research-article

Open access

A verified, efficient embedding of a verifiable assembly language

Authors:

Aymeric Fromherz,

Nick Giannarakis,

Chris Hawblitzel,

Nikhil SwamyAuthors Info & Claims

Proceedings of the ACM on Programming Languages, Volume 3, Issue POPL

Article No.: 63, Pages 1 - 30

https://doi.org/10.1145/3290376

Published: 02 January 2019 Publication History

Abstract

High-performance cryptographic libraries often mix code written in a high-level language with code written in assembly. To support formally verifying the correctness and security of such hybrid programs, this paper presents an embedding of a subset of x64 assembly language in F* that allows efficient verification of both assembly and its interoperation with C code generated from F*. The key idea is to use the computational power of a dependent type system's type checker to run a verified verification-condition generator during type checking. This allows the embedding to customize the verification condition sent by the type checker to an SMT solver. By combining our proof-by-reflection style with SMT solving, we demonstrate improved automation for proving the correctness of assembly-language code. This approach has allowed us to complete the first-ever proof of correctness of an optimized implementation of AES-GCM, a cryptographic routine used by 90% of secure Internet traffic.

Supplementary Material

WEBM File (a63-fromherz.webm)

Download
75.52 MB

References

[1]

Onur Aciiçmez, Billy Bob Brumley, and Philipp Grabher. 2010. New Results on Instruction Cache Attacks. In Proceedings of the International Conference on Cryptographic Hardware and Embedded Systems (CHES).

Digital Library

[2]

José Bacelar Almeida, Manuel Barbosa, Gilles Barthe, Arthur Blot, Benjamin Grégoire, Vincent Laporte, Tiago Oliveira, Hugo Pacheco, Benedikt Schmidt, and Pierre-Yves Strub. 2017. Jasmin: High-Assurance and High-Speed Cryptography. In Proceedings of the ACM Conference on Computer and Communications Security (CCS).

Digital Library

[3]

Nada Amin and Tiark Rompf. 2017. LMS-Verify: Abstraction Without Regret for Verified Systems Programming. In Proceedings of the ACM Conference on Principles of Programming Languages (POPL).

Digital Library

[4]

Marc Andrysco, David Kohlbrenner, Keaton Mowery, Ranjit Jhala, Sorin Lerner, and Hovav Shacham. 2015. On Subnormal Floating Point and Abnormal Timing. In Proceedings of the IEEE Symposium on Security and Privacy.

Digital Library

[5]

Clark Barrett, Christopher L. Conway, Morgan Deters, Liana Hadarean, Dejan Jovanović, Tim King, Andrew Reynolds, and Cesare Tinelli. 2011. CVC4. In Proceedings of the Conference on Computer Aided Verification (CAV).

Digital Library

[6]

Daniel J. Bernstein. 2005. The Poly1305-AES message-authentication code. In Proceedings of Fast Software Encryption.

Digital Library

[7]

Barry Bond, Chris Hawblitzel, Manos Kapritsos, K. Rustan M. Leino, Jacob R. Lorch, Bryan Parno, Ashay Rane, Srinath Setty, and Laure Thompson. 2017. Vale: Verifying High-Performance Cryptographic Assembly Code. In Proceedings of the USENIX Security Symposium.

Digital Library

[8]

David Brumley and Dan Boneh. 2003. Remote Timing Attacks Are Practical. In Proceedings of the USENIX Security Symposium.

Digital Library

[9]

Adam Chlipala. 2013. The Bedrock Structured Programming System: Combining Generative Metaprogramming and Hoare Logic in an Extensible Program Verifier. In Proceedings of the ACM SIGPLAN International Conference on Functional Programming (ICFP).

Digital Library

[10]

Adam Chlipala. 2017. Certified Programming with Dependent Types. http://adam.chlipala.net/cpdt/ .

Digital Library

[11]

Coq Development Team. 2015. The Coq Proof Assistant Reference Manual, version 8.5. https://coq.inria.fr/distrib/current/ refman/ .

[12]

David Costanzo, Zhong Shao, and Ronghui Gu. 2016. End-to-end Verification of Information-flow Security for C and Assembly Programs. In Proceedings of the Conference on Programming Language Design and Implementation (PLDI).

Digital Library

[13]

L. de Moura and N. Bjørner. 2008. Z3: An efficient SMT solver. In Proceedings of the Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS).

Digital Library

[14]

A. Erbsen, J. Philipoom, J. Gross, R. Sloan, and A. Chlipala. 2019. Simple High-Level Code for Cryptographic Arithmetic -With Proofs, Without Compromises. In Proceedings of the IEEE Symposium on Security and Privacy.

[15]

Jean-Christophe Filliâtre. 2011. Deductive Program Verification. https://www.lri.fr/~filliatr/hdr/memoire.pdf .

[16]

Karine Gandolfi, Christophe Mourtel, and Francis Olivier. 2001. Electromagnetic Analysis: Concrete Results. In Proceedings of the International Conference on Cryptographic Hardware and Embedded Systems (CHES).

Digital Library

[17]

J. A. Goguen and J. Meseguer. 1982. Security Policies and Security Models. In Proceedings of the IEEE Symposium on Security and Privacy.

[18]

Michael J. C. Gordon. 1989. Current Trends in Hardware Verification and Automated Theorem Proving. Springer-Verlag New York, Inc., New York, NY, USA, Chapter Mechanizing Programming Logics in Higher Order Logic, 387–439. http://dl.acm.org/citation.cfm?id=106971.107122

Digital Library

[19]

Dan Grossman, J. Gregory Morrisett, Trevor Jim, Michael W. Hicks, Yanling Wang, and James Cheney. 2002. Region-Based Memory Management in Cyclone. In Proceedings of the Conference on Programming Language Design and Implementation (PLDI).

Digital Library

[20]

Ronghui Gu, Zhong Shao, Hao Chen, Xiongnan Wu, Jieung Kim, Vilhelm Sjöberg, and David Costanzo. 2016. CertiKOS: An Extensible Architecture for Building Certified Concurrent OS Kernels. In Proceedings of the USENIX Symposium on Operating Systems Design and Implementation (OSDI). USENIX Association, Berkeley, CA, USA, 653–669. http: //dl.acm.org/citation.cfm?id=3026877.3026928

Digital Library

[21]

Ronghui Gu, Zhong Shao, Jieung Kim, Xiongnan (Newman) Wu, Jérémie Koenig, Vilhelm Sjöberg, Hao Chen, David Costanzo, and Tahina Ramananandro. 2018. Certified Concurrent Abstraction Layers. In Proceedings of the Conference on Programming Language Design and Implementation (PLDI). ACM, New York, NY, USA, 646–661.

Digital Library

[22]

Shay Gueron. 2012. Intel ® Advanced Encryption Standard (AES) New Instructions Set. https://software.intel.com/sites/ default/files/article/165683/aes- wp- 2012- 09- 22- v01.pdf .

[23]

Paolo Herms, Claude Marché, and Benjamin Monate. 2012. A Certified Multi-prover Verification Condition Generator. In Proceedings of the International Conference on Verified Software: Theories, Tools, Experiments (VSTTE). Springer-Verlag, Berlin, Heidelberg, 2–17.

Digital Library

[24]

Peter V. Homeier and David F. Martin. 1995. A Mechanically Verified Verification Condition Generator. Comput. J. 38, 2 (1995), 131–141.

[25]

Andrew Kennedy, Nick Benton, Jonas B. Jensen, and Pierre-Evariste Dagand. 2013. Coq: The World’s Best Macro Assembler?. In Proceedings of the Symposium on Principles and Practice of Declarative Programming (PPDP).

Digital Library

[26]

Paul C. Kocher. 1996. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In Proceedings of the International Cryptology Conference (CRYPTO).

Digital Library

[27]

K. Rustan M. Leino. 2010. Dafny: An Automatic Program Verifier for Functional Correctness. In Proceedings of the Conference on Logic for Programming, Artificial Intelligence, and Reasoning (LPAR).

Digital Library

[28]

Xavier Leroy, Sandrine Blazy, Daniel Kästner, Bernhard Schommer, Markus Pister, and Christian Ferdinand. 2016. CompCert – A Formally Verified Optimizing Compiler. In Embedded Real Time Software and Systems (ERTS). SEE.

[29]

Ramya Jayaram Masti, Devendra Rai, Aanjhan Ranganathan, Christian Müller, Lothar Thiele, and Srdjan Capkun. 2015. Thermal Covert Channels on Multi-core Platforms. In Proceedings of the USENIX Security Symposium.

Digital Library

[30]

David A. McGrew and John Viega. 2004. The Security and Performance of the Galois/Counter Mode of Operation. In Proceedings of the International Conference on Cryptology in India (INDOCRYPT).

Digital Library

[31]

Mozilla. 2018. Measurement Dashboard. https://mzl.la/2ug9YCH .

[32]

Magnus O. Myreen. 2009. Formal verification of machine-code programs. Ph.D. Thesis, University of Cambridge.

[33]

Magnus O. Myreen and Gregorio Curello. 2013. Proof Pearl: A Verified Bignum Implementation in x86-64 Machine Code. In International Conference on Certified Programs and Proofs (CPP).

Digital Library

[34]

Aleksandar Nanevski, J. Gregory Morrisett, and Lars Birkedal. 2008. Hoare type theory, polymorphism and separation. J. Funct. Program. 18, 5-6 (2008), 865–911.

Digital Library

[35]

NIST. 2001. Announcing the Advanced Encryption Standard (AES). Federal Information Processing Standards Publication 197.

[36]

NIST. 2007. Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC. NIST Special Publication 800-38D.

[37]

OpenSSL. 2016a. Chase overflow bit on x86 and ARM platforms. GitHub commit dc3c5067cd90f3f2159e5d53c57b92730c687d7e.

[38]

OpenSSL. 2016b. Don’t break carry chains. GitHub commit 4b8736a22e758c371bc2f8b3534dc0c274acf42c.

[39]

OpenSSL. 2016c. Don’t loose {sic} 59-th bit. GitHub commit bbe9769ba66ab2512678a87b0d9b266ba970db05.

[40]

Daniel Patterson, Jamie Perconti, Christos Dimoulas, and Amal Ahmed. 2017. FunTAL: Reasonably Mixing a Functional Language with Assembly. In Proceedings of the Conference on Programming Language Design and Implementation (PLDI). ACM, New York, NY, USA, 495–509.

Digital Library

[41]

Colin Percival. 2005. Cache Missing for Fun and Profit. BSDCan. https://www.daemonology.net/papers/htt.pdf .

[42]

F. Pfenning and C. Elliott. 1988. Higher-order Abstract Syntax. In Proceedings of the Conference on Programming Language Design and Implementation (PLDI). ACM, New York, NY, USA, 199–208.

Digital Library

[43]

Jonathan Protzenko, Jean-Karim Zinzindohoué, Aseem Rastogi, Tahina Ramananandro, Peng Wang, Santiago ZanellaBéguelin, Antoine Delignat-Lavaud, Catalin Hritcu, Karthikeyan Bhargavan, Cédric Fournet, and Nikhil Swamy. 2017. Verified Low-Level Programming Embedded in F*. PACMPL 1, ICFP (Sept. 2017), 17:1–17:29.

Digital Library

[44]

L. C. Ragland. 1973. A Verified Program Verifier. Technical Report. Austin, TX, USA.

[45]

Eric Rescorla. 2018. The Transport Layer Security (TLS) Protocol Version 1.3, Draft 28. https://tools.ietf.org/html/ draft- ietf- tls- tls13- 28 .

[46]

Pierre-Yves Strub, Nikhil Swamy, Cedric Fournet, and Juan Chen. 2012. Self-Certification: Bootstrapping Certified Typecheckers in F* with Coq. In Proceedings of the ACM Conference on Principles of Programming Languages (POPL). 571–584. https://hal.inria.fr/inria- 00628775

Digital Library

[47]

Nikhil Swamy, Cătălin Hriţcu, Chantal Keller, Aseem Rastogi, Antoine Delignat-Lavaud, Simon Forest, Karthikeyan Bhargavan, Cédric Fournet, Pierre-Yves Strub, Markulf Kohlweiss, Jean-Karim Zinzindohoué, and Santiago Zanella-Béguelin. 2016. Dependent Types and Multi-Monadic Effects in F*. In Proceedings of the ACM Conference on Principles of Programming Languages (POPL). ACM, 256–270.

Digital Library

[48]

Mads Tofte and Jean-Pierre Talpin. 1997. Region-Based Memory Management. Inf. Comput. 132, 2 (Feb. 1997), 109–176.

Digital Library

[49]

Ming-Hsien Tsai, Bow-Yaw Wang, and Bo-Yin Yang. 2017. Certified Verification of Algebraic Properties on Low-Level Mathematical Constructs in Cryptographic Programs. In Proceedings of the ACM Conference on Computer and Communications Security (CCS). New York, NY, USA.

Digital Library

[50]

Yuval Yarom, Daniel Genkin, and Nadia Heninger. 2010. CacheBleed: A Timing Attack on OpenSSL Constant Time RSA. In Proceedings of the International Conference on Cryptographic Hardware and Embedded Systems (CHES).

[51]

Jean Karim Zinzindohoué, Karthikeyan Bhargavan, Jonathan Protzenko, and Benjamin Beurdouche. 2017. HACL*: A Verified Modern Cryptographic Library. In Proceedings of the ACM Conference on Computer and Communications Security (CCS).

Digital Library

Cited By

Cumming DUtting MCassez FDong NTork SRisius M(2024)EVM-Vale: Formal Verification of EVM Bytecode Using ValeDistributed Ledger Technology10.1007/978-981-97-0006-6_3(39-54)Online publication date: 9-Feb-2024
https://doi.org/10.1007/978-981-97-0006-6_3
Raimondi GBesson FJensen T(2023)Type-directed Program Transformation for Constant-Time EnforcementProceedings of the 25th International Symposium on Principles and Practice of Declarative Programming10.1145/3610612.3610618(1-13)Online publication date: 22-Oct-2023
https://dl.acm.org/doi/10.1145/3610612.3610618
Patterson DWagner AAhmed ACong YDagand P(2023)Semantic Encapsulation using Linking TypesProceedings of the 8th ACM SIGPLAN International Workshop on Type-Driven Development10.1145/3609027.3609405(14-28)Online publication date: 30-Aug-2023
https://dl.acm.org/doi/10.1145/3609027.3609405
Show More Cited By

Index Terms

A verified, efficient embedding of a verifiable assembly language
1. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Formal software verification

Recommendations

Language support for verifiable SDNs
SPLASH Companion 2016: Companion Proceedings of the 2016 ACM SIGPLAN International Conference on Systems, Programming, Languages and Applications: Software for Humanity

Programming languages for Software-Defined Networks (SDNs) provide higher abstractions on top of hardware-based APIs like OpenFlow. Researchers started to develop SDN programming languages based on mathematical foundations, which makes these languages ...
Pilsner: a compositionally verified compiler for a higher-order imperative language
ICFP 2015: Proceedings of the 20th ACM SIGPLAN International Conference on Functional Programming

Compiler verification is essential for the construction of fully verified software, but most prior work (such as CompCert) has focused on verifying whole-program compilers. To support separate compilation and to enable linking of results from different ...
Pilsner: a compositionally verified compiler for a higher-order imperative language
ICFP '15

Compiler verification is essential for the construction of fully verified software, but most prior work (such as CompCert) has focused on verifying whole-program compilers. To support separate compilation and to enable linking of results from different ...

Comments

Information & Contributors

Information

Published In

cover image Proceedings of the ACM on Programming Languages

Proceedings of the ACM on Programming Languages Volume 3, Issue POPL

January 2019

2275 pages

EISSN:2475-1421

DOI:10.1145/3302515

Issue’s Table of Contents

Copyright © 2019 Owner/Author.

This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 02 January 2019

Published in PACMPL Volume 3, Issue POPL

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Badges

Author Tags

Qualifiers

Research-article

Funding Sources

Department of the Navy, Office of Naval Research

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

22
Total Citations
View Citations
1,244
Total Downloads

Downloads (Last 12 months)179
Downloads (Last 6 weeks)32

Reflects downloads up to 13 Sep 2024

Other Metrics

View Author Metrics

Citations

Cited By

Cumming DUtting MCassez FDong NTork SRisius M(2024)EVM-Vale: Formal Verification of EVM Bytecode Using ValeDistributed Ledger Technology10.1007/978-981-97-0006-6_3(39-54)Online publication date: 9-Feb-2024
https://doi.org/10.1007/978-981-97-0006-6_3
Raimondi GBesson FJensen T(2023)Type-directed Program Transformation for Constant-Time EnforcementProceedings of the 25th International Symposium on Principles and Practice of Declarative Programming10.1145/3610612.3610618(1-13)Online publication date: 22-Oct-2023
https://dl.acm.org/doi/10.1145/3610612.3610618
Patterson DWagner AAhmed ACong YDagand P(2023)Semantic Encapsulation using Linking TypesProceedings of the 8th ACM SIGPLAN International Workshop on Type-Driven Development10.1145/3609027.3609405(14-28)Online publication date: 30-Aug-2023
https://dl.acm.org/doi/10.1145/3609027.3609405
Ho SFromherz AProtzenko J(2023)Modularity, Code Specialization, and Zero-Cost Abstractions for Program VerificationProceedings of the ACM on Programming Languages10.1145/36078447:ICFP(385-416)Online publication date: 30-Aug-2023
https://dl.acm.org/doi/10.1145/3607844
Zhou YGibson SCai SWinchell MParno BMeng WJensen CCremers CKirda E(2023)Galápagos: Developing Verified Low Level Cryptography on Heterogeneous HardwaresProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3616603(2113-2127)Online publication date: 15-Nov-2023
https://dl.acm.org/doi/10.1145/3576915.3616603
De Almeida Braga DKulatova NSabt MFouque PBhargavan K(2023)From Dragondoom to Dragonstar: Side-channel Attacks and Formally Verified Implementation of WPA3 Dragonfly Handshake2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P)10.1109/EuroSP57164.2023.00048(707-723)Online publication date: Jul-2023
https://doi.org/10.1109/EuroSP57164.2023.00048
Derakhshan FZhang ZVasudevan AJia L(2023)Towards End-to-End Verified TEEs via Verified Interface Conformance and Certified Compilers2023 IEEE 36th Computer Security Foundations Symposium (CSF)10.1109/CSF57540.2023.00021(324-339)Online publication date: Jul-2023
https://doi.org/10.1109/CSF57540.2023.00021
Jhala R(2022)Embedded Domain Specific VerifiersPrinciples of Systems Design10.1007/978-3-031-22337-2_26(535-553)Online publication date: 29-Dec-2022
https://doi.org/10.1007/978-3-031-22337-2_26
Yuan STalpin JArun-Kumar SMery DSaha IZhang L(2021)Verified functional programming of an IoT operating system's bootloaderProceedings of the 19th ACM-IEEE International Conference on Formal Methods and Models for System Design10.1145/3487212.3487347(89-97)Online publication date: 20-Nov-2021
https://dl.acm.org/doi/10.1145/3487212.3487347
Rivera EMergendahl SShrobe HOkhravi HBurow N(2021)Keeping Safe Rust Safe with GaleedProceedings of the 37th Annual Computer Security Applications Conference10.1145/3485832.3485903(824-836)Online publication date: 6-Dec-2021
https://dl.acm.org/doi/10.1145/3485832.3485903
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Media

Figures

Other

Tables

View Issue’s Table of Contents