Verified low-level programming embedded in F*

Protzenko, Jonathan; Zinzindohoué, Jean-Karim; Rastogi, Aseem; Ramananandro, Tahina; Wang, Peng; Zanella-Béguelin, Santiago; Delignat-Lavaud, Antoine; Hriţcu, Cătălin; Bhargavan, Karthikeyan; Fournet, Cédric; Swamy, Nikhil

doi:10.1145/3110261

Cited by 69 publications

(44 citation statements)

References 53 publications

(48 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, while ConSORT automatically infers many ownership transfers, Viper requires extensive annotations for each transfer. F*, a dependently typed dialect of ML, includes an update/select theory of heaps and requires explicit annotations summarizing the heap effects of a method [44,57,58]. This approach enables modular reasoning and precise specification of pre-and post-conditions with respect to the heap, but precludes full automation.…”

Section: Related Workmentioning

confidence: 99%

ConSORT: Context- and Flow-Sensitive Ownership Refinement Types for Imperative Programs

Toman

Siqi

Suenaga

et al. 2020

Programming Languages and Systems

View full text Add to dashboard Cite

We present ConSORT, a type system for safety verification in the presence of mutability and aliasing. Mutability requires strong updates to model changing invariants during program execution, but aliasing between pointers makes it difficult to determine which invariants must be updated in response to mutation. Our type system addresses this difficulty with a novel combination of refinement types and fractional ownership types. Fractional ownership types provide flow-sensitive and precise aliasing information for reference variables. ConSORT interprets this ownership information to soundly handle strong updates of potentially aliased references. We have proved ConSORT sound and implemented a prototype, fully automated inference tool. We evaluated our tool and found it verifies non-trivial programs including data structure implementations.

show abstract

Section: Related Workmentioning

confidence: 99%

ConSORT: Context- and Flow-Sensitive Ownership Refinement Types for Imperative Programs

Toman

Siqi

Suenaga

et al. 2020

Programming Languages and Systems

View full text Add to dashboard Cite

show abstract

“…Once proven correct with regards to their specification, programs written in F * can be compiled to OCaml or F#. Recently [9], F * gained the ability to generate C code, as long as the run-time parts of the program are written in a low-level subset called Low * . This allows the programmer to use the full power of F * for proofs and verification and, relying on the fact that proofs are computationally irrelevant and hence erased, extract the remaining Low * code to C. This approach was successfully used by the HACL * [18] verified crypto library, and the resulting C code is currently used in the Firefox browser and Wireguard VPN.…”

Section: Background: F * and Webassemblymentioning

confidence: 99%

“…Our approach is to compile WebAssembly code from formally verified source code written in Low * [9], a subset of the F * programming language [10]. As far as we know, this is the first verification toolchain for WebAssembly that supports correctness, memory safety, and side-channel resistance.…”

Section: Introduction: Cryptographic Web Applicationsmentioning

confidence: 99%

Formally Verified Cryptographic Web Applications in WebAssembly

Protzenko

Beurdouche

Merigoux

et al. 2019

2019 IEEE Symposium on Security and Privacy (SP)

Self Cite

View full text Add to dashboard Cite

After suffering decades of high-profile attacks, the need for formal verification of security-critical software has never been clearer. Verification-oriented programming languages like F * are now being used to build high-assurance cryptographic libraries and implementations of standard protocols like TLS. In this paper, we seek to apply these verification techniques to modern Web applications, like WhatsApp, that embed sophisticated custom cryptographic components. The problem is that these components are often implemented in JavaScript, a language that is both hostile to cryptographic code and hard to reason about. So we instead target WebAssembly, a new instruction set that is supported by all major JavaScript runtimes.We present a new toolchain that compiles Low * , a low-level subset of the F * programming language, into WebAssembly. Unlike other WebAssembly compilers like Emscripten, our compilation pipeline is focused on compactness and auditability: we formalize the full translation rules in the paper and implement it in a few thousand lines of OCaml. Using this toolchain, we present two case studies. First, we build WHACL * , a WebAssembly version of the existing, verified HACL * cryptographic library. Then, we present LibSignal*, a brand new, verified implementation of the Signal protocol in WebAssembly, that can be readily used by messaging applications like WhatsApp, Skype, and Signal.

show abstract

“…Whereas those specifications are ghost code, we would like to generate implementations that can be extracted to C. To this end, we generate stateful implementations written in the Low set of F [56], operating on buffers, which are Low mutable data structures representing C arrays. There, instead of a sequence of bytes, the parser implementation is given an input buffer and its length; and the serializer implementation is given an output buffer (along with its length) onto which it is to serialize the data.…”

Section: A Metaprogramming Verified Parsers and Serializersmentioning

confidence: 99%

Meta-F $$^\star $$ : Proof Automation with SMT, Tactics, and Metaprograms

Martínez

Ahman

Dumitrescu³

et al. 2019

Programming Languages and Systems

Self Cite

View full text Add to dashboard Cite

We introduce Meta-F , a tactics and metaprogramming framework for the F program verifier. The main novelty of Meta-F is allowing the use of tactics and metaprogramming to discharge assertions not solvable by SMT, or to just simplify them into well-behaved SMT fragments. Plus, Meta-F can be used to generate verified code automatically. Meta-F is implemented as an F effect, which, given the powerful effect system of F , heavily increases code reuse and even enables the lightweight verification of metaprograms. Metaprograms can be either interpreted, or compiled to efficient native code that can be dynamically loaded into the F type-checker and can interoperate with interpreted code. Evaluation on realistic case studies shows that Meta-F provides substantial gains in proof development, efficiency, and robustness.

show abstract

Verified low-level programming embedded in F*

Cited by 69 publications

References 53 publications

ConSORT: Context- and Flow-Sensitive Ownership Refinement Types for Imperative Programs

ConSORT: Context- and Flow-Sensitive Ownership Refinement Types for Imperative Programs

Formally Verified Cryptographic Web Applications in WebAssembly

Meta-F $$^\star $$ : Proof Automation with SMT, Tactics, and Metaprograms

Contact Info

Product

Resources

About