Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno...
Transcript of Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno...
![Page 1: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/1.jpg)
Building Provably Secure Systems
Bryan Parno
1
Associate Professor, CSD & ECE
![Page 2: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/2.jpg)
The Ironclad Project
2
Ironclad Apps
App
Lib
Hardware specs
MathTPM DriverNet Driver
UDP/IP Datatypes RSA
Ethernet BigNumSHA-256
Std. Lib Common
App
Latelaunch
IOMMUSegs GCDevice
IO
[OSDI 2014]
Full Verification of Complex Systems
![Page 3: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/3.jpg)
The Ironclad Project
2
Ironclad Apps
App
Lib
Hardware specs
MathTPM DriverNet Driver
UDP/IP Datatypes RSA
Ethernet BigNumSHA-256
Std. Lib Common
App
Latelaunch
IOMMUSegs GCDevice
IO
[OSDI 2014]
IronFleet[SOSP 2015]
Full Verification of Complex Systems
![Page 4: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/4.jpg)
The Ironclad Project
2
Crypto Algorithms
***
TLS
X.509
HTTPS
RSA SHA
ECDH
Network buffers
4Q
ASN.1
Everest HTTPSIronclad Apps
App
Lib
Hardware specs
MathTPM DriverNet Driver
UDP/IP Datatypes RSA
Ethernet BigNumSHA-256
Std. Lib Common
App
Latelaunch
IOMMUSegs GCDevice
IO
[OSDI 2014]
IronFleet[SOSP 2015]
Full Verification of Complex Systems
![Page 5: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/5.jpg)
The Ironclad Project
2
Ironclad Apps
App
Lib
Hardware specs
MathTPM DriverNet Driver
UDP/IP Datatypes RSA
Ethernet BigNumSHA-256
Std. Lib Common
App
Latelaunch
IOMMUSegs GCDevice
IO
[OSDI 2014]
Full Verification of Complex Systems
![Page 6: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/6.jpg)
[OSDI 2014]
Ironclad Apps: End-to-End Security via Automated Full-System Verification
3
![Page 7: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/7.jpg)
[OSDI 2014]
Ironclad Apps: End-to-End Security via Automated Full-System Verification
3
![Page 8: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/8.jpg)
[OSDI 2014]
Ironclad Apps: End-to-End Security via Automated Full-System Verification
3
Online and Mobile Security
• Chase Online, the Chase Mobile app and the Chase Mobile website use Secure Socket Layer (SSL) technology
…• We periodically review our operations and
business practices to make sure they comply with the corporate policies and procedures we follow to protect confidential information
![Page 9: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/9.jpg)
[OSDI 2014]
Ironclad Apps: End-to-End Security via Automated Full-System Verification
3
![Page 10: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/10.jpg)
[OSDI 2014]
Ironclad Apps: End-to-End Security via Automated Full-System Verification
3
![Page 11: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/11.jpg)
An Ironclad app guarantees to remote parties that every instruction it executes adheres to
a high-level security spec.
4
![Page 12: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/12.jpg)
An Ironclad app guarantees to remote parties that every instruction it executes adheres to
a high-level security spec.
4
![Page 13: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/13.jpg)
An Ironclad app guarantees to remote parties that every instruction it executes adheres to
a high-level security spec.
4
My password will never leak
![Page 14: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/14.jpg)
An Ironclad app guarantees to remote parties that every instruction it executes adheres to
a high-level security spec.
4
My personal data will not be misused
![Page 15: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/15.jpg)
Our formal, end-to-end guarantee
• End-to-end secure communication with provably secure assembly code
• Implies:
– No buffer overflows
– No code injection
– No type-safety flaws
– No information disclosures
– No crypto impl flaws
5
…
MathTPM DriverNet Driver
UDP/IP Datatypes RSA
Ethernet BigNumSHA-256
Std. Lib Common
App
Latelaunch
IOMMUSegs GCDevice
IO
![Page 16: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/16.jpg)
Our formal, end-to-end guarantee
• End-to-end secure communication with provably secure assembly code
• Implies:
– No buffer overflows
– No code injection
– No type-safety flaws
– No information disclosures
– No crypto impl flaws
5
…
MathTPM DriverNet Driver
UDP/IP Datatypes RSA
Ethernet BigNumSHA-256
Std. Lib Common
App
Latelaunch
IOMMUSegs GCDevice
IO
![Page 17: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/17.jpg)
Our formal, end-to-end guarantee
• End-to-end secure communication with provably secure assembly code
• Implies:
– No buffer overflows
– No code injection
– No type-safety flaws
– No information disclosures
– No crypto impl flaws
5
…
MathTPM DriverNet Driver
UDP/IP Datatypes RSA
Ethernet BigNumSHA-256
Std. Lib Common
App
Latelaunch
IOMMUSegs GCDevice
IO
1st Version: Secure, but non-functional
![Page 18: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/18.jpg)
Ironclad Apps
6
![Page 19: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/19.jpg)
Ironclad Apps
6
Password Protector
password12345612345678abc123monkeyqwerty
letmeindragon111111baseballiloveyoutrustno1
![Page 20: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/20.jpg)
Ironclad Apps
6
Password Protector Notary
password12345612345678abc123monkeyqwerty
letmeindragon111111baseballiloveyoutrustno1
![Page 21: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/21.jpg)
Ironclad Apps
6
Password Protector Notary
Trusted Incrementer
password12345612345678abc123monkeyqwerty
letmeindragon111111baseballiloveyoutrustno1
0373 0027
1288 9823
![Page 22: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/22.jpg)
Ironclad Apps
6
Insert datum
Query
Database
Privacy budget
Key pair
Password Protector Notary
Trusted Incrementer Differentially Private DB
password12345612345678abc123monkeyqwerty
letmeindragon111111baseballiloveyoutrustno1
0373 0027
1288 9823
![Page 23: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/23.jpg)
The Ironclad Project
7
Crypto Algorithms
***
TLS
X.509
HTTPS
RSA SHA
ECDH
Network buffers
4Q
ASN.1
Everest HTTPS
![Page 24: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/24.jpg)
8
The HTTPS Ecosystem is critical
• Most widely deployed security protocol?
– 40% all Internet traffic (+40%/year)
• Web, cloud, IoT, email, VoIP, 802.1x, VPNs, …
Services & Applications
ServersClients
cURL WebKit IIS ApacheSkype NginxEdge
HTTPS Ecosystem
![Page 25: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/25.jpg)
9
The HTTPS Ecosystem is complex
***
TLS
X.509
HTTPS
RSA SHA
ECDH
Network buffers
Untrusted network (TCP, UDP, …)
Crypto Algorithms
4Q
Services & Applications
ASN.1
ServersClients
cURL WebKit IIS ApacheSkype NginxEdge
Certification Authority
![Page 26: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/26.jpg)
10
The HTTPS Ecosystem is buggy• 20 years of attacks & fixes
Buffer overflowsMemory managementIncorrect state machinesLax certificate parsingWeakly or badly implemented cryptoSide channelsError-inducing APIsFlawed standards…
• Many implementationsOpenSSL, Schannel, NSS, …
Still patched every month!
***
TLS
X.509
HTTPS
RSA SHA
ECDH
Network buffers
Untrusted network (TCP, UDP, …)
Crypto Algorithms
4Q
Services & Applications
ASN.1Certification
Authority
ServersClients
cURL WebKit IIS ApacheSkype NginxEdge
![Page 27: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/27.jpg)
10
The HTTPS Ecosystem is buggy• 20 years of attacks & fixes
Buffer overflowsMemory managementIncorrect state machinesLax certificate parsingWeakly or badly implemented cryptoSide channelsError-inducing APIsFlawed standards…
• Many implementationsOpenSSL, Schannel, NSS, …
Still patched every month!
***
TLS
X.509
HTTPS
RSA SHA
ECDH
Network buffers
Untrusted network (TCP, UDP, …)
Crypto Algorithms
4Q
Services & Applications
ASN.1Certification
Authority
ServersClients
cURL WebKit IIS ApacheSkype NginxEdge
![Page 28: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/28.jpg)
Everest:
Deploying Verified-Secure Implementations in the HTTPS Ecosystem
![Page 29: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/29.jpg)
12
Everest Goals
***
TLS
X.509
HTTPS
RSA SHA
ECDH
Network buffers
Untrusted network (TCP, UDP, …)
Crypto Algorithms
4Q
Services & Applications
ASN.1Certification
Authority
ServersClients
cURL WebKit IIS ApacheSkype NginxEdge
![Page 30: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/30.jpg)
12
Everest Goals• Fully verified replacement
***
TLS
X.509
HTTPS
RSA SHA
ECDH
Network buffers
Untrusted network (TCP, UDP, …)
Crypto Algorithms
4Q
Services & Applications
ASN.1Certification
Authority
ServersClients
cURL WebKit IIS ApacheSkype NginxEdge
![Page 31: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/31.jpg)
12
Everest Goals• Fully verified replacement
***
TLS
X.509
HTTPS
RSA SHA
ECDH
Network buffers
Untrusted network (TCP, UDP, …)
Crypto Algorithms
4Q
Services & Applications
ASN.1Certification
Authority
ServersClients
cURL WebKit IIS ApacheSkype NginxEdge
![Page 32: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/32.jpg)
12
Everest Goals• Fully verified replacement
• Widespread deployment
***
TLS
X.509
HTTPS
RSA SHA
ECDH
Network buffers
Untrusted network (TCP, UDP, …)
Crypto Algorithms
4Q
Services & Applications
ASN.1Certification
Authority
ServersClients
cURL WebKit IIS ApacheSkype NginxEdge
![Page 33: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/33.jpg)
12
Everest Goals• Fully verified replacement
• Widespread deployment
***
TLS
X.509
HTTPS
RSA SHA
ECDH
Network buffers
Untrusted network (TCP, UDP, …)
Crypto Algorithms
4Q
Services & Applications
ASN.1Certification
Authority
ServersClients
cURL WebKit IIS ApacheSkype NginxEdge
$ apt-get install verified_https
$ /etc/init.d/apache2 restart
![Page 34: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/34.jpg)
12
Everest Goals• Fully verified replacement
• Widespread deployment
***
TLS
X.509
HTTPS
RSA SHA
ECDH
Network buffers
Untrusted network (TCP, UDP, …)
Crypto Algorithms
4Q
Services & Applications
ASN.1Certification
Authority
ServersClients
cURL WebKit IIS ApacheSkype NginxEdge
$ apt-get install verified_https
$ /etc/init.d/apache2 restart
![Page 35: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/35.jpg)
12
Everest Goals• Fully verified replacement
• Widespread deployment
• Trustworthy, usable tools
***
TLS
X.509
HTTPS
RSA SHA
ECDH
Network buffers
Untrusted network (TCP, UDP, …)
Crypto Algorithms
4Q
Services & Applications
ASN.1Certification
Authority
ServersClients
cURL WebKit IIS ApacheSkype NginxEdge
![Page 36: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/36.jpg)
Research Questions
• How do we decide whether new protocols are secure?– Especially when interoperating with insecure protocols
• Can we make verified systems as fast as unverified?
• How do we handle advanced threats?– Ex: Side channels
• Why should we trust automated verification tools?
• How can verification be more accessible?– Especially to non-experts in verification
13
![Page 37: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/37.jpg)
Verified Crypto
***
TLS
X.509
HTTPS
RSA SHA
ECDH
Network buffers
Crypto Algorithms
4Q
ASN.1
![Page 38: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/38.jpg)
Why verify crypto?
• Bugs are real, and potentially devastating!
![Page 39: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/39.jpg)
Why verify crypto?
• Bugs are real, and potentially devastating!
• 3 bugs in OpenSSL’s Poly1305 this year!
![Page 40: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/40.jpg)
Why verify crypto?
• Bugs are real, and potentially devastating!
• 3 bugs in OpenSSL’s Poly1305 this year!
“These produce wrong results. The first example does so only on 32 bit,
the other three also on 64 bit.”
“I believe this affects both the SSE2 and AVX2 code. It does seem to be
dependent on this input pattern.”
“I'm probably going to write something to generate random inputs and stress
all your other poly1305 code paths against a reference implementation.”
![Page 41: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/41.jpg)
• Hand-written mix of Perl and assembly
• Customized for 50+ hardware platforms
Current State of the Art: OpenSSL
![Page 42: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/42.jpg)
• Hand-written mix of Perl and assembly
• Customized for 50+ hardware platforms
Current State of the Art: OpenSSL
![Page 43: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/43.jpg)
• Hand-written mix of Perl and assembly
• Customized for 50+ hardware platforms
• Why?• Performance!
Current State of the Art: OpenSSL
![Page 44: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/44.jpg)
• Hand-written mix of Perl and assembly
• Customized for 50+ hardware platforms
• Why?• Performance!
Current State of the Art: OpenSSL
![Page 45: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/45.jpg)
• Hand-written mix of Perl and assembly
• Customized for 50+ hardware platforms
• Why?• Performance!
Current State of the Art: OpenSSL
![Page 46: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/46.jpg)
Vale: extensible, automated assembly language verification
machine model (Dafny/F*/Lean)
type reg = r0 | r1 | ...type ins =
Mov(dst:reg, src:reg)| Add(dst:reg, src:reg)| Neg(dst:reg)…
instructions
eval(Mov(dst, src), …) = …eval(Add(dst, src), …) = …eval(Neg(dst), …) = ……
semantics
print(Mov(dst, src), …) =“mov “ + (…dst) + (…src)
print(Add(dst, src), …) = ……
code generation
Vale code
procedure mov(…)requires …ensures …
{ … }
procedure add(…)…
machine interface
procedure quadruple(…)requires 0 <= r0 < 230;ensures r1 == r0 * 4;
{mov(r1, r0);add(r1, r0);add(r1, r1);
}
program[Mov(r1, r0),Add(r1, r0),Add(r1, r1)]
lemma_mov(…);lemma_add(…);lemma_add(…);
code proof
TrustedComputingBase
mem[eax] == SHA(mem[ebx])
crypto spec
![Page 47: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/47.jpg)
Crypto implementations
HACL*: High-Assurance Crypto Library
• ChaCha20: Stream cipher
• Poly1305: MAC
• Curve 25519: Elliptic curve
• Verified, side-channel resistant BigIntegers
• Cryptographic construction: AEAD
– Demonstrates concrete securitydefinitions and crypto proofs
18
Vale crypto
• SHA-256 on ARM
– Demonstrates flexibility necessary to match OpenSSL’s performance
– Uncovered leakage in OpenSSL
• SHA-256 on x86 and x64
– Demonstrates platform agnosticism
– Demonstrates spec and proof reuse
• AES-CBC on x86
– Demonstrates advanced HW features
• Poly1305 on x64
– Demonstrates mathematical specs
![Page 48: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/48.jpg)
Crypto implementations
HACL*: High-Assurance Crypto Library
• ChaCha20: Stream cipher
• Poly1305: MAC
• Curve 25519: Elliptic curve
• Verified, side-channel resistant BigIntegers
• Cryptographic construction: AEAD
– Demonstrates concrete securitydefinitions and crypto proofs
18
Vale crypto
• SHA-256 on ARM
– Demonstrates flexibility necessary to match OpenSSL’s performance
– Uncovered leakage in OpenSSL
• SHA-256 on x86 and x64
– Demonstrates platform agnosticism
– Demonstrates spec and proof reuse
• AES-CBC on x86
– Demonstrates advanced HW features
• Poly1305 on x64
– Demonstrates mathematical specs
Caveat: Can’t verify crypto assumptions!
![Page 49: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/49.jpg)
Vale Performance
19
• At parity with OpenSSL!
• Caveats
– Specific platforms
– Missing OpenSSL’s advanced modes
Vale
Vale
![Page 50: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/50.jpg)
Summary
20
![Page 51: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/51.jpg)
Summary• Ironclad Apps guarantee end-to-end security to remote
parties: Every instruction meets the app’s security spec
20
![Page 52: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/52.jpg)
Summary• Ironclad Apps guarantee end-to-end security to remote
parties: Every instruction meets the app’s security spec
• IronFleet extends these techniques to prove the safety and liveness of distributed systems
20
![Page 53: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/53.jpg)
Summary• Ironclad Apps guarantee end-to-end security to remote
parties: Every instruction meets the app’s security spec
• IronFleet extends these techniques to prove the safety and liveness of distributed systems
• Everest will showcase the power of verification and its applicability to real-world security problems
20
![Page 54: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/54.jpg)
Summary• Ironclad Apps guarantee end-to-end security to remote
parties: Every instruction meets the app’s security spec
• IronFleet extends these techniques to prove the safety and liveness of distributed systems
• Everest will showcase the power of verification and its applicability to real-world security problems
• Verification of systems code is possible, and we’re scaling it to even larger more complex systems
20
![Page 55: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/55.jpg)
Summary• Ironclad Apps guarantee end-to-end security to remote
parties: Every instruction meets the app’s security spec
• IronFleet extends these techniques to prove the safety and liveness of distributed systems
• Everest will showcase the power of verification and its applicability to real-world security problems
• Verification of systems code is possible, and we’re scaling it to even larger more complex systems
20
https://github.com/Microsoft/Ironclad
![Page 56: Building Provably Secure Systems - CMU Engineering · Building Provably Secure Systems Bryan Parno 1 Associate Professor, CSD & ECE](https://reader031.fdocuments.net/reader031/viewer/2022020305/5c2ea29c09d3f2dd0b8ca2ed/html5/thumbnails/56.jpg)
Summary• Ironclad Apps guarantee end-to-end security to remote
parties: Every instruction meets the app’s security spec
• IronFleet extends these techniques to prove the safety and liveness of distributed systems
• Everest will showcase the power of verification and its applicability to real-world security problems
• Verification of systems code is possible, and we’re scaling it to even larger more complex systems
20
https://github.com/Microsoft/Ironclad
Thank [email protected]