Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… ·...
Transcript of Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… ·...
![Page 1: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/1.jpg)
Formal Verifica-on of Cloud Services Bryan Parno
1
![Page 2: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/2.jpg)
2
h,ps://www.chase.com/
Online and Mobile Security • We periodically review our operations and
business practices to make sure they comply with the corporate policies and procedures we follow to protect confidential information
![Page 3: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/3.jpg)
Number of data breaches?
3
Large-‐Scale Data Breaches Affect Millions of Users Number of compromised records in recent large-‐scale data breaches
![Page 4: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/4.jpg)
Rustan Leino Chris Hawblitzel Jon Howell
Bryan Parno Brian Zill
Manos Kapritsos
Srinath Se,y Michael Lowell Roberts Danfeng Zhang
Arjun Narayan Jay Lorch
The Ironclad Project
![Page 5: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/5.jpg)
The Ironclad Project
5
Crypto Algorithms
*** TLS
X.509
HTTPS
RSA SHA ECDH
Network buffers
4Q
ASN.1
Everest HTTPS Ironclad Apps
App
Lib
Hardware specs
Math TPM Driver Net Driver
UDP/IP Datatypes RSA Ethernet BigNum SHA-‐256
Std. Lib Common
App
Late launch IOMMU Segs GC
Device IO
[OSDI 2014] IronFleet [SOSP 2015]
![Page 6: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/6.jpg)
An Ironclad app guarantees to remote parces that every instruccon it executes adheres to a high-‐level security spec.
6
My personal data will not be misused My password will never leak
![Page 7: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/7.jpg)
Ironclad combines:
7
push ebp mov ebp, esp sub esp, 4 mov eax, 8
• Late launch • Secure hardware • Sohware verificacon
![Page 8: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/8.jpg)
Ironclad combines:
8
push ebp mov ebp, esp sub esp, 4 mov eax, 8
• Late launch • Secure hardware • Sohware verificacon
Secure Remote Equivalence
Encre sohware stack
Reasonable effort
![Page 9: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/9.jpg)
9
push ebp mov ebp, esp sub esp, 4 mov eax, 8
Verifica3on goals • End-‐to-‐end security
─ Complete ─ Low-‐level
• Rapid development
• Non-‐goal: Verify exiscng code
• Long-‐term: Performance matches unsafe code
![Page 10: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/10.jpg)
Prior work
• Small components – E.g., RSA-‐OAEP – Localized guarantee
• Single layers – No end-‐to-‐end guarantee
10
OS Hardware
App 1
App N …
Drivers
Libraries
![Page 11: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/11.jpg)
Our formal, end-‐to-‐end guarantee • End-‐to-‐end secure communicacon with provably secure assembly code
• Implies: – No buffer overflows – No code injeccon – No type-‐safety flaws – No informacon disclosures – No crypto impl flaws
11
…
We always know what the app will do with private data!
Math TPM Driver Net Driver
UDP/IP Datatypes RSA Ethernet BigNum SHA-‐256
Std. Lib Common
App
Late launch IOMMU Segs GC
Device IO
![Page 12: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/12.jpg)
Verifica3on methodology
12
High-‐level spec
Verifiable, high-‐level implementacon in Dafny
Ironclad spec translator Ironclad compiler
Low-‐ level spec
Verifiable assembly language (BoogieX86)
Verifier Assembler + Linker ü
predicate IsPrime(p:int) { 2 <= p && forall x :: 2 <= x < p ==> p % x != 0 }
procedure CheckPrimality(p:int) returns (b:bool) requires p >= 0; ensures b == IsPrime(p);
{ var divisor := 2; while divisor < p
invariant 2 <= divisor <= p; {
...
call edx := Mov(2); loop: invariant 2 <= edx < eax; invariant MemInv(...); ... if (edx >= eax) { goto loopEnd; }
mov edx, 2 loop: ... cmp edx, eax jae loopEnd
= Untrusted = Trusted
![Page 13: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/13.jpg)
Verifica3on methodology: Benefits
13
High-‐level spec
Verifiable, high-‐level implementacon in Dafny
Ironclad compiler
Low-‐ level spec
Verifiable assembly language (BoogieX86)
Verifier Assembler + Linker ü
Ironclad spec translator Simple and
declaracve
Rapid development
Low-‐level verificacon
Arbitrarily complex
Performance opcmizacon
![Page 14: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/14.jpg)
14
App spec
Lib specs
Hardware specs
Core Math TPM Driver Net Driver
UDP/IP Datatypes RSA
Ethernet BigNum SHA-‐256
Std. Lib App Common
App
Late launch IOMMU Segments GC Device
IO
Architecture
Verve++ [PLDI’10]
Trusted Spec Implementacon
Hardware SoEware
6971 LoC 1750 LoC 1796 LoC
SW Impl : Spec = 3.9 : 1
41,566 instruccons 23.1 : 1
![Page 15: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/15.jpg)
Ironclad Apps
15
Insert datum
Query
Database
Privacy budget
Key pair
Password Protector Notary
Trusted Incrementer Differencally Private DB
password 123456 12345678 abc123 monkey qwerty
letmein dragon 111111 baseball iloveyou trustno1
0373 0027
1288 9823
![Page 16: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/16.jpg)
16
Hardware specs
Core Math TPM Driver Net Driver
UDP/IP Datatypes RSA
Ethernet BigNum SHA-‐256
Std. Lib App Common
App
Late launch IOMMU Segments GC Device
IO
Key Challenge: Specifying security
How do we write a formal, useful, security specifica3on for a full stack of soDware?
App spec
???
![Page 17: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/17.jpg)
Specifying the DiffPriv DB
17
datatype DiffPrivState( keys:RSA, budget:real, db:seq<Row>
)
predicate Transition(old_state:DiffPrivState, new_state:DiffPrivState, request:Request, reply:Reply)
{ match request ... case Query => request.spend < old_state.budget
&& new_state.budget == old_state.budget -‐ request.spend
&& reply.answer == RunQuery(request.query, old_state.db) + ComputeNoise(request.spend) && ...
App spec
![Page 18: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/18.jpg)
18
Hardware specs
Core Math TPM Driver Net Driver
UDP/IP Datatypes RSA
Ethernet BigNum SHA-‐256
Std. Lib App Common
App
Late launch IOMMU Segments GC Device
IO
Key Challenge: Specifying security
How do we write a formal, useful, security specifica3on for a full stack of soDware?
App spec
procedure instr_Add(..., x:reg, y:reg) ensures x := (x + y) % 0x100000000;
...
type core = core(regs:[int]int, eip:int, ..., segments, paging, ...); type machine = machine(cores:[int]core, mem:[int]int, io:IOState);
???
![Page 19: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/19.jpg)
19
procedure instr_inb(..., x:reg)
procedure instr_outb(..., x:reg)
push ebp mov ebp, esp sub esp, 4 mov eax, 8
requires ????
F( ) all possible inputs
all permi,ed
output words
Connec3ng the app to the hardware
![Page 20: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/20.jpg)
20
procedure instr_inb(..., x:reg)
procedure instr_outb(..., x:reg)
push ebp mov ebp, esp sub esp, 4 mov eax, 8
requires public(x);
ensures public(x);
Key idea State-‐machine-‐based relaconal verificacon
Declassifier
Connec3ng the app to the hardware
public_request reply
public_reply Guarantee System’s output is indiscnguishable from that of the abstract app
![Page 21: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/21.jpg)
Evalua3on ques3ons
21
• How does verificacon affect development?
• How does verificacon affect performance?
![Page 22: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/22.jpg)
Eval: Developer experience • Rapid feedback via aggressive caching:
─ Method-‐level via Dafny’s IDE plugins ─ File-‐level via new Dafny include feature ─ Cloud-‐aided verificacon
22
Azure
Cache of verificacon results
Verificacon job scheduling Full Build
Sequencal: 30+ hours Cloud: 8 minutes
![Page 23: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/23.jpg)
23
Core Math TPM Driver Net Driver
UDP/IP Datatypes RSA Ethernet BigNum SHA-‐256
Std. Lib App Common
App
Late launch IOMMU Segments GC Device
IO ü ü ü ü ü ü ü ü ü ü ü ü ü ü ü ü 1st Version: Secure,
but non-‐funcconal
Verified soDware works!
Eval: Developer experience
![Page 24: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/24.jpg)
24
0 2 4 6 8 10 12 14 16
OS
TPM Driver
Network Driver
UDP/IP/Ethernet
Std. Lib (bytes, words, arrays)
Math Lib
BigInt Lib
Crypto (SHA, HMAC, RSA)
Apps Average 4.8 : 1
Proof hints : Implementacon LoC
Previously > 25 : 1
Eval: Proof burden ~3 person-‐years
Previously 22+ pys
Raco
![Page 25: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/25.jpg)
1
10
100
1000
10000
100000
1000000
ms
RSA private (1024)
0 10 20 30 40 50 60 70 80 90
ns/B
SHA-‐256
Eval: Performance
Cut by 84%
Within 30% of OpenSSL
Improved by 32,000x
Only 5.6x to go…
![Page 26: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/26.jpg)
The Ironclad Project
26
Crypto Algorithms
*** TLS
X.509
HTTPS
RSA SHA ECDH
Network buffers
4Q
ASN.1
Everest HTTPS Ironclad Apps
App
Lib
Hardware specs
Math TPM Driver Net Driver
UDP/IP Datatypes RSA Ethernet BigNum SHA-‐256
Std. Lib Common
App
Late launch IOMMU Segs GC
Device IO
[OSDI 2014] IronFleet [SOSP 2015]
![Page 27: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/27.jpg)
IronFleet: Proving Pracccal Distributed Systems Correct [SOSP 2015]
![Page 28: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/28.jpg)
28
“not one of the properces claimed invariant in [PODC] is actually true of it.”
[Mickens 2013]
[Zave 2015]
![Page 29: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/29.jpg)
[SOSP 2015]
29
We show how to build complex, efficient distributed systems whose implementa9ons
are provably safe and live.
Implementacons are correct, not just abstract protocols
Proofs are machine-‐checked System will make progress given sufficient cme, e.g., it cannot deadlock or livelock
Proof is subject to assumpcons, not absolute
Spec
IronFleet
System will not take incorrect accons
![Page 30: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/30.jpg)
Paxos
30
A B
C
IronRSL Replicated state library
IronKV Sharded key-‐value store
Complex with many features: • state transfer • log truncacon • dynamic view-‐change cmeouts • batching • reply cache
Our verified distributed systems
![Page 31: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/31.jpg)
Running example: IronRSL replicated state library
31
Paxos
A B
C
Safety property: Equivalence to single machine
Liveness property: Clients eventually get replies
![Page 32: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/32.jpg)
32
Verificacon rules out all bugs by construccon
Race condicons Invariant violacons
Integer overflow Deadlock Livelock
Parsing errors Marshalling errors
Buffer overflow ...
![Page 33: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/33.jpg)
Background: Refinement
33
Spec
Implementacon
S0 S1 S2 S3 S4 S5 S6 S7
I0 I1 I2 I3 I4
[Milner 1971, Park 1981, Lamport 1983, Lynch 1983, ...]
method Main()
![Page 34: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/34.jpg)
function SpecRelation(realPackets:set<Packet>, s:SpecState) : bool { forall p, i :: p in realPackets && p.msg == MarshallCounterVal(i) ==> i <= s }
Specificacon is a simple, logically centralized state machine
34
function SpecNext(s:SpecState, s’:SpecState) : bool { s’ == s + 1 }
function SpecInit(s:SpecState) : bool { s == 0 }
type SpecState = int
![Page 35: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/35.jpg)
Implementacon
35
method Main() { var s:ImplState; s := ImplInit(); while (true) { s := EventHandler(s); } }
Host implementacon is a single-‐threaded event-‐handler loop
![Page 36: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/36.jpg)
Proving correctness is hard
36
Subtleces of distributed protocols
Complexices of implementacon
Maintaining global invariants
Ensuring progress
Dealing with hosts accng concurrently
Using efficient data structures
Memory management
Avoiding integer overflow
![Page 37: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/37.jpg)
Two-‐level refinement
37
I0 I1 I2 I3 I4
Implementacon
Spec
S0 S1 S2 S3 S4 S5 S6 S7
P0 P1 P2 P3 P4
Distributed System
![Page 38: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/38.jpg)
Distributed System Layer
38
Implementacon
Refines
function ProtocolNext(s:HostState, s’:HostState) : bool
method EventHandler(s:HostState) returns (s’:HostState)
array<uint64>
seq<int>
type Message = MessageRequest() | MessageReply() | ...
type Packet = array<byte>
Abstract Host
![Page 39: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/39.jpg)
Distributed System Layer
39
Spec
Implementacon Abstract Host
Distributed System Model
Refines Is Part Of
Refines
![Page 40: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/40.jpg)
Concurrency containment strategy
40
R C R S C S R C C S S
R C S S R C C S R C S Host A, Step 1 Host B, Step 1 Host A Step 2
Ideal World
Real World
![Page 41: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/41.jpg)
Concurrency containment strategy
41
R C R S C S R C C S S R C R S C S R C C S S
R C S S R C C S R C S Host A, Step 1 Host B, Step 1 Host A Step 2
Ideal World
Real World
Reduccon obligacon: Step ≜ R*C*S*
![Page 42: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/42.jpg)
Evaluacon quescons
42
• How does verificacon affect development?
• How does verificacon affect performance?
![Page 43: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/43.jpg)
0
2000
4000
6000
8000
10000
12000
14000
16000
18000
20000
Spec Impl Proof Spec Impl Proof Spec Impl Proof
Lines of
code
Safety
Liveness
43
Common Libraries IronRSL IronKV
Funcconal IronFleet: 3.5:1 Ironclad: 4.8:1 seL4: 25.7:1
Funcconal DS Safety IronFleet: 3.5:1 5.4:1 Ironclad: 4.8:1 -‐-‐-‐ seL4: 25.7:1 -‐-‐-‐
Funcconal DS Safety DS Live IronFleet: 3.5:1 5.4:1 7.8:1 Ironclad: 4.8:1 -‐-‐-‐ -‐-‐-‐ seL4: 25.7:1 -‐-‐-‐ -‐-‐-‐
Funcconal DS Safety DS Live IronFleet: 3.5:1 5.4:1 7.8:1 Ironclad: 4.8:1 -‐-‐-‐ -‐-‐-‐ seL4: 25.7:1 -‐-‐-‐ -‐-‐-‐ Verdi: 94.0:1
Developer experience: Proof burden
![Page 44: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/44.jpg)
IronRSL performance
44
0
5000
10000
15000
20000
25000
30000
35000
40000
45000
With batching Without batching
Maximum throughput (req/s)
IronRSL Baseline (EPaxos's Mulcpaxos)
• Challenges reasoning about the heap
• Each opcmizacon requires a proof
We trade some performance for strong correctness, but no fundamental reason verified code should be slower
Adding batching (~2 person-‐months) improved performance by 5x
![Page 45: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/45.jpg)
0
5000
10000
15000
20000
25000
30000
35000
40000
128 B 1 KB 8 KB 128 B 1 KB 8 KB
Throughput (req/s)
IronKV Redis
IronKV performance
45
Max throughput: 28,800 req/sec
Get Set
Value Size
Throughput up to 75% of Redis
![Page 46: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/46.jpg)
The Ironclad Project
46
Crypto Algorithms
*** TLS
X.509
HTTPS
RSA SHA ECDH
Network buffers
4Q
ASN.1
Everest HTTPS Ironclad Apps
App
Lib
Hardware specs
Math TPM Driver Net Driver
UDP/IP Datatypes RSA Ethernet BigNum SHA-‐256
Std. Lib Common
App
Late launch IOMMU Segs GC
Device IO
[OSDI 2014] IronFleet [SOSP 2015]
![Page 47: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/47.jpg)
47
The HTTPS Ecosystem is criccal
• Most widely deployed security protocol? – 40% all Internet traffic (+40%/year)
• Web, cloud, email, VoIP, 802.1x, VPNs, …
Services & Applicacons
Servers Clients cURL WebKit IIS Apache Skype Nginx Edge
HTTPS Ecosystem
![Page 48: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/48.jpg)
48
The HTTPS Ecosystem is complex
***
TLS
X.509
HTTPS
RSA SHA ECDH
Network buffers
Untrusted network (TCP, UDP, …)
Crypto Algorithms 4Q
Services & Applicacons
ASN.1
Servers Clients cURL WebKit IIS Apache Skype Nginx Edge
Cercficacon Authority
![Page 49: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/49.jpg)
49
The HTTPS Ecosystem is buggy • 20 years of a,acks & fixes Buffer overflows Memory management Incorrect state machines Lax cercficate parsing Weakly or badly implemented crypto Side channels Error-‐inducing APIs Flawed standards …
• Many implementacons OpenSSL, Schannel, NSS, …
S9ll patched every month! ***
TLS
X.509
HTTPS
RSA SHA ECDH
Network buffers
Untrusted network (TCP, UDP, …)
Crypto Algorithms 4Q
Services & Applicacons
ASN.1 Cercficacon Authority
Servers Clients cURL WebKit IIS Apache Skype Nginx Edge
![Page 50: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/50.jpg)
Unsolved AOacks against HTTPS
2006 2007 2008 2009 2010 2011 2012 2013 2014 2015
SSL Stripping (Marlinspike)
Cookie-‐based AVacks (various variants)
CRIME / BREACH (Rizzo, Duong et al.)
Virtual Host Confusion (Delignat-‐Lavaud)
TLS is opconal in HTTP and can be disabled by an accve a,acker
Shared cookie database for HTTP and HTTPS can be used to mount various session fixacon and login CSRF a,acks.
A,ackers can easily mount adapcve chosen-‐plaintext a,acks. Encrypcon aher compression can leak secrets through length.
HTTPS servers do not correlate transport-‐layer and HTTP idencces, leading to origin confusion
Micgated by correct use of HTTP Strict Transport Security (HSTS)
Micgated by new binding proposals (ChannelID, Token Binding). Micgacon is not widely implemented.
Micgated by refreshing secrets (e.g. CSRF tokens). Some protocol-‐specific micgacons (QUICK, HTTP2)
Micgated by configuracon of HTTPS servers with strict host rules
Micgacon is not widely used and vulnerability is scll widespread in praccce.
Extremely difficult to micgate in all browsers with current technologies. Can be used to a,ack almost every website.
Ad-‐hoc micgacon; a,ack is scll widespread in praccce as HTTP compression remains popular.
Ad-‐hoc micgacon; a,ack is scll widespread in praccce.
![Page 51: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/51.jpg)
Crypto failures
2007 2008 2009 2010 2011 2012 2013 2014 2015 2016
Protocol weaknesses
Implementation bugs
EarlyCCS
Heartbleed
POODLE
Triple Handshake
SKIP
FREAK
Logjam
SLOTH DROWN
Renegotiation Attack
ECDHE Cross-protocol Attack BEAST
(Rogaway 02) Lucky13
RC4 MD5
OpenSSL entropy
CRIME
RSA 512 bit SHA1
High-‐Profile TLS AOacks
![Page 52: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/52.jpg)
Crypto failures
A Timeline of Recent PKI Failures
2006 2007 2008 2009 2010 2011 2012 2013 2014 2015
HashClash rogue CA
(MD5 collision) Stevens et al.
Flame malware NSA/GCHQ attack
against Windows CA Bleichenbacher’s e=3 attack on
PKCS#1 signatures
512 bit Korean School CAs
BERSerk
DigiNotar hack
Usage-unrestricted VeriSign certificates
ANSSI
Comodo hack Trustwave VeriSign
NetDiscovery
Debian OpenSSL entropy bug
Basic constraints not enforced (recurring catastrophic bug)
OpenSSL null prefix
The SHAppening
DROWN KeyUsag
e
Name constraints failures
VeriSign hack
OpenSSL CVE-2015-17
93
GnuTLS X509v1
Formatting & semantics
CA failures
TÜRKTRUST
![Page 53: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/53.jpg)
Side Channel Challenge (AOacks)
2000 … 2006 2007 2008 2009 2010 2011 2012 2013 2014
Protocol-‐level side channels
Traffic analysis Timing aVacks against cryptographic primi-ves
Memory & Cache
TLS messages may reveal informacon about the internal protocol state or the applicacon data
Combined analysis of the cme and length distribucons of packets leaks informacon about the applicacon
A remote a,acker may learn informacon about crypto secrets by cming execucon cme for various inputs
Memory access pa,erns may expose secrets, in parccular because caching may expose sensicve data (e.g. by cming)
• Hello message contents (e.g. cme in nonces, SNI)
• Alerts (e.g. decrypcon vs. padding alerts)
• Record headers
• CRIME/BREACH (adapcve chosen plaintext a,ack)
• User tracking • Auto-‐complete input theh
• Bleichenbacher a,acks against PKCS#1 decrypcon and signatures
• Timing a,acks against RC4 (Lucky 13)
• OpenSSL key recovery in virtual machines
• Cache cming a,acks against AES
AES cache cming
Bleichenbacher
CRIME Lucky13 DROWN Remote cming
a,acks are pracccal
BREACH
Tag size
Side-‐channel leaks in Web applicacons
ECDSA cming
Vaudenay
![Page 54: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/54.jpg)
Everest: Deploying Verified-‐Secure Implementa;ons in the HTTPS Ecosystem
![Page 55: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/55.jpg)
55
Everest Goals • Fully verified replacement
• Widespread deployment
• Trustworthy, usable tools
***
TLS
X.509
HTTPS
RSA SHA ECDH
Network buffers
Untrusted network (TCP, UDP, …)
Crypto Algorithms 4Q
Services & Applicacons
ASN.1 Cercficacon Authority
Servers Clients cURL WebKit IIS Apache Skype Nginx Edge
$ apt-‐get install verified_https $ /etc/init.d/apache2 restart
![Page 56: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/56.jpg)
Research Quescons • How do we decide whether new protocols are secure?
– Especially when interoperacng with insecure protocols
• Can we make verified systems as fast as unverified?
• How do we handle advanced threats? – Ex: Side channels
• Why should we trust automated verificacon tools?
• How can verificacon be more accessible? – Especially to non-‐experts in verificacon
56
![Page 57: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/57.jpg)
Summary • Ironclad Apps guarantee end-‐to-‐end security to remote parces: Every instruccon meets the app’s security spec
• IronFleet extends these techniques to prove the safety and liveness of distributed systems
• Everest will showcase the power of verificacon and its applicability to real-‐world security problems
• Verificacon of systems code is possible, and we’re scaling it to even larger more complex systems
57
h,ps://github.com/Microsoh/Ironclad
Thank you! [email protected]
![Page 58: Formal’Verifica-on’of’Cloud’Services’garth/15719/lectures/15719-S17-verification-parn… · 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 Spec& Impl& Proof&](https://reader034.fdocuments.us/reader034/viewer/2022042912/5f466e327d43cf130c0a8ef2/html5/thumbnails/58.jpg)
58