TRANSCRIPT
Building Provably Secure Systems
Bryan Parno
Associate Professor, CSD & ECE
The Ironclad Project: Full Verification of Complex Systems

Ironclad Apps [OSDI 2014]
[Diagram: a verified stack from the application down to the hardware specs]
  App
  Lib: Math, TPM Driver, Net Driver, UDP/IP, Datatypes, RSA, Ethernet, BigNum, SHA-256, Std. Lib, Common, Latelaunch, IOMMU, Segs, GC, Device IO
  Hardware specs

IronFleet [SOSP 2015]

Everest HTTPS
[Diagram: Crypto Algorithms (RSA, SHA, ECDH, 4Q), TLS, X.509, ASN.1, HTTPS, Network buffers]
[OSDI 2014]
Ironclad Apps: End-to-End Security via Automated Full-System Verification

Online and Mobile Security
• Chase Online, the Chase Mobile app and the Chase Mobile website use Secure Socket Layer (SSL) technology
…
• We periodically review our operations and business practices to make sure they comply with the corporate policies and procedures we follow to protect confidential information
An Ironclad app guarantees to remote parties that every instruction it executes adheres to a high-level security spec.
  "My password will never leak"
  "My personal data will not be misused"
Our formal, end-to-end guarantee
• End-to-end secure communication with provably secure assembly code
• Implies:
  – No buffer overflows
  – No code injection
  – No type-safety flaws
  – No information disclosures
  – No crypto impl flaws
1st Version: Secure, but non-functional

Ironclad Apps
• Password Protector
  [Slide shows a list of common weak passwords: password, 123456, 12345678, abc123, monkey, qwerty, letmein, dragon, 111111, baseball, iloveyou, trustno1]
• Notary
• Trusted Incrementer
  [Slide shows counter values: 0373, 0027, 1288, 9823]
• Differentially Private DB
  [Slide shows its components: Insert datum, Query, Database, Privacy budget, Key pair]
The Ironclad Project: Everest HTTPS
[Diagram: Crypto Algorithms (RSA, SHA, ECDH, 4Q), TLS, X.509, ASN.1, HTTPS, Network buffers]
The HTTPS Ecosystem is critical
• Most widely deployed security protocol?
  – 40% of all Internet traffic (+40%/year)
• Web, cloud, IoT, email, VoIP, 802.1x, VPNs, …
[Diagram: HTTPS Ecosystem: Services & Applications; Clients (cURL, WebKit, Skype, Edge) and Servers (IIS, Apache, Nginx)]
The HTTPS Ecosystem is complex
[Diagram: Services & Applications; Clients (cURL, WebKit, Skype, Edge) and Servers (IIS, Apache, Nginx); HTTPS over TLS, with X.509 certificates and ASN.1 parsing, built on Crypto Algorithms (RSA, SHA, ECDH, 4Q); Network buffers; Untrusted network (TCP, UDP, …); Certification Authority]
The HTTPS Ecosystem is buggy
• 20 years of attacks & fixes
  – Buffer overflows
  – Memory management
  – Incorrect state machines
  – Lax certificate parsing
  – Weakly or badly implemented crypto
  – Side channels
  – Error-inducing APIs
  – Flawed standards
  – …
• Many implementations: OpenSSL, Schannel, NSS, …
• Still patched every month!
Everest:
Deploying Verified-Secure Implementations in the HTTPS Ecosystem

Everest Goals
• Fully verified replacement for the stack in the diagram (Crypto Algorithms, TLS, X.509, ASN.1, HTTPS, Network buffers)
• Widespread deployment
    $ apt-get install verified_https
    $ /etc/init.d/apache2 restart
• Trustworthy, usable tools
Research Questions
• How do we decide whether new protocols are secure?
  – Especially when interoperating with insecure protocols
• Can we make verified systems as fast as unverified ones?
• How do we handle advanced threats?
  – Ex: Side channels
• Why should we trust automated verification tools?
• How can verification be more accessible?
  – Especially to non-experts in verification
Verified Crypto
[Diagram: the Crypto Algorithms layer (RSA, SHA, ECDH, 4Q) beneath TLS, X.509, ASN.1, HTTPS and Network buffers]
Why verify crypto?
• Bugs are real, and potentially devastating!
• 3 bugs in OpenSSL's Poly1305 this year!
  "These produce wrong results. The first example does so only on 32 bit, the other three also on 64 bit."
  "I believe this affects both the SSE2 and AVX2 code. It does seem to be dependent on this input pattern."
  "I'm probably going to write something to generate random inputs and stress all your other poly1305 code paths against a reference implementation."
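The last quote describes differential testing: run an optimized implementation and a reference side by side on structured inputs and flag any disagreement. The following is an added example, not OpenSSL, HACL* or Vale code, of what that harness looks like for Poly1305. The reference is the textbook big-integer definition; the second implementation keeps the accumulator and key as five 26-bit limbs with explicit carry propagation, which is the layout typical 32-bit Poly1305 code uses and where the carry bugs live (the radix choice is an assumption for illustration; the final modular reduction is left to Python's big integers). The patterned inputs (runs of 0xff and 0x00, all-ones keys) are constructed here to exercise the carry paths.

```python
"""Differential test: Poly1305 limb implementation vs. big-integer reference.
Added example (not OpenSSL/HACL*/Vale code)."""
import random

P = (1 << 130) - 5
MASK26 = (1 << 26) - 1
MASK128 = (1 << 128) - 1

def _clamp(r):
    return r & 0x0ffffffc0ffffffc0ffffffc0fffffff

def _blocks(msg):
    """Yield each 16-byte block as an integer with the 2^(8*len) pad bit set."""
    for off in range(0, len(msg), 16):
        block = msg[off:off + 16]
        yield int.from_bytes(block, "little") | (1 << (8 * len(block)))

def poly1305_reference(key, msg):
    """Textbook Poly1305 (RFC 8439): h = (h + m_i) * r mod 2^130-5, tag = (h + s) mod 2^128."""
    r = _clamp(int.from_bytes(key[:16], "little"))
    s = int.from_bytes(key[16:32], "little")
    h = 0
    for n in _blocks(msg):
        h = ((h + n) * r) % P
    return ((h + s) & MASK128).to_bytes(16, "little")

def _limbs(x):
    return [(x >> (26 * i)) & MASK26 for i in range(5)]

def poly1305_limbs(key, msg):
    """Same MAC with h and r as five 26-bit limbs and explicit carries
    (assumed radix 2^26 layout); the part of real code where bugs hide."""
    r = _limbs(_clamp(int.from_bytes(key[:16], "little")))
    s = int.from_bytes(key[16:32], "little")
    r5 = [5 * x for x in r]          # 2^130 == 5 (mod P) folds products at or above 2^130
    h = [0] * 5
    for n in _blocks(msg):
        h = [a + b for a, b in zip(h, _limbs(n))]
        d = [0] * 5
        for i in range(5):
            for j in range(5):
                if i + j < 5:
                    d[i + j] += h[i] * r[j]
                else:
                    d[i + j - 5] += h[i] * r5[j]
        carry = 0
        for k in range(5):            # propagate carries limb to limb
            d[k] += carry
            carry = d[k] >> 26
            d[k] &= MASK26
        d[0] += carry * 5             # carry out of limb 4 wraps around times 5
        d[1] += d[0] >> 26
        d[0] &= MASK26
        h = d
    h_int = sum(limb << (26 * i) for i, limb in enumerate(h)) % P
    return ((h_int + s) & MASK128).to_bytes(16, "little")

def patterned_message(rng):
    """Constructed inputs shaped to hit carry paths: runs of 0xff, zeros, random, mixed."""
    kind = rng.choice(["ff", "00", "rand", "mixed"])
    n = rng.randrange(0, 80)
    if kind == "ff":
        return b"\xff" * n
    if kind == "00":
        return b"\x00" * n
    if kind == "rand":
        return bytes(rng.randrange(256) for _ in range(n))
    runs = [rng.choice([b"\xff", b"\x00", b"\x80"]) * rng.randrange(1, 17) for _ in range(4)]
    return b"".join(runs)[:n]

def differential_fuzz(iterations=300, seed=1):
    """Number of (key, msg) pairs on which the two implementations disagree."""
    rng = random.Random(seed)
    mismatches = 0
    for _ in range(iterations):
        key = bytes(rng.choice([0x00, 0xff, rng.randrange(256)]) for _ in range(32))
        msg = patterned_message(rng)
        if poly1305_reference(key, msg) != poly1305_limbs(key, msg):
            mismatches += 1
    return mismatches

# RFC 8439 section 2.5.2 test vector, to anchor the reference itself
RFC_KEY = bytes.fromhex("85d6be7857556d337f4452fe42d506a80103808afb0db2fd4abff6af4149f51b")
RFC_MSG = b"Cryptographic Forum Research Group"
RFC_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")

if __name__ == "__main__":
    assert poly1305_reference(RFC_KEY, RFC_MSG) == RFC_TAG
    print("mismatches:", differential_fuzz())
```

A reference alone only tells you the optimized code is wrong, not where; the value of the harness is that the limb version is small enough to read, so a mismatch on, say, a run of 0xff blocks points straight at the carry step. Verification goes one step further and proves the limb code equal to the reference for every input rather than for the inputs the generator happened to produce.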
Current State of the Art: OpenSSL
• Hand-written mix of Perl and assembly
• Customized for 50+ hardware platforms
• Why? Performance!
Vale: extensible, automated assembly language verification

Trusted Computing Base: the machine model (written in Dafny/F*/Lean) and the crypto spec.

  Machine model
    instructions:
      type reg = r0 | r1 | ...
      type ins = Mov(dst:reg, src:reg) | Add(dst:reg, src:reg) | Neg(dst:reg) | …
    semantics:
      eval(Mov(dst, src), …) = …
      eval(Add(dst, src), …) = …
      eval(Neg(dst), …) = …
    code generation:
      print(Mov(dst, src), …) = "mov " + (…dst) + (…src)
      print(Add(dst, src), …) = …

  Crypto spec (example):
      mem[eax] == SHA(mem[ebx])

Vale code (outside the TCB: checked against the machine model)
  machine interface:
      procedure mov(…) requires … ensures … { … }
      procedure add(…) …
  program:
      procedure quadruple(…)
        requires 0 <= r0 < 2^30;
        ensures r1 == r0 * 4;
      {
        mov(r1, r0);
        add(r1, r0);
        add(r1, r1);
      }

  Vale emits the program [Mov(r1, r0), Add(r1, r0), Add(r1, r1)] together with its code proof: lemma_mov(…); lemma_add(…); lemma_add(…);
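To make the division of trust on the slide concrete, here is an added example (not Vale code) that models it in Python: the trusted part is the instruction syntax, the semantics and the printer; the untrusted part is the quadruple program and its contract. Vale discharges the contract through Dafny/F* lemmas (lemma_mov, lemma_add); in this example a small abstract interpretation over the domain "k * r0" stands in for that lemma chain, and a concrete run of the printed program is kept only as a sanity check. The 32-bit register width is an assumption; the slide does not fix one.

```python
"""Toy model of the Vale picture: trusted machine model, untrusted program + contract.
Added example, not Vale code."""
from dataclasses import dataclass
import random

WORD = 1 << 32          # assumed 32-bit registers

# ---- Trusted machine model: syntax, semantics, printer ---------------------
@dataclass(frozen=True)
class Mov:
    dst: str
    src: str

@dataclass(frozen=True)
class Add:
    dst: str
    src: str

@dataclass(frozen=True)
class Neg:
    dst: str

def eval_ins(ins, regs):
    """Semantics of one instruction over a register file, with modular wraparound."""
    regs = dict(regs)
    if isinstance(ins, Mov):
        regs[ins.dst] = regs[ins.src]
    elif isinstance(ins, Add):
        regs[ins.dst] = (regs[ins.dst] + regs[ins.src]) % WORD
    elif isinstance(ins, Neg):
        regs[ins.dst] = (-regs[ins.dst]) % WORD
    else:
        raise TypeError(f"unknown instruction {ins!r}")
    return regs

def eval_prog(prog, regs):
    for ins in prog:
        regs = eval_ins(ins, regs)
    return regs

def print_ins(ins):
    """Code generation; the printer is trusted, so it is kept trivially simple."""
    if isinstance(ins, Neg):
        return f"neg {ins.dst}"
    return f"{type(ins).__name__.lower()} {ins.dst}, {ins.src}"

def print_prog(prog):
    return "\n".join(print_ins(i) for i in prog)

# ---- Untrusted program and its contract (the procedure on the slide) -------
QUADRUPLE = [Mov("r1", "r0"), Add("r1", "r0"), Add("r1", "r1")]
PRE_BOUND = 1 << 30     # requires 0 <= r0 < 2^30

def quadruple_pre(regs):
    return 0 <= regs["r0"] < PRE_BOUND

def quadruple_post(before, after):
    return after["r1"] == before["r0"] * 4   # ensures r1 == r0 * 4

def symbolic_check(prog, pre_bound):
    """Stand-in for the lemma chain: each register is tracked as k * r0 for a
    known k, given 0 <= r0 < pre_bound.  An Add is accepted only if its result
    provably fits in a word.  A register with unknown contents, or a Neg, is
    outside this domain and fails the proof.  Returns the coefficient table,
    or None when the proof fails."""
    coeff = {"r0": 1}
    for ins in prog:
        if isinstance(ins, Mov):
            if ins.src not in coeff:
                return None
            coeff[ins.dst] = coeff[ins.src]
        elif isinstance(ins, Add):
            if ins.dst not in coeff or ins.src not in coeff:
                return None
            k = coeff[ins.dst] + coeff[ins.src]
            if k * (pre_bound - 1) >= WORD:     # could wrap: no lemma_add applies
                return None
            coeff[ins.dst] = k
        else:
            return None
    return coeff

def concrete_check(prog, pre, post, seed=0, samples=1000):
    """Sanity check only: run the program under the trusted semantics on
    boundary and random inputs satisfying the precondition."""
    rng = random.Random(seed)
    values = [0, 1, PRE_BOUND - 1] + [rng.randrange(PRE_BOUND) for _ in range(samples)]
    for v in values:
        before = {"r0": v, "r1": rng.randrange(WORD)}   # r1 starts with junk
        if pre(before) and not post(before, eval_prog(prog, before)):
            return False
    return True

def wrap_example():
    """Drop the precondition: r0 = 2^30 makes the last add wrap r1 to 0."""
    return eval_prog(QUADRUPLE, {"r0": PRE_BOUND, "r1": 0})["r1"]

if __name__ == "__main__":
    print(print_prog(QUADRUPLE))
    print("proof:", symbolic_check(QUADRUPLE, PRE_BOUND))
    print("proof without precondition:", symbolic_check(QUADRUPLE, WORD))
    print("concrete:", concrete_check(QUADRUPLE, quadruple_pre, quadruple_post))
    print("r1 when r0 = 2^30:", wrap_example())
```

Two things carry over from the toy to the real system. The precondition is exactly what makes the proof go through: widening it by one (pre_bound = 2^30 + 1) makes the last add fail the bound check, and the concrete run with r0 = 2^30 shows the wrap that the contract rules out. And everything a remote party must trust is in the first half of the file; the program and its proof can be replaced or regenerated without touching it.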
Crypto implementations

HACL*: High-Assurance Crypto Library
• ChaCha20: Stream cipher
• Poly1305: MAC
• Curve25519: Elliptic curve
• Verified, side-channel resistant BigIntegers
• Cryptographic construction: AEAD
  – Demonstrates concrete security definitions and crypto proofs

Vale crypto
• SHA-256 on ARM
  – Demonstrates flexibility necessary to match OpenSSL's performance
  – Uncovered leakage in OpenSSL
• SHA-256 on x86 and x64
  – Demonstrates platform agnosticism
  – Demonstrates spec and proof reuse
• AES-CBC on x86
  – Demonstrates advanced HW features
• Poly1305 on x64
  – Demonstrates mathematical specs

Caveat: Can't verify crypto assumptions!
Vale Performance
• At parity with OpenSSL!
• Caveats
  – Specific platforms
  – Missing OpenSSL's advanced modes
Summary
• Ironclad Apps guarantee end-to-end security to remote parties: Every instruction meets the app's security spec
• IronFleet extends these techniques to prove the safety and liveness of distributed systems
• Everest will showcase the power of verification and its applicability to real-world security problems
• Verification of systems code is possible, and we're scaling it to even larger, more complex systems

https://github.com/Microsoft/Ironclad

Thank you!