CT-wasm: type-driven secure cryptography for the web ecosystem

Watt, Conrad; Renner, John W.; Popescu, Natalie; Cauligi, Sunjay; Stefan, Deian

doi:10.1145/3290390

Cited by 55 publications

(41 citation statements)

References 54 publications

(80 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Like previous information-flow type systems [42,43,55,62], FaCT decorates each base type with a secret or public secrecy label 2 . Figure 2 summarizes our base types; they are largely standard.…”

Section: Type Systemmentioning

confidence: 99%

“…where ≡ is a suitably parametrized notion of equivalence (e.g., public or łlowž equivalence [5,9,62]).…”

Section: Compiler Correctness and Securitymentioning

confidence: 99%

“…Much like CT-Wasm [62], we cannot prove that all FaCT procedures are constant-timeÐFaCT allows procedures to declassify secret data and call external procedures over which it has no control. We can, however, provide guarantees for a safe subset of declassify-free procedures, i.e., procedures that do not contain any declassify statements nor call other procedures unless they too are declassify-free (and not extern).…”

Section: Compiler Correctness and Securitymentioning

confidence: 99%

“…Several other works concerned with constant-time crypto implementation [8,52,56,62] have reported using dudect. In our testing, we found the tool to quickly and reliably find timing differences in buggy code.…”

Section: Securitymentioning

confidence: 99%

See 3 more Smart Citations

FaCT: a DSL for timing-sensitive computation

Cauligi

Soeller

Johannesmeyer

et al. 2019

Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation

Self Cite

View full text Add to dashboard Cite

Real-world cryptographic code is often written in a subset of C intended to execute in constant-time, thereby avoiding timing side channel vulnerabilities. This C subset eschews structured programming as we know it: if-statements, looping constructs, and procedural abstractions can leak timing information when handling sensitive data. The resulting obfuscation has led to subtle bugs, even in widely-used highprofile libraries like OpenSSL. To address the challenge of writing constant-time cryptographic code, we present FaCT, a crypto DSL that provides high-level but safe language constructs. The FaCT compiler uses a secrecy type system to automatically transform potentially timing-sensitive high-level code into low-level, constant-time LLVM bitcode. We develop the language and type system, formalize the constant-time transformation, and present an empirical evaluation that uses FaCT to implement core crypto routines from several open-source projects including OpenSSL, libsodium, and curve25519-donna. Our evaluation shows that FaCT's design makes it possible to write readable, high-level cryptographic code, with efficient, constant-time behavior. CCS Concepts • Security and privacy → Cryptography; • Software and its engineering → General programming languages; • Theory of computation → Operational semantics.

show abstract

Section: Type Systemmentioning

confidence: 99%

“…where ≡ is a suitably parametrized notion of equivalence (e.g., public or łlowž equivalence [5,9,62]).…”

Section: Compiler Correctness and Securitymentioning

confidence: 99%

Section: Compiler Correctness and Securitymentioning

confidence: 99%

Section: Securitymentioning

confidence: 99%

See 2 more Smart Citations

FaCT: a DSL for timing-sensitive computation

Cauligi

Soeller

Johannesmeyer

et al. 2019

Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation

Self Cite

View full text Add to dashboard Cite

show abstract

“…We propose to build a validation pass on the WebAssembly code generated from KreMLin to ensure that it preserves the side-channel guarantees proved for the Low * source code. To ensure that these guarantees are preserved all the way to machine code, we hope to eventually connect our toolchain to CT-Wasm [35], a new proposal that advocates for a notion of secrets directly built into the WebAssembly semantics.…”

Section: Secret Independence In Webassemblymentioning

confidence: 99%

Formally Verified Cryptographic Web Applications in WebAssembly

Protzenko

Beurdouche

Merigoux

et al. 2019

2019 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

After suffering decades of high-profile attacks, the need for formal verification of security-critical software has never been clearer. Verification-oriented programming languages like F * are now being used to build high-assurance cryptographic libraries and implementations of standard protocols like TLS. In this paper, we seek to apply these verification techniques to modern Web applications, like WhatsApp, that embed sophisticated custom cryptographic components. The problem is that these components are often implemented in JavaScript, a language that is both hostile to cryptographic code and hard to reason about. So we instead target WebAssembly, a new instruction set that is supported by all major JavaScript runtimes.We present a new toolchain that compiles Low * , a low-level subset of the F * programming language, into WebAssembly. Unlike other WebAssembly compilers like Emscripten, our compilation pipeline is focused on compactness and auditability: we formalize the full translation rules in the paper and implement it in a few thousand lines of OCaml. Using this toolchain, we present two case studies. First, we build WHACL * , a WebAssembly version of the existing, verified HACL * cryptographic library. Then, we present LibSignal*, a brand new, verified implementation of the Signal protocol in WebAssembly, that can be readily used by messaging applications like WhatsApp, Skype, and Signal.

show abstract

Hermes: A Reversible Language for Writing Encryption Algorithms (Work in Progress)

Mogensen

2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

CT-wasm: type-driven secure cryptography for the web ecosystem

Cited by 55 publications

References 54 publications

FaCT: a DSL for timing-sensitive computation

FaCT: a DSL for timing-sensitive computation

Formally Verified Cryptographic Web Applications in WebAssembly

Hermes: A Reversible Language for Writing Encryption Algorithms (Work in Progress)

Contact Info

Product

Resources

About