Exploring the Cryptol Toolset
Pedro Pereira, Ulisses Costa
Formal Methods in Software Engineering, April 30, 2009
(30 slides; uploaded by ulisses-costa on 21-Dec-2014, category: Technology)

DESCRIPTION

A view over the Cryptol toolset

TRANSCRIPT

Page 1: Exploring the Cryptol Toolset

Exploring the Cryptol Toolset

Pedro Pereira Ulisses Costa

Formal Methods in Software Engineering

April 30, 2009

Pedro Pereira, Ulisses Costa Exploring the Cryptol Toolset

Page 2: Exploring the Cryptol Toolset

Previously in last month’s Episode!

We had to

Learn the Cryptol language

Build a high-level specification of SNOW3G

We showed you

The language is a combination of arithmetic and sequence manipulation

Some of its wonderful features: infinite and recursive streams, polymorphism

The SNOW3G algorithm

A complete (and compact, and elegant!) specification of a stream cipher in Cryptol


Page 3: Exploring the Cryptol Toolset

This time

We had to

Derive an implementation from the specification

Generate (fast) C source code using Cryptol’s C-backend

Use the evaluation version ⇒ access to the complete toolset

We will show you

A user’s perspective of the toolset so far

Cryptol → C conversion

Safety + Theorems in Cryptol ⇒ Formal Methods Galore!


Page 4: Exploring the Cryptol Toolset

Cryptol Interpreter

The interpreter provides various environments; so far we've used three of them:

Bit mode: run Cryptol programs

C mode: generate C source code

Symbolic Bit-Vector (SBV) mode: apply formal methods


Page 5: Exploring the Cryptol Toolset

Bit Mode - useful commands

Usage: :set bit

Base display: :set base=N

Little/Big endianness: :set -B / :set +B


Page 6: Exploring the Cryptol Toolset

Base display

Example

Cryptol> [0 1 2 3]
[0x0 0x1 0x2 0x3]
Cryptol> :set base=10
Cryptol> [0 1 2 3]
[0 1 2 3]


Page 7: Exploring the Cryptol Toolset

Little/Big endianness

hexbyte.cry

HexByte : [4]Bit;

HexByte = [True False False False];

Example

Cryptol> :load hexbyte.cry
Loading "hexbyte.cry".. Checking types.. Processing.. Done!
hexbyte> :set base=2
hexbyte> HexByte
0b0001
hexbyte> :set +B
hexbyte> HexByte
0b1000

The sequence is the same in both cases: with the default little-endian setting (-B) the element at index 0 is the least significant bit, so [True False False False] prints as 0b0001; after :set +B index 0 is the most significant bit and the same sequence prints as 0b1000. Keep the setting in mind when comparing Cryptol output against test vectors written in one convention or the other.


Page 8: Exploring the Cryptol Toolset

C Mode - useful commands

Usage: :set C

Generation of source code: :compile <filename>

Out-of-bounds checking: :set +b

Specialize polymorphic definitions (automatically on): :set +S


Page 9: Exploring the Cryptol Toolset

Generation of source code

Cryptol → C conversion depends on:

Cryptol.h

Contains all the necessary prototypes, macros and a few standard C includes.

CryAlloc.o

Implements a custom memory allocator/deallocator for the Cryptol run-time.

CryPrim.o

Implements C equivalents of Cryptol's built-in functions.

CryStream.o

C library for representing/manipulating infinite streams.


Page 10: Exploring the Cryptol Toolset

Out-of-bounds checking

lookup.cry

lookup : ([4], [2]) -> Bit;

lookup(xs, i) = xs @ i;

lookup.c without bounds checking
...
lookup_res = GETBIT(xs_lookup, i_lookup);
...

lookup.c with bounds checking
...
lookup_res = GETBIT_CHECKED(xs_lookup, i_lookup, 0x3);
...

NB: It incurs a performance cost. The third argument, 0x3, is the largest valid index into a [4]. For lookup the index type [2] can only hold 0..3, so this check can never fire and the cost buys nothing (the :safe check in SBV mode, later, proves exactly that); the check matters for a definition such as lookup2, whose [3] index admits the out-of-range values 4..7.


Page 11: Exploring the Cryptol Toolset

Specialize polymorphic definitions I

size.cry

size : {a b c} (fin a, c >= 1) => [a]b -> [c];
size ss = ls ! 0
  where ls = [0] # [| (l+1) || l <- ls || s <- ss |];   // ls = [0 1 .. a]; its last element (ls ! 0) is the length

Example

size> :set C
size> :compile size.c

size.c

#include "Cryptol.h"
#include "size.h"

It’s empty!


Page 12: Exploring the Cryptol Toolset

Specialize polymorphic definitions II

Because

Cryptol generates monomorphic definitions ⇒ we must provide arguments

size.cry

size : {a b c} (fin a, c >= 1) => [a]b -> [c];
size ss = ls ! 0
  where ls = [0] # [| (l+1) || l <- ls || s <- ss |];

force_size = size [0 1 2 3 4];   // a monomorphic use: a = 5, so an instance size_5 gets generated


Page 13: Exploring the Cryptol Toolset

Generated size.c

size.c

#include "cryptol.h"
#include "size.h"

/* the literal [0 1 2 3 4] that force_size passes in */
static uint8 const [5] = {0x0, 0x1, 0x2, 0x3, 0x4};

/* size specialized at a = 5: the length is baked into the loop bound, so ss_size is never read */
uint8 size_5 (uint8* ss_size) {
  uint32 local4 = 0x0;
  uint8 local5 = 0x0;
  uint8 size_5_res = 0x0;
  uint8 local8 = 0x0;
  uint32* mrk = getAllocMark ();
  size_5_res = 0x0;
  for ( local4 = 0x0 ; local4 < 0x5 ; local4 += 0x1 ) {
    local8 = size_5_res + 0x1;
    local5 = local8 & 0x1f;   /* result truncated to 5 bits, the width chosen for [c] */
    size_5_res = local5;
  }
  freeUntil(mrk);
  return size_5_res;
}


Page 14: Exploring the Cryptol Toolset

Optimizing the C code?

We found out

Not much; the documentation didn't even address this specifically

Infinite streams take a heavy toll on performance (it figures... besides, an implementation isn't supposed to have these)

But!

A hand-made implementation wasn't much better

We aren't done with this yet; it's just that other stuff grabbed our attention


Page 15: Exploring the Cryptol Toolset

SBV Mode - useful commands

Usage: :set sbv

Safety checks: :safe <expression>

Quickcheck: :check <expression>

Theorem prover: :prove <expression>

Satisfiability: :sat <expression>


Page 16: Exploring the Cryptol Toolset

Safety checks

Statically catches

Index out-of-bounds;

Division/modulus by 0;

...and more!

Safe programs really don't crash: a definition that passes :safe cannot raise one of these run-time errors for any input of its (finite) type, because the check covers the whole input space rather than a random sample as :check does.


Page 17: Exploring the Cryptol Toolset

Safety checking I

lookup.cry

lookup : ([4], [2]) -> Bit;

lookup(xs, i) = xs @ i;

Example

lookup> :set sbv
lookup> :safe lookup
"lookup" is safe; no safety violations exist.


Page 18: Exploring the Cryptol Toolset

Safety checking II

lookup2.cry

lookup2 : ([4], [3]) -> Bit;

lookup2(xs, i) = xs @ i;

Example

lookup2> :safe lookup2
*** 1 safety condition to be checked.
*** Violation detected:
lookup (0, 4) = "lookup2.cry", line 2, col 20: index of 4 is out of bounds (valid range is 0 thru 3).
*** 1 problem found.


Page 19: Exploring the Cryptol Toolset

Safety checking III

lookup3.cry

lookup3 : ([4], [3]) -> Bit;

lookup3 (xs, i) = if i >= 3 then False else xs @ i;

Example

lookup3> :safe lookup3
*** 1 safety condition to be checked.
*** Verified safe.
*** All safety checks pass, safe to execute.

Note that the guard is stricter than it needs to be: valid indices are 0 thru 3, so i >= 3 also turns the legitimate index 3 into the default False. i >= 4 (equivalently i > 3) rejects exactly the out-of-range values 4..7 and still passes :safe. Also, :safe only says the definition cannot crash; it says nothing about whether silently returning False for a bad index is the behaviour the callers want.
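As an added example (not from the slides and not from the Cryptol distribution), here is a hand-written C model of the three lookup definitions with a bounds check in the spirit of GETBIT_CHECKED, plus a brute-force stand-in for :safe that enumerates every value the index type can take. The names getbit_checked, count_index_violations, count_lookup3_mismatches and the bit layout (a [4] held in the low four bits of a uint8_t, element 0 at the least significant bit, following the default little-endian setting) are this example's own assumptions.

```c
/* Added example: a C model of lookup / lookup2 / lookup3 with a bounds check,
 * and a brute-force safety check over every value the index type can hold.
 * Assumptions (not from the slides): a Cryptol [4] lives in the low 4 bits of a
 * uint8_t and, as in the default little-endian setting, element i is bit i
 * counted from the least significant bit. */
#include <stdint.h>
#include <stdio.h>

#define SEQ_BITS 4u                 /* xs : [4] */

/* Unchecked lookup, in the spirit of GETBIT: an out-of-range i silently reads
 * a bit that is not part of the sequence (and for very large i the shift is
 * undefined behaviour in C). */
static int getbit_unchecked(uint8_t xs, unsigned i)
{
    return (xs >> i) & 1u;
}

/* Checked lookup, in the spirit of GETBIT_CHECKED(xs, i, max_index): returns 0
 * and stores the bit in *out, or returns -1 and leaves *out alone on a violation. */
static int getbit_checked(uint8_t xs, unsigned i, unsigned max_index, int *out)
{
    if (i > max_index)
        return -1;
    *out = (xs >> i) & 1u;
    return 0;
}

/* Brute-force analogue of :safe for lookup/lookup2: try every value an index of
 * `index_bits` bits can take and count the bounds violations. 0 means no input
 * can trip the check, i.e. the check is dead code for that index type. */
static unsigned count_index_violations(unsigned index_bits)
{
    unsigned violations = 0;
    for (unsigned i = 0; i < (1u << index_bits); i++) {
        int bit;
        if (getbit_checked(0, i, SEQ_BITS - 1, &bit) != 0)
            violations++;
    }
    return violations;
}

/* lookup3 exactly as on the slide: guard i >= 3, default False. */
static int lookup3(uint8_t xs, unsigned i)
{
    return (i >= 3) ? 0 : getbit_unchecked(xs, i);
}

/* Reference: a total lookup that answers correctly on every in-range index. */
static int lookup_total(uint8_t xs, unsigned i)
{
    int bit = 0;
    (void)getbit_checked(xs, i, SEQ_BITS - 1, &bit);
    return bit;
}

/* Count (xs, i) pairs with i in range where lookup3 disagrees with the reference:
 * the guard i >= 3 also rejects the valid index 3, so every xs with bit 3 set is
 * answered wrongly at i = 3 (8 of the 16 possible xs values). */
static unsigned count_lookup3_mismatches(void)
{
    unsigned mismatches = 0;
    for (unsigned xs = 0; xs < (1u << SEQ_BITS); xs++)
        for (unsigned i = 0; i < SEQ_BITS; i++)
            if (lookup3((uint8_t)xs, i) != lookup_total((uint8_t)xs, i))
                mismatches++;
    return mismatches;
}

int main(void)
{
    printf("[2] index: %u violations (the check never fires)\n", count_index_violations(2));
    printf("[3] index: %u violations (i = 4..7)\n", count_index_violations(3));
    printf("lookup3 disagrees with a total lookup on %u in-range inputs\n",
           count_lookup3_mismatches());
    return 0;
}
```

For a 2-bit index the violation count is 0, which is the brute-force version of the verdict ":safe lookup" gives; for a 3-bit index it is 4, the values 4..7, of which the SBV checker reported the first, lookup (0, 4). The last function makes the lookup3 catch concrete: for the eight values of xs with bit 3 set it returns False at i = 3 where the sequence holds True.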


Page 20: Exploring the Cryptol Toolset

Quickcheck

The :check command

Cryptol's implementation of QuickCheck

Randomly generates test cases and runs the property definitions (theorems) on them

Gives evidence for the validity of theorems, not a proof


Page 21: Exploring the Cryptol Toolset

Quickchecking theorems

Plaintext ⇔ Decrypt . Encrypt

theorem EncDec: {pt k i}. pt == decrypt(encrypt(pt, k, i), k, i);

Example

Cryptol> :set quickCheckCount=100
Cryptol> :load SNOW 3G v0.93.cry
Loading "SNOW 3G v0.93.cry".. Checking types.. Processing.. Done!
*** Auto quickchecking 1 theorems.
*** Checking "EncDec" ["SNOW 3G v0.93.cry", line 23, col 1]
Checking case 100 of 100 (100.00%)
100 tests passed OK
[Coverage: 0.00%. [(100/3940200619639447921227904010014...)]
SNOW 3G v0.93>


Page 22: Exploring the Cryptol Toolset

Test coverage

EncDec coverage

[Coverage: 0.00%. [(100/3940200619639447921227904010014...)]

The theorem's three variables pt, k and i are 128 bits each, so there are 2^(128+128+128) = 2^384 ≈ 3.94 × 10^115 different cases: the insane number above. 100 random tests cover a 100/2^384 fraction of them, which is why the coverage rounds to 0.00%; a property that fails on only a small fraction of its inputs would almost surely go unnoticed by :check, which is what :prove is for.


Page 23: Exploring the Cryptol Toolset

Theorems are boolean functions!

In First Order Logic

∀x. 2x = x + x

In Cryptol

double : [8] -> Bit;

theorem double: {x}. 2*x == x+x;

Example

double> :prove double
Q.E.D.

The :prove command

Shows a theorem is equivalent to the constant function that always returns True, i.e. it holds for every input of the declared type: here every 8-bit x, with arithmetic modulo 2^8, rather than the unbounded integers of the first-order statement above

Finds counter-examples otherwise


Page 24: Exploring the Cryptol Toolset

Counter-example

FG.cry

f, g : [8] -> [8];

f x = (x-1)*(x+1);

g x = x*x + 1;

theorem FG: {x}. f x == g x;

Example

FG> :prove FG
*** Proving "FG" ["FG.cry", line 5, col 1]
Falsifiable.
FG 0 = False


Page 25: Exploring the Cryptol Toolset

Satisfiability

Definition

Determining if the variables of a given Boolean formula can beassigned in such a way as to make the formula evaluate to True.

FH.cry

f, h : [8] -> [8];

f x = (x-1)*(x+1);

h x = x*x - 1;

theorem FH: {x}. f x == h x;

Example

FH> :sat FH
FH 0 = True

:sat reports a single satisfying input, here x = 0, the first one found; it says nothing about the other inputs. (f and h are in fact equal for every 8-bit x, since (x-1)(x+1) = x^2 - 1 also modulo 2^8, but establishing that is :prove's job.) Use :sat to ask whether some input has a property, :prove to ask whether all of them do.
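As an added example (not from the slides and not from the Cryptol distribution), the following C program does by brute force over the 8-bit domain what :prove, :sat and :check do symbolically or randomly, using the slides' own f, g, h and double theorems; uint8_t arithmetic wraps modulo 2^8 exactly as Cryptol's [8] does, so the verdicts match the transcripts above. It also puts numbers on the coverage remark from the EncDec run: the chance that 100 random draws miss a property with a single failing 8-bit input, and the 100/2^384 fraction. The function names prove, sat, check, miss_probability and coverage, and the extra theorem thm_succ_nonzero, are this example's own.

```c
/* Added example: :prove, :sat and :check done by brute force over [8].
 * uint8_t arithmetic wraps modulo 2^8, the same semantics the SBV back end
 * reasons about, so the verdicts agree with the slides' transcripts. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef int (*prop8_t)(uint8_t x);   /* a theorem is a Bit-valued function */

/* The definitions from FG.cry / FH.cry and the double theorem, in uint8_t. */
static uint8_t f(uint8_t x) { return (uint8_t)((x - 1) * (x + 1)); }
static uint8_t g(uint8_t x) { return (uint8_t)(x * x + 1); }
static uint8_t h(uint8_t x) { return (uint8_t)(x * x - 1); }

static int thm_FG(uint8_t x)     { return f(x) == g(x); }
static int thm_FH(uint8_t x)     { return f(x) == h(x); }
static int thm_double(uint8_t x) { return (uint8_t)(2 * x) == (uint8_t)(x + x); }
/* Extra theorem (this example's own): holds everywhere except x = 255,
 * the kind of needle a random :check is likely to miss. */
static int thm_succ_nonzero(uint8_t x) { return (uint8_t)(x + 1) != 0; }

/* :prove -- exhaustive over all 2^8 inputs. Returns -1 for Q.E.D., otherwise
 * the first counterexample (the transcript's "FG 0 = False" is x = 0). */
static int prove(prop8_t p)
{
    for (unsigned x = 0; x < 256; x++)
        if (!p((uint8_t)x))
            return (int)x;
    return -1;
}

/* :sat -- the first satisfying input, or -1 if no input satisfies p. */
static int sat(prop8_t p)
{
    for (unsigned x = 0; x < 256; x++)
        if (p((uint8_t)x))
            return (int)x;
    return -1;
}

/* :check -- n random inputs (quickCheckCount). Returns how many failed;
 * 0 means "n tests passed OK", which is not the same as "holds for all x". */
static unsigned check(prop8_t p, unsigned n, unsigned seed)
{
    unsigned failures = 0;
    srand(seed);
    for (unsigned k = 0; k < n; k++)
        if (!p((uint8_t)(rand() & 0xff)))
            failures++;
    return failures;
}

/* Probability that n uniform random draws from `domain` inputs never hit a
 * property's single failing input: (1 - 1/domain)^n. */
static double miss_probability(double domain, unsigned n)
{
    double p = 1.0, q = 1.0 - 1.0 / domain;
    for (unsigned k = 0; k < n; k++)
        p *= q;
    return p;
}

/* The slides' coverage figure: tests / 2^bits (EncDec: bits = 128+128+128). */
static double coverage(unsigned tests, unsigned bits)
{
    double domain = 1.0;
    for (unsigned k = 0; k < bits; k++)
        domain *= 2.0;
    return (double)tests / domain;
}

int main(void)
{
    printf("FG     : %s (x = %d)\n", prove(thm_FG) < 0 ? "Q.E.D." : "Falsifiable", prove(thm_FG));
    printf("FH     : sat at x = %d, prove -> %d\n", sat(thm_FH), prove(thm_FH));
    printf("double : prove -> %d\n", prove(thm_double));
    printf("x+1 != 0: %u failures in 100 random tests, prove -> %d\n",
           check(thm_succ_nonzero, 100, 2009), prove(thm_succ_nonzero));
    printf("P(100 random tests miss the one bad 8-bit input) = %.3f\n",
           miss_probability(256.0, 100));
    printf("EncDec coverage with 100 tests = %.3g\n", coverage(100, 384));
    return 0;
}
```

The exhaustive prove is affordable here because the domain has 256 elements; for EncDec it has 2^384, which is why the symbolic back end, not enumeration, is needed there. Even on this tiny domain, 100 random tests miss the single bad input of thm_succ_nonzero about 68% of the time, while prove reports it at once.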


Page 26: Exploring the Cryptol Toolset

Overview of the formal methods subset

Highs:

Fully automated ⇒ it’s a ”push button” package

If not automated, there’s manual ⇒ Isabelle/HOL translation(:isabelle)

Fast enough

Lows:

Doesn’t cover the entire Cryptol language:

Finiteness restriction ⇒ incapable of induction

Monomorphic restriction

First-order restriction (not really a problem, can be rewritten)

Symbolic termination ⇒ can't use recursive functions (again not really a problem, use recursive streams instead)


Page 27: Exploring the Cryptol Toolset

Conclusions

Cryptol provides a vast and truly useful toolset for cryptographers

Formal methods are "free" in Cryptol ⇒ no need to learn an external language or tool


Page 28: Exploring the Cryptol Toolset

Coming up!

Field-programmable gate arrays!

VHDL!

Space-time tradeoffs!

Stay tuned!


Page 29: Exploring the Cryptol Toolset

Acknowledgments

A special thanks to Mr. Levent for his patience.

We also ripped off some ideas from his papers about Cryptol for this presentation!


Page 30: Exploring the Cryptol Toolset

Questions

?
