Description: A view over the Cryptol toolset
Exploring the Cryptol Toolset
Pedro Pereira, Ulisses Costa
Formal Methods in Software Engineering
April 30, 2009
Pedro Pereira, Ulisses Costa Exploring the Cryptol Toolset
Previously in last month’s Episode!
We had to
Learn the Cryptol language
Build a high-level specification of SNOW3G
We showed you
The language was a combination of arithmetics and sequence manipulation
Some of its wonderful features: infinite and recursive streams, polymorphism
The SNOW3G algorithm
A complete (and compact, and elegant!) specification of a stream cipher in Cryptol
This time
We had to
Derive an implementation from the specification
Generate (fast) C source code using Cryptol’s C-backend
Use the evaluation version ⇒ access to the complete toolset
We will show you
A user’s perspective of the toolset so far
Cryptol → C conversion
Safety + Theorems in Cryptol ⇒ Formal Methods Galore!
Cryptol Interpreter
The interpreter provides various environments and so far we’ve used a few of them to:
Bit mode
Run Cryptol programs
C mode
Generate C source code
Symbolic Bit-Vector mode
Apply formal methods
Bit Mode - useful commands
Usage
:set bit
Base display
:set base=N
Little/Big endianness
:set -/+B
Base display
Example
Cryptol> [0 1 2 3]
[0x0 0x1 0x2 0x3]
Cryptol> :set base=10
Cryptol> [0 1 2 3]
[0 1 2 3]
Little/Big endianness
hexbyte.cry
HexByte : [4]Bit;
HexByte = [True False False False];
Example
Cryptol> :load hexbyte.cry
Loading "hexbyte.cry".. Checking types.. Processing.. Done!
hexbyte> :set base=2
hexbyte> HexByte
0b0001
hexbyte> :set +B
hexbyte> HexByte
0b1000
C Mode - useful commands
Usage
:set C
Generation of source code
:compile <filename>
Out-of-bounds checking
:set +b
Specialize polymorphic definitions (automatically on)
:set +S
Generation of source code
Cryptol → C conversion depends on:
cryptol.h
Contains all the necessary prototypes, macros and a few standard C includes.
CryAlloc.o
Implements a custom memory allocator/deallocator for the Cryptol run-time.
CryPrim.o
Implements C-equivalents of Cryptol’s built-in functions.
CryStream.o
C library for representing/manipulating infinite streams.
Out-of-bounds checking
lookup.cry
lookup : ([4], [2]) -> Bit;
lookup(xs, i) = xs @ i;
lookup.c without bounds checking:
...
lookup_res = GETBIT(xs_lookup, i_lookup);
...
lookup.c with bounds checking:
...
lookup_res = GETBIT_CHECKED(xs_lookup, i_lookup, 0x3);
...
NB: It incurs a performance cost.
Specialize polymorphic definitions I
size.cry
size : {a b c} (fin a, c >= 1) => [a]b -> [c];
size ss = ls ! 0
  where ls = [0] # [| (l+1) || l <- ls || s <- ss |];
Example
size> :set C
size> :compile size.c
size.c
#include "cryptol.h"
#include "size.h"
It’s empty!
Specialize polymorphic definitions II
Because
Cryptol generates monomorphic definitions ⇒ We must provide arguments
size.cry
size : {a b c} (fin a, c >= 1) => [a]b -> [c];
size ss = ls ! 0
  where ls = [0] # [| (l+1) || l <- ls || s <- ss |];
force_size = size [0 1 2 3 4];
Generated size.c
size.c
#include "cryptol.h"
#include "size.h"
static uint8 const [5] = {0x0, 0x1 , 0x2, 0x3, 0x4};
uint8 size_5 (uint8* ss_size) {
    uint32 local4 = 0x0;
    uint8 local5 = 0x0;
    uint8 size_5_res = 0x0;
    uint8 local8 = 0x0;
    uint32* mrk = getAllocMark ();
    size_5_res = 0x0;
    for ( local4 = 0x0 ; local4 < 0x5 ; local4 += 0x1 ) {
        local8 = size_5_res + 0x1;
        local5 = local8 & 0x1f;
        size_5_res = local5;
    }
    freeUntil(mrk);
    return size_5_res;
}
Optimizing the C code?
We found out
Not much, the documentation didn’t even address this specifically
Infinite streams take a heavy toll on performance (it figures... besides, an implementation isn’t supposed to have these)
But!
Hand-made implementation wasn’t much better
We aren’t done with this yet, it’s just that other stuff grabbed our attention
SBV Mode - useful commands
Usage
:set sbv
Safety checks
:safe <expression>
Quickcheck
:check <expression>
Theorem prover
:prove <expression>
Satisfiability
:sat <expression>
Safety checks
Statically catches
Index out-of-bounds;
Division/modulus by 0;
...and more!
Safe programs really don’t crash!
Safety checking I
lookup.cry
lookup : ([4], [2]) -> Bit;
lookup(xs, i) = xs @ i;
Example
lookup> :set sbv
lookup> :safe lookup
"lookup" is safe; no safety violations exist.
Safety checking II
lookup2.cry
lookup2 : ([4], [3]) -> Bit;
lookup2(xs, i) = xs @ i;
Example
lookup2> :safe lookup2
*** 1 safety condition to be checked.
*** Violation detected:
lookup (0, 4) = "lookup2.cry", line 2, col 20: index of 4 is out of bounds (valid range is 0 thru 3).
*** 1 problem found.
Safety checking III
lookup3.cry
lookup3 : ([4], [3]) -> Bit;
lookup3 (xs, i) = if i >= 3 then False else xs @ i;
Example
lookup3> :safe lookup3
*** 1 safety condition to be checked.
*** Verified safe.
*** All safety checks pass, safe to execute.
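The out-of-bounds checking slide (GETBIT versus GETBIT_CHECKED in the generated lookup.c) and the three safety-checking slides above describe the same situation from two sides: a runtime check that costs performance, or a guard in the specification that lets :safe prove the index is in range. The C below is an added illustration written for this page; it is not Cryptol's cryptol.h, and the function names, the nibble-in-a-byte representation and the return convention are assumptions. It follows the slides' default (-B) ordering, where index 0 is the least significant bit, so that [True False False False] is 0b0001.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed illustration, not Cryptol's cryptol.h. A [4]Bit sequence is
 * carried in the low nibble of a uint8_t and index 0 is the least
 * significant bit, as in the slides' default (-B) display. */

/* Unchecked lookup, the shape of GETBIT(xs, i). For i >= 8 the shift is
 * undefined behaviour in C; for 4 <= i < 8 it quietly reads a bit that is
 * not part of the [4] value. Nothing tells the caller either happened. */
static bool getbit_unchecked(uint8_t xs, unsigned i)
{
    return ((xs >> i) & 1u) != 0;
}

/* Checked lookup, the shape of GETBIT_CHECKED(xs, i, 0x3): the third
 * argument is the largest valid index. Returns 0 or 1 for the bit, or -1
 * to report an out-of-bounds index instead of a meaningless bit. */
static int getbit_checked(uint8_t xs, unsigned i, unsigned max_index)
{
    if (i > max_index)
        return -1;
    return getbit_unchecked(xs, i) ? 1 : 0;
}

/* lookup3 from the slides carried into C: the guard rules the index in
 * before any access, so the unchecked form is safe here. The guard is
 * kept exactly as the slide writes it (i >= 3 yields False). */
static bool lookup3(uint8_t xs, unsigned i)
{
    return i >= 3 ? false : getbit_unchecked(xs, i);
}

/* Of the 2^3 values a [3]-bit index can take, how many would the checked
 * lookup reject for a [4]-bit sequence? These are the inputs :safe
 * reported on for lookup2, which has no guard. */
static unsigned count_rejected_indices(uint8_t xs)
{
    unsigned rejected = 0;
    for (unsigned i = 0; i < 8; i++)
        if (getbit_checked(xs, i, 0x3) < 0)
            rejected++;
    return rejected;
}

int main(void)
{
    uint8_t hexbyte = 0x1; /* [True False False False] in -B mode */
    for (unsigned i = 0; i < 8; i++)
        printf("getbit_checked(0x1, %u, 0x3) = %d\n", i,
               getbit_checked(hexbyte, i, 0x3));
    printf("lookup3(0x1, 0) = %d, lookup3(0x8, 3) = %d\n",
           lookup3(hexbyte, 0), lookup3(0x8, 3));
    printf("indices rejected for a [3] argument: %u\n",
           count_rejected_indices(hexbyte));
    return 0;
}
```

The checked accessor is what :set +b buys at runtime; lookup3 is what a guard in the specification buys at no runtime cost, because once :safe has verified it the generated code can use the unchecked form.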
Quickcheck
The :check command
Cryptol’s implementation of Quickcheck
Consists in randomly generating test-cases and running property definitions on these
Validity of theorems
Quickchecking theorems
Plaintext ⇔ Decrypt . Encrypt
theorem EncDec: {pt k i}. pt == decrypt(encrypt(pt, k, i), k, i);
Example
Cryptol> :set quickCheckCount=100
Cryptol> :load SNOW_3G_v0.93.cry
Loading "SNOW_3G_v0.93.cry".. Checking types.. Processing.. Done!
*** Auto quickchecking 1 theorems.
*** Checking "EncDec" ["SNOW_3G_v0.93.cry", line 23, col 1]
Checking case 100 of 100 (100.00%)
100 tests passed OK
[Coverage: 0.00%. [(100/3940200619639447921227904010014...)]
SNOW_3G_v0.93>
Test coverage
EncDec coverage
[Coverage: 0.00%. [(100/3940200619639447921227904010014...)]
2^(128+128+128) different cases = the insane number above
Theorems are boolean functions!
In First Order Logic
∀x : 2x ⇔ x + x
In Cryptol
double : [8] -> Bit;
theorem double: {x}. 2*x == x+x;
Example
double> :prove double
Q.E.D.
The :prove command
Shows they’re equivalent to the constant function that always returns True
Finds counter-examples
Counter-example
FG.cry
f, g : [8] -> [8];
f x = (x-1)*(x+1);
g x = x*x + 1;
theorem FG: {x}. f x == g x;
Example
FG> :prove FG
*** Proving "FG" ["FG.cry", line 5, col 1]
Falsifiable.
FG 0 = False
Satisfiability
Definition
Determining if the variables of a given Boolean formula can be assigned in such a way as to make the formula evaluate to True.
FH.cry
f, h : [8] -> [8];
f x = (x-1)*(x+1);
h x = x*x - 1;
theorem FH: {x}. f x == h x;
Example
FH> :sat FH
FH 0 = True
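The Quickcheck, :prove and :sat slides above all rest on one observation: over a finite type such as [8], a theorem is a Boolean function of 2^8 inputs, so it can be checked by sampling, proved by covering every input, or satisfied by finding one input. The C program below is an added illustration written for this page and not Cryptol's prover: it decides the three slide theorems by exhaustion, which is feasible for 256 cases but not for the 2^384 cases of EncDec (that is exactly why the real tool reasons symbolically over bit-vectors rather than enumerating). The function names, the fixed-seed generator used for :check, and the -1 return convention are assumptions; arithmetic is truncated to uint8_t to match Cryptol's [8] semantics.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed illustration, not Cryptol's :prove/:sat/:check. Every
 * property below is a Boolean function of one [8] value, evaluated
 * modulo 2^8 by truncating to uint8_t. */

typedef bool (*prop8)(uint8_t x);

/* The definitions from FG.cry and FH.cry. */
static uint8_t f(uint8_t x) { return (uint8_t)((x - 1) * (x + 1)); }
static uint8_t g(uint8_t x) { return (uint8_t)(x * x + 1); }
static uint8_t h(uint8_t x) { return (uint8_t)(x * x - 1); }

/* theorem double: {x}. 2*x == x+x */
static bool prop_double(uint8_t x) { return (uint8_t)(2 * x) == (uint8_t)(x + x); }
/* theorem FG: {x}. f x == g x */
static bool prop_fg(uint8_t x) { return f(x) == g(x); }
/* theorem FH: {x}. f x == h x */
static bool prop_fh(uint8_t x) { return f(x) == h(x); }

/* :prove by exhaustion: -1 means the theorem holds for every input
 * (Q.E.D.); otherwise the smallest counterexample, as in "FG 0 = False". */
static int prove8(prop8 p)
{
    for (unsigned x = 0; x < 256; x++)
        if (!p((uint8_t)x))
            return (int)x;
    return -1;
}

/* :sat by exhaustion: the smallest input making the formula True, or -1
 * if no assignment satisfies it. */
static int sat8(prop8 p)
{
    for (unsigned x = 0; x < 256; x++)
        if (p((uint8_t)x))
            return (int)x;
    return -1;
}

/* :check with quickCheckCount=n: n pseudo-random inputs from a fixed-seed
 * LCG (an assumption here, not Cryptol's generator). Returns -1 if every
 * sampled case passed, else the first failing input. A pass says nothing
 * about the inputs never tried, which is what the coverage figure measures. */
static int check8(prop8 p, unsigned n, uint32_t seed)
{
    for (unsigned k = 0; k < n; k++) {
        seed = seed * 1103515245u + 12345u;
        uint8_t x = (uint8_t)(seed >> 16);
        if (!p(x))
            return (int)x;
    }
    return -1;
}

/* Coverage as the slides print it: cases tried over cases possible, in percent. */
static double coverage8(unsigned n)
{
    return 100.0 * (double)n / 256.0;
}

int main(void)
{
    printf(":prove double -> %d (-1 is Q.E.D.)\n", prove8(prop_double));
    printf(":prove FG     -> %d (counterexample)\n", prove8(prop_fg));
    printf(":prove FH     -> %d (-1 is Q.E.D.)\n", prove8(prop_fh));
    printf(":sat FH       -> %d\n", sat8(prop_fh));
    printf(":sat FG       -> %d (-1 is unsatisfiable)\n", sat8(prop_fg));
    printf(":check FH, 100 cases -> %d, coverage %.2f%%\n",
           check8(prop_fh, 100, 2009u), coverage8(100));
    return 0;
}
```

Because f x is x*x - 1 modulo 256, FG fails everywhere (no assignment satisfies it, and 0 is the first counterexample) while FH holds everywhere, which is why :sat FH answers with 0 and :prove FH with Q.E.D. The coverage for 100 sampled cases is 39.06% here, against the 0.00% the slides show for a 384-bit input space.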
Overview of formal methods subset
Highs:
Fully automated ⇒ it’s a "push button" package
If not automated, there’s manual ⇒ Isabelle/HOL translation (:isabelle)
Fast enough
Lows:
Doesn’t cover the entire Cryptol language:
Finiteness restriction ⇒ incapable of induction
Monomorphic restriction
First order restriction (not really a problem, can be rewritten)
Symbolic termination ⇒ can’t use recursive functions (again not really a problem, use recursive streams instead)
Conclusions
Cryptol provides a vast and truly useful toolset for cryptographers
Formal methods are "free" in Cryptol ⇒ No need to learn an external language or tool
Coming up!
Field-programmable gate arrays!
VHDL!
Space-time tradeoffs!
Stay tuned!
Acknowledgments
A special thanks to Mr. Levent for his patience.
We also ripped off some ideas from his papers about Cryptol for this presentation!
Questions
?