verifying SHA using VST, Freek Wiedijk

  1. verifying SHA using VST
     Freek Wiedijk
     last paper in the reading list of Type Theory & Coq 2015–2016
     Radboud University Nijmegen
     June 16, 2016

  2. SHA and VST
     - SHA = Secure Hash Algorithm
     - VST = Verified Software Toolchain

  4. papers
     papers by Andrew Appel:
     - Verification of a Cryptographic Primitive: SHA-256
       TOPLAS = ACM Transactions on Programming Languages and Systems, April 2015
     - Second Edition: Verification of a Cryptographic Primitive: SHA-256
       updated from VST 1.0 to VST 1.6
     - Modular Verification for Computer Security
       CSF 2016 = Computer Security Foundations Symposium, June 2016

  5. recap
     reading list overview
     - imp
     - big-step operational semantics
     - small-step operational semantics
     - Hoare logic
     - verification condition generator
     - CompCert
     - idem for C
     - VST
     - separation logic
     - symbolic execution

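  6. imp
     syntax:

     $$\begin{aligned}
     a &::= n \mid x \mid (a_1 + a_2) \mid (a_1 - a_2) \mid (a_1 \cdot a_2) \\
     b &::= a_1 = a_2 \mid a_1 < a_2 \mid \top \mid \neg b \mid (b_1 \wedge b_2) \\
     c &::= \mathsf{skip} \mid x := a \mid (c_1 ; c_2) \mid \mathsf{if}\ b\ \mathsf{then}\ c_1\ \mathsf{else}\ c_2\ \mathsf{fi} \mid \mathsf{while}\ b\ \mathsf{do}\ c\ \mathsf{od}
     \end{aligned}$$

     example:

     $$(i := 1;\ f := 1);\ \mathsf{while}\ i < n\ \mathsf{do}\ i := i + 1;\ f := f \cdot i\ \mathsf{od}$$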

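  7. big-step operational semantics
     = natural semantics
     Gilles Kahn

     relation: $(c, s) \Downarrow s'$

     some representative rules:

     $$\dfrac{(a, s) \Downarrow n}{(x := a, s) \Downarrow s[x \mapsto n]}$$

     $$\dfrac{(c_1, s) \Downarrow s' \qquad (c_2, s') \Downarrow s''}{(c_1 ; c_2, s) \Downarrow s''}$$

     $$\dfrac{(b, s) \Downarrow \top \qquad (c, s) \Downarrow s' \qquad (\mathsf{while}\ b\ \mathsf{do}\ c\ \mathsf{od}, s') \Downarrow s''}{(\mathsf{while}\ b\ \mathsf{do}\ c\ \mathsf{od}, s) \Downarrow s''}$$

     $$\dfrac{(b, s) \Downarrow \bot}{(\mathsf{while}\ b\ \mathsf{do}\ c\ \mathsf{od}, s) \Downarrow s}$$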

  8. small-step operational semantics
     = structural operational semantics = SOS
     Gordon Plotkin

     relations: $(c, s) \to^* (c', s')$ and $(c, s) \to (c', s')$

     some representative rules:

     $$\dfrac{(a, s) \to (a', s)}{(x := a, s) \to (x := a', s)}$$

     $$(x := n, s) \to (\mathsf{skip}, s[x \mapsto n])$$

     $$\dfrac{(c_1, s) \to (c_1', s')}{(c_1 ; c_2, s) \to (c_1' ; c_2, s')}$$

     $$(\mathsf{skip} ; c_2, s) \to (c_2, s)$$

     $$(\mathsf{while}\ b\ \mathsf{do}\ c\ \mathsf{od}, s) \to (\mathsf{if}\ b\ \mathsf{then}\ c ; \mathsf{while}\ b\ \mathsf{do}\ c\ \mathsf{od}\ \mathsf{else}\ \mathsf{skip}\ \mathsf{fi}, s)$$

  9. Hoare logic
     = axiomatic semantics
     Tony Hoare

     Hoare triple: $\{P\}\ c\ \{Q\}$

     some representative rules:

     $$\{Q[x := a]\}\ x := a\ \{Q\}$$

     $$\dfrac{\{P\}\ c_1\ \{Q\} \qquad \{Q\}\ c_2\ \{R\}}{\{P\}\ c_1 ; c_2\ \{R\}}$$

     $$\dfrac{\{P \wedge b\}\ c\ \{P\}}{\{P\}\ \mathsf{while}\ b\ \mathsf{do}\ c\ \mathsf{od}\ \{P \wedge \neg b\}}$$

     $$\dfrac{Q' \Rightarrow Q \qquad P \Rightarrow P' \qquad \{P'\}\ c\ \{Q'\}}{\{P\}\ c\ \{Q\}}$$

  10. verification conditions from weakest preconditions
      predicate transformer semantics
      Edsger Dijkstra

      imp with annotations:

      $$c ::= \{P\} \mid \mathsf{skip} \mid x := a \mid (c_1 ; c_2) \mid \mathsf{if}\ b\ \mathsf{then}\ c_1\ \mathsf{else}\ c_2\ \mathsf{fi} \mid \mathsf{while}\ b\ \mathsf{do}\ \{P\}\ c\ \mathsf{od}$$

      verification condition and weakest precondition:

      $$vc(\{P\}\ c\ \{Q\}) = (P \Rightarrow wp(c, Q))$$

      some representative cases:

      $$\begin{aligned}
      wp(\{P\}, Q) &= P \wedge Q \\
      wp(x := a, Q) &= Q[x := a] \\
      wp(c_1 ; c_2, Q) &= wp(c_1, wp(c_2, Q)) \\
      wp(\mathsf{while}\ b\ \mathsf{do}\ \{P\}\ c\ \mathsf{od}, Q) &= P \wedge (P \wedge b \Rightarrow wp(c, P)) \wedge (P \wedge \neg b \Rightarrow Q)
      \end{aligned}$$

  11. CompCert
      Xavier Leroy, INRIA, France
      CompCert = idem for C
      - C to Clight translator in OCaml
      - optimizing Clight compiler as a Coq function
      - Coq code extracted to OCaml
      - operational semantics of Clight in Coq
      - operational semantics of assembly in Coq
      - compiler proved correct in Coq

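  12. separation logic
      Hoare logic for pointers in memory
      John Reynolds and Peter O’Hearn

      $$\begin{aligned}
      \text{state} &= \text{store} \times \text{heap} \\
      \text{store} &= \text{ident} \to \mathbb{Z} \\
      \text{heap} &= \mathbb{Z} \rightharpoonup \mathbb{Z}
      \end{aligned}$$

      separation logic assertions:

      $$\mathsf{emp} \qquad a_1 \mapsto a_2 \qquad P * Q$$

      frame rule:

      $$\dfrac{\{P\}\ c\ \{Q\}}{\{P * R\}\ c\ \{Q * R\}}$$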

  13. VST
      Andrew Appel, Princeton, US
      VST = Verified Software Toolchain = CompCert +
      - separation logic
      - semantics for separate compilation
      - symbolic execution
      - Coq goal is a Hoare triple
      - tactics execute statements

  14. SHA hashing
      SSL, TLS and OpenSSL
      OpenSSL = open source implementation of SSL and TLS protocols, used by majority of the web servers
      - SSL = Secure Sockets Layer
      - TLS = Transport Layer Security

      secure communication on the internet
      - private connection: symmetric cryptography
      - identity checking: public-key cryptography
      - reliable connection

      HTTPS = HTTP + TLS

  16. heartbleed
      April 2014
      fix is two lines in ssl/d1_lib.c:

      ```c
      if (HEARTBEAT_SIZE_STD(payload) > length)
          return 0; /* silently discard per RFC 6520 sec. 4 */
      ```

  18. cryptographic hashing
      cryptographic hash function:

      $$h : \{0, 1\}^* \to \{0, 1\}^{256}$$

      four properties:
      - $h(x)$ can be computed quickly
      - given $h(x)$ finding a corresponding $x$ is infeasible
      - small change in $x$ gives a large change in $h(x)$
      - infeasible to find a collision: $x_1$ and $x_2$ with $h(x_1) = h(x_2)$

      examples:

      ```
      h("Lynx c.q. vos prikt bh: dag zwemjuf") =
        17c2f3484ab21559fa8d7bf3da97e3443b48a3466f3b8fa8210dbcefe99807a1
      h("Lynx c.q. vos prikt bh: dag zwemjuf!") =
        3530df7cc04da1f245eb92e5780610c5e0aa066a94ba17a66e2e310a64f1bd4d
      ```

  20. SHA-256 and HMAC
      SHA = Secure Hash Algorithm
      - SHA-0: 1993, SHA-1: 1995, SHA-2: 2001, SHA-3: 2015
      - SHA-0: collision known
      - SHA-1: collision unknown, but within range of supercomputers
      - SHA-2 = FIPS PUB 180-2 standard of NIST = SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256
      - SHA-256: used by bitcoin

      HMAC = Hash-based Message Authentication Code
      - authenticity: message came from sender
      - integrity: message has not been tampered with

  25. VST example: verifying factorial
      workflow
      - fac.c: C program being verified
      - fac: C function calculating factorial
      - fac.v: Clight version as a generated Coq file
      - verif_fac.v: Coq file with the verification
      - FAC: Coq functional program for each function in fac.c
      - fac_spec: specification relating each function in fac.c to its Coq version
      - body_fac: verification of correctness of each function in fac.c

  26. fac.c
      10 lines of C
      calculates the factorial function

      ```c
      int fac(int n) {
        int i, f;
        f = i = 1;
        while (i < n)
          f *= ++i;
        return f;
      }
      ```

  27. fac.v
      320 lines of Coq, generated from fac.c by CompCert’s clightgen

      ```coq
      ...
      Definition _n : ident := 45%positive.
      ...
      Definition _fac : ident := 48%positive.
      ...
      Definition f_fac := {|
        fn_return := tint;
        fn_callconv := cc_default;
        fn_params := ((_n, tint) :: nil);
        fn_vars := nil;
        fn_temps := ((_i, tint) :: (_f, tint) :: (51%positive, tint) ::
                     (50%positive, tint) :: nil);
        fn_body :=
      (Ssequence
        (Ssequence
          ... ...)
        ...)
      |}.
      ...
      Definition prog : Clight.program := {|
      prog_defs := (... :: (_fac, Gfun(Internal, f_fac)) :: nil);
      ...
      |}.
      ```

  29. verif_fac.v
      59 lines of Coq
      checking time: 75 seconds
      full code in these slides

      starts with imports:

      ```coq
      Require Import floyd.proofauto.
      Require Import Coqlib.
      Require Import Recdef.
      ```

  31. FAC
      implementation of factorial in Coq using Function (recursion on Acc well-foundedness predicate):

      ```coq
      Function FAC (i : Z) {measure Z.to_nat i} : Z :=
        if zle i 1 then 1 else FAC (i - 1) * i.
      Proof.
        intros. apply Z2Nat.inj_lt; omega.
      Defined.
      ```
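
Worked example added here, not part of the slides: the weakest-precondition rules of slide 10 applied to the factorial program of slide 6, with the loop annotated as $\mathsf{while}\ i < n\ \mathsf{do}\ \{P\}\ i := i + 1;\ f := f \cdot i\ \mathsf{od}$. The invariant $P$, the postcondition $Q$ and the precondition $n \ge 1$ are choices made for this example, $i!$ denotes the factorial of $i$, and the two implications in the while case are read as required for all values of $i$ and $f$.

$$\begin{aligned}
P &= (f = i! \wedge 1 \le i \le n), \qquad Q = (f = n!), \qquad b = (i < n) \\
wp(f := f \cdot i,\ P) &= (f \cdot i = i! \wedge 1 \le i \le n) \\
wp(i := i + 1;\ f := f \cdot i,\ P) &= (f \cdot (i + 1) = (i + 1)! \wedge 1 \le i + 1 \le n)
\end{aligned}$$

Both implications of the while case hold. For $P \wedge b \Rightarrow wp(c, P)$: $f = i!$ gives $f \cdot (i + 1) = (i + 1)!$, and $1 \le i < n$ gives $1 \le i + 1 \le n$. For $P \wedge \neg b \Rightarrow Q$: $i \le n$ together with $\neg (i < n)$ gives $i = n$, hence $f = n!$. What remains of the loop's weakest precondition is $P$, which is pushed back through the two initial assignments:

$$wp(i := 1;\ f := 1,\ P) = wp(i := 1,\ (1 = i! \wedge 1 \le i \le n)) = (1 = 1! \wedge 1 \le 1 \le n) = (1 \le n)$$

$$vc(\{n \ge 1\}\ c\ \{f = n!\}) = (n \ge 1 \Rightarrow 1 \le n)$$

The resulting verification condition is valid, so the triple $\{n \ge 1\}\ c\ \{f = n!\}$ holds.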
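
The length check from slide 16, placed in a small heartbeat handler to show what it guards. This is an added example, not OpenSSL's code and not from the slides; the function names, the record layout constants (taken from RFC 6520) and the definition given to `HEARTBEAT_SIZE_STD` are assumptions, and both sample records are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 layout: type(1) | payload_length(2) | payload | padding(>=16) */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };
#define HEARTBEAT_SIZE_STD(payload) (1 + 2 + (size_t)(payload) + HB_PADDING)

/* Answer the heartbeat record rec[0..length); returns the number of bytes
 * written to out, or 0 when the record is discarded. */
size_t heartbeat_respond(const uint8_t *rec, size_t length,
                         uint8_t *out, size_t out_cap)
{
    if (HEARTBEAT_SIZE_STD(0) > length)     /* header and padding must be present */
        return 0;
    if (rec[0] != HB_REQUEST)
        return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];  /* length claimed by the peer */

    /* The check from the slide. Without it the memcpy below copies `payload`
     * bytes from rec + 3 even when fewer were received, so memory next to
     * the record ends up in the response. */
    if (HEARTBEAT_SIZE_STD(payload) > length)
        return 0;                           /* silently discard per RFC 6520 sec. 4 */
    if (HEARTBEAT_SIZE_STD(payload) > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);  /* production code uses random padding */
    return HEARTBEAT_SIZE_STD(payload);
}

/* Constructed records: `good` claims 4 payload bytes and carries 4; `lying`
 * claims 0x4000 bytes but carries 1 (each followed by 16 padding bytes). */
static const uint8_t good[23]  = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t lying[20] = { HB_REQUEST, 0x40, 0x00, 'x' };
static uint8_t resp[64];

size_t respond_good(void)  { return heartbeat_respond(good, sizeof good, resp, sizeof resp); }
size_t respond_lying(void) { return heartbeat_respond(lying, sizeof lying, resp, sizeof resp); }

int main(void)
{
    printf("well-formed request: %zu response bytes\n", respond_good());
    printf("over-claimed length: %zu response bytes\n", respond_lying());
    return 0;
}
```

The comparison is against the number of bytes actually received, not against the length field inside the message, which is the value the peer controls.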
