Final Report Summary - CRYSP (CRYSP: A Novel Framework for Collaboratively Building Cryptographically Secure Programs and their Proofs)
The security of distributed software applications depends on the correctness of a variety of critical components, including cryptographic protocols such as TLS, authentication and authorization mechanisms such as single sign-on, and application-specific protections such as encrypted data storage. A design flaw or implementation bug in any of these components may allow a malicious criminal to steal or tamper with the private data of unsuspecting users. Providing formal security guarantees for such applications is clearly desirable, but it has proved intractable for legacy applications that were written without verification in mind.
The key idea of CRYSP is to develop specification methods and security analysis tools that trained application developers can use to program and verify their code side-by-side. Our goal is to obtain the first end-to-end security proofs for web applications that rely on minimal, precise assumptions about cryptography and the runtime environment and account for realistic threats to the client, server, and network.
Over the course of the project, we made significant strides towards this goal, by developing new theory and tools and using them to achieve landmark results in the verification of cryptographic libraries and Web components.
Cryptographic protocols are highly specialized programs that implement complex state machines and use delicate cryptographic mechanisms while presenting an abstract programming interface to the applications. To precisely specify the assumptions and security goals of such programs, we designed expressive type systems (F7, F*) that combine abstract types, refinement types, and affine types. We developed typechecking tools that can automatically verify the security of these programs by calling external theorem provers. Our landmark result is mlTLS, a verified reference implementation of the Transport Layer Security Protocol (TLS), which is widely used on the Web. At 5 thousand lines of F#, miTLS is the largest verified cryptographic protocol implementation to date, both in size and complexity.
During the course of formalizing and verifying the TLS protocol, we uncovered fundamental weaknesses in the protocol that had lain hidden for years. We discovered the Triple Handshake vulnerability, which appears when session resumption and renegotiation are combined in unexpected ways. We disclosed FREAK and Logjam, attacks which appear when servers enable EXPORT-grade ciphersuites. We also found critical bugs in the state machine implementations used by mainstream TLS libraries, leading to high-profile attacks such as SKIP. All of these vulnerabilities were responsibly disclosed and lead to software security updates, as well as protocol-level fixes to TLS.
Web security mechanisms protect user data in a heterogeneous and untrustworthy execution environment, where client-side code runs in standard browsers, server-side code runs on arbitrary cloud-based hosts, and both browser and host may freely engage in other sessions with malicious websites and users. We developed new theory, formal models, and verification tools for such application, and they were used to analyze and find dozens of previously unknown vulnerabilities in popular web browsers, password managers, encrypted cloud storage services and single sign-on protocol frameworks. We also developed DJS, a type-based secure programming and verification framework for JavaScript programs - the first language-based framework to provide strong security guarantees for cryptographic web components running on untrusted websites.
The key idea of CRYSP is to develop specification methods and security analysis tools that trained application developers can use to program and verify their code side-by-side. Our goal is to obtain the first end-to-end security proofs for web applications that rely on minimal, precise assumptions about cryptography and the runtime environment and account for realistic threats to the client, server, and network.
Over the course of the project, we made significant strides towards this goal, by developing new theory and tools and using them to achieve landmark results in the verification of cryptographic libraries and Web components.
Cryptographic protocols are highly specialized programs that implement complex state machines and use delicate cryptographic mechanisms while presenting an abstract programming interface to the applications. To precisely specify the assumptions and security goals of such programs, we designed expressive type systems (F7, F*) that combine abstract types, refinement types, and affine types. We developed typechecking tools that can automatically verify the security of these programs by calling external theorem provers. Our landmark result is mlTLS, a verified reference implementation of the Transport Layer Security Protocol (TLS), which is widely used on the Web. At 5 thousand lines of F#, miTLS is the largest verified cryptographic protocol implementation to date, both in size and complexity.
During the course of formalizing and verifying the TLS protocol, we uncovered fundamental weaknesses in the protocol that had lain hidden for years. We discovered the Triple Handshake vulnerability, which appears when session resumption and renegotiation are combined in unexpected ways. We disclosed FREAK and Logjam, attacks which appear when servers enable EXPORT-grade ciphersuites. We also found critical bugs in the state machine implementations used by mainstream TLS libraries, leading to high-profile attacks such as SKIP. All of these vulnerabilities were responsibly disclosed and lead to software security updates, as well as protocol-level fixes to TLS.
Web security mechanisms protect user data in a heterogeneous and untrustworthy execution environment, where client-side code runs in standard browsers, server-side code runs on arbitrary cloud-based hosts, and both browser and host may freely engage in other sessions with malicious websites and users. We developed new theory, formal models, and verification tools for such application, and they were used to analyze and find dozens of previously unknown vulnerabilities in popular web browsers, password managers, encrypted cloud storage services and single sign-on protocol frameworks. We also developed DJS, a type-based secure programming and verification framework for JavaScript programs - the first language-based framework to provide strong security guarantees for cryptographic web components running on untrusted websites.