Building a business with Haskell: Case Studies: Cryptol, HaLVM and Copilot

Building a business with HaskellCase Studies: Cryptol, HaLVM, Copilot

Don Stewart | BelHac | Nov 5, 2010

© 2010 Galois, Inc. All rights reserved.

This talk...

Earlier talk, “A decade of functional programming at Galois” described how we use Haskell at Galois

This talk introduces three case studies from some of our projects:

• Cryptol – a cryptography language and toolchain

• HaLVM – OS component isolation via GHC + Xen

• Copilot – a Haskell EDSL for avionics monitoring

Less about Haskell itself, more about the kinds of things we build with it

To give a flavor of how to think functionally about client problems, and hopefully inspire you!


Building systems that are trustworthy

~40 employees in Portland, Oregon

11 years in business

Galois


What does Galois do?

Computer science R&D with a particular brand:

• Formal methods (theorem proving, model checking)

• Typed functional languages

• Compilers, DSLs, analysis tools

For building kernels, file systems, networks, servers, compilers, security systems, desktop apps, ...

Haskell for pretty much everything

French mathematician Évariste Galois


1. Cryptol

What is it? A DSL for cryptography

How? Compilers, interpreters, support tools, all in Haskell

Client need: to establish correctness of crypto algorithm implementations

Not just a government problem:25% of algorithms submitted for FIPS validation had security flaws– Director NIST CMVP, March 26, 2002


Approach: Specification and Formal Tools

Start with a declarative specification language• Make it close to the crypto domain notation

• With custom types and constructs for cryptography

• Designed with feedback from NSA cryptographers

Add execution and validation tools• Generate different implementations (FPGA, C, …)

• Use different verification tools

In use by crypto implementers


More specifically

Purely functional stream-based language• Allows for high level, rapid exploration of the design

Automated synthesis to FPGA• Using algebraic transformations and term rewriting

Automated verification• Equivalence checking of programs against each other, in AIG form

• To show implementation matches the spec

• Using SAT and SMT solvers


Some of the design requirements

Should be a high-level language close to the crypto math• But also executable

Specifications guide and document implementations• And can even generate them

Has to be neutral about execution platform• Don't bake in Von Neumann assumptions

High level language needs support for low level features• Bit patterns, wiring


Key language ideas in Cryptol

Sequences (comprehensions) and recursion

Views on data: machine independent data transforms

Size types: algorithms parameterized by size• Size types from Cryptol coming to GHC soon (Diatchki)

Values and functions

Type inference

x : [4][32];x = [23 13 1 0];

F : ([16],[16]) -> [16];F (x, x’) = 2 * x + x’;


Cryptol Types

Types express size and shape of data [[0x1FE 0x11] [0x132 0x183] [0x1B4 0x5C] [0x26 0x7A]]

has type [4][2][9]

Strong typing with usual power: Inference Parametric polymorphism

All to support the unambiguous specification of interfaces, to the bit level


Converting specs into types

blockEncrypt : {k} (k >= 2, 4 >= k) => ([128], [64*k]) → [128]

For all k…

between 2 and 4

First input is a sequence of 128 bits

Second input is a sequence of 128, 192, or 256 bits

Output is a sequence of

128 bits

†http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf


An example: DES

des : ([64],[56]) -> [64];des (pt, key) = permute (FP, last) where { pt’ = permute (IP, pt); iv = [| round (lr, key, rnd) || rnd <- [0 .. 15] || lr <- [(split pt’)] # iv |]; last = join (swap (iv @ 15)); swap [a b] = [b a]; };

round : ([2][32], [56], [4]) -> [2][32];round([l r], key, rnd) = [r (l^f(r, kx))] where { kx = expand(key, rnd); f(r,k) = permute(PP, SBox(k^permute(EP, r))); };


Cryptol on FPGAs

Why? Lack of trust in commodity hardware

• Evaluators can see as much of the solution as possible

• Do not have to ship designs off-shore

• FPGAs are more flexible than programmable custom crypto processors

Natural match between Cryptography and FPGAs• Manipulation of arbitrary length bit sequences

• Highly-parallel stream processing

And FPGAs are fast…


AES reference specification

(Cryptol)

AES reference specification

(Cryptol)

Key

Third party tools

Galois tools

Data files

Evaluation/Certification evidence

Input to tool

Feedback to designer

Cryptolcompiler

Cryptolcompiler

CC

SimulatorSimulator Experiment with system integration and control logic.

Equivalence check

Equivalence check

Equivalenceevidence

Equivalenceevidence

CryptoDeveloper

Targetspecification

Targetspecification

Symbolicsimulator Symbolicsimulator

SymbolicsimulatorSymbolicsimulator

Referencemodel

Referencemodel

TargetmodelTargetmodel

Make high-level target-

specific refinements.

Verify equivalence

with reference specification.

Case Study at Rockwell-CollinsHigh Speed Encryptor Project

Equivalence check

Equivalence check

Equivalenceevidence

Equivalenceevidence

Equivalence check

Equivalence check

Equivalenceevidence

Equivalenceevidence

Place androute

Place androute

BitfileBitfileNetlistmodelNetlistmodel

SynthesisSynthesis

NetlistmodelNetlistmodel

Calibrate time/space trade-offs and connectivity issues. Verify equivalence with target specification.

VHDLVHDL


Equivalence Checking Cryptol

Use SAT to check program equivalence in AIG form• Equivalence Checking of various versions of AES and DES against

both reference models and internal FPGA models take < 5 minutes (most take < 30 seconds)

• Models typically have ~106 nodes

However, it has its limitations• The Hash Function MD5 on 2 bits takes nearly 10 minutes…• The block cipher RC6, however takes, uh, too long

(32-bit multiply)• Only works on core ciphers — not modes (finite input/output)• The equivalence checker typically yields an answer promptly,

or it times out


Other Cryptol Assurance tools

“Quickcheck” property-based testing• User gives a property, Cryptol automatically tests it on random inputs.

Translators to SAT- and SMT-based property checkers• User can give more general properties to these tools• SAT: Checks for satisfiability of large Boolean formulas• SMT extends SAT with higher-level constraint solvers (linear arithmetic,

arrays, functions, etc.) Safety checking

• Automatically checks that a Cryptol function will never raise an exception• Some possible exceptions: Divide-by-zero, Out-of-bounds array access,

assertion failures Semi-automatic theorem proving

• Translator from Cryptol to Isabelle theorem prover• User can specify arbitrary Cryptol properties, but proof may need human

guidance


2. The HaLVM

Xen hypervisor for clean separation between OS components

Haskell runtime as OS on top, for fast, small system prototypes


HaLVM goals

Rapid exploration of decomposed, high assurance OS design space

A sandbox for experimentation with OS components

The HaLVM:• Libraries + runtime on top of the Xen hypervisor

• Boot your (Haskell) OS in < 1s

Write OS components quickly in Haskell, glue them together safely, via Xen


An example: web server separation


High level architecture


HaLVM summary

What we have:• A rapid prototyping system for OS designs

• Build minimalist, strongly separated systems, in Haskell, without a host OS

• Write drivers in Haskell

• Many gory details in practice...

Particularly useful for rolling systems with interesting network stacks quickly

Uses the rich GHC runtime and language to solve the client need for fast, small prototypes and rapid exploration

While giving more assurance than C


3. Copilot: a DSL for hard realtime monitors

• Hard Real-Time systems

• Others already do soft real-time

• Synchronized systems

• Common in avionics

• Periodic Schedules

• Time-trigged systems

• Monitoring by sampling


Copilot design

● Copilot is a Haskell eDSL targeted at monitoring hard real-time systems.

● Synchronous language defined by a set of stream equations (simple data-flow model).

● Uses the Atom Haskell eDSL as an intermediate language to generate hard real-time C.

● eDSLs building on eDSLs!● Atom is co-maintained by Galois and Eaton.

● Generates it's own schedule---no RTOS needed.


Example Copilot Specification

If the temperature rises more than 2.3 degrees within 2 seconds, then engine is shut off.

engine:: Streams

engine = do

temps .= [0,0,0] ++ extF temp 1

overTempRise .= drop 2 (var temps)

> const 2.3 + var temps

trigger .= (var overTempRise)

implies (extB shutoff 2)


Testbed

● Representative of fault-tolerant systems

• 4 X STM microcontrollers

• ARM Cortex M3 cores clocked at 72 Mhz

• MPXV5004DP differential pressure sensor

• Senses dynamic and static pressure

• Pitot tubes measure airspeed

• Designed to fit in UAS (unpiloted air system)

• Power, weight,...





Copilot

Copilot is open source! eDSL on Hackage:• cabal install copilot

Used EDSL approach now (Cryptol's size types required DSL approach back in the day)

Haskell dev environment generates verifiable C code

That C code then runs on the embedded device

Again, uses ideas for strong types, declarative specifications, rapid prototyping, and formal verification


Keep an eye out for other things from Galois

Nettle, a policy language for network routing • cabal install nettle-openflow

Haskell Verifier project• Integrate Haskell and Isabelle once and for all

Grid 2.0 - IdM on the Open Science Grid, for LHC users

TSE: storage device for multiple security levels of data

New Cryptol backends: Java, LLVM

Tearline Wiki: wiki for classified data with strong separation

ASA: information flow analysis tool for C code, integrated into commercial toolchain

And actually, a lot more...


Summary

You can build a thriving engineering business using functional programming skills and ideas – as long as you are client-focused

Seek problem domain problems that can be made safer, faster, easier … quickly demonstrate value to the client

Our tools are ready: GHC, Cabal, Hackage, Isabelle: a rich ecosystem for getting things done quickly – and can be integrated into existing systems and toolchains

But Haskell is not the message: what value to the client do you provide – faster, sooner, safer, cheaper?

Give back to the community if you can: code, servers, infrastructure, hackathons … we all benefit from any individual success


Questions?

Questions?

Documents

Building a business with Haskell: Case Studies: Cryptol, HaLVM and Copilot