Implementing and Proving the TLS 1.3 Record Layer

Delignat-Lavaud, Antoine; Fournet, Cédric; Kohlweiss, Markulf; Protzenko, Jonathan; Rastogi, Aseem; Swamy, Nikhil; Zanella-Béguelin, Santiago; Bhargavan, Karthikeyan; Pan, Jianyang; Zinzindohoue, Jean Karim

doi:10.1109/sp.2017.58

Cited by 52 publications

(29 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Related Work. Projects such as Everest [8,12], Cao [5], and Jasmin [1], generate verified cryptographic implementations from higher level specifications, e.g. F* models.…”

Section: Introductionmentioning

confidence: 99%

Continuous Formal Verification of Amazon s2n

Chudnov

Collins

Cook

et al. 2018

Computer Aided Verification

View full text Add to dashboard Cite

We describe formal verification of s2n, the open source TLS implementation used in numerous Amazon services. A key aspect of this proof infrastructure is continuous checking, to ensure that properties remain proven during the lifetime of the software. At each change to the code, proofs are automatically re-established with little to no interaction from the developers. We describe the proof itself and the technical decisions that enabled integration into development.

show abstract

“…Related Work. Projects such as Everest [8,12], Cao [5], and Jasmin [1], generate verified cryptographic implementations from higher level specifications, e.g. F* models.…”

Section: Introductionmentioning

confidence: 99%

Continuous Formal Verification of Amazon s2n

Chudnov

Collins

Cook

et al. 2018

Computer Aided Verification

View full text Add to dashboard Cite

show abstract

“…High-assurance cryptographic libraries, for instance, get linked into real applications such as web browsers [24,43] and web servers, which include millions of lines of legacy C/C++ code. Even if the abstractions of the source language ensure that the API of a TLS library cannot leak the server's private key [33], such guarantees are completely lost when compiling the library and linking it into a C/C++ application that can get compromised via a buffer overflow, simply allowing the adversary to read the private key from memory [39]. A compromised or malicious application that links in a high-assurance library can easily read and write its data and code, jump to arbitrary memory locations, or smash the stack, blatantly violating any sourcelevel abstraction and breaking any security guarantee obtained by source-level reasoning.…”

Section: Introductionmentioning

confidence: 99%

Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation

Abate

Blanco

Garg

et al. 2019

2019 IEEE 32nd Computer Security Foundations Symposium (CSF)

View full text Add to dashboard Cite

Good programming languages provide helpful abstractions for writing secure code, but the security properties of the source language are generally not preserved when compiling a program and linking it with adversarial code in a low-level target language (e.g., a library or a legacy application). Linked target code that is compromised or malicious may, for instance, read and write the compiled program's data and code, jump to arbitrary memory locations, or smash the stack, blatantly violating any source-level abstraction. By contrast, a fully abstract compilation chain protects source-level abstractions all the way down, ensuring that linked adversarial target code cannot observe more about the compiled program than what some linked source code could about the source program. However, while research in this area has so far focused on preserving observational equivalence, as needed for achieving full abstraction, there is a much larger space of security properties one can choose to preserve against linked adversarial code. And the precise class of security properties one chooses crucially impacts not only the supported security goals and the strength of the attacker model, but also the kind of protections a secure compilation chain has to introduce.We are the first to thoroughly explore a large space of formal secure compilation criteria based on robust property preservation, i.e., the preservation of properties satisfied against arbitrary adversarial contexts. We study robustly preserving various classes of trace properties such as safety, of hyperproperties such as noninterference, and of relational hyperproperties such as trace equivalence. This leads to many new secure compilation criteria, some of which are easier to practically achieve and prove than full abstraction, and some of which provide strictly stronger security guarantees. For each of the studied criteria we propose an equivalent "property-free" characterization that clarifies which proof techniques apply. For relational properties and hyperproperties, which relate the behaviors of multiple programs, our formal definitions of the property classes themselves are novel. We order our criteria by their relative strength and show several collapses and separation results. Finally, we adapt existing proof techniques to show that even the strongest of our secure compilation criteria, the robust preservation of all relational hyperproperties, is achievable for a simple translation from a statically typed to a dynamically typed language.(∀C T . ∀t 1 , .., t k , ..(∀i.C T [P i ] t i ) ⇒ (t 1 , .., t k , ..) ∈ R)

show abstract

“…A number of previous works have shown how to verify cryptographic protocol implementations to prove the absence of some of these kinds of bugs. In particular, implementations of TLS in F# [13], C [14], and JavaScript [15] have been verified for correctness, memory safety, and cryptographic security. An implementation of a non-standard variant of Signal written in a subset of JavaScript was also verified for cryptographic security [16], but not for correctness.…”

Section: Introduction: Cryptographic Web Applicationsmentioning

confidence: 99%

Formally Verified Cryptographic Web Applications in WebAssembly

Protzenko

Beurdouche

Merigoux

et al. 2019

2019 IEEE Symposium on Security and Privacy (SP)

Self Cite

View full text Add to dashboard Cite

After suffering decades of high-profile attacks, the need for formal verification of security-critical software has never been clearer. Verification-oriented programming languages like F * are now being used to build high-assurance cryptographic libraries and implementations of standard protocols like TLS. In this paper, we seek to apply these verification techniques to modern Web applications, like WhatsApp, that embed sophisticated custom cryptographic components. The problem is that these components are often implemented in JavaScript, a language that is both hostile to cryptographic code and hard to reason about. So we instead target WebAssembly, a new instruction set that is supported by all major JavaScript runtimes.We present a new toolchain that compiles Low * , a low-level subset of the F * programming language, into WebAssembly. Unlike other WebAssembly compilers like Emscripten, our compilation pipeline is focused on compactness and auditability: we formalize the full translation rules in the paper and implement it in a few thousand lines of OCaml. Using this toolchain, we present two case studies. First, we build WHACL * , a WebAssembly version of the existing, verified HACL * cryptographic library. Then, we present LibSignal*, a brand new, verified implementation of the Signal protocol in WebAssembly, that can be readily used by messaging applications like WhatsApp, Skype, and Signal.

show abstract

Implementing and Proving the TLS 1.3 Record Layer

Cited by 52 publications

References 36 publications

Continuous Formal Verification of Amazon s2n

Continuous Formal Verification of Amazon s2n

Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation

Formally Verified Cryptographic Web Applications in WebAssembly

Contact Info

Product

Resources

About