Moscow Days 6-10 The Kremlin Moscow University A Kremlin Church.
F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool...
Transcript of F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool...
![Page 1: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/1.jpg)
Formal Verification,Language Extensibility, andProof automation
F* and Meta-F*
https://fstar-lang.github.io
https://project-everest.github.io/
![Page 2: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/2.jpg)
Classified as Microsoft Confidential
• MSR Redmond• Barry Bond
• Chris Hawblitzel
• Qunyan Magnus
• Kiran Muthabatulla
• Jonathan Protzenko
• Tahina Ramananandro
• Nikhil Swamy
• Gustavo Varo
• MSR Cambridge• Antoine Delignat-Lavaud
• Cédric Fournet
• Christoph M. Wintersteiger
• Santiago Zanella-Béguelin
• MSR India• Aseem Rastogi
• INRIA Paris• Danel Ahman
• Kenji Maillard
• Benjamin Beurdouche
• Karthikeyan Bhargavan
• Victor Dumitrescu
• Cătălin Hriţcu
• Marina Polubelova
• CMU (Pittsburgh)• Jay Bosamiya
• Aymeric Fromherz
• Bryan Parno
• Edinburgh• Markulf Kohlweiss
• Interns, open-source contributors, visitors, alumns
• Guido Martinez
• Zoe Paraskevopoulou
• Yao Li
• Joonwon Choi
• Clément Pit-Claudel
• Nick Giannarakis
• Niklas Grimm
• Anita Gollamudi
• Nadim Kobeissi
• Matteo Maffei
• Asher Manning
• Monal Narasimhamurthy
• Gordon Plotkin
• Perry Wang
• Jean-Karim Zinzindohoue
![Page 3: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/3.jpg)
![Page 4: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/4.jpg)
Threat model
Goal: A secure channel
connect(server,port);
send “GET…”;
data = recv();
send “POST…”;
…
accept(port);
request = recv();
send “<html>…”;
order = recv();
…
Public Key
Infrastructure
20 years of attacks & fixesBuffer overflows
Incorrect state machines
Lax certificate parsing
Weak or poorly implemented crypto
Side channels
Informal security goals
Dangerous APIs
Flawed standards
Mainstream implementationsOpenSSL, SChannel, NSS, …
![Page 5: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/5.jpg)
Much discussionsIETF, Google, Mozilla, Microsoft, CDNs, cryptographers, network engineers, …
Much improvements• Modern design
• Fewer roundtrips
• Stronger security
New implementationsrequired for all
• An early implementer and verified too!
• Find & fix flaws before it’s too late
RFC 8446: Aug 2018
Including many of our proposals
Mentioning many formal models of the protocol, including our verified implementation of the record layer
![Page 6: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/6.jpg)
…
TLS
RSA SHA
Network buffers
Untrusted network (TCP, UDP, …)
Crypto
Algorithms
Project Everest
Verified Secure Componentsin the TLS Ecosystem
QUICECDH AES
![Page 7: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/7.jpg)
F*: A general
purpose
programming
language
and verification
tool
kreMLinCompiler from
(a subset of)
F* to C
Verification Tools and Methodology
val nbytes 16 →u32 →nbytes len →nbytes 32 ∧ →
ST unitrequires λ → ∈ ∧ ∈ ∧ ∈ensures λ →
let inlet inmodifies ∧
Math spec in F*
poly1305_mac computes a
polynomial in GF(2130-5),
storing the result in tag,
and not modifying
anything else
Efficient C
implementation
Verification imposes no
runtime performance
overhead
void
poly1305_mac(uint8_t *tag, uint32_t len, uint8_t *msg, uint8_t *key)
{
uint64_t tmp [10] = { 0 };
uint64_t *acc = tmp
uint64_t *r = tmp + (uint32_t)5;
uint8_t s[16] = { 0 };
Crypto_Symmetric_Poly1305_poly1305_init(r, s, key);
Crypto_Symmetric_Poly1305_poly1305_process(msg, len, acc, r);
Crypto_Symmetric_Poly1305_poly1305_finish(tag, acc, s);
}
![Page 8: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/8.jpg)
8
Protocol specs
Protocol security proofs
Security spec
Crypto assumptions
Implementation
AES is a pseudo-random function
= Verified
= Trusted
Secure authenticated channel
![Page 9: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/9.jpg)
![Page 10: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/10.jpg)
Everest in Action, so far
Production deployments of Everest Verified Cryptography
![Page 11: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/11.jpg)
So what is this F* thing anyway?
![Page 12: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/12.jpg)
Two camps of program verification tools
![Page 13: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/13.jpg)
F*: Bridging the gap
![Page 14: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/14.jpg)
![Page 15: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/15.jpg)
![Page 16: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/16.jpg)
Beyond Pure Code
Effects
![Page 17: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/17.jpg)
Effectful programs with Hoare-style Specifications
STExn
True
![Page 18: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/18.jpg)
Effectful programs with Hoare-style Specifications
STExn
![Page 19: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/19.jpg)
Exploiting Expressiveness & Extensibility
Low*: A subset of F* that compiles to C
![Page 20: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/20.jpg)
Low* to C
And to support compilation to C, in nearly 1-1 correspondence, for auditability of our generated code
Designed to allow manipulating a C-like view of memory
Pointer arithmetic
Stack allocation
Erased
specification
![Page 21: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/21.jpg)
![Page 22: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/22.jpg)
But SMT-based proofs can go awry
![Page 23: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/23.jpg)
And can be at a low level of abstraction
![Page 24: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/24.jpg)
Domain-specific languages, ad hoc proof automation,extensibility
![Page 25: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/25.jpg)
Domain-specific languages, ad hoc proof automation,extensibility
elaborator reflection
![Page 26: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/26.jpg)
A passive compiler pipeline
Parsing &
DesugaringTypechecker
Extraction aka
Code generation
Higher-order
UnificationNormalizer SMT Encoding
![Page 27: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/27.jpg)
Scripting components with a metaprogram
Parsing &
DesugaringTypechecker
Extraction aka
Code generation
Higher-order
UnificationNormalizer SMT Encoding
![Page 28: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/28.jpg)
Scripting a language implementationfrom within the language
![Page 29: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/29.jpg)
From F* to Meta-F*, In three easy steps
![Page 30: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/30.jpg)
Proof-state: A collection of typed holes
![Page 31: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/31.jpg)
Metaprograms are proofstate transformers
• Uses an existing F* effect for non-termination: Dv• The type of the state is an abstract type: proofstate
• error is the type of exceptions
State + Exception + Non-termination monad
![Page 32: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/32.jpg)
Step 2
Primitive operations on
Meta
Inl
“Goal is not an arrow”
![Page 33: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/33.jpg)
Step 3
Reflecting on syntax
unquote Meta
![Page 34: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/34.jpg)
Putting it together
id Type
Type
Type
Type
![Page 35: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/35.jpg)
And can be at a low level of abstraction
Remember this?
![Page 36: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/36.jpg)
Metaprogramming mutually inverse parsers and formatters
![Page 37: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/37.jpg)
Putting it together
f
assert
𝑥: 𝑛𝑎𝑡, ℎ: 𝑥 > 1 ⊢ _ ∶ (𝑥 ∗ 𝑥 > 𝑥)
![Page 38: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/38.jpg)
SMT: Just one of F*’s tactic primitivesMeta
f
assert
𝑥: 𝑛𝑎𝑡, ℎ: 𝑥 > 1 ⊢ _ ∶ (𝑥 ∗ 𝑥 > 𝑥)
![Page 39: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/39.jpg)
But SMT-based proofs can go awry
Remember this?
![Page 40: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/40.jpg)
SMT + Tactics for more automated, robust proofs
• Prior manual proof required 41 steps of explicit rewriting lemmas (!)
![Page 41: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/41.jpg)
Language extension with native metaprograms
![Page 42: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/42.jpg)
Language extension with native metaprograms
![Page 43: F* and Meta-F* · 2020-07-18 · F*: A general purpose programming language and verification tool kreMLin Compiler from (a subset of) F* to C Verification Tools and Methodology val](https://reader034.fdocuments.us/reader034/viewer/2022050404/5f81f66c4940a5324e28aa82/html5/thumbnails/43.jpg)
Some takeaways
improve