Upload
don-stewart
View
6.106
Download
1
Embed Size (px)
Citation preview
Building a business with HaskellCase Studies: Cryptol, HaLVM, Copilot
Don Stewart | BelHac | Nov 5, 2010
© 2010 Galois, Inc. All rights reserved.
This talk...
Earlier talk, “A decade of functional programming at Galois” described how we use Haskell at Galois
This talk introduces three case studies from some of our projects:
• Cryptol – a cryptography language and toolchain
• HaLVM – OS component isolation via GHC + Xen
• Copilot – a Haskell EDSL for avionics monitoring
Less about Haskell itself, more about the kinds of things we build with it
To give a flavor of how to think functionally about client problems, and hopefully inspire you!
© 2010 Galois, Inc. All rights reserved.
Building systems that are trustworthy
~40 employees in Portland, Oregon
11 years in business
Galois
© 2010 Galois, Inc. All rights reserved.
What does Galois do?
Computer science R&D with a particular brand:
• Formal methods (theorem proving, model checking)
• Typed functional languages
• Compilers, DSLs, analysis tools
For building kernels, file systems, networks, servers, compilers, security systems, desktop apps, ...
Haskell for pretty much everything
French mathematician Évariste Galois
© 2010 Galois, Inc. All rights reserved.
1. Cryptol
What is it? A DSL for cryptography
How? Compilers, interpreters, support tools, all in Haskell
Client need: to establish correctness of crypto algorithm implementations
Not just a government problem:25% of algorithms submitted for FIPS validation had security flaws– Director NIST CMVP, March 26, 2002
© 2010 Galois, Inc. All rights reserved.
Approach: Specification and Formal Tools
Start with a declarative specification language• Make it close to the crypto domain notation
• With custom types and constructs for cryptography
• Designed with feedback from NSA cryptographers
Add execution and validation tools• Generate different implementations (FPGA, C, …)
• Use different verification tools
In use by crypto implementers
© 2010 Galois, Inc. All rights reserved.
More specifically
Purely functional stream-based language• Allows for high level, rapid exploration of the design
Automated synthesis to FPGA• Using algebraic transformations and term rewriting
Automated verification• Equivalence checking of programs against each other, in AIG form
• To show implementation matches the spec
• Using SAT and SMT solvers
© 2010 Galois, Inc. All rights reserved.
Some of the design requirements
Should be a high-level language close to the crypto math• But also executable
Specifications guide and document implementations• And can even generate them
Has to be neutral about execution platform• Don't bake in Von Neumann assumptions
High level language needs support for low level features• Bit patterns, wiring
© 2010 Galois, Inc. All rights reserved.
Key language ideas in Cryptol
Sequences (comprehensions) and recursion
Views on data: machine independent data transforms
Size types: algorithms parameterized by size• Size types from Cryptol coming to GHC soon (Diatchki)
Values and functions
Type inference
x : [4][32];x = [23 13 1 0];
F : ([16],[16]) -> [16];F (x, x’) = 2 * x + x’;
© 2010 Galois, Inc. All rights reserved.
Cryptol Types
Types express size and shape of data [[0x1FE 0x11] [0x132 0x183] [0x1B4 0x5C] [0x26 0x7A]]
has type [4][2][9]
Strong typing with usual power: Inference Parametric polymorphism
All to support the unambiguous specification of interfaces, to the bit level
© 2010 Galois, Inc. All rights reserved.
Converting specs into types
blockEncrypt : {k} (k >= 2, 4 >= k) => ([128], [64*k]) → [128]
For all k…
between 2 and 4
First input is a sequence of 128 bits
Second input is a sequence of 128, 192, or 256 bits
Output is a sequence of
128 bits
†http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
© 2010 Galois, Inc. All rights reserved.
An example: DES
des : ([64],[56]) -> [64];des (pt, key) = permute (FP, last) where { pt’ = permute (IP, pt); iv = [| round (lr, key, rnd) || rnd <- [0 .. 15] || lr <- [(split pt’)] # iv |]; last = join (swap (iv @ 15)); swap [a b] = [b a]; };
round : ([2][32], [56], [4]) -> [2][32];round([l r], key, rnd) = [r (l^f(r, kx))] where { kx = expand(key, rnd); f(r,k) = permute(PP, SBox(k^permute(EP, r))); };
© 2010 Galois, Inc. All rights reserved.
Cryptol on FPGAs
Why? Lack of trust in commodity hardware
• Evaluators can see as much of the solution as possible
• Do not have to ship designs off-shore
• FPGAs are more flexible than programmable custom crypto processors
Natural match between Cryptography and FPGAs• Manipulation of arbitrary length bit sequences
• Highly-parallel stream processing
And FPGAs are fast…
© 2010 Galois, Inc. All rights reserved.
AES reference specification
(Cryptol)
AES reference specification
(Cryptol)
Key
Third party tools
Galois tools
Data files
Evaluation/Certification evidence
Input to tool
Feedback to designer
Cryptolcompiler
Cryptolcompiler
CC
SimulatorSimulator Experiment with system integration and control logic.
Equivalence check
Equivalence check
Equivalenceevidence
Equivalenceevidence
CryptoDeveloper
Targetspecification
Targetspecification
Symbolicsimulator Symbolicsimulator
SymbolicsimulatorSymbolicsimulator
Referencemodel
Referencemodel
TargetmodelTargetmodel
Make high-level target-
specific refinements.
Verify equivalence
with reference specification.
Case Study at Rockwell-CollinsHigh Speed Encryptor Project
Equivalence check
Equivalence check
Equivalenceevidence
Equivalenceevidence
Equivalence check
Equivalence check
Equivalenceevidence
Equivalenceevidence
Place androute
Place androute
BitfileBitfileNetlistmodelNetlistmodel
SynthesisSynthesis
NetlistmodelNetlistmodel
Calibrate time/space trade-offs and connectivity issues. Verify equivalence with target specification.
VHDLVHDL
© 2010 Galois, Inc. All rights reserved.
Equivalence Checking Cryptol
Use SAT to check program equivalence in AIG form• Equivalence Checking of various versions of AES and DES against
both reference models and internal FPGA models take < 5 minutes (most take < 30 seconds)
• Models typically have ~106 nodes
However, it has its limitations• The Hash Function MD5 on 2 bits takes nearly 10 minutes…• The block cipher RC6, however takes, uh, too long
(32-bit multiply)• Only works on core ciphers — not modes (finite input/output)• The equivalence checker typically yields an answer promptly,
or it times out
© 2010 Galois, Inc. All rights reserved.
Other Cryptol Assurance tools
“Quickcheck” property-based testing• User gives a property, Cryptol automatically tests it on random inputs.
Translators to SAT- and SMT-based property checkers• User can give more general properties to these tools• SAT: Checks for satisfiability of large Boolean formulas• SMT extends SAT with higher-level constraint solvers (linear arithmetic,
arrays, functions, etc.) Safety checking
• Automatically checks that a Cryptol function will never raise an exception• Some possible exceptions: Divide-by-zero, Out-of-bounds array access,
assertion failures Semi-automatic theorem proving
• Translator from Cryptol to Isabelle theorem prover• User can specify arbitrary Cryptol properties, but proof may need human
guidance
© 2010 Galois, Inc. All rights reserved.
2. The HaLVM
Xen hypervisor for clean separation between OS components
Haskell runtime as OS on top, for fast, small system prototypes
© 2010 Galois, Inc. All rights reserved.
HaLVM goals
Rapid exploration of decomposed, high assurance OS design space
A sandbox for experimentation with OS components
The HaLVM:• Libraries + runtime on top of the Xen hypervisor
• Boot your (Haskell) OS in < 1s
Write OS components quickly in Haskell, glue them together safely, via Xen
© 2010 Galois, Inc. All rights reserved.
An example: web server separation
© 2010 Galois, Inc. All rights reserved.
High level architecture
© 2010 Galois, Inc. All rights reserved.
HaLVM summary
What we have:• A rapid prototyping system for OS designs
• Build minimalist, strongly separated systems, in Haskell, without a host OS
• Write drivers in Haskell
• Many gory details in practice...
Particularly useful for rolling systems with interesting network stacks quickly
Uses the rich GHC runtime and language to solve the client need for fast, small prototypes and rapid exploration
While giving more assurance than C
© 2010 Galois, Inc. All rights reserved.
3. Copilot: a DSL for hard realtime monitors
• Hard Real-Time systems
• Others already do soft real-time
• Synchronized systems
• Common in avionics
• Periodic Schedules
• Time-trigged systems
• Monitoring by sampling
© 2010 Galois, Inc. All rights reserved.
Copilot design
● Copilot is a Haskell eDSL targeted at monitoring hard real-time systems.
● Synchronous language defined by a set of stream equations (simple data-flow model).
● Uses the Atom Haskell eDSL as an intermediate language to generate hard real-time C.
● eDSLs building on eDSLs!● Atom is co-maintained by Galois and Eaton.
● Generates it's own schedule---no RTOS needed.
© 2010 Galois, Inc. All rights reserved.
Example Copilot Specification
If the temperature rises more than 2.3 degrees within 2 seconds, then engine is shut off.
engine:: Streams
engine = do
temps .= [0,0,0] ++ extF temp 1
overTempRise .= drop 2 (var temps)
> const 2.3 + var temps
trigger .= (var overTempRise)
implies (extB shutoff 2)
© 2010 Galois, Inc. All rights reserved.
Testbed
● Representative of fault-tolerant systems
• 4 X STM microcontrollers
• ARM Cortex M3 cores clocked at 72 Mhz
• MPXV5004DP differential pressure sensor
• Senses dynamic and static pressure
• Pitot tubes measure airspeed
• Designed to fit in UAS (unpiloted air system)
• Power, weight,...
© 2010 Galois, Inc. All rights reserved.
© 2010 Galois, Inc. All rights reserved.
© 2010 Galois, Inc. All rights reserved.
© 2010 Galois, Inc. All rights reserved.
Copilot
Copilot is open source! eDSL on Hackage:• cabal install copilot
Used EDSL approach now (Cryptol's size types required DSL approach back in the day)
Haskell dev environment generates verifiable C code
That C code then runs on the embedded device
Again, uses ideas for strong types, declarative specifications, rapid prototyping, and formal verification
© 2010 Galois, Inc. All rights reserved.
Keep an eye out for other things from Galois
Nettle, a policy language for network routing • cabal install nettle-openflow
Haskell Verifier project• Integrate Haskell and Isabelle once and for all
Grid 2.0 - IdM on the Open Science Grid, for LHC users
TSE: storage device for multiple security levels of data
New Cryptol backends: Java, LLVM
Tearline Wiki: wiki for classified data with strong separation
ASA: information flow analysis tool for C code, integrated into commercial toolchain
And actually, a lot more...
© 2010 Galois, Inc. All rights reserved.
Summary
You can build a thriving engineering business using functional programming skills and ideas – as long as you are client-focused
Seek problem domain problems that can be made safer, faster, easier … quickly demonstrate value to the client
Our tools are ready: GHC, Cabal, Hackage, Isabelle: a rich ecosystem for getting things done quickly – and can be integrated into existing systems and toolchains
But Haskell is not the message: what value to the client do you provide – faster, sooner, safer, cheaper?
Give back to the community if you can: code, servers, infrastructure, hackathons … we all benefit from any individual success
© 2010 Galois, Inc. All rights reserved.
Questions?
Questions?