Exploring the Cryptol Toolset
1. Exploring the Cryptol Toolset
Pedro Pereira Ulisses Costa
Formal Methods in Software Engineering
April 30, 2009
Pedro Pereira, Ulisses Costa Exploring the Cryptol Toolset
2. Previously, in last month's episode!
We had to
Learn the Cryptol language
Build a high-level specification of SNOW 3G
We showed you
The language is a combination of arithmetic and sequence
manipulation
Some of its wonderful features: infinite and recursive streams,
polymorphism
The SNOW 3G algorithm
A complete (and compact, and elegant!) specification of a
stream cipher in Cryptol
3. This time
We had to
Derive an implementation from the specification
Generate (fast) C source code using Cryptol’s C-backend
Use the evaluation version ⇒ access to the complete toolset
We will show you
A user’s perspective of the toolset so far
Cryptol → C conversion
Safety + Theorems in Cryptol ⇒ Formal Methods Galore!
4. Cryptol Interpreter
The interpreter provides several environments (modes); so far we
have used three of them:
Bit mode: run Cryptol programs
C mode: generate C source code
Symbolic Bit-Vector mode: apply formal methods
5. Bit Mode - useful commands
Usage
:set bit
Base display
:set base=N
Little/big endianness
:set -B / :set +B
6. Base display
Example
Cryptol > [0 1 2 3]
[0x0 0x1 0x2 0x3]
Cryptol > :set base=10
Cryptol > [0 1 2 3]
[0 1 2 3]
7. Little/Big endianness
hexbyte.cry
HexByte : [4]Bit;
HexByte = [True False False False];
Example
Cryptol > :load hexbyte.cry
Loading "hexbyte.cry".. Checking types.. Processing.. Done!
hexbyte> :set base=2
hexbyte> HexByte
0b0001
hexbyte> :set +B
hexbyte> HexByte
0b1000
The same four bits print as 1 in the default little-endian mode (the
first element of the sequence is bit 0) and as 8 in big-endian mode
(the first element is the most significant bit); only the display
changes, not the value's bits.
8. C Mode - useful commands
Usage
:set C
Generation of source code
:compile <filename>
Out-of-bounds checking
:set +b
Specialize polymorphic definitions (automatically on)
:set +S
9. Generation of source code
Cryptol → C conversion depends on:
Cryptol.h
Contains all the necessary prototypes, macros and a few
standard C includes.
CryAlloc.o
Implements a custom memory allocator/deallocator for the
Cryptol run-time.
CryPrim.o
Implements C equivalents of Cryptol's built-in functions.
CryStream.o
C library for representing/manipulating infinite streams.
10. Out-of-bounds checking
lookup.cry
lookup : ([4], [2]) -> Bit;
lookup (xs, i) = xs @ i;
lookup.c without bounds checking
...
lookup_res = GETBIT(xs_lookup, i_lookup);
...
lookup.c with bounds checking
...
lookup_res = GETBIT_CHECKED(xs_lookup, i_lookup, 0x3);
...
NB: It incurs a performance cost (one comparison against the highest
valid index, 0x3, per access). For this particular lookup a 2-bit
index can never exceed 3, so the unchecked code is already safe by
construction; the check earns its keep when the index type is wider
than the sequence.
11. Specialize polymorphic definitions I
size.cry
size : {a b c} (fin a, c >= 1) -> [a]b -> [c];
size ss = ls ! 0
  where ls = [0] # [| (l + 1) || l <- ls || s <- ss |];
Example
size> :set C
size> :compile size.c
size.c
#include "Cryptol.h"
#include "size.h"
It's empty!
12. Specialize polymorphic definitions II
Because
The C backend only generates monomorphic definitions ⇒ we must
apply the polymorphic function to concrete arguments so that a
specialised instance exists to compile
size.cry
size : {a b c} (fin a, c >= 1) -> [a]b -> [c];
size ss = ls ! 0
  where ls = [0] # [| (l + 1) || l <- ls || s <- ss |];
force_size = size [0 1 2 3 4];
14. Optimizing the C code?
We found out
Not much: the documentation doesn't address this specifically
Infinite streams take a heavy toll on performance (it figures...
besides, an implementation isn't supposed to have these)
But!
A hand-made implementation wasn't much better
We aren't done with this yet; other things grabbed our attention
16. Safety checks
Statically catches
Index out-of-bounds;
Division/modulus by 0;
...and more!
Safe programs really don’t crash!
17. Safety checking I
lookup.cry
lookup : ([4], [2]) -> Bit;
lookup (xs, i) = xs @ i;
Example
lookup> :set sbv
lookup> :safe lookup
"lookup" is safe; no safety violations exist.
18. Safety checking II
lookup2.cry
lookup2 : ([4], [3]) -> Bit;
lookup2 (xs, i) = xs @ i;
Example
lookup2> :safe lookup2
*** 1 safety condition to be checked.
*** Violation detected:
lookup2 (0, 4) = "lookup2.cry", line 2, col 20: index of 4 is out of
bounds (valid range is 0 thru 3).
*** 1 problem found.
19. Safety checking III
lookup3.cry
lookup3 : ([4], [3]) -> Bit;
lookup3 (xs, i) = if i >= 3 then False else xs @ i;
Example
lookup3> :safe lookup3
*** 1 safety condition to be checked.
*** Verified safe.
*** All safety checks pass, safe to execute.
NB: the guard is stricter than it needs to be: index 3 is valid, so
i > 3 is the tight bound. The checker only asks whether xs @ i can be
reached with i out of range, so it verifies either version.
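The three lookups of slides 17 to 19, plus the division-by-zero case slide 16 lists, collected in one file as an added example. It is written in current Cryptol 2 syntax (commas between sequence elements, no trailing semicolons, `property` instead of `theorem`), not the 2009 syntax of the slides, and it is our code rather than the authors': the functions ratio and ratioSafe and the property name are our additions. Load the file and run :safe on each definition.

```cryptol
// Added example in Cryptol 2 syntax; not the slides' own code.
// lookup/lookup2/lookup3 mirror slides 17-19; ratio/ratioSafe are ours.

// Safe by construction: a 2-bit index cannot name a position that a
// 4-bit word lacks.  `:safe lookup` reports no safety condition.
lookup : ([4], [2]) -> Bit
lookup (xs, i) = xs @ i

// Unsafe: a 3-bit index ranges over 0..7 but xs has positions 0..3.
// `:safe lookup2` produces a counterexample such as i = 4.
lookup2 : ([4], [3]) -> Bit
lookup2 (xs, i) = xs @ i

// Guarded: every out-of-range index is decided before `@` is reached.
// `i > 3` is the tight bound; the slides' `i >= 3` also verifies safe,
// it merely rejects the valid index 3 as well.
lookup3 : ([4], [3]) -> Bit
lookup3 (xs, i) = if i > 3 then False else xs @ i

// The other run-time error :safe looks for: division (and %) by zero.
// `:safe ratio` produces a counterexample with b = 0.
ratio : ([8], [8]) -> [8]
ratio (a, b) = a / b

ratioSafe : ([8], [8]) -> [8]
ratioSafe (a, b) = if b == 0 then 0 else a / b

// Once a definition is safe, :prove can settle properties about it on
// all inputs (here 2^16).  For b == 0 the result is 0; for b >= 1 an
// unsigned quotient never exceeds the dividend.
property ratioSafe_bounded (a : [8]) (b : [8]) = ratioSafe (a, b) <= a
```

The lookup/lookup2 pair is the cheapest fix of all: where the index type can be made exactly as wide as the sequence needs, no guard and no run-time check is required, which is also why the C backend's GETBIT_CHECKED on slide 10 is redundant for lookup.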
20. Quickcheck
The :check command
Cryptol's implementation of QuickCheck
Consists of randomly generating test cases and running the
property definitions on them
Tests the validity of theorems on sampled inputs: a failure refutes
the theorem, a pass is evidence but not a proof (that is what
:prove is for)
21. Quickchecking theorems
Plaintext ⇔ Decrypt ∘ Encrypt
theorem EncDec : {pt k i}. pt == decrypt (encrypt (pt, k, i), k, i);
Example
Cryptol > :set quickCheckCount=100
Cryptol > :load SNOW_3G_v0.93.cry
Loading "SNOW_3G_v0.93.cry".. Checking types.. Processing..
Done!
*** Auto quickchecking 1 theorems.
*** Checking "EncDec" ["SNOW_3G_v0.93.cry", line 23, col 1]
Checking case 100 of 100 (100.00%)
100 tests passed OK
[Coverage: 0.00%. [(100/3940200619639447921227904010014...)]
SNOW_3G_v0.93>
22. Test coverage
EncDec coverage
[Coverage: 0.00%. [(100/3940200619639447921227904010014...)]
2^(128+128+128) = 2^384 different cases (pt, k and i are 128 bits
each) = the insane number above; 100 random tests cover essentially
none of it
23. Theorems are boolean functions!
In first-order logic
∀x. 2x = x + x
In Cryptol
double : [8] -> Bit;
theorem double : {x}. 2 * x == x + x;
Example
double> :prove double
Q.E.D.
The :prove command
Proves a theorem by showing it is equivalent to the constant
function that always returns True (here for all 2^8 values of x)
Otherwise it produces a counter-example
24. Counter-example
FG.cry
f, g : [8] -> [8];
f x = (x - 1) * (x + 1);
g x = x * x + 1;
theorem FG : {x}. f x == g x;
Example
FG> :prove FG
*** Proving "FG" ["FG.cry", line 5, col 1]
Falsifiable.
FG 0 = False
(f 0 = 0xFF and g 0 = 1; in fact f x = x * x - 1 in 8-bit arithmetic,
so f and g differ by 2 for every x.)
25. Satisfiability
Definition
Determining whether the variables of a given Boolean formula can be
assigned in such a way as to make the formula evaluate to True.
FH.cry
f, h : [8] -> [8];
f x = (x - 1) * (x + 1);
h x = x * x - 1;
theorem FH : {x}. f x == h x;
Example
FH> :sat FH
FH 0 = True
:sat stops at the first satisfying assignment; here f and h agree on
every x (modular arithmetic), which :prove FH would confirm.
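The QuickCheck, :prove and :sat sessions of slides 20 to 25 against a single file, as an added example in current Cryptol 2 syntax. It is ours, not the authors' SNOW 3G specification: the keystream below is a constructed toy that stands in for SNOW 3G so that EncDec can be both sampled and proved in seconds, and it has no security value. The names keystream, encrypt and decrypt, the 16-bit word size and the 4-word key and block are our assumptions.

```cryptol
// Added example (Cryptol 2 syntax); the cipher is a constructed toy,
// not SNOW 3G, and provides no security.

// Keystream as a recursive stream: each 16-bit word is the previous one
// rotated and mixed with a key word; the key schedule is a second
// recursive stream that rotates the key words one position per step.
keystream : ([4][16], [16]) -> [inf][16]
keystream (k, iv) = ks
  where
    keys = [k]  # [ kr >>> 1 | kr <- keys ]
    ks   = [iv] # [ (w <<< 5) ^ (kr @ 0) ^ 0x9e37 | w <- ks | kr <- keys ]

// Stream-cipher encryption and decryption are the same XOR.
encrypt : ([4][16], [4][16], [16]) -> [4][16]
encrypt (pt, k, iv) = pt ^ take`{4} (keystream (k, iv))

decrypt : ([4][16], [4][16], [16]) -> [4][16]
decrypt (ct, k, iv) = ct ^ take`{4} (keystream (k, iv))

// Slide 21's theorem.  The inputs total 64 + 64 + 16 = 144 bits, so
// `:check EncDec` samples 2^144 cases (coverage rounds to 0.00%) while
// `:prove EncDec` settles all of them.
property EncDec pt k iv = decrypt (encrypt (pt, k, iv), k, iv) == pt

// Slides 24 and 25: f x is x * x - 1 in 8-bit arithmetic.
f, g, h : [8] -> [8]
f x = (x - 1) * (x + 1)
g x = x * x + 1
h x = x * x - 1

// `:prove FG` answers with a counterexample (x = 0: f 0 = 255, g 0 = 1).
property FG x = f x == g x

// `:sat FH` finds one satisfying x; `:prove FH` shows every x satisfies it.
property FH x = f x == h x
```

In the Cryptol 2 REPL the test count is `:set tests=N` rather than quickCheckCount, and `:check` with no argument checks every property in the file. Running both `:check EncDec` and `:prove EncDec` on the same definition is the habit worth taking from these slides: the sampled run catches gross mistakes in seconds, the proof closes the 2^144 gap the coverage figure makes explicit.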
26. Overview of the formal methods subset
Highs:
Fully automated ⇒ it's a "push button" package
If not automated, there's manual ⇒ Isabelle/HOL translation
(:isabelle)
Fast enough
Lows:
Doesn't cover the entire Cryptol language:
Finiteness restriction ⇒ incapable of induction
Monomorphic restriction
First-order restriction (not really a problem, can be rewritten)
Symbolic termination ⇒ can't use recursive functions (again
not really a problem, use recursive streams instead)
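The rewrite the last point recommends, a recursive stream in place of a recursive function, as an added example in Cryptol 2 syntax (ours, not the slides'). A bit count that recursed on x >> 1 until x is zero would put a symbolic value in its termination test, which the symbolic simulator cannot unroll; a running count whose length is fixed by the type is unrolled exactly n times, so :prove terminates. The name popcount and the [width n] result type are our choices.

```cryptol
// Added example (Cryptol 2 syntax); the function and properties are ours.

// Running count of set bits, expressed as a recursive stream: element
// j of `counts` is the number of set bits among the first j bits of x.
// The stream has n + 1 elements by its type, so the symbolic evaluator
// unrolls it a fixed number of times instead of chasing a recursion
// whose exit test depends on a symbolic value.
popcount : {n} (fin n, n >= 1) => [n] -> [width n]
popcount x = counts ! 0
  where
    counts = [0] # [ c + (if b then 1 else 0) | c <- counts | b <- x ]

// Provable with :prove over all 2^8 inputs.  Counts live in [4]
// (width 8 = 4) and the sum is exactly 8, which fits.
property popcountComplement (x : [8]) = popcount x + popcount (~x) == 8

// Inclusion-exclusion on bits, provable over all 2^16 inputs.  The
// right-hand side is computed mod 16, but as an integer it equals the
// left-hand side (at most 8), so the modular equality holds too.
property popcountXor (x : [8]) (y : [8]) =
  popcount (x ^ y) == popcount x + popcount y - 2 * popcount (x && y)
```

This is the same shape as the slides' size function (slide 11): the accumulator is a stream one element longer than the input, the answer is its last element, and the finiteness of the input type is what makes the "finiteness restriction" above a non-issue.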
27. Conclusions
Cryptol provides a vast and truly useful toolset for
cryptographers
Formal methods are "free" in Cryptol ⇒ No need to learn an
external language or tool
28. Coming up!
Field-programmable gate arrays!
VHDL!
Space-time tradeoffs!
Stay tuned!
29. Acknowledgments
A special thanks to Mr. Levent for his patience.
We also ripped off some ideas from his papers about Cryptol for
this presentation!
30. Questions
?