Formally Verified Cryptographic Web Applications in WebAssembly

Protzenko, Jonathan; Beurdouche, Benjamin; Merigoux, Denis; Bhargavan, Karthikeyan

doi:10.1109/sp.2019.00064

Cited by 19 publications

(14 citation statements)

References 39 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The second result establishes that our type system is sound (Theorem 2). We prove that our transient-flow type system in combination with a standard constant-time type system (e.g., [Protzenko et al 2019;Watt et al 2019]) enforces constant time under speculative execution . We provide full definitions and proofs in the extended version of this paper [Vassena et al 2020].…”

Section: Consistency and Securitymentioning

confidence: 84%

“…Our approach focuses on side-channel attacks through the observation trace and therefore relies on a separate, but standard, type system to control leaks through the program control-flow and architectural state. In particular, we write CT L (c) if c follows the (sequential) constant time discipline from [Protzenko et al 2019;Watt et al 2019], i.e., it is free of secret-dependent branches and memory accesses.…”

Section: Consistency and Securitymentioning

confidence: 99%

See 1 more Smart Citation

Automatically eliminating speculative leaks from cryptographic code with blade

Vassena

Disselkoen

Gleissenthall

et al. 2021

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

We introduce Blade, a new approach to automatically and efficiently eliminate speculative leaks from cryptographic code. Blade is built on the insight that to stop leaks via speculative execution, it suffices to cut the dataflow from expressions that speculatively introduce secrets ( sources ) to those that leak them through the cache ( sinks ), rather than prohibit speculation altogether. We formalize this insight in a static type system that (1) types each expression as either transient , i.e., possibly containing speculative secrets or as being stable , and (2) prohibits speculative leaks by requiring that all sink expressions are stable. Blade relies on a new abstract primitive, protect , to halt speculation at fine granularity. We formalize and implement protect using existing architectural mechanisms, and show how Blade’s type system can automatically synthesize a minimal number of protect s to provably eliminate speculative leaks. We implement Blade in the Cranelift WebAssembly compiler and evaluate our approach by repairing several verified, yet vulnerable WebAssembly implementations of cryptographic primitives. We find that Blade can fix existing programs that leak via speculation automatically , without user intervention, and efficiently even when using fences to implement protect .

show abstract

Section: Consistency and Securitymentioning

confidence: 84%

Section: Consistency and Securitymentioning

confidence: 99%

Automatically eliminating speculative leaks from cryptographic code with blade

Vassena

Disselkoen

Gleissenthall

et al. 2021

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

show abstract

“…High-assurance cryptography. Many tools have been used to verify functional correctness (and memory safety, if applicable) [28], [29], [30], [31], [32], [33], [34], [35], [36], [37], [38] and constant-time [39], [40], [41], [42], [43], [44], [45], [46], [47], [48], [35], [49] for cryptographic code, including for ChaCha20/Poly1305 [35], [36], [50], [51], [52], [8], [9], [53], [11]. We refer readers to the survey by Barbosa et al [1] for a detailed systematization of high-assurance cryptography tools and applications.…”

Section: Spectre-pht (Input Validation Bypassmentioning

confidence: 99%

High-Assurance Cryptography in the Spectre Era

Barthe

Cauligi

Grégoire

et al. 2021

2021 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

High-assurance cryptography leverages methods from program verification and cryptography engineering to deliver efficient cryptographic software with machine-checked proofs of memory safety, functional correctness, provable security, and absence of timing leaks. Traditionally, these guarantees are established under a sequential execution semantics. However, this semantics is not aligned with the behavior of modern processors that make use of speculative execution to improve performance. This mismatch, combined with the high-profile Spectre-style attacks that exploit speculative execution, naturally casts doubts on the robustness of high-assurance cryptography guarantees. In this paper, we dispel these doubts by showing that the benefits of high-assurance cryptography extend to speculative execution, costing only a modest performance overhead. We build atop the Jasmin verification framework an end-to-end approach for proving properties of cryptographic software under speculative execution, and validate our approach experimentally with efficient, functionally correct assembly implementations of ChaCha20 and Poly1305, which are secure against both traditional timing and speculative execution attacks.[5], [6], [7], [10] either consider weaker threat models or are not proven sound). Following an established approach, our method is decomposed into two steps: (i) check that the program does not perform illegal memory accesses under

show abstract

“…Recently, the F ⋆ programming language [70], which exports type definitions to the Z3 theorem prover [43], has been used to produce implementations of TLS [71] and Signal that are formally verified for functional correctness at the level of the implementation itself [69].…”

Section: Formal Verification Paradigmsmentioning

confidence: 99%

Verifpal: Cryptographic Protocol Analysis for the Real World

Kobeissi¹,

Nicolas²,

Tiwari

2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Verifpal is a new automated modeling framework and verifier for cryptographic protocols, optimized with heuristics for common-case protocol specifications, that aims to work better for real-world practitioners, students and engineers without sacrificing comprehensive formal verification features. In order to achieve this, Verifpal introduces a new, intuitive language for modeling protocols that is easier to write and understand than the languages employed by existing tools. Its formal verification paradigm is also designed explicitly to provide protocol modeling that avoids user error. Verifpal is able to model protocols under an active attacker with unbounded sessions and fresh values, and supports queries for advanced security properties such as forward secrecy or key compromise impersonation. Furthermore, Verifpal's semantics have been formalized within the Coq theorem prover, and Verifpal models can be automatically translated into Coq as well as into ProVerif models for further verification. Verifpal has already been used to verify security properties for Signal, Scuttlebutt, TLS 1.3 as well as the first formal model for the DP-3T pandemic-tracing protocol, which we present in this work. Through Verifpal, we show that advanced verification with formalized semantics and sound logic can exist without any expense towards the convenience of real-world practitioners.

show abstract

Formally Verified Cryptographic Web Applications in WebAssembly

Cited by 19 publications

References 39 publications

Automatically eliminating speculative leaks from cryptographic code with blade

Automatically eliminating speculative leaks from cryptographic code with blade

High-Assurance Cryptography in the Spectre Era

Verifpal: Cryptographic Protocol Analysis for the Real World

Contact Info

Product

Resources

About