Ethereum is a framework for cryptocurrencies which uses blockchain technology to provide an open global computing platform, called the Ethereum Virtual Machine (EVM). EVM executes bytecode on a simple stack machine. Programmers do not usually write EVM code; instead, they can program in a JavaScript-like language, called Solidity, that compiles to bytecode. Since the main purpose of EVM is to execute smart contracts that manage and transfer digital assets (called Ether), security is of paramount importance. However, writing secure smart contracts can be extremely difficult: due to the openness of Ethereum, both programs and pseudonymous users can call into the public methods of other programs, leading to potentially dangerous compositions of trusted and untrusted code. This risk was recently illustrated by an attack on TheDAO contract that exploited subtle details of the EVM semantics to transfer roughly $50M worth of Ether into the control of an attacker. In this paper, we outline a framework to analyze and verify both the runtime safety and the functional correctness of Ethereum contracts by translation to F , a functional programming language aimed at program verification.
We present a new, completely redesigned, version of F ⋆ , a language that works both as a proof assistant as well as a general-purpose, verification-oriented, effectful programming language. In support of these complementary roles, F ⋆ is a dependently typed, higher-order, call-by-value language with primitive effects including state, exceptions, divergence and IO. Although primitive, programmers choose the granularity at which to specify effects by equipping each effect with a monadic, predicate transformer semantics. F ⋆ uses this to efficiently compute weakest preconditions and discharges the resulting proof obligations using a combination of SMT solving and manual proofs. Isolated from the effects, the core of F ⋆ is a language of pure functions used to write specifications and proof terms-its consistency is maintained by a semantic termination check based on a well-founded order. We evaluate our design on more than 55,000 lines of F ⋆ we have authored in the last year, focusing on three main case studies. Showcasing its use as a general-purpose programming language, F ⋆ is programmed (but not verified) in F ⋆ , and bootstraps in both OCaml and F#. Our experience confirms F ⋆ 's pay-as-you-go cost model: writing idiomatic ML-like code with no finer specifications imposes no user burden. As a verification-oriented language, our most significant evaluation of F ⋆ is in verifying several key modules in an implementation of the TLS-1.2 protocol standard. For the modules we considered, we are able to prove more properties, with fewer annotations using F ⋆ than in a prior verified implementation of TLS-1.2. Finally, as a proof assistant, we discuss our use of F ⋆ in mechanizing the metatheory of a range of lambda calculi, starting from the simply typed lambda calculus to System F ω and even µF ⋆ , a sizeable fragment of F ⋆ itself-these proofs make essential use of F ⋆ 's flexible combination of SMT automation and constructive proofs, enabling a tactic-free style of programming and proving at a relatively large scale. Categories and Subject Descriptors D.3.1 [Programming Languages]: Formal Definitions and Theory-Semantics; F.3.1 [Logics and Meanings of Programs]: Specifying and Verifying and Reasoning about Programs-Mechanical verification Keywords verification; proof assistants; effectful programming 1 Henceforth, we refer to the new language presented in this paper as "F ⋆ " while referring to the old, defunct version as "old-F ⋆ ".
We present EverCrypt: a comprehensive collection of verified, high-performance cryptographic functionalities available via a carefully designed API. The API provably supports agility (choosing between multiple algorithms for the same functionality) and multiplexing (choosing between multiple implementations of the same algorithm). Through abstraction and zero-cost generic programming, we show how agility can simplify verification without sacrificing performance, and we demonstrate how C and assembly can be composed and verified against shared specifications. We substantiate the effectiveness of these techniques with new verified implementations (including hashes, Curve25519, and AES-GCM) whose performance matches or exceeds the best unverified implementations. We validate the API design with two high-performance verified case studies built atop EverCrypt, resulting in line-rate performance for a secure network protocol and a Merkle-tree library, used in a production blockchain, that supports 2.7 million insertions/sec. Altogether, EverCrypt consists of over 124K verified lines of specs, code, and proofs, and it produces over 29K lines of C and 14K lines of assembly code. SpecificationsImplementations Spec.Hash val compress (a:alg) (st:words a) (b:block a) : words_state a val init val finish val compress_many val hash EverCrypt.Hash val compress (st:state alg) (b:larr uint8 alg) : Stack unit (requires fun h0 -> ...) (ensures fun h0 _ h1 -> ... /\ repr s h1 == Spec.Hash.compress alg (repr s h0) (as_seq h0 b))val init, finish, compress_many, hash Refines Spec.MD5 val compress: ... val init: ...
We present Low * , a language for low-level programming and verification, and its application to high-assurance optimized cryptographic libraries. Low * is a shallow embedding of a small, sequential, well-behaved subset of C in F * , a dependently-typed variant of ML aimed at program verification. Departing from ML, Low * does not involve any garbage collection or implicit heap allocation; instead, it has a structured memory model à la CompCert, and it provides the control required for writing efficient low-level security-critical code. By virtue of typing, any Low * program is memory safe. In addition, the programmer can make full use of the verification power of F * to write high-level specifications and verify the functional correctness of Low * code using a combination of SMT automation and sophisticated manual proofs. At extraction time, specifications and proofs are erased, and the remaining code enjoys a predictable translation to C. We prove that this translation preserves semantics and side-channel resistance. We provide a new compiler back-end from Low * to C and, to evaluate our approach, we implement and verify various cryptographic algorithms, constructions, and tools for a total of about 28,000 lines of code, specification and proof. We show that our Low * code delivers performance competitive with existing (unverified) C cryptographic libraries, suggesting our approach may be applicable to larger-scale low-level software.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.
hi@scite.ai
10624 S. Eastern Ave., Ste. A-614
Henderson, NV 89052, USA
Copyright © 2024 scite LLC. All rights reserved.
Made with 💙 for researchers
Part of the Research Solutions Family.