Compiling CAO: From Cryptographic Specifications to C Implementations

265 views

Published on

Tool demo presented at POST14 (part of ETAPS 2014: 5-13 April 2014, Grenoble, France).

Published in: Science, Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
265
On SlideShare
0
From Embeds
0
Number of Embeds
7
Actions
Shares
0
Downloads
4
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Compiling CAO: From Cryptographic Specifications to C Implementations

  1. 1. Compiling CAO: from Cryptographic Specifications to C Implementations Manuel Barbosa David Castro Paulo Silva HASLab/INESC TEC Universidade do Minho Braga, Portugal April 8, 2014 Grenoble
  2. 2. Motivation 〉 Developing cryptographic software is challenging 〉 Performance is usually critical 〉 Many implementations are done directly in assembly 〉 Aggressive optimizations must not change the semantics 〉 Error prone and time consuming Manuel Barbosa, David Castro, Paulo Silva 1/14
  3. 3. CAO Language 〉 Started in the CACE project (FP7) in collaboration with Univ. Bristol 〉 Domain specific language for core cryptographic components 〉 Hash functions, authentication algorithms, signatures, . . . 〉 High level features closer to standards 〉 Supported by a tool chain to assist development Manuel Barbosa, David Castro, Paulo Silva 2/14
  4. 4. CAO Language 〉 Main design goals: 〉 Flexible and configurable for a wide range of platforms (machine architecture + operating system + compiler + extra libraries) 〉 Incorporate domain specific optimizations early in the compilation process 〉 Oriented to the implementation of cryptographic APIs Manuel Barbosa, David Castro, Paulo Silva 3/14
  5. 5. CAO Features 〉 Call by value semantics 〉 No input/output support 〉 No language construct to dynamically allocate memory 〉 Highly expressive native types and operators Manuel Barbosa, David Castro, Paulo Silva 4/14
  6. 6. CAO Types 〉 Booleans def b1 : bool; def b2 : bool := true; Manuel Barbosa, David Castro, Paulo Silva 5/14
  7. 7. CAO Types 〉 Booleans def b1 : bool; def b2 : bool := true; 〉 Integers (arbitrary precision) def i1 : int; def i2 : int := 10; Manuel Barbosa, David Castro, Paulo Silva 5/14
  8. 8. CAO Types 〉 Booleans def b1 : bool; def b2 : bool := true; 〉 Integers (arbitrary precision) def i1 : int; def i2 : int := 10; 〉 Machine integers def ri1 : register int; def ri2 : register int := 1; Manuel Barbosa, David Castro, Paulo Silva 5/14
  9. 9. CAO Types 〉 Booleans def b1 : bool; def b2 : bool := true; 〉 Integers (arbitrary precision) def i1 : int; def i2 : int := 10; 〉 Machine integers def ri1 : register int; def ri2 : register int := 1; 〉 Bit strings def ubs1 : unsigned bits [32]; def ubs2 : unsigned bits [4] := 0b0101; def sbs1 : signed bits [16]; def sbs2 : signed bits [8] := 1b01010010; Manuel Barbosa, David Castro, Paulo Silva 5/14
  10. 10. CAO Types (cont.) 〉 Rings or fields defined by an integer def mo1 : mod [5]; def mo2 : mod [2] := [1]; Manuel Barbosa, David Castro, Paulo Silva 6/14
  11. 11. CAO Types (cont.) 〉 Rings or fields defined by an integer def mo1 : mod [5]; def mo2 : mod [2] := [1]; 〉 Extension fields defined by a type and a polynomial def mp1 : mod[ mod [2] <X> / X**7 + X**3 + 1 ]; def mp2 : mod[ mod [11] <Y> / Y**2 + 1 ] := [5*Y + 2] * [7*Y+1]; Manuel Barbosa, David Castro, Paulo Silva 6/14
  12. 12. CAO Types (cont.) 〉 Rings or fields defined by an integer def mo1 : mod [5]; def mo2 : mod [2] := [1]; 〉 Extension fields defined by a type and a polynomial def mp1 : mod[ mod [2] <X> / X**7 + X**3 + 1 ]; def mp2 : mod[ mod [11] <Y> / Y**2 + 1 ] := [5*Y + 2] * [7*Y+1]; 〉 Vectors def v1 : vector [10] of register int; def v2 : vector [4] of unsigned bits [2] := { 0b00 , 0b01 , 0b10 , 0b11 }; Manuel Barbosa, David Castro, Paulo Silva 6/14
  13. 13. CAO Types (cont.) 〉 Rings or fields defined by an integer def mo1 : mod [5]; def mo2 : mod [2] := [1]; 〉 Extension fields defined by a type and a polynomial def mp1 : mod[ mod [2] <X> / X**7 + X**3 + 1 ]; def mp2 : mod[ mod [11] <Y> / Y**2 + 1 ] := [5*Y + 2] * [7*Y+1]; 〉 Vectors def v1 : vector [10] of register int; def v2 : vector [4] of unsigned bits [2] := { 0b00 , 0b01 , 0b10 , 0b11 }; 〉 Matrices def m1 : matrix [2, 3] of int; def m2 : matrix [2, 2] of mod [2] := { [1], [0], [0], [1] }; Manuel Barbosa, David Castro, Paulo Silva 6/14
  14. 14. Simple Example: Bubble Sort typedef int_vector := vector [10] of int; def bubble_sort (v : int_vector) : int_vector { def temp : int; seq i := 8 to 0 by -1 { seq j := 0 to i { if (v[j] > v[j+1]) { temp := v[j]; v[j] := v[j+1]; v[j+1] := temp; } } } return v; } Manuel Barbosa, David Castro, Paulo Silva 7/14
  15. 15. Simple Example: Bubble Sort def bubble_sort (const n : register int {1 < n}, v : vector[n] of int) : vector[n] of int { def temp : int; seq i := n - 2 to 0 by -1 { seq j := 0 to i { if (v[j] > v[j+1]) { temp := v[j]; v[j] := v[j+1]; v[j+1] := temp; } } } return v; } Manuel Barbosa, David Castro, Paulo Silva 8/14
  16. 16. Complete Algorithm: SHA1 〉 (example sha1.cao) Manuel Barbosa, David Castro, Paulo Silva 9/14
  17. 17. Exploring Intermediate CAO Code 〉 Source to source transformations 〉 (demo) Manuel Barbosa, David Castro, Paulo Silva 10/14
  18. 18. Platform Specification 〉 (demo) Manuel Barbosa, David Castro, Paulo Silva 11/14
  19. 19. Using the Generated Code 〉 (demo) Manuel Barbosa, David Castro, Paulo Silva 12/14
  20. 20. Protection Against Side-channel Attacks 〉 Popular countermeasure against side-channel attacks 〉 Indistinguishable functions: 〉 Vulnerable functions execute the same sequence of native CAO operations 〉 (demo) Manuel Barbosa, David Castro, Paulo Silva 13/14
  21. 21. Conclusions 〉 The code of the compiler is reasonably stable 〉 The source code is available from the Hackage repository: http://hackage.haskell.org/package/cao 〉 Future work: 〉 Improve efficiency of the generated code (more aggressive optimizations are possible) 〉 Additional protection countermeasures against side-channel attacks 〉 Provide support for other platforms (ongoing work for ARM architecture) 〉 Provide additional guarantees when compiling C using CompCert (ongoing work) Manuel Barbosa, David Castro, Paulo Silva 14/14

×