Schneier on Security

Nick P • July 26, 2014 2:35 AM

@ Buck

Observations like that are one of the many reasons I enjoy reading your posts here. Haha.

Nick P • July 26, 2014 2:19 PM

@ Clive

That was funny. Most interesting is the contrast between how Linus talks to them and how they replied to him. Makes him look even more like an a**hole. They fixed it promptly though.

On issue of compilers, I think this situation illustrates why current compiler design methods suck. The certifying compilers that check invariants during compilation could be told, for example, that you can use a stack unless you declared it. Each transformation would produce information that allowed safety, performance, etc checks to happen. LLVM is designed in a similar vein, albeit for optimization. The best example is still CompCert as independent testing showed no bugs in their [large] middle end thanks to formal verification activities.

Nick P • July 27, 2014 12:56 PM

@ Czerno

That’s funny. It’s also BS based on many reports I’ve read on its use. I particularly like how he left off that certain formally verified systems came out essentially flawless, where the “debugged” alternatives are still being debugged. The CompCert compiler, A1-class kernels, and VAMP/AAMP7G microprocessors come to mind. The CompCert compiler is nice for us as it was empirically tested by an independent group with fuzz testing and compared to other major compilers. They found a few bugs (in specification), but noted that of all compilers CompCert was the only one without any bugs in the middle end. So, the majority of it was flawless and there were no code-level flaws in the entire thing.

I’m sure Brendan achieves that with most of his software. 😉

Nick P • July 27, 2014 2:35 PM

High Assurance News, July 2014, Compiler Verification

Alright it’s time for another update on what people in high assurance industry are doing. This post focuses on high assurance compilation and program transformation. Anything that’s clever or (esp) mathematically verified for correctness. There’s been plenty of good work in 2013-2014 with many projects having practical value. If only they’d integrate this stuff. If only…

Verifying crypto – many questions and the beginning of an answer (2014) Schwabe

First one for crypto fans. Schwabe often works on high speed crypto and implementations of crypto on embedded chips. This paper implements a Bernstein-favored curve with verification at the assembly level and a lot of assembly code listings. People studying crypto implementation would probably enjoy his other publications on on his homepage, funnily named “CryptoJedi.”

SPARK 2014 Formal program verification for all 2014 May AdaCore

SPARK 2014 is the latest release of the SPARK language. This one is tied to Ada 2012 that added contracts, among other things. SPARK 2014 can prove absence of more errors, is getting verified containers, can use more of the language, has even more success in industry (eg space software), and is still can be learned without a math degree.

Managing the network with Merlin 2013 Basu et al

Traditional Internet routers and gateways are getting placed with OpenFlow type designs that are more powerful and intelligent. There are different devices for endpoints, middle points, and so on. The problem is they’re all managed differently. Merlin lets someone specify network policy in a high level language, it transforms them into local enforceable policies, and then does the enforcement. They use a theorem prover and Ocaml for assurance. Evaluation shows good results for even complex policies.

Formal verification of loop bound estimation for WCET analysis (2014) Blazy et al

This is great work with application in embedded development. Jack Ganssle was just discussing the pain of WCET analysis and I suggested a tool chain that builds it into the compilation phase. Imagine my surprise to find out my idea had already been built. They start with CompCert verified compiler, then integrate a WCET analysis into it. The WCET method is also verified for correctness. Their next step, just like I sent to Ganssle, is to make formal models of the hardware and its timing properties to tie into their tool.

Correct compilers for correct processors (2014) Krall and Lezuo

Awesome work that goes in a different direction from CompCert. They note that original verified compiler used Gurevich’s abstract state machine method and there’s good tools for them. Clive Robinson and I have pushed that model for secure systems design and verification, as well. They have a “synchronous parallel execution model” with ability “to express sequential computation as a single atomic step (…during a clock cycle).” As this is a lot like hardware circuits, it’s already neat to know & useful in many ways. So, they build such models of instructions, pipelines and so on. They develop an interpreter, an interpreter that produces execution traces, and a source to source C++ compiler. Then, they analyze each compiler pass against those with different methods for different phases, such as symbolic execution or translation validation.

MIPS case study showed the specs/proofs are trivial compared to other methods: specification models for instructions, execution model, and state/memory helpers was 710 lines of code that took 2 days to write; pipeline models with instructions, forwarding and bubbling were 1,500 LOC for instructions, 400 LOC for each pipeline, and took a day. Instruction selection verification on almost 6,000 files of input took a total of 284.2 seconds. Wow.

A verified compiler for multithreaded PreScheme 1996 Farmer & Ramsdell

A classic work I just found. Mitre used to do a lot of good work in high assurance in defense contracts. The VLISP project rigorously verified an implementation of Scheme. Their method was a subset for system programming called PreScheme that compiled to native code, a verified compiler for it, a verified interpreter for the full language, and then a corresponding implementation for it I think in PreScheme. Mitre, being smart, build on a successful project by making it multithreaded, provably correct despite being multithreaded, and faster than original PreScheme. I always figured people wanting verified tools would be wise to leverage powerful tools that are already verified. And good luck finding something more powerful than LISP. 😉

A formally-verified C compiler with floating point 2013 Leroy et al.

Xavier Leroy’s team delivers another round of ass-kicking assurance by adding verified floating point to their CompCert C compiler. They point out in paper that compilers like GCC are actually designed to make floating point fail if optimized. Theirs is design to make it succeed while still performing reasonably well. Some people might like that.

Note: I apparently didn’t keep the link but one group also verified a SSA form for Coq. It’s the most common middle end in compilers, yet also one of the hardest to verify. Now that its done we might see new optimizations. Which brings me to next two papers.

Verified compilation for shared-memory C 2014 Beringer et al.

One problem with optimizing compilers is that shared memory interactions can introduce bugs. This work extends CompCert with new specifications and proving techniques for handling these shared memory interactions. It’s meant to be applied to situations such as buffer-based system calls, shared-memory concurrency, and separate compilation.

Incremental verification of compiler optimizations 2014 Fedyukovich et al

They’re also worried about optimizations effect on safety. Their solution is incremental optimization where they do some transformations, then verify them against a fixed safety property. A side-goal is to reduce re-verification of the entire program for efficiency purposes. They find that they usually succeed at that goal. Integrates with LLVM.

Coq – the world’s best macro assembler? (2014) Kennedy et al

I previously posted a paper on the benefits of using High Level Assembly. Well, I doubt it can get much more high level than programming assembler in a theorem prover lol. This uses a concrete model of x86 assembler, integration of concrete features with Coq’s mathematical structures, macros that are Coq functions, correctness proofs for macros/assembler, generation of hex machine code from Coq assembler, and a verified regular expression engine (DFA compiler) to top it off.

They’ve got verified assembler covered in enough ways that they should probably get a reward for it or something. One of their lessons learned was that a side effect of trying to verify or model assembler was to write smaller and modular assembler code. This is similar to what other formal software verification projects have noted: just specifying and coding in a way that can be verified often produces more benefits than the verification itself.

Use of formal methods in embedded software
development: stakes, constraints and proposal (2014) Pires et al.

This paper’s concern is validation and verification of safety-critical software for DO-178C type evaluations. Such evaluations require strong correspondence of requirements, high level design, implementation, and even object code. The high cost and strict requirements of evaluation mean that formal verification makes sense. This paper tries to make it easier for developers by developing a state machine model that uses a UML subset, automatically generates annotations for the ACSL/Frama-C prover, and is free/open as an Eclipse plugin (AGrUM).

Compiling information-flow security to minimal trusted computing bases (2014) Fournet and Planul

I haven’t really read it as I’m working on something similar and want to maintain originality. Here’s the abstract: “We develop a secure compiler for distributed information flows. To minimize trust assumptions, we rely on cryptographic protection, and we exploit hardware and software mechanisms available on modern architectures, such as virtualization, secure boots, trusted platform modules, and remote attestation. We present a security model for these mechanisms in an imperative language with dynamic code loading. We define program transformations to generate trusted virtual hosts and to run them on untrusted machines. We obtain confidentiality and integrity theorems under realistic assumptions, showing that the compiled distributed system is at least as secure as the source program.”

The pitfalls of protocol design Attempting to write a formally verified PDF parser (2014) Bogk and Schopl

They show the benefit of applying formal verification to data formats and protocols. Their attempt at a parser found huge problems with PDF format including a denial of service attack on all existing PDF implementations with one file. Key contribution is a parser combinator via dependent types with proof of termination.

Efficient Java Code Generation of Security Protocols Specified in AnB/AnBx (2014) Modesti

Great work aiming to prevent implementation flaws like Heartbleed: “The implementation of security protocols is challenging and error-prone, as experience has proved that even widely used and heavily tested protocols like TLS and SSH need to be patched every year due to low-level implementation bugs. A model-driven development approach allows automatic generation of an application, from a simpler and abstract model that can be formally verified. In this work we present the AnBx compiler, a tool for automatic generation of Java code of security protocols specified in the popular Alice & Bob notation, suitable for agile prototyping. In contrast with the existing tools, the AnBx compiler uses a simpler specification language and computes the consistency checks that agents has to perform on reception of messages. This is an important feature for robust implementations. Moreover, the tool applies various optimization strategies to achieve efficiency both at compile time and at run time. A support library interfaces the Java Cryptographic Architecture allowing for easy customization of the application.”

Note: software is here.

Formal Security Analysis with Interacting State Machines (2002) Oheimb and Lotz

I posted here years ago that Interacting State Machines was a good model for software and security verification. I just didn’t see anyone working on it. It appears I just missed out on this paper that’s still valuable. These authors let you define the machines in the graphical AutoFocus tool, they’re checked for consistency, translated to Isabell/HOL prover, and checks semi-automatically performed there. They show usefulness by applying it to LKW model of Infineon SLE 66 smart card chip and Needham-Shroeder Public Key protocol.

I’m out of time so I’m just posting the links to the rest (mostly).

Formalizing and Verifying a Modern Build Language (2014) Christakis et al

“The paper defines the C LOUD M AKE language using an operational semantics,
but with a twist: the central operation exec is defined axiomatically, making it pluggable so that it can be replaced by calls to compilers, linkers, and other tools. The formalization and proofs of the central C LOUD M AKE algorithms are done entirely in D AFNY , the proof engine of which is an SMT-based program verifier.”

The CleanJava Language for Functional Program Verification (2011) Cheon et al

A version of Java language designed specifically for use with the Cleanroom low-defect development methodology. I’ve pushed Cleanroom here in the past and I’m still a fan of it. Best recent work on it was using Python with it.

Validation of a System Design Framework with Formal RDF Techniques (2013) Dossis

Paper focused on the theme of program synthesis. Lot of stuff in it. Uses compiler-generators, RDF rules, logic programming, and XML validation of internal state. I haven’t read the whole paper but I posted it just cuz it’s different along with using web technology standards.

Note: His whole page is interesting.

Nick P • July 27, 2014 8:30 PM

@ Clive Robinson

It might be funny to you BASIC haters, but makes sense to me. BASIC is a general purpose application language with dialects having native compilation, pointers, bitwise operators and inline assembler. FreeBASIC comes to mind. Why wouldn’t a person be able to build an OS in it? That particular OS seems like a vaporware project, though, as it’s Google code page is empty except title and email.

@ Wael

“How do you find the time to read all this stuff?”

I was off work most of yesterday. Took the whole day. My eyes were all glazed over by the end of it, to be honest. Only so many of us even doing research on this stuff. Even fewer bring it to people’s attention. If I drop out of the game, there’s a chance the results will never happen or get anywhere. Gotta do my part to solve these big problems is all.

Nick P • July 27, 2014 11:30 PM

@ Clive

Looking back at your post I didn’t realize the reason that you brought up BCOS was that it was in his signature. I thought you were just messing with me about BASIC again. My bad. 😉

Yeah, it is funny that the guy bashing a verification method as a waste of effort has an ongoing project to code a simple OS in the easiest language on Earth and… hasn’t delivered crap per the site hosting it. Even the toy projects by formal methods community currently have more design, code, and documentation than his own work.

Perhaps he should stop insulting them and ask them for insight on how they got past the 0 lines of code mark, eh? :O

Nick P • July 29, 2014 2:31 PM

@ Wael

” I highly doubt they can build the sort of chip that would run an operating system! Cache, Memory, timings, dopant concentration, type, and time of exposure! This is a science, not a photography class…”

You’re reading too much into this. He said he made “an integrated circuit” out of “transistors” he built this way and claimed it was around 60 micron results. A circuit that was probably highly simple out of some transistors using an unconventional method. That doesn’t sound as far fetched as real stuff I’ve found in old chip design. And it actually is photography, err, photolithography.

The last few I investigated were pretty nice: the always incredible Jeri Ellisworth built a millimeter home fab; this paper on DIY microfabrication for 15um features on copper; this project that’s doing tens of micrometers on copper as well. So, seeing a guy who was highly regarded on his forum claim his EE class built some simple circuits using a cheap method was at least worth a question and a few comments on a blog.

@ Clive, Wael

Btw, did you know you can get silicon wafers on eBay? It’s where Jeri gets hers. I also stumbled upon some in the past that were Alpha processors. Just the silicon wafer of them. There’s also web sites that are middlemen for manufacturers of various things that give the item, the volume, and the price. A lot of stuff one might use for custom circuits is available between them and eBay. Of course, one of my recommendations post-Snowden was to just pull good processors out of old computers and build them into new boards. Maybe put a I/O processor and MMU in front of them to help protect them from attacks. An IOMMU chip would be much easier to design than a processor and with many potential fabs, too.

@ AlanS

That post on microkernels was actually inspired by my criticism of her project which referenced seL4. Someone quoted a discussion between Clive and I about problems from hardware on up in Qubes that she cut down in an insulting way. So, I showed up to hit her back with specific issues. She just got mad and started saying all kinds of nonsense showing how little she understood about building secure systems. I ended the argument by showing it, detail by detail. It was funny.

A while after that, she vented by writing a blog post that cut down everything I mentioned (without naming me) and then another to cut down seL4 and formal verification in general. When evaluating reliability of information, it’s important to know where, who, and why. The recurring pattern with her I’ve seen in many blog posts and comments is she cuts down anything different from their work with red herrings, personal attacks, or even criticisms that apply equally to her own work (eg firmware issues). She also rarely addresses people’s points. Gernot Heiser’s writings on the subject, including his comments on her blog, are much less biased and paint an accurate portrayal of formal verification’s value.

@ Gerard van Vooren

1. They just verified the kernel. This was common even for A1 or EAL6-7 systems. The kernel is the most important part, so it gets the most verification. The other components can be verified to whatever degree people want. Microsoft’s Verve OS verified kernel, drivers, and assembler I believe.
2. It might have been. They focused on C because it’s what most system software is written in and verifying C code was a major research challenge. They were the first to verify a kernel’s C code against a formal specification of design and security. And it was cheaper than old A1 systems so that’s nice side benefit. Btw, look up the Muen separation kernel as it’s being written and analyzed in SPARK Ada.
3. It’s targetted for embedded use. The other thing they have is OKL4 kernel, user-mode Linux, and CAMKES for automating IPC between partitions. That’s seen a lot of use in smartphones and Dresden uses a similar architecture for desktops. The seL4/OKL4.Verified offering has a Linux layer, I believe. So, with work, you can do quite a lot with it but with increasing security risk. Currently, though, it’s just suitable for embedded stuff.
4. They already did a verification of most of its compilation with a custom method. I’d like to see it run through CompCert or the recent one I posted that does MIPS.

@ sena kavote

The use of simulation is an interesting idea that we discussed here. It came up in several forms: different redundant chips checking each other; chips designed to emulate chips; interpreters/VM’s that contain most or all of untrusted software; automated, randomizing synthesis of hardware/software designs. Each has its strengths and weaknesses, but there’s some for you to look into. I’ve used one or more of these methods. Performance was horrible except on Alpha’s where PALcode let it merely be bad. 😉 Of course, my methods were about verified security rather than performance so I didn’t make any clever optimizations that risked breaking security. There could be clever optimizations that improve stuff, esp if we use chips that aren’t Von Neumann.

That’s why I started looking into FPGA’s, No Instruction Set Computing, and putting programmable microcode engines in front of processors like SPARK. These allow customized behavior and security features per chip. They’re still faster than pure software emulation and allows one to avoid excess memory accesses or register spills that caused the bad performance I mentioned.

“We need a mid-option between a custom chip and FPGA: Chip that has all components ready, but wiring is either blocked everywhere or open everywhere.”

Name.withheld showed us exactly that: Structured ASIC’s. Altera even had a way to automated a lot of FPGA to S-ASIC conversion. Bad news is they failed in the marketplace and most of these offerings are being cancelled. The predecessor to this, which used to be successful in market, was the gate array ASIC described here.

“Take jpeg format decoders for example. (This may or may not be a good example.) Make random alterations to jpeg picture files, and if the decoder gives an error message or draws an altered picture, it is ok.”

It’s funny you say that because it was the method a famous bug hunter used. Actually, his was simpler: he just changed one bit at a time and recorded the crashes. Then, he used manual methods to look for vulnerabilities in the crashes. There was also the even more clever method of automatically creating vulnerabilities from patches by leveraging the fact that patches tell you where the vulnerabilities are.

The tech works both ways, though. Most research in such tech is on finding bugs for improving quality or security. I’ve posted proposals here of designing languages that are easy to verify, then running them automatically through many tools in parallel. Each tool is designed to do one or a few things very well. Design keeps getting tweaked until it passes all of them. Design-by-contract is also used to build assumptions and certain policies into the code. The result could be, in theory, automated on cheap build system hardware. Far as timing, I recall DEC’s VMS team coded for a week, let builds/tests run all weekend, fixed as many flaws as possible next week, and repeat. My proposed system could run basic checks every integration, with thorough checks run overnight and developers getting a report in the morning. It can also reduce cost/power by using a cluster of ARM/MIPS boards.

Nick P • July 29, 2014 7:57 PM

Dataflow processors for networking devices

I previously posted an idea of having a pipeline of simple RISC processors for the network stack (incl VPN) with each one performing a specific function. It had optional hardware accelerators for some functions. The recent discussion reminded me of dataflow architecture and made me think it might be ideal for this. So, as usual, I search to see if there are papers or products that did it already. Seems that network computing has been doing dataflow for a while now. Marvell stands out:

http://www.marvell.com/network-processors/technology/data-flow-architecture/

Theirs might be way better than mine. They even argue that with a RISC vs “PISC” comparison. It’s 400+ units, several operations per instruction, many parallel instructions per clock cycle, linear design, and wire speed. Seems like an excellent design for what it’s intended for. I think my RISC or dedicated hardware approach still has merit for things that can’t be done so linearly. Yet, I’d default on this if I was designing a custom networking chip so long as it was affordable and could integrate into my overall design.

The Mill is another novel design I found while doing this research:

http://jakob.engbloms.se/archives/2004

Nick P • July 30, 2014 12:02 AM

@ Buck

He’s already on this blog. He’s been in their collection system. So long as he doesn’t post classified info or build anything he should be fine far as further targeting goes.

Nick P • July 31, 2014 2:17 PM

@ bitguru

It’s both believable and unsurprising. In hardware backdoor discussions here, RobertT pointed out that most chips in your phone or computer contain all kinds of functionality they don’t advertise. Some of it is functionality they use to make the chip work, like a microcontroller. A programmable microcontroller + DMA is automatically a huge security threat as microcontrollers aren’t designed for security typically. The other type of functionality he pointed out was from design reuse to cut costs like redoing chips. They’ll take an ASIC-proven design, disable some of it, and then put it in their new ASIC or SOC. What they disabled you don’t see and depending on their method might be able to turn back on later.

So many issues. Any chip should be considered untrusted by default just like any piece of software. So, with peripherals, it’s why there’s many projects leveraging IOMMU’s, chip to chip authentication, and even cryptosystems. USB has been a steady security risk which is why I promoted simple methods for trusted inputs, like serial ports or PS/2. I also encourage people to disable their USB ports in BIOS and with superglue. 😉

Nick P • August 1, 2014 9:50 PM

We’ve often discussed writing OS’s in languages safer than C/C++. I proposed Pascal as one of the choices for the OS software with the most low level stuff in assembler wrapped by typed function calls. Free Pascal is the main distribution that has plenty of tool and community support. Turns out, there’s some OS’s written in Free Pascal to look at. They have interesting design elements, too:

http://wiki.freepascal.org/Operating_Systems_written_in_FPC

Toro makes me think the SPIN OS could be rewritten in FP. The JX OS’s native functions could be done in it as well. One could even toss the Java aspect of JX, transitioning to an Oberon-type language or something more mainstream like Go. The point is you can use a language superior to C/C++ for the lower layer, then move to something higher level and safer for the high level stuff.