Formally Verified Cryptographic Web Applications in WebAssembly

2019 IEEE Symposium on Security and Privacy (SP) Pub Date : 2019-05-01 DOI:10.1109/SP.2019.00064

Jonathan Protzenko, Benjamin Beurdouche, Denis Merigoux, K. Bhargavan

{"title":"Formally Verified Cryptographic Web Applications in WebAssembly","authors":"Jonathan Protzenko, Benjamin Beurdouche, Denis Merigoux, K. Bhargavan","doi":"10.1109/SP.2019.00064","DOIUrl":null,"url":null,"abstract":"After suffering decades of high-profile attacks, the need for formal verification of security-critical software has never been clearer. Verification-oriented programming languages like F* are now being used to build high-assurance cryptographic libraries and implementations of standard protocols like TLS. In this paper, we seek to apply these verification techniques to modern Web applications, like WhatsApp, that embed sophisticated custom cryptographic components. The problem is that these components are often implemented in JavaScript, a language that is both hostile to cryptographic code and hard to reason about. So we instead target WebAssembly, a new instruction set that is supported by all major JavaScript runtimes. We present a new toolchain that compiles Low*, a low-level subset of the F* programming language, into WebAssembly. Unlike other WebAssembly compilers like Emscripten, our compilation pipeline is focused on compactness and auditability: we formalize the full translation rules in the paper and implement it in a few thousand lines of OCaml. Using this toolchain, we present two case studies. First, we build WHACL*, a WebAssembly version of the existing, verified HACL* cryptographic library. Then, we present LibSignal*, a brand new, verified implementation of the Signal protocol in WebAssembly, that can be readily used by messaging applications like WhatsApp, Skype, and Signal.","PeriodicalId":272713,"journal":{"name":"2019 IEEE Symposium on Security and Privacy (SP)","volume":"57 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2019-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"26","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2019 IEEE Symposium on Security and Privacy (SP)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP.2019.00064","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 26

Abstract

After suffering decades of high-profile attacks, the need for formal verification of security-critical software has never been clearer. Verification-oriented programming languages like F* are now being used to build high-assurance cryptographic libraries and implementations of standard protocols like TLS. In this paper, we seek to apply these verification techniques to modern Web applications, like WhatsApp, that embed sophisticated custom cryptographic components. The problem is that these components are often implemented in JavaScript, a language that is both hostile to cryptographic code and hard to reason about. So we instead target WebAssembly, a new instruction set that is supported by all major JavaScript runtimes. We present a new toolchain that compiles Low*, a low-level subset of the F* programming language, into WebAssembly. Unlike other WebAssembly compilers like Emscripten, our compilation pipeline is focused on compactness and auditability: we formalize the full translation rules in the paper and implement it in a few thousand lines of OCaml. Using this toolchain, we present two case studies. First, we build WHACL*, a WebAssembly version of the existing, verified HACL* cryptographic library. Then, we present LibSignal*, a brand new, verified implementation of the Signal protocol in WebAssembly, that can be readily used by messaging applications like WhatsApp, Skype, and Signal.

查看原文本刊更多论文

WebAssembly中经过正式验证的加密Web应用程序

在经历了数十年备受瞩目的攻击之后，对安全关键软件进行正式验证的必要性从未如此清晰。像F*这样面向验证的编程语言现在被用于构建高保证的加密库和实现像TLS这样的标准协议。在本文中，我们试图将这些验证技术应用于嵌入复杂自定义加密组件的现代Web应用程序，如WhatsApp。问题是，这些组件通常是用JavaScript实现的，而JavaScript是一种既不支持加密代码又难以推理的语言。因此，我们转而瞄准WebAssembly，这是一个新的指令集，所有主要的JavaScript运行时都支持它。我们提出了一个新的工具链，它将Low* (F*编程语言的一个低级子集)编译到WebAssembly中。与其他WebAssembly编译器(如Emscripten)不同，我们的编译管道专注于紧凑性和可审计性:我们在论文中形式化了完整的翻译规则，并在几千行OCaml中实现了它。使用这个工具链，我们给出了两个案例研究。首先，我们构建WHACL*，这是现有的经过验证的HACL*加密库的WebAssembly版本。然后，我们提出了LibSignal*，这是WebAssembly中一个全新的、经过验证的信号协议实现，可以很容易地被WhatsApp、Skype和Signal等消息传递应用程序使用。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2019 IEEE Symposium on Security and Privacy (SP)

自引率

0.00%

发文量