Compiling CAO: from Cryptographic Specifications to C Implementations

Size: px

Start display at page:

Download "Compiling CAO: from Cryptographic Specifications to C Implementations"

Kathleen Dora Bailey
8 years ago
Views:

1 Compiling CAO: from Cryptographic Specifications to C Implementations Manuel Barbosa David Castro Paulo Silva HASLab/INESC TEC Universidade do Minho Braga, Portugal April 8, 2014 Grenoble

2 Motivation Developing cryptographic software is challenging Performance is usually critical Many implementations are done directly in assembly Aggressive optimizations must not change the semantics Error prone and time consuming Manuel Barbosa, David Castro, Paulo Silva 1/14

directly in assembly Aggressive optimizations must not change the

3 CAO Language Started in the CACE project (FP7) in collaboration with Univ. Bristol Domain specific language for core cryptographic components Hash functions, authentication algorithms, signatures,... High level features closer to standards Supported by a tool chain to assist development Manuel Barbosa, David Castro, Paulo Silva 2/14

4 CAO Language Main design goals: Flexible and configurable for a wide range of platforms (machine architecture + operating system + compiler + extra libraries) Incorporate domain specific optimizations early in the compilation process Oriented to the implementation of cryptographic APIs Manuel Barbosa, David Castro, Paulo Silva 3/14

Incorporate domain specific optimizations early in the compilation process Oriented

5 CAO Features Call by value semantics No input/output support No language construct to dynamically allocate memory Highly expressive native types and operators Manuel Barbosa, David Castro, Paulo Silva 4/14

6 CAO Types Booleans def b1 : bool ; def b2 : bool := true ; Manuel Barbosa, David Castro, Paulo Silva 5/14

7 CAO Types Booleans def b1 : bool ; def b2 : bool := true ; Integers (arbitrary precision) def i1 : int ; def i2 : int := 10; Manuel Barbosa, David Castro, Paulo Silva 5/14

8 CAO Types Booleans def b1 : bool ; def b2 : bool := true ; Integers (arbitrary precision) def i1 : int ; def i2 : int := 10; Machine integers def ri1 : register int ; def ri2 : register int := 1; Manuel Barbosa, David Castro, Paulo Silva 5/14

:= 10; Machine integers def ri1 : register int ; def ri2 :

9 CAO Types Booleans def b1 : bool ; def b2 : bool := true ; Integers (arbitrary precision) def i1 : int ; def i2 : int := 10; Machine integers def ri1 : register int ; def ri2 : register int := 1; Bit strings def ubs1 : unsigned bits [32]; def ubs2 : unsigned bits [4] := 0 b0101 ; def sbs1 : signed bits [16]; def sbs2 : signed bits [8] := 1 b ; Manuel Barbosa, David Castro, Paulo Silva 5/14

Bit strings def ubs1 : unsigned bits [32]; def ubs2 : unsigned bits [4] := 0 b0101 ; def sbs1 :

10 CAO Types (cont.) Rings or fields defined by an integer def mo1 : mod [5]; def mo2 : mod [2] := [1]; Manuel Barbosa, David Castro, Paulo Silva 6/14

11 CAO Types (cont.) Rings or fields defined by an integer def mo1 : mod [5]; def mo2 : mod [2] := [1]; Extension fields defined by a type and a polynomial def mp1 : mod [ mod [2] <X> / X **7 + X **3 + 1 ]; def mp2 : mod [ mod [11] <Y> / Y **2 + 1 ] := [5* Y + 2] * [7* Y +1]; Manuel Barbosa, David Castro, Paulo Silva 6/14

[1]; Extension fields defined by a type and a polynomial def mp1 : mod [ mod

12 CAO Types (cont.) Rings or fields defined by an integer def mo1 : mod [5]; def mo2 : mod [2] := [1]; Extension fields defined by a type and a polynomial def mp1 : mod [ mod [2] <X> / X **7 + X **3 + 1 ]; def mp2 : mod [ mod [11] <Y> / Y **2 + 1 ] := [5* Y + 2] * [7* Y +1]; Vectors def v1 : vector [10] of register int ; def v2 : vector [4] of unsigned bits [2] := { 0b00, 0b01, 0b10, 0 b11 }; Manuel Barbosa, David Castro, Paulo Silva 6/14

by a type and a polynomial def mp1 : mod [ mod [2] <X> / X **7 + X **3 + 1 ]; def mp2 : mod [ mod [11] <Y> /

13 CAO Types (cont.) Rings or fields defined by an integer def mo1 : mod [5]; def mo2 : mod [2] := [1]; Extension fields defined by a type and a polynomial def mp1 : mod [ mod [2] <X> / X **7 + X **3 + 1 ]; def mp2 : mod [ mod [11] <Y> / Y **2 + 1 ] := [5* Y + 2] * [7* Y +1]; Vectors def v1 : vector [10] of register int ; def v2 : vector [4] of unsigned bits [2] := { 0b00, 0b01, 0b10, 0 b11 }; Matrices def m1 : matrix [2, 3] of int ; def m2 : matrix [2, 2] of mod [2] := { [1], [0], [0], [1] }; Manuel Barbosa, David Castro, Paulo Silva 6/14

polynomial def mp1 : mod [ mod [2] <X> / X **7 + X **3 + 1 ]; def mp2 : mod [ mod [11] <Y> / Y **2 + 1 ] := [5* Y + 2] * [7* Y +1];

14 Simple Example: Bubble Sort typedef int_vector := vector [10] of int ; def bubble_sort ( v : int_vector ) : int_vector { } def temp : int ; seq i := 8 to 0 by -1 { seq j := 0 to i { if (v[j] > v[j +1]) { temp := v[ j]; v[j] := v[j +1]; v[j +1] := temp ; } } } return v; Manuel Barbosa, David Castro, Paulo Silva 7/14

0 by -1 { seq j := 0 to i { if (v[j] > v[j +1]) { temp := v[ j]; v[j] := v[j

15 Simple Example: Bubble Sort def bubble_sort ( const n : register int {1 < n}, v : vector [ n] of int ) : vector [ n] of int { def temp : int ; seq i := n - 2 to 0 by -1 { seq j := 0 to i { if (v[j] > v[j +1]) { temp := v[ j]; v[j] := v[j +1]; v[j +1] := temp ; } } } return v; } Manuel Barbosa, David Castro, Paulo Silva 8/14

by -1 { seq j := 0 to i { if (v[j] > v[j +1]) { temp := v[ j]; v[j] := v[j +1];

16 Complete Algorithm: SHA1 (example sha1.cao) Manuel Barbosa, David Castro, Paulo Silva 9/14

17 Exploring Intermediate CAO Code Source to source transformations (demo) Manuel Barbosa, David Castro, Paulo Silva 10/14

18 Platform Specification (demo) Manuel Barbosa, David Castro, Paulo Silva 11/14

19 Using the Generated Code (demo) Manuel Barbosa, David Castro, Paulo Silva 12/14

20 Protection Against Side-channel Attacks Popular countermeasure against side-channel attacks Indistinguishable functions: Vulnerable functions execute the same sequence of native CAO operations (demo) Manuel Barbosa, David Castro, Paulo Silva 13/14

functions: Vulnerable functions execute the same sequence of

21 Conclusions The code of the compiler is reasonably stable The source code is available from the Hackage repository: Future work: Improve efficiency of the generated code (more aggressive optimizations are possible) Additional protection countermeasures against side-channel attacks Provide support for other platforms (ongoing work for ARM architecture) Provide additional guarantees when compiling C using CompCert (ongoing work) Manuel Barbosa, David Castro, Paulo Silva 14/14

Balamaruthu Mani. Supervisor: Professor Barak A. Pearlmutter

Balamaruthu Mani. Supervisor: Professor Barak A. Pearlmutter Balamaruthu Mani Supervisor: Professor Barak A. Pearlmutter Plain email text Mail Server Mail Server Encrypted on transfer Encrypted on transfer Sender Email Communication Encryption over network Recipient