Compiling CAO: from Cryptographic
Specifications to C Implementations
Manuel Barbosa David Castro Paulo Silva
HASLab/INESC TEC
Universidade do Minho
Braga, Portugal
April 8, 2014
Grenoble
Motivation
〉 Developing cryptographic software is challenging
〉 Performance is usually critical
〉 Many implementations are done directly in assembly
〉 Aggressive optimizations must not change the semantics
〉 Error prone and time consuming
Manuel Barbosa, David Castro, Paulo Silva 1/14
CAO Language
〉 Started in the CACE project (FP7) in collaboration with Univ. Bristol
〉 Domain specific language for core cryptographic components
〉 Hash functions, authentication algorithms, signatures, . . .
〉 High level features closer to standards
〉 Supported by a tool chain to assist development
Manuel Barbosa, David Castro, Paulo Silva 2/14
CAO Language
〉 Main design goals:
〉 Flexible and configurable for a wide range of platforms (machine
architecture + operating system + compiler + extra libraries)
〉 Incorporate domain specific optimizations early in the compilation
process
〉 Oriented to the implementation of cryptographic APIs
Manuel Barbosa, David Castro, Paulo Silva 3/14
CAO Features
〉 Call by value semantics
〉 No input/output support
〉 No language construct to dynamically allocate memory
〉 Highly expressive native types and operators
Manuel Barbosa, David Castro, Paulo Silva 4/14
CAO Types
〉 Booleans
def b1 : bool;
def b2 : bool := true;
Manuel Barbosa, David Castro, Paulo Silva 5/14
CAO Types
〉 Booleans
def b1 : bool;
def b2 : bool := true;
〉 Integers (arbitrary precision)
def i1 : int;
def i2 : int := 10;
Manuel Barbosa, David Castro, Paulo Silva 5/14
CAO Types
〉 Booleans
def b1 : bool;
def b2 : bool := true;
〉 Integers (arbitrary precision)
def i1 : int;
def i2 : int := 10;
〉 Machine integers
def ri1 : register int;
def ri2 : register int := 1;
Manuel Barbosa, David Castro, Paulo Silva 5/14
CAO Types
〉 Booleans
def b1 : bool;
def b2 : bool := true;
〉 Integers (arbitrary precision)
def i1 : int;
def i2 : int := 10;
〉 Machine integers
def ri1 : register int;
def ri2 : register int := 1;
〉 Bit strings
def ubs1 : unsigned bits [32];
def ubs2 : unsigned bits [4] := 0b0101;
def sbs1 : signed bits [16];
def sbs2 : signed bits [8] := 1b01010010;
Manuel Barbosa, David Castro, Paulo Silva 5/14
CAO Types (cont.)
〉 Rings or fields defined by an integer
def mo1 : mod [5];
def mo2 : mod [2] := [1];
Manuel Barbosa, David Castro, Paulo Silva 6/14
CAO Types (cont.)
〉 Rings or fields defined by an integer
def mo1 : mod [5];
def mo2 : mod [2] := [1];
〉 Extension fields defined by a type and a polynomial
def mp1 : mod[ mod [2] <X> / X**7 + X**3 + 1 ];
def mp2 : mod[ mod [11] <Y> / Y**2 + 1 ] := [5*Y + 2] * [7*Y+1];
Manuel Barbosa, David Castro, Paulo Silva 6/14
CAO Types (cont.)
〉 Rings or fields defined by an integer
def mo1 : mod [5];
def mo2 : mod [2] := [1];
〉 Extension fields defined by a type and a polynomial
def mp1 : mod[ mod [2] <X> / X**7 + X**3 + 1 ];
def mp2 : mod[ mod [11] <Y> / Y**2 + 1 ] := [5*Y + 2] * [7*Y+1];
〉 Vectors
def v1 : vector [10] of register int;
def v2 : vector [4] of unsigned bits [2] := {
0b00 , 0b01 , 0b10 , 0b11 };
Manuel Barbosa, David Castro, Paulo Silva 6/14
CAO Types (cont.)
〉 Rings or fields defined by an integer
def mo1 : mod [5];
def mo2 : mod [2] := [1];
〉 Extension fields defined by a type and a polynomial
def mp1 : mod[ mod [2] <X> / X**7 + X**3 + 1 ];
def mp2 : mod[ mod [11] <Y> / Y**2 + 1 ] := [5*Y + 2] * [7*Y+1];
〉 Vectors
def v1 : vector [10] of register int;
def v2 : vector [4] of unsigned bits [2] := {
0b00 , 0b01 , 0b10 , 0b11 };
〉 Matrices
def m1 : matrix [2, 3] of int;
def m2 : matrix [2, 2] of mod [2] := {
[1], [0], [0], [1] };
Manuel Barbosa, David Castro, Paulo Silva 6/14
Simple Example: Bubble Sort
typedef int_vector := vector [10] of int;
def bubble_sort (v : int_vector) : int_vector {
def temp : int;
seq i := 8 to 0 by -1 {
seq j := 0 to i {
if (v[j] > v[j+1]) {
temp := v[j];
v[j] := v[j+1];
v[j+1] := temp;
}
}
}
return v;
}
Manuel Barbosa, David Castro, Paulo Silva 7/14
Simple Example: Bubble Sort
def bubble_sort (const n : register int {1 < n}, v : vector[n] of int)
: vector[n] of int {
def temp : int;
seq i := n - 2 to 0 by -1 {
seq j := 0 to i {
if (v[j] > v[j+1]) {
temp := v[j];
v[j] := v[j+1];
v[j+1] := temp;
}
}
}
return v;
}
Manuel Barbosa, David Castro, Paulo Silva 8/14
Complete Algorithm: SHA1
〉 (example sha1.cao)
Manuel Barbosa, David Castro, Paulo Silva 9/14
Exploring Intermediate CAO Code
〉 Source to source transformations
〉 (demo)
Manuel Barbosa, David Castro, Paulo Silva 10/14
Platform Specification
〉 (demo)
Manuel Barbosa, David Castro, Paulo Silva 11/14
Using the Generated Code
〉 (demo)
Manuel Barbosa, David Castro, Paulo Silva 12/14
Protection Against Side-channel Attacks
〉 Popular countermeasure against side-channel attacks
〉 Indistinguishable functions:
〉 Vulnerable functions execute the same sequence of native CAO
operations
〉 (demo)
Manuel Barbosa, David Castro, Paulo Silva 13/14
Conclusions
〉 The code of the compiler is reasonably stable
〉 The source code is available from the Hackage repository:
http://hackage.haskell.org/package/cao
〉 Future work:
〉 Improve efficiency of the generated code (more aggressive
optimizations are possible)
〉 Additional protection countermeasures against side-channel attacks
〉 Provide support for other platforms (ongoing work for ARM
architecture)
〉 Provide additional guarantees when compiling C using CompCert
(ongoing work)
Manuel Barbosa, David Castro, Paulo Silva 14/14

Compiling CAO: From Cryptographic Specifications to C Implementations

  • 1.
    Compiling CAO: fromCryptographic Specifications to C Implementations Manuel Barbosa David Castro Paulo Silva HASLab/INESC TEC Universidade do Minho Braga, Portugal April 8, 2014 Grenoble
  • 2.
    Motivation 〉 Developing cryptographicsoftware is challenging 〉 Performance is usually critical 〉 Many implementations are done directly in assembly 〉 Aggressive optimizations must not change the semantics 〉 Error prone and time consuming Manuel Barbosa, David Castro, Paulo Silva 1/14
  • 3.
    CAO Language 〉 Startedin the CACE project (FP7) in collaboration with Univ. Bristol 〉 Domain specific language for core cryptographic components 〉 Hash functions, authentication algorithms, signatures, . . . 〉 High level features closer to standards 〉 Supported by a tool chain to assist development Manuel Barbosa, David Castro, Paulo Silva 2/14
  • 4.
    CAO Language 〉 Maindesign goals: 〉 Flexible and configurable for a wide range of platforms (machine architecture + operating system + compiler + extra libraries) 〉 Incorporate domain specific optimizations early in the compilation process 〉 Oriented to the implementation of cryptographic APIs Manuel Barbosa, David Castro, Paulo Silva 3/14
  • 5.
    CAO Features 〉 Callby value semantics 〉 No input/output support 〉 No language construct to dynamically allocate memory 〉 Highly expressive native types and operators Manuel Barbosa, David Castro, Paulo Silva 4/14
  • 6.
    CAO Types 〉 Booleans defb1 : bool; def b2 : bool := true; Manuel Barbosa, David Castro, Paulo Silva 5/14
  • 7.
    CAO Types 〉 Booleans defb1 : bool; def b2 : bool := true; 〉 Integers (arbitrary precision) def i1 : int; def i2 : int := 10; Manuel Barbosa, David Castro, Paulo Silva 5/14
  • 8.
    CAO Types 〉 Booleans defb1 : bool; def b2 : bool := true; 〉 Integers (arbitrary precision) def i1 : int; def i2 : int := 10; 〉 Machine integers def ri1 : register int; def ri2 : register int := 1; Manuel Barbosa, David Castro, Paulo Silva 5/14
  • 9.
    CAO Types 〉 Booleans defb1 : bool; def b2 : bool := true; 〉 Integers (arbitrary precision) def i1 : int; def i2 : int := 10; 〉 Machine integers def ri1 : register int; def ri2 : register int := 1; 〉 Bit strings def ubs1 : unsigned bits [32]; def ubs2 : unsigned bits [4] := 0b0101; def sbs1 : signed bits [16]; def sbs2 : signed bits [8] := 1b01010010; Manuel Barbosa, David Castro, Paulo Silva 5/14
  • 10.
    CAO Types (cont.) 〉Rings or fields defined by an integer def mo1 : mod [5]; def mo2 : mod [2] := [1]; Manuel Barbosa, David Castro, Paulo Silva 6/14
  • 11.
    CAO Types (cont.) 〉Rings or fields defined by an integer def mo1 : mod [5]; def mo2 : mod [2] := [1]; 〉 Extension fields defined by a type and a polynomial def mp1 : mod[ mod [2] <X> / X**7 + X**3 + 1 ]; def mp2 : mod[ mod [11] <Y> / Y**2 + 1 ] := [5*Y + 2] * [7*Y+1]; Manuel Barbosa, David Castro, Paulo Silva 6/14
  • 12.
    CAO Types (cont.) 〉Rings or fields defined by an integer def mo1 : mod [5]; def mo2 : mod [2] := [1]; 〉 Extension fields defined by a type and a polynomial def mp1 : mod[ mod [2] <X> / X**7 + X**3 + 1 ]; def mp2 : mod[ mod [11] <Y> / Y**2 + 1 ] := [5*Y + 2] * [7*Y+1]; 〉 Vectors def v1 : vector [10] of register int; def v2 : vector [4] of unsigned bits [2] := { 0b00 , 0b01 , 0b10 , 0b11 }; Manuel Barbosa, David Castro, Paulo Silva 6/14
  • 13.
    CAO Types (cont.) 〉Rings or fields defined by an integer def mo1 : mod [5]; def mo2 : mod [2] := [1]; 〉 Extension fields defined by a type and a polynomial def mp1 : mod[ mod [2] <X> / X**7 + X**3 + 1 ]; def mp2 : mod[ mod [11] <Y> / Y**2 + 1 ] := [5*Y + 2] * [7*Y+1]; 〉 Vectors def v1 : vector [10] of register int; def v2 : vector [4] of unsigned bits [2] := { 0b00 , 0b01 , 0b10 , 0b11 }; 〉 Matrices def m1 : matrix [2, 3] of int; def m2 : matrix [2, 2] of mod [2] := { [1], [0], [0], [1] }; Manuel Barbosa, David Castro, Paulo Silva 6/14
  • 14.
    Simple Example: BubbleSort typedef int_vector := vector [10] of int; def bubble_sort (v : int_vector) : int_vector { def temp : int; seq i := 8 to 0 by -1 { seq j := 0 to i { if (v[j] > v[j+1]) { temp := v[j]; v[j] := v[j+1]; v[j+1] := temp; } } } return v; } Manuel Barbosa, David Castro, Paulo Silva 7/14
  • 15.
    Simple Example: BubbleSort def bubble_sort (const n : register int {1 < n}, v : vector[n] of int) : vector[n] of int { def temp : int; seq i := n - 2 to 0 by -1 { seq j := 0 to i { if (v[j] > v[j+1]) { temp := v[j]; v[j] := v[j+1]; v[j+1] := temp; } } } return v; } Manuel Barbosa, David Castro, Paulo Silva 8/14
  • 16.
    Complete Algorithm: SHA1 〉(example sha1.cao) Manuel Barbosa, David Castro, Paulo Silva 9/14
  • 17.
    Exploring Intermediate CAOCode 〉 Source to source transformations 〉 (demo) Manuel Barbosa, David Castro, Paulo Silva 10/14
  • 18.
    Platform Specification 〉 (demo) ManuelBarbosa, David Castro, Paulo Silva 11/14
  • 19.
    Using the GeneratedCode 〉 (demo) Manuel Barbosa, David Castro, Paulo Silva 12/14
  • 20.
    Protection Against Side-channelAttacks 〉 Popular countermeasure against side-channel attacks 〉 Indistinguishable functions: 〉 Vulnerable functions execute the same sequence of native CAO operations 〉 (demo) Manuel Barbosa, David Castro, Paulo Silva 13/14
  • 21.
    Conclusions 〉 The codeof the compiler is reasonably stable 〉 The source code is available from the Hackage repository: http://hackage.haskell.org/package/cao 〉 Future work: 〉 Improve efficiency of the generated code (more aggressive optimizations are possible) 〉 Additional protection countermeasures against side-channel attacks 〉 Provide support for other platforms (ongoing work for ARM architecture) 〉 Provide additional guarantees when compiling C using CompCert (ongoing work) Manuel Barbosa, David Castro, Paulo Silva 14/14