# Exploring the Cryptol Toolset

A view over the Cryptol toolset (slide deck by Pedro Pereira and Ulisses Costa, Formal Methods in Software Engineering, April 30, 2009).

Published in: Technology
0 Likes
Statistics
Notes
• Full Name
Comment goes here.

Are you sure you want to Yes No
• Be the first to comment

• Be the first to like this

Views
Total views
1,457
On SlideShare
0
From Embeds
0
Number of Embeds
10
Actions
Shares
0
41
0
Likes
0
Embeds 0
No embeds

No notes for slide

### Exploring the Cryptol Toolset

1. Exploring the Cryptol Toolset
   Pedro Pereira, Ulisses Costa
   Formal Methods in Software Engineering, April 30, 2009
2. Previously, in last month's episode!
   - We had to:
     - learn the Cryptol language;
     - build a high-level specification of SNOW3G.
   - We showed you:
     - the language is a combination of arithmetic and sequence manipulation;
     - some of its wonderful features: infinite and recursive streams, polymorphism;
     - the SNOW3G algorithm: a complete (and compact, and elegant!) specification of a stream cipher in Cryptol.
3. This time
   - We had to:
     - derive an implementation from the specification;
     - generate (fast) C source code using Cryptol's C backend;
     - use the evaluation version ⇒ access to the complete toolset.
   - We will show you:
     - a user's perspective of the toolset so far;
     - Cryptol → C conversion;
     - safety + theorems in Cryptol ⇒ formal methods galore!
4. Cryptol interpreter
   The interpreter provides various environments; so far we have used a few of them:
   - Bit mode: run Cryptol programs
   - C mode: generate C source code
   - Symbolic bit-vector (SBV) mode: apply formal methods
5. Bit mode - useful commands
   - Usage: `:set bit`
   - Base display: `:set base=N`
   - Little/big endianness: `:set -B` / `:set +B`
6. Base display
   Example:
   ```
   Cryptol> [0 1 2 3]
   [0x0 0x1 0x2 0x3]
   Cryptol> :set base=10
   Cryptol> [0 1 2 3]
   [0 1 2 3]
   ```
7. Little/big endianness
   hexbyte.cry:
   ```cryptol
   HexByte : [4]Bit;
   HexByte = [True False False False];
   ```
   Example (the first element of the sequence is bit 0; `:set +B` flips the display to big-endian):
   ```
   Cryptol> :load hexbyte.cry
   Loading "hexbyte.cry".. Checking types.. Processing.. Done!
   hexbyte> :set base=2
   hexbyte> HexByte
   0b0001
   hexbyte> :set +B
   hexbyte> HexByte
   0b1000
   ```
8. C mode - useful commands
   - Usage: `:set C`
   - Generation of source code: `:compile <filename>`
   - Out-of-bounds checking: `:set +b`
   - Specialize polymorphic definitions (automatically on): `:set +S`
9. Generation of source code
   Cryptol → C conversion depends on:
   - `cryptol.h`: contains all the necessary prototypes, macros and a few standard C includes.
   - `CryAlloc.o`: implements a custom memory allocator/deallocator for the Cryptol run-time.
   - `CryPrim.o`: implements C equivalents of Cryptol's built-in functions.
   - `CryStream.o`: C library for representing/manipulating infinite streams.
10. Out-of-bounds checking
    lookup.cry:
    ```cryptol
    lookup : ([4], [2]) -> Bit;
    lookup (xs, i) = xs @ i;
    ```
    lookup.c without bounds checking:
    ```c
    ...
    lookup_res = GETBIT(xs_lookup, i_lookup);
    ...
    ```
    lookup.c with bounds checking (the last argument is the highest valid index):
    ```c
    ...
    lookup_res = GETBIT_CHECKED(xs_lookup, i_lookup, 0x3);
    ...
    ```
    NB: the check incurs a performance cost.
11. Specialize polymorphic definitions I
    size.cry:
    ```cryptol
    size : {a b c} (fin a, c >= 1) => [a]b -> [c];
    size ss = ls ! 0
      where ls = [0] # [| (l + 1) || l <- ls || s <- ss |];
    ```
    Example:
    ```
    size> :set C
    size> :compile size.c
    ```
    size.c:
    ```c
    #include "cryptol.h"
    #include "size.h"
    ```
    It's empty!
12. Specialize polymorphic definitions II
    Because Cryptol generates monomorphic definitions ⇒ we must provide arguments.
    size.cry:
    ```cryptol
    size : {a b c} (fin a, c >= 1) => [a]b -> [c];
    size ss = ls ! 0
      where ls = [0] # [| (l + 1) || l <- ls || s <- ss |];

    force_size = size [0 1 2 3 4];
    ```
13. Generated size.c
    ```c
    #include "cryptol.h"
    #include "size.h"

    /* the name of this constant array did not survive the slide transcript */
    static uint8 const [5] = {0x0, 0x1, 0x2, 0x3, 0x4};

    uint8 size_5(uint8 *ss_size)
    {
        uint32 local4 = 0x0;
        uint8 local5 = 0x0;
        uint8 size_5_res = 0x0;
        uint8 local8 = 0x0;
        uint32 *mrk = getAllocMark();
        size_5_res = 0x0;
        for (local4 = 0x0; local4 < 0x5; local4 += 0x1) {
            local8 = size_5_res + 0x1;
            local5 = local8 & 0x1f;
            size_5_res = local5;
        }
        freeUntil(mrk);
        return size_5_res;
    }
    ```
14. Optimizing the C code?
    We found out:
    - not much; the documentation didn't even address this specifically;
    - infinite streams take a heavy toll on performance (it figures... besides, an implementation isn't supposed to have these);
    - but! a hand-made implementation wasn't much better;
    - we aren't done with this yet, it's just that other stuff grabbed our attention.
15. SBV mode - useful commands
    - Usage: `:set sbv`
    - Safety checks: `:safe <expression>`
    - Quickcheck: `:check <expression>`
    - Theorem prover: `:prove <expression>`
    - Satisfiability: `:sat <expression>`
16. Safety checks
    Statically catches:
    - index out-of-bounds;
    - division/modulus by 0;
    - ...and more!
    Safe programs really don't crash!
17. Safety checking I
    lookup.cry:
    ```cryptol
    lookup : ([4], [2]) -> Bit;
    lookup (xs, i) = xs @ i;
    ```
    Example:
    ```
    lookup> :set sbv
    lookup> :safe lookup
    "lookup" is safe; no safety violations exist.
    ```
18. Safety checking II
    lookup2.cry (a 3-bit index can reach 4..7, but the sequence only has indices 0..3):
    ```cryptol
    lookup2 : ([4], [3]) -> Bit;
    lookup2 (xs, i) = xs @ i;
    ```
    Example:
    ```
    lookup2> :safe lookup2
    *** 1 safety condition to be checked.
    *** Violation detected: lookup (0, 4) = "lookup2.cry", line 2, col 20: index of 4 is out of bounds (valid range is 0 thru 3).
    *** 1 problem found.
    ```
19. Safety checking III
    lookup3.cry:
    ```cryptol
    lookup3 : ([4], [3]) -> Bit;
    lookup3 (xs, i) = if i >= 3 then False else xs @ i;
    ```
    Example:
    ```
    lookup3> :safe lookup3
    *** 1 safety condition to be checked.
    *** Verified safe.
    *** All safety checks pass, safe to execute.
    ```
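The safety condition behind `:safe` on slides 17 to 19 (and the bounds-checked `GETBIT_CHECKED` access the C backend emits on slide 10), as an added Python stand-in that is neither from the slides nor part of Cryptol: Cryptol discharges the condition symbolically, but the input spaces of `lookup`, `lookup2` and `lookup3` are so small that enumerating every `(xs, i)` pair gives the same verdicts and makes the condition visible. The names `getbit_checked` and `safe` are chosen here; the three lookup functions follow the slides' definitions.

```python
"""Added example (not from the slides): exhaustive stand-in for Cryptol's `:safe`
on the lookup functions of slides 17-19."""
from itertools import product


def getbit_checked(xs: int, i: int, maxidx: int) -> bool:
    """Model of the C backend's GETBIT_CHECKED: the index must lie in 0..maxidx
    (maxidx = width - 1), otherwise the access is a safety violation."""
    if not 0 <= i <= maxidx:
        raise IndexError(
            f"index of {i} is out of bounds (valid range is 0 thru {maxidx})")
    # Cryptol's `@` with default (little-endian) layout: element 0 is bit 0
    return bool((xs >> i) & 1)


def lookup(xs: int, i: int) -> bool:
    """lookup : ([4], [2]) -> Bit   -- a 2-bit index can only be 0..3"""
    return getbit_checked(xs, i, 3)


def lookup2(xs: int, i: int) -> bool:
    """lookup2 : ([4], [3]) -> Bit  -- a 3-bit index may be 4..7: unsafe"""
    return getbit_checked(xs, i, 3)


def lookup3(xs: int, i: int) -> bool:
    """lookup3 : ([4], [3]) -> Bit  -- guarded exactly as on slide 19"""
    return False if i >= 3 else getbit_checked(xs, i, 3)


def safe(fn, widths):
    """Enumerate every argument tuple for the given bit widths (the finite input
    space of a monomorphic Cryptol function) and report (True, None) if no input
    violates the bounds condition, else (False, first violating input)."""
    ranges = [range(1 << w) for w in widths]
    for args in product(*ranges):
        try:
            fn(*args)
        except IndexError:
            return False, args
    return True, None


if __name__ == "__main__":
    cases = [("lookup", lookup, (4, 2)),
             ("lookup2", lookup2, (4, 3)),
             ("lookup3", lookup3, (4, 3))]
    for name, fn, widths in cases:
        ok, cex = safe(fn, widths)
        print(f"{name}: {'safe' if ok else f'violation at {cex}'}")
```

The enumeration visits `xs` first and `i` second, so the first violation reported for `lookup2` is the pair `(0, 4)`, the same witness the slide shows; `lookup3` is safe only because its guard rules out the unrepresentable indices before `@` is evaluated.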
20. Quickcheck
    The `:check` command:
    - Cryptol's implementation of Quickcheck;
    - consists in randomly generating test cases and running property definitions on these;
    - validity of theorems.
21. Quickchecking theorems
    Plaintext ⇔ Decrypt . Encrypt
    ```cryptol
    theorem EncDec : {pt k i}. pt == decrypt (encrypt (pt, k, i), k, i);
    ```
    Example:
    ```
    Cryptol> :set quickCheckCount=100
    Cryptol> :load SNOW 3G v0.93.cry
    Loading "SNOW 3G v0.93.cry".. Checking types.. Processing.. Done!
    *** Auto quickchecking 1 theorems.
    *** Checking "EncDec" ["SNOW 3G v0.93.cry", line 23, col 1]
    Checking case 100 of 100 (100.00%)
    100 tests passed OK
    [Coverage: 0.00%. [(100/3940200619639447921227904010014...)]
    SNOW 3G v0.93>
    ```
22. Test coverage
    EncDec coverage: `[Coverage: 0.00%. [(100/3940200619639447921227904010014...)]`
    2^(128+128+128) different cases (128-bit plaintext, key and IV) = the insane number above.
23. Theorems are boolean functions!
    In first-order logic: ∀x. 2x = x + x
    In Cryptol:
    ```cryptol
    double : [8] -> Bit;
    theorem double : {x}. 2*x == x + x;
    ```
    Example:
    ```
    double> :prove double
    Q.E.D.
    ```
    The `:prove` command:
    - shows they're equivalent to the constant function that always returns True;
    - finds counter-examples.
24. Counter-example
    FG.cry:
    ```cryptol
    f, g : [8] -> [8];
    f x = (x - 1) * (x + 1);
    g x = x * x + 1;
    theorem FG : {x}. f x == g x;
    ```
    Example:
    ```
    FG> :prove FG
    *** Proving "FG" ["FG.cry", line 5, col 1]
    Falsifiable.
    FG 0 = False
    ```
25. Satisfiability
    Definition: determining if the variables of a given Boolean formula can be assigned in such a way as to make the formula evaluate to True.
    FH.cry:
    ```cryptol
    f, h : [8] -> [8];
    f x = (x - 1) * (x + 1);
    h x = x * x - 1;
    theorem FH : {x}. f x == h x;
    ```
    Example:
    ```
    FH> :sat FH
    FH 0 = True
    ```
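The three verdicts of slides 20 to 25 (`:check`, `:prove`, `:sat`) on 8-bit theorems, as an added Python stand-in that is not from the slides and not Cryptol's implementation: `f`, `g`, `h`, `double`, `FG` and `FH` follow the slides, while `thm_succ_gt` is a theorem constructed here (true for every 8-bit value except 255) to show why a random `:check` run can miss a counter-example that `:prove` always finds. Cryptol uses a symbolic bit-vector solver; over 2^8 inputs plain enumeration reaches the same verdicts. The function names and the `seed` parameter are choices made here; `encdec_coverage` only reproduces the arithmetic of slide 22.

```python
"""Added example (not from the slides): enumeration stand-ins for Cryptol's
`:check`, `:prove` and `:sat` on 8-bit theorems."""
import random

BITS = 8
MASK = (1 << BITS) - 1          # arithmetic in [8] wraps modulo 2^8


# f, g, h from FG.cry / FH.cry
def f(x): return ((x - 1) * (x + 1)) & MASK
def g(x): return (x * x + 1) & MASK
def h(x): return (x * x - 1) & MASK


# theorems are boolean functions ([8] -> Bit)
def thm_double(x): return ((2 * x) & MASK) == ((x + x) & MASK)
def thm_FG(x): return f(x) == g(x)
def thm_FH(x): return f(x) == h(x)
# constructed here: fails only at x = 255, where x + 1 wraps to 0
def thm_succ_gt(x): return ((x + 1) & MASK) > x


def prove(thm):
    """`:prove`: (True, None) for Q.E.D., or (False, x) with the first
    falsifying input, found by exhausting the finite input space."""
    for x in range(1 << BITS):
        if not thm(x):
            return False, x
    return True, None


def sat(thm):
    """`:sat`: the first input that makes the theorem True, or None."""
    for x in range(1 << BITS):
        if thm(x):
            return x
    return None


def check(thm, count=100, seed=0):
    """`:check` (quickcheck): `count` random test cases. Returns
    (passed, counter_example, coverage) where coverage is the fraction of the
    input space actually exercised, as Cryptol prints after the run."""
    rng = random.Random(seed)    # seeded so the run is reproducible
    tried = set()
    for _ in range(count):
        x = rng.randrange(1 << BITS)
        tried.add(x)
        if not thm(x):
            return False, x, len(tried) / (1 << BITS)
    return True, None, len(tried) / (1 << BITS)


def encdec_coverage(tests=100, pt_bits=128, key_bits=128, iv_bits=128):
    """Slide 22: 100 tests out of 2^(128+128+128) EncDec inputs."""
    return tests / (1 << (pt_bits + key_bits + iv_bits))


if __name__ == "__main__":
    thms = [("double", thm_double), ("FG", thm_FG),
            ("FH", thm_FH), ("succ_gt", thm_succ_gt)]
    for name, thm in thms:
        print(f"{name}: check={check(thm)} prove={prove(thm)} sat={sat(thm)}")
    print(f"EncDec coverage with 100 tests: {encdec_coverage():.3e}")
```

`prove(thm_FG)` returns `(False, 0)` because `f 0` is 0xFF while `g 0` is 1, and `sat(thm_FH)` returns `0` as on slide 25; since `(x-1)(x+1)` and `x*x-1` agree modulo 256 for every `x`, `prove(thm_FH)` also succeeds, which `:sat` alone does not tell you. For `thm_succ_gt`, whether `check` reports a failure depends on whether the sample happened to draw 255, whereas `prove` returns `(False, 255)` unconditionally; that is the gap between the 100 quickcheck cases of slide 21 and a proof.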
26. Overview of the formal methods subset
    Highs:
    - fully automated ⇒ it's a "push button" package;
    - if not automated, there's manual ⇒ Isabelle/HOL translation (`:isabelle`);
    - fast enough.
    Lows:
    - doesn't cover the entire Cryptol language:
      - finiteness restriction ⇒ incapable of induction;
      - monomorphic restriction;
      - first-order restriction (not really a problem, can be rewritten);
      - symbolic termination ⇒ can't use recursive functions (again not really a problem, use recursive streams instead).
27. Conclusions
    - Cryptol provides a vast and truly useful toolset for cryptographers.
    - Formal methods are "free" in Cryptol ⇒ no need to learn an external language or tool.
28. Coming up!
    - Field-programmable gate arrays!
    - VHDL!
    - Space-time tradeoffs!
    Stay tuned!
29. Acknowledgments
    A special thanks to Mr. Levent for his patience. We also ripped off some ideas from his papers about Cryptol for this presentation!
30. Questions?