research-article

Probabilistic relational verification for cryptographic implementations

Authors:
Gilles Barthe

IMDEA Software Institute, Madrid, Spain

IMDEA Software Institute, Madrid, Spain
View Profile

,
Cédric Fournet

Microsoft Research, Cambridge, United Kingdom

Microsoft Research, Cambridge, United Kingdom
View Profile

,
Benjamin Grégoire

Inria Sophia Antipolis - Méditerranée, Sophia Antipolis, France

Inria Sophia Antipolis - Méditerranée, Sophia Antipolis, France
View Profile

,
Pierre-Yves Strub

IMDEA Software Institute, Madrid, Spain

IMDEA Software Institute, Madrid, Spain
View Profile

,
Nikhil Swamy

Microsoft Research, Seattle, WA, USA

Microsoft Research, Seattle, WA, USA
View Profile

,
Santiago Zanella-Béguelin

Microsoft Research, Cambridge, United Kingdom

Microsoft Research, Cambridge, United Kingdom
View Profile

Authors Info & Claims

ACM SIGPLAN Notices Volume 49 Issue 1January 2014pp 193–205https://doi.org/10.1145/2578855.2535847

Published:08 January 2014Publication History

ACM SIGPLAN Notices

Abstract

Relational program logics have been used for mechanizing formal proofs of various cryptographic constructions. With an eye towards scaling these successes towards end-to-end security proofs for implementations of distributed systems, we present RF*, a relational extension of F*, a general-purpose higher-order stateful programming language with a verification system based on refinement types. The distinguishing feature of F* is a relational Hoare logic for a higher-order, stateful, probabilistic language. Through careful language design, we adapt the F* typechecker to generate both classic and relational verification conditions, and to automatically discharge their proofs using an SMT solver. Thus, we are able to benefit from the existing features of F*, including its abstraction facilities for modular reasoning about program fragments. We evaluate RF* experimentally by programming a series of cryptographic constructions and protocols, and by verifying their security properties, ranging from information flow to unlinkability, integrity, and privacy. Moreover, we validate the design of RF* by formalizing in Coq a core probabilistic λ calculus and a relational refinement type system and proving the soundness of the latter against a denotational semantics of the probabilistic lambda λ calculus.

Supplemental Material

d1_right_t9.mp4

mp4

248.3 MB

Download

References

M. Abadi and C. Fournet. Private authentication. Theor. Comput. Sci., 322(3):427--476, 2004. Google ScholarDigital Library
M. Aizatulin, A. D. Gordon, and J. Jürjens. Computational verification of C protocol implementations by symbolic execution. In CCS 2012, pages 712--723. ACM, 2012. Google ScholarDigital Library
J. B. Almeida, M. Barbosa, G. Barthe, and F. Dupressoir. Certified computer-aided cryptography: efficient provably secure machine code from high-level implementations. In CCS 2013. ACM, 2013. Also appears as Cryptology ePrint Archive, Report 2013/316. Google ScholarDigital Library
A. W. Appel and D. A. McAllester. An indexed model of recursive types for foundational proof-carrying code. ACM Trans. Program. Lang. Syst., 23(5):657--683, 2001. Google ScholarDigital Library
M. Arapinis, T. Chothia, E. Ritter, and M. Ryan. Analysing unlinkability and anonymity using the applied Pi calculus. In CSF 2010, pages 107--121. IEEE Computer Society, 2010. Google ScholarDigital Library
P. Audebaud and C. Paulin-Mohring. Proofs of randomized algorithms in Coq. Sci. Comput. Program., 74(8):568--589, 2009. Google ScholarDigital Library
G. Barthe, B. Grégoire, and S. Zanella-Béguelin. Formal certification of code-based cryptographic proofs. In POPL 2009, pages 90--101. ACM, 2009. Google ScholarDigital Library
G. Barthe, B. Grégoire, S. Heraud, and S. Zanella-Béguelin. Computer-aided security proofs for the working cryptographer. In CRYPTO 2011, volume 6841 of Lecture Notes in Computer Science, pages 71--90. Springer, 2011. Google ScholarDigital Library
G. Barthe, B. Grégoire, Y. Lakhnech, and S. Zanella-Béguelin. Beyond provable security. Verifiable IND-CCA security of OAEP. In CT-RSA 2011, volume 6558 of Lecture Notes in Computer Science, pages 180--196. Springer, 2011. Google ScholarDigital Library
G. Barthe, B. Köpf, F. Olmedo, and S. Zanella Béguelin. Probabilisticrelational reasoning for differential privacy. In POPL 2012, pages 97--110. ACM, 2012. Google ScholarDigital Library
N. Benton. Simple relational correctness proofs for static analyses and program transformations. In POPL 2004, pages 14--25. ACM, 2004. Google ScholarDigital Library
K. Bhargavan, C. Fournet, and A. D. Gordon. Modular verification of security protocol code by typing. In POPL 2010, pages 445--456. ACM, 2010. Google ScholarDigital Library
K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, and P.-Y. Strub. Implementing TLS with verified cryptographic security. In S&P 2013, pages 445--459. IEEE Computer Society, 2013. Google ScholarDigital Library
B. Blanchet. Security protocol verification: Symbolic and computational models. In POST 2012, volume 7215 of Lecture Notes in Computer Science, pages 3--29. Springer, 2012. Google ScholarDigital Library
{15} J. Borgström, A. D. Gordon, M. Greenberg, J. Margetson, and J. V. Gael. Measure transformer semantics for bayesian machine learning. In ESOP 2011, volume 6602 of Lecture Notes in Computer Science, pages 77--96. Springer, 2011. Google ScholarDigital Library
D. Cadé and B. Blanchet. From computationally-proved protocol specifications to implementations. In ARES 2012, pages 65--74. IEEE Computer Society, 2012. Google ScholarDigital Library
R. Chadha, L. Cruz-Filipe, P. Mateus, and A. Sernadas. Reasoning about probabilistic sequential programs. Theor. Comput. Sci., 379(1--2):142--165, 2007. Google ScholarDigital Library
S. Chaudhuri, S. Gulwani, and R. Lublinerman. Continuity and robustness of programs. Commun. ACM, 55(8):107--115, 2012. Google ScholarDigital Library
T. Chothia and V. Smirnov. A traceability attack against e-passports. In FC 2010, volume 6052 of Lecture Notes in Computer Science, pages 20--34. Springer, 2010. Google ScholarDigital Library
M. R. Clarkson and F. B. Schneider. Hyperproperties. J. of Comput. Sec., 18(6):1157--1210, 2010. Google ScholarDigital Library
L. M. de Moura and N. Bjørner. Z3: An efficient SMT solver. In TACAS 2008, volume 4963 of Lecture Notes in Computer Science, pages 337--340. Springer, 2008. Google ScholarDigital Library
F. Dupressoir, A. D. Gordon, J. Jürjens, and D. A. Naumann. Guiding a general-purpose C verifier to prove cryptographic protocols. In CSF 2011, pages 3--17. IEEE Computer Society, 2011. Google ScholarDigital Library
Y. A. Feldman and D. Harel. A probabilistic dynamic logic. J. Comput. Syst. Sci., 28(2):193--215, 1984.Google ScholarCross Ref
C. Fournet, M. Kohlweiss, and P.-Y. Strub. Modular code-based cryptographic verification. In CCS 2011, pages 341--350. ACM, 2011. Google ScholarDigital Library
J. A. Goguen and J. Meseguer. Security policies and security models. In S&P 1982, pages 11--20. IEEE Computer Society, 1982.Google Scholar
G. Gonthier, A. Mahboubi, and E. Tassi. A small scale reflection extension for the Coq system. Technical Report RR-6455, INRIA, 2008.Google Scholar
J. Hurd, A. McIver, and C. Morgan. Probabilistic guarded commands mechanized in HOL. Theor. Comput. Sci., 346(1):96--112, 2005. Google ScholarDigital Library
{28} B. Jonsson, W. Yi, and K. G. Larsen. Probabilistic extensions of process algebras. In Handbook of Process Algebra, pages 685--710. Elsevier, 2001.Google ScholarCross Ref
O. Kiselyov and C.-c. Shan. Embedded probabilistic programming. In DSL 2009, volume 5658 of Lecture Notes in Computer Science, pages 360--384. Springer, 2009. Google ScholarDigital Library
D. Kozen. A probabilistic PDL. J. Comput. Syst. Sci., 30(2):162--178, 1985.Google ScholarCross Ref
R. Küsters, T. Truderung, and J. Graf. A framework for the cryptographic verification of Java-like programs. In CSF 2012, pages 198--212. IEEE Computer Society, 2012. Google ScholarDigital Library
J. McCarthy. Towards a mathematical science of computation. In IFIP Congress, pages 21--28, 1962.Google Scholar
A. McIver and C. Morgan. Abstraction, Refinement, and Proof for Probabilistic Systems. Monographs in Computer Science. Springer, 2005. Google ScholarDigital Library
A. Nanevski, G. Morrisett, A. Shinnar, P. Govereau, and L. Birkedal. Ynot: dependent types for imperative programs. In ICFP 2008, pages 229--240. ACM, 2008. Google ScholarDigital Library
S. Park, F. Pfenning, and S. Thrun. A probabilistic language based upon sampling functions. In POPL 2005, pages 171--182. ACM, 2005. Google ScholarDigital Library
T. P. Pedersen. Non-interactive and information-theoretic secure verifiable secret sharing. In CRYPTO '91, volume 576 of Lecture Notes in Computer Science, pages 129--140. Springer, 1991. Google ScholarDigital Library
N. Ramsey and A. Pfeffer. Stochastic lambda calculus and monads of probability distributions. In POPL 2002, pages 154--165. ACM, 2002. Google ScholarDigital Library
J. H. Reif. Logics for probabilistic programming (extended abstract). In STOC 1980, pages 8--13. ACM, 1980. Google ScholarDigital Library
B. Reus and N. Charlton. A guide to program logics for higher-order store, 2012. Unpublished manuscript.Google Scholar
A. Rial and G. Danezis. Privacy-preserving smart metering. In WPES 2011, pages 49--60. ACM, 2011. Google ScholarDigital Library
A. Sabelfeld and A. C. Myers. Language-based information-flow security. IEEE Journal on Selected Areas in Communications, 21(1):5--19, 2003. Google ScholarDigital Library
G. Stewart, A. Banerjee, and A. Nanevski. Dependent types for enforcement of information flow and erasure policies in heterogeneous data structures. In PPDP 2013, pages 145--156. ACM, 2013. Google ScholarDigital Library
P.-Y. Strub, N. Swamy, C. Fournet, and J. Chen. Self-certification: Bootstrapping certified typecheckers in F* with Coq. In POPL 2012, pages 571--584. ACM, 2012. Google ScholarDigital Library
K. Svendsen, L. Birkedal, and A. Nanevski. Partiality, state and dependent types. In TLCA 2011, pages 198--212. Springer, 2011. Google ScholarDigital Library
N. Swamy, J. Chen, C. Fournet, P.-Y. Strub, K. Bhargavan, and J. Yang. Secure distributed programming with value-dependent types. In ICFP 2011, pages 266--278. ACM, 2011. Google ScholarDigital Library
N. Swamy, J. Weinberger, C. Schlesinger, J. Chen, and B. Livshits. Verifying higher-order programs with the Dijkstra monad. In PLDI 2013, pages 387--398. ACM, 2013. Google ScholarDigital Library

Index Terms

Probabilistic relational verification for cryptographic implementations

Recommendations

Higher-order probabilistic adversarial computations: categorical semantics and program logics

Adversarial computations are a widely studied class of computations where resource-bounded probabilistic adversaries have access to oracles, i.e., probabilistic procedures with private state. These computations arise routinely in several domains, ...
Read More
Formal verification of higher-order probabilistic programs: reasoning about approximation, convergence, Bayesian inference, and optimization

Probabilistic programming provides a convenient lingua franca for writing succinct and rigorous descriptions of probabilistic models and inference tasks. Several probabilistic programming languages, including Anglican, Church or Hakaru, derive their ...
Read More
Probabilistic relational verification for cryptographic implementations
POPL '14: Proceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages

Relational program logics have been used for mechanizing formal proofs of various cryptographic constructions. With an eye towards scaling these successes towards end-to-end security proofs for implementations of distributed systems, we present RF*, a ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Published in
ACM SIGPLAN Notices Volume 49, Issue 1
POPL '14
January 2014
661 pages
ISSN:0362-1340
EISSN:1558-1160
DOI:10.1145/2578855
Editor:
Mark W. Bailey
Hamilton College, Clinton, NY
Issue’s Table of Contents
POPL '14: Proceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
January 2014
702 pages
ISBN:9781450325448
DOI:10.1145/2535838
General Chair:
Suresh Jagannathan
Purdue University, USA
,
Program Chair:
Peter Sewell
University of Cambridge, UK
Copyright © 2014 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 8 January 2014
Check for updates
Author Tags
probabilistic programming
program logics
Qualifiers
- research-article
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 64
  Total Citations
  View Citations
- 604
  Total Downloads
- Downloads (Last 12 months)23
- Downloads (Last 6 weeks)2
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Probabilistic relational verification for cryptographic implementations

ACM SIGPLAN Notices

Abstract

Supplemental Material

References

Cited By

Index Terms

Recommendations

Higher-order probabilistic adversarial computations: categorical semantics and program logics

Formal verification of higher-order probabilistic programs: reasoning about approximation, convergence, Bayesian inference, and optimization

Probabilistic relational verification for cryptographic implementations