Formally Verified Cryptographic Web Applications in WebAssembly
Jonathan Protzenko, Microsoft Research
Benjamin Beurdouche, INRIA
Denis Merigoux, INRIA
Karthik Bhargavan, INRIA
J. Protzenko et al. — MSR + INRIA, Verified Cryptographic Web Applications in WASM, May 22nd, 2019, slide 1 / 22
The Web beyond the Web
The Web environment has become the target of choice for deploying applications.
Think: websites, desktop apps (Electron), server apps (node.js), browser addons…
How about security-sensitive applications, such as password managers and secure messengers?
Life is hard for secure web apps
Application developers are at a loss for secure toolchains targeting the Web runtime.
• custom cryptographic schemes
• ad-hoc protocols
• unverifiable app logic
• hostile target environment (JavaScript).
(Larger) Claim: the JavaScript toolchain is inadequate for Web-based security-sensitive applications.
An F∗ to WASM toolchain
We formalize a verified pipeline from Low∗ to WASM and implement it in the KreMLin compiler.
[Figure: compilation pipeline. F∗ → Low∗ (ICFP’17) → C♭ → WASM → Machine Code. KreMLin performs the Low∗-to-WASM compilation; two of the arrows are labelled “paper” (the stages formalized in this work); a “side-channel check” is shown at the F∗/Low∗ level; the WASM output runs in browser, node, …]
This work’s contributions
• A generic toolchain (formalization and implementation) to compile F∗ programs to WebAssembly
• The HACL∗ verified cryptographic library compiled to WebAssembly
• A formally verified implementation of Signal, in WebAssembly
• Verified for functional correctness, memory safety, side-channel resistance and protocol security
• No performance penalty; same API; ready to integrate
Our running example: Signal
• Signal powers WhatsApp, Messenger, Skype, Signal
  This means over 1 billion users
• Allows communicating asynchronously (trend)
• Relies on a server with limited trust
• Generally trust-on-first-use
Let’s start with a quick overview of the protocol.
[Figure: message sequence between Alice, the Server and Bob, built up step by step across several animated slides (figure columns: Alice, Server, BP, Bob)]
• Bob publishes keys to the server
• Alice fetches Bob’s key bundle from the server
• X3DH → rk0
• Diffie-Hellman ratchet → rk1, ck1
• m1 + keys: “hey Bob”
• symmetric key ratchet → ck2
• m2: “where’s the secret stash”
• etc.
• Diffie-Hellman ratchet → rk2, ck3
• m3 + keys: “it’s at Oakland”
• etc.
Signal: a recap
• the protocol is sophisticated
• X3DH for session initiation
• double-ratchet for asynchronous communications, forward secrecy and post-compromise security
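The key schedule the slides walk through (rk0 from X3DH, a DH ratchet to rk1/ck1, a symmetric ratchet to ck2, a second DH ratchet to rk2/ck3), as an added Python example that is not code from the talk or from HACL∗/the verified Signal implementation. The HKDF and HMAC constructions follow the Double Ratchet specification's recommended KDF_RK/KDF_CK; the info label and the rk0/dh byte strings are constructed stand-ins for the X3DH and X25519 outputs.

```python
import hmac
import hashlib

# Constructed example, not the talk's verified code. KDF_RK is HKDF-SHA256,
# KDF_CK is HMAC-SHA256 with constant inputs, as the Double Ratchet spec recommends.
INFO = b"DoubleRatchetExample"  # constructed label; real deployments use their own


def hkdf_sha256(salt, ikm, info, length):
    """RFC 5869 HKDF (extract-then-expand) with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def dh_ratchet(rk, dh_out):
    """Diffie-Hellman ratchet step: (rk_i, fresh DH output) -> (rk_{i+1}, new chain key).
    Fresh DH randomness is what gives post-compromise security."""
    okm = hkdf_sha256(rk, dh_out, INFO, 64)
    return okm[:32], okm[32:]


def symmetric_ratchet(ck):
    """Symmetric-key ratchet step: ck_i -> (ck_{i+1}, message key for one message).
    ck_i cannot be recovered from ck_{i+1} or mk, which gives forward secrecy."""
    mk = hmac.new(ck, b"\x01", hashlib.sha256).digest()
    ck_next = hmac.new(ck, b"\x02", hashlib.sha256).digest()
    return ck_next, mk


def session_keys(rk0, dh1, dh2):
    """Replays the slides' Alice/Bob key schedule. rk0 stands for the X3DH
    output; dh1 and dh2 stand for the two DH ratchet outputs (constructed)."""
    rk1, ck1 = dh_ratchet(rk0, dh1)       # DH ratchet -> rk1, ck1
    ck2, mk1 = symmetric_ratchet(ck1)     # m1 "hey Bob" is encrypted under mk1
    _, mk2 = symmetric_ratchet(ck2)       # symmetric ratchet -> ck2, m2 under mk2
    rk2, ck3 = dh_ratchet(rk1, dh2)       # DH ratchet -> rk2, ck3
    _, mk3 = symmetric_ratchet(ck3)       # m3 "it's at Oakland" under mk3
    return {"rk1": rk1, "ck1": ck1, "ck2": ck2, "rk2": rk2, "ck3": ck3,
            "mk": [mk1, mk2, mk3]}
```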
// Push dst + 8*i on the stack
get_local ℓ0; get_local ℓ3; i32.const 8; i32.binop∗; i32.binop+
// Load a + 8*i on the stack
get_local ℓ1; get_local ℓ3; i32.const 8; i32.binop∗; i32.binop+; i64.load
// Load b + 8*i on the stack (elided, same as above)
// Add a.[i] and b.[i], store into dst.[i]
i64.binop+; i64.store
// Per the rules, return unit
i32.const 0; drop
// Increment i; break if i == 5
get_local ℓ3; i32.const 1; i32.binop+; tee_local ℓ3
i32.const 5; i32.op =; br_if