Formal verification of a constant-time preserving C compiler

2021 IEEE Symposium on Security and Privacy (SP)

Bhargavan

et al. 2021

Self Cite

Computer-aided cryptography is an active area of research that develops and applies formal, machine-checkable approaches to the design, analysis, and implementation of cryptography. We present a cross-cutting systematization of the computer-aided cryptography literature, focusing on three main areas: (i) design-level security (both symbolic security and computational security), (ii) functional correctness and efficiency, and (iii) implementation-level security (with a focus on digital side-channel resistance). In each area, we first clarify the role of computer-aided cryptography-how it can help and what the caveats are-in addressing current challenges. We next present a taxonomy of state-of-the-art tools, comparing their accuracy, scope, trustworthiness, and usability. Then, we highlight their main achievements, trade-offs, and research challenges. After covering the three main areas, we present two case studies. First, we study efforts in combining tools focused on different areas to consolidate the guarantees they can provide. Second, we distill the lessons learned from the computer-aided cryptography community's involvement in the TLS 1.3 standardization effort. Finally, we conclude with recommendations to paper authors, tool developers, and standardization bodies moving forward.

“…Barthe et al [150] laid the theoretical foundations of constant-time preserving compilation. These ideas were subsequently realized in the verified CompCert C compiler [157].…”

Section: Discussionmentioning

confidence: 99%

SoK: Computer-Aided Cryptography

Barbosa

2021 IEEE Symposium on Security and Privacy (SP)

Bhargavan

et al. 2021

Self Cite

“…However, mechanizing a proof of preservation of speculative constant-time seems significantly simpler, because the analysis is carried at a lower level. This endeavor would require developing methods for proving preservation of speculative constant-time; however we do not anticipate any difficulty in adapting the techniques from existing work on constant-time preserving compilation [54], [66] to the speculative setting.…”

Section: A Machine-checked Guaranteesmentioning

confidence: 99%

High-Assurance Cryptography in the Spectre Era

2021 IEEE Symposium on Security and Privacy (SP)

Cauligi

Grégoire

et al. 2021

Self Cite

High-assurance cryptography leverages methods from program verification and cryptography engineering to deliver efficient cryptographic software with machine-checked proofs of memory safety, functional correctness, provable security, and absence of timing leaks. Traditionally, these guarantees are established under a sequential execution semantics. However, this semantics is not aligned with the behavior of modern processors that make use of speculative execution to improve performance. This mismatch, combined with the high-profile Spectre-style attacks that exploit speculative execution, naturally casts doubts on the robustness of high-assurance cryptography guarantees. In this paper, we dispel these doubts by showing that the benefits of high-assurance cryptography extend to speculative execution, costing only a modest performance overhead. We build atop the Jasmin verification framework an end-to-end approach for proving properties of cryptographic software under speculative execution, and validate our approach experimentally with efficient, functionally correct assembly implementations of ChaCha20 and Poly1305, which are secure against both traditional timing and speculative execution attacks.[5], [6], [7], [10] either consider weaker threat models or are not proven sound). Following an established approach, our method is decomposed into two steps: (i) check that the program does not perform illegal memory accesses under

“…The prevailing trend in this line of work is to carry verification of side-channel protection and this is typically performed towards the end of the compilation chain or directly on the generated assembly code. This is because even certified compilers may not preserve countermeasures against side-channel attacksa notable exception being the CompCertCT compiler that has been formally proved to preserve these countermeasures [12]. Following this trend, our version of CompCert includes an intrinsics-aware constant-time verifier, following the type-checking approach at Mach level of [11].…”

Section: Contributionsmentioning

confidence: 99%

“…Finally, we mention work on Jasmin [3,6], a new pre-assembly language for the implementation of high-assurance crypto code. Jasmin comes with a verified compiler that is guaranteed to preserve, not only functional correctness but also source-level constant-time properties [14,12] The Jasmin language also supports intrinsics and has been shown to give rise to competitive assembly implementations of cryptographic libraries. Our work provides an alternative to Jasmin, and indeed direct assembly verification using e.g., Vale [18], when functionally correct implementations are generated at C level.…”

Section: Related Workmentioning

confidence: 99%

Certified Compilation for Cryptography: Extended x86 Instructions and Constant-Time Verification

Almeida

Barbosa

Progress in Cryptology – INDOCRYPT 2020

et al. 2020

Self Cite

We present a new tool for the generation and verification of high-assurance high-speed machine-level cryptography implementations: a certified C compiler supporting instruction extensions to the x86. We demonstrate the practical applicability of our tool by incorporating it into supercop: a toolkit for measuring the performance of cryptographic software, which includes over 2000 different implementations. We show i. that the coverage of x86 implementations in supercop increases significantly due to the added support of instruction extensions via intrinsics and ii. that the obtained verifiably correct implementations are much closer in performance to unverified ones. We extend our compiler with a specialized type system that acts at pre-assembly level; this is the first constant-time verifier that can deal with extended instruction sets. We confirm that, by using instruction extensions, the performance penalty for verifiably constant-time code can be greatly reduced.