http://emergentchaos.com/archives/2009/01/cryptol-language-for-cryptography.html The Emergent Chaos Jazz Combo Fri, 12 Mar 2010 02:36:43 +0000 http://wordpress.org/?v=2.9.2 hourly 1 http://emergentchaos.com/archives/2009/01/cryptol-language-for-cryptography.html/comment-page-1#comment-5381 Iang Thu, 08 Jan 2009 19:04:20 +0000 http://emergentchaos.com/?p=3000#comment-5381 I worry about things like this. What is the point in proving the mathematics and protocol to the Nth degree of purity and essence, when the requirements are wrong? I worry about things like this. What is the point in proving the mathematics and protocol to the Nth degree of purity and essence, when the requirements are wrong?

]]> http://emergentchaos.com/archives/2009/01/cryptol-language-for-cryptography.html/comment-page-1#comment-5380 Anonymous Mon, 05 Jan 2009 14:41:44 +0000 http://emergentchaos.com/?p=3000#comment-5380 Frankly, Tokeneer seemed slightly overhyped to me. I read through the docs back when they were released, and I seem to recall something like the following: In the big glossy print, they claimed the code had been formally verified; later, in the fine print, they revealed that their verification had gaps. For instance, they told their theorem prover to assume that integers couldn't overflow, but they didn't verify this assumption. Many years after they originally delivered the software (I think it may have been when they were preparing the code for release?) they discovered a security bug that arose due to integer overflow. That's my memory. I might be misremembering or misquoting. Frankly, Tokeneer seemed slightly overhyped to me. I read through the docs back when they were released, and I seem to recall something like the following:
In the big glossy print, they claimed the code had been formally verified; later, in the fine print, they revealed that their verification had gaps. For instance, they told their theorem prover to assume that integers couldn’t overflow, but they didn’t verify this assumption. Many years after they originally delivered the software (I think it may have been when they were preparing the code for release?) they discovered a security bug that arose due to integer overflow.
That’s my memory. I might be misremembering or misquoting.

]]> http://emergentchaos.com/archives/2009/01/cryptol-language-for-cryptography.html/comment-page-1#comment-5379 Joe Hendrix Mon, 05 Jan 2009 13:16:56 +0000 http://emergentchaos.com/?p=3000#comment-5379 I met with several people from Galois last summer. If I recall correctly, they have one can define data sizes parametrically in the code, but the actual implementation is compiled to fix-sized buffers. They are mainly targeting Cryptol to compile to Verilog or VHDL for running on FPGAs. For verification, they make two implementations: a high-level inefficient implementation that should be close to the theoretical encryption algorithm, and a low-level pipelined algorithm that may be very complicated. These two implementations are checked for equivalence using a custom combination of SMT solvers and inductive theorem proving techniques. They could also do more convential techniques like fuzz testing as well. By having two implementation and doing equivalence testing, I think they should have a good chance of catching all the implementation correctness bugs. Their approach won't catch bugs in the high-level implementation or in the underlying algorithm. I also suspect they could miss information leakage due to timing attacks, but they may have a solution to that. In any case, this approach of a domain specific language and static verification has been successful in other areas, and seems like a good approach here. I met with several people from Galois last summer. If I recall correctly, they have one can define data sizes parametrically in the code, but the actual implementation is compiled to fix-sized buffers. They are mainly targeting Cryptol to compile to Verilog or VHDL for running on FPGAs.
For verification, they make two implementations: a high-level inefficient implementation that should be close to the theoretical encryption algorithm, and a low-level pipelined algorithm that may be very complicated. These two implementations are checked for equivalence using a custom combination of SMT solvers and inductive theorem proving techniques. They could also do more convential techniques like fuzz testing as well.
By having two implementation and doing equivalence testing, I think they should have a good chance of catching all the implementation correctness bugs. Their approach won’t catch bugs in the high-level implementation or in the underlying algorithm. I also suspect they could miss information leakage due to timing attacks, but they may have a solution to that.
In any case, this approach of a domain specific language and static verification has been successful in other areas, and seems like a good approach here.

]]>