Verified protocol implementations in F* - Meetup (files.meetup.com/10193032/fstar-crypto.pdf)

Alessandro Bruni

Transcript of the 18 slides of "Verified protocol implementations in F*" (files.meetup.com/10193032/fstar-crypto.pdf).

Page 1:

Verified protocol implementations in F*

Alessandro Bruni

Page 2:

$ whoami # Alessandro Bruni – Computer Scientist

Now:
•  Postdoc researcher @ ITU (computer security, SW verification, theorem provers…)

Before:
•  Fall 2015: [email protected]
•  2012-2015: PhD @ DTU (computer sec., SW ver., ...)
   –  Contributed crypto examples to the FStar repo
•  2012: Research Eng. @ Siav SpA (process mining)

Find me at: alessandrobruni.name / @hoheinzollern

Page 3:

Recap: F* & Refinement types

•  F* = F# + Types on Steroids
•  Can express powerful properties on data, e.g. a cons whose type tracks the list length:

   val cons: n:nat -> l:'a list{n = List.length l}
          -> x:'a -> l':'a list{n+1 = List.length l'}

"Can we use refinement types for proving security of protocols?"

Page 4:

Page 5:

(image) Source: XKCD

Page 6:

(image) Source: XKCD

Page 7:

Could that be prevented?

1.  Yes
2.  Yes! Like tons of similar vulnerabilities, using a strong typing discipline

Option 2 in F*: make the reply's type depend on the declared length and on the request itself, so the function cannot return anything but the message it was given:

   val reply: len:nat -> msg:text{length msg = len}
           -> resp:text{resp = msg}

Hint: not a complete solution…

Page 8:

miTLS: A Verified Reference Implementation of TLS

•  Uses F* dependent types to reason about the security of TLS
•  Attacks discovered while verifying TLS:
   –  Alert, 3SHAKE, VHC, SMACK, Logjam, SLOTH
•  Quick moral:
   –  Automatic reasoning about program correctness helps to discover problems that would otherwise go unnoticed
   –  The more automatic checking, the better

Page 9:

Introducing: Security Games
"the only winning move is not to play"

•  Artificial setup:
   –  The attacker is given access to an Oracle, which gives him lots of information (e.g. encrypts/decrypts messages for him) minus some important bits (e.g. the encryption keys)
   –  The game follows a script: the attacker and the oracle both follow the rules of the game
•  Security proof:
   –  If the attacker has no better strategy than purely random guesses, then the protocol is secure

Page 10:

Eavesdropping security (EAV)

   Eavesdropper                            Oracle (knows k)
        ------------- m[0], m[1] -------------->
                                              b = sample {0,1}
        <---------- encrypt(k, m[b]) ----------
   guess b

The eavesdropper wins the game if P(guess b) > ½ + ε

Page 11:

Uppin' the Game: Chosen Plaintext Attacks (IND-CPA)

•  We give the attacker access to encrypt(k, -) before and after the challenge
•  Still, we should have P(guess b) < ½ + ε
•  Consequence: encryption should never return the same value twice ;) A deterministic scheme loses this game outright: the attacker asks the oracle for encrypt(k, m[0]) and compares it with the challenge ciphertext

   Attacker                                Oracle (knows k)
        -------- encrypt(k, -) queries ------->
        ------------- m[0], m[1] -------------->
                                              b = sample {0,1}
        <---------- encrypt(k, m[b]) ----------
        -------- encrypt(k, -) queries ------->
   guess b
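The IND-CPA game above, as an added runnable example (not code from the slides). A toy stream cipher is played through the game twice, once with a fixed nonce (deterministic encryption) and once with a fresh nonce per call; the cipher, the adversary and the two challenge messages are constructed here for illustration. The deterministic variant loses with probability 1, the randomized one leaves the same adversary at about ½.

```python
# Added example: an IND-CPA game harness with a deterministic and a randomized
# toy cipher. Cipher, adversary and messages are constructed for illustration only.
import hashlib
import random

NONCE_LEN = 12
KEY_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks. Not for real use."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Ciphertext = nonce || (msg XOR keystream)."""
    ks = keystream(key, nonce, len(msg))
    return nonce + bytes(a ^ b for a, b in zip(msg, ks))


def decrypt(key: bytes, ct: bytes) -> bytes:
    nonce, body = ct[:NONCE_LEN], ct[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))


def deterministic_oracle(key: bytes, rng: random.Random):
    """encrypt(k, -) with a fixed all-zero nonce: same plaintext -> same ciphertext."""
    return lambda m: encrypt(key, bytes(NONCE_LEN), m)


def randomized_oracle(key: bytes, rng: random.Random):
    """encrypt(k, -) with a fresh nonce on every call."""
    return lambda m: encrypt(key, bytes(rng.getrandbits(8) for _ in range(NONCE_LEN)), m)


class ReplayAdversary:
    """Queries encrypt(k, m[0]) before the challenge, then compares it with the challenge."""

    def choose(self, enc):
        # Constructed challenge messages; the game requires equal length.
        self.m0, self.m1 = b"attack at dawn", b"attack at dusk"
        self.c0 = enc(self.m0)            # chosen-plaintext query before the challenge
        return self.m0, self.m1

    def guess(self, enc, challenge: bytes) -> int:
        return 0 if challenge == self.c0 else 1


def adversary_win_rate(make_oracle, adversary_cls, seed: int, trials: int = 400) -> float:
    """Plays the IND-CPA game `trials` times with a seeded RNG and returns P(guess b)."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(KEY_LEN))
        enc = make_oracle(key, rng)
        adv = adversary_cls()
        m0, m1 = adv.choose(enc)
        assert len(m0) == len(m1)         # game rule: challenge messages of equal length
        b = rng.getrandbits(1)            # b = sample {0,1}
        challenge = enc((m0, m1)[b])      # encrypt(k, m[b])
        if adv.guess(enc, challenge) == b:
            wins += 1
    return wins / trials


if __name__ == "__main__":
    print("deterministic:", adversary_win_rate(deterministic_oracle, ReplayAdversary, seed=1))
    print("randomized:   ", adversary_win_rate(randomized_oracle, ReplayAdversary, seed=1))
```

The harness is the whole point: the scheme is "secure" only relative to the game being played, and the same adversary that wins every time against the fixed-nonce oracle is reduced to coin-flipping as soon as the nonce is fresh.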

Page 12:

Integrity against Chosen Message Attacks (INT-CMA)

   Attacker                                Oracle (knows k)
        ----------------- m ------------------>
                                              t = sign(k, m), logs (m, t)
        <---------------- t -------------------
        -------------- (m', t') -------------->
                                              wins if t' = sign(k, m') and m' is not in the log

•  The attacker can query the oracle for signatures, but each requested message m is logged along with its signature tag t
•  The attacker wins the game if he can produce a new pair (m', t'), with m' never queried, where t' = sign(k, m'), with probability > ε

Page 13:

Reasoning in F*

•  Security games are recipes (programs?)
•  They involve interaction between parties:

   val send: string -> IO unit
   val recv: unit -> IO string

•  Express verification conditions as refinement types
   –  IND-CPA Encryption:

      val enc: k:key -> plain -> c:cipher{Encrypted k c}
      val dec: k:key -> c:cipher{Encrypted k c} -> plain

   –  INT-CMA Signatures (here, MACs): the predicate Oracle k t records that t was MACed under k, so verify may only return true for texts the oracle has seen

      val mac: k:key -> t:text{Oracle k t} -> tag
      val verify: k:key -> t:text -> tag -> b:bool{b ==> Oracle k t}

•  Are we missing something?

Page 14:

Introducing: Probabilistic F*

•  New construct:

   let n = sample {0,1} in ...

   The program branches into two runs: n = 0 with probability 50% and n = 1 with probability 50%

Page 15:

Negligible differences

Ideal implementation (logs every MACed text; verify additionally requires a log hit):

   let mac k t =
     let m = hmac_sha1 k t in
     log := Entry k t m :: !log;
     m

   let verify k text tag =
     let m = hmac_sha1 k text in
     let verified = (m = tag) in
     let found =
       is_Some (List.find
         (fun (Entry k' text' tag') -> k = k' && text = text')
         !log) in
     verified && found

Real implementation (plain HMAC, no log):

   let mac k t =
     let m = hmac_sha1 k t in
     m

   let verify k text tag =
     let m = hmac_sha1 k text in
     let verified = (m = tag) in
     verified

Ideal ≈ Real: an attacker can tell them apart with probability < ε, because doing so requires a tag that verifies for a text that was never MACed, i.e. an INT-CMA forgery

Remember:

   val mac: k:key -> t:text{Oracle k t} -> tag
   val verify: k:key -> t:text -> tag -> b:bool{b ==> Oracle k t}

Page 16:

Example: RPC protocol

   A -> B: utf8 s, mac kAB s
   B -> A: utf8 t, mac kAB (s, t)

   let client q =
     assume Request(q)
     ...
     send (utf8 q, mac k (utf8 q))

   let server q =
     ...
     if verify k (utf8 q) m
       then
         assert Request(q)
         process q

   assume forall k t . Oracle k (utf8 t) <==> Request t
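The ideal/real MAC pair of page 15 and the RPC exchange above, as one added Python example (not code from the slides or from the FStar repository). The log plays the role of the predicate Oracle k t at runtime, so the ideal verify can only accept texts that went through mac, which is exactly the `b ==> Oracle k t` refinement; the server's `assert Request(q)` becomes the point where it processes the request. HMAC-SHA256 stands in for the slides' hmac_sha1, the pair encoding for mac kAB (s, t) is my choice, and the key, the request and the forgery attempt are constructed for illustration.

```python
# Added example: ideal (logging) vs real MAC, and the RPC protocol built on them.
# Key, requests and the forged message below are constructed for illustration.
import hashlib
import hmac
import os


# --- real implementation: plain HMAC, no log ---------------------------------
def mac_real(k: bytes, t: bytes) -> bytes:
    return hmac.new(k, t, hashlib.sha256).digest()


def verify_real(k: bytes, t: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_real(k, t), tag)


# --- ideal implementation: the log is the runtime counterpart of `Oracle k t` ---
log: list = []   # entries (k, t, tag), like `Entry k t m` on the slide


def mac_ideal(k: bytes, t: bytes) -> bytes:
    m = mac_real(k, t)
    log.append((k, t, m))
    return m


def verify_ideal(k: bytes, t: bytes, tag: bytes) -> bool:
    verified = hmac.compare_digest(mac_real(k, t), tag)
    found = any(k == k2 and t == t2 for (k2, t2, _) in log)
    return verified and found          # true only if t was MACed under k


def distinguisher(k: bytes, t: bytes):
    """The only way to tell ideal from real: a valid tag for a text never passed to mac.
    Without k that is an INT-CMA forgery; here we cheat with k just to expose the gap."""
    tag = mac_real(k, t)
    return verify_real(k, t, tag), verify_ideal(k, t, tag)


# --- RPC protocol: A -> B: utf8 s, mac kAB s ; B -> A: utf8 t, mac kAB (s, t) ---
def encode_pair(s: bytes, t: bytes) -> bytes:
    """Length-prefixed encoding of (s, t): mac kAB (s, t) cannot collide with mac kAB s."""
    return len(s).to_bytes(4, "big") + s + t


class Server:
    def __init__(self, kab: bytes, mac, verify):
        self.kab, self.mac, self.verify = kab, mac, verify
        self.processed: list = []      # requests accepted, i.e. where Request(q) held

    def handle(self, s: bytes, tag: bytes):
        if not self.verify(self.kab, s, tag):
            return None                # reject: nobody asserted Request(s)
        self.processed.append(s)       # `assert Request(q)` then `process q`
        t = b"reply to " + s
        return t, self.mac(self.kab, encode_pair(s, t))


class Client:
    def __init__(self, kab: bytes, mac, verify):
        self.kab, self.mac, self.verify = kab, mac, verify

    def call(self, server: Server, q: str):
        s = q.encode("utf8")           # `assume Request(q)`: the client really wants q
        resp = server.handle(s, self.mac(self.kab, s))            # A -> B
        if resp is None:
            return None
        t, tag = resp                                              # B -> A
        return t if self.verify(self.kab, encode_pair(s, t), tag) else None


def run_rpc(mac, verify, kab: bytes):
    """Honest run followed by a forgery attempt with a random tag (constructed attack)."""
    server = Server(kab, mac, verify)
    client = Client(kab, mac, verify)
    reply = client.call(server, "GET /status")
    forged = server.handle(b"rm -rf /", os.urandom(32))   # tag never produced by mac
    return reply, forged is not None, list(server.processed)


if __name__ == "__main__":
    print("real: ", run_rpc(mac_real, verify_real, b"k" * 32))
    print("ideal:", run_rpc(mac_ideal, verify_ideal, b"k" * 32))
    print("distinguisher:", distinguisher(b"k" * 32, b"never MACed"))
```

Run with either pair and the observable behaviour of the protocol is identical: the honest request goes through, the forged one is rejected, and the server's processed list contains only texts the client actually requested. Only `distinguisher`, which needs a valid tag for an unlogged text, separates the two worlds, and producing that tag without the key is precisely what INT-CMA says happens with probability at most ε.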

Page 17:

Demo

Page 18:

Conclusions

•  We can build cryptographic proofs of correctness using dependent types
•  Precisely reasoning about the correctness of programs (using types) helps discover problems (miTLS attacks)
•  Interested in more crypto protocols? Explore /FStar/examples/crypto