Jasmin: A CompilerandFramework for High-Assuranceand High...
Transcript of Jasmin: A CompilerandFramework for High-Assuranceand High...
![Page 1: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/1.jpg)
Jasmin: A Compiler and Framework forHigh-Assurance and High-Speed Cryptog-raphy
Benjamin Gregoire
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 1
![Page 2: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/2.jpg)
Previous work: Provable crytography
Algorithms:
Primitives(RSA)
Protocols(SSH)Adversary
Provable security: Pr [A breaks P] ≤ Pr [B(A) breaks assumption] + ε
• Foundation: Probabilistic Relational Hoare Logic (pRHL)• Tools : EasyCrypt / AutoG&P• Case studies:
encryption, signatures, hash designs (SHA3), key exchange protocols,zero knowledge protocols, garbled circuits, voting, key managementservice (AWS)
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 2
![Page 3: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/3.jpg)
Previous work: Provable crytography
Algorithms:
Primitives(RSA)
Protocols(SSH)Adversary
Provable security: Pr [A breaks P] ≤ Pr [B(A) breaks assumption] + ε
• Foundation: Probabilistic Relational Hoare Logic (pRHL)• Tools : EasyCrypt / AutoG&P• Case studies:
encryption, signatures, hash designs (SHA3), key exchange protocols,zero knowledge protocols, garbled circuits, voting, key managementservice (AWS)
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 2
![Page 4: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/4.jpg)
Implementation details are important
Most algorithms (widely) deployed today are provably secure
Still we frequently hear of crypto implementations being broken
What is the problem ?
Let us loop at some examples
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 3
![Page 5: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/5.jpg)
Example 1: Bleichenbacher’s attack
in 1998 SSLv3 and PKCS#1 v1.5 were widely used
• Session key transported using RSA with random padding• Bleichenbacher’s attack was published (CRYPTO’98)
• Some SSL servers would signal padding errors in decryption• The revealed if exponentiation result was in known range
• Vulnerability allowed decrypting arbitrary messages• Using adaptive chosen-ciphertext attack (IND-CCA)
“ The SSL documentation does not clearly specify the error conditions andcorresponding alerts”Error messages left as “implementation details”
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 4
![Page 6: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/6.jpg)
Example 2: MEE-CBC and timing
• TLSv1.0 uses an authenticated encryption scheme called MEE-CBC• This is a MAC-then-Pad-Then-Encrypt construction• MEE-CBC is known to be vulnerable to padding oracle attacks using error
messages
• In TLSv1.0 error messages for MEE-CBC decryption failures are sent overan encrypted channel
• So security analysis took this possibility into consideration and all is OK• Not quite ...
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 5
![Page 7: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/7.jpg)
Example 2: MEE-CBC and timing
• Canvel et al. [CRYPTO’03] break TLSv1.0• Padding oracle attack can recover encrypted passwords
Attack strategy:• Measure the time that a server takes to abort: checks padding only or
padding and MAC• If short time, guess it was padding error• if long time, guess it was not a padding error
Simple timing attack brings padding oracle back
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 6
![Page 8: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/8.jpg)
Lesson learned
Real-world attackers can observe more than the I/O values of cryptoalgorithms:• Timing• Power• Sound emmitted by fan (!)
All that the adversary can somehow measure and use as a side-channel.
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 7
![Page 9: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/9.jpg)
Constant-time programming
Software-based countermeasure against timing attacks and cache attacks.
Guideline: control-flow and memory accesses should not depend on secretdata.
Rationale: crypto implementations without this property are vulnerable.
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 8
![Page 10: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/10.jpg)
Can we trust our compiler ?
gcc/clang:• Their intensive use provides some guaranties on their correctness• This is not the case when we require a high level of optimisations
CompCert:• It is certified in Coq (semantic preservation)• Certified compilers do not perform aggressive optimisation
Do compilers preserve “constant-time”-ness?
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 9
![Page 11: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/11.jpg)
Counter-example: emulation of conditional-move
Beforeint cmove(int x, int y, bool b) {return x + (y−x) * b;}
Afterint cmove(int x, int y, bool b) {if (b) {return y;} else {return x;}}
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 10
![Page 12: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/12.jpg)
Counter-example: emulation of conditional-move
Beforeint cmove(int x, int y, bool b) {return x + (y−x) * b;}
Afterint cmove(int x, int y, bool b) {if (b) {return y;} else {return x;}}
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 10
![Page 13: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/13.jpg)
Counter-example: double-word multiplication
Beforelong long llmul(long long x, long long y) {return x * y;}
x = aN + b y = cN + d xy = (ad + cb)N + bd (mod N2)
Afterlong long llmul(long long x, long long y) {long a = High(x);long c = High(y);if (a | c) {. . .} else {return Low(x) * Low(y);}}
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 11
![Page 14: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/14.jpg)
Counter-example: double-word multiplication
Beforelong long llmul(long long x, long long y) {return x * y;}
x = aN + b y = cN + d xy = (ad + cb)N + bd (mod N2)
Afterlong long llmul(long long x, long long y) {long a = High(x);long c = High(y);if (a | c) {. . .} else {return Low(x) * Low(y);}}
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 11
![Page 15: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/15.jpg)
Counter-example: tabulation
Beforechar rot13(char x) {return `a` + (x− `a` + 13) % 26;}
Afterchar rot13(char x) {static char table[26] = ``nopqrstuvwxyzabcdefghijklm'';return table[x− `a`];}
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 12
![Page 16: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/16.jpg)
Counter-example: tabulation
Beforechar rot13(char x) {return `a` + (x− `a` + 13) % 26;}
Afterchar rot13(char x) {static char table[26] = ``nopqrstuvwxyzabcdefghijklm'';return table[x− `a`];}
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 12
![Page 17: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/17.jpg)
Where we are?
High-assurance and high-speed cryptography• We need cryptographic libraries that we can trust• Correct implementation frequently remain vulnerable to side channel
attacks• Efficiency considerations often force developers to carry out very
aggressive optimizations
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 13
![Page 18: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/18.jpg)
Implementing “crypto”: a subtle equilibrium
• Fast• Correct (functional correctness, safety)• Side-channel resistant (constant-time)• Provably secure
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 14
![Page 19: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/19.jpg)
A gap between source and assembly languages
Source• Portable• Convenient software-engineering abstractions• Readable, maintainable
Assembly• Efficiency• Control (instruction selection and scheduling)• Predictable
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 15
![Page 20: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/20.jpg)
A gap between source and assembly languages
Source• Portable• Convenient software-engineering abstractions• Readable, maintainable
Assembly• Efficiency• Control (instruction selection and scheduling)• Predictable
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 15
![Page 21: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/21.jpg)
A gap between source and assembly languages
• Assembly is not programmer/verifier friendly- The code is obfuscated- More error prone- Harder to prove / analyze
• Source is not security/efficiency friendly- Trust compiler- Certified compilers are less efficient- Optimizing compilers can break side channel resistance
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 16
![Page 22: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/22.jpg)
What are the possible solutions
• Fast• Correct (functional correctness, safety)• Side-channel resistant (constant-time)• Provably secure
Vale: Assembly level• Prove functional correctness and constant time at the assembly level• the code can be manually written or generated
Frama-C, Hacl*, ...: Source level• functional correctness is proved at the source level• Should trust the compiler or use a certified compiler
Easycrypt• Provable secure• But at the algorithm level (no executable code)
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 17
![Page 23: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/23.jpg)
Jasmin: last mile of high assurance cryptography
Fast and formally verified assembly code• Source language: assembly in the head with formal semantics=⇒ programmer & verification friendly
• Compiler: predictable & formally verified (in Coq)=⇒ programmer has control and no compiler security bug
• Verification toolchain (based on EasyCrypt):- provable security- safety- side channel resistance (constant-time)- functional correctness
World speed record + full verificationTLS 1.3 components : ChaCha20, Poly1305, Curve25519, Sha3(keccak)
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 18
![Page 24: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/24.jpg)
Jasmin by example
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 19
![Page 25: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/25.jpg)
Initialization of Chacha20 state
inline fn init(reg u64 key nonce, reg u32 counter)→ stack u32[16]{inline int i;stack u32[16] st;reg u32[8] k;reg u32[3] n;
st[0] = 0x61707865;st[1] = 0x3320646e;st[2] = 0x79622d32;st[3] = 0x6b206574;
for i=0 to 8 {k[i] = (u32)[key + 4*i];st[4+i] = k[i];}
st[12] = counter;
for i=0 to 3 {n[i] = (u32)[nonce + 4*i];st[13+i] = n[i];}
return st;}
Zero-cost abstractions• Variable names• Arrays• Loops• Inline functions
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 20
![Page 26: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/26.jpg)
User control: loop unrolling
for i=0 to 15 {k[i] = st[i];}
• For loops are fully unrolled• The value of the counter is
propagated• The source code still
readable and compact
while(i < 15) {k[i] = st[i]; i += 1;}
• While loops are untouched
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 21
![Page 27: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/27.jpg)
User control: register or stack
• Jasmin has two kind of variables:- register variables (reg)- stack variables (stack)
• Array can be register array or stack array• Spilling is done manually (by the user)
inline fn sum states(reg u32[16] k, stack u32 k15, stack u32[16] st)→ reg u32[16], stack u32{inline int i;stack u32 k14;
for i=0 to 15 {k[i] += st[i];}
k14 = k[14]; // Spillingk[15] = k15; // Spillingk[15] += st[15];k15 = k[15]; // Spillingk[14] = k14; // Spilling
return k, k15;}
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 22
![Page 28: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/28.jpg)
User control: instruction-set architecture level
• Direct memory access
reg u64 output, plain;for i=0 to 12{ k[i] ˆ= (u32)[plain + 4*i];(u32)[output + 4*i] = k[i]; }
• Conditional move
x = y if ¬cf;
• The carry flag is an ordinary boolean variable
reg u64[3] h;reg bool cf0 cf1;reg u64 h2rx4 h2r;
h2r += h2rx4;cf0 , h[0] += h2r;cf1 , h[1] += 0 + cf0;
, h[2] += 0 + cf1;
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 23
![Page 29: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/29.jpg)
User control : instruction-set architecture level
• Most of assembly instructions are accessible in the source language
of, cf ,sf, pf, zf, z = x86 ADC(x, y, cf);
of, cf, x = x86 ROL 32(x, bits);
• SIMD instructions
k[0] +8u32= k[1]; // vectorized addition of 8 32−bits word;
k[1] = x86 VPSHUFD 256(k[1], (4u2)[0,3,2,1]);
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 24
![Page 30: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/30.jpg)
The Jasmin compiler
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 25
![Page 31: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/31.jpg)
Goals / Features
• Predictability and control of generated assembly• Preserves semantics (Coq proofs, machine-checked)• Preserves side-channel resistance
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 26
![Page 32: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/32.jpg)
Compilation passes
• For loop unrolling• Function inlining• Constant-propagation• Sharing of stack variables• Register array expansion• Lowering• Register allocation• Linearization• Assembly generation
Formal verification:• Maximal use of validation• Reuse of a single checker (core) for various passes
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 27
![Page 33: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/33.jpg)
Semantic preservation
Theorem
∀ p p′ compile(p) = ok(p′)⇒∀ f ∈ exports(p)⇒∀ va m vr m′ enough-stack-space(f , p′,m)⇒
f , va,m ⇓p vr ,m′ ⇒ f , va,m ⇓p′ vr ,m′
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 28
![Page 34: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/34.jpg)
Preservation of constant-time’?
Good news . . .Many compiler optimizations do preserve “constant-time”-ness:• Constant folding• Constant propagation• Variable spilling / Register allocation• Expression flattening• Loop peeling• Pull common instructions out of branches• Swap independent instructions• Linearization
Formally verified for a toy language: CSF18
Future work: Jasmin, CompCert
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 29
![Page 35: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/35.jpg)
Constant-time: a non-interference property
Decorate the small-step relation with a leakage: a bℓ
Definition (Constant-time):For every two execution prefixes
i
i′
s0
s′0
ℓ0
ℓ′0
s1
s′1
ℓ1
ℓ′1
s2
s′2
ℓ2
ℓ′2
. . .
. . .
the leakages agree whenever the inputs agree:
ψ(ı, ı′)⇒ `0 · `1 · `2 = `′0 · `′1 · `′2
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 30
![Page 36: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/36.jpg)
Constant-time: a non-interference property
Decorate the small-step relation with a leakage: a bℓ
Definition (Constant-time):For every two execution prefixes
i
i′
s0
s′0
ℓ0
ℓ′0
s1
s′1
ℓ1
ℓ′1
s2
s′2
ℓ2
ℓ′2
. . .
. . .
the leakages agree whenever the inputs agree:
ψ(ı, ı′)⇒ `0 · `1 · `2 = `′0 · `′1 · `′2
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 30
![Page 37: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/37.jpg)
Preservation of constant time
i
i′
s0
s′0
ℓ0
ℓ′0
s1
s′1
ℓ1
ℓ′1
s2
s′2
ℓ2
ℓ′2
. . .
. . .
Intuition, all leakages at the target level correspond to:• Correspond to an observation at the source level• Or can be computed using previous leakage + some constant
i
i′
s0
s′0
ℓ0
ℓ′0
s1
s′1
ℓ1
ℓ′1
s2
s′2
ℓ2
ℓ′2
. . .
. . .
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 31
![Page 38: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/38.jpg)
Where we are ?
Two correctness theorems:• Functional correctness can be proved at the source level=⇒ certified compiler
• Side channel resistance can be proved at the source level=⇒ constant-time preservation
Both theorems assume that programs are safe =⇒ we need to prove safety
We also need to establish at source level:• Functional correctness• Side channel resistance
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 32
![Page 39: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/39.jpg)
Functional correctness
Using Hoare Logic: c : P V Q• P is the precondition• the post-condition Q is a mathematical description
Using Relational Hoare Logic:• c1 is the reference implementation (the specification)• c2 is the optimized implementation
c1 ∼ c2 : ={args} V ={res}
Combine both of them
EasyCrypt already provides Hoare Logic and Relational Hoare Logic
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 33
![Page 40: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/40.jpg)
Functional correctness by game hopping
We have built an EasyCrypt model for Jasmin
Jasmin compiler is able to translate programs into the EasyCrypt syntax
We perform functional correctness proofs by game hopping:
cref ∼ c1 ∼ . . . ∼ copt
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 34
![Page 41: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/41.jpg)
Function correctness by game hopping
Computing sum:• p is a pointer,• len the number of 64-bits words to sum
We want to compute :∑
i<len (u64)[p+8 * i]
S0
s = 0;i = 0;while (i < len) {s += (u64)[p + 8 * i];i += i}return s;
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 35
![Page 42: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/42.jpg)
Function correctness by game hopping
Computing sum:• p is a pointer,• len the number of 64-bits words to sum
We want to compute :∑
i<len (u64)[p+8 * i]
S0
s = 0;i = 0;while (i < len) {s += (u64)[p + 8 * i];i += i}return s;
S1
s = 0;plen = p + 8 * len;while (p < plen) {
s += (u64)[p];p += 8;}return s;
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 35
![Page 43: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/43.jpg)
Function correctness by game hopping
Computing sum:• p is a pointer,• len the number of 64-bits words to sum
We want to compute :∑
i<len (u64)[p+8 * i]
S0
s = 0;i = 0;while (i < len) {s += (u64)[p + 8 * i];i += i}return s;
S1
s = 0;plen = p + 8 * len;while (p < plen) {
s += (u64)[p];p += 8;}return s;
S0 ∼ S1 : ={p,len,mem} V ={s}
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 35
![Page 44: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/44.jpg)
Loop transformations
S1
s = 0;plen = p + 8 * len;while (p < plen) {s += (u64)[p];p += 8;}return s;
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 36
![Page 45: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/45.jpg)
Loop transformations
S1
s = 0;plen = p + 8 * len;while (p < plen) {s += (u64)[p];p += 8;}return s;
S2
s = 0;plen = p + 8 * len;len4 = 4 * (len / 4);plen4 = p + 8 * len4;while (p < plen4) {s += (u64)[p]; p += 8;s += (u64)[p]; p += 8;s += (u64)[p]; p += 8;s += (u64)[p]; p += 8;}while (p < plen) {
s += (u64)[p];p += 8;}return s;
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 36
![Page 46: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/46.jpg)
Loop transformations
S1
s = 0;plen = p + 8 * len;while (p < plen) {s += (u64)[p];p += 8;}return s;
S2
s = 0;plen = p + 8 * len;len4 = 4 * (len / 4);plen4 = p + 8 * len4;while (p < plen4) {s += (u64)[p]; p += 8;s += (u64)[p]; p += 8;s += (u64)[p]; p += 8;s += (u64)[p]; p += 8;}while (p < plen) {
s += (u64)[p];p += 8;}return s;
S3
s = 0;plen = p + 8 * len;
if (4≤ len) {len4 = 4 * (len / 4);plen4 = p + 8 * len4;s0 = 0; s1 = 0; s2 = 0; s3 = 0;while (p < plen4) {s0 += (u64)[p]; p += 8;s1 += (u64)[p]; p += 8;s2 += (u64)[p]; p += 8;s3 += (u64)[p]; p += 8;}s0 += s2;s1 += s3;s = s0 + s1;}while (p < plen) {
s += (u64)[p];p += 8;}return s;
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 36
![Page 47: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/47.jpg)
Use vector instructions
S3
s = 0;plen = p + 8 * len;
if (4≤ len) {len4 = 4 * (len / 4);plen4 = p + 8 * len4;s0 = 0; s1 = 0; s2 = 0; s3 = 0;while (p < plen4) {s0 += (u64)[p]; p += 8;s1 += (u64)[p]; p += 8;s2 += (u64)[p]; p += 8;s3 += (u64)[p]; p += 8;}s0 += s2;s1 += s3;s = s0 + s1;}while (p < plen) {s += (u64)[p];p += 8;}return s;
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 37
![Page 48: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/48.jpg)
Use vector instructions
S3
s = 0;plen = p + 8 * len;
if (4≤ len) {len4 = 4 * (len / 4);plen4 = p + 8 * len4;s0 = 0; s1 = 0; s2 = 0; s3 = 0;while (p < plen4) {s0 += (u64)[p]; p += 8;s1 += (u64)[p]; p += 8;s2 += (u64)[p]; p += 8;s3 += (u64)[p]; p += 8;}s0 += s2;s1 += s3;s = s0 + s1;}while (p < plen) {s += (u64)[p];p += 8;}return s;
S4
s = 0;plen = p + 8 * len;
if (4≤ len) {len4 = 4 * (len / 4);plen4 = p + 8 * len4;ss0 = 0; // u256while (p < plen4) {ss0 +4u64= (u256)[p];p += 32;}ss1 = x86 VPSHUFD 256(ss0,(4u2)[2,3,0,1]); /* s2, s3, s0, s1 */ss0 +4u64= ss1; /* s0+s2, s1+s3, s2+s0, s3+s1 */ss01 = x86 VEXTRACTI128(ss0, 0); /* s0+s2, s1+s3 */s = x86 VPEXTR 64(ss0, 0); /* s0+s2 */s1 = x86 VPEXTR 64(ss0, 1); /* s1+s3 */s += s1; /* s0 + s2 + s1 + s3 */}while (p < plen) {s += (u64)[p];p += 4;}
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 37
![Page 49: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/49.jpg)
Where we are?
Implementing “crypto”: a subtle equilibrium• Fast• Safety + functional correctness (X)• Side-channel resistant• Provably secure (EasyCrypt)
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 38
![Page 50: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/50.jpg)
Side channel resistanceConstant time is a non-interference property:
i
i′
s0
s′0
ℓ0
ℓ′0
s1
s′1
ℓ1
ℓ′1
s2
s′2
ℓ2
ℓ′2
. . .
. . .
Constant time can be checked using RHLIdea: introduce ghost variable to model leakage
if (t) c1 else c2 leaks = t :: leaks;if (t) c1 else c2
c is constant time if its model c verifies the relational property:
c ∼ c : ={public inputs} V ={leaks}
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 39
![Page 51: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/51.jpg)
Side channel resistanceConstant time is a non-interference property:
i
i′
s0
s′0
ℓ0
ℓ′0
s1
s′1
ℓ1
ℓ′1
s2
s′2
ℓ2
ℓ′2
. . .
. . .
Constant time can be checked using RHLIdea: introduce ghost variable to model leakage
if (t) c1 else c2 leaks = t :: leaks;if (t) c1 else c2
c is constant time if its model c verifies the relational property:
c ∼ c : ={public inputs} V ={leaks}
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 39
![Page 52: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/52.jpg)
Verification of constant time
Jasmin compiler can generate a EasyCryptmodel for constant-time
Good news:c ∼ c : ={public inputs} V ={leaks}
• Can be automatically decided (dependency analysis)• the sim tactic do it for you
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 40
![Page 53: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/53.jpg)
Where we are?
Implementing “crypto”: a subtle equilibrium• Fast• Safety + functional correctness (X)• Side-channel resistant (X)• Provably secure (EasyCrypt)
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 41
![Page 54: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/54.jpg)
Benchmarks: Comparison to non-verified codeChaCha20:
0
5
10
15
20
32 64 128 256 512 1024 2048 4096 8192 16384
cycl
es p
er b
yte
message length in bytes
HACL* (GCC 8.1)
OpenSSL (Scalar)
Usuba (AVX2)
OpenSSL (AVX2)
Jasmin (AVX2)
Poly1305:
0
1
2
3
4
5
6
7
32 64 128 256 512 1024 2048 4096 8192 16384
cycl
es p
er b
yte
message length in bytes
HACL* (GCC 8.1)
OpenSSL (AVX2)
Jasmin (AVX2)
Shake256(SHA3):
5
10
15
20
25
30
35
128 256 512 1024 2048 4096 8192 16384
cycl
es p
er b
yte
message length in bytes
OpenSSL (No Assembly)
OpenSSL (Scalar)
Jasmin (Scalar)
OpenSSL (AVX2)
Jasmin (AVX2)
hacl* (GCC 8.1 CCOPTS) = -Ofast -march=native -mtune=native -m64 -fwrapv-fomit-frame-pointer -funroll-loops
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 42
![Page 55: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/55.jpg)
Benchmarks: Comparison to fully verified codeChaCha20:
0
5
10
15
20
25
30
32 64 128 256 512 1024 2048 4096 8192 16384
cycl
es p
er b
yte
message length in bytes
HACL* (CompCert 3.4)
Jasmin (Scalar)
Jasmin (AVX2)
Poly1305:
0.5
1
2
4
8
16
32
64
128
256
32 64 128 256 512 1024 2048 4096 8192 16384
cycl
es p
er b
yte
message length in bytes
HACL* (CompCert 3.4)
Vale
Jasmin (Scalar)
Jasmin (AVX2)
Shake256(SHA3):
0
10
20
30
40
50
60
70
80
90
100
110
128 256 512 1024 2048 4096 8192 16384
cycl
es p
er b
yte
message length in bytes
EverCrypt
Jasmin (Scalar)
Jasmin (AVX2)
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 43
![Page 56: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/56.jpg)
Conclusion
If P is safe, functionally correct, constant-time and
AdvA(P) ≤ ε
then [[P]] is safe, functionally correct, constant-time and
AdvB([[P]]) ≤ ε
and [[P]] is fast!
Furthermore, safety, functional correctness, “constant-time”-ness can be easilychecked at the source level
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 44
![Page 57: Jasmin: A CompilerandFramework for High-Assuranceand High …fm.csl.sri.com/SSFT19/gregoir-slides2.pdf · 2020-03-17 · Frama-C, Hacl*, ...: Source level functional correctness is](https://reader033.fdocuments.net/reader033/viewer/2022050212/5f5e65810ba57a6c640946bb/html5/thumbnails/57.jpg)
Future works
• Extension of Jasmin: More architectures (ARM)• Preservation of constant time (Jasmin + CompCert)• TLS 1.3 primitives• Automation of equivalence proofs
Benjamin Gregoire – Jasmin: A Compiler and Framework for High-Assurance and High-Speed Cryptography 45