with this information POLS 1101 or HIST

563 views • 18 slides
(Automated) So Soft ftware T Testing ng (Automation) Maurcio Aniche

(Automated) So Soft ftware T Testing ng (Automation) Maurcio Aniche

(Automated) So Soft ftware T Testing ng (Automation) Maurcio Aniche M.FinavaroAniche@tudelft.nl Roman Numerals Given a string in a roman numeral format, the program needs to convert it to an integer. I=1, V=5, X=10, L=50, C=100,

742 views • 25 slides
Co Communi unity W Whi hite P Pape aper and a and a HEP HEP S Soft ftware are Ins

Co Communi unity W Whi hite P Pape aper and a and a HEP HEP S Soft ftware are Ins

Co Communi unity W Whi hite P Pape aper and a and a HEP HEP S Soft ftware are Ins Instit itut ute Peter Elmer Princeton University Mark Neubauer University of Illinois at Urbana-Champaign Mike Sokoloff University of Cincinnati

525 views • 30 slides
Back To The Future Of f Soft ftware Security Developing Secure Smart Contracts Final -

Back To The Future Of f Soft ftware Security Developing Secure Smart Contracts Final -

Back To The Future Of f Soft ftware Security Developing Secure Smart Contracts Final - OWASP Toronto January 23, 2019 Whoami Jamie Baxter, M. Eng., OSCP, OSCE, CISSP, GPEN Independent Information Security Consultant focusing on

764 views • 52 slides
global light baking soft ftware Sp Speaker Na Name Speaker Title &amp; Company Li Li Wen

global light baking soft ftware Sp Speaker Na Name Speaker Title &amp; Company Li Li Wen

How to create a second level Session Title global light baking soft ftware Sp Speaker Na Name Speaker Title &amp; Company Li Li Wen enyao Game engin gine researcher, Netease Game Outline Session Title Development background Sp

671 views • 53 slides
Hackathon on Reverse Engineering and Reengineering Summer School on So ftware Te chnologies and

Hackathon on Reverse Engineering and Reengineering Summer School on So ftware Te chnologies and

vadim@grammarware.net Hackathon on Reverse Engineering and Reengineering Summer School on So ftware Te chnologies and So ftware La nguages Vadim Zaytsev, SWAT, CWI 2012 SoTeSoLa Software Technologies and Software Languages SoTe SoLa:

407 views • 22 slides
Trust But Verify Trust But Verify Trust But Verify Trust But Verify What Is CEC Entertainment?

Trust But Verify Trust But Verify Trust But Verify Trust But Verify What Is CEC Entertainment?

Trust But Verify Trust But Verify Trust But Verify Trust But Verify What Is CEC Entertainment? CEC Entertainment, Irving TX Founded by Nolan Bushnell Revenue What Is CEC Entertainment? What Is CEC Entertainment? What Is CEC Entertainment?

305 views • 19 slides
Verify 1099 Data 3 3 1 Verify 1099 Data Verify Vendors that will receive 1099s and their

Verify 1099 Data 3 3 1 Verify 1099 Data Verify Vendors that will receive 1099s and their

2019 CALENDAR YEAR-END CLOSING PROCEDURES 1 USAS-R CYE Procedures Verify 1099 Data Month End Close Calendar Year End Close 1099 Procedures TR1099 Program 2 2 Verify 1099 Data 3 3 1 Verify 1099 Data Verify Vendors

357 views • 8 slides
Trust, but Verify: An Improved Estimating Technique Using the Integrated Master Schedule (IMS)

Trust, but Verify: An Improved Estimating Technique Using the Integrated Master Schedule (IMS)

Trust, but verify is a form of advice given which recommends that while a source of information might be considered reliable, one should perform additional research to verify that such information is accurate, or trustworthy. The original

437 views • 32 slides
Ho How w to to Detec Detect soft soft falls alls on on de devices vices some signal

Ho How w to to Detec Detect soft soft falls alls on on de devices vices some signal

Ho How w to to Detec Detect soft soft falls alls on on de devices vices some signal processing with knime Prof. Dr. Dominique Genoud Vincent Cuendet master HES-SO, Institute of Information Systems Lausanne, Switzerland

440 views • 24 slides
Hybrid Soft Computing: Soft Computing Overview Where Are We Going? -SC Components: PR, FL,

Hybrid Soft Computing: Soft Computing Overview Where Are We Going? -SC Components: PR, FL,

4/21/2005 Hybrid SC and EA - Outline Hybrid Soft Computing: Soft Computing Overview Where Are We Going? -SC Components: PR, FL, NN, EA Modeling with FL and EA Hybrid SC Systems -FLC Parameter Tuning by EA Piero P. Bonissone -EA

612 views • 20 slides
Motivation: Soft w a re Systems in the La rge MAS and Organizations The ORGAN Mo

Motivation: Soft w a re Systems in the La rge MAS and Organizations The ORGAN Mo

Motivation: Soft w a re Systems in the La rge MAS and Organizations The ORGAN Mo del MAS and ORGAN Conlusion and Outlo ok F rom Multi-Agent to Multi-Organization Systems Utilizing Middlew a re App roahes

1.06k views • 47 slides
Data Mining and Soft Computing Francisco Herrera Research Group on Soft Computing and I

Data Mining and Soft Computing Francisco Herrera Research Group on Soft Computing and I

Data Mining and Soft Computing Francisco Herrera Research Group on Soft Computing and I nformation I ntelligent Systems (SCI 2 S) g y ( ) Dept. of Computer Science and A.I. University of Granada, Spain Email: herrera@ decsai.ugr.es

147 views • 12 slides
DLAs, Escape Fraction, &amp; RT Ken Nagamine UNLV Collaborators: Hidenobu Yajima

DLAs, Escape Fraction, &amp; RT Ken Nagamine UNLV Collaborators: Hidenobu Yajima

DLAs, Escape Fraction, &amp; RT Ken Nagamine UNLV Collaborators: Hidenobu Yajima (Penn State) Jun-Hwan Choi (Kentucky) Robert Thompson, Jason Jaacks (UNLV) KN, Choi, Yajima, 2010, ApJ, 725, L219 Yajima, Choi, KN, 2011, MN, 412,

537 views • 26 slides
Some applications of interval computing in statistics Michal Cern y Department of

Some applications of interval computing in statistics Michal Cern y Department of

Some applications of interval computing in statistics Michal Cern y Department of Econometrics &amp; DYME Research Center University of Economics, Prague, Czech Republic SWIM 2015, Prague M. y (V Cern SE Prague) Interval

791 views • 42 slides
MTLE-6120: Advanced Electronic Properties of Materials Electron transport: phonons and

MTLE-6120: Advanced Electronic Properties of Materials Electron transport: phonons and

1 MTLE-6120: Advanced Electronic Properties of Materials Electron transport: phonons and electron-phonon scattering Contents: Phonon density of states and heat capacity Thermal conductivity: electronic and lattice Electron-phonon

276 views • 27 slides
Levenberg-Marquardt Minimization Jrn Wilms Remeis-Sternwarte &amp; ECAP Universitt

Levenberg-Marquardt Minimization Jrn Wilms Remeis-Sternwarte &amp; ECAP Universitt

Levenberg-Marquardt Minimization Jrn Wilms Remeis-Sternwarte &amp; ECAP Universitt Erlangen-Nrnberg http://pulsar.sternwarte.uni-erlangen.de/wilms/ joern.wilms@sternwarte.uni-erlangen.de Introduction The fitting problem: Given the

408 views • 5 slides
Lectures on Signed Graphs and Geometry IWSSG-2011 Mananthavady, Kerala 26 September 2011

Lectures on Signed Graphs and Geometry IWSSG-2011 Mananthavady, Kerala 26 September 2011

Lectures on Signed Graphs and Geometry IWSSG-2011 Mananthavady, Kerala 26 September 2011 Thomas Zaslavsky Binghamton University (State University of New York at Binghamton) These slides are a compressed adaptation of the lecture notes.

795 views • 56 slides
Internet Software Technologies I t t S ft T h l i CGI CGI IMCNE IMCNE A.A. 2008/09

Internet Software Technologies I t t S ft T h l i CGI CGI IMCNE IMCNE A.A. 2008/09

Internet Software Technologies I t t S ft T h l i CGI CGI IMCNE IMCNE A.A. 2008/09 Gabriele Cecchetti Gabriele Cecchetti Introduction (1/2) Many important uses of Web require interaction Many important uses of Web require

441 views • 20 slides
The Multi-Purpose Detector for JINR heavy ion collider Stepan Razin on behalf of the MPD

The Multi-Purpose Detector for JINR heavy ion collider Stepan Razin on behalf of the MPD

The Multi-Purpose Detector for JINR heavy ion collider Stepan Razin on behalf of the MPD Collaboration at NICA INSTR14 Novosibirsk February 2014 1 Heavy ion physics at JINR A new scientific program on heavy-ion physics is under realization at

723 views • 43 slides
S03 - Random effects STAT 401 (Engineering) - Iowa State University April 26, 2018 (STAT401@ISU)

S03 - Random effects STAT 401 (Engineering) - Iowa State University April 26, 2018 (STAT401@ISU)

S03 - Random effects STAT 401 (Engineering) - Iowa State University April 26, 2018 (STAT401@ISU) S03 - Random effects April 26, 2018 1 / 18 Regression models For continuous Y i , we have linear regression ind N ( i , 2 ) , i =

331 views • 18 slides

More recommend