Exploring the Cryptol Toolset
A view over the Cryptol toolset
Presentation Transcript

• Exploring the Cryptol Toolset
  Pedro Pereira, Ulisses Costa
  Formal Methods in Software Engineering
  April 30, 2009

• Previously in last month's Episode!
  We had to:
    Learn the Cryptol language
    Build a high-level specification of SNOW3G
  We showed you:
    The language is a combination of arithmetic and sequence manipulation
    Some of its wonderful features: infinite and recursive streams, polymorphism
    The SNOW3G algorithm
    A complete (and compact, and elegant!) specification of a stream cipher in Cryptol

• This time
  We had to:
    Derive an implementation from the specification
    Generate (fast) C source code using Cryptol's C backend
    Use the evaluation version ⇒ access to the complete toolset
  We will show you:
    A user's perspective of the toolset so far
    Cryptol → C conversion
    Safety + Theorems in Cryptol ⇒ Formal Methods Galore!

• Cryptol Interpreter
  The interpreter provides various environments; so far we've used a few of them:
    Bit mode: run Cryptol programs
    C mode: generate C source code
    Symbolic Bit-Vector (SBV) mode: apply formal methods

• Bit Mode - useful commands
    Usage: :set bit
    Base display: :set base=N
    Little/Big endianness: :set -B / :set +B

• Base display
  Example
    Cryptol> [0 1 2 3]
    [0x0 0x1 0x2 0x3]
    Cryptol> :set base=10
    Cryptol> [0 1 2 3]
    [0 1 2 3]

• Little/Big endianness
  hexbyte.cry
    HexByte : [4]Bit;
    HexByte = [True False False False];
  Example
    Cryptol> :load hexbyte.cry
    Loading "hexbyte.cry".. Checking types.. Processing.. Done!
    hexbyte> :set base=2
    hexbyte> HexByte
    0b0001
    hexbyte> :set +B
    hexbyte> HexByte
    0b1000

• C Mode - useful commands
    Usage: :set C
    Generation of source code: :compile <filename>
    Out-of-bounds checking: :set +b
    Specialize polymorphic definitions (automatically on): :set +S

• Generation of source code
  Cryptol → C conversion depends on:
    Cryptol.h: contains all the necessary prototypes, macros and a few standard C includes.
    CryAlloc.o: implements a custom memory allocator/deallocator for the Cryptol run-time.
    CryPrim.o: implements C equivalents of Cryptol's built-in functions.
    CryStream.o: C library for representing/manipulating infinite streams.

• Out-of-bounds checking
  lookup.cry
    lookup : ([4], [2]) -> Bit;
    lookup (xs, i) = xs @ i;
  lookup.c without bounds checking
    ...
    lookup_res = GETBIT(xs_lookup, i_lookup);
    ...
  lookup.c with bounds checking (:set +b)
    ...
    lookup_res = GETBIT_CHECKED(xs_lookup, i_lookup, 0x3);
    ...
  NB: It incurs a performance cost.

• Specialize polymorphic definitions I
  size.cry
    size : {a b c} (fin a, c >= 1) -> [a]b -> [c];
    size ss = ls ! 0
      where ls = [0] # [| (l + 1) || l <- ls || s <- ss |];
  Example
    size> :set C
    size> :compile size.c
  size.c
    #include "Cryptol.h"
    #include "size.h"
  It's empty!

• Specialize polymorphic definitions II
  Because Cryptol generates monomorphic definitions ⇒ we must provide arguments
  size.cry
    size : {a b c} (fin a, c >= 1) -> [a]b -> [c];
    size ss = ls ! 0
      where ls = [0] # [| (l + 1) || l <- ls || s <- ss |];
    force_size = size [0 1 2 3 4];

• Generated size.c
  size.c
    #include "cryptol.h"
    #include "size.h"
    static uint8 const [5] = {0x0, 0x1, 0x2, 0x3, 0x4};
    uint8 size_5(uint8 *ss_size) {
      uint32 local4 = 0x0;
      uint8 local5 = 0x0;
      uint8 size_5_res = 0x0;
      uint8 local8 = 0x0;
      uint32 *mrk = getAllocMark();
      size_5_res = 0x0;
      for (local4 = 0x0; local4 < 0x5; local4 += 0x1) {
        local8 = size_5_res + 0x1;
        local5 = local8 & 0x1f;
        size_5_res = local5;
      }
      freeUntil(mrk);
      return size_5_res;
    }

• Optimizing the C code?
  We found out:
    Not much; the documentation didn't even address this specifically
    Infinite streams take a heavy toll on performance (it figures... besides, an implementation isn't supposed to have these)
  But! The hand-made implementation wasn't much better
  We aren't done with this yet; it's just that other stuff grabbed our attention

• SBV Mode - useful commands
    Usage: :set sbv
    Safety checks: :safe <expression>
    Quickcheck: :check <expression>
    Theorem prover: :prove <expression>
    Satisfiability: :sat <expression>

• Safety checks
  Statically catches:
    Index out-of-bounds;
    Division/modulus by 0;
    ...and more!
  Safe programs really don't crash!

• Safety checking I
  lookup.cry
    lookup : ([4], [2]) -> Bit;
    lookup (xs, i) = xs @ i;
  Example
    lookup> :set sbv
    lookup> :safe lookup
    "lookup" is safe; no safety violations exist.

• Safety checking II
  lookup2.cry
    lookup2 : ([4], [3]) -> Bit;
    lookup2 (xs, i) = xs @ i;
  Example
    lookup2> :safe lookup2
    *** 1 safety condition to be checked.
    *** Violation detected: lookup (0, 4) = "lookup2.cry", line 2, col 20: index of 4 is out of bounds (valid range is 0 thru 3).
    *** 1 problem found.

• Safety checking III
  lookup3.cry
    lookup3 : ([4], [3]) -> Bit;
    lookup3 (xs, i) = if i >= 3 then False else xs @ i;
  Example
    lookup3> :safe lookup3
    *** 1 safety condition to be checked.
    *** Verified safe.
    *** All safety checks pass, safe to execute.
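The lookup, lookup2 and lookup3 definitions from the out-of-bounds and safety-checking slides, carried through in C the way the bounds-checked backend output suggests. This is an added example, not code from the slides or from Cryptol: GETBIT and GETBIT_CHECKED are replaced by hypothetical stand-ins, the bit layout chosen for a [4] is an assumption, and exhaustively_safe emulates :safe by enumeration on these tiny types.

```c
#include <stdint.h>

#define LOOKUP_OOB (-1)   /* returned when the index is out of bounds */

/* Stand-in for GETBIT(xs, i) in the slides' generated lookup.c (hypothetical,
   not Cryptol's macro). A Cryptol [4]Bit is modelled as the low 4 bits of a
   byte with element i in bit i (assumed layout, matching the default display
   where [True False False False] prints as 0b0001). */
static int getbit(uint8_t xs, uint8_t i) {
    return (xs >> i) & 1u;
}

/* Stand-in for GETBIT_CHECKED(xs, i, 0x3): the last argument is the largest
   valid index, derived by the C backend from the type [4]. Instead of
   aborting, an out-of-range index is reported as LOOKUP_OOB. */
static int getbit_checked(uint8_t xs, uint8_t i, uint8_t max_index) {
    if (i > max_index) return LOOKUP_OOB;
    return getbit(xs, i);
}

/* lookup : ([4], [2]) -> Bit. A 2-bit index is always 0..3, so the check
   can never fire; this is why :safe reports lookup as safe. */
int lookup(uint8_t xs, uint8_t i) {
    return getbit_checked(xs & 0xF, i & 0x3, 0x3);
}

/* lookup2 : ([4], [3]) -> Bit. A 3-bit index reaches 4..7, which is the
   violation :safe reports ("index of 4 is out of bounds"). */
int lookup2(uint8_t xs, uint8_t i) {
    return getbit_checked(xs & 0xF, i & 0x7, 0x3);
}

/* lookup3 : ([4], [3]) -> Bit with the slides' guard
   "if i >= 3 then False else xs @ i". Safe, although the guard also
   rejects index 3, which is a valid position in a [4]. */
int lookup3(uint8_t xs, uint8_t i) {
    i &= 0x7;
    if (i >= 3) return 0;
    return getbit_checked(xs & 0xF, i, 0x3);
}

/* Emulates :safe on these tiny types by enumerating every (xs, i) pair and
   asking whether the bounds check can ever fire; returns 1 if it cannot.
   (Cryptol's SBV mode proves this symbolically, not by enumeration.) */
int exhaustively_safe(int (*fn)(uint8_t, uint8_t), unsigned index_bits) {
    for (unsigned xs = 0; xs < 16; xs++)
        for (unsigned i = 0; i < (1u << index_bits); i++)
            if (fn((uint8_t)xs, (uint8_t)i) == LOOKUP_OOB) return 0;
    return 1;
}
```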
• Quickcheck
  The :check command: Cryptol's implementation of QuickCheck
  Consists in randomly generating test cases and running property definitions on them
  Validity of theorems

• Quickchecking theorems
  Plaintext ⇔ Decrypt . Encrypt
    theorem EncDec : {pt k i}. pt == decrypt (encrypt (pt, k, i), k, i);
  Example
    Cryptol> :set quickCheckCount=100
    Cryptol> :load SNOW 3G v0.93.cry
    Loading "SNOW 3G v0.93.cry".. Checking types.. Processing.. Done!
    *** Auto quickchecking 1 theorems.
    *** Checking "EncDec" ["SNOW 3G v0.93.cry", line 23, col 1]
    Checking case 100 of 100 (100.00%)
    100 tests passed OK
    [Coverage: 0.00%. [(100/3940200619639447921227904010014...)]
    SNOW 3G v0.93>

• Test coverage
  EncDec coverage: [Coverage: 0.00%. [(100/3940200619639447921227904010014...)]
  2^(128+128+128) different cases = the insane number above

• Theorems are boolean functions!
  In first-order logic: ∀x : 2x ⇔ x + x
  In Cryptol:
    double : [8] -> Bit;
    theorem double : {x}. 2 * x == x + x;
  Example
    double> :prove double
    Q.E.D.
  The :prove command:
    Shows they're equivalent to the constant function that always returns True
    Finds counter-examples

• Counter-example
  FG.cry
    f, g : [8] -> [8];
    f x = (x - 1) * (x + 1);
    g x = x * x + 1;
    theorem FG : {x}. f x == g x;
  Example
    FG> :prove FG
    *** Proving "FG" ["FG.cry", line 5, col 1]
    Falsifiable.
    FG 0 = False

• Satisfiability
  Definition: determining whether the variables of a given Boolean formula can be assigned in such a way as to make the formula evaluate to True.
  FH.cry
    f, h : [8] -> [8];
    f x = (x - 1) * (x + 1);
    h x = x * x - 1;
    theorem FH : {x}. f x == h x;
  Example
    FH> :sat FH
    FH 0 = True
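The three theorems above (double, FG and FH) carried through in C over the same 8-bit domain, as an added example not taken from the slides or from Cryptol. prove8 and sat8 are hypothetical helpers that emulate :prove and :sat by enumerating all 256 inputs; Cryptol's SBV mode reasons symbolically instead, but on this domain the verdicts and the reported inputs coincide.

```c
#include <stdint.h>
#include <stdbool.h>

/* The slides' definitions over [8]: uint8_t gives arithmetic modulo 2^8,
   so (x - 1) * (x + 1) at x = 0 wraps to 255 just as Cryptol's does. */
uint8_t f(uint8_t x) { return (uint8_t)((x - 1) * (x + 1)); }
uint8_t g(uint8_t x) { return (uint8_t)(x * x + 1); }
uint8_t h(uint8_t x) { return (uint8_t)(x * x - 1); }

/* Each theorem is a Boolean function of its free variable, as the slide
   "Theorems are boolean functions!" puts it. */
bool thm_double(uint8_t x) { return (uint8_t)(2 * x) == (uint8_t)(x + x); }
bool thm_FG(uint8_t x)     { return f(x) == g(x); }
bool thm_FH(uint8_t x)     { return f(x) == h(x); }

typedef bool (*theorem_fn)(uint8_t);

#define QED   (-1)  /* prove8: the theorem held on every input */
#define UNSAT (-1)  /* sat8: no input makes the formula True */

/* Emulates :prove on an 8-bit variable by trying all 256 inputs: returns
   QED when the theorem equals the constant-True function, otherwise the
   first falsifying input (the slides' "Falsifiable. FG 0 = False").
   Enumeration stands in for the symbolic bit-vector proof of SBV mode. */
int prove8(theorem_fn thm) {
    for (unsigned x = 0; x < 256; x++)
        if (!thm((uint8_t)x)) return (int)x;
    return QED;
}

/* Emulates :sat: returns the first input on which the formula is True
   (the slides' "FH 0 = True"), or UNSAT when no assignment works. */
int sat8(theorem_fn thm) {
    for (unsigned x = 0; x < 256; x++)
        if (thm((uint8_t)x)) return (int)x;
    return UNSAT;
}
```

Note that FG is false on every input (f x and g x always differ by 2 modulo 256), so sat8 reports UNSAT for it, while FH is true everywhere and is therefore both provable and satisfiable.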
• Overview of formal methods subset
  Highs:
    Fully automated ⇒ it's a "push button" package
    If not automated, there's a manual route ⇒ Isabelle/HOL translation (:isabelle)
    Fast enough
  Lows:
    Doesn't cover the entire Cryptol language:
      Finiteness restriction ⇒ incapable of induction
      Monomorphic restriction
      First-order restriction (not really a problem; can be rewritten)
      Symbolic termination ⇒ can't use recursive functions (again not really a problem; use recursive streams instead)

• Conclusions
  Cryptol provides a vast and truly useful toolset for cryptographers
  Formal methods are "free" in Cryptol ⇒ no need to learn an external language or tool

• Coming up!
  Field-programmable gate arrays! VHDL! Space-time tradeoffs! Stay tuned!

• Acknowledgments
  A special thanks to Mr. Levent for his patience. We also ripped off some ideas from his papers about Cryptol for this presentation!

• Questions?