Machine Assisted Verification Tools for Cryptography

Post on 04-Jul-2015


Presented at Second Meeting: NET-SCIP Workshop on Security, Porto, Portugal in October 13, 2010.

Transcript of Machine Assisted Verification Tools for Cryptography

Machine Assisted Verification Tools for Cryptography

Paulo Silva (1), Manuel Barbosa (1)

(1) Departamento de Informática, Computer Science and Technology Centre (CCTC/DI), Universidade do Minho, Portugal

October 13, 2010

Computer Aided Cryptography Engineering (CACE)

European FP7 Project (http://www.cace-project.eu). Overall objectives:

Design, develop and deploy a toolbox for cryptographic software engineering
Allow non-experts to develop high-level cryptographic applications using cryptography-aware programming languages and tools

Our group is responsible for Work Package 5 (WP5): Formal Verification and Validation of Cryptographic Software

Formal Verification and Validation (WP5)

Adapt validation, verification and certification of secure software techniques to the CACE project
Extend languages and tools to include machine assisted verification of correctness and conformance to security policies
Implement a certified shared library core

CAO Language


Small and simple domain specific language
Geared toward the automatic production of highly efficient target code subject to security-aware optimizations
Close to cryptographic standards
Type system supports cryptographic types such as bit strings, matrices and field extensions
We have a complete formalization of CAO's syntax, semantics and type system

We have implemented a fully functional CAO interpreter

CAO Language Example (AES fragment)

typedef GF2 := mod[ 2 ];
typedef GF2N := mod[ GF2<X> / X**8 + X**4 + X**3 + X + 1 ];
typedef S := matrix[4,4] of GF2N;

def mix : matrix[4,4] of GF2N := { [X],   [X+1], [1],   [1],
                                   [1],   [X],   [X+1], [1],
                                   [1],   [1],   [X],   [X+1],
                                   [X+1], [1],   [1],   [X] };

def MixColumns( s : S ) : S {
    def r : S;
    seq i := 0 to 3 {
        r[0..3,i] := mix * s[0..3,i];
    }
    return r;
}

Deductive Verification


Tools based on variations of Hoare logic
Axioms and inference rules capture the semantics of imperative languages
Programs are bound to contracts: a pre-condition and a post-condition
If the pre-condition is met at the inputs, the program guarantees the post-condition at the outputs

Deductive Verification

Annotation Language (CAO-SL): properties that must be proven (the specification) and extra information to facilitate verification are included in the source code as annotations.

Verification condition generator (VCGen): the annotated program is used to generate a set of proof obligations. The validity of these proof obligations implies that the software is indeed correct with respect to the specification.

Proof generation: proof obligations are theorems of first-order logic that must be proven, using a first-order automatic proof tool (e.g. Simplify) or a proof assistant (e.g. Coq) to construct the proof.
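To make the AES fragment and the contract idea concrete, here is an added Python example (not code from the slides or from the CACE project): GF(2^8) arithmetic with the modulus from the CAO typedef GF2N, the same mix matrix, and MixColumns with its pre-condition (a 4x4 state of field elements) and a post-condition (the transformation is invertible) checked at run time, where a VCGen would instead emit them as proof obligations. The known-answer state is the FIPS 197 Appendix B round-1 example; the InvMixColumns matrix used as the post-condition oracle is also from FIPS 197.

```python
from functools import reduce
from operator import xor

# X**8 + X**4 + X**3 + X + 1 as a bit vector: the modulus in the CAO typedef GF2N.
AES_POLY = 0b1_0001_1011

def gf_mul(a: int, b: int, poly: int = AES_POLY) -> int:
    """Multiply in GF(2^n) modulo `poly` (n = degree of poly); elements are ints."""
    n = poly.bit_length() - 1
    assert 0 <= a < (1 << n) and 0 <= b < (1 << n), "pre: operands are field elements"
    r = 0
    while b:                      # shift-and-add, carry-less multiplication
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:                # degree reached n: reduce by the modulus
            a ^= poly
    return r

X, X1, ONE = 0b10, 0b11, 0b01     # the CAO literals X, X+1 and 1 as field elements
MIX = [[X, X1, ONE, ONE],         # row-major copy of the CAO `mix` literal
       [ONE, X, X1, ONE],
       [ONE, ONE, X, X1],
       [X1, ONE, ONE, X]]
INV_MIX = [[0x0e, 0x0b, 0x0d, 0x09],   # FIPS 197 InvMixColumns matrix, used only as the
           [0x09, 0x0e, 0x0b, 0x0d],   # oracle for the post-condition below
           [0x0d, 0x09, 0x0e, 0x0b],
           [0x0b, 0x0d, 0x09, 0x0e]]

def mat_vec(m, col):
    """m * col over GF(2^8); field addition is XOR (this is the CAO `mix * s[0..3,i]`)."""
    return [reduce(xor, (gf_mul(c, v) for c, v in zip(row, col)), 0) for row in m]

def inv_mix_columns(state):
    return [mat_vec(INV_MIX, col) for col in state]

def mix_columns(state):
    """state: 4 columns of 4 field elements, mirroring `matrix[4,4] of GF2N`."""
    assert len(state) == 4 and all(len(c) == 4 for c in state), "pre: 4x4 state"
    r = [mat_vec(MIX, col) for col in state]          # the CAO `seq i := 0 to 3` loop
    assert inv_mix_columns(r) == state, "post: MixColumns is invertible"
    return r

# Known-answer vector (FIPS 197 Appendix B, round 1, column-major): state before/after MixColumns.
BEFORE = [[0xd4, 0xbf, 0x5d, 0x30], [0xe0, 0xb4, 0x52, 0xae],
          [0xb8, 0x41, 0x11, 0xf1], [0x1e, 0x27, 0x98, 0xe5]]
AFTER = [[0x04, 0x66, 0x81, 0xe5], [0xe0, 0xcb, 0x19, 0x9a],
         [0x48, 0xf8, 0xd3, 0x7a], [0x28, 0x06, 0x26, 0x4c]]

if __name__ == "__main__":
    print("MixColumns matches FIPS 197:", mix_columns(BEFORE) == AFTER)
```

The run-time asserts only check the contract on the inputs actually seen; the point of the VCGen and prover pipeline on the slides is to discharge the same pre- and post-conditions once, for all inputs.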

CALF Language


Higher-level than CAO
More powerful abstraction to write generic code
A suitable candidate for direct translation and implementation of cryptographic standards
Static verification and pre-processing tool for enhanced CAO source code

CALF to CAO compiler

High-assurance compiler that translates CALF to CAO code
Advanced type system based on dependent types to ensure that certain properties are met
More manageable than deductive verification
May be used to reduce the number of proof obligations
Example: ensures that the access to a vector position is within bounds (memory safe)

CALF Language Example (RSA fragment)

typedef RSAPub<(n : int)> := struct [ def e : int; ];

def RSA<(n : int)>( k : RSAPub<(n)>, m : int ) : int {
    def c : mod[n];
    c := (mod[n]) m;
    c := c ** k.e;
    return (int) c;
}

Ongoing Work

Proofs about the CAO formalization, namely type safety
Data type classifiers
Verification of cryptographic libraries (NaCl)
Compiler from CAO to C